Bit Commitment Adventures in Wi-Fi and Bluetooth
Tomáš Rosa
Wi-Fi Protected Setup (WPS), Secure Simple Pairing (SSP) of Bluetooth, and Security Manager (SM) of Bluetooth Low Energy (BLE). Despite their variations, all these radio communication standards share the same cryptographic idea on how to perform a mutual authentication with low-entropy secrets (e.g. PIN). They all employ a Bit Commitment scheme to establish the identity in between two potentially dishonest parties. And yes, they all have to cope with the same security issues.
We begin be reviewing the attack on WPS (independently by Stefan Viehboeck and Tactical Network Solutions) that alarmed newspapers worldwide in 2011/2012. We clarify the role of Bit Commitment in this case and also show why particular things had to be done in their particular way, despite seeming totally foolish in the light of this attack. For instance, why were the two PIN halves verified separately?! As we will see, there is another practical attack that can be considered as a dual approach to what has been echoed in the media. It follows defeating both attacks simultaneously requires certain compromise.
Despite having been reported as such astonishing result, the attack on WPS was principally already described by Lindell far sooner - in June 2008! The prime target was, however, the SSP in Bluetooth and the direct, trivial extension on WPS has passed unnoticed. This emphasises the importance of recalling the common properties of all these radio standards that are directly dictated by their common usage of a Bit Commitment scheme.
Armed with these observations, we will also look at Bluetooth Low Energy which is the newest and very promising communication standard of the Bluetooth family. We present a new attack on the BLE pairing protocol that was discovered by the author this year. Contrary to the previous vulnerabilities (that, of course, principally apply to BLE as well), the new attack is rooted directly in the Bit Commitment mechanism itself. We show the primitives employed here are flawed, so they lack so-called binding property. We also describe practical hardening of the commitment functions. Actually the fix is such simple and straightforward, so we may even ask whether it has not been omitted accidentally as a typo during the standard preparation...
Finally, we also discuss on how to cope with the principal "q-th root" reduction of complexity of active attacks on quasi-static PIN in case of WPS, where q is the PIN splitting factor (in particular, WPS uses PIN halving, so q = 2 here). When the aforementioned attack was echoed in the media, it was also discussed briefly whether the protocol can be patched somehow - i.e. to get rid of the square root reduction of brute force complexity. The motivation was natural and similar to, for instance, TLS hardening against attacks on PKCS#1 ver. 1.5 (which is extensively elaborated in RFC 5246, now). There were rather categoric claims saying this is either easy or totally impossible. We show that neither of these statements is true. WPS patching is uneasy, but possible under certain realistic assumptions. It can help when the technical measures suggested by the WPS standard are not achievable. Due to their common nature the algorithm also directly applies to SSP of Bluetooth (we have q = k, where k is the Passkey bit-length). However, the effect in SM of BLE is none, since q = 1 here, so the "q-th root" reduction issue does not occur (for the price of requiring dynamic PIN or other technical measures to prevent the dual attack which is eminent for q = 1).