T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices

Secure pairing is key to the trustworthy deployment and use of Internet of Things (IoT) devices. However, IoT devices lack conventional user interfaces such as keyboards and displays, which makes many traditional pairing approaches inapplicable. Proximity-based pairing approaches are highly usable but can be exploited by co-located malicious devices. Approaches based on a user's physical operations on IoT devices are more secure, but typically require inertial sensors, which many devices lack. A pairing approach that is both secure and usable across heterogeneous IoT devices still does not exist. We develop a technique, Universal Operation Sensing, which allows an IoT device to sense the user's physical operations on it without requiring inertial sensors. With this technique, a user holding a smartphone or wearing a wristband can finish pairing in seconds through very simple operations, e.g., pressing a button or twisting a knob. Moreover, we reveal an inaccuracy issue in the original fuzzy commitment scheme and propose faithful fuzzy commitment to resolve it. We design a pairing protocol using faithful fuzzy commitment and build a prototype system named Touch-to-Pair (T2Pair, for short). A comprehensive evaluation shows that it is secure and usable.
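The abstract builds the pairing protocol on fuzzy commitment, the Juels-Wattenberg construction in which a noisy witness (here, the two devices' independent recordings of the same button presses or knob twists) is bound to a random codeword of an error-correcting code, so that a second witness within the code's correction radius can reopen the commitment while a distant one cannot. The following is an added example, not code from the T2Pair paper or its prototype: it implements the original fuzzy commitment scheme over a toy 5-fold repetition code with SHA-256 as the commitment hash, and the secret, witness and flipped bit positions are constructed sample data. It does not implement the paper's faithful fuzzy commitment, whose fix the abstract does not describe.

```python
import hashlib

REP = 5                       # each secret bit is repeated REP times in the codeword
TOLERANCE = (REP - 1) // 2    # flips tolerated per REP-bit block before majority decoding fails

# Constructed sample data for the example (not from the paper): an 8-bit secret
# and a 40-bit witness standing in for one device's sensed operation pattern.
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]
WITNESS = [int(b) for b in "1011001110" * 4]


def encode(secret_bits):
    """Repetition code: codeword c is each secret bit repeated REP times."""
    return [b for b in secret_bits for _ in range(REP)]


def decode(codeword_bits):
    """Majority decode each REP-bit block; returns (secret_bits, re-encoded codeword)."""
    secret = []
    for i in range(0, len(codeword_bits), REP):
        block = codeword_bits[i:i + REP]
        secret.append(1 if sum(block) > REP // 2 else 0)
    return secret, encode(secret)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def sha256_bits(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()


def commit(witness, secret_bits):
    """Commit to witness w with codeword c = encode(secret): publish (H(c), w xor c).
    The committer later derives the shared key from the secret (or from c)."""
    c = encode(secret_bits)
    if len(c) != len(witness):
        raise ValueError("witness length must equal codeword length")
    return sha256_bits(c), xor(witness, c)


def decommit(commitment, witness_prime):
    """Open with a noisy witness w': (w xor c) xor w' = c xor (w xor w').
    Decoding removes the noise if every block has <= TOLERANCE flips; the hash
    check rejects any opening whose corrected codeword differs from c."""
    h, delta = commitment
    secret, c_hat = decode(xor(delta, witness_prime))
    return secret if sha256_bits(c_hat) == h else None


def flip(bits, positions):
    out = bits[:]
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Returns (recovered secret with tolerable noise, result with too much noise)."""
    commitment = commit(WITNESS, SECRET)
    # One flipped bit in each of three different blocks: within tolerance.
    close_witness = flip(WITNESS, [0, 6, 13])
    # Three flipped bits inside one block: majority decoding yields a wrong bit,
    # so the recomputed hash does not match and the opening is rejected.
    far_witness = flip(WITNESS, [0, 1, 2])
    return decommit(commitment, close_witness), decommit(commitment, far_witness)


if __name__ == "__main__":
    ok, rejected = demo()
    print("close witness recovered:", ok == SECRET)
    print("far witness rejected:", rejected is None)
```

The commitment value w xor c is public, so the scheme hides the secret only to the extent that the witness has min-entropy beyond the redundancy the code reveals; a repetition code and an 8-bit secret are chosen here for readability, and a real deployment needs a code and witness length sized so that a co-located attacker guessing the operation pattern cannot enumerate the codeword space.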
