15 research outputs found
Lights, Camera, Action! Exploring Effects of Visual Distractions on Completion of Security Tasks
Human errors in performing security-critical tasks are typically blamed on
the complexity of those tasks. However, such errors can also occur because of
(possibly unexpected) sensory distractions. A sensory distraction that produces
negative effects can be abused by the adversary that controls the environment.
Meanwhile, a distraction with positive effects can be artificially introduced
to improve user performance.
The goal of this work is to explore the effects of visual stimuli on the
performance of security-critical tasks. To this end, we experimented with a
large number of subjects who were exposed to a range of unexpected visual
stimuli while attempting to perform Bluetooth Pairing. Our results clearly
demonstrate substantially increased task completion times and markedly lower
task success rates. These negative effects are noteworthy, especially, when
contrasted with prior results on audio distractions which had positive effects
on performance of similar tasks. Experiments were conducted in a novel (fully
automated and completely unattended) experimental environment. This yielded
more uniform experiments, better scalability and significantly lower financial
and logistical burdens. We discuss this experience, including benefits and
limitations of the unattended automated experiment paradigm
Use Your Words: Designing One-time Pairing Codes to Improve User Experience
The Internet of Things is connecting an ever-increasing number
of devices. These devices often require access to personal
information, but their meagre user interfaces usually do not
permit traditional modes of authentication. On such devices,
one-time pairing codes are often used instead. This pairing
process can involve transcribing randomly generated alphanumeric
codes, which can be frustrating, slow and error-prone.
In this paper, we present an improved pairing method that uses
sets of English words instead of random strings. The word
method, although longer in terms of character length, allows
users to pair devices more quickly, whilst still maintaining the
complexity necessary for secure interactions
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and are driven by their particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis.The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
AEROKEY: Using Ambient Electromagnetic Radiation for Secure and Usable Wireless Device Authentication
Wireless connectivity is becoming common in increasingly diverse personal devices, enabling various interoperation- and Internet-based applications and services. More and more interconnected devices are simultaneously operated by a single user with short-lived connections, making usable device authentication methods imperative to ensure both high security and seamless user experience. Unfortunately, current authentication methods that heavily require human involvement, in addition to form factor and mobility constraints, make this balance hard to achieve, often forcing users to choose between security and convenience. In this work, we present a novel over-the-air device authentication scheme named AEROKEY that achieves both high security and high usability. With virtually no hardware overhead, AEROKEY leverages ubiquitously observable ambient electromagnetic radiation to autonomously generate spatiotemporally unique secret that can be derived only by devices that are closely located to each other. Devices can make use of this unique secret to form the basis of a symmetric key, making the authentication procedure more practical, secure and usable with no active human involvement. We propose and implement essential techniques to overcome challenges in realizing AEROKEY on low-cost microcontroller units, such as poor time synchronization, lack of precision analog front-end, and inconsistent sampling rates. Our real-world experiments demonstrate reliable authentication as well as its robustness against various realistic adversaries with low equal-error rates of 3.4% or less and usable authentication time of as low as 24 s
A proof-of-proximity framework for device pairing in ubiquitous computing environments
Ad hoc interactions between devices over wireless networks in ubiquitous
computing environments present a security problem: the generation of shared secrets
to initialize secure communication over a medium that is inherently vulnerable to
various attacks. However, these ad hoc scenarios also offer the potential for physical
security of spaces and the use of protocols in which users must visibly demonstrate
their presence and/or involvement to generate an association. As a consequence,
recently secure device pairing has had significant attention from a wide community of
academic as well as industrial researchers and a plethora of schemes and protocols
have been proposed, which use various forms of out-of-band exchange to form an
association between two unassociated devices. These protocols and schemes have
different strengths and weaknesses – often in hardware requirements, strength against
various attacks or usability in particular scenarios. From ordinary user‟s point of
view, the problem then becomes which to choose or which is the best possible scheme
in a particular scenario.
We advocate that in a world of modern heterogeneous devices and
requirements, there is a need for mechanisms that allow automated selection of the
best protocols without requiring the user to have an in-depth knowledge of the
minutiae of the underlying technologies. Towards this, the main argument forming the
basis of this dissertation is that the integration of a discovery mechanism and several
pairing schemes into a single system is more efficient from a usability point of view
as well as security point of view in terms of dynamic choice of pairing schemes. In
pursuit of this, we have proposed a generic system for secure device pairing by
demonstration of physical proximity. Our main contribution is the design and
prototype implementation of Proof-of-Proximity framework along with a novel Co-
Location protocol. Other contributions include a detailed analysis of existing device
pairing schemes, a simple device discovery mechanism, a protocol selection
mechanism that is used to find out the best possible scheme to demonstrate the
physical proximity of the devices according to the scenario, and a usability study of
eight pairing schemes and the proposed system
NFC and mobile payments today
Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011NFC (Near Field Communication) e pagamentos móveis são duas áreas que se tornaram muito populares ultimamente, ambas duplicaram o seu índice de volume de pesquisas medido pelo Google Trends no último ano. NFC é uma tecnologia de comunicação sem fios já disponível em alguns telemóveis, sendo que mais estão anunciados para breve, e os pagamentos móveis são um serviço cuja utilização se espera que cresça a um ritmo bastante acelerado nos próximos anos. Este crescimento já foi previsto antes, e as expectativas saíram goradas, mas pensa-se que a NFC seja a tecnologia que vai trazer os pagamentos móveis às massas. Esta tese foca-se nestas duas áreas e em como a NFC pode ser útil num protocolo para executar pagamentos móveis nos dias de hoje. Para isto, um novo protocolo chamado mTrocos é apresentado. Este possui várias características desejáveis tais como anonimato, alta segurança, boa usabilidade, a não dependência de bancos ou instituições financeiras tradicionais, o suporte para micro-pagamentos e não requer nenhum hardware especial. O seu desenho é baseado no conceito de dinheiro digital e em protocolos de estabelecimento de chaves ad-hoc. Estes últimos são úteis visto que a NFC é um meio sem fios que não oferece nenhuma segurança de raiz para além do seu curto alcance. É detalhada uma prova de conceito da implementação usando um telefone com o sistema operativo Android e um leitor NFC de secretária, provando que ela funciona usando apenas hardware comum disponível actualmente. No entanto, a API (Application Programming Interface) de NFC do Android revelou-se limitada, o que influenciou o desenho do mTrocos, e o impediu de fazer uso apenas da NFC para a troca das suas mensagens. Como parte da avaliação do protocolo, foram feitos testes com utilizadores que mostram que o mTrocos é fácil de usar e que é indicado para o cenário pensado: máquinas de venda automática. Outra conclusão a que se pode chegar é que a NFC é uma tecnologia que melhora a experiência de utilização e que vai ser de grande utilidade para o crescimento dos pagamentos móveis.NFC (Near Field Communication) and mobile payments are two areas that have received a significant amount of attention lately. NFC is a wireless communication technology already available on some mobile phones, with more to come in the near future, and mobile payments are a service whose usage is expected to grow at a significant rate in the coming years. This growth has been predicted before, and expectations have been let down, but NFC is thought to be the technology that will bring mobile payments to the masses. This thesis is focused on these two areas and how NFC can be of use in a protocol to conduct mobile payments. For this, a new protocol called mTrocos is presented that possesses several desirable characteristics such as anonymity, high security, good usability, unbanked, support for micropayments and no special hardware requirements. Its design is based on digital money concepts and ad-hoc key establishment protocols. The latter are useful because NFC is a wireless medium and offers no built-in security other than its limited range. A proof-of-concept implementation with an Android phone and a desktop NFC reader is detailed, proving that it works using only commodity equipment currently available. However, Android’s NFC API (Application Programming Interface) was found to be limited, which influenced the design of mTrocos, preventing it from relying only on NFC for the exchange of the messages. As part of the protocol’s evaluation, user tests were conducted which show that mTrocos is easy to use and that it is suited to the envisaged scenario: vending machines. Another conclusion is that NFC is a technology that improves the user experience and will be of great help for the growth of mobile payments