Results 1-10 of 25

Cracking the Bluetooth PIN
In Proc. 3rd USENIX/ACM Conf. Mobile Systems, Applications, and Services (MobiSys), 2005
Cited by 51 (2 self)
This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the pairing process. We then describe the cracking speed we can achieve through three optimization methods. Our fastest optimization employs an algebraic representation of a central cryptographic primitive (SAFER+) used in Bluetooth. Our results show that a 4-digit PIN can be cracked in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3Ghz HT computer.

BDD-based cryptanalysis of keystream generators
Advances in Cryptology – EUROCRYPT’02, LNCS 1462, 2002
Cited by 29 (1 self)
Abstract. Many of the keystream generators which are used in practice are LFSR-based in the sense that they produce the keystream according to a rule $y = C(L(x))$, where $L(x)$ denotes an internal linear bitstream, produced by a small number of parallel linear feedback shift registers (LFSRs), and $C$ denotes some nonlinear compression function. We present an $n^{O(1)} 2^{\frac{1-\alpha}{1+\alpha} n}$ time bounded attack, the FBDD-attack, against LFSR-based generators, which computes the secret initial state $x \in \{0,1\}^n$ from $cn$ consecutive keystream bits, where $\alpha$ denotes the rate of information, which $C$ reveals about the internal bitstream, and $c$ denotes some small constant. The algorithm uses Free Binary Decision Diagrams (FBDDs), a data structure for minimizing and manipulating Boolean functions. The FBDD-attack yields better bounds on the effective key length for several keystream generators of practical use, so a $0.656n$ bound for the self-shrinking generator, a $0.6403n$ bound for the A5/1 generator, used in the GSM standard, a $0.6n$ bound for the E0 encryption standard in the one level mode, and a $0.8823n$ bound for the two-level E0 generator used in the Bluetooth wireless LAN system.

Faster Correlation Attack on Bluetooth Keystream Generator E0
Advances on Cryptography - CRYPTO 2004, Lecture Notes in Computer Science, 2004
Cited by 24 (2 self)
Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension $L$ and length $n$. It requires time $O(n + L \cdot 2^L)$ and memory $\min(n, 2^L)$. This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in $2^{39}$ time given $2^{39}$ consecutive bits after $O(2^{37})$ precomputation. This is the best known attack against E0 so far.

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption
In the Proceedings of The 25th Annual International Cryptology Conference, 2005
Cited by 19 (1 self)
Abstract. Motivated by the security of the nonlinear filter generator, the concept of correlation was previously extended to the conditional correlation, that studied the linear correlation of the inputs conditioned on a given (short) output pattern of some specific nonlinear function. Based on the conditional correlations, conditional correlation attacks were shown to be successful and efficient against the nonlinear filter generator. In this paper, we further generalize the concept of conditional correlations by assigning it with a different meaning, i.e. the correlation of the output of an arbitrary function conditioned on the unknown (partial) input which is uniformly distributed. Based on this generalized conditional correlation, a general statistical model is studied for dedicated key-recovery distinguishers. It is shown that the generalized conditional correlation is no smaller than the unconditional correlation. Consequently, our distinguisher improves on the traditional one (in the worst case it degrades into the traditional one). In particular, the distinguisher may be successful even if no ordinary correlation exists. As an application, a conditional correlation attack is developed and optimized against Bluetooth two-level E0. The attack is based on a recently detected flaw in the resynchronization of E0, as well as the investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of E0. Our best attack finds the original encryption key for two-level E0 using the first 24 bits of $2^{23.8}$ frames and with $2^{38}$ computations. This is clearly the fastest and only practical known-plaintext attack on Bluetooth encryption compared with all existing attacks. Current experiments confirm our analysis.

A Linearization Attack on the Bluetooth Key Stream Generator
2002
Cited by 14 (0 self)
In this paper we propose an attack on the key stream generator underlying the encryption system E0 used in the Bluetooth specification. We show that the initial value can be recovered by solving a system of nonlinear equations of degree 4 over the finite field GF(2). This system of equations can be transformed by linearization into a system of linear equations with at most 2 unknowns. To our knowledge, this is the best attack on the key stream generator underlying the E0 yet.

Linear cryptanalysis of bluetooth stream cipher
Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 14 (0 self)
Abstract. A general linear iterative cryptanalysis method for solving binary systems of approximate linear equations which is also applicable to keystream generators producing short keystream sequences is proposed. A linear cryptanalysis method for reconstructing the secret key in a general type of initialization schemes is also developed. A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and characterized. As a result, an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about $2^{70}$ from about 45 initializations is proposed. In the precomputation stage, a database of about $2^{80}$ 103-bit words has to be sorted out. Key words: Linear cryptanalysis, linear correlations, iterative probabilistic decoding, reinitialization.

Improved key recovery of level 1 of the Bluetooth Encryption System
http://eprint.iacr.org/2002/068, 2002
Cited by 10 (0 self)
The encryption system E0, which is the encryption system used in the Bluetooth specification, is a two level system where a key and a packet nonce are given to a level 1 key stream generator, which produces the key for a level 2 key stream generator, whose output is used to encrypt. We give a method for recovering the key for the level 1 key stream generator given the internal keys for two or three level 2 key stream generators. This method, combined with published methods for recovering keys for the level 2 key stream generator, can be used to recover the E0 second key with O(2 ) work, and O(2 ) precomputation time.

Cryptanalysis of Bluetooth keystream generator two-level E0
In Advances in Cryptology - ASIACRYPT 2004, Lecture Notes in Computer Science, 2004
Cited by 6 (0 self)
Abstract. In this paper, we carefully study both distinguishing and key-recovery attacks against Bluetooth two-level E0 given many short frames. Based on a flaw in the resynchronization of Bluetooth E0, we are able to fully exploit the largest bias of the finite state machine inside E0 for our attacks. Our key-recovery attack works with $2^{40}$ simple operations given the first 24 bits of $2^{35}$ frames. Compared with all existing attacks against two-level E0, this is the best one so far.

A Uniform Framework for Cryptanalysis of the Bluetooth E_0 Cipher
2005
Cited by 5 (1 self)
In this paper we analyze the $E_0$ cipher, which is the encryption system used in the Bluetooth specification. We suggest a uniform framework for cryptanalysis of the $E_0$ cipher. Our method requires 128 known bits of the keystream in order to recover the initial state of the LFSRs, which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of D. Bleichenbacher. In another setting, our framework is equivalent to an attack presented by Fluhrer and Lucks. Our best attack can recover the initial state of the LFSRs after solving 2 boolean linear systems of equations, which is roughly equivalent to the results obtained by Fluhrer and Lucks.