The developers of Wireless USB have strived to maintain the same usage and architecture as wired USB with a high-speed host-to-device connection. However, the increased attention to security issues has compelled the USB-IF to mandate comprehensive authentication and security support within the MAC layer of the wireless USB protocol. These requirements are defined in the Certified Wireless USB Association Model Specification v1.0 and govern how devices will discover and establish secure connections.
Association vs. security
The terms "association" and "security" are separate but related concepts in wireless USB.
Association is the process of establishing a trusted relationship between two wireless devices. This is a one-time event that requires user involvement to ensure devices are authorized to communicate, and is designed to prevent unauthorized or accidental connections between two unrelated devices. Security refers to the encryption mechanism used for protection of data in transit (AES 128).
Click here for Figure 1
Figure 1: In Wireless USB, the payload portion of the frame will be encrypted, which will prevent radio-based analyzers from decoding the "scrambled" USB traffic.
Complete security encryption keys are a combination of a predetermined connection key established during the association process and a second temporary "session key" which is generated between devices using a 4-way handshake that occurs every time two devices establish a connection.
With most early prototype chipsets, encryption can be disabled to allow analysis tools to record protocol traffic unencumbered by scrambled data packets. However all wireless USB logical transfers must be encrypted once pre-production devices undergo certification testing by the USB-IF.
The ability to decode the protocol events requires that the analysis tools can decrypt the traffic to identify the logical USB transfers. Conventional protocol analyzer tools must be pre-configured with the encryption key or the system will be unable to trigger in real-time or display the logical USB protocol events.
The association process
In an environment where there may be many Wireless USB hosts and many Wireless USB devices belonging to multiple users, there is a need to identify which devices are allowed to communicate with each other.
When two Wireless Wireless USB devices are brought together for the first time, they must identify themselves and the user must verify they are authorized to communicate. If there is no record that they have previously been authorized, they must perform a first-time association. The Certified Wireless USB spec defines two methods of establishing this trusted relationship: cable association and numeric association.
Cable Association
With the cable association model, users must associate a host to a device by physically connecting the two devices together with a standard USB cable. The two devices then exchange a unique 384-bit identifier over the USB cable that is known as the "connection context."
Click here for Figure 2
Figure 2: Wireless USB requires a one-time association to occur between host and device to establish the connection context. All subsequent communications automatically derive a session key from the shared communication context and use this key for encrypted communication.