18-03-2014, 04:09 PM
Wireless Commerce Ensuring Bluetooth Security
[attachment=60204]
Overview of Bluetooth security mechanisms
Bluetooth lower layers (baseband & link manager)
LMP_Paring
LMP_Authentication
Encryption
Bluetooth higher layers (Generic Access Profile)
Bonding
Authentication
Authorization - service access control
References
The Bluetooth specification, part B, Baseband [BB] - algorithms
The Bluetooth specification, part C, Link manager [LMP] - link level procedures
The Bluetooth specification, part K:1, Generic Access Profile [GAP] - security modes and user procedures
Bluetooth SIG WP, Security Architecture [SA] - framework and examples for service level enforced security
Bluetooth e-commerce vs. Mobile e-commerce
Based on the same application principles, i.e. link & transport layer security is not enough - an application layer framework is needed.
Mobile commerce is depending on equipment in mobile network and subscription for mobile service while Bluetooth commerce only depends on existence of a personal secure mobile device.
User interaction in mobile commerce is “internet like” while in Bluetooth commerce it is “contact based”.
On-site commerce vs. On-line commerce
Example: purchase of physical goods
On-line commerce (internet)
User initiates session
User invokes service
Purchased goods are delivered separately
Service available anywhere
On-site commerce (point of sale)
System detects user device
System offers service
Purchased goods are delivered direct
Service available only on sites (cord/contact replacement)
Certain services have on-line character (e.g. trading, ordering) while others have on-site character (e.g. retail shopping, travelling)
Secure WAP commerce: Provisioning of keys
Three basic ways of providing the Bluetooth device with the keys (authentication key and non-repudiation key) needed to enable secure mobile transactions:
Public/private key pair stored on WIM issued by service provider (issuing agent)
Public/private key pair stored on SWIM (SIM with WIM) issued by mobile operator
Public/private key pair created and stored in the secure Bluetooth device
The public/private key pairs are handled in the secure Bluetooth device according to WIM.
[attachment=60204]
Overview of Bluetooth security mechanisms
Bluetooth lower layers (baseband & link manager)
LMP_Paring
LMP_Authentication
Encryption
Bluetooth higher layers (Generic Access Profile)
Bonding
Authentication
Authorization - service access control
References
The Bluetooth specification, part B, Baseband [BB] - algorithms
The Bluetooth specification, part C, Link manager [LMP] - link level procedures
The Bluetooth specification, part K:1, Generic Access Profile [GAP] - security modes and user procedures
Bluetooth SIG WP, Security Architecture [SA] - framework and examples for service level enforced security
Bluetooth e-commerce vs. Mobile e-commerce
Based on the same application principles, i.e. link & transport layer security is not enough - an application layer framework is needed.
Mobile commerce is depending on equipment in mobile network and subscription for mobile service while Bluetooth commerce only depends on existence of a personal secure mobile device.
User interaction in mobile commerce is “internet like” while in Bluetooth commerce it is “contact based”.
On-site commerce vs. On-line commerce
Example: purchase of physical goods
On-line commerce (internet)
User initiates session
User invokes service
Purchased goods are delivered separately
Service available anywhere
On-site commerce (point of sale)
System detects user device
System offers service
Purchased goods are delivered direct
Service available only on sites (cord/contact replacement)
Certain services have on-line character (e.g. trading, ordering) while others have on-site character (e.g. retail shopping, travelling)
Secure WAP commerce: Provisioning of keys
Three basic ways of providing the Bluetooth device with the keys (authentication key and non-repudiation key) needed to enable secure mobile transactions:
Public/private key pair stored on WIM issued by service provider (issuing agent)
Public/private key pair stored on SWIM (SIM with WIM) issued by mobile operator
Public/private key pair created and stored in the secure Bluetooth device
The public/private key pairs are handled in the secure Bluetooth device according to WIM.