Bluetooth mesh - network architecture and security

Finishing the topic of the bluetooth mesh network (the first note , the second note ), today we will briefly review its architecture and security.

Welcome.

Architecture

The network architecture is similar to the OSI network model and consists of 8 levels. Consider them from the bottom up.

Level BLE (Bluetooth Low Energy) - located at the very bottom of the stack. This is not just one of the layers of the architecture, but in fact, it is a complete BLE stack, which is necessary for providing a network with wireless communication. Thus, the network is completely dependent on the availability of the BLE stack on the device.
')
The link layer (Bearer Layer) defines the principles for processing a network PDU. Currently two channels are defined:

• Advertisment Channel (Advertising Bearer) —Uses the ability to advertize and scan the BLE level to receive and transmit PDU packets;
• GATT channel (GATT Bearer) - allows a device that does not support the “Advertising Bearer” to communicate with network nodes using the “Proxy” protocol. The "Proxy" protocol is encapsulated in a GATT (Generic Attributes Profile) operation using specifically defined GATT characteristics. The proxy host implements these characteristics and supports both channels in order to be able to convert and transfer messages between two types of media.

Network layer (Network Layer) - defines various types of message addresses and their format, and also transfers PDU packets from the transport layer to the link layer. A layer can support several channels, each of which can have several network interfaces, including a local interface used for communication between elements that are part of the same node. The layer also determines which network interfaces should transmit messages. An input filter is applied to messages coming from the link layer to determine whether these messages should be delivered higher. Output messages are processed by the output filter for and do the same thing only for the delivery below. Thus, the functions of the “Relay” and “Proxy” nodes can be implemented by the network layer.

Lower Transport Layer — Receives PDU packets from the upper transport layer and sends them to the lower transport layer of another device. If necessary, segmentation and assembly packages. For packets whose length exceeds the length of one transport PDU, the layer performs segmentation, dividing the packet into several transport PDUs. The receiving party will assemble these segments into one packet of the upper transport layer PDU and transmit it higher.

Upper Transport Layer (Upper Transport Layer) - is responsible for encrypting, decrypting, and authenticating application data passing through the access layer.

Access Level - is responsible for how applications can use the upper transport layer by:

• determine the format of the application data;
• manage the encryption and decryption process performed at the upper transport layer;
• checks before sending the data upwards that the data received from the upper transport layer is intended for the current network and a specific application.

Foundation Models Layer level - responsible for the implementation of those models related to network configuration and management.

Models Layer (Models Layer) - implements the model, thereby implementing the behavior, messages, states, state bindings, etc., in accordance with the definitions of the model specifications.

Security

BLE allows the creator of profiles to use a variety of different security mechanisms, from different approaches to pairing, to individual security requirements related to individual characteristics. In fact, security in BLE is absolutely optional, it is simply allowed to have a device. The developer or device manufacturer is responsible for the threats himself and determines the security requirements for his product. However, in a Bluetooth network, security is a prerequisite for network operation and this condition cannot be changed or disabled.

We list the fundamental components of security:

1. All network messages are encrypted and authenticated.
2. Network security, application security and device security are considered as separate components.
3. Security keys can be changed during the life of the network using the Key Refresh procedure.
4. Obfuscating messages makes it difficult to track them, ensuring confidentiality.
5. The process of adding a device to a network is itself a process in the context of security.
6. Deleting nodes from the network is done in such a way as to exclude an attack of the “trashcan” type.

Division of responsibility

Network security is based on three types of security keys. These keys provide security for various aspects of the network, thereby improving overall network security.

To understand the term “delineation of responsibility”, consider a lighting lamp having a relay function (Relay). As a repeater, it can process messages related to a door or window security system, which is part of this network. The lamp does not have the ability to access and process the details of such messages, but must transmit them to other nodes. To ensure that access to such messages is denied, the network uses different security keys to protect messages at the network level from those used to protect data related to specific applications: lighting, security, heating, etc.

All nodes in the network have a network key (NetKey). But this key makes the device a node and a member of the network. But the encryption key and private key are generated directly from the NetKey key.
Possession of a NetKey key allows a node to decrypt data and authenticate to the “network layer” of the network stack, in order to be able to perform certain network functions, such as relaying. But the possession of them does not allow to decrypt these applications.

A network can be divided into subnets, and each subnet has its own NetKey key belonging only to nodes that are members of that subnet. This feature can be used to isolate specific physical areas, such as each room in a hotel.

The data of a particular application can only be decrypted by nodes that have the correct application key (“AppKey”). A large number of keys of this type can pass through nodes in the network, but, as a rule, a limited set of nodes having this application will have a certain key. For example, lamps and light switches will have the AppKey key for the lighting application, but not the key for the heating system, which will only have thermostats, radiator valves, etc.

The “AppKey” keys are used by the upper transport layer of the network stack to decrypt and authenticate messages before passing their access level.

“AppKey” keys are associated with only one “NetKey” key. This association is called “key binding” and means that specific applications that own a specific “AppKey” key can work only on one specific network, while the network can contain several independent applications.

And the last key, the device key "DevKey". This is a special type of application key. Each node has a unique DevKey, known only to the device with the function of the registrar in the network (Provisioner) and to no one else. DevKey is used in the preparation process to ensure secure communication between the Provisioner and the host.

Deleting a node, updating a key, and trashcan attacks

And so, the nodes contain different security keys. If a node has broken down and needs to be disposed of, or if the owner decides to give the node to another owner, it is important that the device and the keys it contains cannot be used to install an attack on the network in which it previously was. For this, the procedure for removing a node from the network has been defined. The application on the Provisioner device adds the node to the blacklist, and then initiates the Key Refresh Procedure. This procedure causes all nodes on the network, with the exception of those that are members of the blacklist, to receive new network keys, application keys and all other derived data. In other words, it replaces the entire set of security keys that form the basis of network security and applications. Thus, a node that has been removed from the network and which contains the old “NetKey” and the old set of keys “AppKey” is no longer a member of the network and poses no threat.

Confidentiality

The private key (privacy key) obtained from the “NetKey” is used to obfuscate the values ​​of the PDU headers, such as the source address, for example. Obfuscation ensures that random, passive message interception cannot be used to track the devices and people who use these devices. Obfuscation also makes it difficult to attack based on traffic analysis.

Repeat based attacks

This attack is a technique in which the interceptor intercepts one or more messages and simply re-transmits them later in order to deceive the recipient by doing what the attacking device is not authorized to do. Example: a car keyless entry system always has the risk of intercepting data between the car owner and the car.
The bluetooth network has protection against such attacks. Protection is based on the use of two fields in the PDU package:

• " Sequence Number " (Sequence Number (SEQ)). Elements of the network each time you send a message, increase the value of SEQ. A node receiving a message with an SEQ value less than or equal to the previous valid message will cancel it, since it is likely that this message refers to a replay attack.
• “IV Index” is a field considered with SEQ. Its value within the message from this element must always be equal to or greater than the value of this field in the last valid message of this element.

That's all.

I hope the information provided gives a complete overview of the new technology.

For those who want to learn more about it, there are 3 wonderful specifications:
- profile specification;
- model specification;
- device specification.
All of them are available here .

Thanks for attention.