Bluetooth mesh - network architecture and security

Concluding the topic about the bluetooth mesh network ( first note , second note ), today we will briefly review its architecture and security.

Welcome.

Architecture

The network architecture is similar to the OSI network model and consists of 8 layers. Consider them from the bottom up.

Level BLE (Bluetooth Low Energy) - located at the very bottom of the stack. This is not just one of the layers of architecture, but in fact, it is a complete BLE stack, which is necessary to provide a wireless network. Thus, the network is completely dependent on the availability of the BLE stack on the device.

Link layer (Bearer Layer) - defines the principles of processing PDU network. Two channels are currently defined:

• advertising channel (Advertising Bearer) - uses the capabilities of consulting and scanning of the BLE level for receiving and transmitting PDU packets;
• GATT channel (GATT Bearer) - allows a device that does not support Advertising Bearer to communicate with hosts using the Proxy protocol. The proxy protocol is encapsulated in a GATT (Generic Attributes Profile) operation using specially defined GATT characteristics. A proxy node implements these characteristics and supports both channels in order to be able to convert and transfer messages between two types of media.

Network Layer - defines various types of message addresses and their format, and also transfers PDU packets from the transport layer to the channel one. A layer can support several channels, each of which can have several network interfaces, including a local interface used for communication between elements that are part of the same node. The layer also determines which network interfaces should send messages. For messages arriving from the link layer, an input filter is applied to determine whether these messages should be delivered higher. Output messages are processed by the output filter for and do the same only for delivery below. Thus, the functions of the Relay and Proxy nodes can be implemented by the network layer.

Lower Transport Layer — Receives PDUs from the upper transport layer and sends them to the lower transport layer of another device. If necessary, segmentation and assembly of packages is performed. For packets whose length exceeds the length of one transport PDU, the layer performs segmentation, dividing the packet into several transport PDUs. The receiving side will collect these segments into one upper transport layer PDU and transmit it higher.

Upper Transport Layer — Encrypts, decrypts, and authenticates application data passing through the access layer.

Access Level - is responsible for how applications can use the upper transport layer by:

• determine the application data format;
• management of the encryption and decryption process performed at the upper transport level;
• checking before sending the data up that the data received from the upper transport layer is for the current network and a specific application.

Level of basic models (Foundation Models Layer) - is responsible for the implementation of those models that are related to the configuration and management of the network.

Model Level (Models Layer) - implements models, thereby realizing behavior, messages, states, state bindings, etc., in accordance with the definitions of the model specifications.

Security

BLE allows the profile creator to use a number of different security mechanisms, from different pairing approaches to individual security requirements associated with individual characteristics. In fact, security in BLE is absolutely optional, it is simply allowed to have the device. The developer or device manufacturer is responsible for the threats himself and determines the security requirements for his product. However, in a Bluetooth network, security is a prerequisite for the network to work and this condition cannot be changed or disabled.

We list the fundamental components of security:

1. All network messages are encrypted and authenticated.
2. Network security, application security, and device security are all considered separate components.
3. Security keys can be changed over the life of the network using the Key Refresh procedure.
4. Obfuscating messages makes them difficult to track, ensuring confidentiality.
5. The process of adding a device to a network is itself a process in the security context.
6. Removing nodes from the network takes place in such a way as to exclude an attack of the “trashcan” type.

Division of responsibility

Network security is based on three types of security keys. These keys provide security for various aspects of the network, thereby improving overall network security.

To understand the term “delineation of responsibility”, consider a lighting lamp with a relay function (Relay). As a relay, it can process messages related to a door or window security system that is part of this network. The lamp does not have the ability to access and process the details of such messages, but must transmit them to other nodes. To ensure that access to such messages is prohibited, the network uses different security keys to protect messages at the network level from those used to protect data related to specific applications: lighting, security, heating, etc.

All nodes in the network have a network key (NetKey). But this key makes the device a host and a member of the network. But the encryption key and private key are generated directly from the NetKey key.
Owning a NetKey key allows a node to decrypt data and authenticate to the "network level" of the network stack so that certain network functions, such as relaying, can be performed. But possession of it does not allow to decrypt application data.

The network can be divided into subnets, and each subnet has its own NetKey, which belongs only to nodes that are members of this subnet. Such an opportunity can be used to isolate specific physical areas, such as, for example, each room in a hotel.

Application-specific data can only be decrypted by nodes that have the correct application key (“AppKey”). A large number of keys of this type can pass through nodes in the network, but, as a rule, a limited number of nodes having this application will have a certain key. For example, lamps and light switches will have the AppKey key for the lighting application, but not the key for the heating system, which will only contain thermostats, radiator valves, etc.

The AppKey keys are used by the upper transport layer of the network stack to decrypt and authenticate messages before passing their access level.

AppKey keys are associated with only one NetKey key. This association is called “key binding” and means that specific applications that own a specific “AppKey” can only work on one particular network, while a network can contain several independent applications.

And the last key, the DevKey device key. This is a special type of application key. Each node has a unique DevKey, known only to a device with the function of a registrar in the network (Provisioner) and not to anyone else. DevKey is used in the preparation process to ensure secure communication between the Provisioner and the host.

Removing a node, updating a key, and trashcan attacks

And so, the nodes contain various security keys. If the node is broken and needs to be disposed of, or if the owner decides to give the node to another owner, it is important that the device and the keys that it contains could not be used to establish an attack on the network of which it was a member before. For this, the procedure for removing a node from the network was determined. The application on the Provisioner device adds the node to the black list, and then initiates the Key Refresh Procedure. This procedure causes all nodes in the network, with the exception of those that are members of the blacklist, to receive new network keys, application keys, and all other derived data. In other words, the entire set of security keys, which form the basis of network and application security, is being replaced. So the node,

Confidentiality

A private key obtained from NetKey is used to obfuscate the values ​​of PDU headers, such as for example the source address. Obfuscation ensures that random, passive message interception cannot be used to track the devices and people who use these devices. Obfuscation also makes traffic-based attacks difficult.

Replay-based attacks

This attack is a technique in which an interceptor device intercepts one or more messages and simply retransmits them later, in order to trick the recipient into doing what the attacking device is not authorized to do. Example: a car keyless entry system always has the risk of intercepting data between the car owner and the car.
The bluetooth network has protection against such attacks. Protection is based on the use of two fields in the PDU package:

• "Sequence number» (the Sequence Number The (of SEQ)). Elements of the network every time you send a message, increase the value of SEQ. A node receiving a message with an SEQ value less than or equal to the previous valid message will cancel it, since it is likely that this message is a replay attack.
• “IV Index” - a field considered together with SEQ. Its value inside the message from this element should always be equal to or greater than the value of this field in the last valid message of this element.

That's all.

I hope the information provided gives a complete overview of the new technology.

For those who want to get to know her more deeply, there are 3 wonderful specifications:
- profile specification;
- model specification;
- device specification.
All of them are available here .

Thanks for attention.