Bluetooth protocol analysis: BLE address types

1. Introduction

Anyone who has paid attention to BLE has probably noticed that BLE devices have several kinds of device address: Public Device Address, Random Device Address, Static Device Address, Private Device Address, and so on. Without knowing the background, they are bound to be confusing. Yet there is a reason for each of them: this seemingly odd design actually reflects the design philosophy of BLE and the application scenarios it targets. This article takes a look at them.

2. BLE device address types

A BLE device can use two types of address (and a BLE device can hold both at the same time): a Public Device Address and a Random Device Address. A Random Device Address falls into one of two categories, Static Device Address and Private Device Address, and a Private Device Address is further divided into Non-resolvable Private Address and Resolvable Private Address. Their relationship is as follows:


 
 
                   +--> Public Device Address
                   |
    BLE Device ----+ or/and
                   |
                   +--> Random Device Address --+--> Static Device Address
                                                |
                                                | or
                                                |
                                                +--> Private Device Address --+--> Non-resolvable private address
                                                                              |
                                                                              | or
                                                                              |
                                                                              +--> Resolvable private address

3. Public Device Address

In a communication system, a device address is used to uniquely identify a physical device, such as the MAC address in a TCP/IP network or the Bluetooth address in classic Bluetooth. An important property of a device address is uniqueness (or at least uniqueness within a certain scope); otherwise many problems are likely to follow. Bluetooth communication systems are no exception.

For classic Bluetooth (BR/EDR), the device address is a 48-bit number described as a "48-bit universal LAN MAC address" (the same kind of address as a computer's MAC address). Normally such an address has to be applied for from the IEEE (in fact, bought [1]). The company pays the money, the IEEE guarantees the uniqueness of the address, and everyone is happy.

This address allocation method is of course retained in BLE as well, where it is the Public Device Address. A Public Device Address consists of a 24-bit company_id and a 24-bit company_assigned part. For details, refer to the relevant description in the Bluetooth Spec [2].

4. Random Device Address

In the BLE era, however, a Public Device Address alone is not enough, for the following reasons:

1) A Public Device Address has to be purchased from the IEEE. Although it is not expensive, in the BLE era it is still a considerable overhead compared with the cost of a BLE IC.

2) Applying for and managing Public Device Addresses is rather cumbersome and complicated, and combined with the huge number of BLE devices (not in the same order of magnitude as classic Bluetooth devices) this raises maintenance costs.

3) Security. A large part of BLE's application scenarios is broadcast communication, which means that anyone who knows a device's address can obtain all of its information, which is not secure. A fixed device address therefore increases the risk of information leakage.

To solve the problems above, the BLE protocol adds another kind of address, the Random Device Address: the device address is not assigned in a fixed way but generated randomly after the device starts up. Depending on its purpose, a Random Device Address is divided into Static Device Address and Private Device Address.

4.1 Static Device Address

A Static Device Address is generated randomly by the device at power-up, in the following format:

 
 
   LSB                                          MSB
  +------------------------------------+---+---+
  |   Random part of static address    | 1 | 1 |
  +------------------------------------+---+---+
  <---------- static address (48 bits) --------->

The characteristics of a Static Device Address can be summarised as:

1) The two most significant bits are "11".

2) The remaining 46 bits are a random number, which must not be all zeros and must not be all ones.

3) It stays unchanged within one power cycle.

4) It may change at the next power-up, but this is not mandatory, so it may also stay the same. If it does change, information saved earlier (such as connection data) is no longer valid.

The usage scenarios of a Static Device Address can be summarised as:

1) A 46-bit random number solves the "device address uniqueness" problem well, because the probability of two devices having the same address is very small.

2) Because the address is generated randomly, the cost and maintenance burden of applying for a Public Device Address is avoided.

4.2 Private Device Address

A Static Device Address solves part of the problem by generating the address randomly. A Private Device Address goes a step further: through two methods, periodic updates and address encryption, it improves the reliability and security of the Bluetooth address. Depending on whether the address is encrypted, a Private Device Address is further divided into two categories, Non-resolvable private address and Resolvable private address. They are described separately below.

4.2.1 Non-resolvable private address

A Non-resolvable private address is similar to a Static Device Address; the difference is that a Non-resolvable private address is updated periodically. The update period is defined by GAP and is called T_GAP(private_addr_int); the recommended value is 15 minutes. Its format is as follows:

 
 
   LSB                                              MSB
  +----------------------------------------+---+---+
  | Random part of non-resolvable address  | 0 | 0 |
  +----------------------------------------+---+---+
  <------- non-resolvable address (48 bits) -------->

Its characteristics can be summarised as:

1) The two most significant bits are "00".

2) The remaining 46 bits are a random number, which must not be all zeros and must not be all ones.

3) It is updated periodically, with period T_GAP(private_addr_int).

Note 1: The Non-resolvable private address is a bit odd, and its application scenario is not very clear. An address that keeps changing certainly confuses the enemy, but doesn't it confuse your own side just as much? For this reason, this address type is not commonly used in real products.
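As an added example (not part of the original article), the rules of sections 4.1 and 4.2.1 as a Go classifier: it reads the two type bits and rejects a static or non-resolvable address whose 46-bit random part is all zeros or all ones. It assumes addresses are handled MSB first and that the caller already knows from the air-interface address-type flag (the TxAdd/RxAdd bit of the PDU header, not covered in this article) whether the address is public or random, since a public address cannot be told apart by its bits alone.

```go
package main

// AddrType is the category of a BLE device address as derived from its bits.
type AddrType int

const (
	Public AddrType = iota
	Static
	NonResolvable
	Resolvable
	Invalid
)

// Classify takes a 48-bit address written MSB first and the "random address"
// flag that accompanies it on the air. Static and non-resolvable addresses
// whose 46-bit random part is all zeros or all ones are rejected, as the
// rules above require. (Added example; the flag is an assumed input.)
func Classify(a [6]byte, random bool) AddrType {
	if !random {
		return Public
	}
	// Strip the two type bits and test the remaining 46-bit random part.
	allZero, allOne := true, true
	for i, b := range a {
		mask := byte(0xff)
		if i == 0 {
			mask = 0x3f
		}
		if b&mask != 0 {
			allZero = false
		}
		if b&mask != mask {
			allOne = false
		}
	}
	switch bits := a[0] >> 6; {
	case bits == 2: // "10": resolvable private address (checked elsewhere)
		return Resolvable
	case allZero || allOne: // random part must not be all 0s or all 1s
		return Invalid
	case bits == 3: // "11": static device address
		return Static
	case bits == 0: // "00": non-resolvable private address
		return NonResolvable
	}
	return Invalid // "01" is not an assigned random address type
}
```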

4.2.2 Resolvable private address

The Resolvable private address is more useful. It is generated from a random number and a key called the identity resolving key (IRK), so it can only be scanned by devices that hold the same IRK, which prevents unknown devices from scanning and tracking the device. Its format is as follows:

 
 
   LSB                                                     MSB
  +--------------------------+----------------------+---+---+
  |           hash           | Random part of prand | 1 | 0 |
  +--------------------------+----------------------+---+---+
  <------ hash (24 bits) ---> <------- prand (24 bits) ----->

Its characteristics are as follows:

1) It consists of two parts:
     the high 24 bits are the random part (prand), of which the two most significant bits are "10" and identify the address type;
     the low 24 bits are a hash value computed from the random number and the IRK; the formula is hash = ah(IRK, prand).

2) When a peer BLE device scans an address of this type, it performs the same hash computation using the IRK stored locally and the prand taken from the address, compares the result with the hash field of the address, and only proceeds with subsequent operations if they match. This process is called resolving, which is also where the names Non-resolvable private address and Resolvable private address come from.

3) It is updated periodically, with period T_GAP(private_addr_int). It may change even while advertising, scanning, or in a connection.

4) A Resolvable private address cannot be used alone, so a device that uses this address type must also have either a Public Device Address or a Static Device Address.

5. Resolvable private address: application scenarios and HCI commands

The resolving and filtering of BLE Resolvable private addresses is implemented in the Link Layer, which therefore provides a relatively secure, encrypted environment for BLE broadcast communication. The Link Layer exposes the related control API to the Host over HCI in the form of a Resolving List; the relevant HCI commands are introduced below:

LE Set Random Address Command: sets a new random address, including an address of the Resolvable private address type.

LE Add Device to Resolving List Command: adds the specified device to the local Resolving List. The parameters that must be given are the address of the device to add (including its address type), the IRK of the device to add, and the local device's IRK.

LE Remove Device From Resolving List Command: removes the specified device from the local Resolving List.

LE Clear Resolving List Command: clears the local Resolving List.

LE Read Resolving List Size Command: reads the size of the local Resolving List.

LE Read Peer Resolvable Address Command: reads the resolved Resolvable private address of the peer device.

LE Read Local Resolvable Address Command: reads the resolved Resolvable private address of the local device.

LE Set Address Resolution Enable Command: disables/enables the address resolution function.

Summary and notes:

1) The Resolvable private address is generated actively by the Host, with period T_GAP(private_addr_int), and is passed to the Controller's Link Layer with the "LE Set Random Address Command". So if the local device needs a secure environment, it can use a Resolvable private address as its advertising and connection address.

2) If the local device needs to communicate (scan, connect, etc.) with a device that uses a Resolvable private address, that device must be added to the Resolving List and the address resolution function enabled. Only when the address resolves correctly will the Link Layer continue with the subsequent communication steps.

3) If the address does not resolve correctly, none of the packets the local device sends to the peer (scan requests, connection requests, etc.) can be received correctly (because the destination address is wrong). There is one exception, though: if the local device simply turns off address resolution, it can still receive the peer's advertising packets, so a Resolvable private address does not protect the data in advertising packets. If there is sensitive information, putting it in the scan response packet should be a good choice.

4) Is the analysis above correct? I am not entirely sure; an experiment can be done later to check.
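As an added example (neither the article's nor any Bluetooth stack's code), the resolving procedure of 4.2.2 and the Resolving List check of section 5 in Go: ah() is the Core spec function (AES-128 of prand zero-padded to 128 bits under the IRK, keeping the low 24 bits), NewRPA builds an address from an IRK and 22 random bits, and Resolve walks a list of stored IRKs the way the Link Layer does. Addresses are written MSB first; the IRK and the random bits are assumed inputs.

```go
package main

import "crypto/aes"

// Addr is a 48-bit BLE address written MSB first: Addr[0] carries the two
// type bits, Addr[0:3] is prand and Addr[3:6] the hash of a resolvable one.
type Addr [6]byte

// ah is the hash from the Core spec (Vol 3 Part H, 2.2.2): AES-128-ECB of
// prand zero-padded to 128 bits under key IRK, keeping the low 24 bits.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // 16-byte key: cannot fail
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = 104 zero bits || prand
	block.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:]) // mod 2^24: the least significant 24 bits
	return h
}

// NewRPA builds a resolvable private address: prand = "10" || 22 random
// bits, address = prand || ah(IRK, prand). (Added example, assumed inputs.)
func NewRPA(irk [16]byte, random [3]byte) Addr {
	prand := random
	prand[0] = (prand[0] & 0x3f) | 0x80 // force the top two bits to "10"
	h := ah(irk, prand)
	var a Addr
	copy(a[:3], prand[:])
	copy(a[3:], h[:])
	return a
}

// Resolve mimics the Link Layer check against a Resolving List: recompute
// ah(IRK, prand) with every stored IRK and compare with the hash field.
// It returns the index of the matching IRK, or -1 if none resolves.
func Resolve(a Addr, resolvingList [][16]byte) int {
	if a[0]>>6 != 2 { // top bits not "10": not a resolvable private address
		return -1
	}
	var prand, h [3]byte
	copy(prand[:], a[:3])
	copy(h[:], a[3:])
	for i, irk := range resolvingList {
		if ah(irk, prand) == h {
			return i
		}
	}
	return -1
}
```

The Core spec's own ah sample data (IRK ec0234a357c8ad05341010a60a397d9b, prand 0x708194, hash 0x0dfbaa) is a convenient check of byte order when porting this into a stack that stores addresses LSB first.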

6. References

[1] OUI purchase links: http://cn.ieee.org/OUI_introduction.html, http://standards.ieee.org/develop/regauth/oui/index.html

[2] Core_v4.2.pdf
