In the past wireless devices were limited in applications, were not always interoperable and were only available from a few vendors. However, today emerging wireless standards and products are fuelling growth in the wireless communications market. This growth has also been aided by a number of factors, such as, the availability of a range of unlicensed frequencies in the 2.40 to 2.48 GHz band and 5 GHz band, a larger mobile work force and the globalization of electronic commerce. One of the well-known standards is the BLUETOOTH® specification, developed by a consortium of companies, the BLUETOOTH Special Interest Group (SIG) and a trademark of Ericsson, Sweden. The BLUETOOTH specification defines a universal radio interface in the 2.45 GHz frequency band that enables wireless electronic devices to connect and communicate wirelessly via short-range, ad hoc networks. The typical communication range of a BLUETOOTH wireless device is 30 to 100 feet.
Generally, wireless devices built according to the BLUETOOTH specification include a link level security feature that enables these devices to authenticate each other and encrypt their communications using a symmetric link key shared between the two devices. Typically, a pairing procedure is defined, which enables a user to establish a link key shared between two devices, where the two devices may be previously unknown to one another.
One security problem in the pairing procedure of the current BLUETOOTH specification results from the fact that radio signals can be easily intercepted. It has therefore been suggested that a user performing the pairing procedure should be in a private area such as his home where it is less likely that the communication between the devices being paired could be eavesdropped. Therefore pairing in a public place where an attacker could easily eavesdrop on the communication between the devices being paired is discouraged.
At present, the pairing procedure requires the manual entry of a code or a personal identification number (PIN) into one or both of the devices. However, if the small-sized pin PIN is chosen to facilitate manual entry, then it is possible for an eavesdropper to determine the link key. Therefore, the number of digits or characters in the PIN must be unreasonably large in order to ensure that an eavesdropper cannot determine the link key. Typically, entry of even a short PIN is tedious for the user of the devices and prone to error; while using a PIN long enough to be secure is even worse. Furthermore, some devices are not expected to have a user interface that is conducive to the entry of a PIN. For example, a BLUETOOTH headset may be paired to a mobile telephone, such that the headset may include an input device such as a button and the telephone would include an input device and an output device such as a display. It is currently contemplated that a new headset would included a pre-programmed PIN, and in order to pair the headset with the phone, the user is required to enter the PIN using the keypad of the phone.
One of the solutions presented for facilitating pairing are techniques such as Diffie-Hellman protocol that can be used to establish a shared key. However, techniques such as Diffie-Hellman are vulnerable to a man-in-the-middle attack. Prior art methods have been established that use a key agreement technique such as Diffie-Hellman followed by a verification step to establish a shared key, the purpose of the verification step being to detect a man-in-the-middle attack. For example, U.S. Pat. No. 5,450,493 describes a scheme in which two devices communicate over an insecure telephone line and perform a Diffie-Hellman key agreement to establish a shared secret. Although it is known that it is possible for an attacker to force both devices to establish the same shared secret via a small subgroup attack, it is possible to defeat the small subgroup attack, as described in U.S. Pat. No. 5,933,504 to Vanstone, et al.
The following methods have been proposed to prevent these attacks, these include checking that the Diffie-Hellman shared secret does not lie in a small subgroup and rejecting the secret if it does, or using a secondary shared secret derived as the hash of the Diffie-Hellman shared secret and the exchanged public keys. Following the key agreement, an antispoof variable based upon the shared key is computed independently by each of the communicating devices. The antispoof variable is then displayed to both devices and over the insecure telephone line the two devices then verbally determine if the antispoof variable is the same. One could read the antispoof variable to the other, for example. The assumption made is that a perpetrator of a man-in-the-middle attack would be detected because of the difficulty in forging the voice of the communicating devices.
This technique may be applied to the BLUETOOTH headset pairing scenario. However, for this scenario, there is only one user involved. After initiating the pairing, the headset and phone would perform a key agreement such as Diffie-Hellman. The devices could compute the antispoof variable based upon the shared key. The phone could then display the antispoof variable on its display. The headset has no display, but it could take the place of the other user and use text-to-speech capability to automatically transmit the digits of the variable to the phone over the BLUETOOTH link as audio. The phone would play the audio. The user could then listen to the value on the phone and compare it to the value on the display. A man-in-the-middle attack is a problem for this method since it would be easy for an attacker to forge the audio output of a text-to-speech capability and transmit forged speech to the phone.
Other public key methods can be used to establish a shared key in such a way as to be resistant to a man-in-the middle attack. Public key methods may be impractical for use in the BLUETOOTH headset pairing scenario (and in other BLUETOOTH pairing scenarios). To use public key methods the headset and phone would both have public keys and private keys. A certificate signed by a Certificate Authority would be required for each device in order to avoid a man-in-the-middle attack. A certificate typically only has a limited validity period, so a device must have an accurate time source in order to validate a certificate. An out-of-the-box BLUETOOTH headset would be unlikely to have an accurate time source, so it may be unable to validate a certificate. Furthermore, to validate a certificate, an online check with a server on the Internet may be required to check a certificate revocation list or an online certificate status protocol client. This online check guards against the compromise of a device's private key. Without this check, the devices may be vulnerable to a man-in-the-middle attack perpetrated by an attacker having a compromised private key. In some circumstances it may be possible for a phone to make the online check if it has Internet connectivity. However, it would be desirable to pair a phone with a headset before a phone has established service with a service provider. For example, a user may wish to establish a link key between a new phone and a new headset, then use the headset and phone to sign up for service an over-the-air service provisioning procedure. Sensitive information would be sent from the headset to phone and then to the service provider; this information requires protection even before the phone has been provisioned over the air.
The desirability of authenticating the location of a correspondent in a wireless environment is recognized in U.S. Pat. No. 5,659,617. It is proposed that the exact location of a correspondent can be obtained using GPS to ensure that certain acts are performed in designated locations, for example, the signing of a certificate within a bank. It is also proposed to determine the position of a correspondent by measuring its distance from a fixed beacon. However, such an arrangement within the context of a BLUETOOTH device would require the provision of a fixed beacon and information about acceptable location in which the particular devices could be paired.
Moreover, this technique requires that a security relationship already exist between the two devices via the use of certificates and PKI; obviously this is an unacceptable constraint since the object is to establish a security relationship when none exists. Furthermore, according to the embodiments shown, distance from a fixed beacon is measured by having the measuring device transmit a signal to the measured device using RF, for example. The measured device then receives the transmitted signal, which may include some sort of challenge. The measured device then performs some sort of cryptographic operation to the measuring device. The measuring device then measures the time of the receipt of the response. The measuring device then computes a round trip time by subtracting the time at which its signal was transmitted from the time of the receipt of the response.
The round trip time includes two components. The first component is the processing time required by the measured device to recover the signal from the measuring device, determine the response (potentially including cryptographic operations), and begin transmitting the response. This first component is a fixed predetermined value that gives a measured device adequate time to perform any appropriate processing. Examples of the processing are cryptographic operations and also conventional techniques used in digital radios such as despreading, deinterleaving, and decoding of the received signal and encoding interleaving and spreading of the transmitted signal.
The second component is the time it actually takes the RF signal to travel from the measuring device to the measured device and then from the measured device to the measuring device. Since RF signals travel at the speed of light, the measuring device computes the distance by taking the difference between the round trip time and the fixed first component allocated for processing and multiplying this difference by the speed of light divided by two.
It should be noted that the distance light could travel during the processing time allocated for the first component of the round trip time is large compared to the distances being measured. For example, suppose that the processing time allocated is one microsecond. The speed of light is approximately one foot per nanosecond which-means, that in the allocated microsecond, light could travel about 1000 feet which would correspond to a measured distance between two devices of 500 feet. It should be further noted that in a conventional microprocessor one microsecond would not be long enough to perform cryptographic operations used by the prior art techniques. A legitimate device being measured observes the fixed processing time and transmits the return signal precisely after the amount of processing time allocated. A device used by an attacker to perpetrate a man-in-the-middle attack need not abide by the fixed processing time. An attacking device may return a response sooner than if it abided by the fixed processing time. For example, suppose an attacking device is 20 feet away from the measuring device and wishes to appear to be only one foot away. As long as the attacker can prepare the response 38 nanoseconds sooner than the fixed processing time, it can do so. The attacking device can remove 38 nanoseconds from the fixed processing time (returning the response 38 nanoseconds sooner than a legitimate device would) and therefore appear to be within one foot of the measuring device.
For devices that are capable of infrared communication using a standard such as the IrDA standards it has been suggested in the prior art that establishment of a link key between two devices may be accomplished by having one device transmit the BLUETOOTH PIN in plaintext to the other device using an infrared transmission. This would make it possible for an eavesdropper capable of receiving infrared transmissions to determine the link key and eavesdrop on the communication between the two devices.
Accordingly, it is an object of the present invention to obviate or mitigate one or more of the above disadvantages.