Skip to main content
SpringerLink
Log in

Go anywhere: user-verifiable authentication over distance-free channel for mobile devices

  • Original Article
  • Published:
Personal and Ubiquitous Computing Aims and scope Submit manuscript

Abstract

Current mobile technology gives us ubiquitous services with personal mobile devices such as smart phones, tablet PCs, and laptops. With these mobile devices, the human users may wish to exchange sensitive data with others (e.g., their friends or their colleagues) over a secure channel. Public key cryptography is a good solution for establishing this secure channel. However, it is vulnerable to man-in-the-middle attack, if the entities have no shared information. A number of techniques based on human-assisted out-of-band channels have been proposed to solve this problem. Unfortunately, these works have a common shortcoming: The human users must be colocated in close proximity. In this paper, we focus on how to construct a distance-free channel, which is not location-limited for establishing a secure channel between two users (devices). The proposed distance-free channel provides identification and authentication of the devices at the different locations using taken pictures or pre-stored images. The human user participates in the authentication process by sending and verifying an image. We describe the prototype implementation operated on a smart phone and show the experimental results when actually two smart phones share a common key using Diffie–Hellman key agreement over the proposed distance-free channel.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Notes

  1. Its hexadecimal value is: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF.

  2. The average trials to find hash collision is 2k−1 where one way hash function is h: {0,1}* → {0,1}k. If the attacker(s) could compute at most 1 trillion 1,024-bit modular exponentiations and hash operations per second, and we apply timeout rule to wait MMS message to ‘2 min’ (in worst case of very loose network), the attacker can succeed with probability 247/2255 = 2−208 (120 s → 120 trillion trials → 47 bits). It is very trivial possibility.

References

  1. Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126

    Article  MathSciNet  MATH  Google Scholar 

  2. Diffie W, Hellman ME (1976) New directions in cryptography. IEEE Trans Inf Theory, IT-22, pp. 644–654

  3. Stajano F, Anderson R (1999) The resurrecting duckling: security issues for ad hoc wireless networks. In: Proceedings of 7th international workshop security protocols, pp 172–194

  4. Balfanz D, Smetters D, Stewart P, Wong H (2002) Talking to strangers: authentication in ad hoc wireless networks. In: Proceedings of 9th annual network and distributed system security symposium, San Diego, CA

  5. McCune JM, Perrig A, Reiter MK (2009) Seeing-is-believing: using camera phones for human-verifiable authentication. Int J Secur Netw 4(1/2):43–56

    Article  Google Scholar 

  6. Kim J-J, Yoo D-Y, Choi J-Y, Hong S-P (2011) A method of risk assessment for multi-factor authentication. J Inf Proc Syst 7(1):187–198

    Google Scholar 

  7. Bellovin S, Merrit M (1993) Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Proceedings of first ACM conference on Computer and Communications Security CCS-1, pp 244–250

  8. Boyko V, MacKenzie P, Patel S (2000) Provably secure password authentication and key exchange using diffie-hellman. In: Proceedings of advances in cryptology—EUROCRYPT, vol 1807 of lecture notes in computer science, pp 156–171

  9. MacKenzie P, Patel S, Swaminathan R (2000) Password authenticated key exchange based on RSA. In: Proceedings of advances in cryptology—ASIACRYPT, pp 599–613

  10. Wu T (1999) The secure remote password protocol. In: Proceedings of network and distributed system security symposium

  11. Capkun S, Hubaux J, Buttyan L (2003) Mobility helps security in ad hoc networks. In: Proceedings of the ACM symposium on mobile ad hoc networking and computing (MobiHoc 2003)

  12. Cagalj M, Capkun S, Hubaux J-P (2006) Key agreement in peer-to-peer wireless networks. In: Proceedings of the IEEE special issue on cryptography and security, vol 94, pp 467–478

  13. Laur S, Nyberg K (2006) Efficient mutual data authentication using manually authenticated strings. In: Proceedings of Cryptology and Network Security (CANS), pp 90–107

  14. Vaudenay S (2005) Secure communications over insecure channels based on short authenticated strings. In: Proceedings of advances in cryptology (CRYPTO), lecture notes in computer science, vol 3621

  15. Uzun E, Karvonen K, Asokan N (2007) Usability analysis of secure pairing methods. In: Proceedings of the usable security workshop, pp 307–324

  16. Roth V, Polak W, Rieffel E, Turner T (2008) Simple and effective defenses against evil twin access points. In: Proceedings of ACM conference wireless network security (WiSec), pp 220–235, short paper

  17. Perrig A, Song D (1999) Hash visualization: a new technique to improve real-world security. In: Proceedings of the workshop on cryptographic techniques and E-commerce (CrypTEC), pp 131–138

  18. Ellison C, Dohrmann S (2003) Public-key support for group collaboration. ACM Trans Inf Syst Secur 6(4):547–565

    Article  Google Scholar 

  19. Saxena N, Ekberg J-E, Kostiainen K, Asokan N (2006) Secure device pairing based on a visual channel (short paper). In: Proceedings of the IEEE symposium on security and privacy, pp 306–313

  20. Saxena N, Ekberg J-E, Kostiainen K, Asokan N (2011) Secure device pairing based on a visual channel: design and usability study. IEEE Trans Inf Forensics Secur 6(1):28–38

    Article  Google Scholar 

  21. Goodrich MT, Sirivianos M, Solis J, Tsudik G, Uzun E (2006) Loud and clear: human-verifiable authentication based on audio. In: Proceedings of the IEEE international conference on distributed computing systems (ICDCS), pp 1–10

  22. Soriente C, Tsudik G, Uzun E (2007) Hapadep: human assisted pure audio device pairing. Rep. 2007/093, Cryptology ePrint Archive

  23. Pyshkin E, Kuznetsov A (2010) Approaches for web search user interfaces: how to improve the search quality for various types of information. J Converg 1(1):1–8

    Google Scholar 

  24. Orman H (1998) The OAKLEY key determination protocol. RFC 2412

  25. Javed K, Saleem U, Hussain K, Sher M (2011) An enhanced technique for vertical handover of multimedia traffic between WLAN and EVDO. J Converg 1(1):107–112

    Google Scholar 

  26. Wang S-J, Tsai Y-R, Shen C-C, Chen P-Y (2010) Hierarchical key derivation scheme for group-oriented communication systems. Int J Inf Technol Commun Converg 1(1):66–76

    Google Scholar 

  27. Chen C-HO, Chen C-W, Kuo C, Lai Y-H, McCune JM, Studer A, Perrig A, Yang B-Y, Wu T-C (2008) GAnGS: gather authenticate’n group securely. Proceedings of MobiCom’08

  28. Lin Y-H, Studer A, Hsiao H-C, McCune JM, Wang K-H, Krohn M, Lin P-L, Perrig A, Sun H-M, Yang B-Y (2009) Spate: small-group pki-less authenticated trust establishment. In: Proceedings of MobiSys’09

  29. Andreeva E, Mennink B, Preneel B (2010) Security properties of domain extenders for cryptographic hash functions. J Inf Proc Syst 6(4):453–480

    Google Scholar 

  30. Xie B, Kumar A, Zhao D, Reddy R, He B (2010) On secure communication in integrated heterogeneous wireless networks. Int J Inf Technol Commun Converg 1(1):4–23

    Google Scholar 

Download references

Acknowledgments

We appreciate anonymous reviewers for their helpful comments. This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2011-0011289).

Author information

Authors and Affiliations

  1. The Graduate School of Ajou University, Suwon, Republic of Korea

    Sukin Kang

  2. The Graduate School of Information and Communication, Ajou University, Suwon, Republic of Korea

    Jonguk Kim & Manpyo Hong

Authors
  1. Sukin Kang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jonguk Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Manpyo Hong
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sukin Kang.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Kang, S., Kim, J. & Hong, M. Go anywhere: user-verifiable authentication over distance-free channel for mobile devices. Pers Ubiquit Comput 17, 933–943 (2013). https://doi.org/10.1007/s00779-012-0531-4

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00779-012-0531-4

Keywords

Search

Navigation