Loud and Clear: Human
Verifiable Authentication
Based on Audio
Michael Goodrich
Michael Sirivianos
John Solis
Gene Tsudik
Ersin Uzun
Computer Science Department
University of California, Irvine
July 5, 2006 @ ICDCS, Lisbon
Problem
Wallet phone scenario
Eve can launch a man-in-the-middle attack
Goal: Establish a secure channel between devices that lack prior association
Challenges
Human-assisted authentication
Involve the human user in the process
No pre-established shared secrets
No on-line or off-line authority
No common PKI, trusted third party (TTP), etc.
Support for multiple communication media
e.g., Bluetooth, Infrared, 802.11, etc.
Limited computational resources on portable devices
Outline
Related work and our motivation
Our Solution
System overview
Sample use scenarios
Use types
Vocalizable representations
Unidirectional authentication
Implementation and performance
Conclusions
Related work-Secondary Channels
Stajano et al. [Security Protocols ‘99]
Use a physical link as a secondary authentication channel
Not all devices have suitable interfaces
Balfanz et al. [NDSS ‘02]
Uses an infrared link as the secondary channel
Still susceptible to man-in-the-middle attack
Related work–Human verifiable channels
Maher [US Patent ‘95]
Users compare a 4-hex-digit truncated hash of the shared key. Not enough bits for security.
Cagalj et al. and Laur et al.
Commitment-based short authenticated string (SAS) schemes
A 20-bit verification code is sufficient for security
Do not address verification-code representation
Related work–Textual representations
Haller [S/KEY, RFC 1760]
Textual representation of cryptographic strings
Pass-phrases are neither auditorially robust nor syntactically correct
Juola and Zimmermann [PGPfone, ICSLP ‘96]
Uses an auditorially robust word list. Not syntactically correct; hard for human users to parse
Related work-SiB
Human-readable visual hashes
Cumbersome task
High error rate
McCune et al. [Oakland ‘05]
Seeing is Believing
Uses camera phones and bar codes to create a visual secondary channel
The visual channel is not always plausible
Motivation
Many personal devices not equipped with
cameras
Cameras unsuitable for visually-impaired users
Bar-code scanning requires ample light and
sufficient proximity between devices
Camera-equipped devices typically prohibited
in high-security areas
Loud and Clear
Audio channel for human-assisted
authentication of un-associated devices
Derive a robust-sounding, syntactically-correct
sentence from a hash of a public key
Vocalize the sentence
L&C couples vocalization and/or display of the
public authentication object on two devices
Suitable for secure device pairing
Sample use scenarios
Personal Device / Target Device combinations:
Printer or FAX: speaker & small display
Cell phone: speaker & small display
Handheld/PDA: speaker & display
Smart Watch: tiny speaker & tiny display
MP3 player: audio out & no display
Base Station: no speaker & no display
Mutual authentication possibly required
L&C use types
TYPE 1: Hear and compare two audible sequences, one from each device
TYPE 2: Hear audible sequence from target device, compare to text displayed by personal device
TYPE 3: Hear audible sequence from personal device, compare it to text displayed by target device
TYPE 4: Compare text displayed on each device
Device requirements
Device requirements for various use types
Vocalizable representations
Represent the authentication object as a syntactically correct, auditorially robust sentence
Generate a nonsensical, English-like sentence (MadLib) from the output of a one-way hash
S/KEY-based word generation:
Divide the truncated hash into 10-bit sections
Use each 10-bit section as an index into a catalogue
One catalogue for each part of speech, e.g., verb, noun, etc.
Number of 10-bit sections = number of words contributing entropy in the MadLib sentence
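The word-generation step can be sketched as follows. This is a minimal illustration, not the prototype's implementation: the catalogue contents, the choice of SHA-1, and the sentence template are assumptions; the real L&C catalogues hold auditorially robust words.

```python
import hashlib

# Hypothetical 1024-entry (2^10) catalogues, one per part of speech.
# The real L&C catalogues contain auditorially robust English words.
CATALOGUES = {
    "noun":      [f"noun{i}" for i in range(1024)],
    "verb":      [f"verb{i}" for i in range(1024)],
    "adjective": [f"adj{i}" for i in range(1024)],
}

def madlib_words(public_key: bytes, parts_of_speech) -> list:
    """Derive one catalogue word per 10-bit section of a truncated hash."""
    digest = hashlib.sha1(public_key).digest()
    # Truncate the hash to 10 bits per word in the sentence template.
    bits = "".join(f"{b:08b}" for b in digest)[: 10 * len(parts_of_speech)]
    words = []
    for i, pos in enumerate(parts_of_speech):
        index = int(bits[10 * i : 10 * (i + 1)], 2)  # 10-bit catalogue index
        words.append(CATALOGUES[pos][index])
    return words
```

Since the derivation is deterministic, two devices hashing the same public key speak the same sentence; any change to the key changes the catalogue indices.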
Vocalizable representations
Within a catalogue, no two words sound the same
Create auditorially robust word lists for each
catalogue, based on PGPfone’s phonetic distance
Second pre-image resistance
For ephemeral Diffie-Hellman key agreement
5 S/KEY-generated words needed
For one-year-term Diffie-Hellman public keys
8 S/KEY-generated words needed
CALLIE FLEXIBLY owns FLUFFY BINTURONGs that ABUSE.
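A quick check of the word counts above, assuming (as the slides state) 10 bits of hash per S/KEY-generated word; the 50- and 80-bit security targets are inferred from the word counts, not stated on the slide:

```python
import math

BITS_PER_WORD = 10  # each S/KEY-generated word indexes a 2^10-entry catalogue

def words_needed(security_bits: int) -> int:
    """Words required to carry the desired second pre-image resistance."""
    return math.ceil(security_bits / BITS_PER_WORD)

# The slide's word counts correspond to 50- and 80-bit truncated hashes:
assert words_needed(50) == 5  # ephemeral Diffie-Hellman keys
assert words_needed(80) == 8  # one-year-term Diffie-Hellman keys
```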
Auditorially robust word lists
Using PGPfone’s phonetic distance, create auditorially robust word lists, unique for each catalogue:
1) Construct a large set C of candidate words.
2) Select a random subset W of 2^k words from C, where k is the number of hash bits we wish to have this type of word represent.
3) Repeatedly find the phonetically closest pair (p, q) of words in W and replace q with a word from C - W whose distance to any word in W is more than distance(p, q), if such a word exists.
Auditorially robust word lists (2)
4) Order W so that each pair of consecutive words in W is as distant as possible.
5) Assign integer values to words in W so that consecutive integers differ in exactly one bit but their respective code words are distant.
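Steps 2 and 3 can be sketched as a greedy farthest-pair refinement. The `distance` parameter below is a stand-in for PGPfone's phonetic distance (any symmetric dissimilarity function works for the sketch), and the round limit is an assumption for termination:

```python
import random

def robust_word_list(candidates, k, distance, rounds=100):
    """Greedily select 2^k mutually distant words (steps 2-3 above)."""
    pool = list(candidates)
    W = random.sample(pool, 2 ** k)          # step 2: random initial subset
    outside = [w for w in pool if w not in W]
    for _ in range(rounds):
        # Step 3: find the closest pair (p, q) currently in W.
        p, q = min(
            ((a, b) for i, a in enumerate(W) for b in W[i + 1:]),
            key=lambda pair: distance(*pair),
        )
        d_pq = distance(p, q)
        keep = [w for w in W if w != q]
        # Candidates outside W farther than d_pq from every remaining word.
        better = [c for c in outside
                  if min(distance(c, w) for w in keep) > d_pq]
        if not better:
            break  # no improving swap exists; W is locally optimal
        W[W.index(q)] = better[0]
        outside.remove(better[0])
        outside.append(q)
    return W
```

Each swap removes the current closest pair and inserts a word farther than that pair's distance from all survivors, so the minimum pairwise distance never decreases.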
Unidirectional authentication
Step 1: PDA and fax send each other their Diffie-Hellman public keys
Step 2: PDA and fax each compute the MadLib for the fax’s public key
Step 3: Alice instructs the PDA and fax to speak their MadLibs out loud
Step 4: Alice compares the MadLibs
Step 5: Alice instructs the devices to compute the secret key
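The five steps can be sketched end to end. The toy Diffie-Hellman group, the SHA-1 truncation, and the stand-in word catalogue below are illustrative assumptions only; the prototype uses the Bouncy Castle crypto package and real word catalogues:

```python
import hashlib

# Toy Diffie-Hellman parameters; real deployments would use a
# standardized large prime-order group.
P, G = 0xFFFFFFFB, 5  # 2^32 - 5 is prime

WORDS = [f"word{i}" for i in range(1024)]  # stand-in 2^10-entry catalogue

def madlib(pub: int, n_words: int = 5) -> str:
    """Map a public key to n_words catalogue words, 10 hash bits each."""
    digest = hashlib.sha1(str(pub).encode()).digest()
    bits = "".join(f"{b:08b}" for b in digest)
    return " ".join(WORDS[int(bits[10*i:10*(i+1)], 2)] for i in range(n_words))

# Step 1: PDA and fax exchange Diffie-Hellman public keys.
fax_priv, pda_priv = 0x1234, 0x5678
fax_pub = pow(G, fax_priv, P)
pda_pub = pow(G, pda_priv, P)

# Step 2: both devices compute the MadLib for the fax's public key.
# Steps 3-4: each device speaks its MadLib and Alice compares them;
# identical keys always yield identical sentences.
assert madlib(fax_pub) == madlib(fax_pub)

# Step 5: once the sentences match, the devices derive the shared secret.
assert pow(pda_pub, fax_priv, P) == pow(fax_pub, pda_priv, P)
```

An attacker substituting her own public key in step 1 changes the fax's MadLib as heard from one side, which is what Alice's comparison in step 4 detects.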
Implementation
Programming System
Built on the highly portable Ewe Java VM
Text-to-Speech Engine
Can utilize a variety of portable TTS engines
Prototype uses Digit for PC and Pocket PC, which uses the Elan Speech Engine
Porting Sun’s clean Java FreeTTS and JSAPI to Ewe is in progress
Implementation
Crypto API
Ported the Bouncy Castle lightweight crypto package to implement DH- and RSA-based key agreement
Memory utilization
Digit and the Ewe program occupy ~10,800 KB
Performance
Processing times (in milliseconds) of L&C operations
PC: 1.7 GHz/2 MB cache, 512 MB RAM
iPAQ: 206 MHz, 32 MB RAM
10-word MadLib, 7 words of which are S/KEY-generated
Performance
Excluding initialization and shared-secret computation:
~12 secs for a TYPE 1 unidirectional session
~7 secs for a TYPE 2 unidirectional session
With a commitment-based SAS protocol:
The number of S/KEY-generated words can be reduced to only 2
~6 secs for a TYPE 1 unidirectional session
Conclusions
Loud-and-Clear (L&C) for human-assisted
device authentication
Light burden for human user
Based on the audio channel
Uses a TTS engine to vocalize a robust-sounding,
syntactically-correct word sequence derived from
some authentication object
Discussed some anticipated use cases
Provided experimental results for a prototype
Formal and comprehensive usability studies in
progress
In case you wonder …
Binturong
a.k.a. Bearcat
Lives in the forest canopy of Southeast Asia: Borneo, Vietnam, Malaysia, Indonesia
Belongs to the Viverridae family
Endangered
Thank you
Latest paper version available at:
www.ics.uci.edu/~msirivia/publications/icdcs.pdf
Questions?