On the Usability of Secure Association of Wireless Devices Based on Distance Bounding

  • Mario Cagalj
  • Nitesh Saxena
  • Ersin Uzun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5888)


When users wish to establish wireless communication between their devices, the channel needs to be bootstrapped first. Usually, the channel is desired to be authenticated and confidential, in order to mitigate any malicious control of or eavesdropping over the communication. When there is no prior security context, such as, shared secrets, common key servers or public key certificates, device association necessitates some level of user involvement into the process. A wide variety of user-aided security association techniques have been proposed in the past. A promising set of techniques require out-of-band communication between the devices (e.g., auditory, visual, or tactile). The usability evaluation of such techniques has been an active area of research.

In this paper, our focus is on the usability of an alternative method of secure association – Integrity regions (I-regions) [40] – based on distance bounding. I-regions achieves secure association by verification of entity proximity through time-to-travel measurements over ultrasonic or radio channels. Security of I-regions crucially relies on the assumption that human users can correctly gauge the distance between two communicating devices. We demonstrate, via a thorough usability study of the I-regions technique and related statistical analysis, that such an assumption does not hold in practice. Our results indicate that I-regions can yield high error rates, undermining its security and usability under common communication scenarios.


Authentication Distance Bounding Usable Security Wireless Networks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balfanz, D., Smetters, D., Stewart, P., Wong, H.: Talking to Strangers: Authentication in Ad-Hoc Wireless Networks. In: Proceedings of the 9th Annual Network and Distributed System Security Symposium (NDSS) (2002)Google Scholar
  2. 2.
    Bangor, A., Kortum, P.T., Miller, J.T.: An empirical evaluation of the system usability scale. International Journal of Human-Computer Interaction 24(6), 574–594 (2008)CrossRefGoogle Scholar
  3. 3.
    Boyko, V., MacKenzie, P., Patel, S.: Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Brands, S., Chaum, D.: Distance-bounding protocols. In: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pp. 344–359. Springer-Verlag New York, Inc., Heidelberg (1994)Google Scholar
  5. 5.
    Brooke, J.: SUS: a quick and dirty usability scale. In: Jordan, P.W., Thomas, B., Weerdmeester, B.A., McClelland, A.L. (eds.) Usability Evaluation in Industry, Taylor and Francis, London (1996)Google Scholar
  6. 6.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Ellison, C.M., Dohrmann, S.: Public-key support for group collaboration. ACM Transactions on Information and System Security 6(4), 547–565 (2003)CrossRefGoogle Scholar
  8. 8.
    Faulkner, L.: Beyond the five-user assumption: Benefits of increased sample sizes in usability testing. Behavior Research Methods, Instruments, & Computers 35(3), 379–383 (2003)Google Scholar
  9. 9.
    Fontana, R.J.: Experimental Results from an Ultra Wideband Precision Geolocation System. Ultra-Wideband, Short-Pulse Electromagnetics (May 2000)Google Scholar
  10. 10.
    Goldberg, I.: Visual Key Fingerprint Code (1996),
  11. 11.
    Goodrich, M., et al.: Loud and Clear: Human-Verifiable Authentication Based on Audio. In: International Conference on Distributed Computing Systems (2006)Google Scholar
  12. 12.
    Goodrich, M.T., et al.: Using audio in secure device pairing. International Journal of Security and Networks 4(1), 57–68 (2009)CrossRefGoogle Scholar
  13. 13.
    Holmquist, L.E., et al.: Smart-its friends: A technique for users to easily establish connections between smart artefacts. In: Abowd, G.D., Brumitt, B., Shafer, S. (eds.) UbiComp 2001. LNCS, vol. 2201, pp. 116–122. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Kainda, R., et al.: Usability and security of out-of-band channels in secure device pairing protocols. In: Symposium On Usable Privacy and Security (SOUPS) (2009)Google Scholar
  15. 15.
    Kindberg, T., Zhang, K.: Validating and securing spontaneous associations between wireless devices. In: Information Security Conference, pp. 44–53 (2003)Google Scholar
  16. 16.
    Kobsa, A., et al.: Serial hook-ups: A comparative usability study of secure device pairing methods. In: Symposium On Usable Privacy and Security (SOUPS) (2009)Google Scholar
  17. 17.
    Kostiainen, K., Uzun, E.: Framework for comparative usability testing of distributed applications. In: Security User Studies: Methodologies and Best Practices Workshop (2007)Google Scholar
  18. 18.
    Kumar, A., et al.: Caveat Emptor: A Comparative Study of Secure Device Pairing Methods. In: IEEE International Conference on Pervasive Computing and Communications (PerCom) (2009)Google Scholar
  19. 19.
    Landsberger, H.A.: Hawthorne revisited. Cornell University Press (1968)Google Scholar
  20. 20.
    Laur, S., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 90–107. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Mao, W.: Modern Cryptography, Theory & Practice. Prentice Hall PTR, Englewood Cliffs (2004)Google Scholar
  22. 22.
    Mayrhofer, R., Gellersen, H.-W.: Shake Well Before Use: Authentication Based on Accelerometer Data. In: LaMarca, A., Langheinrich, M., Truong, K.N. (eds.) Pervasive 2007. LNCS, vol. 4480, pp. 144–161. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Mayrhofer, R., Welch, M.: A Human-Verifiable Authentication Protocol Using Visible Laser Light. In: International Conference on Availability, Reliability and Security (ARES), pp. 1143–1148 (2007)Google Scholar
  24. 24.
    McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-is-believing: Using camera phones for human-verifiable authentication. In: IEEE Symposium on Security and Privacy (2005)Google Scholar
  25. 25.
    Pasini, S., Vaudenay, S.: SAS-Based Authenticated Key Agreement. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 395–409. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. 26.
    Perrig, A., Song, D.: Hash visualization: a new technique to improve real-world security. In: International Workshop on Cryptographic Techniques and E-Commerce (1999)Google Scholar
  27. 27.
    Piontek, H., Seyffer, M., Kaiser, J.: Improving the accuracy of ultrasound-based localisation systems. Personal and Ubiquitous Computing 11(6), 439–449 (2007)CrossRefGoogle Scholar
  28. 28.
    Prasad, R., Saxena, N.: Efficient device pairing using Human-comparable synchronized audiovisual patterns. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 328–345. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. 29.
    Priyantha, N.B., Chakraborty, A., Balakrishnan, H.: The Cricket location-support system. In: Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom), pp. 32–43. ACM Press, New York (2000)Google Scholar
  30. 30.
    Roth, V., et al.: Simple and effective defense against evil twin access points. In: ACM conference on Wireless network security (WISEC), pp. 220–235 (2008)Google Scholar
  31. 31.
    Saxena, N., et al.: Extended abstract: Secure device pairing based on a visual channel. In: IEEE Symposium on Security and Privacy (2006)Google Scholar
  32. 32.
    Soriente, C., Tsudik, G., Uzun, E.: Secure pairing of interface constrained devices. International Journal of Security and Networks 4(1), 17–26 (2009)CrossRefGoogle Scholar
  33. 33.
    Soriente, C., Tsudik, G., Uzun, E.: BEDA: Button-Enabled Device Association. In: International Workshop on Security for Spontaneous Interaction (IWSSI), UbiComp Workshop Proceedings (2007)Google Scholar
  34. 34.
    Soriente, C., Tsudik, G., Uzun, E.: HAPADEP: human-assisted pure audio device pairing. In: Information Security, pp. 385–400 (2008)Google Scholar
  35. 35.
    Stajano, F., Anderson, R.: The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In: International Workshop on Security Protocols (1999)Google Scholar
  36. 36.
    Stajano, F.: Security for Ubiquitous Computing. John Wiley & Sons, Ltd., Chichester (2002)CrossRefGoogle Scholar
  37. 37.
    Suomalainen, J., Valkonen, J., Asokan, N.: Security Associations in Personal Networks: A Comparative Analysis. In: Stajano, F., Meadows, C., Capkun, S., Moore, T. (eds.) ESAS 2007. LNCS, vol. 4572, pp. 43–57. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  38. 38.
    Uzun, E., Karvonen, K., Asokan, N.: Usability analysis of secure pairing methods. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 307–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  39. 39.
    Varshavsky, A., et al.: Amigo: Proximity-Based Authentication of Mobile Devices. In: Krumm, J., Abowd, G.D., Seneviratne, A., Strang, T. (eds.) UbiComp 2007. LNCS, vol. 4717, pp. 253–270. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  40. 40.
    Čapkun, S., Čagalj, M.: Integrity regions: authentication through presence in wireless networks. In: WiSe 2006: Proceedings of the 5th ACM workshop on Wireless security (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mario Cagalj
    • 1
  • Nitesh Saxena
    • 2
  • Ersin Uzun
    • 3
  1. 1.FESBUniversity of SplitCroatia
  2. 2.Computer Science and EngineeringPolytechnic Institute of New York University 
  3. 3.Information and Computer SciencesUniversity of CaliforniaIrvine

Personalised recommendations