LoKey: Leveraging the SMS Network in Decentralized, End-to-End Trust Establishment

  • Anthony J. Nicholson
  • Ian E. Smith
  • Jeff Hughes
  • Brian D. Noble
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3968)


People increasingly depend on the digital world to communicate with one another, but such communication is rarely secure. Users typically have no common administrative control to provide mutual authentication, and sales of certified public keys to individuals have made few inroads. The only remaining mechanism is key exchange. Because they are not authenticated, users must verify the exchanged keys through some out-of-band mechanism. Unfortunately, users appear willing to accept any key at face value, leaving communication vulnerable. This paper describes LoKey, a system that leverages the Short Message Service (SMS) to verify keys on users’ behalf. SMS messages are small, expensive, and slow, but they utilize a closed network, between devices—phones—that are nearly ubiquitous and authenticate with the network operator. Our evaluation shows LoKey can establish and verify a shared key in approximately 30 seconds, provided only that one correspondent knows the other’s phone number. By verifying keys asynchronously, two example applications—an instant messaging client and a secure email service—can provide assurances of message privacy, integrity, and source authentication while requiring only that users know the phone number of their correspondent.


Short Message Service Mobile Phone Number Short Message Service Message Buddy List Service Daemon 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CCITT, Draft Recommendation X.509: The Directory-Authentication Framework. Consultation Committee, International Telecommunications Union, Geneva (1989)Google Scholar
  2. 2.
    Freier, A., Karlton, P., Kocher, P.: Secure Socket Layer 3.0. Internet Draft (1996)Google Scholar
  3. 3.
    Warner, B.: Billions of “phishing” scam emails sent monthly. Reuters News Service (2004)Google Scholar
  4. 4.
    Bellovin, S.M.: Using the Domain Name System for system break-ins. In: Proceedings of the 5th USENIX Security Symposium (1995)Google Scholar
  5. 5.
    Xia, H., Brustoloni, J.C.: Hardening web browsers against man-in-the-middle and eavesdropping attacks. In: Proceedings of the 14th International World Wide Web Conference, WWW 2005 (2005)Google Scholar
  6. 6.
    Neuman, B., Ts’o, T.: Kerberos: An authentication service for computer networks. IEEE Communications Magazine 32, 33–38 (1994)CrossRefGoogle Scholar
  7. 7.
    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium (1999)Google Scholar
  8. 8.
    Dohrmann, S., Ellison, C.: Public-key Support for Collaborative Groups. In: Proceedings of the First Annual PKI Research Workshop (2002)Google Scholar
  9. 9.
    Garfinkel, S., Margrave, D., Schiller, J., Nordlander, E., Miller, R.: How to make secure email easier to use. In: Proceedings of the Conference on Human Factors in Computing Systems, CHI (2005)Google Scholar
  10. 10.
    Perrig, A., Song, D.: Hash Visualization: A New Technique to Improve Real-World Security. In: Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce, CryptEC (1999)Google Scholar
  11. 11.
    Peersman, C., Cvetkovic, S.: The global system for mobile communications: Short Message Service. IEEE Personal Communications 7, 15–23 (2000)CrossRefGoogle Scholar
  12. 12.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 6, 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Maurer, U.M.: Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 271–281. Springer, Heidelberg (1994)Google Scholar
  14. 14.
    Diffie, W., Oorschot, P., Wiener, M.: Authentication and Authenticated Key Exchanges. Designs, Codes, and Cryptography 2, 107–125 (1992)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Kaminsky, M., Savvides, G., Mazieres, D., Kaashoek, M.: Decentralized User Authentication in a Global File System. In: Proceedings of the 19th ACM Symposium on Operating Systems Principles (2003)Google Scholar
  16. 16.
    Burkholder, P.: SSL Man-in-the-middle Attacks. The SANS Institute (2002)Google Scholar
  17. 17.
    Xu, H., Teo, H., Wang, H.: Foundations of SMS Commerce Success: Lessions from SMS Messaging and Co-opetition. In: Proceedings of the 36th Hawaii International Conference on System Sciences, HICSS (2003)Google Scholar
  18. 18.
    Naor, M., Yung, M.: Universal one-way hash functions and their crytographic applications. In: Proceedings of the 21st ACM Symposium on the Theory of Computing, STOC 1989 (1989)Google Scholar
  19. 19.
    National Institute of Standards and Technology (NIST): Secure Hash Standard (SHS). National Technical Information Service (2002)Google Scholar
  20. 20.
    Bluetooth SIG: Specification of the Bluetooth System (2005),
  21. 21.
    Shaked, Y., Wool, A.: Cracking the Bluetooth PIN. In: Proceedings of the Third International Conference on Mobile Systems, Applications, and Services, MobiSys 2005 (2005)Google Scholar
  22. 22.
    Anderson, R.: Security Engineering. Wiley, Chichester (2001)Google Scholar
  23. 23.
    Nicholson, A.J., Han, J., Watson, D., Noble, B.D.: Exploiting Mobility for Key Establishment. In: Proceedings of the Seventh IEEE Workshop on Mobile Computing Systems and Applications, WMCSA 2006 (2006)Google Scholar
  24. 24.
    Smith, I., Consolvo, S., LaMarca, A., Hightower, J., Scott, J., Sohn, T., Hughes, J., Iachello, G., Abowd, G.D.: Social disclosure of place: From location technology to communication practices. In: Gellersen, H.-W., Want, R., Schmidt, A. (eds.) PERVASIVE 2005. LNCS, vol. 3468, pp. 134–151. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Biggadike, A., Ferullo, D., Wilson, G., Perrig, A.: NATBLASTER: Establishing TCP Connections Between Hosts Behind NATs. In: Proceedings of the SIGCOMM Asia Workshop (2005)Google Scholar
  26. 26.
    Ford, B., Srisuresh, P., Kegel, D.: Peer-to-Peer Communication Across Network Address Translators. In: Proceedings of the USENIX Annual Technical Conference (2005)Google Scholar
  27. 27.
    Daemen, J., Rijmen, V.: AES Proposal: Rijndael. NIST (2000)Google Scholar
  28. 28.
    Fischer, K.: Bluetooth Wireless Technology. In: Proceedings of the IEEE EMC Wireless Workshop (2000)Google Scholar
  29. 29.
    Thompson, K.: A Security Review of the ASB Bank Netcode Authentication System (2004),
  30. 30.
    Claessens, J., Preneel, B., Vandewalle, J.: Combining World Wide Web and Wireless Security. In: Proceedings of IFIP Network Security (2001)Google Scholar
  31. 31.
    Maher, D.: Secure communication method and apparatus. U.S. Patent Number 5,450,493 (1995)Google Scholar
  32. 32.
    Gehrmann, C., Mitchell, C., Nyberg, K.: Manual Authentication for Wireless Devices. RSA Cryptobytes 7 (2004)Google Scholar
  33. 33.
    Hoepman, J.H.: The Ephemeral Pairing Problem. In: Proceedings of the 8th International Conference on Financial Cryptography (2004)Google Scholar
  34. 34.
    Madhavapeddy, A., Sharp, R., Scott, D., Tse, A.: Audio Networking: The Forgotten Wireless Technology. IEEE Pervasive Computing 4 (2005)Google Scholar
  35. 35.
    Stajano, F., Anderson, R.: The Resurrecting Duckling. In: Proceedings of the 7th International Workshop on Security Protocols (1999)Google Scholar
  36. 36.
    Balfanz, D., Smetters, D., Stewart, P., Wong, H.C.: Talking to Strangers: Authentication in Ad-Hoc Wireless Networks. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2002), San Diego, California, USA (2002)Google Scholar
  37. 37.
    Capkun, S., Hubaux, J.P., Buttyan, L.: Mobility Helps Security in Ad Hoc Networks. In: Proceedings of the Fourth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc 2003), Annapolis, Maryland, USA (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Anthony J. Nicholson
    • 1
  • Ian E. Smith
    • 2
  • Jeff Hughes
    • 3
  • Brian D. Noble
    • 1
  1. 1.University of MichiganUSA
  2. 2.Intel ResearchSeattleUSA
  3. 3.University of WashingtonUSA

Personalised recommendations