Secure Device Pairing

The burgeoning popularity of wireless devices and gadgets, such as PDAs, cell-phones, headsets, cameras, media players brought new services and possibilities to ordinary users. There are many current everyday usage scenarios where two or more devices need to "work together", e.g., a Bluetooth headset and a cell phone, a PDA and a wireless printer, or a wireless access point and a laptop. Other emerging scenarios that involve sensors and personal RFID tags (e.g., in e-passports) are expected to become commonplace in the near future. Before they can work together, devices must be securely associated or paired. However, since wireless communication is human-imperceptible, there is the very real threat of Man-in-the-Middle (MiTM) attacks and some form of user involvement becomes necessary.

One of the main challenges in secure device pairing is that, due to sheer diversity of devices and lack of standards, no global security infrastructure exists today and none is likely for the foreseeable future. Consequently, traditional cryptographic means (such as authenticated key exchange protocols) are unsuitable, since unfamiliar devices have no prior secure context and no common point of trust. The research community has thereby recognized that some form of human involvement is imperative to address the problem of secure device pairing. At the same time, many devices have limited hardware or user interfaces, thus complicating user involvement.

Pairing Phone and Laptop

Pairing Two Phones

Many current pairing methods require hardware or interfaces not common across the entire spectrum of devices, e.g.: photo or video cameras (figures above illustrate our pairing methods based on visual channels), infrared or laser transceivers, accelerometers, speakers, microphones, NFC transceivers, USB ports, keypads and displays. Such features, though present on some devices, are not universal. While the design space has not been fully explored, there is a stable set of device pairing methods, geared towards specific scenarios. However, there is no panacea -- no single method can address all possible combinations of device features, human (dis) abilities and environmental conditions. It has also become clear that methods developed by security researchers are not as usable or useful as they seem. The reason for this is two-fold: (1) average users are often mal-adapt at manipulating new devices, and (2) not being security professionals, average users have insufficient comprehension of security issues and the meaning of their participation in the device pairing. To this end, the initial goal of this project is to develop a thorough typology of device pairing methods, implement them using a common software platform and conduct a comprehensive and large-scale investigation, focusing not only on usability and security, but also on user comprehension of the process. Through this (most probably iterative) study, we will determine (1) the most appropriate method for a given combination of devices, and (2) how these methods can be improved in terms of both usability and security. Our ultimate goal, however, is to design a universal secure device pairing method, i.e., amenable to most (or at least maximum number of) device pairing scenarios and highly usable by an user under normal operating conditions.
Next, we consider secure pairing of devices that are inherently not geared for human interface: RFID tags and sensor motes. In the context of RFID, our focus is on personal passive tags (e.g., those in e-passports or next-generation credit cards) for which secure pairing is both natural and important. For example a user might want to securely pair her cellphone or PDA with her US passport in order to control when and where the latter can be read. However, with no power source of its own, an RFID tag presents a major challenge as far as human involvement in the pairing process. (Another issue is the RFID tags' extreme cost sensitivity.) We aim to develop innovative ways of minimizing both user requirements and RFID tag features, while allowing for meaningful and secure pairing.
In the context of sensor motes, the problem occurs at deployment when a set of sensor motes needs to be securely associated with a sink or a base station. Although not as resource-constrained as RFID tags, sensor motes are not typically equipped with user-perceptible input/output interfaces.

Sensor Network Initialization Using Blinking LEDs

Moreover, since they are often deployed in large numbers, scalability of sensor mote pairing is very important; methods for pairing of personal devices are thus not directly applicable. Our goal is thus to design scalable methods with minimal device interface requirements and minimal user burden. Figure above illustrates our sensor initialization method based on a visual channel.

Home | Publication | People | Links
Last updated: 07/04/09.