DOI: 10.1145/1572532.1572546
research-article

Serial hook-ups: a comparative usability study of secure device pairing methods

Published: 15 July 2009

Abstract

Secure Device Pairing is the bootstrapping of secure communication between two previously unassociated devices over a wireless channel. The human-imperceptible nature of wireless communication, lack of any prior security context, and absence of a common trust infrastructure open the door for Man-in-the-Middle (aka Evil Twin) attacks. A number of methods have been proposed to mitigate these attacks, each requiring user assistance in authenticating information exchanged over the wireless channel via some human-perceptible auxiliary channels, e.g., visual, acoustic or tactile.
In this paper, we present results of the first comprehensive and comparative study of eleven notable secure device pairing methods. Usability measures include: task performance times, ratings on System Usability Scale (SUS), task completion rates, and perceived security. Study subjects were controlled for age, gender and prior experience with device pairing. We present overall results and identify problematic methods for certain classes of users as well as methods best-suited for various device configurations.


Published In

SOUPS '09: Proceedings of the 5th Symposium on Usable Privacy and Security
July 2009
205 pages
ISBN: 9781605587363
DOI: 10.1145/1572532

Sponsors

  • Carnegie Mellon CyLab
  • Google Inc.

Publisher

Association for Computing Machinery, New York, NY, United States


Conference

SOUPS '09: Symposium on Usable Privacy and Security
July 15 - 17, 2009
California, Mountain View, USA

Acceptance Rates

SOUPS '09 Paper Acceptance Rate: 15 of 49 submissions, 31%
Overall Acceptance Rate: 15 of 49 submissions, 31%
