Technology enabling wireless communication between electronic devices is evolving daily. Bluetooth is an emerging wireless radio communication protocol for establishing device “p airings.” A pairing, for example, can be between a mobile phone and a headset, a mouse and a personal computer, or a PDA (personal digital assistant) and a printer. Once paired, devices are able to interact as if they were physically connected. This assumes, of course, that the paired devices remain within communication range with one another.
The Bluetooth protocol uses well known security procedures to establish and then maintain a device pairing. To establish a pairing, an authentication process is performed in which at least one of the devices (the verifying device) confirms that the other (the claimant device) is authorized for interaction. Each Bluetooth device has a unique device address. Paired devices share a symmetric link key. To authenticate, the claimant device uses its device address and the link key to generate a first password that it sends on to the verifying device. The verifying device uses its copy of the link key and the address of the claimant device to generate a second password. Authentication occurs when the first and second passwords match.
Prior to being paired, the claimant device and the verifying device do not share a link key. In this case, a code (referred to as a PIN) is used to generate the link key. To work, the same PIN must be supplied to both devices. The claimant device generates the link key using its device address and the PIN. Likewise, the verifying device generates its copy of the link key using the PIN and the address of the claimant device. Where, for example, the claimant device is a PDA and the verifying device is a cell phone, identical PINs can be entered through the PDA's touch screen and the cell phone's keypad.
Some devices have no or limited user interface capabilities making it difficult or impossible to enter a PIN. At least two solutions have been developed for this problem. An example of one solution involves a wireless headset for mobile telephone. It is desirable for a mobile phone user to establish a secure connection between the headset and the handset. The PIN is preprogrammed into the headset at the factory. The PIN is usually a short series of numbers like “1234” or “0000.” The user enters these numbers into the handset using the handset's user interface to complete authentication. While this does create a secure link key, it is not a strong way to use the Bluetooth security mechanisms. It has at least two major weaknesses: (1) the PIN is well known and the same for anyone who purchases a headset, and (2) the PIN is short.
Another example involves a Bluetooth enabled wireless printer that is attached to a computer with a cable. A software configuration utility resides on the computer and allows a PIN number to be set by the user and stored on the printer. Any device wishing to connect to the printer must know this PIN value. While this creates a secure link key, it also has major weaknesses: (1) The PIN is usually short, (2) the printer must be connected to a PC via a cable to set the PIN number, and (3) the same PIN number is used each time a new pairing is established between a device and the printer.
While no security scheme is perfect, the Bluetooth security mechanism is deemed “computationally secure”. However, the computational methods that might crack the Bluetooth security mechanism are simplified if the PIN is short or the PIN is well known. Moreover, when a cable is required to set the PIN on a wireless device, many of the benefits of a wireless device are lost.
What is needed is an improved method and system for generating a more secure PIN for use by devices with limited user interface capabilities.