Commitment-based device pairing with synchronized drawing

Secure device pairing is a widely studied problem. Local wireless connections such as Bluetooth and WiFi typically rely on user-entered secret keys or manually verified authentication codes. Several recent proposals replace these with contextual or location-dependent sensor inputs, which are assumed to be secret from anyone not present at the location where the pairing takes place. These protocols have to cope with a fuzzy secret, i.e. noisy secret input that differs between the devices. In this paper, we overview such protocols and propose a new variation using time-based opening of commitments. Our protocol has the advantage of treating the fuzzy secret as one piece of data rather than requiring it to be partitioned into time intervals, and being more robust against variations in input entropy than those based on error correction codes. The protocol development is motivated by the discovery of a novel human source for the fuzzy secret: synchronized drawing with two fingers of the same hand on two touch screens or surfaces. Metrics for measuring the distance between the drawings are described and evaluated. We implement a prototype of this surprisingly simple and natural pairing mechanism and show that it accurately differentiates between true positives and man-in-the-middle attackers.
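The sketch below illustrates the idea of committing to the whole fuzzy secret and opening it only after a deadline; it is an added example, not the paper's protocol or prototype code. The hash commitment, the logical timestamps, the mean point distance metric, the threshold value and all names are assumptions made for illustration.

```python
import hashlib, hmac, json, math, os

THRESHOLD = 5.0  # assumed acceptance threshold in pixels, not a value from the paper

def commit(pubkey, drawing):
    """Bind a public key to the whole drawing; returns (commitment, opening)."""
    opening = json.dumps({"nonce": os.urandom(16).hex(), "key": pubkey, "drawing": drawing})
    return hashlib.sha256(opening.encode()).hexdigest(), opening

def mean_distance(a, b):
    """Assumed metric: mean Euclidean distance between equally sampled points."""
    if not a or len(a) != len(b):
        return math.inf
    return sum(math.dist(p, q) for p, q in zip(a, b)) / len(a)

def verify_peer(commitment, received_at, opening, own_drawing, opened_at):
    """Return the peer's key if it was committed in time and the drawings match."""
    if received_at >= opened_at:  # commitment arrived after our drawing was revealed
        return None
    digest = hashlib.sha256(opening.encode()).hexdigest()
    if not hmac.compare_digest(digest, commitment):  # opening is not what was committed
        return None
    msg = json.loads(opening)
    if mean_distance(msg["drawing"], own_drawing) > THRESHOLD:
        return None
    return msg["key"]

def demo():
    # Constructed sample traces: two fingers of one hand, offset by sensor noise.
    alice = [[10 * i, 5 * i] for i in range(8)]
    bob = [[x + 1, y - 1] for x, y in alice]
    guess = [[80 - 10 * i, 40] for i in range(8)]  # a party that did not see the drawing
    opened_at = 2  # logical time at which Alice reveals her opening
    c_bob, o_bob = commit("bob-key", bob)
    c_guess, o_guess = commit("mitm-key", guess)
    c_late, o_late = commit("mitm-key", alice)  # copied from Alice's opening, too late
    return {
        "honest": verify_peer(c_bob, 1, o_bob, alice, opened_at),
        "guessed": verify_peer(c_guess, 1, o_guess, alice, opened_at),
        "late": verify_peer(c_late, 3, o_late, alice, opened_at),
        "swapped": verify_peer(c_guess, 1, o_late, alice, opened_at),
    }

if __name__ == "__main__":
    print(demo())
```

Only the honest peer's key is accepted: a key bound to a guessed drawing fails the distance check, one committed after the opening fails the timing check, and an opening that differs from the committed one fails the hash check.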
