Bluetooth pairing is a simple authentication method that is used by mobile communication devices, such as a mobile (cell) telephones, PDAs and the like. It is a relatively easy to use system that enables two Bluetooth compatible devices to communicate with each other in a local space.
In order to communicate, the two devices are required to link together by way of a Bluetooth pairing mechanism. That is, an authentication request is sent by a first device. This authentication request is based on a PIN set by the user of the first device. The first user also tells the second user the PIN that was used.
An authentication response is returned by the second device using the same PIN. Therefore, the authentication response returned by the second device is based on the same PIN and so the connection is authenticated and established.
Once established a 128 bit link key is used to avoid the need to enter the PIN each time the two devices wish to communicate with each other.
However, as the PIN is fixed, once one person knows the PIN they can share it with others and anyone is then able to gain access. Also, to change the PIN every time requires an authorised user to enter the PIN to validate a user. That is, an administrator who wishes to authorise a user to access a site using a specific Bluetooth access device provides the user with a PIN which allows them to pair their Bluetooth device with the Bluetooth access device. However, the administrator then needs to provide a new PIN at the access device each time a new user requires access.
PCT application WO 02/095689 describes a security system that includes a central controller, mobile device and access device. The central controller transmits the same authorisation code to both the mobile device and access device. When the mobile device requests access through the access device, the access device forwards an authentication challenge that includes a randomly generated number that is not known by the mobile device. The mobile device uses a portion of the authentication challenge in combination with the authorisation code to create a response. This static response is compared with the expected response by the access device, and access is provided if they are the same. However, this system sends and uses the same static authorisation code for both the mobile device and access device. Further, the system requires the mobile device to be fitted with specific technology that enables it to generate the required response.
U.S. Pat. No. 7,360,248 describes a system that compares the location of a user using their GPS device with the location of the access device to determine if they correspond, and so make the determination of whether to allow access. However, the system does not utilise a Bluetooth compatible PIN to verify the user.
The present invention aims to overcome, or at least alleviate, some or all of the afore-mentioned problems, or to at least provide the public with a useful choice.