Vulnerability and Enhancement on Bluetooth Pairing and Link Key Generation Scheme for Security Modes 2 and 3

  • Da-Zhi Sun
  • Xiao-Hong Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9977)


Following the adopted Bluetooth standard specifications, we examine the security of the pairing and link key generation scheme for Security Modes 2 and 3. The contribution is threefold. (1) We demonstrate that the pairing and link key generation scheme for Security Modes 2 and 3 is vulnerable to the known-key attack. That is, an attacker without any long-term secret key is able to impersonate the targeted Bluetooth device at any time, once he obtains a short-term secret key, i.e., the initialization key, from its previous successful run. (2) An improved scheme is therefore proposed to overcome the known-key attack. (3) A security model is also presented to check the improved scheme. The improved scheme provably prevents the known-key attack on the original pairing and link key generation scheme for Security Modes 2 and 3. In addition, the improved scheme is more efficient than the original pairing and link key generation scheme.


Bluetooth standard; Pairing; Link key generation; Known-key attack; Security model; Bluetooth device



We thank the anonymous reviewers for their useful comments. The work of Dr. Da-Zhi Sun was supported in part by the State Scholarship Fund of the China Scholarship Council, in part by the Open Project of Shanghai Key Laboratory of Trustworthy Computing under Grant No. 07dz22304201402, and in part by National Natural Science Foundation of China under Grant Nos. 61003306 and 61272106.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. School of Computer Science and Technology, Tianjin University, Tianjin, People’s Republic of China
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, People’s Republic of China
