I’m trying to grok how SSP works, and I’ve not much exposure on security. I think I grok OOB SSP and just works SSP, and so the following description borrows from that vocabulary. But I am making several guesses, so can someone check my understanding?
One way or another, you have to get a Hash (not sure what this is, but it's required for authentication and link key generation) and a randomizer (a random number) over to the other device that you want to set up a link key with. But if you just report it over the Bluetooth radio, Mallory the Malicious could MitM you and steal your lunch money. The 4 pairing options Bluetooth supports are various ways you can keep Mallory in the dark.
1: Just works; basically, you’re hoping Mallory isn’t listening while you send the Hash and Randomizer. But if Mallory only tunes in after you have sent those, he’s out of luck.
2: OOB: You’re switching to some other medium of communication so that Mallory has to also be listening on that medium as well. But he might be, so you’d better do what you can to protect the hash/randomizer.
Also, follow-up question; they tout near field communication as the best way of using OOB, and I can see why; its extremely limited range is an asset in this context. But, in my use case, my only OOB option is Wi-Fi. Does that defeat the purpose of OOB, since it's just as insecure as putting it out over Bluetooth in the first place?
3: Numeric Comparison & Passkey: You’re passing the Hash and Randomizer over Bluetooth as in the Just Works model, but then you’re… asking the user to confirm some numbers? Which, somehow, keep Mallory away?
I don’t really get how these models work. I’ve looked at the agent-api in BlueZ, and it seems like there isn’t any relationship between the passkey generated and any secure information at all… in the following snippet of the Python script simple-agent, you literally take keyboard input from the user and ask the other device to punch in the same code.
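
    # Agent method from simple-agent; ask() and set_trusted() are helpers
    # defined elsewhere in that script.
    def RequestPinCode(self, device):
        print("RequestPinCode (%s)" % (device))
        set_trusted(device)
        # Read the PIN from the keyboard and hand it back to the Bluetooth daemon.
        omgwtfbbq = ask("Enter PIN Code: ")
        return omgwtfbbq
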
I don’t understand how that helps at all.
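
As an added example (not part of the original post and not BlueZ code), here is a simplified Python model of the commit-then-reveal exchange behind SSP Numeric Comparison, showing why the six digits on the two screens agree only when both devices saw the same public keys and nonces. The 32-byte public keys and 16-byte nonces are constructed stand-ins, and all function names are hypothetical.

```python
import hashlib
import hmac

def commitment(pk_own, pk_peer, nonce):
    # Binds the nonce to both public keys; it cannot be reopened to another nonce.
    return hmac.new(nonce, pk_own + pk_peer + b"\x00", hashlib.sha256).digest()[:16]

def display_value(pk_init, pk_resp, n_init, n_resp):
    # Six digits derived from everything each side believes was exchanged.
    digest = hashlib.sha256(pk_init + pk_resp + n_init + n_resp).digest()
    return int.from_bytes(digest[-4:], "big") % 1_000_000

def initiator_view(pk_self, pk_peer, n_self, commit_seen, n_peer):
    # The initiator aborts if the revealed nonce does not open the commitment.
    if not hmac.compare_digest(commit_seen, commitment(pk_peer, pk_self, n_peer)):
        return None
    return display_value(pk_self, pk_peer, n_self, n_peer)

def responder_view(pk_self, pk_peer, n_self, n_peer):
    return display_value(pk_peer, pk_self, n_peer, n_self)

# Constructed stand-ins for public-key X coordinates and 128-bit nonces.
PK_A, PK_B, PK_M = (bytes([i]) * 32 for i in (0xA1, 0xB2, 0xC3))
N_A, N_B, N_M1, N_M2 = (bytes([i]) * 16 for i in (1, 2, 3, 4))

def honest_pairing():
    cb = commitment(PK_B, PK_A, N_B)  # B commits before seeing N_A
    return (initiator_view(PK_A, PK_B, N_A, cb, N_B),
            responder_view(PK_B, PK_A, N_B, N_A))

def mitm_pairing():
    # Mallory answers A as "B" and approaches B as "A", using her own key.
    cm = commitment(PK_M, PK_A, N_M1)
    return (initiator_view(PK_A, PK_M, N_A, cm, N_M1),
            responder_view(PK_B, PK_M, N_B, N_M2))

def swapped_nonce():
    # Revealing a nonce other than the committed one is detected.
    cb = commitment(PK_B, PK_A, N_B)
    return initiator_view(PK_A, PK_B, N_A, cb, N_M1)

if __name__ == "__main__":
    print("honest:       ", honest_pairing())
    print("mitm:         ", mitm_pairing())
    print("swapped nonce:", swapped_nonce())
```

In the honest run both screens show the same number; with a substituted key the two numbers are derived from different inputs, so the user comparing them is the check that catches the man in the middle.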