956 research outputs found
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and are driven by their particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis.The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
Securing Cyber-Physical Social Interactions on Wrist-worn Devices
Since ancient Greece, handshaking has been commonly practiced between two people as a friendly gesture to express trust and respect, or form a mutual agreement. In this article, we show that such physical contact can be used to bootstrap secure cyber contact between the smart devices worn by users. The key observation is that during handshaking, although belonged to two different users, the two hands involved in the shaking events are often rigidly connected, and therefore exhibit very similar motion patterns. We propose a novel key generation system, which harvests motion data during user handshaking from the wrist-worn smart devices such as smartwatches or fitness bands, and exploits the matching motion patterns to generate symmetric keys on both parties. The generated keys can be then used to establish a secure communication channel for exchanging data between devices. This provides a much more natural and user-friendly alternative for many applications, e.g., exchanging/sharing contact details, friending on social networks, or even making payments, since it doesnât involve extra bespoke hardware, nor require the users to perform pre-defined gestures. We implement the proposed key generation system on off-the-shelf smartwatches, and extensive evaluation shows that it can reliably generate 128-bit symmetric keys just after around 1s of handshaking (with success rate >99%), and is resilient to different types of attacks including impersonate mimicking attacks, impersonate passive attacks, or eavesdropping attacks. Specifically, for real-time impersonate mimicking attacks, in our experiments, the Equal Error Rate (EER) is only 1.6% on average. We also show that the proposed key generation system can be extremely lightweight and is able to run in-situ on the resource-constrained smartwatches without incurring excessive resource consumption
FastZIP: Faster and More Secure Zero-Interaction Pairing
With the advent of the Internet of Things (IoT), establishing a secure
channel between smart devices becomes crucial. Recent research proposes
zero-interaction pairing (ZIP), which enables pairing without user assistance
by utilizing devices' physical context (e.g., ambient audio) to obtain a shared
secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1)
prolonged pairing time (i.e., minutes or hours), (2) vulnerability to
brute-force offline attacks on a shared key, and (3) susceptibility to attacks
caused by predictable context (e.g., replay attack) because they rely on
limited entropy of physical context to protect a shared key. We address these
limitations, proposing FastZIP, a novel ZIP scheme that significantly reduces
pairing time while preventing offline and predictable context attacks. In
particular, we adapt a recently introduced Fuzzy Password-Authenticated Key
Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their
advantages. We instantiate FastZIP for intra-car device pairing to demonstrate
its feasibility and show how the design of FastZIP can be adapted to other ZIP
use cases. We implement FastZIP and evaluate it by driving four cars for a
total of 800 km. We achieve up to three times shorter pairing time compared to
the state-of-the-art ZIP schemes while assuring robust security with
adversarial error rates below 0.5%.Comment: ACM MobiSys '21 - Code and data at:
https://github.com/seemoo-lab/fastzi
- âŠ