
THE AUTHENTICATION AND KEY-GENERATING FUNCTIONS

The X-input of the inquiry substate is quite similar to what is used in the page substate. Since no particular unit is addressed, the native clock CLKN of the

14 BLUETOOTH SECURITY

14.5 THE AUTHENTICATION AND KEY-GENERATING FUNCTIONS

This section describes the algorithmic means for supporting the Bluetooth security requirements on authentication and key generation.

14.5.1 The authentication function E1

The authentication function $E_1$ proposed for Bluetooth is a computationally secure authentication code, often called a MAC. $E_1$ uses the encryption function called SAFER+. The algorithm is an enhanced version¹ of an existing 64-bit block cipher SAFER-SK128, and it is freely available. In the sequel the block cipher will be denoted as the function $A_r$ which maps, under a 128-bit key, a 128-bit input to a 128-bit output, i.e.

(EQ 31)

The details of $A_r$ are given in the next section. The function $E_1$ is constructed using $A_r$ as follows

(EQ 32)

where , where is a keyed hash function defined as²,

(EQ 33)

and where

1. It is presently one of the contenders for the Advanced Encryption Standard (AES) submitted by Cylink, Corp, Sunnyvale, USA

2. The operator $+_{16}$ denotes bytewise addition mod 256 of the 16 octets, and the operator $\oplus_{16}$ denotes bytewise XORing of the 16 octets.

$$E:\ \{0,1\}^{8\times L}\times\{6,12\}\rightarrow\{0,1\}^{8\times 16},\qquad (X[0,\ldots,L-1],\,L)\mapsto (X[i \pmod{L}]\ \text{for}\ i=0\ldots 15), \qquad \text{(EQ 34)}$$

is an expansion of the $L$ octet word $X$ into a 128-bit word. Thus we see that we have to evaluate the function $A_r$ twice for each evaluation of $E_1$. The key $\tilde{K}$ for the second use of $A_r$ (actually $A'_r$) is offset from $K$ as follows¹

$$\begin{aligned}
\tilde{K}[0] &= (K[0]+233) \bmod 256, & \tilde{K}[1] &= K[1]\oplus 229,\\
\tilde{K}[2] &= (K[2]+223) \bmod 256, & \tilde{K}[3] &= K[3]\oplus 193,\\
\tilde{K}[4] &= (K[4]+179) \bmod 256, & \tilde{K}[5] &= K[5]\oplus 167,\\
\tilde{K}[6] &= (K[6]+149) \bmod 256, & \tilde{K}[7] &= K[7]\oplus 131,\\
\tilde{K}[8] &= K[8]\oplus 233, & \tilde{K}[9] &= (K[9]+229) \bmod 256,\\
\tilde{K}[10] &= K[10]\oplus 223, & \tilde{K}[11] &= (K[11]+193) \bmod 256,\\
\tilde{K}[12] &= K[12]\oplus 179, & \tilde{K}[13] &= (K[13]+167) \bmod 256,\\
\tilde{K}[14] &= K[14]\oplus 149, & \tilde{K}[15] &= (K[15]+131) \bmod 256.
\end{aligned} \qquad \text{(EQ 35)}$$

A data flowchart of the computation of $E_1$ is depicted in Figure 14.12 on page 173. $E_1$ is also used to deliver the parameter ACO (Authenticated Ciphering Offset) that is used in the generation of the ciphering key by $E_3$, see equations (EQ 23) and (EQ 43). The value of ACO is formed by the octets 4 through 15 of the output of the hash function defined in (EQ 33), i.e.

$$\text{ACO} = \text{Hash}(K, \text{RAND}, \text{address}, 6)[4, \ldots, 15]. \qquad \text{(EQ 36)}$$

1. The constants are the first largest primes below 257 for which 10 is a primitive root.

Figure 14.12: Flow of data for the computation of $E_1$.

14.5.2 The functions Ar and A’r

The function $A_r$ is identical to SAFER+. It consists of a set of 8 layers (each layer is called a round) and a parallel mechanism for generating the sub keys , , the so-called round keys to be used in each round. The function will produce a 128-bit result from a 128-bit “random” input string and a 128-bit “key”. Besides the function $A_r$, a slightly modified version referred to as $A'_r$ is used in which the input of round 1 is added to the input of the 3rd round.

This is done to make the modified version non-invertible and to prevent the use of $A'_r$ (especially in ) as an encryption function. See Figure 14.13 on page 174 for details.

14.5.2.1 The round computations

The computations in each round are a composition of encryption with a round key, substitution, encryption with the next round key, and, finally, a Pseudo Hadamard Transform (PHT). The computations in a round are shown in Figure 14.13 on page 174. The sub keys for round $r$ are denoted $K_{2r-1}[j]$, $K_{2r}[j]$, $j = 0, 1, \ldots, 15$. After the last round $k_{17}[j]$ is applied in a similar fashion as all previous odd numbered keys.

[Figure legend: add: 16 8-bit additions mod 256]

14.5.2.2 The substitution boxes “e” and “l”

In Figure 14.13 on page 174 two boxes occur, marked “e” and “l”. These boxes implement the same substitutions as used in SAFER+; i.e. they implement

$$e, l:\ \{0,\ldots,255\}\rightarrow\{0,\ldots,255\},\qquad e: i \mapsto (45^{i} \pmod{257}) \pmod{256},\qquad l: i \mapsto j\ \ \text{s.t.}\ \ i = e(j).$$

Their role, as in the SAFER+ algorithm, is to introduce non-linearity.

Figure 14.13: One round in $A_r$ and $A'_r$. The permutation boxes show how input byte indices are mapped onto output byte indices. Thus, position 0 (leftmost) is mapped on position 8, position 1 is mapped on position 11, et cetera.

[Figure 14.13 labels: 128-bit round-key inputs $K[0..15]$ and $K_{2r}[0..15]$; substitution boxes “e” and “l”; PHT boxes; addition mod 256; bitwise XOR; PHT(x,y) = (2x+y mod 256, x+y mod 256).]
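The building blocks specified in 14.5.1 and 14.5.2 (the “e” and “l” boxes, the PHT, the expansion E of (EQ 34), the key offset of (EQ 35) and the ACO selection of (EQ 36)), written out as an added Python example. It is not code from the specification and does not implement the full SAFER+ rounds or key schedule; all function and constant names are assumptions chosen here.

```python
# Added example (names are illustrative, not from the specification).

# Substitution boxes: e(i) = (45^i mod 257) mod 256, and l is the inverse of e.
E_BOX = [pow(45, i, 257) % 256 for i in range(256)]
L_BOX = [0] * 256
for j, v in enumerate(E_BOX):
    L_BOX[v] = j

def pht(x, y):
    """Pseudo Hadamard Transform on two octets: (2x+y mod 256, x+y mod 256)."""
    return (2 * x + y) % 256, (x + y) % 256

def expand(x, length):
    """Expansion E of (EQ 34): repeat an L-octet word cyclically to 16 octets."""
    if length not in (6, 12) or len(x) != length:
        raise ValueError("E is defined only for L in {6, 12}")
    return bytes(x[i % length] for i in range(16))

# Constants of (EQ 35). Octets 0..7 alternate add/XOR starting with add;
# octets 8..15 reuse the same constants but start with XOR.
OFFSETS = (233, 229, 223, 193, 179, 167, 149, 131)

def offset_key(k):
    """Derive the second key K~ from K as in (EQ 35)."""
    if len(k) != 16:
        raise ValueError("K must be 16 octets")
    out = bytearray(16)
    for i in range(16):
        c = OFFSETS[i % 8]
        use_add = (i % 2 == 0) if i < 8 else (i % 2 == 1)
        out[i] = (k[i] + c) % 256 if use_add else k[i] ^ c
    return bytes(out)

def aco_from_hash(h):
    """ACO of (EQ 36): octets 4 through 15 of the 16-octet Hash output."""
    if len(h) != 16:
        raise ValueError("Hash output must be 16 octets")
    return h[4:16]
```

Because 45 generates the multiplicative group mod 257, `E_BOX` is a permutation of 0..255 (with e(128) = 0), which is what makes the inverse table `L_BOX` well defined.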

14.5.2.3 Key scheduling

In each round, 2 batches of 16 octet-wide keys are needed. These so-called round keys are derived as specified by the key scheduling in SAFER+. Figure 14.14 on page 175 gives an overview of how the round keys are determined. The bias vectors B2, B3, ..., B17 are computed according to the following equation:

(EQ 37)

Figure 14.14: Key scheduling in .

14.5.3 E2-Key generation function for authentication

The key used for authentication is derived through a procedure that is shown in Figure 14.15 on page 177. The figure shows two different modes of operation for the algorithm. In the first mode, the function should produce on input of a 128-bit RAND value and a 48-bit address, a 128-bit link key . This mode is utilized when creating unit keys and combination keys. In the second mode the function should produce, on input of a 128-bit RAND value and an octet user PIN, a 128-bit link key . The second mode is used to create the initialization key, and also whenever a master key is to be generated.

[Figure 14.14 labels: 128 bit key grouped in 16 octets; sum octets; rotate each octet left by 3 bit positions; $K_p[j]$.]

When the initialization key is generated, the PIN is augmented with the BD_ADDR of the claimant unit. The augmentation always starts with the least significant octet of the address immediately following the most significant octet of the PIN. Since the maximum length of the PIN used in the algorithm cannot exceed 16 octets, it is possible that not all octets of BD_ADDR will be used.

This key generating algorithm again exploits the cryptographic function. Formally can be expressed for mode 1 (denoted ) as

(EQ 38)

where (for mode 1)

(EQ 39)

Let be the number of octets in the user PIN. The augmenting is defined by

(EQ 40)

where it is assumed that unit B is the claimant. Then, in mode 2, (denoted ) can be expressed as

(EQ 41)

Figure 14.15: Key generating algorithm and its two modes. Mode 1 is used for unit and combination keys, while mode 2 is used for and .

14.5.4 E3-Key generation function for encryption

The ciphering key used by is generated by . The function is constructed using as follows

(EQ 43)

where is the hash function as defined by (EQ 33). Note that the produced key length is 128 bits. However, before use within , the encryption key will be shortened to the correct encryption key length, as described in Section 14.3.5 on page 165. A block scheme of is depicted in Figure 14.16.

The value of COF is determined as specified by equation (EQ 23).

Figure 14.16: Generation of the encryption key.

E22