Abstract
One of the main challenges in pervasive computing is how to establish secure communication over an untrusted high-bandwidth network without any initial knowledge or a Public Key Infrastructure. An approach studied by a number of researchers is building security through involving humans in a low-bandwidth “empirical” out-of-band channel where the transmitted information is authentic and cannot be faked or modified. A survey of such protocols can be found in [9]. Many protocols discussed there achieve the optimal amount of authentication for a given amount of human work. However, it might still be attractive to attack them if a failed attack might be misdiagnosed as a communication failure and therefore remain undetected. In this paper we show how to transform protocols of this type to make such misdiagnosis essentially impossible. We introduce the concept of auditing a failed protocol run and show how to enable this.
Notes
1. In a more extreme case, Eve may be in a position to control both runs’ strings and use a birthday-style attack.
2. If the value x has had to be salted to make the delay secure, it would then be necessary for the direct communication of x to include the salt as well.
3. These are exactly the primes in which cubing \(x^3\) is invertible. Squaring is not invertible for primes other than 2.
4. The calculation of \(x^3\) will clearly take more time, the more digits there are. Note that there are multiplication algorithms faster than the usual “schoolbook” one that can be expected to give significant advantages when p is very long.
References
1. Time-Lock Encryption (2011). http://www.gwern.net/Self-decrypting
2. Wikipedia article on ZRTP. https://en.wikipedia.org/wiki/ZRTP
3. Bangdao, C., Roscoe, A.W.: Mobile electronic identity: securing payment on mobile phones. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 22–37. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21040-2_2
4. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
5. Hoepman, J.-H.: Ephemeral pairing on anonymous networks. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 101–116. Springer, Heidelberg (2005). doi:10.1007/978-3-540-32004-3_12
6. Hoepman, J.-H.: The ephemeral pairing problem. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 212–226. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27809-2_22
7. Nguyen, L.H., Roscoe, A.W.: Efficient group authentication protocol based on human interaction. In: Proceedings of the Joint Workshop on Foundation of Computer Security and Automated Reasoning Protocol Security Analysis (FCS-ARSPA 2006), pp. 9–31 (2006)
8. Nguyen, L.H., Roscoe, A.W.: Authenticating ad-hoc networks by comparison of short digests. Inf. Comput. 206(2–4), 250–271 (2008)
9. Nguyen, L.H., Roscoe, A.W.: Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey. J. Comput. Secur. 19(1), 139–201 (2011)
10. Nguyen, L.H., Roscoe, A.W.: Short-output universal hash functions and their use in fast and secure data authentication. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 326–345. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34047-5_19
11. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996). http://bitsavers.trailing-edge.com/pdf/mit/lcs/tr/MIT-LCS-TR-684.pdf
12. Roscoe, A.W.: Human-centred computer security (2005). http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/113.pdf
13. Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005). doi:10.1007/11535218_19
14. Zimmermann, P.: ZRTP (2010). https://tools.ietf.org/html/draft-zimmermann-avt-zrtp-22
The author thanks Long Nguyen, Peter Ryan, Catherine Meadows and Thomas Gibson-Robinson for useful conversations on this work.
© 2017 Springer International Publishing AG
Cite this paper
Roscoe, A.W. (2017). Detecting Failed Attacks on Human-Interactive Security Protocols. In: Anderson, J., Matyáš, V., Christianson, B., Stajano, F. (eds) Security Protocols XXIV. Security Protocols 2016. Lecture Notes in Computer Science(), vol 10368. Springer, Cham. https://doi.org/10.1007/978-3-319-62033-6_21
DOI: https://doi.org/10.1007/978-3-319-62033-6_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62032-9
Online ISBN: 978-3-319-62033-6
eBook Packages: Computer Science, Computer Science (R0)