What is Key 2.0?
Key 2.0 (or Key20 for short) is a Bluetooth IoT Door Lock controller. It turns a conventional electric door lock into a smart door lock that can be opened using a smartphone without the need for a physical key. Thus, Key20 is the modern version of a physical key, or, as the name suggests, the key version 2.0 for the Internet of Things (IoT) era.
Key20 consists of two parts:
- Key20 door lock controller device, which is physically connected to the electric door lock and wirelessly via BLE to the mobile app.
- Key20 mobile app implementing the user interface to unlock the door and communicating with the door lock controller through BLE.
[ Mobile Phone w/ ] [ Key20 App ] | | Bluetooth Low Energy (BLE) Connection | |---[ Key20 Door Lock Controller ]---[ Electric Door Lock ]---| | [ Device ] | | | | | | | |----------------------(Voltage Source)-----------------------| ( 12 VAC )
The following image shows the Key20 door lock controller device and the Key20 app running on a smartphone.
You can get a quick impression on how Key20 works watching the following video:
The main features of Key20 are:
- Using state-of-the-art security mechanisms (Elliptic Curve Diffie-Hellman Key Exchange (ECDH), HMAC) to protect against attacks.
- Open-source software and hardware, including an open implementation of the security mechanisms. No security by obscurity! Source code for the app and door lock controller as well as Eagle files (schematic and board layout) are provided.
- Maker-friendly: using easily available cheap standard components (nRF51822 BLE chip, standard electronic parts), easy to manufacture circuit board, and open-source software and hardware design.
- Works with BLE-enabled Android 4.3 mobile devices (and of course newer versions). Porting to other mobile operating systems like iOS should be straightforward.
- Liberal licensing of software and hardware under the Apache License 2.0 and the CERN Open Hardware License 1.0, respectively.
A door lock obviously requires security mechanisms to protect from unauthorized requests to open the door. To this end, Key20 implements the following state of the art security mechanisms.
Authorization of Door Open Requests with HMAC
All door open requests are authorized through a Keyed Hash Message Authentication Code (HMAC). A 16 byte nonce (big random number) is generated by the door lock controller for each door open request as soon as a BLE connection is made to the door lock controller. The nonce is sent to the mobile app. Both, the nonce and the shared secret, are used by the mobile app to calculate a 512 bit HMAC using the SHA-2 hashing algorithm, which is then truncated to 256 bits (HMAC512-256), and sent to the door lock controller. The door lock controller also calculates an HMAC based on the nonce and the shared secret, and only if both HMACs match, the door will be opened.
The nonce is only valid for one door open request and effectively prevents replay attacks, i.e., an attacker sniffing on the radio channel and replaying the sniffed HMAC later. Note that the BLE radio communication is not encrypted, and it actually does not need to be encrypted since a captured HMAC is useless when re-played.
Moreover, each nonce is only valid for 15 s to prevent man-in-the-middle attacks where an attacker intercepts the HMAC and does not forward it immediatelly but waits until the (authorized) user walks away after he is not able to open the door. Later the attacker would then send the HMAC to the door lock controller to open the door. With a time window of only 15 s (which could be reduced further), such attacks are futile since the authorized user will still be at the door.
Note that the whole authentication procedure does not include heavy-weight asymmetric crypto functions, but only light-weight hashing algorithms, which can be performed on the door lock device featuring an nRF51822 micro-controller (ARM Cortex M0) very fast in order not to delay door unlocking.
With respect to the random nonce we would like to note the following. First, the nRF51822 chip includes a random number generator for generating random numbers from thermal noise, so nonces should be of high quality, i.e., truly random. An attack by cooling down the Bluetooth chip to reduce randomness due to thermal noise is not relevant here since this requires physical access to the lock controller installed within the building, i.e., the attacker is then already in your house.
Secondly, 128 bit nonces provide reasonable security for our purpose. Assume one door open request per millisecond (very pessimistic assumption!) and 100 years of operation, i.e., less than n = 2^42 requests to be protected. With 128 bit nonces, we have m = 2^128 possible nonce values. Then the birthday paradox can be used to calculate the probability p of at least one pair of requests sharing the same nonce, or, inversely, no nonces shared by any pair of requests. An approximation of p for n << m is p(n,m) = 1 - e^((-n^2)/(2*m)), which practically evaluates to 0 for n = 2^42 and m = 2^128. Even for n = 2^52 (one request per us; actually not possible with BLE), p(2^52,2^128) < 3e-8, which is about the probability to be hit by lightning, which is about 5.5e-8.
Exchanging Keys with Elliptic Curve Diffie Hellman Key Exchange (ECDH)
Obviously, the critical part is the establishment of a shared secret between the door lock controller and the mobile app. Anybody in possession of the shared secret can enter the building, thus, we must ensure that only the lock controller and the Key20 app know the secret. To this end, we use Elliptic Curve Diffie-Hellman (ECDH) key exchange based on Curve 25519. We assume that the door lock controller is installed inside the building that is secured by the lock---if the attacker is already in your home, the door lock is futile anyway. Thus, only the authorized user (owner of the building) has physical access to the door lock controller.
First, the user needs to press a button on the door lock controller device to enter key exchange mode (the red button in the pictures). Then both, the mobile app and the door lock controller calculate different key pairs based on the Elliptic Curve 25519 and exchange their public keys, which anyone can know. Using the public key of the other party and their own private keys, the lock controller and the app can calculate the same shared secret.
Using Curve 25519 and the Curve 25519 assembler implementation optimized for ARM Cortex-M0 from the Micro NaCl project, key pairs and shared secrets can be calculated in sub-seconds on the nRF51822 BLE chip (ARM Cortex M0).
Without further measures, DH is susceptible to man-in-the-middle attacks where an attacker actively manipulates the communication between mobile app and door lock controller. With such attacks, the attacker could exchange his own public key with both, the lock controller and the app to establish two shared secrets between him and the door lock controller, and between him and the mobile app. We prevent such attacks with the following mechanism. After key exchange, the mobile app and the door lock device both display a checksum (hash) of their version of the exchanged shared secret. The user will visually check these checksums to verify that they are the same. If they are the same, no man-in-the-middle attack has happened since the man in the middle cannot calculate the same shared secret as the door lock controller and the mobile app (after all, the private keys of door lock controller and mobile app remain private). Only then the user will confirm the key by pressing buttons on the door lock controller and the mobile app. Remember that only the authorized user has physical access to the door lock controller since it is installed within the building to be secured by the lock.
The following image shows the mobile app and the door lock controller displaying a shared secret checksum after key exchange. The user can confirm this secret by pushing the green button the the lock controller device and the Confirm Key button of the app.
Why not Standard Bluetooth Security?
Actually, Bluetooth 4.2 implements security concepts similar to the mechanisms described above. So it is a valid question why don't we just rely on the security concepts implemented by Bluetooth?
A good overview why Bluetooth might not be as secure as we would like it to be is provided by Francisco Corella. So we refer the interested reader to his page for the technical details and a discussion of Bluetooth security. We also would like to add that many mobile devices still do not implement Bluetooth 4.2 but only Bluetooth 4.0, which is even less secure than Bluetooth 4.2.
So we decided not to rely on Bluetooth security mechanisms, but rather implement all security protocols on the application layer using state of the art security mechanisms as described above.
Bluetooth Door Lock Controller Device
The Door Lock Controller Device needs to be connected to the electric door lock (2 cables). You can simply replace a manual switch by the door lock controller device.
The door lock controller needs to be placed in Bluetooth radio range to the door and inside the building. Typical radio ranges are about 10 m. Depending on the walls, the distance might be shorter or longer. In our experience, one concrete wall is no problem, but two might block the radio signal.
Door Lock Controller Hardware
The door lock controller hardware is designed for operating AC (alternating current) electric door locks, which typically run from 6-12 VAC.
The hardware design (schematics and board layout for Eagle) for the door lock controller device can be found in folder
The following images show the hardware and schematic. The hardware basically concists of one circuit board (PCB). We deliberately used a simple single-sided through-hole design to help makers producing their own boards. An LCD, a power switch, and two push buttons for user interaction are connected to the main PCB. An ob-board voltage regulator provides 3.3 V fed by an external DC power supply (anything between 4 V and 30 V will work). The circuit draws less than 50 mA when the lock is operated, thus, you can use a cheap 5.0 V USB power supply. With a little modification, we could also switch off the LCD when not needed, and the device could run from 4 AA-size batteries most probably for years.
The main part of the hardware is an nRF51822 BLE chip from Nordic Semiconductors. You can buy so-called "Bluetooth 4.0" breakout boards with an nRF51822 (version 3, variant AA w/ 16 kB of RAM and 256 kB flash memory) and two 2x9 connectors (2 mm pitch) for about 6 US$ including shipping. To connect the Bluetooth 4.0 board hosting the nRF51822, the PCB has two 2x9 pin connectors (no SMD soldering required). The nRF51822 features an ARM Cortex M0 micro-controller and a so-called softdevice implementing the Bluetooth stack, which runs together with the application logic on the ARM Cortex M0 processor. Key20 uses the S110 softdevice version 8.0 (see next sub-section on how to flash the softdevice and the Key20 application code).
The nRF51822 operates the electric door lock through a TRIAC. Note that most electric door locks use alternating current (AC), so a transistor will not work. We have added a snubber circuit (capacitor and resistor) to drive the inductive load (electric door lock) since TRIACs are sensitive to sudden voltage jumps possibly leading to unwanted turn-on, i.e., door unlocking. The TRIAC is operated in quadrant 2 and 3 (current flowing out of the gate) to avoid the less sensitive quadrant 4. Since the TRIAC needs about 30 mA to trigger reliably, a transistor is used to drive the TRIAC by the nRF51822, reducing the current on the micro-controller's GPIO to less than 1 mA.
Note that our design is targeting electric door locks using small AC voltages (typically 6-12 V AC). Theoretically, the TRIAC can drive 230 V loads up to 16 A. However, for safe 230 V and higer current operation the design has to be adapted, e.g., X2 snubber capacitor, isolation of the low-voltage part (3.3 V microcontroller) from the 230 V part through an opto-TRIAC, larger trace width and distances, etc.
An LCD is used to implement the secure key exchange procedure described above (visual key verification to avoid man-in-the-middle attacks). We used a common HD44780-compatible LCD display with 2x16 characters (1602A, 2-3 US$ including shipping). The LCD is connected to the main PCB through a ribbon cable. We designed a custom adapter board for connecting and mounting the 1602A LCD (see folder
Lock Controller Software
The software for the door lock controller can be found in folder
Keys (shared secrets) are persistently stored in flash. Currently, we store 4 keys, but you can easily increase this number up to the limit of the flash size (nRF51822 version 3, variant AA comes with 256 kB flash, and each key consumes only 32 bytes).
Application events and a state machine approach are used to implement the application logic. Events are handled outside the interrupt context to avoid blocking the softdevice. In particular, actions like calculating keys or hashes can take significant time, although the crypto implementations used by Key20 can also process such compute-heavy tasks in just hundreds of milliseconds.
A lean-and-mean library was implemented for the nRF51822 chip to drive the LCD.
For more details, please have a look at the source code.
Prerequisites for Building the Software
No heavy-weight IDE is required to build the code. However, still a few tools are required to build and flash the code (tested with the given version numbers):
- nRF51 SDK, version 10.0.0
- nRF5x Command Line Tools, version 8.2.0
- Softdevice S110, version 8.0.0
- Flashing and debugging hardware, e.g., Segger J-Link EDU (about 50 US$, only for non-commerical use!). The nRF51 Developers Kit (DK) comes with an on-board Segger programmer, but for flashing the Key20 board, you need an external programmer like the J-Link EDU.
- Tool chain (compiler, linker, etc.) for ARM
Building and Flashing the Software
First, adapt the Makefile by defining the following variables:
NRF51_SDK: path to the nRF51 SDK directory
CROSS: path to the compiler tools
-DTARGET_BOARD_NRF51DKif you compile for the nRF51 Development Kit (DK); if this definition is not set, you compile for the Key20 board.
LINKER_SCRIPT: set to
nrf51422_ac_s110.ldfor the nRF51 DK (nRF51422, variant AC) or to
nrf51822_aa_s110.ldfor the Key20 board (nRF51822, variant AA).
Compiling the code:
$ cd nrf51 $ make
Flashing the softdevice:
$ nrfjprog --family NRF51 --program s110_nrf51_8.0.0_softdevice.hex --chiperase --verify
Flashing the application:
nrfjprog --family NRF51 --program key20.hex --verify --sectorerase
Rebooting after flashing:
The source code of the Key20 app for Android can be found in folder
android/Key20. The code was developed with Android Studio 2.1.
The app requires a BLE-enabled mobile device running Android version 4.3 "Jelly Bean" (API level 18) or higher.
The following images show the two major tabs of the app: one for opening the door, and the second for exchanging keys between the app and the door lock controller.
License and Acknowledgments
The Key20 software (contents of folders
android) is licensed under the Apache License, Version 2.0.
The Key20 hardware documentation (contents of folder
pcb) is licensed under the CERN Open Hardware Licence, Version 1.2
Both licenses are included in the repository in the files
Key20 uses the Micro-NaCl crypto library, specifically, AVRNaCl (folder
avrnacl) by Michael Hutter and Peter Schwabe, and M0NaCl (folder
curve25519-cortexm0) by Björn Haase and Ana Helena Sánchez. The authors have released Micro-NaCl to the public domain, and we gratefully acknowledge their generous contribution.