Understanding Bluetooth LE Pairing—Step by Step
Pairing is an important concept in Bluetooth LE. Let’s examine the fundamentals of Bluetooth LE pairing, outlining how LE devices securely share keys between trusted devices.
In an earlier article, we talked about Bluetooth LE's security keys. We learned that Bluetooth LE devices could make and share three distinct security keys: one for data encryption, another for creating a resolvable private address, and a third for data signing.
But perhaps you’ve wondered—how exactly does this key generation and distribution process occur among trusted devices?
The answer lies in the process known as pairing. This article will provide a step-by-step guide to understanding Bluetooth LE pairing.
Basics of Bluetooth LE Pairing
Think of pairing like a secret handshake between two Bluetooth LE devices. It's their way of building trust and creating a secure environment to exchange security keys safely.
Now, to really grasp what Bluetooth pairing involves, think about its goals. Essentially, they boil down to three points:
- Distribute Keys: Both devices need to share specific keys, which enable important security features like encryption, data signing, and privacy. Pairing encrypts the communication link so these keys can be shared securely.
- Guard Against Eavesdroppers: While swapping these keys (up to three types, actually), the pairing procedure must keep them safe from sneaky eavesdroppers who might try to snatch them mid-distribution.
- Verify Identities: Sometimes, it might be necessary to check if the devices are who they say they are during pairing. This authentication helps defend against attacks like the infamous man-in-the-middle (MITM) attack.
So, if the pairing goes off without a hitch, what do the devices get out of it? Well, they can enjoy a connection with the following aspects:
- Capable of data encryption to keep the communication confidential
- Capable of data authentication, ensuring the data comes from a trusted source
- Offers device authentication, confirming the identity of the devices
- Provides device tracking protection, preventing unwanted tracking
Besides pairing, there’s another concept called' bonding. Bonding is like taking the trust between the paired devices to the next level. Bonding is the process where devices remember the security information exchanged during a successful pairing.
This means they can reconnect automatically in the future without needing to go through the pairing process all over again. It's kind of like making a new friend (pairing) and then remembering that friend for the future (bonding).
Bonding can save time, improve user experience, and provide even stronger security since paired devices won't have to frequently expose their keys for the pairing process.
Pairing is a structured three-phase process. The initial two phases are indispensable, while the third phase, focused on transport-specific key distribution, is optional.
The Pairing Process—Phase 1: Pairing Feature Exchange
The first step of the process—called Pairing Feature Exchange—is kicked off by a device known as the initiator.
During this phase, the initiator sends a Pairing Request to the other device, known as the responder. The responder then replies with a Pairing Response. The Pairing Request and Pairing Response are packets of information that contain important details about each device's features and capabilities.
Figure 1. Pairing Request/Response packet structure. Image used courtesy of: Bluetooth SIG
Let’s take a look at the data fields in the “Pairing Request” and “Pairing Response” packets (Figure 1).
- IO Capability: This field specifies the device's input and output capabilities, which help determine the level of security and the key generation method for pairing. The options for this field could include DisplayOnly, DisplayYesNo, KeyboardOnly, NoInputNoOutput, and KeyboardDisplay, each of which corresponds to a different physical capability of the device.
- OOB Data Flag: This field indicates whether Out-of-Band (OOB) data is available. OOB is a method of communication that uses an external means of communication (outside the standard Bluetooth communication channels) to authenticate a device. The field is binary, either OOB Authentication Data Not Present or OOB Authentication Data from a Remote Device Present.
- AuthReq: This field, short for Authentication Requirements, defines the security requirements of the device. It is a combination of multiple bits, each of which represents a specific requirement, such as Bonding Flags, MITM (Man In The Middle Protection), Secure Connections, and Keypress.
- Max Encryption Key Size: This field specifies the maximum length of the encryption key that can be used in the pairing process, ranging from 7 to 16 bytes. This impacts the strength or entropy of the encryption for the subsequent connection.
- Initiator Key Distribution / Responder Key Distribution: These fields indicate which keys the initiator and responder are able to distribute. The keys may include the Long Term Key (LTK), Identity Resolving Key (IRK), and Connection Signature Resolving Key (CSRK).
The data shared during this initial Pairing Feature Exchange determines the key generation pairing method used in the next phase of the pairing process. The workflow for choosing the pairing method is as below:
Workflow for Choosing Pairing Method
By examining the Secure Connections (SC), Out-of-Band (OOB), Man In The Middle (MITM) protection, and IO capability fields in the pairing packets, devices can collectively determine the most suitable pairing method for key generation (Figure 2).
Figure 2. Workflow for choosing pairing association method. Image used courtesy of: Nordic Developer Academy
This decision-making process follows these steps:
- Secure Connections (SC): They first check whether they both support Secure Connections. If they both do, then the devices will use the LE Secure Connections pairing method, and if not, then they will use the Legacy Pairing method. After the selection of the pairing method, the next step is to choose an association method.
- Out-of-Band (OOB) Data: The next thing they consider is whether both of them have Out-of-Band data. If both do, the Out-of-Band association method is selected, which offers additional security through a separate communication channel for verification. If only one or neither device has OOB data, the MITM bit is evaluated next.
- Man In The Middle (MITM) Protection: If neither device supports MITM protection, the Just Works association method is selected. However, if either or both devices support MITM protection, the IO capabilities bit is inspected to choose an association method that includes user interaction to establish MITM protection.
- IO Capabilities: Finally, the devices need to understand what each of them can do (Figure 3). Can they display numbers? Do they have a keyboard for entering a passcode? This helps them decide on the most practical pairing method. If both have a display and keyboard, they can “compare numbers.” If only one can display, they use 'passkey entry.' And if neither can display or input numbers, they go with Just Works.
Figure 3. Using IO capabilities to choose pairing association method. Image used courtesy of: Nordic Developer Academy
Phase 2: Key Generation
Bluetooth LE devices compliant with Bluetooth Core Specification version 4.2 or later typically have two main pairing methods at their disposal.
The first is known as LE Legacy Pairing, which is the traditional method. The second, and considerably more secure is LE Secure Connections. Devices operating on a Bluetooth stack version earlier than 4.2 will only have the LE Legacy Pairing option.
Difference Between LE Legacy Pairing and LE Secure Connections
LE Legacy Pairing uses a simpler key generation mechanism that, while functional, doesn't offer the highest level of security. In contrast, LE Secure Connections utilize the Elliptic Curve Diffie Hellman (ECDH) key exchange, providing a significantly higher level of security. This method is particularly effective against passive eavesdropping and man-in-the-middle attacks.
Pairing Association Models
These are various ways or strategies in which the pairing process may proceed. These models vary based on the devices' IO capabilities and MITM protection requirements. Table 1 shows a simplified breakdown of the models:
Just Works (JW)
Used when at least one device has no display or no ability to input numbers. The method provides basic security but is susceptible to Man-In-The-Middle attacks.
Passkey Entry (PKE)
One device displays a passkey that is then input on the second device. It helps protect against MITM attacks because it requires physical interaction from the user.
Numeric Comparison (NC)
Both devices display a numeric value. A user confirms that the numbers match on both devices, ensuring a higher security level. Like Passkey Entry, this process is effective against MITM attacks as it requires user interaction.
Authentication data is transferred through a different communication method. Suitable when OOB data is available.
Table 1. Listed here is a simplified breakdown of the association models
Phase 3: Transport-Specific Key Distribution
The final phase of the Bluetooth LE pairing process, the Transport Specific Key Distribution, comes after a successful pairing. This phase is primarily used to distribute the security keys that devices specified in the Initiator and Responder Key distribution fields. Figure 4 illustrates the three phases of the paring process.
Figure 4. The three phases in the pairing process. Image used courtesy of: Bluetooth Security Document
Creating a Trusty Bluetooth Link
Pairing is a structured, three-stage procedure that creates a trusty bridge for the safe exchange of security keys between the connected Bluetooth LE devices.
Pairing commences with the Pairing Feature Exchange phase, wherein the devices involved exchange their capabilities and establish the groundwork for the pairing process. The second phase involves Key Generation, where an encryption key is generated, and the link is encrypted.
The devices can then share their security keys on the encrypted link. Once the devices have paired. They can choose to bond. Bonding is the process where devices remember the security information exchanged during a successful pairing.
With all that in mind, pairing serves as the foundation for securing all future communications between LE devices.