Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
2009-03-02 Authenticating Spontaneous Interactions
1
Ubiquitous Computing Security:Authenticating Spontaneous Interactions
Habilitation Thesis (Sammelhabilitation)
2. March 2009, 9:30Habilitation Colloquium
Rene Mayrhofer
2009-03-02 Authenticating Spontaneous Interactions
2
The most profound technologies are those that disappear. They
weave themselves into the fabric of everyday life until they are
indistinguishable from it.
Mark Weiser, 1991, „The Computer for the 21st Century“
2009-03-02 Authenticating Spontaneous Interactions
3
Any sufficiently advanced technology is indistinguishable
from magic.
Arthur C. Clarke, 1973, „Profiles of the Future“
2009-03-02 Authenticating Spontaneous Interactions 4
Spontaneous interaction to do it now
Core topic of Pervasive/Ubiquitous and Mobile Computing:
use of service when and where it is most appropriate
● everywhere, anytime
● triggered by the user or automatically
● highly dependent on the specific situation
Interaction that can happen spontaneously without administrative overhead
● Spontaneous as in “unplanned”: encounters, opportunities, serendipity ● Spontaneous as in “self-acting”: operation out of the box, “plug and play”
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 5
Ubiquitous Computing – Everything new?
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 6
Wireless communication
Small, mobile devices
● limited user interfaces
● limited resources (run time!)
Many devices
● integrated with/into physical objects
● communicate among each other
● communicate with the user
Sensing
⇒ (mobile and stationary) devices and communication become more and moreinvisible, unobservable and uncontrollable
Ubiquitous Computing – Everything new?
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions
7
We already have too many fast, insecure systems. Let's design future systems to be secure, even if that makes them slower.
2009-03-02 Authenticating Spontaneous Interactions 8
What is this all about?
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
Securing communication
● between mobile (and/or stationary) devices
● that are under direct user control or human-verifiable
● for a specific interaction
⇒ associating with THIS device
Example applications
● Bluetooth headset
● printer in airport lounge
● projector in conference room
● Vcard exchange
● micro payment
● ...
2009-03-02 Authenticating Spontaneous Interactions 9
The “don't get in my way” principle
User chooses communication partner / service:
● Intention to interact
● creates reference
Everything else should happen automatically!
⇒ no additional steps to choose appropriate communication parameters
⇒ no additional steps “just for security”
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 10
Security for Ubiquitous Computing
Security for whom?
● user
● mobile device
● used service
How much security?
Specific issues of security for ubiquitous / mobile computing
● wireless communication
● user interfaces
● scalability
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 11
Research area structuring 1: Three issues
Specific issues of security for spontaneous interaction:
● wireless communication
● user interfaces
● scalability
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 12
Main issue 1: Wireless communication is insecure
● Potential attacker can
– eavesdrop
– modify
– remove
– insert
● Especially problematic for spontaneous interaction: no a priori information about communication partners available
⇒ User is the only instance that can decide upon trust needs to establish shared secret between devices
Wireless communication
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 13
Secret key exchange over wireless channels
● Can use Diffie-Hellman (DH) for key agreement
● Problem of Man-in-the-Middle (MITM) attacks:
⇒ Secret keys need to be authenticated
Why is wireless a problem?
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 14
Options for authentication
● Entering PINs (e.g. Bluetooth), passwords (e.g. WEP/WPA)
● Verifying hashes of public keys (e.g. web site certificates)
Main issue 2: Lack of powerful user interfaces
● A headset doesn't have a classical user interface (display + keypad)
User interfaces
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 15
Main issue 3: User attention does not scale
● Vision of ubiquitous computing: using hundreds of services each day, seamlessly embedded into daily live, spontaneous usage, different realms of control
● Who would like to enter passwords or biometric data into each of them?
And somebody needs to do it...
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 16
● Security for whom and how much?
● Mobile devices
– attacker may have physical access to device
– losing devices ⇒ losing keys/access/money? (revocation issues)
– different security levels of environment
● Privacy
– which sensors record what about whom, when, and who has access?
– what can a personal, trusted, mobile device reveal about its owner?
● Physical replacement, matching physical with virtual entities
● Understanding how the whole system works (mental models)
What else is difficult?
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 17
Approach: Trusting your mobile phone
● Intuitive alternative to direct user authentication: a trusted personal device that authenticates its user once (e.g. when being switched on) and is assumed to be owned and used by a single user:
– comparable to conventional key chain
– mobile phone, wrist watch, etc.
● Important: personal device device may be trusted, but wireless connections are not
● Authentication is thus shifted from user-to-device to device-to-device
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 18
Research area structuring 2: Model
Main threat scenario: MITM on wireless communication channel
– all parties have full access to the wireless (in-band) channel
– intended communication partners (A and B) share some context (out-of-band)
– attacker (E) has inferior access to this context
– respective aspect of context represented by sensor data streams ⇒ shared (weakly) secret information
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 19
Security properties of out-of-band channels
Verification of wireless communication over out-of-band (auxiliary) channels
● confidentiality
● complete (human-verifiable) authenticity
● partial (non-user-verifiable) authenticity
● integrity
● stall-freeness
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 20
Taxonomy of security properties
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 21
Taxonomy of user interaction
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels
2009-03-02 Authenticating Spontaneous Interactions 22
Spatial References:
verifiable by the user and the device – both can come to the same conclusions as to
which device they are interacting with
[MGH 2007] R. Mayrhofer, H. Gellersen, M.Hazas: “Security by spatial reference: Using relative positioning to authenticate devices for spontaneous interaction”, Ubicomp 2007
[MaGe 2007a] R. Mayrhofer, H. Gellersen: “On the security of ultrasound as out-of-band channel”, IPDPS 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
Security by Spatial Reference
2009-03-02 Authenticating Spontaneous Interactions 23
● Ultrasound signals travel comparatively slowly in air ⇒ possible to measure time of flight ⇒ distance estimation
● Angle-of-arrival estimation using multiple receivers difficult based on relative time of arrival
● Angle-of-arrival estimation based on relative signal strengths works in practice
Quantitative measurements with ultrasound
Relate:● <10 cm accuracy for
distance measurements● ~33° accuracy for local
angle-of-arrival● without infrastructure● implemented as USB
dongles + Java host software
[HKG+ 2005] G. Kortuem, C. Kray, H. Gellersen: “Sensing and visualizing spatial relations of positioning system for co-located mobile devices”, In: Proc. MobiSys 2005
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 24
Noise in US measurements
● leads to authentication failures without attack (false negatives)
● can be improved with re-transmits
Ultrasonic authentication in practice
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 25
General assumption: all wireless attacks possible
● E0 outside room: only RF, no US
● E1 in room: E0 + US eavesdropping, insert own messages
● E2 equidistant positions: E1 + US correct distance measurements
● E3 in line: E1 + US correct angle measurements from A
● E4 in between: R3 + US correct angle measurements from A and B
Threats depending on attacker position
[MG 2007] R. Mayrhofer, H. Gellersen: “On the security of ultrasound as out-of-band channel”, in Proc. IPDPS 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 26
● Replacement: DoS attack on B, E3 or E4 misrepresented as Bno interaction between A and B
● Asynchronous MITM: replacement, then interaction between E and Bapplication-level interaction between A and B with delay
● Synchronous MITM: full attack, only possible as E4
Difficult when:
● A and B are mobile
● B positioned so as to make E3 impossible
Threats depending on applications
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
[MGH 2007] R. Mayrhofer, H. Gellersen, M.Hazas: “Security by spatial reference: Using relative positioning to authenticate devices for spontaneous interaction”, Ubicomp 2007
2009-03-02 Authenticating Spontaneous Interactions 27
Visible laser channel as intuitive means of selecting THIS device
But, in contrast to previous assumptions:
● Laser channel is not confidential
attacker can read
● Laser channel is not completely authentic ⇒ “semi-authentic”
attacker can modify (add but not subtract)
Visible laser for authentication
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
[MaWe 2007] R. Mayrhofer, M. Welch: “A human-verifiable authentication protocol using visible laser light”, ARES 2007
2009-03-02 Authenticating Spontaneous Interactions 28
Sender
● Prototype with pulsed laser based on iMote1 (ARM7, 12 MHz) and TinyOS
Receiver
● Prototype for connecting to standard serial port based on photo resistor and simple high-pass and thresholding
Protocol
● DH key agreement and verification
● continuous stream of nonces over laser with double commitments over wireless
Prototype implementation
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
[MaWe 2007] R. Mayrhofer, M. Welch: “A human-verifiable authentication protocol using visible laser light”, ARES 2007
2009-03-02 Authenticating Spontaneous Interactions 29
Shaking as shared context
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
Shaking is common movement
● both (all) devices will experience very similar movement patterns
● both (all) devices will experience very similar accelerations
Acceleration is a local physical phenomenon
⇒ difficult for an attacker (MITM) to estimate or replicate
● Not used for identifying users, only as shared context!
[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[May 2007c] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”, ESAS 2007
2009-03-02 Authenticating Spontaneous Interactions 30
Shaking is
● intuitive
● vigorous
● varying
Accelerometers are
● small
● cheap
● (relatively) power-efficient
Reasons for using shaking
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[May 2007c] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”, ESAS 2007
2009-03-02 Authenticating Spontaneous Interactions 31
„Shake well before use“ in products
● J2ME: MIDP2.0 and CLDC1.1
● Bluetooth with JSR82
● multiple off-the-shelf platforms(Nokia 5500, Nokia N95, Samsung Omnia i900, HTC Touch Diamond)
⇒ improvements in sensor data analysis
⇒ challenges due to integer processing
⇒ “opportunistic” key agreement
⇒ current contacts with Nokia
⇒ European patent applications submitted
[MaGe 2007c] R. Mayrhofer, H. Gellersen: “Shake well before use: two implementations for implicit context authentication”, Ubicomp 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 32
What if devices can not share context?
[May 2006] R. Mayrhofer: “A context authentication proxy for IPSec using spatial reference”, TwUC 2006[MaGo 2007a] R. Mayrhofer, R. Gostner: “Using a spatial context authentication proxy for establishing secure wireless connections”, Journal of Mobile Multimedia, 2007(3)[May 2005] R. Mayrhofer: “Technische Hintergründe für das rechtliche Handeln im Internet”, Aktuelles zum Internet-Recht, 1-16, pro Libris, 2005
⇒ Authentication proxies
● pre-authenticated to onedevice (host)
● context authentication withanother (guest)
Different options:
● Trust relationships: e.g., passwords/shared secrets, OpenPGP, X.509 cert.
● Interaction in context: passive vs. active
● Contact with service: online vs. offline
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 33
Online vs. Offline Relationship
Online⇒ less trust in proxy
required (authenticate, but not authorize)
Offline⇒ can be used even
when no contact to service is available
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 34
IPSecME: using Spatial References
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 35
IPSecME: Implementation details
Trust relationship between proxy and service: via X.509 certificates● Accepted standard, flexible● Allows to implement both online and offline proxy/service interactions● Current implementation: Proxy acts as certification authority (CA), and service trusts
certificates signed by it ⇒ Active proxy can be used anywhere, anytime
Secure channel between client and service: IPSec● Secure● Accepted standard, flexible● Available in most current client operating systems
Platform:● Java Webstart package for clients and in J2ME for proxies● Any off-the-shelf access point and IPSec gateway will do (only need to support X.509)● Demonstrator: Asus WL-500G access point with OpenWRT, PocketPC PDA as proxy,
Windows, Linux, or MacOS/X as client
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
[May 2006] R. Mayrhofer: “A context authentication proxy for IPSec using spatial reference”, TwUC 2006[MaGo 2007a] R. Mayrhofer, R. Gostner: “Using a spatial context authentication proxy for establishing secure wireless connections”, Journal of Mobile Multimedia, 2007(3)
2009-03-02 Authenticating Spontaneous Interactions 36
„Passive Objects“
O AID: AB1Pubkey: 01001...01
Objects seen: ID: AB1 with pubkey 01001...01 ID: CE1 with pubkey 11010...00
read
AObjects seen: ID: AB1 with pubkey 01001...01 ID: CE1 with pubkey 11010...00B
E
Responsible for: AB*Private key: 11001..11
Responsible for: *
encrypted
signed
034758493
Mobile„Peer“
Proxy Peer
Object
[MOFH 2003] R. Mayrhofer, F. Ortner, A. Ferscha, and M. Hechinger: “Securing passive objects in mobile ad-hoc peer-to-peer networks”, SecCo 2003
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies
2009-03-02 Authenticating Spontaneous Interactions 37
Creating keys from common sensor data
Candidate Key Protocol (CKP)
● generates secret shared keys directly from sensor data streams
● computes feature vectors (e.g. of quantized FFT coefficients)
● exchanges and compares hashes of feature vectors ⇒ candidate key parts
● matching vectors concatenated⇒ candidate keys
[May 2007b] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”. In Proc. ESAS 2007: 4th European Workshop on Security and Privacy in Ad hoc and Sensor Networks. Springer-Verlag, July 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
2009-03-02 Authenticating Spontaneous Interactions 38
Unified Auxiliary Channel Authentication Protocol (UACAP)
● uses Diffie-Hellman for key agreement
● exchanges sensor time series (after pre-processing) for key verification (e.g. with interlock* protocol)
● both devices verify locally (e.g. compare time series with coherence)
Creating short key verifiers
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel Auth.Data Analysis
[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007
2009-03-02 Authenticating Spontaneous Interactions 39
Unified Auxiliary Channel Authentication Protocol (UACAP)
● Need to distinguish between different scenarios
– transfer
– input
– verify
● and channels
– Long / short
– Confidential / non-confidential
UACAP overview
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel Auth.Data Analysis
[MaIo 2009] R. Mayrhofer and I. Ion: “OpenUAT: The Open Source Ubiquitous Authentication Toolkit”. Submitted to USENIX Security 2009
2009-03-02 Authenticating Spontaneous Interactions 40
UACAP specification
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel Auth.Data Analysis
[MaIo 2009] R. Mayrhofer and I. Ion: “OpenUAT: The Open Source Ubiquitous Authentication Toolkit”. Submitted to USENIX Security 2009
2009-03-02 Authenticating Spontaneous Interactions 41
Protocol properties
UACAP
● Two phases:
– Key agreement
– Key verification
● Either with opportunistic key agreement or slight delay
● Only one-off chance for online attack
● Independent signal analysis
CKP
● Single, continuous phase
● Devices “tune into” each other's key streams
● Multi-device authentication
● Offline lookup table attacks possible when feature vectors have insufficient entropy(can be prevented with asymmetric key agreement and additional commitment)
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel Auth.Data Analysis
[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
2009-03-02 Authenticating Spontaneous Interactions 42
Main aspects of the protocol
● uses 2 (3) channels: RF and US
● with 2 phases: key agreement and peer authentication
● Diffie-Hellman for key agreement in phase 1
● Exchange random nonces with interlock protocol in phase 2, both via RF (encrypted) and via US (plaintext)
● Interlock exchange tightly coupled with US measurements
● Both devices check locally that nonces received via RF and US match
Spatial authentication protocol: concept
[MGH 2006] R. Mayrhofer, H. Gellersen, M. Hazas: “An Authentication Protocol using Ultrasonic Ranging”, Technical Report COMP-002-2006, Lancaster University, 2006
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationInterlockData Analysis
2009-03-02 Authenticating Spontaneous Interactions 43
Transfer of verification material over insecure channels: interlock protocol
● RF transmission encrypted with block cipher and split into multiple parts
● Peers adhere to strict turn-taking
⇒ effectively a size-efficient commitment scheme
Spatial authentication protocol: interlock
[MGH 2007] R. Mayrhofer, H. Gellersen, M.Hazas: “Security by spatial reference: Using relative positioning to authenticate devices for spontaneous interaction”, Ubicomp 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationInterlockData Analysis
2009-03-02 Authenticating Spontaneous Interactions 44
Sender
Trick: mapping messages to distances
Receiver
● (plaintext) message transmission over US channel depends implicitly on reference measurement
● delta is derived from nonce and thus unknown to attackers in advance
[MGH 2007] R. Mayrhofer, H. Gellersen, M.Hazas: “Security by spatial reference: Using relative positioning to authenticate devices for spontaneous interaction”, Ubicomp 2007
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationInterlockData Analysis
2009-03-02 Authenticating Spontaneous Interactions 45
Data collection from accelerometers
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
2009-03-02 Authenticating Spontaneous Interactions 46
1. Sensor data acquisition
● Potential problem: side-channel attacks
2. Temporal alignment
● Triggering
● Synchronization
⇒ use motion detection
3. Spatial alignment
● Devices arbitrarily aligned in 3D
● Alignment changes when picked up (between “silent” and “active”)
⇒ reduce to 1 dimension (magnitude)
Pre-processing
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
2009-03-02 Authenticating Spontaneous Interactions 47
Features for shaking:
● Frequency domain
– less accuracy required for synchronization
– less sensitive to noise and alignment problems
● Coherence: measures power spectrum correlation between two signals split into overlapping slices, produces similarity value in [0; 1]
● Quantized FFT coefficients: pairwise added FFT coefficients quantized into exponential bands as feature vectors, compare equality
Feature extraction
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
2009-03-02 Authenticating Spontaneous Interactions 48
3 experiments:– How do people shake?– “Hacking” competition– Live mode – does it work?
Quantitative evaluation
Results:– Parameters for no false positives– False negatives 10.24%, 11.96%– 25/30 subjects successful
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
2009-03-02 Authenticating Spontaneous Interactions 49
Quantitative evaluation
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis
[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing
06.05.2008 Ubiquitous Computing 50
Currently:
● Interesting proposals to solve the authentication problem
● Using different terminology, different underlying concepts
● Implementations specific to the approach, and sometimes to a single demonstration application
● No re-usability of protocols, cryptographic primitives, sensor data handling, user interfaces, etc.
● Hard to reproduce published results
Don't re-invent the primitives
To foster research in the area:
● Have a repository of authentication techniques, methods, and protocols
● Provide tested and re-usable primitives for creating new protocols
● Make proposals and protocols comparable and interchangeable
● Provide real-world sensory data sets for reproducibility and for testing new approaches
⇒ allow to focus on new and interesting applications that use these primitives
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
OpenUATFuture Work
06.05.2008 Ubiquitous Computing 51
OpenUAT: Ubicomp Authentication Toolkit
Documentation, demo applications, data sets: http://www.openuat.org
Source code, mailing list, bug tracker: http://sourceforge.net/projects/openuat
[R. Mayrhofer: “Towards an open source toolkit for ubiquitous device authentication”, PerSec/PerCom 2007]
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
OpenUATFuture Work
06.05.2008 Ubiquitous Computing 52
● Cryptographic primitives: ciphers, hashes (JCE and Bouncycastle with wrappers), DH with default parameters and utility methods, interlock*, on-the-fly creation of X.509 CAs and certificates
● Communication channels: threaded TCP and Bluetooth RFCOMM servers using same interface (transparently interchangeable), UDP multicast, Bluetooth background discovery and peer management (opportunistic authentication)
● Key management protocols: DH-over-streams (TCP or RFCOMM), Candidate Key Protocol
● Sensors and feature extractors: ASCII line reader with various implementations for accelerometers, simple statistics, time series aggregation, activity detection/segmentation, FFT, quantizer
● Context authentication protocols: spatial references, shared motion (shaking), visual (mobile phone camera), audio (MIDI tunes), synchronous input (button presses), manual comparison (short key strings)
● Secure channels: IPSec tunnel and transport (Linux, MacOS/X, Windows)
Utilizing Log4j, JUnit, Ant build system including J2ME builds
Components in the current release
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
OpenUATFuture Work
[MaIo 2009] R. Mayrhofer and I. Ion: “OpenUAT: The Open Source Ubiquitous Authentication Toolkit”. Submitted to USENIX Security 2009
2009-03-02 Authenticating Spontaneous Interactions 53
Research area structuring 3: Future model
A complete model of spontaneous authentication would need to include:
● In-band and out-of-band channels (and how their physical properties map to security guarantees)
● Cryptographic protocols (how the channel security guarantees are exploited to generate secure channels)
● User behavior and mental models (how users understand and use the whole system, while being an essential part of it)
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
OpenUATFuture Work
06.05.2008 Ubiquitous Computing 54
Security needs users!
● Unobtrusive, but not invisible
● Supporting spontaneous interaction
– mobile devices with direct contact
– mobile device with remote gateways
– integrating with web services, client-less authentication approaches
● Re-use of existing metaphors
– passing on keys, revoking?
● New metaphors
– „Shake well before use“
Authentication in Ubiquitous ComputingContributions
Protocols and AnalysisConclusions
OpenUATFuture Work
2007-05-15 Shake well before use
55
“But what ... is it good for?”
Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.
2009-03-02 Authenticating Spontaneous Interactions
56
Thank you for your attention!
Slides: http://www.mayrhofer.eu.org/presentationsLater questions: [email protected]
OpenPGP key: 0xC3C24BDE7FE4 0DB5 61EC C645 B2F1 C847 ABB4 8F0D C3C2 4BDE