LMP supports various security services:
- Authentication:
Authentication is defined in the baseband specification but
involves the exchange of two LMP PDUs, one containing the random number
and one containing the signed response.
- Pairing:
This service allows mutually authenticated users to automatically
establish a link encryption key. As a first step, an initialization key is generated
by both sides and used in the authentication procedure to verify that
the two sides have the same key. The initialization key is generated from a
common personal identification number (PIN) entered in both devices. The
two sides then exchange messages to determine whether the link key to be used
for future encryptions will be a secret key already configured or a combination
key that is calculated based on the master's link key.
- Change link key:
If two devices are paired and use a combination key, then
that key can be changed. One side generates a new key and sends it to the
other side XORed with the old link key. The other side accepts or rejects
the key.
- Change current link key:
The current link key can be changed temporarily. The
exchange involves the use of random numbers and XOR calculations to generate
the temporary key, which is used for a single session.
- Encryption:
LMP is not directly involved in link encryption but provides services to manage
the encryption process. A number of parameters may be negotiated, including the
operating encryption mode (no encryption, point-to-point only, point-to-point
and broadcast), the size of the key, and the random seed key used to start a new
encryption session. LMP is also used to begin and end the use of encryption.
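
The change-link-key and authentication items above can be modeled together, as an added example that is not from the original text or the Bluetooth specification: one side sends a new key XORed with the old link key, then checks with a random number and signed response that both sides now hold the same key. The `Device` class and function names are hypothetical, and HMAC-SHA256 truncated to 4 bytes is an assumed stand-in for the baseband authentication function.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # Bluetooth link keys are 128 bits


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def signed_response(link_key: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 4 bytes stands in for the
    # baseband authentication function, which is not reproduced here.
    return hmac.new(link_key, rand, hashlib.sha256).digest()[:4]


class Device:  # hypothetical model of one side of the link
    def __init__(self, link_key: bytes):
        self.link_key = link_key

    def offer_new_key(self) -> bytes:
        # Initiator: the new key never crosses the link in the clear.
        self.pending = secrets.token_bytes(KEY_LEN)
        return xor_bytes(self.pending, self.link_key)

    def accept_new_key(self, masked: bytes) -> None:
        # Responder: unmasking is only correct with the same old key.
        self.link_key = xor_bytes(masked, self.link_key)

    def respond(self, rand: bytes) -> bytes:
        return signed_response(self.link_key, rand)


def change_and_authenticate(initiator: Device, responder: Device) -> bool:
    responder.accept_new_key(initiator.offer_new_key())
    initiator.link_key = initiator.pending
    rand = secrets.token_bytes(16)          # PDU 1: random number
    response = responder.respond(rand)      # PDU 2: signed response
    expected = signed_response(initiator.link_key, rand)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    old = secrets.token_bytes(KEY_LEN)  # constructed sample key
    print("same old key:", change_and_authenticate(Device(old), Device(old)))
    stale = Device(secrets.token_bytes(KEY_LEN))
    print("stale old key:", change_and_authenticate(Device(old), stale))
```

Because the old link key is the only mask on the new key, the new key in transit is exactly as confidential as the old one; a device holding a different old key derives a different value and fails the authentication check.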