You are here: Configuration > Sodera LE > Sodera LE I/O Settings - Datasource > Sodera LE Datasource Security Pane > Bluetooth low energy Encryption/Decryption

Bluetooth low energy Encryption/Decryption

Long Term Key

The Long Term Key (LTK) in Bluetooth low energy is similar to the Link Key in Classic Bluetooth.  It is a persistent key that is stored in both devices and used to derive a fresh encryption key each time the devices go encrypted. In the Sodera Security pane the LTK is entered in the Link Key field so the following discussion will use Link Key instead of LTK.

Click here to learn more about the Long Term KeyClosed.
The Long Term Key is similar to the Link key in Classic; it is a persistent key that is stored in both devices and used to derive a fresh  encryption key each time the devices go encrypted.

There are a few differences though:
In Classic the Link key is derived from inputs from both devices and is calculated in the same way independently by both devices and then stored persistently. The link key itself is never transmitted over the air during pairing.

In LE, the long term key is generated solely on the slave device and then, during pairing, is distributed to a master device that wants to establish an encrypted connection to that slave in the future. Thus the long term key is transmitted over the air, albeit encrypted with a one-time key derived during the pairing process and discarded afterward (the so called short term key).

Unlike the link key, this long term key is directional, i.e. it is only used to for connections from the master to the slave (referring to the roles of the devices during the pairing process). If the devices also want to connect the other way round in the future, the device in the master role (during the pairing process) also needs to send its own long term key to the device in the slave role during the pairing process (also encrypted with the short term key of course), so that the device which was in the slave during the pairing process can be a master in the future and connect to the device which was master during the pairing process (but then would be in a slave role).

Since most simple LE devices are only ever slave and never master at all, the second long term key exchange is optional during the pairing process.

Static Address not paired image

Bluetooth low energy Static Address Link Key Required

In this example a low energy device requires Link Key entry for the Frontline software to decrypt the data. To enter the Link Key click on Enter link key and type or paste in the Link Key in hex format.

Note: It is not necessary to precede the Link Key with "0x" to signify a hex format. The software will automatically add "0x" to the front of the Link Key.

Static Address not paired link key entered image

Bluetooth low energy Enter Link Key

Press the Enter key or click outside the Link Key box. If the Link Key is valid the box will be green, beneath the Link Key will appear "Valid, and the Status will show an open, green lock indicating that decryption is enabled.

If the Link Key is not valid the box will be red, beneath the entered Link Key will appear "Invalid", and the Status will show a closed, red lock indicating that decryption is not enabled.

Static Address not paired valid link key entered image

Bluetooth low energy Valid Link Key

Static Address not paired invalid link key entered image

Bluetooth low energy Invalid Link Key

Legacy Just Works Pairing

In this example the devices under test use Legacy Just Works pairing to calculate a Short-Term Key (STK) in order to securely transfer the device's Long-Term Key (LTK). The LTK is then used to encrypt the subsequent security contexts.

low energy public and private key encryption

Bluetooth low energy Piconet Public Key and Private Key Encryption

Legacy Passkey Pairing

PIN is a six-digit decimal number. If a passkey is required by the device "Enter passkey" will appear in the device's PIN/TK field.

low energy passkey pairing not enabled

Bluetooth low energy Passkey Decryption Not Enabled

This example uses Passkey Pairing to enable decryption. The user clicks on "Enter passkey" in the device PIN/TK field.

low energy passkey pairing entry

Bluetooth low energy Passkey Entry

Press Enter or click outside the field. If the Passkey is correct it will appear in the PIN/TK field with "Valid" appearing below the passkey, Link Key field will automatically fill with the Link Key that will show "Valid" and appear green. The Status field will show an open, green lock to show that encryption is enabled and the analyzer can show decrypted data.

If the entered Passkey is incorrect, the PIN/TK field will be red and "Invalid" will appear below the entered PIIN. The Status field will show a closed, red lock to indicate that encryption is not enabled.

low energy passkey pairing enabled

Bluetooth low energy Passkey Decryption Enabled

low energy passkey pairing invalid

Bluetooth low energy Passkey Invalid

Legacy Out-of-Band(OOB) Pairing

Out-of-Band (OOB) data is a 16-digit hexadecimal code preceded by "0x" which the devices exchange via a channel that is different than the le transmission itself. This channel is called OOB. For off-the-shelf devices we cannot sniff OOB data, but in the lab you may have access to the data exchanged through this channel. 

If a device requires OOB data the device Link Key field will show "Enter OOB TK".

Also see these related topics...Related Topics Link Icon

The Bluetooth SIG, Inc. owns the Bluetooth word mark and logos, and use of such marks is under license.

Help Categories

Additional Help

About Us

Get to Know Us

 

Copyright © Teledyne LeCroy, Inc. All Rights Reserved | Privacy Policy | Terms of Use