Serial hook-ups: a comparative usability study of secure device pairing methods
Source
ACM International Conference Proceeding Series archive
Proceedings of the 5th Symposium on Usable Privacy and Security
Mountain View, California
SESSION: Small devices
Article No. 10
Year of Publication: 2009
ISBN: 978-1-60558-736-3
Authors
Alfred Kobsa  University of California, Irvine
Rahim Sonawalla  University of California, Irvine
Gene Tsudik  University of California, Irvine
Ersin Uzun  University of California, Irvine
Yang Wang  University of California, Irvine
Sponsors: Carnegie Mellon CyLab, Google
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1572532.1572546

ABSTRACT

Secure Device Pairing is the bootstrapping of secure communication between two previously unassociated devices over a wireless channel. The human-imperceptible nature of wireless communication, lack of any prior security context, and absence of a common trust infrastructure open the door for Man-in-the-Middle (aka Evil Twin) attacks. A number of methods have been proposed to mitigate these attacks, each requiring user assistance in authenticating information exchanged over the wireless channel via some human-perceptible auxiliary channels, e.g., visual, acoustic or tactile.

In this paper, we present the results of the first comprehensive, comparative study of eleven notable secure device pairing methods. Usability measures include task performance times, ratings on the System Usability Scale (SUS), task completion rates, and perceived security. Study subjects were controlled for age, gender and prior experience with device pairing. We present overall results and identify methods that are problematic for certain classes of users, as well as methods best suited to various device configurations.



