The Host Controller Interface

Introduction to Bluetooth®
March 3, 2011
1
Frequency Hopping Spread Spectrum
Information about the Master device determines the channel
selection sequence
• The Master’s unique device address (“Bluetooth Device Address” or
BD_ADDR) is one of the components in the channel selection
sequence
• The Master’s internal clock (“Bluetooth clock”) is another component
of the channel selection sequence
• The two components taken together provide enough randomness in
the channel selection sequence that a reasonable number of
Bluetooth piconets can operate in the same physical space
The Master’s Bluetooth clock is rarely “on the air”, so the
frequency hopping provides a measure of security
Bluetooth Networks
Device Addressing
Bluetooth Device Addressing uses the IEEE 48 bit MAC address
format.
• Each Bluetooth device has a unique address known as the Bluetooth
Device Address
• The upper 24 bits are an Organizationally Unique Identifier (OUI)
assigned by the IEEE
• This is commonly referred to as a BD_ADDR
Masters and Slaves
A Bluetooth “Master” is a device that initiates a connection to
another device
A Bluetooth “Slave” is a device that accepts a connection from a
Master
A device that is not currently connected is neither a Master nor a
Slave
A Bluetooth network consists of one Master device and up to
seven Slave devices
• This is called a “piconet”
• When a device participates in more than one piconet, a “scatternet” is
present
Masters and Slaves
The Master device provides timing and access control for Slave
devices
• Slaves do not speak unless spoken to
Slave devices only communicate with their associated Master
devices
• Slave devices do not directly communicate with one another
After a connection is established, a Master and Slave may choose to
trade places
• This is referred to as a “Role Switch”
Inquiry and Paging
Device Discoverability
Bluetooth devices may be placed into a mode where they
periodically listen for a request to locate nearby devices
• This is referred to as “Inquiry Scanning”
• A device that is not Inquiry Scanning will not receive the “Inquiry Request”
and is therefore invisible to the Device Discovery process
When an Inquiry request message is received, the device responds
with its BD_ADDR, Bluetooth Clock, Class of Device and some
other information
• The Class of Device is a rough description of the device and can be used to
filter away devices that are not of interest
“Inquiry Scanning”, “Inquirable” and “Discoverable” are often
used interchangeably
Device Connectability
Bluetooth devices may be placed into a mode where they
periodically listen for a request from another device to initiate a
physical connection
• This is referred to as “Page Scanning”
• A device that is not Page Scanning will not receive the “Page Request” and
is therefore invisible to the Device Connection process
When the device is in this mode, and it receives a request with
its device address, it responds to the requesting device and
the process of creating a physical connection ensues
“Page Scanning”, “Pageable” and “Connectable” are often used
interchangeably
Device Connectability
A device may be in any combination of Inquirable and Pageable as
needed
Security
Link Keys
Two devices may establish a common secret known as a “Link
Key”
This allows two devices to determine that they know each
other at a later time
• The devices exchange information based on what they believe is the
shared link key
• If the information is correct, the two devices are known to each other
• This is known as LMP Authentication
The Link Key itself is never transmitted over the air
• Instead, values derived from the Link Key, a large random number, and
some other data items are used to compute the information that
appears on the air
LMP Authentication
The results from the Authentication process do not persist
across connections
• If a connection is broken, the devices must Authenticate again at their
next connection
Authentication must be performed before encryption is
enabled
• One of the values from the Authentication process is used in the
computation of the seed for the encryption key sequence
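To make the exchange concrete, here is an added Python model (not code from the deck) of the LMP challenge-response described on the previous slides and of how one of its outputs seeds the encryption key. HMAC-SHA256 stands in for the specification's E1 and E3 functions; the function and class names, BD_ADDRs, link key and random values are the example's own constructions.

```python
"""Model of LMP challenge-response authentication and the encryption-key seed.
Added example, not code from the deck. HMAC-SHA256 stands in for the E1 and
E3 functions of the real Core Specification; the BD_ADDRs, link key and
random values used below are constructed.
"""
import hashlib
import hmac
import secrets

def e1_model(link_key: bytes, au_rand: bytes, claimant_addr: bytes):
    """Stand-in for E1: (SRES, ACO) from the link key, the challenge AU_RAND and
    the claimant's BD_ADDR. Only SRES goes on the air; the link key never does."""
    digest = hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()
    return digest[:4], digest[4:16]  # real SRES is 32 bits, ACO is 96 bits

def e3_model(link_key: bytes, en_rand: bytes, aco: bytes) -> bytes:
    """Stand-in for E3: encryption key seeded by the ACO of the latest authentication."""
    return hmac.new(link_key, b"E3" + en_rand + aco, hashlib.sha256).digest()[:16]

class Device:
    """One bonded device: its own BD_ADDR plus the link key stored at pairing."""

    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr, self.link_key = bd_addr, link_key
        self.au_rand = None  # challenge issued while acting as verifier
        self.aco = None      # Authenticated Ciphering Offset from the last run

    def challenge(self, au_rand: bytes = None) -> bytes:
        """Verifier: a fresh AU_RAND each connection, so results never persist."""
        self.au_rand = au_rand or secrets.token_bytes(16)
        return self.au_rand

    def respond(self, au_rand: bytes) -> bytes:
        """Claimant: answer with SRES and keep ACO for the encryption key later."""
        sres, self.aco = e1_model(self.link_key, au_rand, self.bd_addr)
        return sres

    def verify(self, claimant_addr: bytes, sres: bytes) -> bool:
        """Verifier: recompute SRES from its own copy of the link key and compare."""
        expected, aco = e1_model(self.link_key, self.au_rand, claimant_addr)
        if not hmac.compare_digest(expected, sres):
            return False
        self.aco = aco
        return True

def authenticate(verifier: Device, claimant: Device, au_rand: bytes = None) -> bool:
    """One LMP-style authentication; only AU_RAND and SRES cross the air."""
    sres = claimant.respond(verifier.challenge(au_rand))
    return verifier.verify(claimant.bd_addr, sres)

def encryption_key(verifier: Device, claimant: Device, en_rand: bytes = None) -> bytes:
    """Both sides derive the same key from EN_RAND and the ACO they just agreed on."""
    if verifier.aco is None or claimant.aco is None:
        raise RuntimeError("authenticate before enabling encryption")
    en_rand = en_rand or secrets.token_bytes(16)
    k_v = e3_model(verifier.link_key, en_rand, verifier.aco)
    k_c = e3_model(claimant.link_key, en_rand, claimant.aco)
    if not hmac.compare_digest(k_v, k_c):
        raise RuntimeError("sides disagree on the key; authentication did not succeed")
    return k_v
```

Running two authentications with different AU_RAND values yields different encryption keys even from the same link key, which is the property the Encryption slide relies on.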
Where Do Link Keys Come From?
The Link Key shared between a pair of devices may be
permanently stored in the devices
• This is used for special circumstances and is generally discouraged
Two devices execute a process known as “Pairing” to create
their common Link Key
• The Link Key is stored for future use
• A new Link Key may be generated at any time by re-executing the
Pairing process
There are two forms of Pairing:
• Legacy Pairing
• Secure Simple Pairing
Where Do Link Keys Come From?
Two devices which have executed the pairing process and
computed a common link key are said to be Bonded
• After two devices have Bonded, there may be no need for either of
them to be Discoverable
Legacy Pairing
Legacy Pairing generally involves the use of a shared four digit
PIN Code
The devices exchange large random numbers and then perform
some math on those numbers factoring in the PIN Code
• The result of the math is a Link Key
• The PIN Code itself is never transmitted over the air
LMP Authentication is used to confirm that both devices
computed the same answer (Link Key)
Vulnerabilities Of Legacy Pairing
PIN Codes may be up to 16 bytes in length and may be binary
4 digits are commonly used to reduce the amount of input that
the user needs to provide
The limited number of buttons on mobile phones has caused
only the digits 0 to 9 to be used in common practice
The lack of a user interface on devices such as mobile phone
headsets has led to the common use of “0000” as the PIN Code
Vulnerabilities Of Legacy Pairing
If the PIN Code is known to a third party, and the exchange of
random numbers can be captured over the air, then the third
party can compute the Link Key
Secure Simple Pairing
Secure Simple Pairing was introduced in version 2.1 of the
Bluetooth Core Specification to address the issues in Legacy
Pairing
A two-phase approach is used to compute the Link Key
The first phase involves the use of the Elliptic Curve Diffie-Hellman
algorithm to compute a common numeric value
Secure Simple Pairing
The second phase varies based on the capabilities of the two
devices
The second phase methods are known as
• Numeric Comparison
• Just Works
• Passkey Entry
• Out Of Band
When a Bluetooth 2.1 (or later) device learns that its peer device is
also a 2.1 device, Secure Simple Pairing MUST be used to generate
the common Link Key
Secure Simple Pairing – Numeric Comparison
This method may be chosen when both devices have a display and
the ability for the user to enter a “Yes” or “No” value
• A 6 digit random number is displayed on both devices
• The user must then confirm on both devices that the same number is
displayed
Secure Simple Pairing – Just Works
This method may be chosen when one of the devices has neither a
display nor a keyboard
• A 6 digit random number is exchanged between the devices
• The devices automatically accept the value without user intervention
This method is not as secure as Numeric Comparison
The resulting Link Key is labeled “un-authenticated” so that the
application software can decide if it is usable
Secure Simple Pairing – Passkey Entry
This method may be chosen when one device has a display and
the other device has a keyboard
• A 6 digit random number is displayed on the device containing the display
• The 6 digit number is entered on the device which has the keyboard
Secure Simple Pairing – Out Of Band
When two devices share a secure means of transferring data
without using Bluetooth, the Out Of Band mechanism may be
used
The cryptographic information may be exchanged using
• Smart Cards
• Near Field Communications
• RFID
Encryption
Because the “seed” for the encryption key sequence comes
from the most recent LMP Authentication, the encryption key
sequence is different each time two devices connect
Bluetooth currently uses Safer+
• A stronger method, possibly AES-128, may be used in the future
Security Modes
The Bluetooth Core Specification defines four security modes
Security Mode 1 is “non secure”
Security Mode 2 is “service level enforced security”
• In this mode, an application (service) initiates security
• The security features used may be trusted device Authentication, or
Authentication and Encryption
Security Mode 3 is “link level enforced security”
• In this mode, security is initiated when the devices connect to one
another
• The security features are the same as with mode 2
Security Modes
Security Mode 4 is a more stringent form of Security Mode 2
• All applications (services) are required to initiate security procedures
• Both Authentication and Encryption are required to be used
• Services may choose to re-initiate the pairing process based on the
strength of the existing Link Key.
• An un-authenticated Link Key may not be strong enough for some
applications
When a Bluetooth 2.1 (or later) device learns that its peer
device is also a 2.1 device, Security Mode 4 MUST be used
• An exception is the Service Discovery Protocol, which is used to learn
the set of services available on the peer device
Secure Simple Pairing Debug Mode
The first phase of Secure Simple Pairing (Diffie-Hellman
algorithm) was chosen to make it difficult to capture the
pairing process using an “Air Sniffer”
Secure Simple Pairing Debug Mode may be enabled on a device
to cause the pair of devices to use a predefined set of public
and private keys
• An Air Sniffer, when seeing one of the predefined public keys on the air,
automatically knows the rest of the keys and can execute the Diffie-Hellman
algorithm
A Link Key that results from Debug Mode is labeled as a Debug
Key and is not considered to be secure
The Host Controller Interface
The Host Controller Interface
[Figure: Bluetooth Device 1, shown as a HOST stacked above a HOST Controller]
Bluetooth defines two entities that make up a complete implementation
• Hosts
• Host Controllers
• You need one of each
“Host Controllers” are often simply referred to as “Controllers”
Hosts and Host Controllers
[Figure: Bluetooth Device 1, shown as a HOST stacked above a HOST Controller]
The Host is where the application executes
• If a device has a CPU, it may be convenient for the Host to execute there
The Host Controller is where the radio work gets done
• The Host Controller creates links to other Bluetooth devices upon request from the Host
• It maintains the quality of the radio link
• It responds to a limited class of messages without involving the Host
Host and Controller Interconnection
[Figure: Bluetooth Device 1, with the HOST and HOST Controller joined by the HCI (Host Controller Interface)]
The connection point between a Host and a Controller is the Host Controller Interface
• Bluetooth defines a messaging protocol to be used at the interface - HCI
• HCI allows application software from one vendor to be used with a Bluetooth radio (Controller) from another vendor
HCI Transports
[Figure: Bluetooth Device 1, with the HCI (Host Controller Interface) between HOST and HOST Controller carried over one of the HCI Transports: USB (H2); Asynchronous Serial: HCI UART (H4), Three-Wire UART (H5), BCSP; I/O Busses: Secure Digital (SD)]
USB
• Sometimes referred to as “H2”
• The USB transport takes advantage of the robustness and increased data rates provided by the Universal Serial Bus
Secure Digital (SD)
• The SD transport allows for Bluetooth HCI to be carried over SDIO interfaces
HCI Transports
[Figure: the same transport diagram, with Future Transports Under Consideration listed under I/O Busses alongside USB (H2) and Secure Digital (SD)]
Future Transports Under Consideration
• SPI
• PCI
The Bluetooth Protocol Stack
Host Controller Side Protocols
[Figure: the HCI transport diagram, with the Baseband layer added inside the HOST Controller]
Transmitting and receiving of data is performed by the Baseband layer
Host Controller Side Protocols
[Figure: the stack diagram, with Link Controller/Link Manager added above Baseband inside the HOST Controller]
The Link Controller provides packet link level control and maintenance of a communications link
The Link Manager Protocol provides the command and control interface for Link Controller & Baseband
• HCI commands often result in the exchange of one or more Link Manager Protocol messages
• A number of HCI events are generated in response to messages from the Link Manager
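As an added example (not code from the deck), here is a small Python parser for HCI command and event packets as they cross an H4 UART transport; it shows the command/event exchange just described and also the BD_ADDR/OUI split from the Device Addressing slide. The H4 indicator bytes, the HCI_Reset opcode and the event layouts are taken from the Bluetooth Core Specification rather than from this deck; the function names, sample frames and the peer address in them are the example's own constructions.

```python
"""Parser for HCI command and event packets on the H4 (UART) transport.
Added example, not code from the deck. The H4 indicator bytes, the HCI_Reset
opcode and the Command Complete / Connection Complete event layouts come from
the Bluetooth Core Specification; the sample frames and the peer BD_ADDR in
them are constructed.
"""
import struct

# H4 prefixes one indicator byte to each HCI packet to say which type follows
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
EVT_CONNECTION_COMPLETE, EVT_COMMAND_COMPLETE = 0x03, 0x0E
HCI_RESET = 0x0C03  # OGF 0x03 (Controller & Baseband), OCF 0x0003

def split_opcode(opcode: int):
    """A 16-bit opcode packs the 6-bit OGF above the 10-bit OCF."""
    return opcode >> 10, opcode & 0x03FF

def format_bd_addr(raw: bytes) -> str:
    """HCI carries a BD_ADDR least-significant byte first; display it MSB first."""
    return ":".join(f"{b:02X}" for b in reversed(raw))

def oui_of(bd_addr: str) -> str:
    """The upper 24 bits (first three octets) of a BD_ADDR are the IEEE OUI."""
    return ":".join(bd_addr.split(":")[:3])

def parse_h4(frame: bytes) -> dict:
    """Decode one H4 frame; raise ValueError rather than trust a bad length."""
    if len(frame) < 4:  # indicator + opcode/event code + length byte at minimum
        raise ValueError("frame too short")
    kind, body = frame[0], frame[1:]
    if kind == H4_COMMAND:
        opcode, plen = struct.unpack_from("<HB", body)
        params = body[3:]
        if len(params) != plen:
            raise ValueError("command parameter length mismatch")
        ogf, ocf = split_opcode(opcode)
        return {"type": "command", "opcode": opcode, "ogf": ogf, "ocf": ocf, "params": params}
    if kind == H4_EVENT:
        code, plen = struct.unpack_from("<BB", body)
        params = body[2:]
        if len(params) != plen:
            raise ValueError("event parameter length mismatch")
        out = {"type": "event", "code": code, "params": params}
        if code == EVT_COMMAND_COMPLETE:
            out["num_packets"], out["opcode"] = struct.unpack_from("<BH", params)
            out["status"] = params[3]  # first return parameter is the status
        elif code == EVT_CONNECTION_COMPLETE:
            out["status"], out["handle"] = struct.unpack_from("<BH", params)
            out["bd_addr"] = format_bd_addr(params[3:9])
            out["oui"] = oui_of(out["bd_addr"])
            out["link_type"] = "ACL" if params[9] == 0x01 else "SCO"
            out["encryption_enabled"] = bool(params[10])
        return out
    raise ValueError(f"unsupported packet indicator 0x{kind:02X}")

# Constructed traffic: HCI_Reset, its Command Complete, then a Connection Complete
SAMPLE_RESET = bytes([H4_COMMAND, 0x03, 0x0C, 0x00])
SAMPLE_RESET_DONE = bytes([H4_EVENT, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00])
SAMPLE_CONN = bytes([H4_EVENT, 0x03, 0x0B, 0x00, 0x2A, 0x00,
                     0x13, 0x71, 0xDA, 0x7D, 0x1A, 0x00,  # BD_ADDR, LSB first
                     0x01, 0x00])                          # ACL link, encryption off
```

The length checks matter because a Host trusts the Controller's framing; a parser that indexes past a short event is where Host-side bugs usually start.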
Host Side Protocols
[Figure: the stack diagram, with L2CAP added inside the HOST above the HCI]
The L2CAP protocol is used to create and control virtual channels over an existing ACL link
• L2CAP provides protocol multiplexing allowing a single ACL connection to be used for multiple purposes
Host Side Protocols
[Figure: the stack diagram, with SDP added above L2CAP inside the HOST]
The Service Discovery Protocol allows a device to learn about the applications that are supported on another device
Host Side Protocols
[Figure: the stack diagram, with RFCOMM added alongside SDP above L2CAP inside the HOST]
RFCOMM is used for general purpose datastreams by the application profiles
• RFCOMM has a flow control mechanism based on credits
Profiles
[Figure: the stack diagram, with Profiles added at the top of the HOST above RFCOMM and SDP]
Profiles are used at the application level as a way of specifying high level functionality
The profile specifications define the rules and messaging required to implement a particular application client or server
[Figure: Bluetooth Device 1 and Bluetooth Device 2 side by side, each with the full stack: Profiles, RFCOMM, SDP and L2CAP in the HOST; the HCI carried over an HCI Transport (USB (H2), HCI UART (H4), Three-Wire UART (H5), BCSP or Secure Digital (SD)); Link Controller/Link Manager and Baseband in the HOST Controller]
Profiles
Profiles
Each profile is developed by a Working Group and consists of
three documents
• Profile Specification
• Defines the features available in the profile
• Defines the functions used to create the given features
• Profile Implementation Conformance Statement (PICS)
• A list of the features provided by the profile along with an indication of
those that are Mandatory versus those that are optional
• Profile Test Specification
• Defines the procedures used to test the application functions defined in
the Profile
• Provides a mapping between the features listed in the PICS and the
functions used to implement them
Roles and Responsibilities
A Profile specification defines one or more roles for a given
Bluetooth application
• Most Profiles define two roles, one for each side of the application
purpose
• For example, a mobile phone and a headset
Each Profile feature is defined in terms of the overall roles for
the profile
• For example, a mobile phone can place a call using the phone number
provided to it by a headset.
Profile Testing
The Bluetooth SIG has released the Profile Tuning Suite (PTS)
PTS can be used to test implementations to ensure they function in
accordance with the specifications
If two devices that are supposed to communicate with each
other can pass the profile tests, there is high confidence that
the devices will interoperate
Use of the PTS is required by the Bluetooth Qualification
Program
Common Profiles
Headset Profiles
The Headset profiles are used with mobile phones, personal
headsets for hands free phone usage, and hands free phone
systems used in automobiles
HandsFree Profile (HFP)
• Roles
• HandsFree Unit: Headset or car kit
• Audio Gateway: Mobile phone
Headset Profile (HSP)
• Roles
• Headset
• Audio Gateway
Printing Profiles
The Printing profiles are used to transfer data from devices to
printers. They can also be used for moving photos to “smart
picture frames”
Basic Imaging Profile (BIP)
• Used for printing pictures and other graphics
• Roles
• Initiator: The device that is sending a picture
• Responder: The device that is receiving a picture to be printed or
otherwise displayed
Printing Profiles
Basic Printing Profile (BPP)
• Printer support for text based descriptions of the printed output
• Simple text files
• HTML web pages
• Structured text objects such as vCards
• Roles
• Sender
• Printer
Printing Profiles
Hardcopy Cable Replacement Profile (HCRP)
• A simple command and messaging structure to allow for the
elimination of cables between printers and other devices
• Roles
• HCRP Client
• HCRP Server
Transfer Profiles
The Transfer profiles are used to transfer information between
devices
File Transfer Profile (FTP)
• General purpose file transfer between devices
• Supports file system directory structures on the serving device
• Session based connection where multiple operations may be carried out
• Roles
• File Transfer Client
• File Transfer Server
Transfer Profiles
Object Push Profile (OPP)
• Primarily used for transferring common items such as business cards
between mobile phones, PDAs, etc
• Used to “push” (send) an item from one device to another
• Not session based; a single connection is used for each item to be pushed
• Many implementations support the transfer of arbitrary files
• Also considered a Printing profile since the target device may be a printer
• Roles
• Object Push Client
• Object Push Server
Input Profiles
There is only one Input profile – HID
Human Interface Device Profile (HID)
• Based on computing industry standard Human Interface Device
specifications
• Used for computer keyboards, mice, etc
• Roles
• Host: Computer or other device needing input
• Device: Mouse, Keyboard, etc
Music Profiles
The Music profiles are used to transmit high quality audio
(music) from MP3 players, home stereo systems, etc. In
addition, the Music profiles provide a means to remotely
control such systems
Advanced Audio Distribution Profile (A2DP)
• Streaming audio transfer from a music source to headphone, speakers
or other devices
• Roles
• Source: MP3 player, home stereo, etc
• Sink: Stereo headphones, speakers, etc
Music Profiles
Audio/Video Remote Control Profile
• Remote control of an entertainment device such as an MP3 player,
television, home stereo etc
• Often used in conjunction with A2DP devices to allow the A2DP Sink to
control the A2DP Source
• Roles
• Controller: The remote control unit
• Target: The device being controlled
Miscellaneous Profiles
Serial Port Profile (SPP)
• Wireless serial cable emulation
• Commonly used for cable elimination between devices using
asynchronous serial communications
• Roles
• Device A: The device that initiates a serial port connection
• Device B: The device that accepts a serial port connection
• Note that “Device A” and “Device B” have no correspondence to the
common “DTE” (Data Terminal Equipment) and “DCE” (Data
Communications Equipment) terminology. “Device A” may be a “DTE” or a
“DCE”; “Device B” may be either as well
Miscellaneous Profiles
SIM Access Profile
• This profile is used to allow HandsFree car kits and similar devices to
access the setup information of a mobile phone
• The setup information can be used to allow the car kit to disable the
mobile phone and operate on its behalf
• Roles
• SIM Access Client
• SIM Access Server
Miscellaneous Profiles
Phone Book Access Profile (PBAP)
• The Profile provides a standardized way for a car kit or similar device
to access the address book in a mobile phone
• Roles
• Client
• Server
References
Books
"Bluetooth 1.1: Connect Without Cables"
• By Jennifer Bray, Charles F Sturman
• Generally considered a good place to start when learning about Bluetooth
• Some parts are technical but can be skimmed over
"Bluetooth Application Developer's Guide"
• Edited by Jennifer Bray
• This book is often mentioned as the next place to go for those who will be
working with Bluetooth
Websites
www.bluetooth.org
• Profile and protocol specifications
• Test specifications
• Much more
