Simple Bluetooth Security Manager based on the Open Bluetooth stack
Dec. 18. 2001
Jongbae Park (+82-42-866-6162) (jbpark@icu.ac.kr)

Contents
• Bluetooth Introduction
• Bluetooth security architecture
• Axis Bluetooth stack
• Simple Security Manager Implementation
• Result
Bluetooth: a short-range radio technology for integration into mobile and handheld devices that is targeted to replace cables.
• Forget Plug and Play - just Play
• 1Mbps(Sync), 723kbps(Async)
• 2.4GHz ISM band
• 1 or 100mW, 10 m, $4 @2003 ~ 4
• 3 voice channels
• 8 participants in a piconet
Nobody loves wires!
Landline Cable Replacement Data/Voice Access Points Personal Ad-hoc Networks What Does Bluetooth Wireless Technology Do For You?
Baseband (BT1/BT2) IF/RF (BT1/BT2) Bluetooth Protocol Stack
Bluetooth Products R520 T39 T28 w/ Adapter
Products
• 3Com PC Card,
• USB Adapter
• - CSR, Parthus
• ATO Headset
• - Ericsson
• Axis AP
• Brain Boxes – PC Card, RS232 Adapter, CF Card
• - CSR, Socket Comm.
Bluetooth security architecture
• 3 Security modes are defined
  • Security Mode 1: non-secure
  • Security Mode 2: service level enforced security
  • Security Mode 3: link level enforced security
• Security Mode 2
  • Bluetooth device initiates security procedures after the channel is established (at the higher layers)
• Security Mode 3
  • Bluetooth device initiates security procedures before the channel is established (at the lower layers).
Example Bluetooth Security Architecture Bluetooth security architecture
Bluetooth security architecture
• Store security-related information on services & devices
• Answer access requests by protocol implementations or applications (either access granted or refused)
• Enforce authentication and/or encryption before connecting to the application.
• Initiate or process input from the device user to set up trusted relationships on device level.
• Initiate pairing and query PIN entry by the user. PIN entry might also be done by an application.
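The tasks listed above, sketched as a Security Mode 2 access decision. This is an added example, not code from the slides or from OpenBT: every type and function name is hypothetical, the two databases are constructed sample data, and denying unregistered services is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names are hypothetical; none are OpenBT identifiers. */
enum sec_decision { SEC_GRANTED, SEC_DO_AUTHENTICATION, SEC_DO_ENCRYPTION, SEC_REFUSED };

struct service_entry {          /* security-related information on a service */
    uint16_t psm;               /* L2CAP PSM the service listens on */
    int need_authentication, need_encryption, need_authorization;
};
struct device_entry {           /* security-related information on a device */
    uint8_t bd_addr[6];
    int trusted;                /* the user has set up a trusted relationship */
};
struct link_state { int authenticated, encrypted; };

/* Constructed sample databases. */
static const struct service_entry services[] = {
    { 0x0001, 0, 0, 0 },        /* SDP: open to every device */
    { 0x0003, 1, 1, 1 },        /* RFCOMM: authentication, encryption, authorization */
};
static const struct device_entry devices[] = {
    { { 0x73, 0x85, 0x58, 0x8c, 0x40, 0x00 }, 1 },
};

static int is_trusted(const uint8_t *bd_addr)
{
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (memcmp(devices[i].bd_addr, bd_addr, 6) == 0)
            return devices[i].trusted;
    return 0;                   /* unknown devices are untrusted */
}

/* Answer an access request for the service on `psm` from device `bd_addr`. */
enum sec_decision sec_access_request(uint16_t psm, const uint8_t *bd_addr,
                                     const struct link_state *link)
{
    const struct service_entry *svc = NULL;
    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++)
        if (services[i].psm == psm) svc = &services[i];
    if (!svc) return SEC_REFUSED;           /* assumption: unregistered services are denied */
    /* Encryption and authorization both presuppose an authenticated link. */
    if ((svc->need_authentication || svc->need_encryption || svc->need_authorization)
        && !link->authenticated)
        return SEC_DO_AUTHENTICATION;       /* pairing and PIN entry start here */
    if (svc->need_encryption && !link->encrypted)
        return SEC_DO_ENCRYPTION;
    if (svc->need_authorization && !is_trusted(bd_addr))
        return SEC_REFUSED;
    return SEC_GRANTED;
}
```

The caller acts on the returned value: it runs authentication or switches on encryption and asks again, so the application is reached only after `SEC_GRANTED`.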
AXIS BLUETOOTH STACK
• The AXIS OpenBT Stack
  • Implementation of Bluetooth stack for Linux.
  • Bluetooth Driver for Linux Kernel v2.0, v2.2 and v2.4
  • http://sourceforge.net/projects/openbt/
AXIS BLUETOOTH STACK • Structure of AXIS Openbt bluetooth Stack
AXIS BLUETOOTH STACK - Sec_manager
Function name / Description
• sec_client_shutdown
  static void sec_client_shutdown()
  security_query.originator = KERNEL
  If the kernel version is defined, prints the "wake_up process~~" message.
• sec_man_init
  static void sec_man_init(enum security_requests user)
  If the kernel version is defined, calls open_socket().
AXIS BLUETOOTH STACK - Sec_manager
• sec_man_check
  static void sec_man_check(enum security_requests user, BD_ADDR bd_addr, u32 service_data, u32 user_data)
  If the kernel version is defined: when sec_man_sock is less than 0 (that is, there is no security manager), prints an error message.
  If the kernel version is not defined: calls sec_man_doquery().
• sec_man_event
  static void sec_man_event(enum security_requests user, BD_ADDR bd_addr, u8 event, u8 *param, u8 param_len)
AXIS BLUETOOTH STACK - Sec_manager
  Compares param_len with MAX_EVENT_DATA_LENGTH. If param_len is larger, prints "event data length too long" and memcpy's only MAX_EVENT_DATA_LENGTH bytes of param into security_query.event_param. Otherwise it memcpy's param_len bytes.
  Calls sec_man_doquery().
• open_socket
  int open_socket(char *name)
  Opens the socket. If the connection is less than 0, the socket could not be opened, so it prints an error message saying the security manager cannot be used.
• sec_man_proc_dir_entry_read
AXIS BLUETOOTH STACK - Sec_manager
  static s32 sec_man_proc_dir_entry_read(char *buf, char **start, off_t offset, s32 len, s32 unused)
  Calls sec_man_read().
• sec_man_read
  static s32 sec_man_read(struct inode *inode, struct file *file, char *buf, s32 count)
  If security_query.originator is not BT_SEC_MAN, prints a "no response" message and calls interruptible_sleep_on().
AXIS BLUETOOTH STACK - Sec_manager
• sec_man_write
  static s32 sec_man_write(struct inode *inode, struct file *file, const char *buf, s32 count)
  If sec_hdl->originator == BT_SEC_MAN (a new request can be accepted), sets security_query.originator = SEC_CLIENT.
  If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response().
  If sec_hdl->request_type is RFCOMM, calls rfcomm_process_sec_man_response().
• sec_man_doquery
  static s32 sec_man_doquery(s32 fd, u8 *request)
  Reads as many bytes as the size of security_query from sec_man_sock and stores them in request.
AXIS BLUETOOTH STACK - Sec_manager
  n = the number of bytes read from sec_man_sock (up to BUFFER_SIZE) and stored in tmpbuf.
  If n is smaller than the size of security_query, prints that a response of db_hdl len was given.
  If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response().
  If sec_hdl->request_type is RFCOMM, calls rfcomm_process_sec_man_response().
• sec_client_shutdown
  static void sec_client_shutdown()
  Prints a message saying that the wake_up process is awakening.
AXIS BLUETOOTH STACK - Sec_manager
• init_link_key_list
  static void init_link_key_list()
      link_key_list.first = NULL;
      link_key_list.last = NULL;
      link_key_list.cur = NULL;
      link_key_list.count = 0;
• free_link_key_list
  static void free_link_key_list()
  Calls delete_link_key().
AXIS BLUETOOTH STACK - Sec_manager
• create_link_key
  link_key_information_type* create_link_key(unsigned char *bd_addr, unsigned char *link_key_str)
  Checks the size of the link key list and prints whether a new link key element can be allocated.
  If link_key_list.count equals MAX_LINKKEYLISTSIZE, a "connection list full" error message is shown.
• get_next_link_key
  link_key_information_type* get_next_link_key(link_key_information_type* link_key)
  Returns NULL if link_key_list.first is equal to link_key->next.
AXIS BLUETOOTH STACK - Sec_manager
• insert_link_key
  static void insert_link_key(link_key_information_type *new_link_key)
  If the list is empty:
      link_key_list.first = new_link_key;
      link_key_list.cur = new_link_key;
      link_key_list.last = new_link_key;
      link_key_list.count++;
      new_link_key->next = link_key_list.first; /* Point at itself */
      new_link_key->prev = link_key_list.first;
AXIS BLUETOOTH STACK - Sec_manager
  If the list is not empty:
      old_link_key = link_key_list.first; /* mark old_link_key first */
      new_link_key->next = old_link_key;
      link_key_list.last->next = new_link_key;
      old_link_key->prev = new_link_key;
      new_link_key->prev = link_key_list.last;
      link_key_list.cur = new_link_key; /* Set current to new element */
      link_key_list.first = new_link_key; /* Set first to new element */
      link_key_list.count++;
• delete_link_key
  static s32 delete_link_key(link_key_information_type *link_key)
AXIS BLUETOOTH STACK - Sec_manager
  Deletes the element and updates the pointers.
  If it is the last element (link_key_list.count == 1):
      link_key_list.count--;
      link_key_list.first = NULL;
      link_key_list.cur = NULL;
      link_key_list.last = NULL;
      kfree(link_key);
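The slides show insertion into the circular link key list and deletion only for the last remaining element. The added example below, which is not OpenBT code, goes beyond them: a user-space version with lookup by BD_ADDR, key replacement on re-pairing, deletion of any element, and wiping of the key before the memory is released. The `lk_*` names are hypothetical and the value of MAX_LINKKEYLISTSIZE is assumed.

```c
#include <stdlib.h>
#include <string.h>
#define BD_ADDRESS_SIZE 6
#define LINK_KEY_SIZE 16
#define MAX_LINKKEYLISTSIZE 4      /* assumed value; the page does not state it */

typedef struct lk_entry {          /* hypothetical stand-in for link_key_information_type */
    unsigned char bd_addr[BD_ADDRESS_SIZE], link_key[LINK_KEY_SIZE];
    struct lk_entry *next, *prev;
} lk_entry;
static lk_entry *lk_first;         /* head of the circular list, NULL when empty */
static int lk_count;

/* Visit at most lk_count nodes, so walking the circular list always terminates. */
lk_entry *lk_find(const unsigned char *bd_addr)
{
    lk_entry *p = lk_first;
    for (int i = 0; i < lk_count; i++, p = p->next)
        if (memcmp(p->bd_addr, bd_addr, BD_ADDRESS_SIZE) == 0) return p;
    return NULL;
}

/* Store a key; re-pairing overwrites the old key instead of adding a duplicate. */
int lk_store(const unsigned char *bd_addr, const unsigned char *key)
{
    lk_entry *e = lk_find(bd_addr);
    if (!e) {
        if (lk_count == MAX_LINKKEYLISTSIZE || !(e = malloc(sizeof *e)))
            return -1;             /* list full or out of memory */
        memcpy(e->bd_addr, bd_addr, BD_ADDRESS_SIZE);
        e->next = lk_first ? lk_first : e;        /* a lone element points at itself */
        e->prev = lk_first ? lk_first->prev : e;
        e->prev->next = e;
        e->next->prev = e;
        lk_first = e; lk_count++;                 /* new element becomes the head */
    }
    memcpy(e->link_key, key, LINK_KEY_SIZE);
    return 0;
}

/* Unlink any element (first, middle or last) and wipe the key before freeing. */
int lk_delete(const unsigned char *bd_addr)
{
    lk_entry *e = lk_find(bd_addr);
    if (!e) return -1;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    if (lk_first == e) lk_first = (lk_count == 1) ? NULL : e->next;
    lk_count--;
    volatile unsigned char *k = e->link_key;      /* volatile: keep the wipe from being optimized out */
    for (int i = 0; i < LINK_KEY_SIZE; i++) k[i] = 0;
    free(e);
    return 0;
}
```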
AXIS BLUETOOTH STACK - Sec_manager
• sec_man_create_proc_file
  static s32 sec_man_create_proc_file(void)
  Initializes the wait queue by calling init_waitqueue_head().
  If the proc entry is registered successfully (by calling create_proc_entry()), sets the required structure information.
• sec_man_remove_proc_file
  static s32 sec_man_remove_proc_file(void)
  If LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0), calls remove_proc_entry(). Otherwise calls proc_unregister().
AXIS BLUETOOTH STACK - Sec_manager
• sec_man_get_cached_link_key
  static void sec_man_get_cached_link_key(u8 *param)
  Calls get_first_link_key().
  If the link key is not NULL, memcpy's BD_ADDRESS_SIZE bytes of link_key->bd_addr into param, then memcpy's LINK_KEY_SIZE bytes of link_key->link_key to param + BD_ADDRESS_SIZE.
  If the link key is NULL, does a memset.
AXIS BLUETOOTH STACK - Sec_manager
    HCI: process_event, REMOTE_NAME_REQUEST_COMPLETE
    AXIS 9010 (129.132.164.116)
    HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
    BT DATA <--|X| 8
    HCI: send_cmd_queue, end : 0 cmds left in queue
    HCI: send_acl_data_task, 0 bytes
    BT DATA -->|X| 9
    hci_receive_data, hci-9
    HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
    HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
    HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
    HCI: process_event, COMMAND_COMPLETE
    HCI: <CC> process_return_param, WRITE_LINK_POLICY_SETTINGS
    HCI: update_nhcp, Num_HCI_Command_Packets=1
    HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
    HCI: send_cmd_queue, end : 0 cmds
Result
    left in queue
    BT DATA -->|X| 9
    hci_receive_data, hci-9
    HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
    HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
    HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
    HCI: process_event, PIN_CODE_REQUEST
    forwarding event to security manager
    Called my_sec_man
    We are in SEC_MAN_LOOPBACK mode ...
Result
    We are in SEC_MAN_LOOPBACK mode ...
    hci_pin_code_request_reply New pin is (3): 0x31 0x32 0x33
    hci_pin_code_request_reply BD_addr (6): 0x73 0x85 0x58 0x8c 0x40 0x00
    hci_pin_code_request_reply, pin (3): 0x31 0x32 0x33
    HCI: start_cmd_timer
    HCI: insert_cmd
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
    Aiee: scheduling in interrupt 90066664
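Result
• my sec_manager:

    /* Loopback security manager: answers every PIN_CODE_REQUEST itself. */
    void my_sec_man(BD_ADDR bd_addr)
    {
        BD_ADDR address;
        char pin[] = "123";   /* fixed PIN sent to every requesting device */
        char len = 3;         /* PIN length in bytes, without the terminating NUL */

        printk("We are in SEC_MAN_LOOPBACK mode ...\n");
        memcpy(address, bd_addr, BD_ADDRESS_SIZE);   /* local copy of the requester's address */
        hci_pin_code_request_reply(address, pin, len);
    }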