I have a task at hand on designing security on the Bluetooth Low Energy application layer. The system is created so that only smartphones with a symmetric key (long term) can communicate with and control my BLE device. The symmetric key will be stored securely on a cloud server and programmed on the BLE device with JTAG read protection. The mechanism to distribute this symmetric key to the intended smartphone is outside the scope of this thread.
I use AES-GCM on my embedded processor and phone app. It can be summarized like this:
At first I thought it would be secure, but later I found that it might break if someone impersonates the BLE device (MAC address clone) and replays the previous legitimate response, such as:
It leads into a condition where different data is encrypted and authenticated with the same nonce. I am worried that adversaries could recover the long term key.
My problem seems similar to these:
But they use ECDH, while my system does not use public key cryptography.
My questions are about:
What is a good mechanism to securely generate a session key when both parties have the same long term symmetric key?
I have a true random number generator on my BLE hardware, and for the app I can use a secure random number generator library, but my knowledge is limited on key exchange techniques.
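One answer to the session-key question above, as an added example that is not part of the original post: both sides contribute a fresh random nonce, the session key is derived from the long term key and both nonces with HKDF (RFC 5869, HMAC-SHA256), and every message is authenticated under that session key together with a counter. A recorded response from an earlier session then fails verification, even if the impersonator also replays the device nonce it recorded. The key `LTK`, the nonce length and the label `ble-app-session-v1` are constructed stand-ins.

```python
import hmac, hashlib, os, struct

LTK = bytes(range(32))  # constructed stand-in for the shared 256-bit long term key

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF, extract then expand, with HMAC-SHA256 (length <= 255 * 32)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_key(ltk: bytes, nonce_phone: bytes, nonce_device: bytes) -> bytes:
    # Both nonces enter the derivation, so neither party alone can force key reuse
    # and the long term key itself is never used directly on the air interface.
    return hkdf_sha256(ltk, salt=nonce_phone + nonce_device, info=b"ble-app-session-v1")

def mac_message(session_key: bytes, counter: int, payload: bytes) -> bytes:
    # The counter binds the message to its position in this session (no in-session replay).
    return hmac.new(session_key, struct.pack(">I", counter) + payload, hashlib.sha256).digest()

def verify_message(session_key: bytes, counter: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_message(session_key, counter, payload), tag)

def run_handshake(ltk: bytes):
    """Phone and device each draw a 16-byte nonce (TRNG / secure RNG) and exchange them."""
    n_phone, n_device = os.urandom(16), os.urandom(16)
    return n_phone, n_device, derive_session_key(ltk, n_phone, n_device)

def replay_is_rejected(ltk: bytes) -> bool:
    # Session 1: the genuine device answers a command; an eavesdropper records
    # the device nonce and the authenticated response.
    _, n_device1, k1 = run_handshake(ltk)
    recorded = (1, b"status:unlocked", mac_message(k1, 1, b"status:unlocked"))
    # Session 2: an impersonator with a cloned MAC address replays the recorded
    # device nonce, but the phone draws a fresh nonce, so the session key differs
    # and the replayed tag no longer verifies.
    k2 = derive_session_key(ltk, os.urandom(16), n_device1)
    return not verify_message(k2, *recorded)

if __name__ == "__main__":
    print("replayed response rejected:", replay_is_rejected(LTK))
```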
Using GCM with a long term fixed key is dangerous; if you repeat the nonce, you can leak the authentication piece.
Instead, what I would suggest is that you use AES-SIV. It doesn't have the problems with repeating a nonce. It is more complex, and slower, however it is far better suited if you have to use a long term key.