Article in Press Pervasive and Mobile Computing ( ) – Pervasive and Mobile Computing a Comparative Study of Secure Device Pairing Methods

“Secure Device Pairing” is the process of bootstrapping a secure channel between two previously unassociated devices over a (usually wireless) human-imperceptible communication channel. Lack of prior security context and common trust infrastructure open the door for Man-in-the-Middle (also known as Evil Twin) attacks. Mitigation of these attacks requires user involvement in the device pairing process. Prior research yielded a number of interesting methods utilizing various auxiliary human-perceptible channels, e.g., visual, acoustic or tactile. These methods engage the user in authenticating information exchanged over human-imperceptible channels, thus mitigating MiTM attacks and forming the basis for secure pairing. We present the first comprehensive comparative evaluation of notable secure device pairing methods. Our results identify methods best-suited for a given combination of devices and human abilities. This work is both important and timely, since it sheds light on usability in one of the very few settings where a wide range of users (not just specialists) are confronted with security techniques.

[1]  Serge Vaudenay,et al.  SAS-Based Authenticated Key Agreement , 2006, Public Key Cryptography.

[2]  TsudikGene,et al.  A comparative study of secure device pairing methods , 2009 .

[3]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[4]  René Mayrhofer,et al.  Shake Well Before Use: Authentication Based on Accelerometer Data , 2007, Pervasive.

[5]  Arun Kumar,et al.  Caveat Emptor: A Comparative Study of Secure Device Pairing Methods , 2009, PerCom.

[6]  Frank Stajano,et al.  The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks , 1999, Security Protocols Workshop.

[7]  Serge Vaudenay,et al.  Secure Communications over Insecure Channels Based on Short Authenticated Strings , 2005, CRYPTO.

[8]  Sven Laur,et al.  Efficient Mutual Data Authentication Using Manually Authenticated Strings , 2006, CANS.

[9]  Bernt Schiele,et al.  Smart-Its Friends: A Technique for Users to Easily Establish Connections between Smart Artefacts , 2001, UbiComp.

[10]  Claudio Soriente,et al.  Using audio in secure device pairing , 2009, Int. J. Secur. Networks.

[11]  L. Faulkner Beyond the five-user assumption: Benefits of increased sample sizes in usability testing , 2003, Behavior research methods, instruments, & computers : a journal of the Psychonomic Society, Inc.

[12]  Tim Kindberg,et al.  Validating and Securing Spontaneous Associations between Wireless Devices , 2003, ISC.

[13]  Uwe Hansmann,et al.  Pervasive Computing , 2003 .

[14]  Carl M. Ellison,et al.  Public-key support for group collaboration , 2003, TSEC.

[15]  Kasper Hornbæk,et al.  Measuring usability: are effectiveness, efficiency, and satisfaction really correlated? , 2000, CHI.

[16]  Michael Sirivianos,et al.  Loud and Clear: Human-Verifiable Authentication Based on Audio , 2006, 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06).

[17]  Srdjan Capkun,et al.  Key Agreement in Peer-to-Peer Wireless Networks , 2006, Proceedings of the IEEE.

[18]  A Min Tjoa,et al.  First International Conference on Availability, Reliability and Security (ARES´06) , 2006 .

[19]  Ersin Uzun,et al.  Usability Analysis of Secure Pairing Methods , 2007, Financial Cryptography.

[20]  E. Uzun,et al.  BEDA : Button-Enabled Device Association , 2007 .

[21]  Diana K. Smetters,et al.  Talking to Strangers: Authentication in Ad-Hoc Wireless Networks , 2002, NDSS.

[22]  M. Weiser,et al.  Hot topics-ubiquitous computing , 1993 .

[23]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[24]  René Mayrhofer,et al.  A Human-Verifiable Authentication Protocol Using Visible Laser Light , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[25]  N. Asokan,et al.  Secure device pairing based on a visual channel , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[26]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[27]  Erik Frekjmr,et al.  Measuring Usability: Are Effectiveness, Efficiency, and Satisfaction Really Correlated? , 2000 .

[28]  Dawn Song,et al.  Hash Visualization: a New Technique to improve Real-World Security , 1999 .

[29]  Claudio Soriente,et al.  HAPADEP: Human-Assisted Pure Audio Device Pairing , 2008, ISC.

[30]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[31]  Markus Jakobsson,et al.  Security Weaknesses in Bluetooth , 2001, CT-RSA.

[32]  Christian Gehrmann,et al.  Manual authentication for wireless devices , 2004 .

[33]  Michael K. Reiter,et al.  Seeing-is-believing: using camera phones for human-verifiable authentication , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[34]  Arto Salomaa,et al.  Public-Key Cryptography , 1991, EATCS Monographs on Theoretical Computer Science.

[35]  Diana K. Smetters,et al.  Network-in-a-Box: How to Set Up a Secure Wireless Network in Under a Minute , 2004, USENIX Security Symposium.

[36]  Jacob Cohen,et al.  Applied multiple regression/correlation analysis for the behavioral sciences , 1979 .

[37]  Nitesh Saxena,et al.  Automated Device Pairing for Asymmetric Pairing Scenarios , 2008, ICICS.

[38]  N. Asokan,et al.  Security Associations in Personal Networks: A Comparative Analysis , 2007, ESAS.

[39]  Nitesh Saxena,et al.  Efficient Device Pairing Using "Human-Comparable" Synchronized Audiovisual Patterns , 2008, ACNS.

[40]  Volker Roth,et al.  Simple and effective defense against evil twin access points , 2008, WiSec '08.