Checksum gestures: continuous gestures as an out-of-band channel for secure pairing

We propose the use of a single continuous gesture as a novel, intuitive, and efficient mechanism to authenticate a secure communication channel. Our approach builds on a novel algorithm for encoding authentication information (at least 20 bits) as a single continuous gesture, referred to as a checksum gesture. By asking the user to perform the generated gesture, a secure channel can be authenticated. Results from a controlled user experiment (N = 13 participants, 1022 trials) demonstrate the feasibility of our technique, showing a success rate of over 90% in establishing a secure communication channel despite relying on complex gesture patterns. The authentication times of our method are over three times faster than those of previous gesture-based solutions. The average execution time of a gesture is 5.7 seconds in our study, which is comparable to the input time of conventional text-input-based PIN authentication. Our approach is particularly well suited to scenarios involving wearable devices that lack conventional input capabilities, e.g., pairing a smartwatch with an interactive display.
