How to Pair with a Human

  • Conference paper
Security and Cryptography for Networks (SCN 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6280)

Abstract

We introduce a protocol, which we call Human Key Agreement, that allows pairs of humans to establish a key in a (seemingly hopeless) case where no public-key infrastructure is available, the users do not share any common secret, and they have never been connected by any physically secure channel. Our key agreement scheme, while vulnerable to human-in-the-middle attacks, is secure against any malicious machine-in-the-middle. The only assumption that we make is that the attacker is a machine that is not able to break the Captcha puzzles (introduced by von Ahn et al., EUROCRYPT 2003).

Our main tool is a primitive that we call a Simultaneous Turing Test, which is a protocol that allows two users to verify if they are both human, in such a way that if one of them is not a human, then he does not learn whether the other one is human, or not.

To construct this tool we use a Universally-Composable Password Authenticated Key Agreement of Canetti et al. (EUROCRYPT 2005).

The European Research Council has provided financial support under the European Community’s Seventh Framework Programme (FP7/2007-2013) / ERC grant agreement no. CNTM-207908.

References

  1. Abdalla, M., Catalano, D., Chevalier, C., Pointcheval, D.: Efficient two-party password-based key exchange protocols in the uc framework. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 335–351. Springer, Heidelberg (2008)

  2. Anderson, R.: Two remarks on public key cryptology. Technical report, University of Cambridge, Computer Laboratory, Technical report (2002)

  3. Balfanz, D., Smetters, D.K., Stewart, P., Chi Wong, H.: Talking to strangers: Authentication in ad-hoc wireless networks. In: NDSS. The Internet Society (2002)

  4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)

  5. Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Security and Privacy, pp. 72–84 (May 1992)

  6. Boyd, C.A., Mathuria, A.: Protocols for Key Establishment and Authentication. Springer, New York (2003)

  7. Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)

  8. Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: ACM Conference on Computer and Communications Security, pp. 241–250 (2003)

  9. Cagalj, M., Capkun, S., Hubaux, J.P.: Key agreement in peer-to-peer wireless networks. Proceedings of the IEEE 94(2), 467–478 (2006)

  10. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS, pp. 136–145 (2001), Extended version available at http://eprint.iacr.org/2000/067

  11. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.D.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)

  12. Canetti, R., Halevi, S., Steiner, M.: Mitigating dictionary attacks on password-protected local storage. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 160–179. Springer, Heidelberg (2006)

  13. Cramer, R.: Introduction to secure computation. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 16–62. Springer, Heidelberg (1999)

  14. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)

  15. Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Designs, Codes, and Cryptography 2(2), 107–125 (1992)

  16. Dziembowski, S.: How to pair with a human. Cryptology ePrint Archive, Report 2009/562 (2009), http://eprint.iacr.org/

  17. Ellison, C., Schneier, B.: Ten risks of pki: What you’re not being told about public key infrastructure. Computer Security Journal 16(1), 1–7 (2000)

  18. Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. J. Cryptology 19(3), 241–340 (2006)

  19. Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990)

  20. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman & Hall/CRC Press, Boca Raton (August 2007)

  21. Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003)

  22. Keizer, G.: Spammers’ bot cracks microsoft’s captcha. Computerworld (February 2008), http://www.computerworld.com/s/article/9061558/Spammers_bot_cracks_Microsoft_s_CAPTCHA_

  23. Kumar, A., Saxena, N., Tsudik, G., Uzun, E.: A comparative study of secure device pairing methods. Pervasive and Mobile Computing Journal, PMC (2009)

  24. Laur, S., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 90–107. Springer, Heidelberg (2006)

  25. Lillibridge, M., Abadi, M., Bharat, K., Broder, A.: Method for selectively restricting access to computer systems. US patent US6195698 (Filing date: April 13, 1998)

  26. MacKenzie, P.D., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on rsa. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 599–613. Springer, Heidelberg (2000)

  27. Naor, M.: Verification of a human in the loop or identification via the turing test (1996), http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.pdf

  28. Nguyen, M.-H., Vadhan, S.P.: Simpler session-key generation from short random passwords. J. Cryptology 21(1), 52–96 (2008)

  29. Pasini, S., Vaudenay, S.: Sas-based authenticated key agreement. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 395–409. Springer, Heidelberg (2006)

  30. Perrig, A., Song, D.: Hash visualization: A new technique to improve real-world security. In: International Workshop on Cryptographic Techniques and E-Commerce (1999)

  31. Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: ACM CCS 2002, pp. 161–170 (2002)

  32. Reuters Press Release. D-link first to add captcha to its home routers to help prevent against attacks (2009), http://www.reuters.com/article/pressRelease/idUS118678+12-May-2009+MW20090512

  33. Soriente, C., Tsudik, G., Uzun, E.: Secure pairing of interface constrained devices. Int. J. Secur. Netw. 4(1/2), 17–26 (2009)

  34. Stajano, F., Anderson, R.J.: The resurrecting duckling: Security issues for ad-hoc wireless networks. In: Malcolm, J.A., Christianson, B., Crispo, B., Roe, M. (eds.) Security Protocols 1999. LNCS, vol. 1796, pp. 172–194. Springer, Heidelberg (2000)

  35. Carnegie Mellon University. The official captcha site, http://www.captcha.net/

  36. Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)

  37. von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: Captcha: Using hard ai problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)

  38. von Ahn, L., Maurer, B., Mcmillen, C., Abraham, D., Blum, M.: recaptcha: Human-based character recognition via web security measures. Science, 1465–1468 (August 2008)

  39. BBC News website. Pc stripper helps spam to spread (October 2007), http://news.bbc.co.uk/2/hi/technology/7067962.stm (accessed on June 19, 2007)

  40. BBC News website. China spying on skype messages (October 2008), http://news.bbc.co.uk/2/hi/technology/7649761.stm (accessed on June 19, 2010)

  41. Wikipedia. Captcha, http://en.wikipedia.org/wiki/CAPTCHA (accessed on June 19, 2010)

  42. Zimmermann, P., Johnston, A., Callas, J.: Zrtp: Media path key agreement for secure rtp. Internet draft available at, http://zfoneproject.com/docs/ietf/draft-zimmermann-avt-zrtp-16.html

  43. Zisiadis, D., Kopsidas, S., Tassiulas, L.: Vipsec defined. Comput. Netw. 52(13), 2518–2528 (2008)

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Dziembowski, S. (2010). How to Pair with a Human. In: Garay, J.A., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2010. Lecture Notes in Computer Science, vol 6280. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15317-4_14

  • DOI: https://doi.org/10.1007/978-3-642-15317-4_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15316-7

  • Online ISBN: 978-3-642-15317-4

  • eBook Packages: Computer Science, Computer Science (R0)