Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp122278imj;
        Thu, 14 Feb 2019 16:47:03 -0800 (PST)
X-Google-Smtp-Source: AHgI3IY2gCuf3+YXscS/8BbY7azlSmdYUioAUwW9zfU4KEPK9ljLU37n3aPoD/rgUw1jzA9EANU1
X-Received: by 2002:a17:902:129:: with SMTP id 38mr7259429plb.140.1550191623106;
        Thu, 14 Feb 2019 16:47:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1550191623; cv=none;
        d=google.com; s=arc-20160816;
        b=AmWiQDHhy8U1reJ4cv1WbSkGCWp7sfpW6fChoyJxjAejcjHi1h10Mxf/C3RkdN5Usk
         Ta1XzUO59opR1n0c6NOfKjzG3/iN0dhlru5R3D8E9rNCg77dKkUNLTg5YxvINoaf7hPD
         PgqqivtTDil02EUdr2MyePEJqxYfzTMIe4A4g+IdaYJ/mUdXChBl39V+UBkegiaXQuVk
         L+gjLb/P8pcBDcWHwRBeb13X5ubgr1Xty3aUb9zHaElEnKJZ09m3GOYW9ru4dMa+CIIX
         /ALYP5L8QATWHt1OYd9vz6CEeGhY22RLqB4rbTqjly6OD+sxtU3hfdezYfoB8TCKWpW/
         JxLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=0HUSwDOyUGgWH5TjR1AcrgVsuq/Kz8O6lTekdx9IkEs=;
        b=OW/Hr0cbvVx4QBLPZ2m70aRbxOSG7JLra9eLNtGFfNSIDn6/LsxowOxltQNstoyQSM
         LtJ9vStj1hOkV3h7oyNV8p96oLGPRE4hAx0iFAIpTR6BPAkHZjUjuH7vkiBYeNoj6Bz0
         oEz3vZVojnG9ePngmCn7RtoLSTdcGEtjF76nLR4d/hFWho/UHZ6iIOkZsu/5WdhS7O5f
         Gw30UOGxc7VU1MGXA/a3e6bcvx8LVLy7QKibJ84fmqA6Wy6AFJzZVBiYGBfT//Yxddpd
         sWHDnB0ILVDVnprr7zAVbEfjwpH6QJMRKI8qP1vSB9FpbgKfKIuW4nbuXkpaiK09e+xK
         VFAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=s6uAohrK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e17si3855677pfh.6.2019.02.14.16.46.47;
        Thu, 14 Feb 2019 16:47:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=s6uAohrK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2407560AbfBNP2M (ORCPT <rfc822;chenc2371@gmail.com> + 99 others);
        Thu, 14 Feb 2019 10:28:12 -0500
Received: from mail-pf1-f194.google.com ([209.85.210.194]:34156 "EHLO
        mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726906AbfBNP2M (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Feb 2019 10:28:12 -0500
Received: by mail-pf1-f194.google.com with SMTP id j18so3269905pfe.1;
        Thu, 14 Feb 2019 07:28:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=0HUSwDOyUGgWH5TjR1AcrgVsuq/Kz8O6lTekdx9IkEs=;
        b=s6uAohrKEZGtWspAGidZE3djwjOrGTzKLYPhgv7NWuzBBkUGpkDKUr3hWdTxNXnI5D
         IUEF+bqBZUouers+sie1qWjaVcTVryRo4X6AD8SRlBhOnoiYcy/6gkJtGirKREXe8cuZ
         cTTYMcpll8mKypf8dZbMr/21a7PCdId2VDjp8eqJFSXC/yhejkaY2KG7o30xiiA8iXOk
         20BK8dlbBBmuQw0mjybuXBERpSi25BLTph+zQpa2LpzN9XKixaQwhC3Ruv4OcH4dQc/L
         xK7BBf2tZCy35Lmc1qvtqGSSi5XKaRSWmhRitzdBiz6cw+MP+/nENqXLVE6TutKYJ2V/
         awMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=0HUSwDOyUGgWH5TjR1AcrgVsuq/Kz8O6lTekdx9IkEs=;
        b=lplMeKc8NIQMapFvp6aHYlbmSOyHS6ZovflnFKoJu+NBQ5DFOkgPdWC5x5N9D7l13s
         nl6t+bYwp3vKCkgzLwutZDHEneyaZh8z1LwbN69VBxzbuoz/jsFlUnDbAu/Ql1HGeqEn
         OfR2FznMo7tgqUBFYzZoiHfXlTD9INklrX7wrmjtEfmhh9WwkcQcOISaBRsYBZGsRZxB
         CXhvOWTUdOo7BnsOjpZapUaxOVYI7ixisL9w6d/gt4Af4zuGkTJ94La7/mKV9dh2E/Cs
         6qNogV9gy0r0l+Knj+/GrwFgVlm2r4h8ixkHYu4XZ1h4Bj2ggTxBU8YWdGvAyu8VeqIc
         jhmQ==
X-Gm-Message-State: AHQUAuadaUwLv7UhSq71gW2nn7xdYsBP4zNx3kj7wEDJWT71zqkVqVD1
        zzKfGCf1Co97FK0a+D5b4SXwKSWOw/AtGKXaYuw=
X-Received: by 2002:a62:6702:: with SMTP id b2mr4591900pfc.244.1550158091151;
 Thu, 14 Feb 2019 07:28:11 -0800 (PST)
MIME-Version: 1.0
References: <20190213224859.GA7151@amd>
In-Reply-To: <20190213224859.GA7151@amd>
From:   Emil Lenngren <emil.lenngren@gmail.com>
Date:   Thu, 14 Feb 2019 16:27:59 +0100
Message-ID: <CAO1O6sdyJbo0LR9Lak+6yP0FKda4o66+8vwx4fE1fe36z2mDNQ@mail.gmail.com>
Subject: Re: [PATCH] pre-shared passcode: secure pairing for "no keyboard, no
 display" devices
To:     Pavel Machek <pavel@ucw.cz>
Cc:     Marcel Holtmann <marcel@holtmann.org>,
        Johan Hedberg <johan.hedberg@gmail.com>,
        Bluez mailing list <linux-bluetooth@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Pavel,

Den tors 14 feb. 2019 kl 14:59 skrev Pavel Machek <pavel@ucw.cz>:
>
> Hi!
>
> Currently, "no keyboard, no display" devices can be paired, but
> pairing is not secure against active attacker.
>
> Can we do better? Not for the first pairing; but for the next ones --
> yes, I believe we can.
>
> BLE device in this case has internal storage, and Linux running
> there. From factory, random 6-digit number is stored in the
> flash. Legitimate user knows the number, and system is manipulated so
> that pairing passkey will be this pre-shared passkey. After pairing,
> user is allowed to change it.
>
> [Or maybe passkey is 000000 from the factory; this is still win for
> the user, as long as he can change the key to something random in a
> secure cave.]
>
> Fortunately, kernel support for this is rather easy; patch is attached
> below.
>
> Does someone see a security issue with proposal above?

Assuming "LE Secure Connections" is used, the protocol is only secure
if the passkey is not reused. A 6 digit passkey means 20 bits. The
protocol is performed in 20 steps, where one bit is compared and
revealed in every step. This means the attacker will know for every
attempt the first bit that is incorrect in the attempted passkey. If
the passkey is reused, the attacker can just try the same passkey with
the incorrect bit flipped. In average it takes 10 attempts to crack
the key and maximum 20 attempts. Hence, a static key doesn't really
add much security compared to Just Works and might give a false sense
of security.

A static key for Legacy Pairing has comparable security as using a
random key. The security is kind of the same as logging in to a
website over unencrypted HTTP, assuming the static key is stored on
the peripheral and the user enters the passkey on the central. In the
case where the passkey is entered by the user on the peripheral
instead of the central, the protocol is completely broken
(https://eprint.iacr.org/2013/309.pdf).

/Emil