6. Bluetooth Security

6.2 Security Architecture

The general Bluetooth security architecture is shown in Figure 4.

Figure 4: Bluetooth Security Architecture

Bluetooth security implementation is based on a challenge-response system using the passkey (PIN) as the secret key. The Security Manager (key unit) performs the following tasks:

• Stores security related information for all services (Service Database);
• Stores security related information for available devices in range (Device Database);
• Processes access requests by protocol implementations or applications (grants access or denies connection);
• Enforces authentication and/or encryption before connection can be established;
• Initiates and processes input from a device user (called External Security Control Entity (ESCE) - a human operating a device) to setup trusted relationship;
• Initiates pairing and queries PIN (PIN entry may be done by an ESCE or an application).

For connection-oriented L2CAP data (setup to connect to the next higher protocol or application) security check is performed at the onset of the request while for connectionless data packets the Security Manager checks the Service Database (for services that does not allow connectionless packets)  to decide whether the packet will be allowed or denied.