As I understand it, the Bluetooth specs include decent cryptography,
including a pass phrase mechanism that allows for reasonably long
pass phrases.
However, most peripheral vendors don't allow the user to supply
their own pass phrase, and instead hard-wire the pass phrase
at the factory, often to . They also try to shape consumer
expectations by calling it a PIN instead of a pass phrase.
On Thu, Jan 20, 2011 at 2:12 PM, Tom Metro tmetro-...@vl.com wrote:
Matthew Gillen wrote:
I can't bring myself to use a wireless keyboard. I just don't like the
idea of broadcasting my passwords out to anyone within listening
distance.
The Security Now podcast has covered the security of wireless keyboards
a few times. In episode 269 Steve Gibson says:
...the wireless keyboards have such weak security that essentially,
when you turn the keyboard on, it chooses an eight-bit byte randomly
and XORs the data that's being sent with that byte. ...the data is
not technically in the clear. It's not plaintext. But, boy, I mean,
it would just be a fun and relatively short exercise to decrypt that
stream. It would be trivial to decrypt it. ... So the encryption of
wireless keyboards is virtually ineffective.
And in episode 271 he says:
Yeah, I wanted to quickly calm everyone's nerves over the issue of
keyboard security. ... I did some research, read some whitepapers and
some security evaluations and so forth. And the good news is Logitech
got it 100 percent correct. They did a beautiful job. ... There's
nonvolatile memory in the keyboard and in what they call their little
unifying receiver. This is Logitech's new technology.
So at the factory, nonvolatile memory in the keyboard and in the
unifying receiver are synchronized with the same 128-bit symmetric
key, which the AES algorithm uses to encrypt keystrokes. So if you
repair the keyboard, because for example you might pair it with a
different receiver that hasn't seen that keyboard before, the pairing
process does exactly the right thing. There are pseudorandom number
generators at each end. They're able to establish a new key without
it ever going over the wire, over the air, in the clear, in order to
synchronize a new key that they agree upon on the fly. That's written
into nonvolatile RAM and kept there.
...I haven't looked at anybody else's. But I know that the unifying
receiver technology that Logitech has is doing this. And it does say
in the specs, just in the regular top-level specs, 128-bit AES
encryption. So that's the way they implemented it. I would imagine
anything that Logitech has done, even if it's not the K320 wireless
keyboard, that also says that would be using the same technology,
which means you can trust it.
So the level of security depends on the keyboard, with at least some of
the newer models having adequate security.
And elsewhere in that episode:
...anything Bluetooth is, well, okay. Anything Bluetooth is way more
secure than a simple 8-bit XOR, if for no other reason than almost
nothing could be less secure than an 8-bit XOR. ... Bluetooth is good
security, very good security.
Episodes 280 and 283 cover BlueTooth in depth. (I haven't listened to
them yet.)
Episode 269:
transcript: http://www.grc.com/sn/sn-269.txt
audio: http://media.grc.com/sn/sn-269.mp3
Episode 271:
transcript: http://www.grc.com/sn/sn-271.txt
audio: http://media.grc.com/sn/sn-271.mp3
Other episodes:
http://www.grc.com/securitynow.htm
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
Enterprise solutions through open source.
Professional Profile: http://tmetro.venturelogic.com/
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
--
John Abreau / Executive Director, Boston Linux Unix
GnuPG KeyID: 0xD5C7B5D9 / Email: abre...@gmail.com
GnuPG FP: 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss