ubiquitous computing security: authenticating spontaneous

2009-03-02 Authenticating Spontaneous Interactions

1

Ubiquitous Computing Security:Authenticating Spontaneous Interactions

Habilitation Thesis (Sammelhabilitation)

2. March 2009, 9:30Habilitation Colloquium

Rene Mayrhofer


2

The most profound technologies are those that disappear. They

weave themselves into the fabric of everyday life until they are

indistinguishable from it.

Mark Weiser, 1991, „The Computer for the 21st Century“


3

Any sufficiently advanced technology is indistinguishable

from magic.

Arthur C. Clarke, 1973, „Profiles of the Future“

2009-03-02 Authenticating Spontaneous Interactions 4

Spontaneous interaction to do it now

Core topic of Pervasive/Ubiquitous and Mobile Computing:

use of service when and where it is most appropriate

● everywhere, anytime

● triggered by the user or automatically

● highly dependent on the specific situation

Interaction that can happen spontaneously without administrative overhead

● Spontaneous as in “unplanned”: encounters, opportunities, serendipity ● Spontaneous as in “self-acting”: operation out of the box, “plug and play”

Authentication in Ubiquitous ComputingContributions

Protocols and AnalysisConclusions

Ubiquitous ComputingIssues of AuthenticationModelTaxonomy of Auxiliary Channels


Ubiquitous Computing – Everything new?





Wireless communication

Small, mobile devices

● limited user interfaces

● limited resources (run time!)

Many devices

● integrated with/into physical objects

● communicate among each other

● communicate with the user

Sensing

⇒ (mobile and stationary) devices and communication become more and moreinvisible, unobservable and uncontrollable

Ubiquitous Computing – Everything new?





7

We already have too many fast, insecure systems. Let's design future systems to be secure, even if that makes them slower.


What is this all about?




Securing communication

● between mobile (and/or stationary) devices

● that are under direct user control or human-verifiable

● for a specific interaction

⇒ associating with THIS device

Example applications

● Bluetooth headset

● printer in airport lounge

● projector in conference room

● Vcard exchange

● micro payment

● ...


The “don't get in my way” principle

User chooses communication partner / service:

● Intention to interact

● creates reference

Everything else should happen automatically!

⇒ no additional steps to choose appropriate communication parameters

⇒ no additional steps “just for security”





Security for Ubiquitous Computing

Security for whom?

● user

● mobile device

● used service

How much security?

Specific issues of security for ubiquitous / mobile computing

● wireless communication

● user interfaces

● scalability





Research area structuring 1: Three issues

Specific issues of security for spontaneous interaction:

● wireless communication

● user interfaces

● scalability





Main issue 1: Wireless communication is insecure

● Potential attacker can

– eavesdrop

– modify

– remove

– insert

● Especially problematic for spontaneous interaction: no a priori information about communication partners available

⇒ User is the only instance that can decide upon trust needs to establish shared secret between devices

Wireless communication





Secret key exchange over wireless channels

● Can use Diffie-Hellman (DH) for key agreement

● Problem of Man-in-the-Middle (MITM) attacks:

⇒ Secret keys need to be authenticated

Why is wireless a problem?





Options for authentication

● Entering PINs (e.g. Bluetooth), passwords (e.g. WEP/WPA)

● Verifying hashes of public keys (e.g. web site certificates)

Main issue 2: Lack of powerful user interfaces

● A headset doesn't have a classical user interface (display + keypad)

User interfaces





Main issue 3: User attention does not scale

● Vision of ubiquitous computing: using hundreds of services each day, seamlessly embedded into daily live, spontaneous usage, different realms of control

● Who would like to enter passwords or biometric data into each of them?

And somebody needs to do it...





● Security for whom and how much?

● Mobile devices

– attacker may have physical access to device

– losing devices ⇒ losing keys/access/money? (revocation issues)

– different security levels of environment

● Privacy

– which sensors record what about whom, when, and who has access?

– what can a personal, trusted, mobile device reveal about its owner?

● Physical replacement, matching physical with virtual entities

● Understanding how the whole system works (mental models)

What else is difficult?





Approach: Trusting your mobile phone

● Intuitive alternative to direct user authentication: a trusted personal device that authenticates its user once (e.g. when being switched on) and is assumed to be owned and used by a single user:

– comparable to conventional key chain

– mobile phone, wrist watch, etc.

● Important: personal device device may be trusted, but wireless connections are not

● Authentication is thus shifted from user-to-device to device-to-device





Research area structuring 2: Model

Main threat scenario: MITM on wireless communication channel

– all parties have full access to the wireless (in-band) channel

– intended communication partners (A and B) share some context (out-of-band)

– attacker (E) has inferior access to this context

– respective aspect of context represented by sensor data streams ⇒ shared (weakly) secret information





Security properties of out-of-band channels

Verification of wireless communication over out-of-band (auxiliary) channels

● confidentiality

● complete (human-verifiable) authenticity

● partial (non-user-verifiable) authenticity

● integrity

● stall-freeness





Taxonomy of security properties





Taxonomy of user interaction





Spatial References:

verifiable by the user and the device – both can come to the same conclusions as to

which device they are interacting with

[MGH 2007] R. Mayrhofer, H. Gellersen, M.Hazas: “Security by spatial reference: Using relative positioning to authenticate devices for spontaneous interaction”, Ubicomp 2007

[MaGe 2007a] R. Mayrhofer, H. Gellersen: “On the security of ultrasound as out-of-band channel”, IPDPS 2007



Spatial ReferencesVisible LaserCommon MotionAuthentication Proxies

Security by Spatial Reference


● Ultrasound signals travel comparatively slowly in air ⇒ possible to measure time of flight ⇒ distance estimation

● Angle-of-arrival estimation using multiple receivers difficult based on relative time of arrival

● Angle-of-arrival estimation based on relative signal strengths works in practice

Quantitative measurements with ultrasound

Relate:● <10 cm accuracy for

distance measurements● ~33° accuracy for local

angle-of-arrival● without infrastructure● implemented as USB

dongles + Java host software

[HKG+ 2005] G. Kortuem, C. Kray, H. Gellersen: “Sensing and visualizing spatial relations of positioning system for co-located mobile devices”, In: Proc. MobiSys 2005





Noise in US measurements

● leads to authentication failures without attack (false negatives)

● can be improved with re-transmits

Ultrasonic authentication in practice





General assumption: all wireless attacks possible

● E0 outside room: only RF, no US

● E1 in room: E0 + US eavesdropping, insert own messages

● E2 equidistant positions: E1 + US correct distance measurements

● E3 in line: E1 + US correct angle measurements from A

● E4 in between: R3 + US correct angle measurements from A and B

Threats depending on attacker position

[MG 2007] R. Mayrhofer, H. Gellersen: “On the security of ultrasound as out-of-band channel”, in Proc. IPDPS 2007





● Replacement: DoS attack on B, E3 or E4 misrepresented as Bno interaction between A and B

● Asynchronous MITM: replacement, then interaction between E and Bapplication-level interaction between A and B with delay

● Synchronous MITM: full attack, only possible as E4

Difficult when:

● A and B are mobile

● B positioned so as to make E3 impossible

Threats depending on applications






Visible laser channel as intuitive means of selecting THIS device

But, in contrast to previous assumptions:

● Laser channel is not confidential

attacker can read

● Laser channel is not completely authentic ⇒ “semi-authentic”

attacker can modify (add but not subtract)

Visible laser for authentication




[MaWe 2007] R. Mayrhofer, M. Welch: “A human-verifiable authentication protocol using visible laser light”, ARES 2007


Sender

● Prototype with pulsed laser based on iMote1 (ARM7, 12 MHz) and TinyOS

Receiver

● Prototype for connecting to standard serial port based on photo resistor and simple high-pass and thresholding

Protocol

● DH key agreement and verification

● continuous stream of nonces over laser with double commitments over wireless

Prototype implementation




[MaWe 2007] R. Mayrhofer, M. Welch: “A human-verifiable authentication protocol using visible laser light”, ARES 2007


Shaking as shared context




Shaking is common movement

● both (all) devices will experience very similar movement patterns

● both (all) devices will experience very similar accelerations

Acceleration is a local physical phenomenon

⇒ difficult for an attacker (MITM) to estimate or replicate

● Not used for identifying users, only as shared context!

[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[May 2007c] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”, ESAS 2007


Shaking is

● intuitive

● vigorous

● varying

Accelerometers are

● small

● cheap

● (relatively) power-efficient

Reasons for using shaking




[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[May 2007c] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”, ESAS 2007


„Shake well before use“ in products

● J2ME: MIDP2.0 and CLDC1.1

● Bluetooth with JSR82

● multiple off-the-shelf platforms(Nokia 5500, Nokia N95, Samsung Omnia i900, HTC Touch Diamond)

⇒ improvements in sensor data analysis

⇒ challenges due to integer processing

⇒ “opportunistic” key agreement

⇒ current contacts with Nokia

⇒ European patent applications submitted

[MaGe 2007c] R. Mayrhofer, H. Gellersen: “Shake well before use: two implementations for implicit context authentication”, Ubicomp 2007





What if devices can not share context?

[May 2006] R. Mayrhofer: “A context authentication proxy for IPSec using spatial reference”, TwUC 2006[MaGo 2007a] R. Mayrhofer, R. Gostner: “Using a spatial context authentication proxy for establishing secure wireless connections”, Journal of Mobile Multimedia, 2007(3)[May 2005] R. Mayrhofer: “Technische Hintergründe für das rechtliche Handeln im Internet”, Aktuelles zum Internet-Recht, 1-16, pro Libris, 2005

⇒ Authentication proxies

● pre-authenticated to onedevice (host)

● context authentication withanother (guest)

Different options:

● Trust relationships: e.g., passwords/shared secrets, OpenPGP, X.509 cert.

● Interaction in context: passive vs. active

● Contact with service: online vs. offline





Online vs. Offline Relationship

Online⇒ less trust in proxy

required (authenticate, but not authorize)

Offline⇒ can be used even

when no contact to service is available





IPSecME: using Spatial References





IPSecME: Implementation details

Trust relationship between proxy and service: via X.509 certificates● Accepted standard, flexible● Allows to implement both online and offline proxy/service interactions● Current implementation: Proxy acts as certification authority (CA), and service trusts

certificates signed by it ⇒ Active proxy can be used anywhere, anytime

Secure channel between client and service: IPSec● Secure● Accepted standard, flexible● Available in most current client operating systems

Platform:● Java Webstart package for clients and in J2ME for proxies● Any off-the-shelf access point and IPSec gateway will do (only need to support X.509)● Demonstrator: Asus WL-500G access point with OpenWRT, PocketPC PDA as proxy,

Windows, Linux, or MacOS/X as client




[May 2006] R. Mayrhofer: “A context authentication proxy for IPSec using spatial reference”, TwUC 2006[MaGo 2007a] R. Mayrhofer, R. Gostner: “Using a spatial context authentication proxy for establishing secure wireless connections”, Journal of Mobile Multimedia, 2007(3)


„Passive Objects“

O AID: AB1Pubkey: 01001...01

Objects seen: ID: AB1 with pubkey 01001...01 ID: CE1 with pubkey 11010...00

read

AObjects seen: ID: AB1 with pubkey 01001...01 ID: CE1 with pubkey 11010...00B

E

Responsible for: AB*Private key: 11001..11

Responsible for: *

encrypted

signed

034758493

Mobile„Peer“

Proxy Peer

Object

[MOFH 2003] R. Mayrhofer, F. Ortner, A. Ferscha, and M. Hechinger: “Securing passive objects in mobile ad-hoc peer-to-peer networks”, SecCo 2003





Creating keys from common sensor data

Candidate Key Protocol (CKP)

● generates secret shared keys directly from sensor data streams

● computes feature vectors (e.g. of quantized FFT coefficients)

● exchanges and compares hashes of feature vectors ⇒ candidate key parts

● matching vectors concatenated⇒ candidate keys

[May 2007b] R. Mayrhofer: “The candidate key protocol for generating secret shared keys from similar sensor data streams”. In Proc. ESAS 2007: 4th European Workshop on Security and Privacy in Ad hoc and Sensor Networks. Springer-Verlag, July 2007



CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationData Analysis


Unified Auxiliary Channel Authentication Protocol (UACAP)

● uses Diffie-Hellman for key agreement

● exchanges sensor time series (after pre-processing) for key verification (e.g. with interlock* protocol)

● both devices verify locally (e.g. compare time series with coherence)

Creating short key verifiers



CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel Auth.Data Analysis

[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007


Unified Auxiliary Channel Authentication Protocol (UACAP)

● Need to distinguish between different scenarios

– transfer

– input

– verify

● and channels

– Long / short

– Confidential / non-confidential

UACAP overview




[MaIo 2009] R. Mayrhofer and I. Ion: “OpenUAT: The Open Source Ubiquitous Authentication Toolkit”. Submitted to USENIX Security 2009


UACAP specification






Protocol properties

UACAP

● Two phases:

– Key agreement

– Key verification

● Either with opportunistic key agreement or slight delay

● Only one-off chance for online attack

● Independent signal analysis

CKP

● Single, continuous phase

● Devices “tune into” each other's key streams

● Multi-device authentication

● Offline lookup table attacks possible when feature vectors have insufficient entropy(can be prevented with asymmetric key agreement and additional commitment)




[MaGe 2007b] R. Mayrhofer, H. Gellersen: “Shake well before use: Authentication based on accelerometer data”, Pervasive 2007[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing


Main aspects of the protocol

● uses 2 (3) channels: RF and US

● with 2 phases: key agreement and peer authentication

● Diffie-Hellman for key agreement in phase 1

● Exchange random nonces with interlock protocol in phase 2, both via RF (encrypted) and via US (plaintext)

● Interlock exchange tightly coupled with US measurements

● Both devices check locally that nonces received via RF and US match

Spatial authentication protocol: concept

[MGH 2006] R. Mayrhofer, H. Gellersen, M. Hazas: “An Authentication Protocol using Ultrasonic Ranging”, Technical Report COMP-002-2006, Lancaster University, 2006



CKP: Candidate Key ProtocolUACAP: Unified Auxiliary Channel AuthenticationInterlockData Analysis


Transfer of verification material over insecure channels: interlock protocol

● RF transmission encrypted with block cipher and split into multiple parts

● Peers adhere to strict turn-taking

⇒ effectively a size-efficient commitment scheme

Spatial authentication protocol: interlock






Sender

Trick: mapping messages to distances

Receiver

● (plaintext) message transmission over US channel depends implicitly on reference measurement

● delta is derived from nonce and thus unknown to attackers in advance






Data collection from accelerometers




[MaGe 2009] R. Mayrhofer, H. Gellersen: “Shake well before use: Intuitive and Secure Pairing of Mobile Devices”, accepted for IEEE Transactions on Mobile Computing


1. Sensor data acquisition

● Potential problem: side-channel attacks

2. Temporal alignment

● Triggering

● Synchronization

⇒ use motion detection

3. Spatial alignment

● Devices arbitrarily aligned in 3D

● Alignment changes when picked up (between “silent” and “active”)

⇒ reduce to 1 dimension (magnitude)

Pre-processing






Features for shaking:

● Frequency domain

– less accuracy required for synchronization

– less sensitive to noise and alignment problems

● Coherence: measures power spectrum correlation between two signals split into overlapping slices, produces similarity value in [0; 1]

● Quantized FFT coefficients: pairwise added FFT coefficients quantized into exponential bands as feature vectors, compare equality

Feature extraction






3 experiments:– How do people shake?– “Hacking” competition– Live mode – does it work?

Quantitative evaluation

Results:– Parameters for no false positives– False negatives 10.24%, 11.96%– 25/30 subjects successful






Quantitative evaluation





06.05.2008 Ubiquitous Computing 50

Currently:

● Interesting proposals to solve the authentication problem

● Using different terminology, different underlying concepts

● Implementations specific to the approach, and sometimes to a single demonstration application

● No re-usability of protocols, cryptographic primitives, sensor data handling, user interfaces, etc.

● Hard to reproduce published results

Don't re-invent the primitives

To foster research in the area:

● Have a repository of authentication techniques, methods, and protocols

● Provide tested and re-usable primitives for creating new protocols

● Make proposals and protocols comparable and interchangeable

● Provide real-world sensory data sets for reproducibility and for testing new approaches

⇒ allow to focus on new and interesting applications that use these primitives



OpenUATFuture Work


OpenUAT: Ubicomp Authentication Toolkit

Documentation, demo applications, data sets: http://www.openuat.org

Source code, mailing list, bug tracker: http://sourceforge.net/projects/openuat

[R. Mayrhofer: “Towards an open source toolkit for ubiquitous device authentication”, PerSec/PerCom 2007]



OpenUATFuture Work


● Cryptographic primitives: ciphers, hashes (JCE and Bouncycastle with wrappers), DH with default parameters and utility methods, interlock*, on-the-fly creation of X.509 CAs and certificates

● Communication channels: threaded TCP and Bluetooth RFCOMM servers using same interface (transparently interchangeable), UDP multicast, Bluetooth background discovery and peer management (opportunistic authentication)

● Key management protocols: DH-over-streams (TCP or RFCOMM), Candidate Key Protocol

● Sensors and feature extractors: ASCII line reader with various implementations for accelerometers, simple statistics, time series aggregation, activity detection/segmentation, FFT, quantizer

● Context authentication protocols: spatial references, shared motion (shaking), visual (mobile phone camera), audio (MIDI tunes), synchronous input (button presses), manual comparison (short key strings)

● Secure channels: IPSec tunnel and transport (Linux, MacOS/X, Windows)

Utilizing Log4j, JUnit, Ant build system including J2ME builds

Components in the current release



OpenUATFuture Work



Research area structuring 3: Future model

A complete model of spontaneous authentication would need to include:

● In-band and out-of-band channels (and how their physical properties map to security guarantees)

● Cryptographic protocols (how the channel security guarantees are exploited to generate secure channels)

● User behavior and mental models (how users understand and use the whole system, while being an essential part of it)



OpenUATFuture Work


Security needs users!

● Unobtrusive, but not invisible

● Supporting spontaneous interaction

– mobile devices with direct contact

– mobile device with remote gateways

– integrating with web services, client-less authentication approaches

● Re-use of existing metaphors

– passing on keys, revoking?

● New metaphors

– „Shake well before use“



OpenUATFuture Work

2007-05-15 Shake well before use

55

“But what ... is it good for?”

Engineer at the Advanced Computing Systems Division of IBM, 1968, commenting on the microchip.


56

Thank you for your attention!

Slides: http://www.mayrhofer.eu.org/presentationsLater questions: [email protected]

OpenPGP key: 0xC3C24BDE7FE4 0DB5 61EC C645 B2F1 C847 ABB4 8F0D C3C2 4BDE

ubiquitous computing security: authenticating spontaneous

Documents