On the Usability of Secure Association of Wireless Devices Based on Distance Bounding

  • Conference paper
Cryptology and Network Security (CANS 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5888)

Abstract

When users wish to establish wireless communication between their devices, the channel needs to be bootstrapped first. Usually, the channel should be authenticated and confidential, in order to mitigate any malicious control of or eavesdropping on the communication. When there is no prior security context, such as shared secrets, common key servers or public key certificates, device association necessitates some level of user involvement in the process. A wide variety of user-aided security association techniques have been proposed in the past. A promising set of techniques requires out-of-band communication between the devices (e.g., auditory, visual, or tactile). The usability evaluation of such techniques has been an active area of research.

In this paper, our focus is on the usability of an alternative method of secure association – Integrity regions (I-regions) [40] – based on distance bounding. I-regions achieves secure association by verification of entity proximity through time-to-travel measurements over ultrasonic or radio channels. Security of I-regions crucially relies on the assumption that human users can correctly gauge the distance between two communicating devices. We demonstrate, via a thorough usability study of the I-regions technique and related statistical analysis, that such an assumption does not hold in practice. Our results indicate that I-regions can yield high error rates, undermining its security and usability under common communication scenarios.

References

  1. Balfanz, D., Smetters, D., Stewart, P., Wong, H.: Talking to Strangers: Authentication in Ad-Hoc Wireless Networks. In: Proceedings of the 9th Annual Network and Distributed System Security Symposium (NDSS) (2002)
  2. Bangor, A., Kortum, P.T., Miller, J.T.: An empirical evaluation of the system usability scale. International Journal of Human-Computer Interaction 24(6), 574–594 (2008)
  3. Boyko, V., MacKenzie, P., Patel, S.: Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
  4. Brands, S., Chaum, D.: Distance-bounding protocols. In: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pp. 344–359. Springer-Verlag New York, Inc., Heidelberg (1994)
  5. Brooke, J.: SUS: a quick and dirty usability scale. In: Jordan, P.W., Thomas, B., Weerdmeester, B.A., McClelland, A.L. (eds.) Usability Evaluation in Industry, Taylor and Francis, London (1996)
  6. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
  7. Ellison, C.M., Dohrmann, S.: Public-key support for group collaboration. ACM Transactions on Information and System Security 6(4), 547–565 (2003)
  8. Faulkner, L.: Beyond the five-user assumption: Benefits of increased sample sizes in usability testing. Behavior Research Methods, Instruments, & Computers 35(3), 379–383 (2003)
  9. Fontana, R.J.: Experimental Results from an Ultra Wideband Precision Geolocation System. Ultra-Wideband, Short-Pulse Electromagnetics (May 2000)
  10. Goldberg, I.: Visual Key Fingerprint Code (1996), http://www.cs.berkeley.edu/iang/visprint.c
  11. Goodrich, M., et al.: Loud and Clear: Human-Verifiable Authentication Based on Audio. In: International Conference on Distributed Computing Systems (2006)
  12. Goodrich, M.T., et al.: Using audio in secure device pairing. International Journal of Security and Networks 4(1), 57–68 (2009)
  13. Holmquist, L.E., et al.: Smart-its friends: A technique for users to easily establish connections between smart artefacts. In: Abowd, G.D., Brumitt, B., Shafer, S. (eds.) UbiComp 2001. LNCS, vol. 2201, pp. 116–122. Springer, Heidelberg (2001)
  14. Kainda, R., et al.: Usability and security of out-of-band channels in secure device pairing protocols. In: Symposium On Usable Privacy and Security (SOUPS) (2009)
  15. Kindberg, T., Zhang, K.: Validating and securing spontaneous associations between wireless devices. In: Information Security Conference, pp. 44–53 (2003)
  16. Kobsa, A., et al.: Serial hook-ups: A comparative usability study of secure device pairing methods. In: Symposium On Usable Privacy and Security (SOUPS) (2009)
  17. Kostiainen, K., Uzun, E.: Framework for comparative usability testing of distributed applications. In: Security User Studies: Methodologies and Best Practices Workshop (2007)
  18. Kumar, A., et al.: Caveat Emptor: A Comparative Study of Secure Device Pairing Methods. In: IEEE International Conference on Pervasive Computing and Communications (PerCom) (2009)
  19. Landsberger, H.A.: Hawthorne revisited. Cornell University Press (1968)
  20. Laur, S., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 90–107. Springer, Heidelberg (2006)
  21. Mao, W.: Modern Cryptography, Theory & Practice. Prentice Hall PTR, Englewood Cliffs (2004)
  22. Mayrhofer, R., Gellersen, H.-W.: Shake Well Before Use: Authentication Based on Accelerometer Data. In: LaMarca, A., Langheinrich, M., Truong, K.N. (eds.) Pervasive 2007. LNCS, vol. 4480, pp. 144–161. Springer, Heidelberg (2007)
  23. Mayrhofer, R., Welch, M.: A Human-Verifiable Authentication Protocol Using Visible Laser Light. In: International Conference on Availability, Reliability and Security (ARES), pp. 1143–1148 (2007)
  24. McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-is-believing: Using camera phones for human-verifiable authentication. In: IEEE Symposium on Security and Privacy (2005)
  25. Pasini, S., Vaudenay, S.: SAS-Based Authenticated Key Agreement. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 395–409. Springer, Heidelberg (2006)
  26. Perrig, A., Song, D.: Hash visualization: a new technique to improve real-world security. In: International Workshop on Cryptographic Techniques and E-Commerce (1999)
  27. Piontek, H., Seyffer, M., Kaiser, J.: Improving the accuracy of ultrasound-based localisation systems. Personal and Ubiquitous Computing 11(6), 439–449 (2007)
  28. Prasad, R., Saxena, N.: Efficient device pairing using Human-comparable synchronized audiovisual patterns. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 328–345. Springer, Heidelberg (2008)
  29. Priyantha, N.B., Chakraborty, A., Balakrishnan, H.: The Cricket location-support system. In: Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom), pp. 32–43. ACM Press, New York (2000)
  30. Roth, V., et al.: Simple and effective defense against evil twin access points. In: ACM conference on Wireless network security (WISEC), pp. 220–235 (2008)
  31. Saxena, N., et al.: Extended abstract: Secure device pairing based on a visual channel. In: IEEE Symposium on Security and Privacy (2006)
  32. Soriente, C., Tsudik, G., Uzun, E.: Secure pairing of interface constrained devices. International Journal of Security and Networks 4(1), 17–26 (2009)
  33. Soriente, C., Tsudik, G., Uzun, E.: BEDA: Button-Enabled Device Association. In: International Workshop on Security for Spontaneous Interaction (IWSSI), UbiComp Workshop Proceedings (2007)
  34. Soriente, C., Tsudik, G., Uzun, E.: HAPADEP: human-assisted pure audio device pairing. In: Information Security, pp. 385–400 (2008)
  35. Stajano, F., Anderson, R.: The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In: International Workshop on Security Protocols (1999)
  36. Stajano, F.: Security for Ubiquitous Computing. John Wiley & Sons, Ltd., Chichester (2002)
  37. Suomalainen, J., Valkonen, J., Asokan, N.: Security Associations in Personal Networks: A Comparative Analysis. In: Stajano, F., Meadows, C., Capkun, S., Moore, T. (eds.) ESAS 2007. LNCS, vol. 4572, pp. 43–57. Springer, Heidelberg (2007)
  38. Uzun, E., Karvonen, K., Asokan, N.: Usability analysis of secure pairing methods. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 307–324. Springer, Heidelberg (2007)
  39. Varshavsky, A., et al.: Amigo: Proximity-Based Authentication of Mobile Devices. In: Krumm, J., Abowd, G.D., Seneviratne, A., Strang, T. (eds.) UbiComp 2007. LNCS, vol. 4717, pp. 253–270. Springer, Heidelberg (2007)
  40. Čapkun, S., Čagalj, M.: Integrity regions: authentication through presence in wireless networks. In: WiSe 2006: Proceedings of the 5th ACM workshop on Wireless security (2006)

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Cagalj, M., Saxena, N., Uzun, E. (2009). On the Usability of Secure Association of Wireless Devices Based on Distance Bounding. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds) Cryptology and Network Security. CANS 2009. Lecture Notes in Computer Science, vol 5888. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10433-6_30

  • DOI: https://doi.org/10.1007/978-3-642-10433-6_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10432-9

  • Online ISBN: 978-3-642-10433-6

  • eBook Packages: Computer Science, Computer Science (R0)
