Bluetooth: Analysis of the SSP Process
Background
- Kernel: v5.4.18
- Bluetooth: v5.2
- BlueZ: v5.53
Related concepts
- SSP: Secure Simple Pairing
- OOB: Out of Band
- Host A: phone
- Host B: PC
The phone initiates the Bluetooth connection to the PC (Linux). Pairing goes through SSP, the IO Capability Exchange yields DisplayYesNo on both sides, and the method used is Numeric Comparison. The OOB case is not discussed here; OOB means exchanging Bluetooth-related information through some other channel, for example exchanging both devices' MAC addresses over NFC, pairing, and so on.
SSP process analysis
Main flow diagram (MSC): BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 2, Part F, page 732
Main steps (only the steps that involve HCI are listed):
Enable Simple Pairing:
Before the SSP process starts, both sides need to enable SSP:
Start Simple Pairing:
This only involves the initiator, the phone (Host A):
IO capabilities:
This step determines which Authentication algorithm is used next.
The possible IO capabilities:
Authentication:
There are 3 kinds: Numeric Comparison, Passkey Entry and OOB.
Which one is selected is determined by the IO capability negotiation above.
The detailed flow of each can be found in the official Bluetooth specification.
Enable encryption:
Other steps
Some steps are not visible at the HCI interface at all and are carried out entirely by the two controllers, for example Public key exchange.
Some steps only return an HCI event result to the upper layer: for example DHKey checks, which only report an HCI_Simple_Pairing_Complete result to HCI, and Calculate link key.
Log analysis
Air log
Capturing this requires a professional sniffer tool.
HCI log on the PC (Host B) side, captured with btmon:
```
> HCI Event: IO Capability Response (0x32) plen 9 #30 [hci0] 16.718820
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        IO capability: DisplayYesNo (0x01)
        OOB data: Authentication data not present (0x00)
        Authentication: Dedicated Bonding - MITM required (0x03)
> HCI Event: IO Capability Request (0x31) plen 6 #31 [hci0] 16.719738
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
< HCI Command: IO Capability Reque.. (0x01|0x002b) plen 9 #32 [hci0] 16.719797
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        IO capability: DisplayYesNo (0x01)
        OOB data: Authentication data not present (0x00)
        Authentication: Dedicated Bonding - MITM required (0x03)
> HCI Event: Command Complete (0x0e) plen 10 #33 [hci0] 16.720826
        IO Capability Request Reply (0x01|0x002b) ncmd 1
        Status: Success (0x00)
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
> HCI Event: User Confirmation Request (0x33) plen 10 #34 [hci0] 17.400994
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Passkey: 249124
@ MGMT Event: User Confirmation R.. (0x000f) plen 12 {0x0002} [hci0] 17.401041
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Confirm hint: 0x00
        Value: 0x0003cd24
@ MGMT Event: User Confirmation R.. (0x000f) plen 12 {0x0001} [hci0] 17.401041
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Confirm hint: 0x00
        Value: 0x0003cd24
@ MGMT Command: User Confirmation... (0x001c) plen 7 {0x0001} [hci0] 25.154600
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
< HCI Command: User Confirmation R.. (0x01|0x002c) plen 6 #35 [hci0] 25.154609
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
> HCI Event: Command Complete (0x0e) plen 10 #36 [hci0] 25.271832
        User Confirmation Request Reply (0x01|0x002c) ncmd 1
        Status: Success (0x00)
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
@ MGMT Event: Command Complete (0x0001) plen 10 {0x0001} [hci0] 25.271879
        User Confirmation Reply (0x001c) plen 7
        Status: Success (0x00)
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
> HCI Event: Simple Pairing Complete (0x36) plen 7 #37 [hci0] 25.328999
        Status: Success (0x00)
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
> HCI Event: Link Key Notification (0x18) plen 23 #38 [hci0] 25.422024
        Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Link key: e4731f27c44769f4987264bc0e7f2fc0
        Key type: Authenticated Combination key from P-256 (0x08)
@ MGMT Event: New Link Key (0x0009) plen 26 {0x0002} [hci0] 25.422085
        Store hint: Yes (0x01)
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Key type: Authenticated Combination key from P-256 (0x08)
        Link key: e4731f27c44769f4987264bc0e7f2fc0
        PIN length: 0
@ MGMT Event: New Link Key (0x0009) plen 26 {0x0001} [hci0] 25.422085
        Store hint: Yes (0x01)
        BR/EDR Address: 50:3D:C6:9A:B9:36 (OUI 50-3D-C6)
        Key type: Authenticated Combination key from P-256 (0x08)
        Link key: e4731f27c44769f4987264bc0e7f2fc0
        PIN length: 0
> HCI Event: Encryption Change (0x08) plen 4 #39 [hci0] 25.445839
        Status: Success (0x00)
        Handle: 256
        Encryption: Enabled with AES-CCM (0x02)
```
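As an added example (my own code, not from this post and not part of BlueZ), the following Python script ties together the two points made above: which Authentication method the IO capability exchange selects, and what the btmon trace tells you about the outcome. It parses a trace laid out the way btmon prints it, derives the method from both sides' IO capability and Authentication_Requirements values according to the Core Specification's IO capability rules (my reading of Vol 3, Part C, Section 5.2.2.6), checks that the 6-digit Passkey in the HCI User Confirmation Request is the same number the kernel forwarded as Value over MGMT (249124 is 0x0003cd24), and then confirms from Link Key Notification and Encryption Change that the pairing produced an authenticated P-256 link key and AES-CCM encryption. The embedded trace is a trimmed copy of the log above, kept only for the fields the script reads; the field names and indentation are assumed from btmon's output format.

```python
import re

# Trimmed copy of the Host B btmon trace from the post; indentation follows btmon's layout.
BTMON_LOG = """\
> HCI Event: IO Capability Response (0x32) plen 9 #30 [hci0] 16.718820
        IO capability: DisplayYesNo (0x01)
        Authentication: Dedicated Bonding - MITM required (0x03)
< HCI Command: IO Capability Reque.. (0x01|0x002b) plen 9 #32 [hci0] 16.719797
        IO capability: DisplayYesNo (0x01)
        Authentication: Dedicated Bonding - MITM required (0x03)
> HCI Event: User Confirmation Request (0x33) plen 10 #34 [hci0] 17.400994
        Passkey: 249124
@ MGMT Event: User Confirmation R.. (0x000f) plen 12 {0x0001} [hci0] 17.401041
        Confirm hint: 0x00
        Value: 0x0003cd24
> HCI Event: Link Key Notification (0x18) plen 23 #38 [hci0] 25.422024
        Key type: Authenticated Combination key from P-256 (0x08)
> HCI Event: Encryption Change (0x08) plen 4 #39 [hci0] 25.445839
        Encryption: Enabled with AES-CCM (0x02)
"""

IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly", 0x03: "NoInputNoOutput"}


def parse_btmon(text):
    """Group a btmon trace into records: a header line (>, <, @) plus its indented 'Key: value' fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in "><@":
            records.append({"header": line.strip(), "fields": {}})
        elif records:
            key, _, value = line.strip().partition(": ")
            records[-1]["fields"][key] = value
    return records


def find(records, direction, needle):
    """First record in the given direction (>, <, @) whose header contains needle."""
    for r in records:
        if r["header"].startswith(direction) and needle in r["header"]:
            return r
    return None


def code(value):
    """Numeric code btmon prints in parentheses at the end of a decoded field: 'DisplayYesNo (0x01)' -> 1."""
    m = re.search(r"\(0x([0-9a-fA-F]+)\)\s*$", value)
    return int(m.group(1), 16) if m else None


def association_model(init_io, init_mitm, resp_io, resp_mitm):
    """Authentication stage 1 method for BR/EDR SSP, as I read Core spec Vol 3, Part C, 5.2.2.6.

    Just Works when neither side requires MITM protection; otherwise the IO capability table
    decides. (Just Works is Numeric Comparison with automatic confirmation; its link key is
    unauthenticated.)"""
    if not (init_mitm or resp_mitm):
        return "Just Works"
    caps = {init_io, resp_io}
    if "NoInputNoOutput" in caps:
        return "Just Works"
    if "KeyboardOnly" in caps:
        return "Passkey Entry"
    if caps == {"DisplayYesNo"}:
        return "Numeric Comparison"
    return "Just Works"  # DisplayOnly with DisplayOnly/DisplayYesNo: nothing to type, no yes/no to give


def audit_pairing(text):
    """Extract the SSP parameters from a responder-side btmon trace and report what the pairing achieved."""
    recs = parse_btmon(text)
    # The remote (initiator) capabilities arrive in IO Capability Response; ours go out in the Request Reply.
    init = find(recs, ">", "IO Capability Response")["fields"]
    resp = find(recs, "<", "IO Capability Reque")["fields"]
    init_io, resp_io = IO_CAPS[code(init["IO capability"])], IO_CAPS[code(resp["IO capability"])]
    # Authentication_Requirements: bit 0 set (0x01, 0x03, 0x05) means MITM protection required.
    init_mitm, resp_mitm = bool(code(init["Authentication"]) & 1), bool(code(resp["Authentication"]) & 1)

    # The 6-digit value the controller asks the user to compare, and what the kernel forwarded over MGMT.
    passkey = int(find(recs, ">", "User Confirmation Request")["fields"]["Passkey"])
    mgmt = find(recs, "@", "User Confirmation R")["fields"]
    confirm_hint = int(mgmt["Confirm hint"], 16)  # 0: show the value to the user, 1: plain accept (Just Works)

    # Link_Key_Type 0x08 = Authenticated Combination Key from P-256; 0x07 would be its unauthenticated twin.
    key_type = code(find(recs, ">", "Link Key Notification")["fields"]["Key type"])
    # Encryption_Enabled 0x02 = AES-CCM (Secure Connections), 0x01 = E0, 0x00 = off.
    enc = code(find(recs, ">", "Encryption Change")["fields"]["Encryption"])
    return {
        "model": association_model(init_io, init_mitm, resp_io, resp_mitm),
        "mitm_required": init_mitm or resp_mitm,
        "passkey": passkey,
        "passkey_matches_mgmt": passkey == int(mgmt["Value"], 16),
        "user_compares_value": confirm_hint == 0,
        "key_type": key_type,
        "key_authenticated": key_type in (0x05, 0x08),
        "secure_connections": key_type in (0x07, 0x08),
        "aes_ccm": enc == 0x02,
    }


if __name__ == "__main__":
    for name, value in audit_pairing(BTMON_LOG).items():
        print(f"{name:22} {value}")
```

Run against the trace above, the audit reports Numeric Comparison with MITM required, a passkey that matches the MGMT value, a confirm hint of 0 (the user really is asked to compare the number), key type 0x08 and AES-CCM. A trace in which either side had sent an Authentication value with bit 0 clear, or in which Link Key Notification reported type 0x07, would instead come back as Just Works with key_authenticated False: the link is still encrypted, but the pairing gave no protection against an active man-in-the-middle, which is exactly the property Numeric Comparison exists to provide.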
References
- BLUETOOTH CORE SPECIFICATION Version 5.2
Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit DD'Notes!