Bridging the UI Gap for Authentication in Smart Environments Sebastian Unger Prof. Dirk Timmermann University of Rostock, Germany MuSAMA DFG Graduate Program.

Presentation transcript:

Bridging the UI Gap for Authentication in Smart Environments Sebastian Unger Prof. Dirk Timmermann University of Rostock, Germany MuSAMA DFG Graduate Program

Problem statement: What is it about?
How to mutually authenticate a light bulb and a switch?
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“

Agenda: Motivation, Basic Principles, Approach, Prototype Implementation, Conclusion & Future Work


Motivation: What it is about
AAL, IoT, WoT

Motivation: Security?
Confidentiality, Authorization, Integrity
Prerequisite: Authentication / Authenticity

Motivation: Authentication
Authentication = Identification + Keying + Parameter negotiation
AES-CBC-256

Agenda: Motivation, Basic Principles on Authentication, Approach, Prototype Implementation, Conclusion & Future Work

Basic Principles: Basic Authentication Approaches
Delegated vs. Direct
Trust Authority (TA), implicit trust relationship
→ Usually hybrid approach
How is trust established between endpoints and TA?

Basic Principles: Delegated authentication example: certificate hierarchies
Diagram labels: root CA, CAs, end points
Certificate hierarchies: authentication is delegated by certificate authorities (CA) with the root CA at the top of the tree

Basic Principles: Delegated authentication: pros and cons
can reduce endpoint’s efforts
easier to manage (one vendor)
transparent to user
requires (vendor-independent) infrastructure
single point(s) of failure
authentication in field cumbersome

Basic Principles: Direct Authentication
Direct Authentication: Exchange a PIN out-of-band (OOB)
OOB channels can be
Diagram labels: 1234; e.g. challenge-response; OOB: 1234

Basic Principles: Direct authentication: pros and cons
no trusted 3rd parties
no infrastructure necessary
no single point of failure
authentication / connection establishment at runtime
# of connections per device: n (instead of 1)
OOB channel must be possible

Agenda: Motivation, Basic Principles, Approach to bridge UI gaps, Prototype Implementation, Conclusion & Future Work

Approach: Problem statement

Approach: Common approach to bridge the gap
Supply every device with NFC capabilities (→ NFC hype)
Example:
Is it possible to bridge the gap w/o supplying peripherals the device does not need?

Approach: Our approach to bridge the gap
Approach: Incorporate user interface capabilities of omnipresent multimedia devices

Approach: Multimedia device properties
Multimedia devices…
… have plenty of user interface capabilities
… are literally everywhere in today’s homes
… are often carried with their users
Example: Smartphone LG Nexus 4

Approach: The complete protocol
Participants: Client, Device, phone
discovery
Metadata: Matching authentication mechanism?
Metadata
Request authentication w/ Device
Request authentication w/ Client
PIN oob-channel 1
PIN oob-channel 2
Remainder of authentication handshake

Approach: How to translate the OOB channel: ECDH
Elliptic Curve Diffie Hellman (ECDH)
Alice and Bob: publicly agree on elliptic curve $G$
Alice: pick $SK_A$, $PK_A = SK_A \times G$
Bob: pick $SK_B$, $PK_B = SK_B \times G$
Alice sends $PK_A$, Bob sends $PK_B$
Alice: $S = S_A = PK_B \times SK_A$
Bob: $S = S_B = PK_A \times SK_B$
Adversary cannot calculate $S$
BUT Man-in-the-Middle (MITM) attack is possible

Approach: How to translate the OOB channel: ECDH
Elliptic Curve Diffie Hellman (ECDH): MITM
Alice: pick $SK_A$, $PK_A = SK_A \times G$
Bob: pick $SK_B$, $PK_B = SK_B \times G$
Alice sends $PK_A$ and receives $PK_M$
Bob sends $PK_B$ and receives $PK_M$
Alice: $S_1 = S_A = PK_M \times SK_A$
Bob: $S_2 = S_B = PK_M \times SK_B$
MITM: $S_1 = PK_A \times SK_M$, $S_2 = PK_B \times SK_M$
Alice and Bob are not aware of MITM’s presence

Approach: How to translate the OOB channel: authenticated ECDH
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho
Alice and Bob: publicly agree on elliptic curve $G$, exchange $PW$ OOB
Alice: pick $SK_A$, $PK_A = SK_A \times G$, $PK'_A = PK_A - Q(PW)$
Alice to Bob: $PK'_A$, $nonce_A$, $id_A$, $id_B$
Bob: pick $SK_B$, $PK_B = SK_B \times G$, $PK_A = PK'_A + Q(PW)$, $S = S_B = PK_A \times SK_B$, $H_B = cmac(S, parm)$
Bob to Alice: $PK_B$, $nonce_B$, $id_A$, $id_B$, $H_B$
Alice: $S = S_A = PK_B \times SK_A$, verify $H_B$, $H_A = cmac(S, parm)$
Alice to Bob: $H_A$
Bob: verify $H_A$
$MK = cmac(S, nonce_A | nonce_B)$
Assume previously (OOB) exchanged PIN $PW$
Distort Alice’s PK with $PW$
Use keyed hashes of IDs and parameters to authenticate handshake
Derive master key $MK$ from $S$

Approach: How to translate the OOB channel: authenticated ECDH
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho
Participants: Alice, phone, Bob
phone: $PW$
Alice: pick $SK_A$, $PK_A = SK_A \times G$, $PK'_A = PK_A - Q(PW)$
Bob: pick $SK_B$, $PK_B = SK_B \times G$, $PK_A = PK'_A + Q(PW)$, $S = S_B = PK_A \times SK_B$, $H_B = cmac(S, parm)$
Alice: $S = S_A = PK_B \times SK_A$, verify $H_B$, $H_A = cmac(S, parm)$
Bob: verify $H_A$
Messages, shown both between Alice and Bob and at the phone:
$PK'_A$, $nonce_A$, $id_A$, $id_B$
$PK_B$, $nonce_B$, $id_A$, $id_B$, $H_B$
$H_A$
$MK = cmac(S, nonce_A | nonce_B)$
Parameters contain the requested OOB authentication mechanism
This must be changed to preserve transparency
Phone cannot recompute $H_{A/B}$ as it has no knowledge of $S$

Approach: How to translate the OOB channel: authenticated ECDH
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant
Participants: Alice, phone, Bob
phone: $PW$
Alice: pick $SK_A$, $PK_A = SK_A \times G$, $PK'_A = PK_A - Q(PW)$
Bob: pick $SK_B$, $PK_B = SK_B \times G$, $PK_A = PK'_A + Q(PW)$, $S = S_B = PK_A \times SK_B$, $H_B = cmac(S, parm)$
Alice: $S = S_A = PK_B \times SK_A$, verify $H_B$, $H_A = cmac(S, parm)$
Bob: verify $H_A$
Slide annotations: $PW + PK_B$, $PW + PK_A$
Messages, shown on both sides of the phone:
$PK'_A$, $nonce_A$, $id_A$, $id_B$
$PK_B$, $nonce_B$, $id_A$, $id_B$, $H_B$
$H_A$
$H_{A/B} = f(S(PW)) = f(PW)$
Use $PW$ directly to compute hashes
Add public keys to hashes to detect MITM as early as possible
$MK = cmac(S, nonce_A | nonce_B)$

Agenda: Motivation, Basic Principles, Approach, Prototype Implementation, Conclusion & Future Work

Prototype Implementation: Hardware Setup
Device: Light Bulb
Client: Light Switch
Multimedia device: Smart phone (LG Nexus 4) + App: WS4D Mobile Authenticator

Prototype Implementation: Flow I
Discovery, Request authentication

Prototype Implementation: Flow II
Metadata

Prototype Implementation: Flow II
Request Authentication, Metadata, Response to request

Prototype Implementation: Flow II
OOB Pin Exchange, Request Authentication, Metadata, Response to request

Prototype Implementation: Flow III
Request Authentication, Response to request

Prototype Implementation: Flow III
Request Authentication, Response to request, OOB Pin Exchange

Prototype Implementation: Flow IV
Request authentication, Response

Prototype Implementation: Summary
devices are authenticated indirectly + keying + parameter negotiation
completely transparent to Device
mostly transparent to Client + less effort for Client
no delegated authentication, phone remains unauthenticated

Agenda: Motivation, Basic Principles, Approach, Prototype Implementation, Conclusion & Future Work

Conclusion
solution for bridging possible UI Gaps
increases usability of authentication
transparent to user and device
developed high-level protocol / flow
developed cryptographic protocol for indirect authentication
open-source prototype by means of hardware + Android app

Future Work: The Big Picture
Indirect Authentication part of project to create security framework for distributed embedded systems based on WS Security suite
Integrate message level security
Combine with delegated authentication to increase transparency and usability
Current communication: DPWS, future: REST

Future Work: Additional mechanisms

Thank you very much for your attention! Any questions?
Sebastian Unger, Institute for Applied Microelectronics and Computer Engineering, University of Rostock, Germany

Backup: Bridging Larger Gaps
Completely transparent for Device and Client

Backup: Why public keys in hash?
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant
Participants: Alice, Bob, phone, MITM
phone: $PW$
$PK'_A$, $PK_M$ […]
$S_1 = PK'_M \times SK_B$
$S_2 = PK_B \times SK_M$
$S_3 = PK'_A \times SK_M$
$S_4 = PK_M \times SK_A$
Man-in-the-Middle (MITM) attack is not detected. It’s simply not possible for Alice and Bob (via MITM) to communicate b/c different session keys $S_i$ are calculated. Including public keys in hashes, however, makes it possible to detect MITM.