A Scalable Transitive Human-Verifiable Authentication Protocol for Mobile Devices

The man-in-the-middle (MITM) attack is the major threat when handheld devices that share no prior secret try to agree on a session key, even if the devices are physically located in the same place. Apart from insecurely typing passwords into handheld devices or comparing long hexadecimal keys displayed on the devices' screens, many other human-verifiable protocols have been proposed in the literature to solve the problem. Unfortunately, most of these schemes do not scale to more users: even when only three entities attempt to agree on a session key, these protocols need to be rerun three times. In this paper, we present a bipartite and a tripartite authentication protocol using a temporary confidential channel. We further extend the system into a transitive authentication protocol that allows multiple handheld devices to establish a conference key securely and efficiently. In addition, we provide a formal proof of our protocol to demonstrate that the scheme is indeed secure. We also implement a prototype of the system on a mobile phone with satisfactory performance.
