Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp873780imj; Fri, 15 Feb 2019 08:12:14 -0800 (PST) X-Google-Smtp-Source: AHgI3IbAwtxccUQItWb8K2S7T0D8inul0GC+7RWQ0T32rbWcGZzYg+vZBFjriIj7sib3beDaBbSE X-Received: by 2002:a63:105a:: with SMTP id 26mr5935828pgq.184.1550247134130; Fri, 15 Feb 2019 08:12:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550247134; cv=none; d=google.com; s=arc-20160816; b=UMGxqFISZwEFsd0PE85Gv1zLakUqkLzFC0uM4LII1uV/+TfhSEW7xLK7cl4jwRw5ce +d3dNIv4o27RSRwhwDjpuv3AtljuBjMJ6Upg+v9NNNNJ6c4FZ1moB99FlOZB7JcfWwuX kfS0R7Y80QY8th65iY0Tx9cZYp9vmfX7QtECsA+V7NbsOCAwtbHXGyBydjH3Gq5G9nVz n7RCRGBZU01LvmIMPhmrKJIhzo8n1YEGy1f6CmRJzOcfs2z4l//OQy4ZrYolqzTaXLgE +0pGI4K9+K1lbhWWmJF0qu9+Zox2KdrwfGVLpxwaipH136cJrRSyG9WqVn73YHBJvAV1 zRqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=8i+jl9IPAyvIs5iMwGqSE7lja6hk66twA5pxezZ41PU=; b=APzMp/Z027jZhsEZIOIefch8g44Qc6pxtvhlvxqMGuGenevlULZISHa3WD+Sco9eq9 pSJdMe28bzDNQ5T9AunWoBPtfLz07FPK6Vr2NSF7cXjIDlkhV2azSZtkrJuOPgH7g4zp Zr72PYYqVRj09Ceu5GNINXo5B6i8py22X6TFTuU3hDhPCTUojLywbGW/BEXmgYE4QzkN 64H6Sc9H0UxRL1zKrD9Zfz8P/ihRyGA7PwjNNfYkVI51TNGcmXLJbZHZICr2eoYPaIXk DSt49WGGHm06PHe96MWTyV+RoCCLZTSLLiPjkf541qoEwvQltBKUfAmYKnP3VHznz2jL +/zg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p31si5940414pgb.440.2019.02.15.08.11.57; Fri, 15 Feb 2019 08:12:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2394436AbfBOLq0 (ORCPT + 99 others); Fri, 15 Feb 2019 06:46:26 -0500 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:54934 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391983AbfBOLq0 (ORCPT ); Fri, 15 Feb 2019 06:46:26 -0500 Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512) id 4176E8036F; Fri, 15 Feb 2019 12:46:16 +0100 (CET) Date: Fri, 15 Feb 2019 12:46:22 +0100 From: Pavel Machek To: Emil Lenngren Cc: Marcel Holtmann , Johan Hedberg , Bluez mailing list , kernel list Subject: Re: [PATCH] pre-shared passcode: secure pairing for "no keyboard, no display" devices Message-ID: <20190215114622.GA32198@amd> References: <20190213224859.GA7151@amd> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="a8Wt8u1KmwUX3Y2C" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --a8Wt8u1KmwUX3Y2C Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > Currently, "no keyboard, no display" devices can be paired, but > > pairing is not secure against active attacker. > > > > Can we do better? Not for the first pairing; but for the next ones -- > > yes, I believe we can. > > > > BLE device in this case has internal storage, and Linux running > > there. From factory, random 6-digit number is stored in the > > flash. Legitimate user knows the number, and system is manipulated so > > that pairing passkey will be this pre-shared passkey. After pairing, > > user is allowed to change it. > > > > [Or maybe passkey is 000000 from the factory; this is still win for > > the user, as long as he can change the key to something random in a > > secure cave.] > > > > Fortunately, kernel support for this is rather easy; patch is attached > > below. > > > > Does someone see a security issue with proposal above? >=20 > Assuming "LE Secure Connections" is used, the protocol is only secure > if the passkey is not reused. A 6 digit passkey means 20 bits. The > protocol is performed in 20 steps, where one bit is compared and > revealed in every step. This means the attacker will know for every > attempt the first bit that is incorrect in the attempted passkey. If > the passkey is reused, the attacker can just try the same passkey with > the incorrect bit flipped. In average it takes 10 attempts to crack > the key and maximum 20 attempts. Hence, a static key doesn't really > add much security compared to Just Works and might give a false sense > of security. Thanks a lot for quick reply. And no, that is not good. Just Works basically means that there's no security at all, anyone within range can connect when owner is not around, and do whatever they want. Is there some common way this is solved? We do have pre-shared passkey, if only 20 bits. If we set passkey =3D sha( pre-shared passkey + pairing_attempt++ ), would we get some kind of meaningful security? Perhaps with limiting pairing attempt to say 10 a day? Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --a8Wt8u1KmwUX3Y2C Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlxmpo4ACgkQMOfwapXb+vJAaACgmHH3XYqK8JGSdVe7OUxD6m7q hqQAn22Yg6q9iiUap1fZJ9VCIkaX/LGI =TjF9 -----END PGP SIGNATURE----- --a8Wt8u1KmwUX3Y2C--