Evaluation of Out-of-Band Channels for IoT Security

Secure bootstrapping is the process by which a device gets the necessary configuration information and security credentials to become operational. In many pervasive computing and Internet-of-Things scenarios, it is not possible to rely on the existence of a trusted third party or other network infrastructure for bootstrapping. Therefore, several device bootstrapping protocols rely on an out-of-band (OOB) channel for initial device authentication and configuration. We begin this paper by examining the need for OOB channels and surveying existing standards and devices that rely on them. We then look at one candidate bootstrapping protocol: Nimble out-of-band authentication for EAP (EAP-NOOB). We provide a brief overview of the EAP-NOOB protocol and describe its unique OOB channel requirements. Thereafter, we implement three OOB channels for EAP-NOOB using near-field communication, quick response codes, and sound. Using our implementation, we evaluate the usability, security, benefits, and limitations of each of the OOB channels.
