Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8: User-Enabled Device Authentication CS 436/636/736 Spring 2014 Nitesh Saxena.

Published byTrevor Owen Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 8: User-Enabled Device Authentication CS 436/636/736 Spring 2014 Nitesh Saxena."— Presentation transcript:

1

2 Lecture 8: User-Enabled Device Authentication CS 436/636/736 Spring 2014 Nitesh Saxena

3 Course Admin HW3 graded  Solution provided; to be distributed today HW4 posted  The conceptual part was just due  Includes programming part related to Buffer Overflow  Programming part needs demo – we will do so next week Demo slot sign-up – today  You are allowed to work on the programming part in teams of two each Please form your own team

4 Course Admin Final Exam – Apr 24 (Thursday)  7 to 9:30pm  Venue – CH 430 Covers everything (cumulative)  35% -- pre mid-term material  65% -- post mid-term material Again, close-book, just like the mid-term Review today Extended office hours – all Thurs

5 The Problem: “Pairing” How to bootstrap secure communication between Alice’s and Bob’s devices when they have  no prior context  no common trusted CA or TTP Examples (single user setting)  Pairing a bluetooth cell phone with a headset  Pairing a WiFi laptop with an access point  Pairing two bluetooth cell phones

6 PIN-based Bluetooth Pairing

7 Authentication 1 2

8 PIN-based Bluetooth Pairing

9 Authentication 1 2

10 (In)Security of PIN-based Pairing Long believed to be insecure for short PINs  Why? First to demonstrate this insecurity; Shaked and Wool [Mobisys’05]

11 Attack Implementation Coded in C on linux platform  Given a piece of code for SAFER algorithm, implemented the encryption functions E 22, E 21, E 1 Hardware for sniffing: bluetooth packet analyzer with windows software Log Parser (in perl): reads the sniffer log, and parses it to grab IN_RAND, RAND_A \xor K init, RAND_B \xor K init, AU_RAND_A, AU_RAND_B, SRES

12 Timing Measurements of Attack Theoretically: O(10^L), with decimal digits  Assuming the PINs are chosen uniformly at random Empirically, on a PIII 700MHz machine: No. of digits in PIN (L) CPU time (sec) 41.294 512.915 6129.657 71315.332

13 Timing of Attack and User Issues ASCII PINs: O(90^L), assuming there are 90 ascii characters that can be typed on a mobile phone  Assuming random PINs However, in practice the actual space will be quite small  Users choose weak PINs;  Users find it hard to type in ascii characters on mobile devices Another problem: shoulder surfing (manual or automated)

14 The Problem: “Pairing” Idea  make use of a physical channel between devices  Also know as out-of-band (OOB) channel  with least involvement from Alice and Bob Authenticated: Audio, Visual, Tactile

15 Seeing-is-Believing (McCune et al. [Oakland’05]) Protocol ( Balfanz, et al. [NDSS’02] ) AB pk A pk B H(pk A ) H(pk B ) Insecure Channel Rohs, Gfeller [PervComp’04] Secure if  H(.) weak CR 80-bit for permanent 48-bit for ephemeral Authenticated Channel

16 Challenges OOB channels are low-bandwidth! One of the device might not have a keypad/receiver! Neither has a receiver and only one has a good quality transmitter  (Non-)Universality! Usability Evalutation

17 Challenges OOB channels are low-bandwidth! One of the device might not have a keypad/receiver! One of the device might not have a keypad/receiver! Neither has a receiver and only one has a good quality transmitter Neither has a receiver and only one has a good quality transmitter  (Non-)Universality! Usability! Usability!

18 Protocol: Short Authenticated Strings (SAS) A B pk A,c A pk B,c B dAdA dBdB Secure (with prob. 1-2 -k ) Insecure Channel Authenticated Channel SAS A SAS B c A,d A  comm(pk A,R A ) R A ε {0,1} k R B ε {0,1} k c B,d B  comm(pk B,R B ) SAS A = R A R B SAS B = R A R B Accept (pk B,B) if SAS B = R A R B Accept (pk B,A) if SAS A = R A R B Vaudenay [Crypto’05] R A  open(pk A,c A,d A ) R B  open(pk B,c B,d B ) Laur et al. [eprint’05] Pasini-Vaudenay [PKC’06]

19 Challenges OOB channels are low-bandwidth! OOB channels are low-bandwidth! One of the devices might not have a keypad/receiver  e.g., keyboard-desktop; AP-phone Neither has a receiver and only one has a good quality transmitter Neither has a receiver and only one has a good quality transmitter  (Non-)Universality! Usability Usability

20 Unidirectional SAS (Saxena et al. [S&P’06]) A B pk A, H(R A ) pk B, R B RARA hs(R A,R B ;pk A,pk B ) Galois MAC Success/Failure Secure (with prob. 1-2 -15 ) if  15-bit AU hs() Blinking-Lights Insecure Channel Authenticated Channel User I/O Muliple Blinking LEDs (Saxena-Uddin [MWNS’08])

21 Challenges OOB channels are low-bandwidth! OOB channels are low-bandwidth! One of the device might not have a receiver! One of the device might not have a receiver! Neither has a receiver and only one has a display  e.g., AP-laptop/PDA Usability! Usability!

22 A Universal Pairing Method Prasad-Saxena [ACNS’08] Use existing SAS protocols The strings transmitted by both devices over physical channel should be  the same, if everything is fine  different, if there is an attack/fault Both devices encode these strings using a pattern of  Synchronized beeping/blinking  The user acts as a reader and verifies if the two patterns are same or not

23 Is This Usable? Our test results are promising  Users can verify both good test cases and bad ones Blink-Blink the easiest  Very low errors (less than 5%)  Execution time ~22s Then, Beep-Blink  Very low errors with a learning instance (less than 5%)  Execution time ~15s Beep-Beep turns out error-prone

24 Further Improvement: Auxiliary Device Saxena et al. [SOUPS’08] Auxiliary device needs a camera and/or microphone – a smart phone Does not need to be trusted with cryptographic data Does not need to communicate with the devices A B Success/Failure

25 Further Improvement: Auxiliary Device Blink-Blink  ~14s (compared to 22s of manual scheme) Beep-Blink  Approximately takes as long as the same as manual scheme  No learning needed In both cases,  Fatal errors (non-matching instances decided as matching) are eliminated  Safe errors (matching instances decided as non-matching) are reduced It was preferred by most users

26 Challenges OOB channels are low-bandwidth! OOB channels are low-bandwidth! One of the device might not have a receiver! One of the device might not have a receiver! Neither has a receiver and only one has a good quality transmitter Neither has a receiver and only one has a good quality transmitter  (Non-)Universality! Comparative Usability!

27 Many Mechanisms Exist See survey: [Kumar, et al. @ Percom’09]  Manual Comparison or Transfer: Numbers [Uzun, et al. @ USEC’06] Spoken/Displayed Phrases: Loud & Clear [Goodrich, et al. @ ICDCS’06] Images: [Goldberg’96][Perrig-Song’99][Ellison-Dohrman @ TISSEC’03] Button-enabled data transfer (BEDA) [Soriente, et al. @ IWSSI’07] Synchronized Patterns [Saxena et al. @ ACNS’08 & SOUPS’08]  Automated: Seeing-is-Believing (SiB) [McCune, et al. @ S&P’05] Blinking Lights [Saxena, et al. @ S&P’06] Audio Transfer [Soriente, et al. @ ISC’08] 26

28 A Comparative Usability Study How do these mechanisms compare with one another in terms of usability?  Timing; error rates; user preferences Needed a formal usability study Automated testing framework 40 participants; over a 2 month long period Surprise:  Users don’t like automated methods: handling cameras not easy

29 Tested methods (1/5) Number Comparison “65473” =? “75853” Phrase Comparison “ Alice buys jackets” =? “John likes elephants” Image Comparison =?

30 Tested Methods (2/5) Audiovisual synchronization methods  Beep-Blink.. ….. …  Blink-Blink … … … …

31 Button enabled (BEDA) methods  LED-Button  Vibrate-Button  Button-Button Tested methods (3/5)

32 Tested methods (4/5) Loud and Clear (L&C) variants  Speaker-Speaker =?  Display-Speaker =? John buys a car

33 Tested Methods (5/5) Seeing is Believing (SiB) Blinking Lights … … ….. HAPADEP Variant

34 Comparative Usability Study: Time

35

36 Comparative Usability Study: Ease-of-Use

37 Cluster Analysis: Big Picture!

38 Conclusions from the study Both devices have a display  Numeric Comparison One device does not have a display but an audio interface  L&C Display-Speaker if one has a display and the other has a speaker  Audio Transfer if microphone is available on one, and speaker on the other Interface constraint device(s)  BEDA Vibrate-Button, if possible  BEDA LED-Button otherwise

39 Other open questions Scalability and group setting Rushing user behavior Extending to Internet setting  Secure VoIP communications

40 References Cracking Bluetooth PINs: http://www.eng.tau.ac.il/~yash/shaked-wool- mobisys05/ http://www.eng.tau.ac.il/~yash/shaked-wool- mobisys05/ OOB channel related references:  Many on my publications page:  http://spies.cis.uab.edu/research/secure- device-pairing/overview/ http://spies.cis.uab.edu/research/secure- device-pairing/overview/

Download ppt "Lecture 8: User-Enabled Device Authentication CS 436/636/736 Spring 2014 Nitesh Saxena."

Similar presentations

Usable Bootstrapping of Secure Ad Hoc Communication Ersin Uzun PARC 1.

Usable Bootstrapping of Secure Ad Hoc Communication Ersin Uzun PARC 1.
A mobile single sign-on system Master thesis 2006 Mats Byfuglien.

A mobile single sign-on system Master thesis 2006 Mats Byfuglien.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.

Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Internet Vision - Lecture 3 Tamara Berg Sept 10. New Lecture Time Mondays 10:00am-12:30pm in 2311 Monday (9/15) we will have a general Computer Vision.

Internet Vision - Lecture 3 Tamara Berg Sept 10. New Lecture Time Mondays 10:00am-12:30pm in 2311 Monday (9/15) we will have a general Computer Vision.
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.

Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan and John Canny UC Berkeley.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
09/23/05 1/27 Usable Security Bluetooth Pairing Nitesh Saxena Polytechnic University.

09/23/05 1/27 Usable Security Bluetooth Pairing Nitesh Saxena Polytechnic University.
Device(-to-Device) Authentication Nitesh Saxena Polytechnic Institute of NYU.

Device(-to-Device) Authentication Nitesh Saxena Polytechnic Institute of NYU.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Device-to-Device Authentication Nitesh Saxena Polytechnic Institue of NYU.

Device-to-Device Authentication Nitesh Saxena Polytechnic Institue of NYU.
SOUPS July 24, 2008 Universal Device Pairing using an Auxiliary Device Nitesh Saxena, Md. Borhan Uddin and Jonathan Voris Polytechnic Institute of New.

SOUPS July 24, 2008 Universal Device Pairing using an Auxiliary Device Nitesh Saxena, Md. Borhan Uddin and Jonathan Voris Polytechnic Institute of New.
CS 235: User Interface Design January 22 Class Meeting

CS 235: User Interface Design January 22 Class Meeting
Seeing-Is-Believing: Using Camera Phones for Human- Verifiable Authentication Jonathan M. McCune Adrian Perrig Michael K. Reiter Carnegie Mellon University.

Seeing-Is-Believing: Using Camera Phones for Human- Verifiable Authentication Jonathan M. McCune Adrian Perrig Michael K. Reiter Carnegie Mellon University.
Seeing-Is-Believing: using camera phones for human-verifiable authentication Jonathan M. McCune, Adrian Perrig and Michael K. Reiter Int. J. Security and.

Seeing-Is-Believing: using camera phones for human-verifiable authentication Jonathan M. McCune, Adrian Perrig and Michael K. Reiter Int. J. Security and.
Lecture 9: Email Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
Physical Contact in Ad-Hoc Wireless Network Nie Pin 27.10.2006.

Physical Contact in Ad-Hoc Wireless Network Nie Pin
Information Systems and Internet Security (ISIS) Lab Research overview and some recent projects Nasir Memon Polytechnic Institute of NYU.

Information Systems and Internet Security (ISIS) Lab Research overview and some recent projects Nasir Memon Polytechnic Institute of NYU.

Similar presentations

Ads by Google