Abstract
New families of protocol, based on communication over human-based side channels, permit secure pairing or group formation in ways such that no party has to prove its name. Rather, individuals are able to hook up devices in their possession to others that they can identify by context. We examine a model in which, to prove his or her identity to a party, the user first uses one of these “human-interactive security protocols” or HISPs to connect to it. Thus, when authenticating A to B, A first authenticates a channel she has to B: the reverse direction. This can be characterised as bootstrapping a secure connection using human trust. This provides new challenges to the formal modelling of trust and authentication.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
The upper bound takes account of the common hash block size of 512 and the extra initial bit inserted by the protocol.
The key certainly needs to be strong enough so that there is no realistic chance of it being broken during the life of the session being established. Further strength is required to ensure that the contents of that session remain secret after it ends.
Formal analysis later, in Section 6, will show us that there are advantages in replacing this encryption by {k,hash(hk M )} pk .
This did not prove to be an issue in our implementations: see Section 8.
The fact that hk C is independent of the value of hk M it accepts depends on the tagging of these values by 0 and 1.
As we will see, good old fashioned cash transactions resemble our connection.
We note that in some present credit card transactions, especially on-line ones, she does not have to do this.
In fact we argue that our methods provide a higher degree of security than the traditional use of https sites, since we are only relying on the communication through it being authenticated, not secret. Thus neither screen-shot grabbing nor key-sniffing would benefit an attacker.
There are two important caveats we must make to this claim. The first is that our checks were carried out on models in which we only examine a single pair of trustworthy nodes able to run the protocol up to twice each against an intruder with a single identity to use. There is good reason to believe that that this would find any attack, but we have yet to integrate our model of combinatorial search into the CSP techniques [22] that prove general versions of protocols under strong encryption. The second caveat is that nothing can prevent the possibility of the intruder making a single lucky guess that results in a digest collision with a probability of about 2 − b where b is the width of the digest.
In the mobile banking variant discussed earlier there is no payment message from customer to merchant, rather the payment goes through the banking system.
The example file supporting this paper splits it into two: hk C and {k,hash(1:hk M )} pk . In cases like this where a message consists of the concatenation of two or more parts, rather than being the result of a cryptographic operation, it is always legitimate to make this transformation: it does not change the security properties of the protocol. The reason for the transformation is to reduce the sizes of the types that a tool like FDR has to consider: the alphabet is cut from from 43,668 to 12,920 in this case.
References
Abadi M, Needham R (1996) Prudent engineering practice for cryptographic protocols. IEEE Trans Softw Eng 22(1)
Black J, Halevi S, Krawczyk H, Krovetz T, Rogaway P (1999) UMAC: fast and secure message authentication. In: CRYPTO. LNCS, vol 1666, pp 216–233
Carter JL, Wegman MN (1979) Universal classes of hash functions. J Comput Syst Sci 18:143–154
Dietzfelbinger M, Hagerup T, Katajainen J, Penttonen M (1997) A reliable randomized algorithm for the closest-pair problem. J Algorithm 25:19–51
Gehrmann C, Mitchell C, Nyberg K (2004) Manual authentication for wireless devices. RSA Cryptobytes 7(1):29–37
Halevi S, Krawczyk H (1997) MMH: software message authentication in the Gbit/second rates. In: The proceedings of FSE 1997. LNCS, vol 1267, pp 172–189
ISO/IEC 9798-6, Nguyen LH (ed) (2010) Information technology – security techniques – entity authentication – part 6: mechanisms using manual data transfer
Kainda R, Flechais I, Roscoe AW (2009) Usability and security of out-of-band channels in secure device pairing protocols. In: The proceedings of SOUPS
Laur S, Nyberg K (2006). Efficient mutual data authentication using manually authenticated strings. In: LNCS, vol 4301, pp 90–107
Lindell AY (2009) Comparison-based key exchange and the security of the numeric comparison mode in bluetooth v2.1. In: The proceedings of RSA conference, pp 66–83
Lowe G (2004) Analysing protocol subject to guessing attacks. J Comput Security 12(1):83–98
McCune JM, Perrig A, Reiter MK (2005) Seeing is believing: using camera phones for human-verifiable authentication. In: The proceedings of IEEE symposium on security and privacy, pp 110–124
Menezes AJ, van Oorschot PC, Vanstone SA Handbook of applied cryptography. ISBN: 0-8493-8523-7
Nguyen LH, Roscoe AW (2006) Efficient group authentication protocol based on human interaction. In: The proceedings of FCS-ARSPA, pp 9–31
Nguyen LH, Roscoe AW (2008) Authenticating ad hoc networks by comparison of short digests. Inform Comput 206:250–271
Nguyen LH, Roscoe AW (2008) Separating two roles of hashing in one-way message authentication. In: The proceedings of FCS-ARSPA-WITS, pp 195–210
Nguyen LH, Roscoe AW (2011) Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey. J Comput Security 19(1):139–201
Nguyen LH, Roscoe AW (2012) Short-output universal hash functions, and their use in fast and secure message authentication. In: The proceeding of the 19th international workshop on fast software encryption FSE
Roscoe AW (1998) The theory and practice of concurrency. Prentice Hall. ISBN-10: 0136744095. ISBN-13: 978-0136744092
Roscoe AW (2005) Human-centred computer security. web.cs.ox.ac.uk/oucl/work/bill.roscoe/publications/113.pdf
Roscoe AW, Smyth T, Nguyen LH (2012) Model checking cryptographic protocols subject to combinatorial attack (submitted for publication). http://www.cs.ox.ac.uk/publications/publication5266-abstract.html
Ryan P, Schneider S, Goldsmith M, Lowe G, Roscoe AW (2000) Modelling and analysis of security protocols. Addison-Wesley Professional. ISBN-10: 0201674718, ISBN-13: 978-0201674712
Suomalainen J, Valkonen J, Asokan N (2007) Security associations in personal networks: a comparative analysis. In: LNCS, vol 4572, pp 43–57
Vaudenay S (2005) Secure communications over insecure channels based on short authenticated strings. In: Advances in cryptology – crypto 2005. LNCS, vol 3621, pp 309–326
Wegman MN, Carter JL (1981) New hash functions and their use in authentication and set equality. J Comput Syst Sci 22:265–279
Acknowledgements
We are grateful to Ronald Kainda and Ivan Flechais for their work with Andrew William Roscoe on the human factors of HISPs and to Toby Smyth for his work on the formal verification of these protocols with Roscoe and Nguyen. A number of researchers from the banking industry have helped us to understand what is required there and enabled us to understand the real-life problems that protocols for financial transactions need to solve.
Parts of the work reported in this paper have benefited from funding from QinetiQ and the US Office of Naval Research.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Chen, B., Nguyen, L.H. & Roscoe, A.W. Reverse Authentication in Financial Transactions and Identity Management. Mobile Netw Appl 18, 712–727 (2013). https://doi.org/10.1007/s11036-012-0366-2
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11036-012-0366-2