Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp875786imj; Fri, 15 Feb 2019 08:14:06 -0800 (PST) X-Google-Smtp-Source: AHgI3IYSibbnoufDsHie1mpL64X45kMQ1iDzpKYij2QK5PN1I/ABH4Gyhsi8GoyZZnc8xEtko7Ky X-Received: by 2002:a17:902:e307:: with SMTP id cg7mr10994014plb.255.1550247246629; Fri, 15 Feb 2019 08:14:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550247246; cv=none; d=google.com; s=arc-20160816; b=P+C6AgjTgR/nIm2tffSKFKz71XxSMgyH4lO5w2Eoj1ALRpaCwDC/DZvaxl56T/vqRT XYDar7iXa2MU4hxuQ3G4k1TpO1ecgRfwCPHGUffa/r6l/MPsPWlwV8yDu1Gw2F4SdWMy Ny3h4G6DwuaBWi1CZLtz+SkbB80pi0U/Zl9ktdwKXZNnimpFoTe4gQeTRpcZlpc2tCU6 zdZlz1fNfBo+B+jG1xIj0iSrrb3EGBFFPnwwCm2V3e5IfFwsev0vqLleUEsy8jW/4Vhn D/tujERBGWikA0zEg9S9P17uVgq6vOJwWzGcQ7nZgf2T8I7KfMsv5iKrI5yXVzjHiChE n6pQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=p3KjsjLe03/+hTrGOVMznt+9CZQAH/a8Fn5uycS3M28=; b=0bF5Qc9TYmMk+ut/rkILucLA5DVyMwXqLlhJIUxVt9DiBBZ389P9vCwQu6O5L6B/zd 7yHyXcFV3Komc26GWxKx3NL6GfSBY17Y/6s/oihxpQHQs+4Yycj/2p1qcYCs4/aoi1yP UoWefxesD05v8lJnJZo/LUdigrdKHYYMKY8d1ADOdHhGTfOhg7gYG5N71IM3ERynP4yg Kg4bytdmEiGcDlI5uOSJkG14eZWEfOQEQCEOldJM2vcjpUlowhtBycYrjFAvf8DGtRTv 0KuWPmVVpmb4BnrbVxCgpJYm6NDovvUikkH8q/F8nchyFj76lMKL/DfCXsPQwh9g53X6 p8XQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NXOxe7CD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2si5689139pfn.180.2019.02.15.08.13.50; Fri, 15 Feb 2019 08:14:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NXOxe7CD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2436938AbfBOMV5 (ORCPT + 99 others); Fri, 15 Feb 2019 07:21:57 -0500 Received: from mail-pg1-f196.google.com ([209.85.215.196]:42238 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731176AbfBOMV5 (ORCPT ); Fri, 15 Feb 2019 07:21:57 -0500 Received: by mail-pg1-f196.google.com with SMTP id d72so4745271pga.9; Fri, 15 Feb 2019 04:21:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p3KjsjLe03/+hTrGOVMznt+9CZQAH/a8Fn5uycS3M28=; b=NXOxe7CDI+r04zfcDfttKFsAa/AXqmT9idfDfb4hqRrdLLY9TpQEx+yWCLBAh1fDh6 92Q3WYJcSf+1Kx9tDxVYBsGXlYbc97nIYcJ6jFq5EHFAQgKXBoYxh1kcXH0VxYerT+n7 49BvN49Pd/HzXpGazNkLbsP7ZREGKz4o37w7jwwxDtRTubWBvVWH+X4d3vKpqRSTuhNJ jS0O1Rz2lnBH2+mEj6gilEGW/6Sf33sXN3DQNBHidLyPB2EHK98SeZcuzXOb2mTckIfq v/bJwbymQpgrNaZscyLBLGnTQ+xfpvsN8oLcqcDKuMQjTqtzAcg7O1Hmax6HLhSK2MVO jLhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p3KjsjLe03/+hTrGOVMznt+9CZQAH/a8Fn5uycS3M28=; b=qotDycidf7+Ut2Kg00yEH1NpWknezBwq23Z7HGi9Hrpy++A6jWs4FFtN0lMhqk1dOs J9jwVyibJzGrYd8g5szPz+tC36jrTxQ2MYS5CQivJkUWAcQ/sxUjBBg451UuEYHKb8U0 V4NajAOzbmW7+G3GtVNXHTMyTUsxi3i8mX+vceDyzu0bOE8N2Q8utLZFIEzYewSTnTWf B9MVFW/mUx090SKlW6g7EAigsd+V1rBjQuPE9J8vHjNcyOsiV7gBow8GMHaFHuvQHsHr uKbXVKn8km+OsWETKQZZ51F5jDzBdw1XKyxDSQnHwZbWMaePicqyBL3iAYV2TaraIGSJ UgxA== X-Gm-Message-State: AHQUAuavOXsr0DxcUwHj1o3RlUdUwYs69AJ4BT6KcnE9iMiTsM/9fm2I tUj9+dp93cNrWngk13dXVjS8QqrmwLc6r12uvXyZwA== X-Received: by 2002:a65:6099:: with SMTP id t25mr8991097pgu.448.1550233316084; Fri, 15 Feb 2019 04:21:56 -0800 (PST) MIME-Version: 1.0 References: <20190213224859.GA7151@amd> <20190215114622.GA32198@amd> In-Reply-To: <20190215114622.GA32198@amd> From: Emil Lenngren Date: Fri, 15 Feb 2019 13:21:45 +0100 Message-ID: Subject: Re: [PATCH] pre-shared passcode: secure pairing for "no keyboard, no display" devices To: Pavel Machek Cc: Marcel Holtmann , Johan Hedberg , Bluez mailing list , kernel list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Den fre 15 feb. 2019 kl 12:46 skrev Pavel Machek : > > Hi! > > > > Currently, "no keyboard, no display" devices can be paired, but > > > pairing is not secure against active attacker. > > > > > > Can we do better? Not for the first pairing; but for the next ones -- > > > yes, I believe we can. > > > > > > BLE device in this case has internal storage, and Linux running > > > there. From factory, random 6-digit number is stored in the > > > flash. Legitimate user knows the number, and system is manipulated so > > > that pairing passkey will be this pre-shared passkey. After pairing, > > > user is allowed to change it. > > > > > > [Or maybe passkey is 000000 from the factory; this is still win for > > > the user, as long as he can change the key to something random in a > > > secure cave.] > > > > > > Fortunately, kernel support for this is rather easy; patch is attached > > > below. > > > > > > Does someone see a security issue with proposal above? > > > > Assuming "LE Secure Connections" is used, the protocol is only secure > > if the passkey is not reused. A 6 digit passkey means 20 bits. The > > protocol is performed in 20 steps, where one bit is compared and > > revealed in every step. This means the attacker will know for every > > attempt the first bit that is incorrect in the attempted passkey. If > > the passkey is reused, the attacker can just try the same passkey with > > the incorrect bit flipped. In average it takes 10 attempts to crack > > the key and maximum 20 attempts. Hence, a static key doesn't really > > add much security compared to Just Works and might give a false sense > > of security. > > Thanks a lot for quick reply. And no, that is not good. > > Just Works basically means that there's no security at all, anyone > within range can connect when owner is not around, and do whatever > they want. > > Is there some common way this is solved? > > We do have pre-shared passkey, if only 20 bits. If we set > passkey = sha( pre-shared passkey + pairing_attempt++ ), would we get > some kind of meaningful security? Perhaps with limiting pairing > attempt to say 10 a day? I see two issues with that approach. First, the user needs to know the correct counter of pairing_attempt (how?) and perform the sha calculation and map that to a passkey. Second, if you eavesdrop a pairing attempt that succeeds, you can just bruteforce sha over all possible pre-shared passkeys (1 million if you have 6 digits) times the number of different pairing_attempt counters you want to test, and match that with the recorded pairing messages. That shouldn't take more than a few seconds on a normal PC. What people really do that wants proper security over BLE when they need to use static passkeys, is using a PAKE algorithm in the application layer to establish a session key, and then use some AEAD cipher with that session key also in the application layer (or potentially start BLE encryption using that session key as LTK, but I haven't seen that). Unencrypted BLE is just used then as a transport layer. /Emil