Secure communications over insecure channels based on short authenticated strings

We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on short authenticated strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. BIuetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupte

MobileCA: Accumulative Secure Group Association with a Certification Path

AbstractIn recent years, there has been growing interest in secure pairing, which refers to the establishment of a secure connection between two mobile devices. Many published studies have described the various types of out-of-band (OOB) channels through which authentication data can be transferred with user control and involvement. However, there has been little discussion of setting up secure connections between groups of mobile devices. Some security protocols have been proposed, but they have tended to focus on a scenario whereby all devices must be located in one place to perform the association.In this paper, we describe a new group association method, called MobileCA. Our method is designed for a broader range of scenarios and does not require all devices to be in one place at one time. MobileCA extends the OOB channel concept and utilizes digital certification. We have implemented a prototype system using smart phone handsets

Practical Unconditionally Secure Two-channel Message Authentication

We investigate unconditional security for message authentication protocols that are designed using two-channel cryptography. We look at both noninteractive message authentication protocols (NIMAPs) and interactive message authentication protocols (IMAPs). We provide a new proof of nonexistence of nontrivial unconditionally secure NIMAPs. This proof consists of a combinatorial counting argument and is much shorter than the previous proof by Wang et al., which was based on probability distribution arguments. Further, we propose a generalization of an unconditionally secure 3-round IMAP due to Naor, Segev and Smith. With a careful choice of parameters, our scheme improves that of Naor et al. Our scheme is very close to optimal for most parameter situations of practical interest.

Security Analysis of Olvid's SAS-based Trust Establishment Protocol

In this report, we analyze the security of the trust establishment protocol used in the Olvid messaging protocol. The latter relies on the PV-SAS-MCA message cross-authentication protocol by Pasini an Vaudenay based on short authenticated strings (SAS). In order to make the implementation portable across different platforms, Olvid proposed particular instantiations of the underlying primitives used in PV-SAS-MCA in addition to some other minor modifications. Here, we show that these changes have no impact on the security of the scheme. More precisely, we formally prove that the trust establishment protocol used in Olvid is a secure message cross-authentication protocol. The proof of security is in the random-oracle model and relies on the security of the underlying pseudorandom generator. It also assumes users know each other and have an authentic channel between them

Key Generation in Wireless Sensor Networks Based on Frequency-selective Channels - Design, Implementation, and Analysis

Key management in wireless sensor networks faces several new challenges. The scale, resource limitations, and new threats such as node capture necessitate the use of an on-line key generation by the nodes themselves. However, the cost of such schemes is high since their secrecy is based on computational complexity. Recently, several research contributions justified that the wireless channel itself can be used to generate information-theoretic secure keys. By exchanging sampling messages during movement, a bit string can be derived that is only known to the involved entities. Yet, movement is not the only possibility to generate randomness. The channel response is also strongly dependent on the frequency of the transmitted signal. In our work, we introduce a protocol for key generation based on the frequency-selectivity of channel fading. The practical advantage of this approach is that we do not require node movement. Thus, the frequent case of a sensor network with static motes is supported. Furthermore, the error correction property of the protocol mitigates the effects of measurement errors and other temporal effects, giving rise to an agreement rate of over 97%. We show the applicability of our protocol by implementing it on MICAz motes, and evaluate its robustness and secrecy through experiments and analysis.Comment: Submitted to IEEE Transactions on Dependable and Secure Computin