Secure Device Pairing Based on a Visual Channel: Design and Usability Study

“Pairing” is the establishment of authenticated key agreement between two devices over a wireless channel. Such devices are ad hoc in nature as they lack any common preshared secrets or trusted authority. Fortunately, these devices can be connected via auxiliary physical (audio, visual, tactile) channels which can be authenticated by human users. They can, therefore, be used to form the basis of a pairing operation. Recently proposed pairing protocols and methods are based upon bidirectional physical channels. However, various pairing scenarios are asymmetric in nature, i.e., only a unidirectional physical channel exists between two devices (such as between a cell phone and an access point). In this paper, we show how strong mutual authentication can be achieved even with a unidirectional visual channel, where prior methods could provide only a weaker property termed as presence. This could help reduce the execution time and improve usability of prior pairing methods. In addition, by adopting recently proposed improved pairing protocols, we propose how visual channel authentication can be used even on devices that have very limited displaying capabilities, all the way down to a device whose display consists of a cheap single light-source, such as a light-emitting diode. We present the results of a preliminary usability study evaluating our proposed method.

[1]  Frank Stajano,et al.  The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks , 1999, Security Protocols Workshop.

[2]  Dawn Song,et al.  Hash Visualization: a New Technique to improve Real-World Security , 1999 .

[3]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[4]  Serge Vaudenay,et al.  An Optimal Non-interactive Message Authentication Protocol , 2006, CT-RSA.

[5]  Steve Hanna Configuring Security Parameters in Small Devices , 2002 .

[6]  Nitesh Saxena,et al.  Efficient Device Pairing Using "Human-Comparable" Synchronized Audiovisual Patterns , 2008, ACNS.

[7]  Christian Gehrmann,et al.  Manual authentication for wireless devices , 2004 .

[8]  Michael K. Reiter,et al.  Seeing-is-believing: using camera phones for human-verifiable authentication , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[9]  Diana K. Smetters,et al.  Network-in-a-Box: How to Set Up a Secure Wireless Network in Under a Minute , 2004, USENIX Security Symposium.

[10]  A. Madhavapeddy,et al.  Using Camera-Phones to Enhance Human–Computer Interaction , 2004 .

[11]  Volker Roth,et al.  Simple and effective defense against evil twin access points , 2008, WiSec '08.

[12]  Diana K. Smetters,et al.  Talking to Strangers: Authentication in Ad-Hoc Wireless Networks , 2002, NDSS.

[13]  Michael Sirivianos,et al.  Loud and Clear: Human-Verifiable Authentication Based on Audio , 2006, 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).

[14]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[15]  Nitesh Saxena,et al.  Universal device pairing using an auxiliary device , 2008, SOUPS '08.

[16]  H. Nyquist,et al.  Certain Topics in Telegraph Transmission Theory , 1928, Transactions of the American Institute of Electrical Engineers.

[17]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[18]  Serge Vaudenay,et al.  Secure Communications over Insecure Channels Based on Short Authenticated Strings , 2005, CRYPTO.

[19]  L. Faulkner Beyond the five-user assumption: Benefits of increased sample sizes in usability testing , 2003, Behavior research methods, instruments, & computers : a journal of the Psychonomic Society, Inc.

[20]  Ersin Uzun,et al.  Usability Analysis of Secure Pairing Methods , 2007, Financial Cryptography.

[21]  E. Uzun,et al.  BEDA : Button-Enabled Device Association , 2007 .

[22]  Jaap-Henk Hoepman The Ephemeral Pairing Problem , 2004, Financial Cryptography.

[23]  N. Asokan,et al.  Secure device pairing based on a visual channel , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[24]  Claudio Soriente,et al.  HAPADEP: Human-Assisted Pure Audio Device Pairing , 2008, ISC.

[25]  Michael Rohs,et al.  USING CAMERA-EQUIPPED MOBILE PHONES FOR INTERACTING WITH REAL-WORLD OBJECTS , 2004 .