
Secure and Flexible Wireless Communication Model

Marcus Bergenlid

Master of Science Thesis Stockholm, Sweden 2011


Master's Thesis in Computer Science (30 ECTS credits) at the School of Computer Science and Engineering, Royal Institute of Technology, year 2011
Supervisor at CSC was Douglas Wikström
Examiner was Johan Håstad
TRITA-CSC-E 2011:132
ISRN-KTH/CSC/E--11/132--SE
ISSN-1653-5715
Royal Institute of Technology, School of Computer Science and Communication, KTH CSC, SE-100 44 Stockholm, Sweden
URL: www.kth.se/csc

Abstract

Today, almost every household has a wireless network, and this development has increased the demands on wireless network security. The security issues have been addressed over the years and standards have been developed that meet all requirements in most situations. A very important security factor is to not use short and predictable keys; instead long and randomized keys should be used, but these are difficult for a normal user to remember. It can also be quite difficult (if not impossible) and error prone to enter a long random password on devices with a very limited user interface such as mobile phones and web cameras. This thesis mainly investigates different ways of performing secure device pairing that are still simple to perform for the end user. The main focus lies on the ability to use the visual channel as an alternative communication channel.

Summary

Secure and Flexible Wireless Communication Model

The security requirements on wireless networks have increased as these networks have become more and more common, and today there are standards that meet the requirements in most cases. A very important component of network security, however, is to not use short or predictable keys, but instead long and randomly chosen ones. Such keys are hard for the user to remember, and it can be quite difficult (not to say impossible) to enter them without error on devices with a limited user interface such as mobile phones or web cameras. This thesis mainly sets out to investigate different ways of pairing devices that have a very limited user interface while keeping the procedure simple for the user. The main part will focus on using the visual channel as an alternative communication channel.

Contents

List of Figures

List of Tables

1 Introduction 1

1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Problem specification . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Previous work 7

2.1 Existing standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.1.1 Security in IEEE 802.11 . . . . . . . . . . . . . . . . . . . . . 7

2.1.2 Security in IEEE 802.11i . . . . . . . . . . . . . . . . . . . . . 8

2.1.3 WPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2 Cryptographic hash functions . . . . . . . . . . . . . . . . . . . . . . 9

2.3 Identification and key agreement . . . . . . . . . . . . . . . . . . . . 10

2.3.1 Diffie-Hellman Key agreement . . . . . . . . . . . . . . . . . . 10

2.3.2 Public key infrastructure . . . . . . . . . . . . . . . . . . . . 11

2.3.3 Diffie-Hellman with certificates . . . . . . . . . . . . . . . . . 12

2.3.4 Manual Authentication . . . . . . . . . . . . . . . . . . . . . 12

2.3.5 SiB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.3.6 Commitment schemes . . . . . . . . . . . . . . . . . . . . . . 13

3 Identify the options 15

3.1 Data protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.2 Device pairing and key agreement . . . . . . . . . . . . . . . . . . . . 15

3.2.1 External pairing server . . . . . . . . . . . . . . . . . . . . . . 16

3.2.2 Out-of-Band channels . . . . . . . . . . . . . . . . . . . . . . 16

3.3 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4 Device pairing 19

4.1 Pairing via visual indication to user . . . . . . . . . . . . . . . . . . 20

4.1.1 Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.1.2 Improvements of the visual indication scheme . . . . . . . . . 22

4.2 Analysis of Out-of-Band channels . . . . . . . . . . . . . . . . . . . . 23

4.2.1 Physical channel . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.2.2 Visual channel . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.2.3 Barcode as visual channel . . . . . . . . . . . . . . . . . . . . 24

4.2.4 LED as visual channel . . . . . . . . . . . . . . . . . . . . . . 25

4.2.5 Push button . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.3 Pairing through visual channel . . . . . . . . . . . . . . . . . . . . . 29

4.3.1 High bandwidth visual channel . . . . . . . . . . . . . . . . . 29

4.3.2 Low bandwidth visual channel . . . . . . . . . . . . . . . . . 31

5 Conclusions 37

5.1 Device pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

5.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Bibliography 39

List of Figures

1.1 Communication in the alarm system. . . . . . . . . . . . . . . . . . . . . 3

4.1 A typical LSC used in this thesis . . . . . . . . . . . . . . . . . . . . . . 19

4.2 A first approach to a scheme using visual indication . . . . . . . . . . . 20

4.3 Man in the middle attack on the first approach to visual indication. . . 21

4.4 Improved identification scheme. . . . . . . . . . . . . . . . . . . . . . . 22

4.5 Man-in-the-middle attempt on the improved scheme in figure 4.4. . . . 23

4.6 Transmitting the string 0111001. . . . . . . . . . . . . . . . . . . . . . . 28

4.7 Authentication through high-bandwidth visual channel. . . . . . . . . . 30

4.8 Man-in-the-middle attempt on the high-bandwidth visual channel. . . . 31

4.9 Authentication through visual channel. . . . . . . . . . . . . . . . . . . 32

List of Tables

4.1 Errors in receiving the bit string 3295F4A16 with maximum difference vs sliding mean. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.2 Average error rate with different time intervals using a camera at about 6 cm from the light source. . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.3 Error correcting code with two symbols and three bits. . . . . . . . . . . 27

4.4 Comparison of the probability of forging the confirmation value when transmitting for 5 seconds. . . . . . . . . . . . . . . . . . . . . . . . . . 33

4.5 Comparison of the probability of forging the confirmation value when transmitting for 10 seconds. . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 1

Introduction

Wireless alarms for personal use in houses or apartments usually consist of a set of sensors, a user control panel and some kind of central unit responsible for handling the behaviour of the alarm. They all communicate via a wireless network: the sensors must notify the central unit if an intruder is detected, and the user control panel should be able to send a disarm command when the user comes home and enters the correct PIN code. It is relatively easy for a user to add new sensors in these wireless alarms, as opposed to their wired counterparts, since no cables have to be laid across the room to connect the different components. To be as flexible as possible, the components themselves should not be configured to belong to a specific alarm system in advance. Instead a user should be able to take any device compatible with the alarm system and add it to his or her own alarm.

Since it is easy for anyone in the close vicinity to intercept messages and transmit messages on a wireless network, it is important to consider some security issues that could appear in the alarm system. For example, we do not want any unauthorized persons to be able to look at images from our cameras, so they have to be protected somehow. Similarly, an intruder should not be able to send a disarm command to the components in the system and then simply walk into the house without triggering the alarm. It would therefore be good if we could distinguish a real component from a fake one. Let us say we encrypt all messages with a secret key known only to the components. This way, only real components can read messages, and any attempt by a fake device to send a message will result in an invalid message that the receiver will discard.

However, this raises the question of how to handle the situation where an intruder actually uses a component to send the message in the first place. Consider, for example, a situation where two neighbours, Alice and Bob, both have an alarm installed at home. They live close enough that both alarm systems are in each other's range. It would be bad if one of Alice's components suddenly started sending messages to a component of Bob's alarm. In this situation, both devices are real and there is no actual adversary that actively tries to sabotage the alarm, but we could still run into problems with which components to trust. Clearly, just being able to tell a real and a fake component apart is not enough to solve the problem. All components belonging to a particular alarm should therefore be distinguishable from a component of any other alarm.

If the components all look the same when delivered, it is far from trivial to tell any two apart. Consider the neighbour situation again, where Alice and Bob are about to add a sensor to their respective alarms. The expected outcome is of course that the sensor Alice is holding in her hand is added in a secure way to her alarm, and vice versa. This should work even if the sensors got mixed up in the shipping and were delivered to the wrong customer; the sensor to be connected is still the sensor that the user is looking at. This indicates that the decision about what alarm a device should belong to is not made until the user actually adds the device to his or her particular system. Obvious issues that need to be considered are, for example, how do we prevent the new device from accidentally connecting to our neighbour's alarm? More seriously, how do we prevent or detect an intruder trying to impersonate the device at the same time as we are connecting it? This is what device pairing is all about: taking any two wireless devices without any prior knowledge about each other and trying to establish a secure connection between them.

1.1 Background

The alarm system is built on standard hardware such as routers, web cameras and Android devices. By not using custom-built hardware, the product becomes cheaper than similar alarms on the market, since the hardware is mass produced and not just made for this particular system. One of the major features of this system that differs from traditional alarms seen today is that the users are able to control the alarm remotely through a web interface and also look at the latest events.

Typically, a customer has a central unit, the master in the system, which holds the state of the alarm and all peripheral components connected to the system; it is basically just a wireless router running custom software. Peripheral components are the sensors, which react on events from the outside world and trigger an alarm if an intruder is detected. A panel with a user interface, from which the end user can control the alarm, is also connected to this wireless network. At present, the router is a Cisco WRT160NL running an OpenWrt Linux distribution¹, which is designed to be a general-purpose operating system for wireless routers. The only sensors in use today are Acelink IP cameras (IC-3030)²; the operating system on those is a Linux 2.4 kernel. Finally, the last component is the user interface, an Android tablet with API level 8 of the Android operating system³.

Figure 1.1 illustrates the basic communication flow between the components. The router broadcasts events about everything that happens in the alarm, such as the alarm being triggered, the alarm being activated etc. It also issues commands to the camera sensors in order to control their behaviour. The Android tablet listens to the events from the router, updates the GUI appropriately and sends commands to the router when the user interacts with it, such as arm/disarm. Also, the camera sensors notify the central unit about possible intruders that they detect.

Figure 1.1. Communication in the alarm system.

¹ OpenWrt Backfire 10.03, https://openwrt.org/
² http://www.acelink.com.tw/web/product_detail/show/en/3/68
³ http://developer.android.com/reference/packages.html

1.2 Problem specification

Wireless networks have been protected and encrypted for years, and standards such as Wi-Fi Protected Access (WPA and WPA2) have been developed and are widely used. It is up to the end user to ensure that the network is set up properly and that keys are generated and kept private. When selling a product that is in itself a wireless network, especially when it comes to an alarm system with high security demands, the responsibility for security should not be put upon the customer. Therefore, the security should be implicit and somewhat transparent for the user, so that the system is simple to install.

The security requirements for the alarm that are considered in this thesis are listed below.

• Data protection: Due to the sensitivity of the data being sent by camera sensors, an important security requirement is that all data is encrypted.

• Replay protection: It should not be possible to re-send a command.

• Availability: The system should be able to detect and handle all kinds of situations where one of the components is overloaded.

• Simplicity: The simplicity for the end user to install the system and add more devices is essential.

The first item is quite obvious: the data should be kept private so that no unauthorized persons are able to read it. Next, a threat that could be serious in an alarm system is replay attacks, where an intruder records a command, for example a disarm command, in order to resend it later. This does not even require the attacker to understand the content of the command itself; it is sufficient to know the effect of the command. Replay attacks can be avoided by including some unique information in each command, such as a sequence number that is incremented for each command. Another option is to use a challenge-response procedure: before a command is processed, the receiver sends a random challenge to the sender of the command and expects a result including a modification of that same random challenge.
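As an added illustration (not code from the thesis), the following Python sketch shows both replay countermeasures named above for an alarm command protected with a key shared by the panel and the router: a sequence number checked by the receiver, and a challenge-response exchange. The HMAC tag, the frame layout and the command names are this example's own assumptions.

```python
"""Replay protection for alarm commands (Section 1.2), as an added example.
The shared key, the HMAC-based tag, the frame layout and the command names are
constructed for this illustration; they are not the thesis's design."""
import hashlib
import hmac
import secrets

K_AB = b"constructed-demo-key-known-only-to-panel-and-router"  # shared key, constructed


def _tag(*parts):
    """HMAC-SHA256 over the length-prefixed concatenation m1||m2||...; the length
    prefixes stop an attacker from shifting bytes between fields."""
    mac = hmac.new(K_AB, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


# --- Option 1: a sequence number that is incremented for each command --------------
class Panel:
    """Sender (user control panel): numbers every command it issues."""
    def __init__(self):
        self.seq = 0

    def command(self, name):
        self.seq += 1
        seq = self.seq.to_bytes(4, "big")
        cmd = name.encode()
        return cmd, seq, _tag(cmd, seq)         # frame = (command, sequence number, tag)


class Router:
    """Receiver (central unit): accepts a frame only if its tag is valid and its
    sequence number is higher than the last one accepted."""
    def __init__(self):
        self.last_seq = 0

    def receive(self, frame):
        cmd, seq, tag = frame
        if not hmac.compare_digest(tag, _tag(cmd, seq)):
            return False                        # forged or modified command
        n = int.from_bytes(seq, "big")
        if n <= self.last_seq:
            return False                        # replayed (or reordered) command
        self.last_seq = n
        return True


# --- Option 2: challenge-response ----------------------------------------------------
class ChallengeRouter:
    """Receiver that issues a fresh random challenge per command and accepts only an
    answer bound to that challenge, so a recorded answer is useless later."""
    def __init__(self):
        self.pending = {}                       # challenge -> command awaiting an answer

    def challenge(self, cmd):
        c = secrets.token_bytes(16)
        self.pending[c] = cmd
        return c

    def receive(self, cmd, c, response):
        if self.pending.pop(c, None) != cmd:
            return False                        # unknown, already used or mismatched challenge
        return hmac.compare_digest(response, _tag(cmd, c))


def panel_answer(cmd, c):
    """Sender side: proves knowledge of the shared key and binds the answer to c."""
    return _tag(cmd, c)


def demo_sequence_numbers():
    """Genuine command, the same frame replayed, and a frame with a tampered number."""
    panel, router = Panel(), Router()
    disarm = panel.command("disarm")
    first = router.receive(disarm)              # accepted
    replay = router.receive(disarm)             # recorded and re-sent: rejected
    forged = router.receive((b"disarm", (99).to_bytes(4, "big"), disarm[2]))  # tag mismatch
    return [first, replay, forged]


def demo_challenge_response():
    """Fresh answer accepted; the same answer presented again is rejected."""
    router = ChallengeRouter()
    cmd = b"disarm"
    c = router.challenge(cmd)
    resp = panel_answer(cmd, c)
    return [router.receive(cmd, c, resp), router.receive(cmd, c, resp)]


if __name__ == "__main__":
    print("sequence numbers  :", demo_sequence_numbers())     # [True, False, False]
    print("challenge-response:", demo_challenge_response())   # [True, False]
```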

In a real-time system such as this, deadlines are essential, which means that the components of the system should be available at all times. There could be a serious threat if one sensor fails because it is overloaded, because of network failure or for any other reason. Imagine an attack where an intruder in some way keeps a camera sensor busy and prevents it from doing its intended job; then the intruder could just walk in without triggering the alarm. The system should include means to prevent attacks like those.

In addition to those requirements, it should still be simple for the end user to install the system, and the user should not be required to handle long passwords or cryptographic keys. The most difficult part, as we will see, is to simplify the process of secure device pairing, especially on devices with a very limited user interface such as the sensors. A customer should be able to obtain any device compatible with this system and connect it to his or her alarm in a secure way.

This authentication problem is usually solved by letting the two devices share a secret known only to those two devices. Some shared secret knowledge is even a requirement for secure authentication, because if A and B know exactly the same things, there is no way for C to tell them apart. In many pairing situations, the devices do not share a secret and do not know anything about the other device either. This is especially true in an ad-hoc situation such as when pairing two mobile phones via Bluetooth or when connecting a laptop to a wireless network for the first time. The only one who knows which phones to connect in the Bluetooth case is the user. In Bluetooth pairing, the problem is commonly solved by letting the user come up with a secret, e.g. a four-digit PIN, just before the pairing and enter that secret into both devices. That gives the two devices a common secret, and they will both require that the other device proves knowledge of this secret before continuing with the connection. However, this solution is not applicable when dealing with devices with a very limited user interface. It is difficult to enter even a simple four-digit PIN on devices without a keypad, for instance.

An important part of the authentication process is also that this secret is never revealed so that someone else can use it later. Consider the example where users log on to a remote server. They enter their password on their local machine, which sends the password to the server. The server checks if the password is correct and if so grants access to the server. What if someone eavesdrops on the communication between the client and the server? They would then be able to obtain the password and use it later to impersonate the real user and access the server in his name. We would like to provide this password information in a secure way so that no one but the server can read it. The interesting part here is the question of why we send the password to the server in the first place. Do we want to let the server know the real password? No, all we wanted to do was to provide enough information so that the server could answer the question: does this user know the password or not? That is all the server needs to know to determine if the user should have access or not, and sending the real password is just one way of letting the server answer this question. It would be better if we could design a protocol after which the server can determine, with high confidence, whether the user knows the password or not, without revealing the real password. In the best case, the protocol should be designed in such a way that listening to the communication between client and server does not help an adversary at all in guessing the user's password.

1.3 Notation

Some words about the notation in this thesis are included here to minimize confusion. A symmetric encryption key that is intended to be known only to the users A and B is denoted $K_{A,B}$. On the other hand, to make a distinction from the symmetric ones, $pk_A$ and $sk_A$ are used for A's public and private keys respectively. $K_{A,B}(m)$ means that the message m has been encrypted with the key $K_{A,B}$. When a message consists of a concatenation of smaller messages, say $m_1$, $m_2$ and $m_3$, two vertical bars $||$ are used as the concatenation operator, e.g. $K_{A,B}(m_1||m_2||m_3)$. Other symbols are explained in the context they appear in.


Chapter 2

Previous work

2.1 Existing standards

The standards most commonly used today to protect a wireless network are IEEE 802.11, which introduced Wired Equivalent Privacy (WEP), and Wi-Fi Protected Access (WPA) [2]. The Wi-Fi Alliance¹ has also developed a standard to simplify the process of connecting new devices to a wireless network [3]. The following sections briefly describe these standards.

2.1.1 Security in IEEE 802.11

Wired Equivalent Privacy (WEP) was introduced in the IEEE 802.11 standard [2] to encrypt the data in a wireless network. As the name indicates, the data privacy was meant to be equivalent to that of a wired network. This section briefly explains how WEP operates.

WEP uses the RC4 encryption algorithm, which is a stream cipher that uses a key of the same length as the plain text and encrypts the message by XORing the plain text P with the key K, i.e. the encrypted text C is $C = P \oplus K$. This means that the key must be of the same length as the message being encrypted, which makes it impractical since you would need very long keys to encrypt most messages. To solve this, the algorithm uses a shorter key (the WEP key that the user uses to connect to the network) as a seed to a random generator that produces a bit stream of sufficient length for each message. That bit stream is then used as the actual key to XOR with the plain text. The receiver, who also has the same WEP key, can upon reception generate the exact same bit stream by using the same random generator and decrypt the message with that. The decryption is done the same way, XORing the encrypted text C with the key stream K, $P = C \oplus K$; this works since $c = x \oplus y \Rightarrow x = c \oplus y$.

Due to the fact that packets can be lost during transit in a wireless network, the random generator is restarted for each frame being sent. Otherwise the two communicating parties' random generators would be out of sync if a packet was lost. However, using the same key stream to encrypt all messages introduces another problem, namely that an attacker is able to guess the key stream by using the fact that $C_1 \oplus C_2 = P_1 \oplus P_2$: performing XOR on two cipher texts gives the same result as performing XOR on the corresponding plain texts. By guessing pieces of the plain text packets, which can for instance be done quite easily with ARP² packets, an attacker can soon retrieve the whole plain text packets, and then the key stream K is obtained as $K = C \oplus P$. To prevent the key stream from being repeated for each packet, WEP uses a 24-bit initialisation vector (IV), randomly generated by the sender for each frame, which is appended to the shared key before feeding it to the random generator. The IV must then be transmitted to the receiver in clear text along with the packet.

¹ http://www.wi-fi.org/
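The following Python example, added here and not taken from the thesis, makes the key-stream argument concrete. A constructed SHA-256 based generator stands in for RC4 (the algebra does not depend on the generator), and keystream_reuse_leaks() checks that with one reused key stream $C_1 \oplus C_2 = P_1 \oplus P_2$ and one known plain text exposes the other frame, while a fresh IV per frame removes that relation.

```python
"""Why a stream cipher needs a fresh IV per frame (Section 2.1.1).  Added example, not
from the thesis.  RC4 is replaced by a constructed SHA-256 counter-mode key stream; the
relation C1 xor C2 = P1 xor P2 holds for any key stream that is reused."""
import hashlib
import os


def keystream(key, iv, length):
    """Constructed generator: expands key||IV into `length` pseudo-random bytes.
    Same key and IV always give the same stream, which is what lets the receiver
    decrypt, and what makes reusing a stream dangerous."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, iv, plaintext):
    """C = P xor K, with the key stream K derived from key||IV as in WEP."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key, iv, ciphertext):
    """P = C xor K: the same operation, since c = x xor y implies x = c xor y."""
    return xor(ciphertext, keystream(key, iv, len(ciphertext)))


def keystream_reuse_leaks(key, p1, p2):
    """Encrypt two frames under the SAME key stream and under DIFFERENT IVs and report
    what an eavesdropper who sees only the ciphertexts can learn in each case."""
    n = min(len(p1), len(p2))
    p1, p2 = p1[:n], p2[:n]
    iv = b"\x00\x00\x00"                       # constructed 24-bit IV, reused by mistake
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    # Same key stream: XOR of the ciphertexts equals XOR of the plain texts.
    same_iv_leak = xor(c1, c2) == xor(p1, p2)
    # Knowing one plain text then gives K = C xor P and, with it, the other frame.
    recovered = xor(xor(c1, p1), c2) == p2
    # Distinct IVs: the two key streams differ and the relation no longer holds.
    c1b = encrypt(key, b"\x00\x00\x01", p1)
    c2b = encrypt(key, b"\x00\x00\x02", p2)
    fresh_iv_leak = xor(c1b, c2b) == xor(p1, p2)
    return {"same_iv_leaks_p1_xor_p2": same_iv_leak,
            "same_iv_known_p1_reveals_p2": recovered,
            "fresh_iv_leaks_p1_xor_p2": fresh_iv_leak}


def roundtrip(key, iv, p):
    """Receiver with the same key and IV regenerates the stream and recovers P."""
    return decrypt(key, iv, encrypt(key, iv, p)) == p


if __name__ == "__main__":
    key = os.urandom(13)                       # 104-bit WEP-style key, constructed
    print(keystream_reuse_leaks(key, b"who-has 192.168.0.1? tell 192.168.0.7",
                                b"status report from camera sensor no. 2"))
    # {'same_iv_leaks_p1_xor_p2': True, 'same_iv_known_p1_reveals_p2': True,
    #  'fresh_iv_leaks_p1_xor_p2': False}
```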

We will not look any deeper into the flaws of the initial WEP protocol; it should be sufficient to say that it is possible for an adversary to recover the key with high probability in less than 60 seconds. Some attacks on WEP discovered over the years can be found in [22] and [9].

2.1.2 Security in IEEE 802.11i

Many of the flaws of WEP were fixed in Wi-Fi Protected Access (WPA and WPA2) [2]. One of the key features is the new key hierarchy, where each client has a unique key with the access point (AP). The top-level key is the pre-shared key (PSK) or a master session key (MSK), depending on the authentication mode used. These keys are used to derive a pairwise master key (PMK), which the client and the AP use to agree upon a pairwise transient key (PTK). The PTK is then used in all further communication between the client and the AP. Because of this, each client connected to the same AP will still use different keys to encrypt the packets.

Authentication can be done in two different ways: with a pre-shared key (PSK) or using an external authentication server (enterprise mode). The only difference between the two is the way the PMK is obtained; once a client has the PMK, both versions function in the same way. In the pre-shared key version, the most common mode for home networks, the PMK is the same as the pre-shared key. In the enterprise mode, users send their personal credentials to an external server, which responds with the PMK.

When two parties agree on a PTK they conduct a four-way handshake including the client's and the access point's MAC addresses and a random number generated by each of the two parties. This makes the PTK unique for every pair of stations, so no other party can decrypt the messages sent between them. Of course, if someone who knows the PMK observes the traffic in the handshake, he or she could also determine the same PTK and thus listen to all traffic between the two stations.

In IEEE 802.11i, encryption can be done in two different ways: WPA uses the old RC4 algorithm as in WEP, and WPA2 uses AES encryption. RC4 is only kept to be compatible with old hardware, but the key hierarchy improvements make it harder for an attacker to launch some of the attacks on WEP.

² Address Resolution Protocol, http://tools.ietf.org/html/rfc826

2.1.3 WPS

The Wi-Fi Alliance has introduced something they call Wi-Fi Protected Setup (WPS) [3], which is intended to simplify the process of configuring and connecting to a wireless network. WPS specifies a couple of standard methods to be used, and two of the most common ones, which all Wi-Fi Alliance certified products must support, are the push-button and the PIN method.

In the push-button method, a user presses a button on the wireless access point to initiate the pairing and the distribution of the pre-shared key. There is no authentication involved in this method, so anyone within range could potentially obtain the pre-shared key. Aside from that, it is a very user-friendly method that does not require any manual configuration.

In the PIN code method, every device has a PIN code that could be printed on a sticker attached to the device or shown on a display on the device. The user gives the PIN code to the access point, and the two parties now share a secret which is used to authenticate the device to be connected. This of course requires that the user has access to some sort of interface to the access point, normally a web interface.

2.2 Cryptographic hash functions

A cryptographic hash function is a one-way function $h : X \to Y$, where Y is a set of strings with a fixed length L; the result $y = h(x)$ is often called a message digest.

The security of a hash function can be summarized by three different properties, which correspond to problems that should be hard to solve for the particular hash function [19][16].

• Pre-image resistance: Given a hash value $h_1$ it should be hard to find a value $x \in X$ such that $h_1 = h(x)$.

• Second pre-image resistance: Given a value $x_1 \in X$, it should be hard to find another value $x_2 \in X$ such that $x_2 \neq x_1$ and $h(x_1) = h(x_2)$.

• Collision resistance: It should be hard to find two different values $x_1, x_2 \in X$ such that $h(x_1) = h(x_2)$.

The term hard used above refers to the amount of work required to find a match with high probability; it should be computationally hard to find such a match. If the amount of work required to find a collision, for example, is $2^n$, we say that the hash function's collision resistance is n bits. Launching a pre-image attack on a hash function can always be done by brute force in $2^L$ evaluations, even if we do not know anything about the hash function. A collision attack can theoretically be launched in $2^{L/2}$ evaluations, so in the best case a hash function is L bits secure against pre-image attacks and L/2 bits secure against a collision attack.

2.3 Identification and key agreement

We want two devices to identify each other in a secure way and also agree upon a key to use in further communication. In a secure way means that no adversary can obtain the key or successfully impersonate one of the devices. There are two types of adversaries. An attacker that only listens to the traffic between the two honest devices is called passive. An attacker that actively alters the message flow during the session, for example by adding additional messages, intercepting messages or altering messages, is called an active attacker. We say that an honest party accepts when he or she concludes that the identification has been successful. An authenticated key agreement scheme is a scheme with the following properties, as defined in [20]:

• Mutual identification: The scheme is a secure mutual identification scheme if no honest party "accepts" when an adversary has been active in the session.

• Key agreement: When no active adversary is present, both parties will agree upon the same key K, and no passive adversary may be able to obtain K.

The first property says that the scheme should be designed in such a way that every honest party is able to detect if an active adversary has been present. The second property handles the confidentiality of the key agreement: even a passive adversary that listens to all messages should not have enough information to be able to compute the key.

2.3.1 Diffie-Hellman Key agreement

A common, well-known key agreement scheme is the Diffie-Hellman key agreement protocol [18], [8], which is briefly explained below. The global parameters are a group $(G, \cdot)$ and an element $\alpha \in G$ having order p.

1. U chooses a random number $a_U$, $0 \le a_U \le p - 1$, computes $b_U = \alpha^{a_U}$ and sends $b_U$ to V.

2. V chooses a random number $a_V$, $0 \le a_V \le p - 1$, computes $b_V = \alpha^{a_V}$ and sends $b_V$ to U.

3. Now, U computes $K = b_V^{a_U} = \alpha^{a_V a_U}$ and V computes $K = b_U^{a_V} = \alpha^{a_U a_V}$.

In the last step, both U and V compute the same key $K = \alpha^{a_U a_V}$. The scheme builds its security on the Decisional Diffie-Hellman problem [4]: given the values $\alpha^a$ and $\alpha^b$ it is hard to distinguish $\alpha^{ab}$ from a random element in G. Since the values $a_U$ and $a_V$ are kept private, an adversary has to solve the Diffie-Hellman problem to also compute K. The scheme satisfies the second property of an authenticated key agreement scheme: no adversary will be able to compute K. However, it is well known that it is vulnerable to a man-in-the-middle attack, where the adversary replaces the messages $b_U$, $b_V$ with $b'_U$ and $b'_V$ respectively. That leads to a situation where both U and V believe they have successfully established a secret key together, but instead they have both established a key with the adversary. Since the problem is well known, there exist solutions that extend the original Diffie-Hellman scheme to also include mutual identification, as we will see in Section 2.3.3.

2.3.2 Public key infrastructure

A public key infrastructure (PKI) is an infrastructure designed to ensure the authenticity of public keys. Any user in the domain should be able to verify that a public key actually belongs to the user claiming it. The most essential components of a PKI are a Certificate Authority (CA), certificates and a digital signature algorithm. The CA is a third party that all users trust, and it is responsible for issuing public and private keys to the users in the system. A digital signature algorithm, first introduced in [8], is a procedure used for signing a piece of data in an attempt to simulate a traditional signature. It should be infeasible for an adversary to forge the signature, but any user in the domain should be able to verify the authenticity of the signature. The signing process is denoted $sig_A(x)$, where a user A signs the message x using some digital signature algorithm. To verify that signature the receiver uses $ver_A(sig_A(x))$.

A certificate is basically a token that authenticates a public key, signed by the CA. The information in a certificate may differ from implementation to implementation but will typically consist of some identifier of the owner of the certificate, the public key used by that owner and an expiration date. A commonly used certificate format is X.509 [12]. When using a PKI, a user U can send its public key $pk_U$ to the user V along with his certificate Cert(U). V can then be certain that $pk_U$ really is a public key belonging to U by verifying the certificate using $ver_{CA}$. Assume that an adversary C wants to impersonate U; he then has to forge U's certificate so that it looks like it was created by the CA and contains $pk_C$. That would require C to forge the CA's signature, which is assumed to be infeasible.

The issue with a PKI is the complicated structure: it requires a CA, and the CA must be able to generate certificates and distribute them to the users, along with the corresponding private keys, in a secure way. Additionally, it should include functionality to revoke certificates that might have been compromised. The list of all revoked certificates must also be made available to the users, so that they, upon receiving a certificate, are able to check if the certificate is still valid.


CHAPTER 2. PREVIOUS WORK

2.3.3 Diffie-Hellman with certificates

One solution to the identification problem in section 2.3.1 is to include certificates in the original Diffie-Hellman scheme [21]. This extension of the scheme is listed below.

1. U chooses a random number aU, computes bU = α^aU and sends Cert(U) and bU to V.

2. V chooses a random number aV and computes:

   bV = α^aV
   K = bU^aV
   yV = sigV(ID(U)||bV||bU)

   Then V sends Cert(V), bV and yV to U.

3. U verifies that the signature yV is valid using verV; if not, U rejects, otherwise U accepts and computes:

   K = bV^aU
   yU = sigU(ID(V)||bU||bV)

   Then U sends yU to V.

4. V now verifies that the signature yU is valid using verU; if not, V rejects, otherwise V accepts.

In this version both U and V sign a message containing the other party's id (as in steps 2 and 3) and the values bV and bU. This confirms that both U and V have received the correct values. In the original version of Diffie-Hellman the adversary would change the values of bU and bV, but this can not be done here since it would also require him to change the values of yV and yU.

However, the use of certificates for authentication requires both that each device acquires a certificate and a corresponding private key, and that each device knows which other device it is intended to connect to. The distribution of the certificates and private keys has to be done in a secure way.
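As an added, runnable illustration of steps 1-4 (not code from the thesis or from [21]), the exchange below uses a randomly generated 48-bit safe prime as a toy group, a textbook Schnorr signature over that group in place of sigU/sigV/verU/verV, and a plain dictionary of verified signing keys in place of Cert(U)/Cert(V); the group size, the signature scheme and all function names are assumptions of the example.

```python
import hashlib
import secrets


def _is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.4e14 with these bases."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits=48):
    """Random safe prime p = 2q + 1; a toy size chosen so the demo runs fast."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = _safe_prime()
G = 4   # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def keygen():
    """Long-term signing key pair (x, y = G^x); y is what a certificate binds to an id."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(r, message):
    digest = hashlib.sha256(f"{r}|".encode() + message).digest()
    return int.from_bytes(digest, "big") % Q


def sign(x, message):
    """sigA(message): Schnorr signature (r, s) under private key x."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - x * _challenge(r, message)) % Q


def verify(y, message, signature):
    """verA(sigA(message)): True iff (r, s) is valid under public key y."""
    r, s = signature
    return pow(G, s, P) * pow(y, _challenge(r, message), P) % P == r


def transcript(id_other, b_mine, b_other):
    """ID(other)||b_mine||b_other, the string signed in steps 2 and 3."""
    return f"{id_other}|{b_mine}|{b_other}".encode()


def run_protocol(certs, keys, tamper=None):
    """Steps 1-4 between U and V; returns (K_U, K_V) or raises on rejection.
    certs: verified public signing keys (what Cert(U)/Cert(V) guarantee);
    keys: private signing keys; tamper: optional rewrite of bU in transit."""
    aU = secrets.randbelow(Q - 1) + 1                  # step 1: bU = alpha^aU
    bU = pow(G, aU, P)
    bU_at_V = tamper(bU) if tamper else bU
    aV = secrets.randbelow(Q - 1) + 1                  # step 2: bV, K and yV
    bV = pow(G, aV, P)
    K_V = pow(bU_at_V, aV, P)
    yV = sign(keys["V"], transcript("U", bV, bU_at_V))
    if not verify(certs["V"], transcript("U", bV, bU), yV):        # step 3: verV
        raise ValueError("U rejects: yV does not cover the bU that U sent")
    K_U = pow(bV, aU, P)
    yU = sign(keys["U"], transcript("V", bU, bV))
    if not verify(certs["U"], transcript("V", bU_at_V, bV), yU):   # step 4: verU
        raise ValueError("V rejects: yU does not cover the bU that V received")
    return K_U, K_V


def demo():
    """Honest run: both sides hold the same K. Altered bU: a party rejects."""
    keys, certs = {}, {}
    for ident in ("U", "V"):
        keys[ident], certs[ident] = keygen()
    K_U, K_V = run_protocol(certs, keys)
    try:
        run_protocol(certs, keys, tamper=lambda b: b * G % P)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return K_U == K_V, outcome
```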

2.3.4 Manual Authentication

Maher [15] suggested a solution to the identification problem in the original Diffie-Hellman scheme in order to perform mutual identification without a trusted third party. In this solution, upon completion of the original scheme, one of the devices displays a hash of the key K, i.e. h(K), to the user. The user is then supposed to enter that hash into the other device, which compares it to its own version of the hashed key. If the hashes match, the device signals ok to the user. The key assumption here is that the communication between user and device is secure.


2.3. IDENTIFICATION AND KEY AGREEMENT

If neither of the devices has a keypad to interact with, they can both show their version of the hash on their displays and let the user compare them manually and signal ok to both devices by pressing a button. An important question is what length to use for the hash value: too long and it would be difficult and error prone for the user to enter, too short and it would impose a serious security threat [6].

A similar but slightly different method is MANA (MANual Authentication) [6], [10], which is able to use short check-values as the confirmation string while still preserving high security. From the user's point of view these schemes work in the same way as the Diffie-Hellman version above, where the user is supposed to enter a random number r (16-20 bits) into both devices. As shown in [6], the best approach for an attacker to launch a man-in-the-middle attack would be to guess r, which he can only do with probability $p = 1/2^n$, where n is the number of bits in r.

The manual authentication techniques described here use the user and visual communication as a secure channel to share secrets that only the two participating devices should know about, and they build on the assumption that the user is the only one having physical access to the devices.

2.3.5 SiB

As seen in section 2.3.4, MANA requires both devices to have either an advanced input or an advanced display; some devices have neither, which makes them unfit for manual authentication. Seeing-is-Believing (SiB) [13] takes this one step further and uses the visual channel between two devices directly without going through the user. This of course requires that one device has a display of some sort and that the other has a light sensor that can read the display. In [13], they suggest a method of authenticated key agreement where one device is equipped with a camera and the other with a display or even a single light source such as an LED. This scheme is discussed more thoroughly in section 4.3.2.

2.3.6 Commitment schemes

In an authentication or key exchange process, a commitment is when one party commits to the content of a message without revealing it to the other party. Once committed to, it can not be altered and can not be read by anyone else unless they are given the key to read it. The purpose is that one party should have to make a choice at some point and not be able to change his mind later depending on later events. Conversely, the other party should be certain that the committed value has not changed since it was committed.

As an example, Alice claims to be a mind reader and tells Bob to pick a number between 1 and 10, and says that she will know what number he is thinking about. Neither of them trusts the other, so no one wants to be the first one to reveal their choice. So to ensure that Alice actually is psychic, Bob writes the number on a piece of paper without Alice seeing it, puts it in a box with a lock and gives it to Alice. That is the commitment part: once the box is given to Alice, Bob can not change his choice of number. Additionally, Alice can not see the number that Bob has chosen since she does not have the key to the box. Finally, Alice uses her magical skills and tells Bob what number he was thinking about, and when Bob gives Alice the key to the box, she can open it and both parties can verify that she really is psychic.

The example above illustrates the properties of a commitment scheme: essentially Bob has to make a choice first which he can not change later, and Alice does not know what Bob chose, so she has to make her choice independently of Bob's. Formal definitions of commitments are given in [7], [14] and [23], but informally a commitment should have the following two properties.

• Binding: The committed message should be binding, meaning that it should be infeasible to alter it once committed.

• Hiding: The committed message should be hidden, meaning that it should be infeasible to reveal the actual message before the author opens it.

If, in the example above, Bob did not have to commit to his choice of number, there would be no way for Alice to prove that she really guessed right. Bob could just tell her that he picked another number and no one would be able to prove otherwise. It would be equally bad if the committed value was not hidden; then Alice could just look at the value and no magical skills would be needed.
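As an added illustration of the two properties (not code from the thesis), the following models the locked box as SHA-256(nonce || number) with a random nonce as the key to the box; the function names and the 32-byte nonce are the example's own choices, and the keyless variant is included only to show why the nonce is what makes the commitment hiding for a number between 1 and 10.

```python
import hashlib
import secrets

NUMBER_BYTES = 2   # enough to encode any number Bob may pick


def _digest(key: bytes, value: int) -> bytes:
    return hashlib.sha256(key + value.to_bytes(NUMBER_BYTES, "big")).digest()


def commit(value: int):
    """Bob locks his number in the box: returns (commitment, key to the box)."""
    key = secrets.token_bytes(32)          # fresh random key for every commitment
    return _digest(key, value), key


def open_commitment(commitment: bytes, key: bytes, value: int) -> bool:
    """Alice opens the box: True iff (key, value) reproduce the commitment.
    Binding: producing a second (key, value) pair for the same commitment
    would require a SHA-256 collision."""
    return secrets.compare_digest(_digest(key, value), commitment)


def naive_commit(value: int) -> bytes:
    """A box without a key: SHA-256(number) alone. Binding, but not hiding."""
    return hashlib.sha256(value.to_bytes(NUMBER_BYTES, "big")).digest()


def peek(commitment: bytes, candidates=range(1, 11)):
    """What Alice learns from a keyless commitment: she tries all ten numbers.
    Against commit() the same search finds nothing, since the key is unknown."""
    for v in candidates:
        if naive_commit(v) == commitment:
            return v
    return None


def mind_reader_game(bobs_number: int, alices_guess: int, bob_claims: int):
    """Bob commits to bobs_number, Alice guesses, Bob then opens the box
    claiming bob_claims. Returns (opening_accepted, alice_was_right)."""
    box, key = commit(bobs_number)
    # Alice holds only `box` while guessing; with a random 256-bit key it
    # tells her nothing about the number (hiding).
    accepted = open_commitment(box, key, bob_claims)
    return accepted, accepted and bob_claims == alices_guess
```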


Chapter 3

Identify the options

3.1 Data protection

It turns out that WPA2 is a good solution for the security of the network: it is well tested and is implemented in most commercial devices. An alternative would be to add the encryption in the application layer.

The benefits of using WPA2 instead of application level encryption are summarized in the list below.

• Simplicity: An existing implementation exists in most commercial devices, and the protocol is commonly used and tested.

• Performance: Application level encryption requires more computational power, which in turn can be difficult for real time embedded devices.

• Replay attacks: WPA2 has built-in protection against replay attacks since it includes a sequence number in each frame.

The biggest advantage of using application level encryption is the ability for the application protocol to determine which messages to encrypt. This can be useful in authentication and key exchange protocols where some messages, for obvious reasons, should not be encrypted. Using an existing implementation of WPA2 requires the devices to switch to an open network before proceeding with the key exchange. That advantage alone does not, in my opinion, outweigh the advantages of WPA2.

3.2 Device pairing and key agreement

As discussed in section 2.3, the goal of pairing two devices is to perform an authenticated key agreement in a secure way. Both devices should also be certain that they have performed this key agreement with the intended peer and not a malicious one. This section will briefly look at three options in the pairing problem to get a picture of the actual problem. These are not intended to be complete solutions, just touching the surface of some options available to get a feeling for the problem at hand.

3.2.1 External pairing server

As explained in section 2.1.2, the IEEE 802.11X authentication standard has an option of using an external authentication server which handles the authentication and key exchange. This, however, requires the system to have access to the Internet for the authentication to work. Additionally, the devices need to authenticate themselves to the external server, leaving us with the same problem as before. Even if the device somehow is able to authenticate itself to the external server, that is, it can prove that it really is device X, the external server has to know which network device X should belong to. This requires the devices to be marked for a certain network before being shipped to the end user and imposes additional administration. The external server could be used in conjunction with certificates: the server first performs the pairing and then the clients use the certificates to authenticate their keys.

3.2.2 Out-of-Band channels

The second option we consider is to use an alternative channel of communication, or out-of-band channel (OOB), in addition to the main channel, as done by MANA in section 2.3.4. This is the most flexible option since it does not depend on an external server or an Internet connection but can simply be done by the user in isolation, which is preferable if possible. Chapter 4 investigates this further.

3.3 Denial of Service

In this section, Denial of Service (DoS) is used as a generalized term for all situations where a device in the network for some reason is unable to perform its intended work within the expected time limit. It does not necessarily have to be due to a malicious attacker; it could also be some other device malfunction or network failure. It is hard, if not impossible, to let the device itself detect and handle all the situations that can arise, even if we can identify all these situations. Consider for example the situation with network failure: the device could probably detect it but could not really do anything to fix it. Whatever strategy is used to prevent these attacks, an adversary could always launch an attack by disturbing the radio frequency.

To address the DoS threat, the complete alarm system is a hierarchy of devices which all report to the device above them in the hierarchy tree. Those reports are heartbeats or keep-alive messages that the devices are expected to send at predefined time intervals. We have not obtained DoS prevention but at least DoS detection, and the responsibility of detecting a DoS attack is moved to the parent device, which has to keep track of all child nodes attached to it and issue a warning if one of its children stops sending heartbeats. This setting gives us more options to handle the situation, since the parent detecting a device's failure to send heartbeats might not be affected by the failure itself. On the other hand, it does not know the reason for the failure, only that the device no longer sends heartbeats.


Chapter 4

Device pairing

The authentication and key exchange schemes in this chapter use Live Sequence Charts (LSC) [5] to illustrate the message flow between two or more parties.

[Figure 4.1 (diagram): parties A and B; condition x = 17 at A; timer t1 started by B; solid arrow: ordinary message; dashed arrow: out-of-band message]

Figure 4.1. A typical LSC used in this thesis

Figure 4.1 shows a typical LSC used in this thesis between the parties A and B: the solid arrows are messages sent over the main channel of communication, the dashed arrows are messages sent over any OOB channel and the text above the line is the message content. The condition x = 17 is an invariant that is expected to be true at that time; if it is not true, A will abort the scheme in this example. The hour glasses show a timer labelled t1 that is started by B, which emphasizes that time is important in this particular scheme.

Chapter 2 explained some existing schemes to perform the device pairing without a trusted third party, by taking advantage of the fact that in a wireless network the user has control of all devices. Section 4.1 will discuss a first attempt to solve the problem when the user is unable to interact with one of the devices. Later, we will come back to SiB as mentioned in section 2.3.5.


4.1 Pairing via visual indication to user

Some devices, particularly small sensors, do not even have simple input or simple output, so MANA (section 2.3.4) can not be used. Recall that in MANA, the user has to transfer a small random number from one device to the other. This section discusses a different approach where one of the devices is a very simple one with only one light source; the other can be any kind of device whose public key is known to the first device. It does not matter for the scheme how the public key was obtained, just that the device is certain that it belongs to the intended device. A first approach, and not a very secure one, to an authenticated key agreement scheme using this idea is shown in figure 4.2 and, as in MANA, the goal is to agree upon a secret string D.

[Figure 4.2 (diagram): parties User, A and B; messages (1)-(4) with contents pkB(ID(A)||KA,B), KA,B(ID(A)), KA,B(D) and OK]

Figure 4.2. A first approach to a scheme using visual indication

In figure 4.2, A generates a temporary session key KA,B and encrypts it, along with its own id, with B's public key and sends it to B. Now A can be certain that only B can know the key KA,B. Next, B sends a message telling A to visually identify himself; this message is encrypted with KA,B so only A and B can read it. When A receives this message, he visually indicates success to the user. At the same time, B prompts the user whether the correct device indicated and if so it sends D encrypted with KA,B. B has to be certain that the channel through which it prompts the user is secure; it could for example be by physically pushing a button.

4.1.1 Issues

The scheme in figure 4.2 is in fact vulnerable to a man-in-the-middle attack where an adversary initiates a parallel session and intercepts message (3) in order to use it later. Consider the following scenario, which is illustrated in figure 4.3. Both the honest party A and the adversary M initiate a session with B (messages (1) and (2)). M intercepts message (3) and, since it never reaches A, the pairing is unsuccessful. Later, B tries to make M identify itself by sending KM,B(ID(M)) to M, who simply forwards the previously stored message KA,B(ID(A)), making A indicate success to the user.

[Figure 4.3 (diagram): parties User, A, M and B; messages (1)-(7) with contents pkB(ID(A)||KA,B), pkB(ID(M)||KM,B), KA,B(ID(A)), KM,B(ID(M)), OK and KM,B(D)]

Figure 4.3. Man in the middle attack on the first approach to visual indication.

The problem with this scheme is not the authenticity of the identify message KA,B(ID(A)); in fact it is a valid message generated by B itself and it is never altered by anyone in the network, it just arrives a little later than the user expects it to. This imposes a serious real time problem on the scheme, namely that timing is an essential factor in its success. Is there a way to circumvent these timing issues? One could suggest that a time stamp be included in the message. In this way an honest device would not respond to an old message that is being resent by the adversary. This requires synchronized clocks on all devices, which could be difficult on embedded devices.

The user, A, needs some way to ensure that it is in fact B who is sending the message; consider the following attempt at a solution to the problem. Upon receiving the message KA,B(ID(A)), A responds with KA,B(ID(A)||r), where r is a random number generated by A. B is then expected to respond with KA,B(ID(A)||r − 1). Now it seems like A can be certain that it actually talks to B, but this does not really solve the problem because, as discussed above, the issue is timing. It does not matter how complicated a message scheme we come up with when an adversary only has to delay some of the messages to impersonate an honest device.


4.1.2 Improvements of the visual indication scheme

We want to prevent an adversary from initiating a parallel session; an improved scheme is illustrated in figure 4.4.

[Figure 4.4 (diagram): parties A and B; A starts timer t at message (3) and checks that x is valid; messages pkB(ID(A)||KA,B), KA,B(ID(A)), KA,B(ID(A)||r) and x = KA,B(ID(A)||r − 1)]

Figure 4.4. Improved identification scheme.

This scheme uses a time t during which the challenge and the session are valid; if the response arrives after that time has expired, the device does not identify itself. Additionally, B does not allow any other device to initiate a session during this time. The goal of the adversary is to make B send him KM,B(D). B only does that if A indicates success to the user, which requires that A receives a valid response to the challenge KA,B(ID(A)||r) within the specified time frame. The adversary can not generate that response since he does not know the key KA,B, and he can not use a message from a previous session because of the unique random number. Finally, B does not allow parallel sessions and A's challenge expires after a specified time.

Figure 4.5 illustrates an attempt at a man-in-the-middle attack, similar to the one in figure 4.3, where M tries to forge the identity of A. M first obtains a valid response to A's challenge from B. He then has to wait until the session expires (B's timer in the figure) before starting his own session with B. When M receives the response to his challenge from B, it is too late to send the previously stored response to A's challenge since that challenge is no longer valid.

This method requires that one of the parties knows the other's public key; the public key could have been transferred via a trusted channel or it could have been verified via a certificate, in which case the identity of the corresponding device would have had to be transferred via a trusted channel. So the scheme itself is only useful if we do not require mutual authentication or if we have some other means of ensuring the authenticity of pkB.

[Figure 4.5 (diagram): parties A, man in the middle M and B; A's timer t1 and B's timer t2 both start at message (3); messages pkB(ID(A)||KA,B), pkB(ID(M)||KM,B), KM,B(ID(A)), KA,B(ID(A)), KA,B(ID(A)||rA), KA,B(ID(A)||rA − 1), KM,B(ID(M)||rB) and KM,B(ID(M)||rB − 1)]

Figure 4.5. Man-in-the-middle attempt on the improved scheme in figure 4.4.

4.2 Analysis of Out-of-Band channels

An Out-of-Band channel (OOB) is an alternative channel of communication other than the main channel; in this case the main channel is the wireless network. We shall say that a secure channel is a channel of communication that only the intended receiver can listen to, and a trusted channel is a channel that only the intended sender can send messages on. This section investigates three OOB channels that could be used in addition to the wireless network. The channels are chosen from the characteristics of the different components in the alarm system.

• Physical channel - A physical cable, e.g. a USB cable.

• Visual channel - Using a camera on one device to read data presented by the other.


• Push button - A user physically pushes a button on the devices.

4.2.1 Physical channel

A physical channel could be both a trusted and a secure channel, and could possibly be used to connect two devices and simply transfer the key from one device to the other. It is hard to eavesdrop on, and the receiver can be certain that the sender is legitimate.

The device with a USB socket used in the alarm system of this thesis, however, runs the Android OS (API level 8), which does not let applications directly control the USB device¹. The system only supports USB file transfer using the device's external storage, which is accessible to all applications. The communication in this case is done via the file system: the sender creates a file which the receiver can read. In this case the channel is neither secure, since any application on the device can read the files, nor trusted, since any application on the device can write to the external storage.

We have implemented a proof of concept scheme where two devices A (the Android device) and B agree upon a string D. A creates a file in a known location on its external storage containing its public key. When the user connects A and B via the USB socket, B reads the public key, encrypts D with it and stores the result in another file on the external storage. A can now read the file containing D and use that to connect to the encrypted network. What an adversary could do to impersonate A is to replace the real public key with its own and then read the result.

4.2.2 Visual channel

The visual channel requires a camera on at least one of the devices and also a way for the other device to display data. This type could be divided into two categories: one where the sending device has a high resolution display that is able to present a lot of information, and one where the sending device has a limited display such as a single flashing Light Emitting Diode (LED).

4.2.3 Barcode as visual channel

With a high resolution display the sender can present the data in the form of a two-dimensional barcode. We have used QR-codes (Quick Response) [1], mostly because the specification is open and it is well supported in the Android operating system. The amount of data that a QR-code can contain depends on its size and the level of error correction being used, but the maximum when operating in binary mode, version 40 and error correction level L is 2,953 bytes. The barcodes could potentially contain all security information needed if the channel is considered to be secure, that is, no adversary can eavesdrop on it. However, they could at least be considered a trusted channel, meaning that no one other than the intended sender can send messages on the channel. Many open source implementations exist for reading and generating QR-codes, such as Zebra Crossing (ZXing)² and ZBar³.

¹ USB support is added in API level 12. See http://developer.android.com/guide/topics/usb/index.html

4.2.4 LED as visual channel

The idea of this visual channel is taken from [13], where a single flashing LED is used to encode a data stream. The encoding process works by turning the light source on and off repeatedly, and every transition between on and off indicates a new bit. The time between two consecutive transitions determines the value of that bit: a short time means a '0' and a long time means a '1'. The receiver uses a camera to detect the transitions in the LED state. The major factor that limits the transmission speed is the frame rate of the camera on the receiving device; due to Nyquist's sampling theorem [17] the transmission rate can not be more than half of the frame rate of the camera. Another factor is the minimum time difference needed to reliably distinguish between a '0' and a '1'. Transmitting a lot of data through this channel would take time and not be very useful in practice.

The receiving device must be able to determine a transition in the LED between two consecutive frames. In [13] they use an approach of computing a single value (the sum of all pixels) for each frame, and when the difference between two consecutive frames is large enough, it is considered to be a state transition in the LED. To do that one could compare it to an absolute value calculated in advance, but that is a poor solution since the environment has a great impact on the frame value differences. In a very bright room there is not much difference between the LED being turned on and it being turned off, whereas in a dark room the frame could be almost totally black when the light is off and very bright when the light is on. A better way is to compare it to a value taken from the same session as the actual scanning; that way the environment will be the same. Table 4.1 shows the results of using two approaches for generating that value to compare with:

• Maximum difference: For each frame i, compute the sum of all pixels and call it $S_i$; then for each pair of consecutive frames (i, j such that i = j + 1) compute $\Delta_i = |S_i - S_j|$. Keep track of the maximum difference between two consecutive frames, $\Delta_{max} = \Delta_k$ if and only if $\Delta_k > \Delta_i$ for $0 < i \le k - 1$. If the current frame difference satisfies $\Delta_i \ge k\Delta_{max}$, where $k > 0$, we conclude that there has been a transition in the LED state. In table 4.1, k = 0.5 in the maximum difference approach.

• Sliding mean: $\Delta_i = |S_i - S_j|$ is computed as above. Let $\Delta^k_{mean}$ be the average of every $\Delta_i$, $0 < i \le k$, that is $\Delta^k_{mean} = \frac{1}{k}\sum_{i=1}^{k}\Delta_i$. Then again, if the current frame difference $\Delta_i \ge k\Delta^i_{mean}$, we conclude that there has been a transition in the LED state. In table 4.1, k = 0.8 in the sliding mean approach.
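The two rules above, run over a constructed sequence of frame sums (an added example, not the thesis implementation). The sequence follows the encoding of [13] with a '0' lasting 2 frames and a '1' lasting 4 frames, and the ON level drops halfway through to model the camera drifting away from the LED; the pixel-sum levels, the jitter pattern and the function names are the example's assumptions.

```python
# Constructed pixel-sum levels and jitter; not measured values from the thesis.
OFF_LEVEL = 300
NOISE = [7, -5, 3, -9, 4, -2, 8, -6]
BITS = [0, 1, 1, 0, 1, 0, 0, 1]
CONTRAST = [600] * 4 + [200] * 4     # ON minus OFF while each bit is sent


def synth_frames(bits, contrast, off=OFF_LEVEL, short=2, long=4):
    """Frame sums for the [13] encoding: every LED flip is one bit, and the
    number of frames until the next flip encodes it (short = 0, long = 1)."""
    frames, state_on = [off], True        # one OFF frame so the first flip shows
    for bit, c in zip(bits, contrast):
        level = off + c if state_on else off
        frames += [level] * (long if bit else short)
        state_on = not state_on
    frames.append(off + contrast[-1] if state_on else off)   # closing flip
    return [f + NOISE[i % len(NOISE)] for i, f in enumerate(frames)]


def deltas(frames):
    """Delta_i = |S_i - S_(i-1)| for i = 1 .. len(frames) - 1."""
    return [abs(frames[i] - frames[i - 1]) for i in range(1, len(frames))]


def max_difference(frames, k=0.5):
    """Frame indices flagged as LED transitions by the maximum-difference rule."""
    hits, d_max = [], 0
    for i, d in enumerate(deltas(frames), start=1):
        d_max = max(d_max, d)             # Delta_max over all frames so far
        if d >= k * d_max:
            hits.append(i)
    return hits


def sliding_mean(frames, k=0.8):
    """Frame indices flagged by the running-mean rule (mean of all Delta so far)."""
    hits, total = [], 0
    for i, d in enumerate(deltas(frames), start=1):
        total += d
        if d >= k * (total / i):
            hits.append(i)
    return hits


def decode(transitions, short=2, long=4):
    """Bits from the spacing of consecutive transitions; n+1 flips give n bits."""
    gaps = [b - a for a, b in zip(transitions, transitions[1:])]
    return [1 if gap >= (short + long) / 2 else 0 for gap in gaps]


def compare(bits=BITS, contrast=CONTRAST):
    """Bits recovered by each rule from the same constructed frame sequence."""
    frames = synth_frames(bits, contrast)
    return {"max_difference": decode(max_difference(frames)),
            "sliding_mean": decode(sliding_mean(frames))}
```

On this input the maximum-difference rule keeps the large Δmax from the first half and misses every transition after the contrast drops, while the running mean adapts and recovers all eight bits.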

² http://code.google.com/p/zxing/
³ http://zbar.sourceforge.net


The message being transmitted is the random bit stream 3295F4A (written as a hexadecimal number), so the length is n = 28. The tests have been made in daylight but without direct sunlight on the light source, and for every distance the table shows the average of five attempts.

Distance to source   Error % (max difference)   Error % (sliding mean)
2cm                  0                          0
3cm                  0                          0
6cm                  19                         0
10cm                 30                         29
20cm                 Unable to read             Unable to read

Table 4.1. Errors in receiving the bit string 3295F4A (hexadecimal) with maximum difference vs sliding mean.

As seen in table 4.1, the sliding mean approach is able to get further away from the source while still keeping the number of error bits quite low. This approach is better at adapting to changes in the background, and the table shows that it can handle distance a little better: it can easily read the LED from 6cm. The testing is done on a Cisco router⁴ with a cover which shields the light quite a bit and makes it harder for the camera to distinguish between off and on. If we try without the cover we get good results even from 20 cm distance (error of about 5%).

Time in ms for a 0   Time in ms for a 1   Error bits   Error %   Bit rate (b/s)
500                  1000                 0.3          1.07      1.2
500                  700                  3.6          12.9      1.0
400                  800                  3            10.7      1.1
400                  600                  1            3.6       1.6
300                  500                  2.3          8.2       1.4
200                  500                  1            3.6       2.4
200                  400                  2.6          9.3       2.1
200                  300                  6.6          23.6      1.8

Table 4.2. Average error rate with different time intervals using a camera at about 6cm from the light source.

Table 4.2 shows the error rate obtained with different time intervals for zeros and ones. As in table 4.1, the error rate is the average of five attempts. For comparison, the table also includes a logical maximum bit rate that we could expect if we had used a perfect error correcting code to encode the data. An error correcting code works by including some redundancy in the message in such a way that the receiver is able to correct any likely errors introduced during transmission.

If we for example want to encode two different symbols using three bits and be able to correct one error bit, it could be done as shown in table 4.3, where the two symbols are encoded as 000 and 111 respectively. The first column shows the received message and the second column is the corresponding symbol. We can see that if only one bit changes at any position during transmission, the receiver will be able to correct the error. What we have done in this encoding table is mapping each of the $2^3$ messages to one of the two valid symbols. In general, we could say that each symbol holds four 3-bit messages, e.g. symbol 000 holds 000, 001, 010 and 100. When constructing an error correcting code, we have to make sure that each symbol holds a distinct set of messages, so that for every message there is only one symbol holding that message. For a message of b bits there are $\binom{b}{1}$ ways of flipping one bit, so every symbol has to hold $1 + \binom{b}{1}$ messages. Similarly, to be able to correct at most two error bits, every symbol must hold $1 + \binom{b}{1} + \binom{b}{2}$ messages. All of these symbols must also fit in the total b-bit space of $2^b$ messages. [11]

⁴ Linksys wrt160nl

Received message   Corrected message
000                000
001                000
010                000
100                000
111                111
110                111
101                111
011                111

Table 4.3. Error correcting code with two symbols and three bits.

Generalizing this gives us the following relation: if an error correcting code should be able to encode n symbols using b bits so that the receiver is able to correct at most k error bits, then equation 4.1 must hold.

$$n \sum_{i=0}^{k} \binom{b}{i} \le 2^b \qquad (4.1)$$

So to correct 1 error in a symbol of 28 bits, we have $n = 2^{28}$ and $2^{28}(1 + 33) > 2^{33}$ but $2^{28}(1 + 34) < 2^{34}$, which means we have to use at least 34 bits. Note that we are not interested in the construction of that particular error correcting code, only in the minimum number of bits b required to produce such a code. As we will see in section 4.3.2, error correcting codes will not be used in the implementation of this communication channel; they are included here only to be able to compare the bit rate.
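The bound of equation 4.1 and the nearest-symbol mapping of table 4.3, as an added example (not the thesis author's code); the function names are the example's own, and the search reproduces both the 3-bit case of table 4.3 and the 34-bit result above.

```python
from math import comb


def messages_per_symbol(b, k):
    """sum_{i=0}^{k} C(b, i): all b-bit strings within k bit flips of a symbol."""
    return sum(comb(b, i) for i in range(k + 1))


def bound_holds(n_symbols, b, k):
    """Equation 4.1: n * sum_{i=0}^{k} C(b, i) <= 2^b."""
    return n_symbols * messages_per_symbol(b, k) <= 2 ** b


def min_code_length(message_bits, k):
    """Smallest b for which 2^message_bits symbols, each holding every string
    within k flips, fit into the 2^b space. This is a necessary condition
    only: it does not say that a code of that length exists."""
    n = 2 ** message_bits
    b = message_bits
    while not bound_holds(n, b, k):
        b += 1
    return b


def hamming_distance(x, y):
    return sum(cx != cy for cx, cy in zip(x, y))


def correct(received, symbols):
    """Map a received string to the nearest valid symbol, as in table 4.3."""
    return min(symbols, key=lambda s: hamming_distance(received, s))


def correction_table(symbols=("000", "111")):
    """The full received -> corrected mapping over all b-bit strings (table 4.3)."""
    b = len(symbols[0])
    return {format(m, f"0{b}b"): correct(format(m, f"0{b}b"), symbols)
            for m in range(2 ** b)}
```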

Synchronization

Synchronization is difficult with the visual channel since there is no way for the sending station to know when the receiving station is ready to receive data. This means that the sending station has to repeatedly send the same information and the receiver reads until it has received enough data. The receiver can not know where the message started, so the actual message being sent could have been any rotation of the received bit stream. For a bit stream of length n there are at most n unique rotations of that stream, so if the sending station intends to send 0110 the receiver could receive any of the following: 0110, 1100, 1001 and 0011. A possible solution to this could be to include a marker that marks the start of the message; it could be a special bit sequence or the light staying on for a longer period.

Other transmission and receiving methods

One problem with the encoding used by [13] is that '1's take longer to transmit than '0's, which leads to a non-consistent bit rate. The sending device could instead encode the data so that each bit is of the same length in time, and light off means '0' and light on means '1'. Figure 4.6 shows the bit string 0111001 encoded using this format. Using this technique with the camera held about 6cm from the light source gives one error bit on average out of 28, that is about 3.6%, and a bit rate of 4.1b/s; the environmental conditions are the same as in table 4.2. One advantage of using this approach over the one in section 4.2.4 is that every bit is the same length in time and thus the bit rate does not depend on the fraction of ones and zeros in the stream. A 28 bit long stream takes 5.6s (200ms for each bit) to transmit with this method.

Figure 4.6. Transmitting the string 0111001.

Summary

We have investigated two different ways of sending and receiving data through a low-bandwidth visual channel such as an LED. The methods are listed below along with their properties.

• Time difference: Using the time difference ∆t between LED state changes as the bit value has the drawback of ones taking longer to transmit, which leads to a non-consistent bit rate. The best bit rate recorded using this technique is on average 2.4b/s.


• Absolute bit values: Uses the time difference ∆t between LED state changes as the number of bits transferred; the value of the bits is taken from the actual state of the LED. The bit rate now gets up to 4.1b/s and is consistent since all bits are of equal length.

4.2.5 Push button

As with WPS (section 2.1.3), a secure enough solution could be to let the user physically push a button on the central unit, initiating a process to connect a device to it. Doing so means that we prohibit any attacker from initiating this process, because the attacker would need physical access to the central unit. However, there is no guarantee that an attacker is not launching a man-in-the-middle attack as soon as the user presses the button to connect an honest device. One might argue that it is only during a very short period of time that this is possible, so there might not be a practical problem, but it is very easy to launch the attack at a location where it is known that the installation is going to take place in the near future.

4.3 Pairing through visual channel

As mentioned in section 2.3.5, it is possible to perform an authenticated key agreement without having the user manually enter or compare two values. The schemes are taken from [13] and are explained in detail in the following sections. They use the visual channel as an OOB channel to transfer a confirmation message from one party to the other. This of course requires that at least one of the devices is equipped with a camera and the other has some sort of display. There are two schemes proposed by [13], one using a high bandwidth visual channel such as a two-dimensional barcode shown on a high resolution display and one using a low bandwidth visual channel as discussed in section 4.2.4. In both cases the visual channel is assumed to be trusted but not secure, i.e. an adversary cannot send messages on it but can eavesdrop on it.

4.3.1 High bandwidth visual channel

The first version uses two-dimensional barcodes, e.g. QR codes, to transfer data from one device to the other. This requires that one of the devices is equipped with a high resolution display to show the barcode on and that the other has a camera to read the barcode. Since a two-dimensional barcode can hold so much data, there is no need to shorten the confirmation codes, and the pairing scheme suggested in [13] just uses a hash h(pkA||pkB) as confirmation message. Briefly, the scheme works as follows: both parties, A and B, openly exchange their public keys and then one of them computes the hash h(pkA||pkB) and sends it over the visual channel. The receiver can then verify that the hash of the keys corresponds to the expected value. Figure 4.7 illustrates this.


[Figure 4.7, message flow between User, A and B: A sends pkA to B and B sends pkB to A over the main channel; B then shows hB = h(pkA||pkB) on the visual channel, and A checks that h(pkA||pkB) = hB (4) and signals OK to the user.]

Figure 4.7. Authentication through high-bandwidth visual channel.

The security of the scheme in figure 4.7 relies on the difficulty for an adversary of finding two values x1 and x2 such that h(x1||pkB) = h(pkA||x2). If the adversary is able to do that, he can change the first two messages pkA and pkB to x1 and x2 respectively, and A will accept since the hash values match. This is hard to do if the hash function h is collision resistant, as explained in section 2.2. In fact, if the public keys are renewed every time the scheme is performed, that is, they never have the same value, the adversary cannot know the value of pkB before he has to choose x1. In the next message, when pkB is received, the adversary knows the message m1 = (x1||pkB), which will be B's version of the confirmation, and he must be able to find a value x2 such that m2 = (pkA||x2) and h(m1) = h(m2). This corresponds to the second pre-image resistance property of a hash function (given a message m1, it is hard to find a message m2 such that h(m1) = h(m2), section 2.2).

Figure 4.8 illustrates an attempt where C is trying to forge the public key of A. When C sends message number (2) to B, he does not know the value of pkB because B has not revealed it yet (maybe not even generated it), so C has to choose pkC before even knowing pkB. So whatever strategy C uses when choosing pkC, there is no way for C to estimate the value of h(pkC||pkB). Now when C receives pkB in (3) he can calculate hB (B's hash) and needs to make a choice of what to send to A. The only thing C cares about now is to find a value x such that h(pkA||x) = h(pkC||pkB) ⇔ h(pkA||x) = h(m), which is considered infeasible, or at least very unlikely, if h is second pre-image resistant.


[Figure 4.8, message flow between A, man in the middle C, and B: (1) A sends pkA, which C intercepts; (2) C sends pkC to B; (3) B sends pkB, which C intercepts; (4) C must send A some x such that h(pkA||x) = h(pkC||pkB); (5) B shows h(pkC||pkB) on the visual channel and A checks h(pkA||x) = h(pkC||pkB).]

Figure 4.8. Man-in-the-middle attempt on the high-bandwidth visual channel.

4.3.2 Low bandwidth visual channel

When using the low-bandwidth visual channel, such as an LED (see section 4.2.4), it is not practically possible to transfer the large amount of data required by the method used in section 4.3.1. Therefore, a scheme using short confirmation messages should be used, such as MANA as explained in section 2.3.4, where the random number, originally transferred from one device to the other manually by the user, could be transmitted through the visual channel. However, as explained in [13], there is an even simpler scheme that could be used which does not require as many messages on the in-band channel.

In the following scheme, figure 4.9, h is a globally known cryptographic hash function and hs is some mixing function with a short output. That could just be a hash function truncated to the desired number of bits.

Below follows a detailed description of the scheme, which is also illustrated in figure 4.9.

1. B chooses a random challenge RB and sends hB = h(RB) and its own public key pkB to A over the main channel.

2. A chooses its own random challenge RA and sends it along with its public key pkA to B over the main channel.

3. B now sends RB over the main channel to A, who verifies that h(RB) = hB; if it does not, A declines.


4. B computes and sends hsB = hs(RB||RA||pkB||pkA) over the visual channel, and A can compute its own version hsA and verify that they match.

5. If hsA = hsB, A signals OK to the user, if not it signals NOT OK. The user is then required to tell B of the response of A.

[Figure 4.9, message flow between User, A and B: (1) B → A: hB = h(RB), pkB; (2) A → B: RA, pkA; (3) B → A: RB; (4) B → A on the visual channel: hsB = hs(RB||RA||pkB||pkA); (5) A signals OK to the user.]

Figure 4.9. Authentication through visual channel.

The commitment part is where B sends the hash of its random value h(RB) (1); note that A cannot know the value of RB, provided that the hash function h is pre-image resistant, but A can later verify the commitment when B sends the actual value of RB (3).

If an adversary C tries to impersonate A and fool B into accepting his public key pkC, he needs to make sure that hsA = hsB. The adversary can control A's version of the parameters RB and pkB, and also B's version of RA and pkA. If C intercepts the second message, he knows that hsA = hs(Y||RA||Z||pkA) for some values of Y and Z that C might have changed in the first message. At this stage, C also knows that hsB = hs(RB||X||pkB||pkC) and has to choose X so that hsA = hsB. However, C does not know the value of RB yet, so when choosing X, C does not know the value of hsB. The same holds if C tries to impersonate B instead.
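The five steps of the scheme and the impersonation attempt just analysed, as an added example that is not code from the thesis or from [13]. It also implements the relaxed acceptance rule used later in this section for an unsynchronised receiver (every rotation of the n-bit string is tried, and up to k wrong bits are tolerated), since that rule is what the forging probabilities are computed for. Assumptions of this example: public keys are stand-in 32-byte random strings, RA and RB are 16 random bytes, h is SHA-256, hs is SHA-256 truncated to n bits (a truncated hash, as the text allows), and the LED channel is modelled as the bit string B would blink, delivered to A as-is.

```python
"""Added example (not from the thesis or [13]): the low-bandwidth scheme of
figure 4.9 with commitment, truncated confirmation hash and tolerant matching.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hs(data: bytes, n: int) -> str:
    """Mixing function with short output: the first n bits of SHA-256 as '0'/'1'."""
    return format(int.from_bytes(h(data), "big") >> (256 - n), f"0{n}b")


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def accept(expected: str, received: str, k: int, synchronised: bool) -> bool:
    """A's decision in step 5.

    Synchronised: the received string must match within k bit errors.
    Unsynchronised: the camera may have started reading anywhere in the
    repeating blink pattern, so every rotation of the received string is
    tried; this is what raises the forging probability from (4.2) to (4.4).
    """
    n = len(expected)
    if len(received) != n:
        return False
    candidates = [received] if synchronised else [
        received[i:] + received[:i] for i in range(n)]
    return any(hamming(expected, c) <= k for c in candidates)


def run_pairing(n: int, k: int, synchronised: bool, mitm: bool = False) -> bool:
    """Simulate one pairing; return True iff A signals OK to the user.

    mitm=True lets C impersonate A towards B, replacing (RA, pkA) with its
    own (X, pkC) in step 2 as in the analysis above. C must fix X before B
    reveals RB, so it cannot steer hsB. C passes steps 1 and 3 through.
    """
    pk_a, pk_b = secrets.token_bytes(32), secrets.token_bytes(32)
    # Step 1: B commits to RB and sends hB = h(RB), pkB on the main channel.
    r_b = secrets.token_bytes(16)
    h_b = h(r_b)
    # Step 2: A sends RA, pkA on the main channel; with C in the middle,
    # B receives X, pkC instead.
    r_a = secrets.token_bytes(16)
    if mitm:
        x, pk_c = secrets.token_bytes(16), secrets.token_bytes(32)
        b_view = (r_b, x, pk_b, pk_c)
    else:
        b_view = (r_b, r_a, pk_b, pk_a)
    # Step 3: B opens the commitment; A declines if h(RB) != hB. A tampered
    # RB at this step would fail here before anything else happens.
    r_b_opened = r_b
    if not hmac.compare_digest(h(r_b_opened), h_b):
        return False
    # Step 4: B blinks hsB = hs(RB||RA||pkB||pkA) on the LED; A computes hsA
    # from its own view of the four values.
    hs_b = hs(b"".join(b_view), n)
    hs_a = hs(b"".join((r_b_opened, r_a, pk_b, pk_a)), n)
    # Step 5: A compares and signals OK / NOT OK to the user.
    return accept(hs_a, hs_b, k, synchronised)


if __name__ == "__main__":
    print("honest, n=20, k=2, unsynchronised:", run_pairing(20, 2, False))
    print("impersonation, n=20, k=2:", run_pairing(20, 2, False, mitm=True))
```

With n = 20 and k = 2 the impersonation run is still accepted in roughly 0.4% of runs, which is exactly the figure derived from equation (4.4) below; the example's `accept` is where that residual probability lives, and raising n or dropping the rotation tolerance shrinks it.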

Whatever strategy C uses to choose the parameters, the probability of success is still

$$p = \frac{1}{2^n} \qquad (4.2)$$

where n is the number of bits in the output of hs. This of course assumes that both the hash function h and the mixing function hs have uniformly distributed output.

Now, if we do not use any synchronization as discussed in section 4.2.4, there are at most n different values of hsB that will be accepted by A, since we allow every rotation of the message. This means that the probability of successfully launching a man-in-the-middle attack is in the worst case

$$p = \frac{n}{2^n} \qquad (4.3)$$

Additionally, since the visual channel is a bit unreliable we might accept a few errors in the received string; say we allow k bits or less to be incorrect for the receiver to accept. That means that for each of the n different rotations of the expected string, there are

$$\sum_{i=0}^{k} \binom{n}{i}$$

different ways to alter that rotation and still produce a string that would be accepted. This gives us the worst case probability of forging a confirmation string:

$$p = \frac{n \sum_{i=0}^{k} \binom{n}{i}}{2^n} \qquad (4.4)$$

If we use n = 20 bits as hs output and an error tolerance of k = 2, the probability of an adversary successfully launching an attack is, using equation 4.4, $p \approx 4 \cdot 10^{-3}$, and using synchronization reduces the probability of success to $p \approx 2 \cdot 10^{-4}$.

Security as a function of transmission time

The critical parameter for the user experience is the transmission time, and we would therefore like to investigate the security of the scheme in terms of that. Let us say, without any deeper investigation of the matter, that 10 seconds is the maximum time that a user will be patient enough to hold the camera in front of the light source. That is quite a long time and we would like to reduce it as much as possible. Tables 4.4 and 4.5 compare the forging and error probability when using different transmission times, 5 s and 10 s respectively, and different values of the error parameter k. The error probability p1 in the tables is the probability that the transmission fails, i.e. more than k errors were introduced, and the forging probability p2 is the probability with which an adversary could forge a public key and still produce a hash value that the receiver will accept.

Method                       n   k   Error probability p1   Forging probability p2
Time difference (500/1000)   6   0   5.9 · 10^-2            9.4 · 10^-2
Time difference (500/1000)   6   1   1.4 · 10^-3            0.66
Time difference (200/500)   14   0   0.4                    8.5 · 10^-4
Time difference (200/500)   14   1   8.9 · 10^-2            1.3 · 10^-2
Time difference (200/500)   14   2   1.3 · 10^-2            9.0 · 10^-2
Time difference (200/300)   20   4   0.53                   0.1
Time difference (200/300)   20   5   0.33                   0.41
Absolute bit value          25   0   0.6                    7.5 · 10^-7
Absolute bit value          25   1   0.2                    1.9 · 10^-5
Absolute bit value          25   2   5.9 · 10^-2            2.4 · 10^-4

Table 4.4. Comparison of the probability of forging the confirmation value when transmitting for 5 seconds.

The probability of introducing exactly k errors in a message of length n is

$$P(e = k) = \binom{n}{k} p^k (1-p)^{n-k}$$

where p is the probability of the receiver reading a bit incorrectly. There are $\binom{n}{k}$ ways of introducing k errors among n bits and the probability of each of those is $p^k(1-p)^{n-k}$. This formula assumes that the probability of reading a bit incorrectly is independent of the result of all previously read bits. In reality though, it is intuitively more likely that the probability of misinterpreting the second bit, for instance, is higher if the first bit was read incorrectly than if it was read correctly. These probabilities should be investigated further, but we will assume independent probabilities here. The probability of introducing more than k errors in a message of length n is then

$$P(e > k) = P(e = k+1) + P(e > k+1) = P(e = k+1) + P(e = k+2) + \cdots + P(e = n)$$

The forging probabilities are computed with equation (4.4), and the bit length n is the average number of bits that the particular method is able to transmit during the specified time. Both probabilities should, of course, be as low as possible. Increasing p1 will make the pairing more likely to fail and increasing p2 will make it easier to forge the public key. It is hard to come up with a reasonable limit for the two probabilities, but it is clear that p2 is more important than p1, because if the pairing fails, the user can always make another try. The lowest forging probability p2 with an error probability p1 under 10% in table 4.4 is 2.4 · 10^-4, using an absolute bit value and error parameter k = 2.
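The two probabilities behind tables 4.4 and 4.5, computed from the formulas of this section as an added example that is not code from the thesis. p1 = P(e > k) uses the binomial model above (independent bit errors, as the text assumes); p2 uses equation (4.4), and the same function gives (4.3) for k = 0 and (4.2) when the receiver is synchronised and the rotation factor n drops out. For the absolute bit value method the per-bit error rate is the "about 3.6%" measured in section 4.2.4 and n follows from its 200 ms bit slot (25 bits in 5 s, 50 in 10 s); the per-bit rates of the time difference methods are not stated in the text, so only their p2 column can be reproduced. All names in the block are this example's own.

```python
"""Added example (not from the thesis): error probability p1 and forging
probability p2 of tables 4.4 and 4.5, from equations (4.2)-(4.4) and the
binomial error model of this section.
"""
from math import comb

ABS_BIT_ERROR_RATE = 0.036  # section 4.2.4: about 3.6% of bits misread
ABS_BIT_SLOT_MS = 200       # section 4.2.4: 200 ms per bit


def accepted_strings(n: int, k: int, synchronised: bool = False) -> int:
    """Number of n-bit strings A would accept for one expected string.

    Each candidate may differ from the expected string in up to k positions,
    giving sum_{i<=k} C(n,i) strings per rotation; an unsynchronised receiver
    tries all n rotations. Counting n rotations is a worst case: a string
    that is its own rotation is counted more than once, which can only
    overestimate the forger's chance.
    """
    within_k = sum(comb(n, i) for i in range(k + 1))
    return within_k * (1 if synchronised else n)


def forging_probability(n: int, k: int, synchronised: bool = False) -> float:
    """p2: fraction of the 2^n possible strings that would be accepted (4.4)."""
    return accepted_strings(n, k, synchronised) / 2 ** n


def error_probability(n: int, k: int, p: float) -> float:
    """p1 = P(e > k) = 1 - sum_{i<=k} C(n,i) p^i (1-p)^(n-i)."""
    p_at_most_k = sum(comb(n, i) * p ** i * (1 - p) ** (n - i)
                      for i in range(k + 1))
    return 1.0 - p_at_most_k


def bits_in(seconds: float, slot_ms: int = ABS_BIT_SLOT_MS) -> int:
    """n: bits the absolute bit value method transmits in the given time."""
    return int(seconds * 1000 // slot_ms)


def absolute_bit_value_rows(seconds: float, ks, p: float = ABS_BIT_ERROR_RATE):
    """Rows (n, k, p1, p2) for the 'Absolute bit value' lines of the tables."""
    n = bits_in(seconds)
    return [(n, k, error_probability(n, k, p), forging_probability(n, k))
            for k in ks]


if __name__ == "__main__":
    for secs, ks in ((5, (0, 1, 2)), (10, (2, 3, 4, 5))):
        for n, k, p1, p2 in absolute_bit_value_rows(secs, ks):
            print(f"{secs:>2} s  n={n}  k={k}  p1={p1:.2g}  p2={p2:.2g}")
    # The n = 20, k = 2 figures quoted after equation (4.4):
    print(f"n=20 k=2: unsynchronised {forging_probability(20, 2):.2g}, "
          f"synchronised {forging_probability(20, 2, True):.2g}")
```

Running it reproduces the absolute bit value rows of both tables to the precision printed there; swapping in a measured per-bit error rate for another method gives its p1 column the same way.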


Method                       n   k   Error probability p1   Forging probability p2
Time difference (500/1000)  13   0   0.12                   1.6 · 10^-3
Time difference (500/1000)  13   1   7.2 · 10^-3            2.2 · 10^-2
Time difference (200/500)   28   0   0.64                   1.0 · 10^-7
Time difference (200/500)   28   1   0.27                   3.0 · 10^-6
Time difference (200/500)   28   2   7.8 · 10^-2            4.2 · 10^-5
Time difference (200/300)   40   5   0.94                   2.8 · 10^-5
Time difference (200/300)   40   6   0.87                   1.7 · 10^-4
Time difference (200/300)   40   7   0.76                   8.5 · 10^-4
Absolute bit value          50   2   0.27                   5.7 · 10^-11
Absolute bit value          50   3   0.11                   9.3 · 10^-10
Absolute bit value          50   4   2.4 · 10^-2            1.1 · 10^-8
Absolute bit value          50   5   8.9 · 10^-3            1.1 · 10^-7

Table 4.5. Comparison of the probability of forging the confirmation value when transmitting for 10 seconds.


Chapter 5

Conclusions

In the previous chapters we investigated different methods for device pairing and data protection; this chapter will look at how these can be applied to the alarm system explained in Section 1.1. As argued earlier, WPA2 covers most of the requirements for the alarm, including the data protection and the replay attacks. Adding that it is widely used and implemented in most commercial devices makes it a good choice over an application protocol.

5.1 Device pairing

There are essentially two major ways to perform the pairing discussed in this thesis: by using an out-of-band channel or by using an external server to map two devices together. In the former case the authentication is somewhat implicit in the pairing, whereas in the latter case the pairing is done by asking a server for the id of a matching device. The OOB pairing schemes explained in section 4.3 work with the alarm components used at present and do not, as opposed to the external server, require an Internet connection to function. The devices used for testing and development are a router from Cisco¹ running a custom build of the OpenWrt Linux distribution², an Android tablet running Android API level 8, and an Acelink web camera³ with a custom build of a Linux 2.4 operating system.

The barcode approach works well for the cameras in the alarm system when the barcode is displayed on the tablet. The tablets can be connected to the router using the low bandwidth visual channel as discussed in section 4.3.2: they have a camera and the router is equipped with an LED. The tablet also has a good display which can be used to show the reading progress to the user, and it is easy to notify the user of possible errors occurring during the pairing. It should be noted, however, that the LED approach is far from perfect and should be tested more thoroughly before it can be used by ordinary users.

¹ Linksys wrt160nl
² OpenWrt Backfire 10.03, http://wiki.openwrt.org/
³ Acelink IC-3030


One of the drawbacks with the OOB channels is that they are very device specific; to use the visual channel, for example, one of the devices needs a camera and the other a light source of some sort. Similarly, a specific device might not have a camera but instead a USB socket, in which case that could be used as the OOB channel. The problem then is the confusion for the end user: to connect device X you need to use method Y, but for device A, use method B instead. In our case with the alarm system, all devices at present are equipped with a camera, and even though the process of connecting them differs in terms of using the LED reader versus the barcode reader, the user experience is still quite similar. To connect a device, just hold it up in front of another device until notified. In any case, a standardization of the OOB channel used for device pairing would be preferable, maybe through infrared light.

5.2 Future work

A concern that could be important to consider in the future is the renewal of cryptographic keys. In the final setting we have two types of keys: the network key, which is the pre-shared key of the WPA2 protected wireless network, and the public keys used in the key agreements. Clearly, if the public keys are compromised, the attacker will also likely have access to the network key, since that key has once been encrypted with the corresponding public keys. If the public keys have not been compromised, the new pre-shared key could just be distributed with those public keys and no pairing would have to be done again. When it comes to the renewal of the public keys, however, a device could distribute its new public key signed by its current private key well before it has expired. However, it might not even be a problem, since the current lifetime of, say, an RSA key of 2048 bits is about 20 years, which is probably much longer than the lifetime of the hardware in the devices. If this is the case then the device will die before the key expires and the user will have to get a new one and perform an initial pairing again.


Bibliography

[1] QR-code. Available at: http://www.denso-wave.com/qrcode/aboutqr-e.html.

[2] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 2007. Chapter 8 (Security).

[3] Wi-Fi Alliance. Wi-Fi Protected Setup Specification v1.0. Available at: https://www.wi-fi.org/knowledge_center_overview.php?type=4.

[4] Dan Boneh. The decision Diffie-Hellman problem. In Joe Buhler, editor, Algorithmic Number Theory, volume 1423 of Lecture Notes in Computer Science, pages 48–63. Springer Berlin / Heidelberg, 1998.

[5] Matthias Brill, Werner Damm, Jochen Klose, Bernd Westphal, and Hartmut Wittke. Live sequence charts. In Hartmut Ehrig, Werner Damm, Jörg Desel, Martin Große-Rhode, Wolfgang Reif, Eckehard Schnieder, and Engelbert Westkämper, editors, Integration of Software Specification Techniques for Applications in Engineering, volume 3147 of Lecture Notes in Computer Science, pages 374–399. Springer Berlin / Heidelberg, 2004.

[6] Christian Gehrmann, Chris J. Mitchell, and Kaisa Nyberg. Manual authentication for wireless devices. CryptoBytes, pages 29–37, 2004.

[7] Ivan Damgård. Commitment schemes and zero-knowledge protocols. In Ivan Damgård, editor, Lectures on Data Security, volume 1561 of Lecture Notes in Computer Science, pages 63–86. Springer Berlin / Heidelberg, 1999.

[8] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22:644–654, 1976.

[9] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Serge Vaudenay and Amr Youssef, editors, Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer Berlin / Heidelberg, 2001.

[10] G. Gehrmann and K. Nyberg. Enhancements to Bluetooth baseband security. Proceedings of Nordsec 2001, Copenhagen, Denmark, November 2001.

[11] R. W. Hamming. Error detecting and error correcting codes. The Bell System Technical Journal, 29, April 1950.

[12] M. Cooper, Y. Dzambasow, P. Hesse, S. Joseph, and R. Nicholas. RFC 4158, Internet X.509 Public Key Infrastructure: Certification Path Building. Available at: http://tools.ietf.org/html/rfc4158, September 2005.

[13] N. Saxena, J-E. Ekberg, K. Kostiainen, and N. Asokan. Secure device pairing based on visual channel. Security and Privacy, 2006 IEEE Symposium on, May 2006.

[14] Sven Laur and Kaisa Nyberg. Efficient mutual data authentication using manually authenticated strings. In David Pointcheval, Yi Mu, and Kefei Chen, editors, Cryptology and Network Security, volume 4301 of Lecture Notes in Computer Science, pages 90–107. Springer Berlin / Heidelberg, 2006.

[15] D. P. Maher. Secure communication method and apparatus. U.S. Patent Number 5,450,493, September 1995.

[16] National Institute of Standards and Technology. Secure Hash Standard, October 2008.

[17] H. Nyquist. Certain topics in telegraph transmission theory. Trans. AIEE, 47:617–644, April 1928.

[18] E. Rescorla. RFC 2631, Diffie-Hellman Key Agreement Method. Available at: http://tools.ietf.org/html/rfc2631, June 1999.

[19] Douglas R. Stinson. Cryptography, Theory and Practice, chapter 4. Chapman & Hall/CRC, 3rd edition, 2006.

[20] Douglas R. Stinson. Cryptography, Theory and Practice, chapter 11. Chapman & Hall/CRC, 3rd edition, 2006.

[21] Douglas R. Stinson. Cryptography, Theory and Practice, pages 431–438. Chapman & Hall/CRC, 3rd edition, 2006.

[22] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Proceedings of the 8th International Conference on Information Security Applications, WISA'07, pages 188–202, Berlin, Heidelberg, 2007. Springer-Verlag.

[23] Serge Vaudenay. Secure communications over insecure channels based on short authenticated strings. Advances in Cryptology – CRYPTO 2005, number 3621 in Lecture Notes in Computer Science, pages 309–326, 2005.

