Wednesday 24th October - Bluetooth Security Workshop


24-Oct-2001 09:40 - Amsterdam - Richard Barber - Richard Barber chaired the session and his opening presentation, Bluetooth in an Information Security Landscape, set the challenge for subsequent presenters. Citing figures from www.attrition.org and the FBI and a list of large enterprises who have admitted to being hacked in the last 12 months, Richard demonstrated that security breaches are increasing exponentially and the estimated losses are currently running at $10 billion per year. With hacking tools getting easier to use and new versions appearing with increasing frequency, the balance of power currently rests with the hacker, not the enterprise security defense. Bluetooth is a new technology that introduces new areas of risk. Until those risks have been addressed, enterprises will be reluctant to permit the deployment of Bluetooth technology.
24-Oct-2001 10:02 - Amsterdam - Christian Gehrmann - Dr. Christian Gehrmann addressed both the existing security within Bluetooth and planned enhancements. The use of unit keys, where a unit uses a single key for all its secure connections and shares that key with all units that it trusts, is the prevalent form of Bluetooth security. It is recognized that this is not sufficient. An alternative approach, involving pairing between devices, was described, based on the use of PIN values to establish the first connection. This approach, when using short PIN values, does not provide adequate security in public places. The use of PIN values 20 characters or more in length is recommended. A new security white paper is under development. This will include an analysis of Bluetooth security threats and guidelines for implementers on how and when common security protocols and mechanisms can be used, together with proposals for higher level key exchange. This white paper will be available within a few weeks from the Bluetooth SIG web site.
24-Oct-2001 10:03 - Amsterdam - Christian Gehrmann - Jan-Ove Larsson expanded on proposals for Higher Layer Key Exchange Techniques for Bluetooth Security. The 802.1X framework, developed for 802.11 wireless local area networks, is also applicable to Bluetooth. The adoption of such a common framework, and the use of an external authentication server, would permit roaming across different bearers (including Bluetooth, wireless LANs, GPRS etc.). EAP (Extensible Authentication Protocol) and PEAP (Protected EAP), being developed by the IETF, support this model and provide higher levels of security. All of these provide secure authentication with provision for end-to-end encryption to provide secure pipes. The SHAKE Protocol (SHared key Authenticated Key Exchange) proposed by RSA is designed to protect against so-called man-in-the-middle attacks and to be sufficiently efficient for use in clients with limited computing power.
24-Oct-2001 12:19 - Amsterdam - Cher Nam Yap - Finally, Cher Nam Yap, in a high-level assessment of Bluetooth Security scenarios, identified the need for appropriate profiling to match the security level to the nature of the service, and in particular the need to support ad hoc scenarios.
24-Oct-2001 12:20 - Amsterdam - Richard Barber - A particularly interesting discussion, arising from a question from one of the webcast participants, identified the trade-off between security and usability. Bluetooth is very broad in application and may, for example, be used to link a video camera. The user of a video camera is unlikely to accept the need to enter long PIN values, and yet there is a security risk associated with this kind of data transfer activity. This leads to a need to be able to authenticate device types.
24-Oct-2001 12:30 - Amsterdam - Richard Barber - In summary, Richard Barber observed that the security technology is there and the necessary capabilities are provided for. It is up to implementers to ensure that they are effectively deployed.