DOI: 10.1145/1572532.1572546
research-article

Serial hook-ups: a comparative usability study of secure device pairing methods

Published: 15 July 2009

ABSTRACT

Secure Device Pairing is the bootstrapping of secure communication between two previously unassociated devices over a wireless channel. The human-imperceptible nature of wireless communication, lack of any prior security context, and absence of a common trust infrastructure open the door for Man-in-the-Middle (aka Evil Twin) attacks. A number of methods have been proposed to mitigate these attacks, each requiring user assistance in authenticating information exchanged over the wireless channel via some human-perceptible auxiliary channels, e.g., visual, acoustic or tactile.

In this paper, we present results of the first comprehensive and comparative study of eleven notable secure device pairing methods. Usability measures include: task performance times, ratings on System Usability Scale (SUS), task completion rates, and perceived security. Study subjects were controlled for age, gender and prior experience with device pairing. We present overall results and identify problematic methods for certain classes of users as well as methods best-suited for various device configurations.


Published in

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009
205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Copyright © 2009 Copyright held by the author/owner.

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

SOUPS '09 Paper Acceptance Rate: 15 of 49 submissions, 31%. Overall Acceptance Rate: 15 of 49 submissions, 31%.
