713 research outputs found
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and are driven by their particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis.The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication
Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate
devices. This requires a common hardware interface, which limits the use of
existing SDP systems. We propose to use short-range acoustic communication for
the initial pairing. Audio hardware is commonly available on existing
off-the-shelf devices and can be accessed from user space without requiring
firmware or hardware modifications. We improve upon previous approaches by
designing Acoustic Integrity Codes (AICs): a modulation scheme that provides
message authentication on the acoustic physical layer. We analyze their
security and demonstrate that we can defend against signal cancellation attacks
by designing signals with low autocorrelation. Our system can detect
overshadowing attacks using a ternary decision function with a threshold. In
our evaluation of this SDP scheme's security and robustness, we achieve a bit
error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise
ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on
Android smartphones, we demonstrate pairing between different smartphone
models.Comment: 11 pages, 11 figures. Published at ACM WiSec 2020 (13th ACM
Conference on Security and Privacy in Wireless and Mobile Networks). Updated
reference
FastZIP: Faster and More Secure Zero-Interaction Pairing
With the advent of the Internet of Things (IoT), establishing a secure
channel between smart devices becomes crucial. Recent research proposes
zero-interaction pairing (ZIP), which enables pairing without user assistance
by utilizing devices' physical context (e.g., ambient audio) to obtain a shared
secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1)
prolonged pairing time (i.e., minutes or hours), (2) vulnerability to
brute-force offline attacks on a shared key, and (3) susceptibility to attacks
caused by predictable context (e.g., replay attack) because they rely on
limited entropy of physical context to protect a shared key. We address these
limitations, proposing FastZIP, a novel ZIP scheme that significantly reduces
pairing time while preventing offline and predictable context attacks. In
particular, we adapt a recently introduced Fuzzy Password-Authenticated Key
Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their
advantages. We instantiate FastZIP for intra-car device pairing to demonstrate
its feasibility and show how the design of FastZIP can be adapted to other ZIP
use cases. We implement FastZIP and evaluate it by driving four cars for a
total of 800 km. We achieve up to three times shorter pairing time compared to
the state-of-the-art ZIP schemes while assuring robust security with
adversarial error rates below 0.5%.Comment: ACM MobiSys '21 - Code and data at:
https://github.com/seemoo-lab/fastzi
- …