Summary of Bluetooth Security Modes
(Spring - 2025)
- 1. No Pairing
  - No authentication (identity)
  - No pairing
  - Open connection: anyone can listen
- 2. Pairing "Just Works" (used when a device lacks I/O)
  - Unauthenticated pairing
  - Encryption
  - Vulnerable to [[04282507300 MITM Man in the Middle Attack]]
  - TK → STK → LTK, but (?) TK = 0
- 3. Authenticated pairing with encryption
  - Uses one of the following methods to confirm identity when pairing…
    - (i) OOB association model
    - (ii) Passkey entry
  - aka LE legacy pairing; TK → STK → LTK
- 4. LE Secure Connections w/ 128-bit ENC key (LESC)
  - Better cryptography
  - LTK derived directly via ECDH (Elliptic-Curve Diffie-Hellman)
Authenticated pairing models…
- Passkey Entry (6-digit code): the user types the code
- Numeric Comparison: the user verifies that the displayed codes match
- OOB (Out of Band) method
Key Terms
- TK (Temporary Key)
  - Only used in the pairing phase
  - Not stored
- STK (Short Term Key)
  - Derived from the TK & random values
  - Encrypts the connection after Legacy Pairing
  - Not stored; only used for the current session
- LTK (Long Term Key)
  - Legacy Pairing: derived from the STK
  - Secure Connections: derived directly from ECDH
  - Stored for future connections
'Bonding': Process of storing LTK & other security information for future connections.
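The TK → STK step of LE Legacy Pairing from the "Just Works" and STK entries above, as an added example that is not part of these notes: it implements the spec's s1 key generation function (Core Spec Vol 3, Part H, 2.2.4) with Go's standard crypto/aes, and shows why a Just Works TK of zero leaves the STK depending only on the two exchanged Pairing Random values, while Passkey Entry contributes at most a 6-digit secret. The sample Srand/Mrand are the r1/r2 values from the spec's s1 sample data; the type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Key128 holds a 128-bit value most-significant byte first, the way the
// Bluetooth Core Spec (Vol 3, Part H) prints keys and random numbers.
type Key128 [16]byte

// s1 is the LE Legacy Pairing key generation function (Vol 3, Part H, 2.2.4):
// r' = r1' || r2' from the least significant 64 bits of each random, then
// e(k, r') where e is one AES-128 block encryption. STK = s1(TK, Srand, Mrand).
func s1(k, r1, r2 Key128) (stk Key128) {
	var rPrime Key128
	copy(rPrime[:8], r1[8:]) // r1' is the high half of r'
	copy(rPrime[8:], r2[8:]) // r2' is the low half of r'
	block, _ := aes.NewCipher(k[:]) // a 16-byte key never fails here
	block.Encrypt(stk[:], rPrime[:])
	return stk
}

// JustWorksTK is the Temporary Key for Just Works: fixed at zero.
func JustWorksTK() Key128 { return Key128{} }

// PasskeyTK puts a 6-digit passkey (0..999999) in the low bits of the TK,
// so Passkey Entry has only 10^6 distinct TKs.
func PasskeyTK(passkey uint32) (tk Key128) {
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// mustHex parses a 32-hex-digit value written most-significant byte first.
func mustHex(s string) (k Key128) {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != 16 {
		panic("bad 128-bit hex: " + s)
	}
	copy(k[:], b)
	return k
}

func main() {
	// Constructed Srand/Mrand: the r1/r2 pair from the spec's s1 sample data.
	srand := mustHex("000F0E0D0C0B0A091122334455667788")
	mrand := mustHex("010203040506070899AABBCCDDEEFF00")
	// Just Works: TK = 0, so the STK depends only on the two exchanged randoms.
	fmt.Printf("Just Works STK: %x\n", s1(JustWorksTK(), srand, mrand))
	fmt.Printf("Passkey STK:    %x\n", s1(PasskeyTK(123456), srand, mrand))
}
```

Both Pairing Random values travel in the clear during phase 2, which is why a zero TK gives a listener the same STK the two devices compute, and why the passkey model only raises the bar to a million candidates.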