Bluetooth Gets A Major Security Overhaul In Version 2.1

The Bluetooth Special Interest Group has recently published version 2.1 of their specification. While the press mostly writes about the new easy pairing mechanisms, 2.1 contains a complete security overhaul.

It looks like this has become quite necessary since two attacks are now known that can break the security of the pairing process. While encrypted Bluetooth transmissions are still secure, intercepting the initial pairing sequence allows a passive attacker that just collects packets to compute the PIN used by both devices. A further attack for which specialized equipment is required can force a Bluetooth device into re-pairing so an attacker does not have to be present during the initial pairing. In practice, re-pairing means entering the PIN again. Users thus do get a warning when somebody tries such an attack.

BT 2.1 changes the pairing process fundamentally and now offers the following modes in what the standard refers to as "Secure Simple Pairing":

Numeric Comparison Protocol: The major difference of this pairing scheme compared to what has been done before is that instead of a PIN, a pair of public/private keys is used by each device together with the Elliptic Curve Diffie-Hellman one way cryptography algorithm. Each device sends its public key to the other side which then uses it to encrypt a secret to be returned. Once the encrypted secret is received, it is decrypted by using the private key. The encryption/decryption only works one way so an attacker intercepting the communication cannot decrypt the secret and thus cannot generate the link keys that identify the devices later on. This kind of authentication and ciphering key generation is very similar to what is done today to protect web pages with SSL/TLS and certificates. To protect against a man in the middle attack the pairing procedure then continues and a 6 digit number is calculated on both sides and shown to the user. The 6 digit number will only be identical on both sides if the conversation has not been tampered with and hence ensures that no third device has intercepted and modified the pairing messages. (Note that a man in the middle attack is not possible in SSL/TLS since it uses a certificate authority and trusted certificates in the browser.)

Just Works Protocol: The same as the Numeric Comparison Protocol described above but the 6 digit number calculation process is skipped. While offering no protection against an active man in the middle attack some devices do not have a display to show a 6 digit number. Thus, such a pairing should only be performed when the user can be reasonably certain that no attacker can be close by. The encryption whenever a connection is established later on, however, is not impacted by this weakness and thus even this protocol offers enough protection for most applications. It’s also important to point out that the attacker has to be present each time the two devices start to communicate with each other as otherwise the connection establishment will fail.

Passkey Protocol: In this protocol a passkey (PIN) which has been entered by the user in both devices is used just as in the original Bluetooth specification. The way the PIN is used during the pairing process, however, is fundamentally different. Again public/private key pairs and random numbers are used by each device to generate the link keys. The PIN is just used to prevent a man in the middle attack as follows: For each bit a commitment message is generated by both devices by using a one way algorithm that takes the public keys of both sides, a random number generated individually by each side and the bit of the PIN to be committed as input parameters. Afterwards the commitments are exchanged between the devices. Once this is done, device A then sends the random number it has used to generate the commitment. This allows device B to verify that the commitment message was not tampered with. If the message was correct, device B sends its random number to device A so it can also check that the message was correct. For the following bit the order in which the random numbers are exchanged is reversed, i.e. device B has to send the random number first. A device in the middle can thus not forge commitments since it does not know the PIN and the random numbers are only exchanged after the commitment. Since commitments are given in an alternating fashion a device in the middle can only get one bit of the PIN from each side before it has to start guessing the value of the bit.
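The bit-by-bit commit-and-open exchange described above, as an added example that is not taken from the Bluetooth specification or from the original post. HMAC-SHA256 as the one way algorithm, the random byte strings standing in for the ECDH public keys, and the names `Device`, `commit` and `pair` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 20  # a 6-digit passkey (0..999999) fits into 20 bits


def commit(own_pk, peer_pk, nonce, bit):
    """Commit to one passkey bit, bound to both public keys and a fresh nonce.

    HMAC-SHA256 keyed with the nonce is an assumed stand-in for the
    one way algorithm the text mentions.
    """
    msg = own_pk + peer_pk + bytes([0x80 | bit])
    return hmac.new(nonce, msg, hashlib.sha256).digest()[:16]


def bit_of(passkey, i):
    return (passkey >> i) & 1


class Device:
    def __init__(self, passkey):
        self.passkey = passkey
        self.pk = secrets.token_bytes(24)  # constructed placeholder for an ECDH public key
        self.peer_pk = None                # public key as received over the air
        self.nonce = None

    def make_commitment(self, i):
        self.nonce = secrets.token_bytes(16)  # fresh random number for every bit
        return commit(self.pk, self.peer_pk, self.nonce, bit_of(self.passkey, i))

    def verify(self, peer_commitment, peer_nonce, i):
        # Recompute what the peer must have committed to if it holds the same
        # passkey bit and saw the same two public keys as this device.
        expected = commit(self.peer_pk, self.pk, peer_nonce, bit_of(self.passkey, i))
        return hmac.compare_digest(expected, peer_commitment)


def pair(a, b, substituted_pk=None, rounds=ROUNDS):
    """Run the exchange; return (True, rounds) or (False, failing_round).

    substituted_pk models a device in the middle that replaced the public
    keys in transit, so each side holds a key its peer never sent.
    """
    a.peer_pk = substituted_pk or b.pk
    b.peer_pk = substituted_pk or a.pk
    for i in range(rounds):
        commitments = {a: a.make_commitment(i), b: b.make_commitment(i)}
        # Random numbers are opened only after both commitments are exchanged;
        # the opening order alternates per bit as the text describes.
        first, second = (a, b) if i % 2 == 0 else (b, a)
        if not second.verify(commitments[first], first.nonce, i):
            return False, i
        if not first.verify(commitments[second], second.nonce, i):
            return False, i
    return True, rounds


def demo():
    passkey = 123456  # constructed sample passkey
    honest = pair(Device(passkey), Device(passkey))
    wrong_bit = pair(Device(passkey), Device(passkey ^ (1 << 7)))
    swapped_keys = pair(Device(passkey), Device(passkey),
                        substituted_pk=secrets.token_bytes(24))
    return honest, wrong_bit, swapped_keys


if __name__ == "__main__":
    for label, result in zip(("matching passkeys", "bit 7 differs", "public keys replaced"), demo()):
        print(label, "->", result)
```

Pairing stops at the first bit that does not verify, and a run with replaced public keys fails in the first round even though both passkeys match, because every commitment covers the public keys each side saw.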

Out Of Band Protocol: And finally, Bluetooth 2.1 also allows using out of band exchange of security information such as via NFC (Near Field Communication) during the pairing process. This makes things even easier and more secure by only requiring two devices to come very close during the paging process. Both active and passive NFC is supported. In active mode, the NFC device is connected to the Bluetooth chip and can both transmit and receive authentication information. Some devices such as headsets do not have room for the extra NFC hardware. In such a case a passive NFC tag is used which could be attached to the manual or the box of the device. Pairing is then initiated by a device with an active NFC component which is held close to a passive NFC tag. The passive NFC tag then transmits all information required to start the pairing process.


Continuous Packet Connectivity (CPC) Is Not Sexy – Part 2

In a previous post I’ve given a broad overview of a 3GPP release 7 work item called "Continuous Packet Connectivity" (CPC). This feature or rather this set of features aim to improve user experience by enhancing battery lifetime, reaction time after idle times and to increase network bandwidth in situations with many simultaneous voice over IP and other real time service users. Rather than introducing a bold new concept, CPC very much works "under the hood" by improving functions that are already present. Part 2 and 3 of "CPC Is not sexy" now take a closer look at the individual features:

A new UL DPCCH slot format configurable by Layer 3 in a semi-static way (Section 4.1 of 3GPP TR 25.903):

In UMTS networks, information is sent in both uplink and downlink in virtual channels. For a connection several channels are used simultaneously since there is not only user data sent over a connection but also control information to keep the link established, to control transmit power, etc. Currently, the radio control channel in uplink (the Uplink Dedicated Control Channel, UL DPCCH) is transmitted continuously even during times of inactivity in order not to lose synchronization. This way, the terminal can resume uplink transmission of user data without delay whenever required.

The channel carries four parameters (for details, see 3GPP 25.211, chapter 5.2.1):

  • Transmit power control (TPC)
  • Pilot (Used for channel estimation of the receiver)
  • TFCI (Transport Format Combination Identifier)
  • FBI (Feedback indicator)

The pilot bits are always the same and allow the receiver to get a channel estimate before decoding user data frames. While no user data frames are received, however, the pilot bits are of little importance. What remains important is the TPC. The idea behind the new slot format is to increase the number of bits to encode the TPC and decrease the number of pilot bits while the uplink channel is idle. This way, additional redundancy is added to the TPC field.

As a consequence the transmission power for the control channel can be lowered without running the risk of corrupting the information contained in the TPC. Once user data transmission resumes, the standard slot format and higher transmission power is used again.

UL HS-DPCCH gating/discontinuous transmission (DTX) in 2 cycles (based on section 4.2 of TR 25.903) connected with a F-DPCH gating in DL and an implicit CQI reporting reduction in UL (see section 4.4 of TR 25.903):

CQI reporting reduction: To make the best use of the current signal conditions in downlink, the mobile is required to send information back to the network about how well a transmission was received. The quality of the signal is reported to the network with the Channel Quality Index (CQI) alongside the user data in uplink. The proposed concept has the goal to reduce the transmit power of the terminal while data is transferred in the uplink but not in the downlink by reducing the CQI reporting interval.

UL HS-DPCCH gating (gating=switch off): When no data is transmitted in both uplink and downlink the UL DPCCH for HSDPA is switched off. Periodically it is switched on for a short time to transmit bursts to the network in order to maintain synchronization. This improves battery life for applications such as web browsing. The solution can also improve battery consumption for VoIP and reduces the noise level in the network (i.e. more simultaneous VoIP users).

F-DPCH gating: Terminals in HSDPA active mode always receive a Dedicated Physical Channel in downlink in addition to high speed shared channels which carries power control information and Layer 3 radio resource (RRC) messages, e.g. for handovers, channel modifications etc. The Fractional-DPCH feature puts the RRC messages on the HSDPA shared channels and the mobile thus only has to decode the power control information from the DPCH. At all other times the DPCH is not used by the mobile (thus it’s fractional). During these times, power control information is transmitted for other mobiles using the same spreading code. Consequently, several mobiles use the same spreading code for the dedicated physical channel but listen to it at different times. That means that fewer spreading codes are used by the system for this purpose which in turn leaves more resources for the high speed downlink channels.

Your head is still not spinning? Great, then watch out for part 3 of this mini-series which explains UE DRX and HS-SCCH-less reception!

Vacation Connectivity – Part II

In a previous post I’ve put down my thoughts and practical experiences with roaming through Europe and staying connected to the Internet with prepaid GSM/UMTS SIM cards. While it works quite well there is the disadvantage that a different SIM card is required in each country. So I was asked how people can reach me when I change my SIM card every couple of days!? There are several strategies:

1) I have a SIM card dedicated to voice calls. My friends only know this number and the SIM card is in a separate phone.

2) If I only want to carry one phone I activate call forwarding unconditional on that SIM card to the SIM card I am currently using for Internet access in a country. There is one problem with this approach: Some prepaid SIMs by default forward calls to the voicemail and this call forwarding can not be deactivated. So I always pay for an incoming call no matter whether I pick up or not. So I usually prefer to carry two phones.

3) I have an ISDN fixed line at home. While I travel I forward calls to the SIM card I use. There is a web interface available so I can change the call forwarding from abroad when necessary.

4) Skype is also an option, though I haven’t tried this yet: Get a Skype in number and then forward the calls to a mobile phone number when you are not online.

It’s a pity one has to go through all of this just because pricing models of operators prevent people from using a single SIM card for all purposes. But who knows, one day…

If WiMAX Becomes a 3G (IMT-2000) Standard, What’s Left for 4G?

Now that 3G systems such as UMTS are under full deployment, the industry is looking forward to what comes next. While some say that WiMAX is a 4G system, the IEEE and the WiMAX forum think that 802.16e is rather a 3G technology and have asked the ITU (International Telecommunication Union) to include this standard into its IMT-2000 specification (International Mobile Telecommunications 2000). This specification is generally accepted as being the umbrella defining which standards are to be considered 3G.

This is mainly a political move since in many regions of the world, frequencies are reserved for 3G IMT-2000 systems. If WiMAX were included in IMT-2000, and it looks like it will be in the near future, some frequency bands such as the 2.5 GHz IMT-2000 extension band in Europe could be used for WiMAX without changing policies.

So what remains for IMT-Advanced, the ITU umbrella name for future 4G technologies?

Currently there is still no clear definition by ITU of the characteristics of future 4G IMT-Advanced systems. The ITU-R M.1645 recommendation gives first hints but leaves the door wide open:

It is predicted that potential new radio interface(s) will need to support data rates of up to approximately 100 Mbit/s for high mobility such as mobile access and up to approximately 1 Gbit/s for low mobility such as nomadic/local wireless access, by around the year 2010 […]
These data rate figures and the relationship to the degree of mobility (Fig. 2) should be seen as targets for research and investigation of the basic technologies necessary to implement the framework. Future system specifications and designs will be based on the results of the research and investigations.

When WiMAX is compared to the potential requirements above it’s quite clear that the current 802.16e standard would not qualify as a 4G IMT-Advanced standard since data rates even under ideal conditions are much lower.

3GPP’s Long Term Evolution (LTE) project will also have difficulties fulfilling these requirements. Even with the recently proposed 4×4 MIMO, data rates in a 20 MHz carrier would not exceed 326 MBit/s. And that’s already a long stretch since putting 4 antennas in a small device or on a rooftop will be far from simple in practice. If WiMAX is accepted as a 3G IMT-2000 technology, how can LTE with a similar performance be accepted as a 4G IMT-Advanced technology?

Additionally, one should also not forget that IMT-2000 systems such as UMTS are still evolving. UMTS is a good example. With HSDPA and HSUPA, user speeds now exceed the 2 MBit/s which were initially foreseen for IMT-2000 systems. But development hasn’t stopped here. Recent new developments in 3GPP Release 7 and 8 called HSPA+, which will include MIMO technology and other enhancements, will bring the evolved UMTS technology to the same capacity levels as what is currently predicted for LTE on a 5 MHz carrier. HSPA+ is clearly not a 4G IMT-Advanced system since it enhances a current 3G IMT-2000 radio technology. Thus, HSPA+ is categorized as an ‘enhanced IMT-2000 system’.

Maybe that’s the reason why the IEEE 802.16 working group is already looking forward and has started work on 802.16m with the stated goal of reaching top speeds of 1 GBit/s.

When looking at current research it’s clear that the transmission speed requirements described in ITU-R M.1645 can only be achieved in a frequency band of 100+ MHz. This is quite a challenge since such large bands are few. Thus, I have my doubts whether these requirements will remain in place for the final definition of 4G IMT-Advanced.

Does It Really Matter If A Technology Is 3.5G, 3.9G or 4G?

While discussions are ongoing the best one can do is to look at HSPA+, WiMAX, LTE and other future developments as "Beyond 3G" systems. After all, from a user point of view it doesn’t matter if a technology is IMT-2000, Enhanced IMT-2000 or IMT-Advanced as long as data rate, coverage and other attributes of the network can keep up with the growing data traffic.

A whitepaper produced by 3G Americas has some further thoughts on the topic.

As always, comments are welcome!

Wireshark Now Supports WPA Decryption

Good to see that Wireshark, my favorite network analysis tool, is now able to decrypt Wifi WPA protection. Starting with release 0.99.5, WPA information can be entered as shown here. It’s important that the trace also includes the authentication sequences for all mobiles in the network. This is necessary as each connection uses different session keys which are negotiated when a device enters the network.

Most of the time, it’s the beacon frames and other management information that is important when tracing Wifi. This is possible even without decrypting the content of the packets. However, once packets are decrypted their content can be analyzed by Wireshark and frames are marked in different colors in the main window. This makes it very simple, for example, to detect Wifi retransmissions due to missing ACKnowledgement frames. Without the different colors such retransmissions are much harder to spot.
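Why the trace has to contain each station's authentication sequence, shown as an added example (not Wireshark's code and not part of the original post): in WPA-PSK the passphrase and SSID only give the pairwise master key, while the per-connection keys also depend on the two nonces and MAC addresses carried in the handshake. The function names, MAC addresses, nonces, passphrase and SSID below are constructed for illustration.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i pseudo-random function built from HMAC-SHA1 with a counter byte."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pairwise_transient_key(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=64):
    """Per-connection key block derived from values seen in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def temporal_key(pmk, ap_mac, sta_mac, anonce, snonce):
    """The 16-byte data encryption key inside the key block."""
    return pairwise_transient_key(pmk, ap_mac, sta_mac, anonce, snonce)[32:48]


def demo():
    # Constructed sample values: one access point, two stations on the same
    # network with the same passphrase, each with its own handshake nonces.
    pmk = pmk_from_passphrase("constructed-passphrase", "ExampleNet")
    ap_mac = bytes.fromhex("020000000001")
    handshakes = [
        (bytes.fromhex("020000000010"), bytes([0x11]) * 32, bytes([0x21]) * 32),
        (bytes.fromhex("020000000020"), bytes([0x12]) * 32, bytes([0x22]) * 32),
    ]
    return [temporal_key(pmk, ap_mac, sta, anonce, snonce)
            for sta, anonce, snonce in handshakes]


if __name__ == "__main__":
    for index, key in enumerate(demo(), start=1):
        print("station", index, "temporal key:", key.hex())
```

Both stations share the same master key, yet their temporal keys differ, so a capture that misses a station's handshake lacks the nonces needed to derive that station's keys.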

Continuous Packet Connectivity (CPC) Is Not Sexy – Part 1

Currently, the 3GPP Standards body is giving the final touches to a set of features which are together referred to as Continuous Packet Connectivity (CPC). Several papers mention CPC but I haven’t found a single one so far who could really tell in simple words why these features are necessary and what they actually do. The reason for this is simple: While features like MIMO, spatial multiplexing, beamforming, etc. etc. are broad new concepts (and sound sexy…) CPC consists of a couple of deeply embedded features enhancing existing functionality. Twisting a couple of bits here and a couple of bits there is not very sexy and also not very understandable out of the box.

The Situation Today

With HSPA (HSDPA and HSUPA), mobile devices now have a multi megabit data bearer to both send and receive their data. As devices do not send data all the time there are the following activity states which require more or less interaction with the network:

  • Active: In this mode, the mobile uses HSDPA High Speed Downlink Shared Channels (HS-DSCHs) and an HSUPA Dedicated Uplink Channel (E-DCH).
  • During Short Periods of Inactivity (< around 10s): The network keeps the high speed channels in both uplink and downlink direction in place so the mobile can resume transferring data without delay. Keeping the high speed channels in place means that the mobile has to keep transmitting radio layer control information to the network which has a negative impact on battery life and also decreases the bandwidth for other devices in the cell. 10 seconds is certainly a compromise which is not always ideal since during a web browsing session, for example, it takes the user longer in many cases than this time to click on a new link.
  • During longer periods of inactivity (< around 30s): When no data is transferred for longer than a couple of seconds, the network puts the device on slow channels (RACH in uplink, FACH in downlink). This has the advantage that the mobile does not have to send radio layer control information back to the network anymore. This saves battery capacity to some extent. However, the mobile still has to observe the downlink channel to catch incoming data transmissions which also requires some energy. If the mobile wants to resume communication or in case data arrives for the device from the Internet, the network starts sending/receiving the data on the slow channels and starts a procedure to put the device back on the fast channels. However, this procedure takes in the order of 1 to 2 seconds so the user notices a delay when requesting a new web page for example. This delay is quite undesired.
  • Even longer periods of inactivity (> around 30 seconds): After about 30 seconds, or 60 seconds in some networks, the Radio Network Controller decides that it’s unlikely that the mobile will send or receive any more data for some time and thus puts the connection in Idle state. In this state the mobile does not have to send control information to the network and also does not have to listen to downlink transmissions except during periodic slots in which paging messages are broadcast. These paging messages are important to inform devices of incoming calls or of new data packets. For most of the time the mobile can now completely switch off the receiver and only activate it to receive paging messages and to scan for other cells of the network. If the mobile wants to transmit data again the radio layer has to request a channel again from the network. This takes even longer than the upgrade from a slow channel to a fast channel and results in an even longer delay before a web page starts loading. (Note: I won’t consider Cell-PCH and URA-PCH states for now)

The mobile keeps its IP address in all states, i.e. also in Idle state. Therefore, these state changes are transparent to applications and the user except for the delay when upgrading to a faster channel once data is transferred again.

Desired Improvements

Continuous Packet Connectivity aims at reducing the shortcomings described above. It introduces enhancements that keep a device on the high speed channels (i.e. in active state) as long as possible while no data transfer is ongoing, and it reduces the negative effects of doing so, i.e. the power consumption and the bandwidth required for radio layer signaling during that time.

CPC Enhancements

CPC introduces the following new features to reach these improvements:

In Uplink:

  • A new UL DPCCH slot format
  • UL DPCCH gating/discontinuous transmission
  • Implicit CQI reporting reduction

In the Downlink:

  • F-DPCH gating in DL
  • Discontinuous reception (DRX) at the UE
  • A so called HS-SCCH-less operation
  • Modified HS-SCCH for retransmission(s)

Unless you regularly attend 3GPP RAN meetings, this list probably won’t tell you much. But don’t despair, I’ll publish part two of "CPC is Not Sexy" soon in which I will describe these features in understandable terms.

Prepaid Mobile Internet Access In Austria

I am in Austria for a couple of days again and finally had the chance to get hold of a 3 Prepaid SIM card for Internet access. The price 3 charges per megabyte is 80 cents. It’s a bit too expensive to be used with a notebook but o.k. to check eMails and surf the web via the mobile phone.

The SIM card is €19,90 with an already included balance of 5 euros. When buying the SIM card make sure packet data services are activated for the SIM card in the shop. The access point name (APN) for web, eMail (POP3, SMTP), etc. is "drei.at". For easy access and bookmarking I’ve put the information on the Prepaid SIM Internet Access Wiki as well.

Happy surfing!

P.S.: For Internet access with a notebook while roaming in Austria, Vodafone Germany’s Websession offer is still the best choice.

A (WiMAX) world without SIM cards

A recent blog entry of mine on WiMAX terminals with and without support of EAP-SIM and thus SIM cards for authentication has provoked a number of interesting responses. What I take away from them is that first devices will probably not have a SIM card.

So the next logical question is how authentication is done in the absence of a SIM card!? I can see two basic approaches:

1. A device comes with a built in certificate. That’s straight forward. The user goes to a shop, buys a device, it gets activated for him and he’s set. While this is all nice and well the trouble starts when the device breaks or the user wants to use the services of another operator. No way with this model.

2. Another model would be to use a username and password to be supplied by the user. It could work in a similar fashion as with Wireless LAN today. I can also imagine user installable certificates. While both are a bit more complicated than pre-installed certificates, they would preserve the flexibility the SIM card approach offers today.

I like and depend on flexibility since I travel a lot and a device locked to a single network is useless for me. While I am certainly not the average user I am sure the majority would prefer openness over being locked into a single garden.

If you have further information on this topic, please leave a comment.

The Cost Of Vacation Connectivity

You might have noticed that I am blogging a bit less at the moment than normal. Among other things it’s got something to do with that I am currently on vacation traveling through Europe. Staying connected has become much easier in recent years but still requires a fair amount of self organization, a bag full of SIM cards and willingness to spend a certain amount of money. So how much do I spend for Internet connectivity during my 3 weeks vacation?

Things are complicated since I spend my vacation in four countries: Austria, Italy, southern France and Spain. For Austria I’ve bought a prepaid SIM from ‘3’ for eMail and Web access via my Nokia N93. Works well and details will follow in a separate blog entry. Cost: 20 Euros for the SIM card and credit which lasted me for the time I spent in Austria. During 3 days I required full Internet access so in addition I used two Vodafone Web Sessions for 15 Euros each. Total amount spent in Austria: 50 Euros.

Next stop Italy. Here, things are simple. I already have a TIM prepaid SIM and use it for notebook and phone web access. 20 Euros buy me 500 MB. That’s good enough for the 5 days I am staying in ‘Bella Italia’.

Next, the south of France is on my agenda for about 10 days. I’ll use Orange’s prepaid SIM for eMail and web access via the mobile phone. That’s 6 euros. In addition I will probably need full Internet access during 4 days. That’s four Vodafone Websessions that add up to 60 Euros.

Final Stop: Spain. Just a weekend but it’s unlikely that I want to spend them disconnected. Maybe I will find enough open Wifi Access Points in the street. An alternative is a Yoigo prepaid SIM with web access for a euro a day. The SIM will cost a couple of Euros, too. Well, we’ll see.

Altogether, that’s going to be around 150 Euros. Definitely not on the cheap side. I wished ‘3’ would be present in all countries I (live and) travel to since they don’t charge extra for data roaming in their networks.

For the details on the prepaid SIMs I use, take a look on the left side on the blog for the link to the Prepaid SIM Internet Access Wiki.

802.11 Options, Options, Options

Gone are the days when standards were pure and simple (well, probably never simple, but at least pure…). Today, it seems they are cluttered with options of which most are probably never going to be implemented. The Wireless LAN 802.11 standard seems to be no exception. Let me make two examples:

Packet Transmission:

  • Default: This is the good old "backoff period – send – ack" mechanism. Easy, works well but performance is not that great.
  • Frame Bursting: Packets are sent in the following manner: "packet – ack – packet – ack – packet – ack". Still easy, was implemented as a proprietary enhancement in many 802.11g products and has been sort of legalized with 802.11e (WMM).
  • Block Acknowledgments: An addition to frame bursting which allows transmissions without ack’s. A whole set of frames are then acknowledged once they are all sent. To make things just a bit more complicated there’s immediate ACK and delayed ACK (which seems to have been defined for devices which can’t tell right away if all went fine).
  • Aggregation: And on top, 802.11n has now specified that several MAC frames can be put into a physical frame which can now have a size of up to 64kByte. Looks like this is mandatory so all 802.11 devices should support this.

The statistics on this one are not so bad. Even low end 802.11n devices should support the default method, frame bursting and aggregation. Haven’t seen block ack’s implemented in the devices that have come by me, however.

Power Saving:

I can see at least four possibilities here:

  • Standard Power Save (PS): This has been in the standards since the beginning. Devices tell the AP that they are going to sleep and the access point buffers incoming packets. When devices wake up and see that the access point has packets waiting for them they poll for each buffered frame.
  • U-APSD: Unscheduled Automated Power-Save Delivery: Introduced by 802.11e, optional in the WMM (Wireless Multimedia) specification. Similar to PS above but once a device sends a trigger frame, the access point forwards all frames in the buffer that fit into the service period during which the device is active. Once the service period is over, the device automatically goes back to sleep.
  • S-APSD: Scheduled Automated Power-Save Delivery: No trigger frames. Instead, a schedule is agreed between the access point and wireless devices. The devices then wake up at predefined instants and packets are delivered automatically. This one is not included in the WMM specification, so this one probably has no chance of seeing the light of day.
  • PSMP: Power Save Multi Poll. Yet another power save scheme which was lately introduced with the 802.11n High Throughput specification. This one schedules uplink and downlink transmissions of end user devices. Outside the scheduled times, devices can enter sleep mode. It looks like this power save mode has been designed for devices and applications that have constant data streams with a static bandwidth requirement (e.g. VoIP, video streaming etc.). Nice but also optional.

Statistics on this one are bad. I haven’t seen an access point yet that supports more than the classic PS mode. Has anyone seen more than this implemented yet?