Journal of Computer Science and Technology

   

Side-Channel Analysis for the Re-keying Protocol of Bluetooth Low Energy

Pei Cao (曹培), Chi Zhang (张驰), Xiang-Jun Lu (陆相君), Hai-Ning Lu (陆海宁), and Da-Wu Gu* (谷大武), Distinguished Member, CCF, Member, ACM   

  1. School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
  • Contact: Da-Wu Gu, E-mail: dwgu@sjtu.edu.cn
  • About the author: Da-Wu Gu is a distinguished professor at the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai. He received his B.S. degree in applied mathematics in 1992, and his M.S. degree in 1995 and Ph.D. degree in 1998, both in cryptography, from Xidian University of China, Xi'an. His research interests include crypto algorithms, crypto engineering, and system security. He leads the Laboratory of Cryptology and Computer Security (LoCCS) at SJTU, Shanghai. He was selected for the Chang Jiang Scholars Distinguished Professors Program by the Ministry of Education of China in 2014. He won the National Award of Science and Technology Progress in 2017. He has over 150 scientific papers in academic journals and conferences, and holds 28 innovation patents.

In the era of the Internet of Things, Bluetooth Low Energy (BLE/BTLE) plays an important role as a well-known wireless communication technology. While the security and privacy of BLE have been analyzed and fixed several times, the threat of side-channel attacks to BLE devices is still not well understood. In this work, we highlight a side-channel threat to the re-keying protocol of BLE. This protocol uses a fixed long term key for generating session keys, and the leakage of the long term key could render the encryption of all the following (and previous) connections useless. Our attack exploits the side-channel leakage of the re-keying protocol when it is implemented on embedded devices. In particular, we present successful correlation electromagnetic analysis and deep learning-based profiled analysis that recover long term keys of BLE devices. We evaluate our attack on an ARM Cortex-M4 processor (Nordic Semiconductor nRF52840) running Nimble, a popular open-source BLE stack. Our results demonstrate that the long term key can be recovered with only a small number of electromagnetic traces. Further, we summarize the features and limitations of our attack, and suggest a range of countermeasures to prevent it.


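Chinese Abstract

1. Context
With the spread of Internet of Things (IoT) devices, security problems arising from the design and implementation of IoT protocols keep emerging. Among IoT protocols, wireless communication technologies represented by Bluetooth Low Energy (BLE) play an important role. Over the past few years, the security properties of the BLE protocol have been further improved through repeated fixes, but the ability of BLE devices to resist side-channel attacks has not yet been studied sufficiently.
2. Objective
This paper analyzes the potential side-channel attack threats in the protocol and implementation of BLE devices, and proposes feasible side-channel attack methods for different attack scenarios (profiled and non-profiled attacks). It also proposes countermeasures against such attacks, providing recommendations for the secure design and secure implementation of the protocol.
3. Method
Targeting the key steps of the BLE re-keying protocol, this paper uses sniffing to capture the plaintext data of the AES-128 encryption, while using an electromagnetic probe and an oscilloscope to capture the side-channel information of the Bluetooth chip. After the side-channel data has been collected, correlation electromagnetic analysis (CEMA) and deep learning-based profiled analysis (DLPA) are each used to attack the key steps of the AES-128 algorithm and recover the long term key (LTK) of the BLE device, which in turn allows the content of the Bluetooth communication to be decrypted.
4. Result
This paper validates the effectiveness of the proposed attack methods on the nRF52840 chip (running the Nimble Bluetooth stack). For the software AES implementation, the minimum numbers of electromagnetic traces required for the CEMA and DLPA attacks to succeed are 9000 and 30, respectively. For the hardware AES implementation of the nRF52840, the attack is more costly: the number of traces required for a successful attack is more than 10 times that of the software implementation.
5. Conclusions
For BLE devices, this paper proposes an attack method that combines sniffing with side-channel analysis. Using this method, the LTK of paired BLE devices can be recovered and the data communicated between the devices can be decrypted. This paper confirms that side-channel attacks against BLE devices are feasible; protocol designers and device manufacturers should therefore take the threat of side-channel attacks seriously and apply side-channel countermeasures appropriately to protect BLE devices. In addition, side-channel analysis of IoT devices that use other communication protocols is a direction for further research.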


Key words: Bluetooth Low Energy; long term key; re-keying protocol; side-channel analysis

ISSN 1000-9000 (Print), 1860-4749 (Online)
CN 11-2296/TP
