Simple Bluetooth Security Manager based on the Open Bluetooth stack

Dec. 18. 2001

Jongbae Park
(+82-42-866-6162)
(jbpark@icu.ac.kr)



Contents

Bluetooth Introduction

Bluetooth security architecture

Axis Bluetooth stack

Simple Security Manager Implementation

Result

What Is an Emerging Technology Called Bluetooth?

Bluetooth

Nobody loves wires!
Forget Plug and Play - just Play
1Mbps (Sync), 723kbps (Async)
2.4GHz ISM band
1 or 100mW, 10 m
$4 @2003 ~
3 voice channels
8 participants in a piconet

Bluetooth: a short-range radio technology for integration into mobile and handheld devices that is targeted to replace cables.

What Does Bluetooth Wireless Technology Do For You?

Landline
Data/Voice Access Points
Personal Ad-hoc Networks
Cable Replacement

PAN WG

Bluetooth Protocol Stack

IF/RF (BT1/BT2)
Baseband (BT1/BT2)

Bluetooth Products

T39
T28 w/ Adapter
R520

Products

3Com PC Card, USB Adapter - CSR, Parthus
ATO Headset - Ericsson
Axis AP
Brain Boxes - PC Card, RS232 Adapter, CF Card - CSR, Socket Comm.

Bluetooth security architecture

3 Security modes are defined:
Security Mode 1: non-secure
Security Mode 2: service level enforced security
Security Mode 3: link level enforced security

Security Mode 2: the Bluetooth device initiates security procedures after the channel is established (at the higher layers).

Security Mode 3: the Bluetooth device initiates security procedures before the channel is established (at the lower layers).

Bluetooth security architecture

Example Bluetooth Security Architecture

Bluetooth security architecture

1. Store security-related information on services and devices.

2. Answer access requests by protocol implementations or applications (either access granted or refused).

3. Enforce authentication and/or encryption before connecting to the application.

4. Initiate or process input from the device user to set up trusted relationships on device level.

5. Initiate pairing and query PIN entry by the user. PIN entry might also be done by an application.

14

AXIS BLUETOOTH STACK

The AXIS OpenBT Stack: implementation of the Bluetooth stack for Linux. Bluetooth driver for Linux kernel v2.0, v2.2 and v2.4. http://sourceforge.net/projects/openbt/

AXIS BLUETOOTH STACK

Structure of the AXIS OpenBT Bluetooth stack

AXIS BLUETOOTH STACK - Security

AXIS BLUETOOTH STACK - Sec_manager

Function name / Description

sec_client_shutdown
static void sec_client_shutdown()
Sets security_query.originator = KERNEL. If the kernel version is defined, prints the "wake_up process~~" message.

sec_man_init
static void sec_man_init(enum security_requests user)
If the kernel version is defined, calls open_socket().

sec_man_check
static void sec_man_check(enum security_requests user, BD_ADDR bd_addr, u32 service_data, u32 user_data)
If the kernel version is defined and sec_man_sock is less than 0 (no security manager is present), prints an error message. If the kernel version is not defined, calls sec_man_doquery().

sec_man_event
static void sec_man_event(enum security_requests user, BD_ADDR bd_addr, u8 event, u8 *param, u8 param_len)
Compares param_len with MAX_EVENT_DATA_LENGTH. If param_len is larger, prints "event data length too long" and memcpys only MAX_EVENT_DATA_LENGTH bytes of param into security_query.event_param; otherwise memcpys param_len bytes. Then calls sec_man_doquery().

open_socket
int open_socket(char *name)
Opens a socket. If the connection is less than 0 the socket cannot be opened, so it prints an error message saying the security manager cannot be used.

sec_man_proc_dir_entry_read

AXIS BLUETOOTH STACK - Sec_manager

static s32 sec_man_proc_dir_entry_read(char *buf, char **start, off_t offset, s32 len, s32 unused)
Calls sec_man_read().

sec_man_read
static s32 sec_man_read(struct inode *inode, struct file *file, char *buf, s32 count)
If security_query.originator is not BT_SEC_MAN, prints a "no response" message and calls interruptible_sleep_on().
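The bounded copy that the sec_man_event entry above describes, written out as an added example (not OpenBT code): the struct layout, the MAX_EVENT_DATA_LENGTH value, and the sec_man_event_store and demo names are assumptions made for the example; the event code 0x16 is PIN_CODE_REQUEST from the HCI specification and the peer address is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BD_ADDRESS_SIZE 6
#define MAX_EVENT_DATA_LENGTH 16   /* assumed capacity of security_query.event_param */
typedef uint8_t u8;

struct security_query {            /* assumed layout: only the fields this example fills */
    u8 bd_addr[BD_ADDRESS_SIZE];
    u8 event;
    u8 event_param[MAX_EVENT_DATA_LENGTH];
    u8 event_param_len;
};
static struct security_query security_query;

/* Store an HCI event for the security manager. At most MAX_EVENT_DATA_LENGTH
 * bytes of param are copied, so an oversized param_len is truncated (and
 * reported) instead of overrunning event_param. Returns the bytes kept. */
size_t sec_man_event_store(const u8 *bd_addr, u8 event, const u8 *param, u8 param_len)
{
    size_t n = param_len;
    if (n > MAX_EVENT_DATA_LENGTH) {
        printf("sec_man_event: event data length too long (%u > %d)\n",
               (unsigned)param_len, MAX_EVENT_DATA_LENGTH);
        n = MAX_EVENT_DATA_LENGTH;
    }
    memcpy(security_query.bd_addr, bd_addr, BD_ADDRESS_SIZE);
    security_query.event = event;
    memset(security_query.event_param, 0, sizeof security_query.event_param);
    memcpy(security_query.event_param, param, n);
    security_query.event_param_len = (u8)n;
    return n;
}

/* Constructed check: a 20-byte parameter block is cut to 16 bytes, while the
 * 6-byte BD_ADDR that PIN_CODE_REQUEST carries is kept whole. Returns 1 on success. */
int demo(void)
{
    u8 peer[BD_ADDRESS_SIZE] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};   /* constructed address */
    u8 big[20];
    for (int i = 0; i < 20; i++) big[i] = (u8)i;
    size_t kept = sec_man_event_store(peer, 0x16, big, sizeof big);  /* 0x16: HCI PIN_CODE_REQUEST */
    if (kept != MAX_EVENT_DATA_LENGTH || security_query.event_param[15] != 15) return 0;
    kept = sec_man_event_store(peer, 0x16, peer, sizeof peer);
    return kept == 6 && security_query.event_param[6] == 0 && security_query.event_param_len == 6;
}
```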

AXIS BLUETOOTH STACK - Sec_manager

sec_man_write
static s32 sec_man_write(struct inode *inode, struct file *file, const char *buf, s32 count)
If sec_hdl->originator == BT_SEC_MAN (i.e. a new request can be accepted), sets security_query.originator = SEC_CLIENT. If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response(); if it is RFCOMM, calls rfcomm_process_sec_man_response().

sec_man_doquery
static s32 sec_man_doquery(s32 fd, u8 *request)
Reads security_query's size worth of bytes from sec_man_sock and stores them in request. n = the number of bytes read from sec_man_sock into tmpbuf (up to BUFFER_SIZE). If n is smaller than the size of security_query, prints that a response of db_hdl len bytes was given. If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response(); if it is RFCOMM, calls rfcomm_process_sec_man_response().

sec_client_shutdown
static void sec_client_shutdown()
Prints a message that the wake_up process is awakening.

init_link_key_list
static void init_link_key_list()
link_key_list.first = NULL; link_key_list.last = NULL; link_key_list.cur = NULL; link_key_list.count = 0;

free_link_key_list
static void free_link_key_list()
Calls delete_link_key().

create_link_key
link_key_information_type *create_link_key(unsigned char *bd_addr, unsigned char *link_key_str)
Checks the link key list size and reports whether a new link key element can be allocated. If link_key_list.count equals MAX_LINKKEYLISTSIZE, a "connection list full" error message is printed.

get_next_link_key
link_key_information_type *get_next_link_key(link_key_information_type *link_key)
If link_key_list.first equals link_key->next, returns NULL.

insert_link_key
static void insert_link_key(link_key_information_type *new_link_key)
If the list is empty:
link_key_list.first = new_link_key;
link_key_list.cur = new_link_key;
link_key_list.last = new_link_key;
link_key_list.count++;
new_link_key->next = link_key_list.first; /* Point at itself */
new_link_key->prev = link_key_list.first;
If the list is not empty:
old_link_key = link_key_list.first; /* mark old link_key first */
new_link_key->next = old_link_key;
link_key_list.last->next = new_link_key;
old_link_key->prev = new_link_key;
new_link_key->prev = link_key_list.last;
link_key_list.cur = new_link_key; /* Set current to new element */
link_key_list.first = new_link_key; /* Set first to new element */
link_key_list.count++;

delete_link_key
static s32 delete_link_key(link_key_information_type *link_key)
Removes the element and updates the pointers. If it is the last element (link_key_list.count == 1):
link_key_list.count--;
link_key_list.first = NULL;
link_key_list.cur = NULL;
link_key_list.last = NULL;
kfree(link_key);

sec_man_create_proc_file
static s32 sec_man_create_proc_file(void)
Initializes the wait queue by calling init_waitqueue_head(). If the proc entry is registered successfully (create_proc_entry() call), sets the required structure information.

sec_man_remove_proc_file
static s32 sec_man_remove_proc_file(void)
If LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0), calls remove_proc_entry(); otherwise calls proc_unregister().

sec_man_get_cached_link_key
static void sec_man_get_cached_link_key(u8 *param)
Calls get_first_link_key(). If the link key is not NULL, memcpys BD_ADDRESS_SIZE bytes of link_key->bd_addr into param and then LINK_KEY_SIZE bytes of link_key->link_key into param + BD_ADDRESS_SIZE. If the link key is NULL, memsets the buffer instead.
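The link-key list that the init_link_key_list through delete_link_key entries above describe, rebuilt as an added, stand-alone example rather than the OpenBT source: MAX_LINKKEYLISTSIZE is set to 4 here, calloc/free stand in for the kernel allocator, and find_link_key is an assumed helper that shows why get_next_link_key has to return NULL on wrap-around.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define BD_ADDRESS_SIZE 6
#define LINK_KEY_SIZE 16
#define MAX_LINKKEYLISTSIZE 4   /* assumed small cap so the "list full" path is reachable */
typedef struct link_key_information {
    uint8_t bd_addr[BD_ADDRESS_SIZE], link_key[LINK_KEY_SIZE];
    struct link_key_information *next, *prev;
} link_key_information_type;
static struct { link_key_information_type *first, *last, *cur; int count; } link_key_list;

/* Allocate an element; refuses once MAX_LINKKEYLISTSIZE keys are cached ("list full"). */
link_key_information_type *create_link_key(const uint8_t *bd_addr, const uint8_t *key) {
    if (link_key_list.count >= MAX_LINKKEYLISTSIZE) return NULL;
    link_key_information_type *e = calloc(1, sizeof *e);
    if (e) { memcpy(e->bd_addr, bd_addr, BD_ADDRESS_SIZE); memcpy(e->link_key, key, LINK_KEY_SIZE); }
    return e;
}
/* Insert at the head of the circular list; a lone element points at itself. */
void insert_link_key(link_key_information_type *n) {
    if (link_key_list.count == 0) { n->next = n->prev = n; link_key_list.last = n; }
    else { n->next = link_key_list.first; n->prev = link_key_list.last;
           link_key_list.last->next = n; link_key_list.first->prev = n; }
    link_key_list.first = link_key_list.cur = n;
    link_key_list.count++;
}
/* NULL once the walk wraps back to the head: the stop condition the slide gives. */
link_key_information_type *get_next_link_key(link_key_information_type *k) {
    return k->next == link_key_list.first ? NULL : k->next;
}
/* Assumed lookup helper: walk from the newest key until the wrap-around sentinel. */
link_key_information_type *find_link_key(const uint8_t *bd_addr) {
    for (link_key_information_type *k = link_key_list.first; k; k = get_next_link_key(k))
        if (!memcmp(k->bd_addr, bd_addr, BD_ADDRESS_SIZE)) return k;
    return NULL;
}
/* Unlink and free; removing the last element resets the list, as delete_link_key does. */
void delete_link_key(link_key_information_type *k) {
    if (link_key_list.count == 1) link_key_list.first = link_key_list.last = link_key_list.cur = NULL;
    else {
        k->prev->next = k->next; k->next->prev = k->prev;
        if (link_key_list.first == k) link_key_list.first = k->next;
        if (link_key_list.last == k) link_key_list.last = k->prev;
        if (link_key_list.cur == k) link_key_list.cur = k->next;
    }
    link_key_list.count--;
    free(k);
}
```

Without the wrap-around check in get_next_link_key a lookup miss would loop forever, because the last element's next pointer leads back to first.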

Result

HCI: process_event, REMOTE_NAME_REQUEST_COMPLETE AXIS 9010 (129.132.164.116)
HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
BT DATA <--|X| 8
HCI: send_cmd_queue, end : 0 cmds left in queue
HCI: send_acl_data_task, 0 bytes
BT DATA -->|X| 9
hci_receive_data, hci-9
HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
HCI: process_event, COMMAND_COMPLETE
HCI: <CC> process_return_param, WRITE_LINK_POLICY_SETTINGS
HCI: update_nhcp, Num_HCI_Command_Packets=1
HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
HCI: send_cmd_queue, end : 0 cmds left in queue
BT DATA -->|X| 9
hci_receive_data, hci-9
HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
HCI: process_event, PIN_CODE_REQUEST
forwarding event to security manager
Called my_sec_man
We are in SEC_MAN_LOOPBACK mode ...
hci_pin_code_request_reply
New pin is (3): 0x31 0x32 0x33
hci_pin_code_request_reply
BD_addr (6): 0x73 0x85 0x58 0x8c 0x40 0x00
hci_pin_code_request_reply, pin (3): 0x31 0x32 0x33
HCI: start_cmd_timer
HCI: insert_cmd
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664
Aiee: scheduling in interrupt 90066664

Result

my sec_manager:

    void my_sec_man(BD_ADDR bd_addr)
    {
        BD_ADDR address;
        char pin[] = "123";   /* fixed test PIN used in loopback mode */
        char len = 3;         /* length of the PIN in bytes */
        printk("We are in SEC_MAN_LOOPBACK mode ...\n");
        memcpy(address, bd_addr, BD_ADDRESS_SIZE);      /* copy the peer's Bluetooth device address */
        hci_pin_code_request_reply(address, pin, len);  /* answer the PIN_CODE_REQUEST with the fixed PIN */
    }