Implementing a Secure BLE Digital Key Using ECDHE and AES-CCM with UWB Ranging for Passive Entry
Modern passive entry systems for vehicles, buildings, and secure areas demand both high security and precise location awareness. Traditional Bluetooth Low Energy (BLE)-based digital keys are vulnerable to relay attacks, where an attacker extends the range of the legitimate key using a proxy. To counter this, we combine BLE for secure communication and key exchange with Ultra-Wideband (UWB) ranging for accurate distance measurement. This article details a robust architecture that implements a secure digital key using Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key agreement, AES-CCM encryption, and UWB-based ranging for passive entry.
1. System Architecture and Protocol Overview
The system consists of two primary entities: the Digital Key (DK) – typically a smartphone or dedicated fob – and the Vehicle or Access Point (AP). The protocol operates in three phases: Key Agreement and Session Establishment (via BLE), Secure Ranging (via UWB), and Action Triggering (e.g., unlock door).
We assume the DK has been provisioned with a long-term public key (PK_DK) and the AP with its corresponding private key (SK_AP) during a secure initial pairing process (e.g., using out-of-band methods or a trusted PKI). This long-term key pair is used only for authenticating the initial ECDHE exchange.
2. Phase 1: ECDHE Key Agreement over BLE
Before any ranging or action, the DK and AP must establish a short-lived session key. We use ECDHE over the BLE GATT (Generic Attribute Profile) protocol. The steps are as follows:
- Step 1 - Public Key Exchange: The DK generates an ephemeral ECDH key pair (d_DK_eph, Q_DK_eph). The AP generates its own ephemeral pair (d_AP_eph, Q_AP_eph). The DK sends its ephemeral public key Q_DK_eph to the AP, along with a nonce N_DK, all signed using its long-term private key SK_DK. The AP verifies the signature using PK_DK.
- Step 2 - Shared Secret Computation: Both parties compute the shared secret S = ECDH(d_DK_eph, Q_AP_eph) = ECDH(d_AP_eph, Q_DK_eph).
- Step 3 - Session Key Derivation: A key derivation function (KDF), such as HKDF (HMAC-based Extract-and-Expand Key Derivation Function), is used to derive two session keys: an encryption key (K_enc) and an authentication/message integrity key (K_auth). The KDF input includes S, both ephemeral public keys, and both nonces.
// Simplified C-like pseudocode for key derivation
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "hkdf.h" // Assume HKDF implementation
#include "ecc.h"  // Assume ECC library

#define SHARED_SECRET_LEN 32 // 256-bit ECDH shared secret
#define SESSION_KEY_LEN 16   // 128-bit AES key
#define KDF_INFO_MAX 192     // Room for two public keys and two nonces

typedef struct {
    uint8_t k_enc[SESSION_KEY_LEN];
    uint8_t k_auth[SESSION_KEY_LEN];
} session_keys_t;

// Returns 0 on success, -1 if the inputs do not fit into the info buffer.
int derive_session_keys(
    session_keys_t *keys,
    const uint8_t *shared_secret,
    const uint8_t *q_dk_eph, size_t q_dk_len,
    const uint8_t *q_ap_eph, size_t q_ap_len,
    const uint8_t *nonce_dk, const uint8_t *nonce_ap, size_t nonce_len)
{
    uint8_t salt[32] = {0}; // Optional salt
    uint8_t info[KDF_INFO_MAX];
    size_t info_len = 0;

    // Reject lengths that would overflow info[] before copying anything
    if (q_dk_len > sizeof(info) ||
        q_ap_len > sizeof(info) - q_dk_len ||
        nonce_len > (sizeof(info) - q_dk_len - q_ap_len) / 2)
        return -1;

    // Construct info parameter with both public keys and both nonces
    memcpy(info + info_len, q_dk_eph, q_dk_len);
    info_len += q_dk_len;
    memcpy(info + info_len, q_ap_eph, q_ap_len);
    info_len += q_ap_len;
    memcpy(info + info_len, nonce_dk, nonce_len);
    info_len += nonce_len;
    memcpy(info + info_len, nonce_ap, nonce_len);
    info_len += nonce_len;

    // Derive 32 bytes of key material (2 x 16 bytes)
    uint8_t key_material[2 * SESSION_KEY_LEN];
    hkdf_extract_expand(key_material, sizeof(key_material),
                        shared_secret, SHARED_SECRET_LEN,
                        salt, sizeof(salt),
                        info, info_len);
    memcpy(keys->k_enc, key_material, SESSION_KEY_LEN);
    memcpy(keys->k_auth, key_material + SESSION_KEY_LEN, SESSION_KEY_LEN);
    // key_material should be wiped here with a zeroing call the compiler cannot remove
    return 0;
}
3. Phase 2: Secure UWB Ranging with AES-CCM Protection
UWB ranging provides centimeter-level accuracy, making it ideal for detecting the exact proximity of the key. The IEEE 802.15.4a/z UWB standards support two-way ranging (TWR) and time difference of arrival (TDOA) methods. We implement a secure TWR protocol where each ranging message is authenticated and encrypted using AES-CCM (Counter with CBC-MAC) with the session keys derived earlier.
The AP sends a ranging poll (R_POLL) encrypted with K_enc and authenticated with K_auth. The DK decrypts it, calculates the round-trip time (RTT), and responds with a ranging response (R_RESP), also encrypted. The AP then computes the distance d = (RTT * c) / 2, where c is the speed of light. The nonce counter (N_AP) prevents replay attacks.
// Pseudocode for secure UWB ranging message structure
// get_uwb_timestamp(), aes_ccm_encrypt() and uwb_send_frame() are assumed
// to be provided by the UWB driver and the crypto library.
typedef struct __attribute__((packed)) {
    uint32_t counter;      // Nonce/sequence number
    uint64_t timestamp_tx; // Transmit timestamp in UWB clock ticks
    uint8_t reserved[4];   // Padding for AES-CCM
} uwb_payload_t;

typedef struct {
    uint8_t nonce[12];     // 96-bit nonce (counter + fixed prefix)
    uwb_payload_t payload;
    uint8_t mic[8];        // Message Integrity Code (AES-CCM output)
} secure_uwb_frame_t;

// Encrypt and authenticate the payload
void send_secure_ranging_poll(const session_keys_t *keys, uint32_t counter) {
    secure_uwb_frame_t frame;
    uint8_t nonce[12] = {0};

    // First 4 bytes = counter (host byte order). A (key, nonce) pair must
    // never be used twice, so the counter must not repeat within a session.
    memcpy(nonce, &counter, sizeof(counter));
    frame.payload.counter = counter;
    frame.payload.timestamp_tx = get_uwb_timestamp();
    memset(frame.payload.reserved, 0, sizeof(frame.payload.reserved));

    // AES-CCM encryption (encrypts payload in place, generates MIC)
    aes_ccm_encrypt(keys->k_enc, keys->k_auth,
                    nonce, sizeof(nonce),
                    (uint8_t*)&frame.payload, sizeof(uwb_payload_t),
                    frame.mic, sizeof(frame.mic));
    memcpy(frame.nonce, nonce, sizeof(nonce));
    uwb_send_frame(&frame, sizeof(frame));
}
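The counter handling that the replay protection above depends on, as an added example (not code from the original article). The nonce layout, the direction tags, the 7-byte session id and the function names are assumptions made for illustration; the layout gives the AP and the DK separate nonce spaces under the shared session keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCM_NONCE_LEN 12
/* Hypothetical direction tags: each sender gets its own nonce space. */
enum { DIR_AP_TO_DK = 0x01, DIR_DK_TO_AP = 0x02 };

/* Assumed layout: [0] direction | [1..7] session id | [8..11] counter (big-endian). */
void build_ccm_nonce(uint8_t out[CCM_NONCE_LEN], uint8_t direction,
                     const uint8_t session_id[7], uint32_t counter)
{
    out[0] = direction;
    memcpy(out + 1, session_id, 7);
    out[8]  = (uint8_t)(counter >> 24);
    out[9]  = (uint8_t)(counter >> 16);
    out[10] = (uint8_t)(counter >> 8);
    out[11] = (uint8_t)counter;
}

/* Receiver side, one state word per direction per session. Counters start at 1,
 * so *last == 0 means nothing accepted yet. Call only after the MIC verifies. */
int counter_is_fresh(uint32_t *last, uint32_t counter)
{
    if (counter <= *last)
        return 0; /* replayed or stale frame */
    *last = counter;
    return 1;
}

/* Sender side: never wrap, because a repeated counter repeats the nonce. */
int next_counter(uint32_t *counter)
{
    if (*counter == UINT32_MAX)
        return -1; /* exhausted: run a new ECDHE exchange for fresh keys */
    (*counter)++;
    return 0;
}

int main(void)
{
    uint32_t last = 0;
    uint32_t seq[] = {1, 2, 2, 5, 4}; /* constructed counter sequence */
    for (size_t i = 0; i < 5; i++)
        printf("counter %u -> %s\n", (unsigned)seq[i],
               counter_is_fresh(&last, seq[i]) ? "accept" : "reject");
    return 0;
}
```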
4. Phase 3: Action Triggering Based on Distance Threshold
After several successful secure ranging exchanges, the AP computes a filtered distance estimate (e.g., using a moving average or a Kalman filter). If the distance falls below a predefined threshold (e.g., 1.5 meters for unlock), the AP sends a secure action command (e.g., UNLOCK_DOOR) over BLE. This command is encrypted and authenticated using the same session keys. The DK must respond with an acknowledgment (ACK) to prevent denial-of-service.
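The distance filter and unlock decision described above, as an added example (not code from the original article). It goes beyond the text's d = (RTT * c) / 2 by subtracting the DK's reply delay from the round-trip time before halving, assuming the DK reports that delay inside the authenticated payload. The tick length assumes a DW1000-style timestamp unit, and the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SPEED_OF_LIGHT_M_S 299792458.0
#define UWB_TICK_S (1.0 / (128.0 * 499.2e6)) /* assumed DW1000-style tick, ~15.65 ps */
#define UNLOCK_THRESHOLD_M 1.5               /* unlock threshold from the text */
#define WINDOW 4                             /* exchanges averaged (text: 3-5) */

/* One ranging exchange as seen by the AP; field names are hypothetical. */
typedef struct {
    uint64_t t_round; /* poll TX to response RX, measured by the AP, in ticks */
    uint64_t t_reply; /* poll RX to response TX, reported by the DK, in ticks */
    int mic_ok;       /* 1 if the AES-CCM MIC verified and the counter was fresh */
} twr_sample_t;

/* Distance in metres, or -1.0 when the sample must be discarded. */
double twr_distance_m(const twr_sample_t *s)
{
    if (!s->mic_ok || s->t_round < s->t_reply)
        return -1.0;
    double tof_s = (double)(s->t_round - s->t_reply) * UWB_TICK_S / 2.0;
    return tof_s * SPEED_OF_LIGHT_M_S;
}

/* Moving average over the last WINDOW samples; any bad sample blocks the unlock. */
int should_unlock(const twr_sample_t *samples, size_t n)
{
    if (n < WINDOW) return 0;
    double sum = 0.0;
    for (size_t i = n - WINDOW; i < n; i++) {
        double d = twr_distance_m(&samples[i]);
        if (d < 0.0)
            return 0;
        sum += d;
    }
    return (sum / WINDOW) < UNLOCK_THRESHOLD_M;
}

int main(void)
{
    /* Constructed samples: key about 1 m away, then the same with ~200 ns relay delay. */
    twr_sample_t close_by[WINDOW] = {{12779946, 12779520, 1}, {12779950, 12779520, 1},
                                     {12779944, 12779520, 1}, {12779948, 12779520, 1}};
    twr_sample_t relayed[WINDOW] = {{12792726, 12779520, 1}, {12792730, 12779520, 1},
                                    {12792724, 12779520, 1}, {12792728, 12779520, 1}};
    printf("close: %d, relayed: %d\n", should_unlock(close_by, WINDOW),
           should_unlock(relayed, WINDOW));
    return 0;
}
```

In the constructed data, about 200 ns of added round-trip delay moves the apparent distance from roughly 1 m to roughly 31 m, so the relayed set never reaches the threshold.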
5. Performance and Security Analysis
Security: The combination of ECDHE and AES-CCM provides forward secrecy—even if the long-term private key is compromised, past session keys remain secure. The UWB ranging is protected from distance manipulation because each message includes a unique nonce and is authenticated. An attacker cannot forge a valid ranging response without the session keys, thus preventing relay attacks. The use of IEEE 802.15.4a UWB's inherent resistance to multipath interference further strengthens the accuracy of the distance measurement.
Performance: ECDHE key agreement over BLE typically completes in under 100 ms on modern hardware. UWB ranging with AES-CCM adds approximately 10-20 ms per exchange. For a typical passive entry scenario, 3-5 ranging exchanges are sufficient, yielding a total latency of 150-200 ms—well within acceptable limits for user experience. The AES-CCM implementation on a Cortex-M4 class MCU can process a 64-byte payload in under 5 µs, making it suitable for real-time operation.
As noted in the reference materials, UWB technology offers "low power consumption, strong anti-interference ability, and strong penetration" (陆冰琳, 2022). The IEEE 802.15.4a channel model used in those studies is directly applicable to our ranging scenario. Additionally, the hardware design principles from the mining platform (严威, 2020) inform our selection of UWB transceivers (e.g., Decawave DW1000 or Qorvo DWM3000) and antenna placement to minimize NLOS (Non-Line-of-Sight) errors.
6. Conclusion
Implementing a secure BLE digital key with ECDHE and AES-CCM, combined with UWB ranging, creates a robust passive entry system that is resistant to relay attacks and provides sub-meter localization accuracy. The protocol leverages the strengths of both wireless technologies: BLE for low-power, long-range key exchange, and UWB for precise, secure distance measurement. This architecture is not only suitable for automotive passive entry but also for access control in smart buildings and industrial environments where security and precision are paramount.
Frequently Asked Questions
Q: What is the primary security vulnerability in traditional BLE-based digital keys that this article addresses?
A: Traditional BLE-based digital keys are vulnerable to relay attacks, where an attacker uses a proxy to extend the range of the legitimate key, allowing unauthorized access. The article addresses this by combining BLE for secure key exchange with Ultra-Wideband (UWB) ranging for precise distance measurement, ensuring that the digital key must be physically close to the access point.
Q: How does the ECDHE key agreement phase ensure both security and freshness of the session keys?
A: The ECDHE key agreement phase uses ephemeral key pairs generated by both the Digital Key (DK) and Access Point (AP), along with nonces, to compute a shared secret. The ephemeral nature ensures forward secrecy, meaning that compromise of long-term keys does not compromise past sessions. The inclusion of nonces and both ephemeral public keys in the key derivation function (KDF) ensures uniqueness and freshness of the derived session keys (K_enc and K_auth) for each session.
Q: What is the role of long-term public/private keys in the protocol, and how are they provisioned?
A: Long-term public/private keys are used to authenticate the initial ECDHE exchange. The Digital Key (DK) is provisioned with a long-term public key (PK_DK), and the Access Point (AP) has its corresponding private key (SK_AP). This provisioning occurs during a secure initial pairing process, such as using out-of-band methods or a trusted public key infrastructure (PKI), to ensure that only legitimate devices can participate in the key agreement.
Q: Why is a key derivation function (KDF) like HKDF used after the ECDHE shared secret computation?
A: A KDF like HKDF is used to derive two separate session keys (K_enc for encryption and K_auth for authentication/message integrity) from the shared secret. This ensures that the keys are cryptographically strong, independent, and tailored for their specific purposes. The KDF also incorporates both ephemeral public keys and nonces to bind the keys to the specific session, preventing replay attacks and ensuring that the keys are unique per session.
Q: How does the integration of UWB ranging enhance the security of the passive entry system beyond BLE alone?
A: UWB ranging provides precise distance measurement, typically with centimeter-level accuracy, which allows the system to verify that the Digital Key is within a short, authorized range (e.g., less than 2 meters) before triggering an action like unlocking a door. This mitigates relay attacks because an attacker cannot easily spoof the UWB signal to make the key appear closer than it actually is, unlike BLE which can be more easily extended via proxy.