1

I'm working on pentesting over a BLE connection between an Android and a Sensor and I'm having problems when I try to decrypt Wireshark .pcap files, because I'm not very sure how the LTK is formed.

There is a screenshot with the packets [Encryption_Req] & [Encryption_Rsp] about what I get using a Texas Instrument Dongle with a sniffer.

Encryption_Req & Encryption_Rsp

I think that the LTK is formed matching the [SKDm & SKDs] or [SKDs & SKDm].

That means: BE952D3D760331A834CC6A4274417E48 (SKDm -> SKDs)

Or: A834CC6A4274417E48BE952D3D760331 (SKDs -> SKDm)

I'm not sure if this is correct or I'm missing something.

Improve this question
2
  • What type of file are you trying to open in Wireshark? Is it an Android HCI snoop log, a Nordic Semiconductor sniffer file, or something else?
    – Emil
    Commented May 24, 2018 at 22:09
  • Im using Ubertooth One for sniffing and Crackle for decrypt. Ubertooth stores the data in a .pcap or pcapng file and then I use Crackle to decrypt it.
    – A. Lage
    Commented May 25, 2018 at 7:23

1 Answer 1

Reset to default
10

LTK is the Long term key stored in the device, that is exchanged after bonding. In the Legacy pairing the slave device just picks a random LTK and sends it over to the master. In LE Secure Connections the LTK is derived from a diffie hellman exchange.

The LL_ENC_REQ and LL_ENC_RSP packets contain "session key diversifiers" and not the LTK (since that would kind of destroy the security if the key was sent in cleartext before encryption was enabled). In order to make each new connection secure, a new session key is used for every connection. To create this session key, each device generates 8+4 bytes random data. The SKDm and SKDs values are concatenated to a 16 byte SKD. The session key is generated by AES-ECB-encryption using the LTK as key and SKD as plaintext. Note that after concatenating SKDm and SKDs, reverse all whole 16 bytes before you input it to a standard AES function, since Bluetooth uses little endian but the AES standard uses big endian.

So 487E4174426ACC34A83103763D2D95BE is your SKD on the format expected by all AES libs.

The Rand and EDIV fields in the LL_ENC_REQ are sent to the slave as identifier to the key so it can look the LTK up in its database.

The IVm and IVs value should be concatenated to get IV (not reversed). This IV is used as part of the nonce in the AES-CCM encryption. See Bluetooth Core Specification 5.0, Vol 6, Part E, Chapter 2.1.

Improve this answer
3
  • Wow man, thanks you so much for your answer, you have clarified many things.
    – A. Lage
    Commented May 25, 2018 at 11:09
  • "...and not the LTK (since that would kind of destroy the security if the key was sent in cleartext before encryption was enabled).". But in case of Legacy Pairing, is the actual LTK shared since the link is already encrypted using an STK?
    – Sohail
    Commented Apr 26, 2023 at 6:13
  • There are two completely separate mechanisms in BLE regarding keys. The first mechanism is how the host/SMP establishes a key that will be used for encryption (STK or LTK). The second is the Link Layer mechanism that creates a unique session key for AES-CCM that takes a 128-bit key as input (here always called LTK, regardless if it's an actual LTK or just an STK), 128-bit random SKD (each part provides 64 bits each) and a random IV. So during Legacy Pairing, an STK is calculated and fed as LTK to the Link Layer. Then once encrypted, the actual LTK used for future connections, is distributed.
    – Emil
    Commented Apr 26, 2023 at 9:12

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.