[Bluez-users] Smartcard replacement security?

[Bluez-users] Smartcard replacement security?

[Ronny L Nilsson]

Hi
I'd like to know your general opinion on using a Bluetooth enabled 
device (cell phone) as a smart card replacement.

I'm thinking of using a phone to automaticly unlocking e.g. my computer 
screensaver when I'm nearby. The devices needs to be paired of course. 
But then, how "unsafe" is this realy? Can someone else spoof my phone 
and thus fooling my computer other than using some kind of brute force? 
Authentication is made two-ways, right?


Best regards
/Ronny Nilsson




-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application Contest
Submit applications for Windows Mobile(tm)-based Pocket PCs or Smartphones
for the chance to win $25,000 and application distribution. Enter today at
http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Smartcard replacement security?

[Marcel Holtmann]

Hi Ronny,

> I'd like to know your general opinion on using a Bluetooth enabled 
> device (cell phone) as a smart card replacement.
> 
> I'm thinking of using a phone to automaticly unlocking e.g. my computer 
> screensaver when I'm nearby. The devices needs to be paired of course. 
> But then, how "unsafe" is this realy? Can someone else spoof my phone 
> and thus fooling my computer other than using some kind of brute force? 
> Authentication is made two-ways, right?

this depends on how your automatic unlocking is working. If you know the
link key and the BD_ADDR you can spoof anything.

Regards

Marcel




-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application Contest
Submit applications for Windows Mobile(tm)-based Pocket PCs or Smartphones
for the chance to win $25,000 and application distribution. Enter today at
http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Smartcard replacement security?

[Ronny L Nilsson]

> > paired of course. But then, how "unsafe" is this realy? Can someone
> > else spoof my phone and thus fooling my computer other than using
> > some kind of brute force? Authentication is made two-ways, right?
>
> this depends on how your automatic unlocking is working. If you know
> the link key and the BD_ADDR you can spoof anything.
> Marcel


Sure, but I was woundering how hard it is for an intruder to guess the 
link key. Of course if he sniff the traffic while doing the pairing 
with PIN he knows my code, but if he misses this pairing, then what is 
his chanses? The BD_ADDR is of course public (via a nearby scan).

I haven't read the whole spec but minor parts of it. It says 
authentication can be made one-way or both-ways. Do BlueZ support both 
of these ways? Which is the most commonly used?

Regards
/Ronny




-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application Contest
Submit applications for Windows Mobile(tm)-based Pocket PCs or Smartphones
for the chance to win $25,000 and application distribution. Enter today at
http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users

Re: [Bluez-users] Smartcard replacement security?

[Marcel Holtmann]

Hi Ronny,

> > > paired of course. But then, how "unsafe" is this realy? Can someone
> > > else spoof my phone and thus fooling my computer other than using
> > > some kind of brute force? Authentication is made two-ways, right?
> >
> > this depends on how your automatic unlocking is working. If you know
> > the link key and the BD_ADDR you can spoof anything.
> 
> Sure, but I was woundering how hard it is for an intruder to guess the 
> link key. Of course if he sniff the traffic while doing the pairing 
> with PIN he knows my code, but if he misses this pairing, then what is 
> his chanses? The BD_ADDR is of course public (via a nearby scan).
> 
> I haven't read the whole spec but minor parts of it. It says 
> authentication can be made one-way or both-ways. Do BlueZ support both 
> of these ways? Which is the most commonly used?

this all depends on. Unless you don't tell us something more about how
do you plan to realize the unlock thing this talking makes no sense. I
don't understand what you mean by one/two-way authentication. However
the Bluetooth authentication is weak if you don't enable encryption
directly afterwards.

Regards

Marcel




-------------------------------------------------------
This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
Embedded(r) & Windows Mobile(tm) platforms, applications & content.  Register
by 3/29 & save $300 http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
_______________________________________________
Bluez-users mailing list
Bluez-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-users