Seeing-Is-Believing: using camera phones for human-verifiable authentication Jonathan M. McCune, Adrian Perrig and Michael K. Reiter Int. J. Security and.

Presentation transcript:

Seeing-Is-Believing: using camera phones for human-verifiable authentication Jonathan M. McCune, Adrian Perrig and Michael K. Reiter Int. J. Security and Networks Payas Gupta

Problem
- How do we authenticate each other on a daily basis? By seeing each other.
- In real life we authenticate to various devices using:
  - Physical connection, such as a cable
    - Cumbersome to carry with you all the time
    - Not feasible
  - Wireless communication
    - Invisible to humans
    - Open to MITM attacks
  - Infrared rays etc…

Problem
- MITM attack
  - An out-of-band communication channel that provides authenticity suffices to defeat MITM attacks.
- Diffie and Hellman key establishment
  - The challenge is to construct this kind of channel.
  - Many techniques provide key exchange, but all require a shared secret password between the two entities, which may be cumbersome to establish in many mobile settings.
  - May be manual transmission or comparison.

Seeing-Is-Believing (SiB)
- A visual channel to achieve demonstrative identification of communicating devices.
- In SiB, one device uses its camera to take a snapshot of a barcode encoding cryptographic material identifying, e.g., the public key of another device. We term this a visual channel.

Seeing-Is-Believing (SiB)
- In SiB, a mobile phone’s integrated camera serves as a visual channel to provide demonstrative identification
  - Meaning the property that the user is sure her device is communicating with that other device.
  - In SiB this is done visually.
  - Defeats MITM attacks and can authenticate and exchange keys.
- What better way for a user to tell device A that it should communicate securely with device B than to take a picture of device B using device A’s integrated camera?

Find mode Show mode
- In later sections we will discuss using SiB with devices that may be lacking a display or a camera or both
- Assumptions
  - Mobile phone is not compromised
  - Mobile phones are secure against active adversaries

2D barcodes as a visual channel
- Bob uses his camera in viewfinder mode
- Updating the image in real time
- Once barcode is recognized, stop
- Barcode recognition and error-correcting algorithms

Pre-authentication

Can a device of type X authenticate a device of type Y? Camera Display

Bidirectional authentication
- Both devices should have cameras

- Privacy can be protected by avoiding the transmission of their public key on the wireless network.
- Key can be encoded in a barcode directly, or in a sequence of barcodes if a single barcode has insufficient data capacity.

Unidirectional Authentication
- Device X has a camera and device Y lacks a display and a camera.
  - Mobile phone with camera and Access Point (AP)

- Device Y must be equipped with a long-term public/private keypair, and a sticker containing a barcode of a commitment to its public key must be affixed to its housing.
- As device Y is displayless, per-interaction public keys no longer apply.
- Example – Printer in a public place

Presence Confirmation
- A display-only device (cameraless, but display equipped) is unable to strongly authenticate other devices using SiB.
- But they can obtain a property called ‘presence’.
  - Meaning confirming the presence of some other device in line-of-sight with its display.

Presence confirmation
- TV wants to authenticate DVD Player
- Both are cameraless devices, but equipped with a display.
- A user can use SiB to strongly authenticate the DVD player to her phone through the barcode attached to the DVD player.
- She can demonstrate the DVD player’s presence to the TV by sending it the public key of the DVD player, along with a MAC over the DVD player’s public key.

- Presence property is quite weak
  - The display-only device has no way of knowing how many devices can see its display.
  - It can only compute a MAC over the data received
  - And can measure the time delay between displaying the barcode and receiving the MAC on the wireless channel.

Implementation Details
- Application was developed on Series 60 phones
- File size 52 KB
- For a secure and usable SiB exchange, the Show device needs to convey
  - 48 bits of Bluetooth address
  - 160 bits of SHA-1 output
- Visual Code barcode has a useful data capacity of only 68 bits
  - So need 4 barcodes to accommodate all
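The barcode arithmetic on the Implementation Details slide, as an added Python example (not the authors' Series 60 code): the Show device packs the 48-bit Bluetooth address and the 160-bit SHA-1 commitment into four 68-bit barcode values, and the Find device rebuilds them and checks the key it later receives over the wireless link. The chunk layout (plain concatenation, zero padding at the end), the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

BARCODE_BITS = 68                   # usable capacity of one Visual Code (slide)
ADDR_BITS, HASH_BITS = 48, 160      # Bluetooth address + SHA-1 output (slide)
TOTAL_BITS = ADDR_BITS + HASH_BITS  # 208 bits to convey
N_CODES = -(-TOTAL_BITS // BARCODE_BITS)        # ceil(208 / 68) = 4
PAD_BITS = N_CODES * BARCODE_BITS - TOTAL_BITS  # unused bits in the last code


def show_barcodes(bt_addr: bytes, public_key: bytes) -> list[int]:
    """Show device: commit to the key and cut the payload into 68-bit codes."""
    if len(bt_addr) * 8 != ADDR_BITS:
        raise ValueError("Bluetooth address must be 48 bits")
    commitment = hashlib.sha1(public_key).digest()
    payload = int.from_bytes(bt_addr + commitment, "big") << PAD_BITS
    mask = (1 << BARCODE_BITS) - 1
    # Assumed layout: plain concatenation, most significant chunk first.
    return [(payload >> (BARCODE_BITS * i)) & mask
            for i in reversed(range(N_CODES))]


def find_verify(codes: list[int], key_over_wireless: bytes):
    """Find device: rebuild address + commitment, then check the radio key."""
    if len(codes) != N_CODES or any(c >> BARCODE_BITS for c in codes):
        raise ValueError("expected four 68-bit barcode values")
    payload = 0
    for c in codes:
        payload = (payload << BARCODE_BITS) | c
    raw = (payload >> PAD_BITS).to_bytes(TOTAL_BITS // 8, "big")
    bt_addr, commitment = raw[:6], raw[6:]
    seen = hashlib.sha1(key_over_wireless).digest()
    # The key arrives over the untrusted radio link; only the hash seen
    # through the camera is authentic, so a mismatch means substitution.
    return bt_addr, hmac.compare_digest(seen, commitment)


# Constructed sample values, not real device data.
SAMPLE_ADDR = bytes.fromhex("001122334455")
SAMPLE_KEY = b"constructed public key bytes for device B"
SAMPLE_CODES = show_barcodes(SAMPLE_ADDR, SAMPLE_KEY)
```

Three barcodes would carry only 204 bits, which is why the slide arrives at four; a key substituted on the wireless channel fails the comparison in `find_verify`.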

Application of Seeing-Is-Believing
- Seeing-Is-Believing and the Grey Project
- SiB has been in use at Carnegie Mellon for several years (around 5-6)

- Group Key establishment
  - It is the same as bidirectional authentication using SiB
  - But a few difficulties were noticed in use
- Users usually switch to other phones without completing the second half of authentication

Security Analysis
- Cryptography
  - Implementation uses cycling barcodes that provide sufficient bandwidth to convey a full 160-bit SHA-1 hash.
  - Barcodes need to be secure against active attacks, which can be achieved using SiB.

- Selecting an authentication channel
- COTS – Commercial Off-The-Shelf products

Attacks against SiB
- A sophisticated adversary may be able to measure emitted electromagnetic radiation (Kuhn and Anderson, 1998), or to assemble the contents of the CRT by looking at reflected light from the CRT (Kuhn, 2002).
- An attacker can disrupt the lighting conditions in an attempt to disrupt SiB.
- A more sophisticated, and subtle, attack is to use infrared radiation or a carefully aimed laser to overwhelm the CCD in a phone’s camera.

Concluding Remarks
- Nice and interesting approach to authentication.
- Analysed the establishment of secure, authenticated sessions between SiB-enabled devices and devices missing either a camera, a display, or both, and found that secure communication is possible in many situations.
- The visual channel has the desirable property that it provides demonstrative identification of the communicating parties.