LMP supports various security services:

• Authentication: Authentication is defined in the baseband specification but involves the exchange of two LMP PDUs, one containing the random number and one containing the signed response.
• Pairing: This service allows mutually authenticated users to automatically establish a link encryption key. As a first step, an initialization key is generated by both sides and used in the authentication procedure to authenticate that the two sides have the same key. The initialization key is generated from a common personal identification number (PIN) entered in both devices. The two sides then exchange messages to determine if the link key to be used for future encryptions will be a secret key already configured or a combination key that is calculated based on the master's link key.
• Change link key: If two devices are paired and use a combination key, then that key can be changed. One side generates a new key and sends it to the other side XORed with the old link key. The other side accepts or rejects the key.

• Change current link key: The current link key can be changed temporarily. The exchange involves the use of random numbers and XOR calculations to gen- erate the temporary key, which is used for a single session.

• Encryption: LMP is not directly involved in link encryption but provides services to manage the encryption process. A number of parameters may be negotiated, including the operating encryption mode (no encryption, point-to- point only, point-to-point and broadcast), the size of the key, and the random seed key use to start a new encryption session. LMP is also used to begin and end the use of encryption.