Secure Pairing of “Interface-Constrained” Devices Resistant against Rushing User Behavior

  • Nitesh Saxena
  • Md. Borhan Uddin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)

Abstract

“Secure Device Pairing” is the process of bootstrapping secure communication between two devices over a short- or medium-range wireless channel (such as Bluetooth, WiFi). The devices in such a scenario can neither be assumed to have a prior context with each other nor do they share a common trusted authority. Fortunately, the devices can generally be connected using auxiliary physical channel(s) (such as audio, visual, tactile) that can be authenticated by the device user(s), thus forming the basis for pairing. However, lack of good quality output interfaces (e.g, a speaker, display) and/or receivers (e.g., microphone, camera) on certain devices makes pairing a very challenging problem in practice.

We consider the problem of “rushing user” behavior in device pairing. A rushing user is defined as a user who in a rush to connect her devices, would skip through the pairing process, if possible. Most prior pairing methods, in which the user decides the final outcome of pairing, are vulnerable to rushing user behavior – the user can simply “accept” the pairing, without having to correctly take part in the decision process. In this paper, we concentrate on most common pairing scenarios (such as pairing of a WiFi laptop and an access point), whereby one device (access point) is constrained in terms output interfaces, while the other (laptop) has a decent quality output interface but no receiver. We present the design and usability analysis of two novel pairing methods, which are resistant to a rushing user and require only minimal device interfaces on the constrained device. One of the most appealing applications of our proposal is in defending against common threat of “Evil Twin” attacks in public places (e.g, cyber-cafes, airport lounges).

Keywords

Device Pairing Authentication Usability Security Evil Twin Attacks Wireless Communication 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Color blindness. On-line article Published by University of Illinois Eye and Ear Infirmary, http://www.uic.edu/com/eye/LearningAboutVision/EyeFacts/ColorBlindness.shtml
  2. 2.
    Datasheet and Specification for Multi-Color LED. Electronix Express/RSR Electronics, http://www.elexp.com/a_data/08l5015rgbc.pdf
  3. 3.
    Datasheet and Specification of Sixteen Segment Display, http://www.purdyelectronics.com/pdf/AND8010-B.pdf
  4. 4.
    Balfanz, D., Smetters, D., Stewart, P., Wong, H.C.: Talking to strangers: Authentication in ad-hoc wireless networks. In: Network & Distributed System Security (NDSS) (2002)Google Scholar
  5. 5.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 453. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Dhamija, R., Tygar, J.D., Hearst, M.A.: Why phishing works. In: International Conference for Human-Computer Interaction (CHI) (2006)Google Scholar
  7. 7.
    Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA CryptoBytes 7(1), 29–37 (Spring 2004)Google Scholar
  8. 8.
    Glasbey, C., van der Heijden, G., Toh, V., Gray, A.: Colour displays for categorical images. Color Research and Application 32, 304–309 (2007)CrossRefGoogle Scholar
  9. 9.
    Goldberg, I.: Visual Key Fingerprint Code (1996), http://www.cs.berkeley.edu/iang/visprint.c
  10. 10.
    Goodrich, M.T., Sirivianos, M., Solis, J., Tsudik, G., Uzun, E.: Loud and Clear: Human-Verifiable Authentication Based on Audio. In: International Conference on Distributed Computing Systems (ICDCS) (2006)Google Scholar
  11. 11.
    Kuo, C., Walker, J., Perrig, A.: Low-cost manufacturing, usability, and security: An analysis of bluetooth simple pairing and wi-fi protected setup. In: Dietrich, S., Dhamija, R. (eds.) USEC 2007. LNCS, vol. 4886, pp. 325–340. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Laur, S., Asokan, N., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 90–107. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-is-believing: Using camera phones for human-verifiable authentication. In: IEEE Symposium on Security and Privacy (2005)Google Scholar
  14. 14.
    Pasini, S., Vaudenay, S.: An optimal non-interactive message authentication protocol. In: The Cryptographers’ Track at the RSA Conference (CT-RSA) (2006)Google Scholar
  15. 15.
    Pasini, S., Vaudenay, S.: SAS-Based Authenticated Key Agreement. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 395–409. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Perrig, A., Song, D.: Hash visualization: a new technique to improve real-world security. In: International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC) (1999)Google Scholar
  17. 17.
    Prasad, R., Saxena, N.: Efficient Device Pairing using Human-Comparable Synchronized Audio Visual Patterns. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 328–345. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Roth, V., Polak, W., Rieffel, E., Turner, T.: Simple and effective defenses against evil twin access points. In: ACM Conference on Wireless Network Security (WiSec) (2008)Google Scholar
  19. 19.
    Saxena, N., Ekberg, J.-E., Kostiainen, K., Asokan, N.: Secure device pairing based on a visual channel. In: IEEE Symposium on Security & Privacy, short paper (2006)Google Scholar
  20. 20.
    Saxena, N., Uddin, M.B., Voris, J.: Universal Device Pairing using an Auxiliary Device. In: Symposium On Usable Privacy and Security (SOUPS) (2008)Google Scholar
  21. 21.
    Soriente, C., Tsudik, G., Uzun, E.: BEDA: Button-Enabled Device Association. In: International Workshop on Security for Spontaneous Interaction (IWSSI) (2007)Google Scholar
  22. 22.
    Soriente, C., Tsudik, G., Uzun, E.: HAPADEP: Human Asisted Pure Audio Device Pairing. In: International Information Security Conference (ISC), Taipei, Taiwan (September 2008)Google Scholar
  23. 23.
    Stajano, F., Anderson, R.J.: The resurrecting duckling: Security issues for ad-hoc wireless networks. In: Security Protocols Workshop (1999)Google Scholar
  24. 24.
    Suomalainen, J., Valkonen, J., Asokan, N.: Security associations in personal networks: A comparative analysis. In: Stajano, F., Meadows, C., Capkun, S., Moore, T. (eds.) ESAS 2007. LNCS, vol. 4572, pp. 43–57. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Uzun, E., Karvonen, K., Asokan, N.: Usability analysis of secure pairing methods. In: Dietrich, S., Dhamija, R. (eds.) USEC 2007. LNCS, vol. 4886, pp. 307–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  27. 27.
    Čagalj, M., Čapkun, S., Hubaux, J.-P.: Key agreement in peer-to-peer wireless networks. Proceedings of the IEEE 94(2), 467–478 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Nitesh Saxena
    • 1
  • Md. Borhan Uddin
    • 1
  1. 1.Computer Science and EngineeringPolytechnic Institute of New York UniversityUSA

Personalised recommendations