Page 1

Loud And Clear Security

Michael T. Goodrich, Michael Sirivianos, John Solis, Gene Tsudik and Ersin Uzun

{goodrich,msirivia,jsolis,gts,euzun}@ics.uci.edu

Center for Cyber-Security and Privacy

Page 2

Problem Statement

• Authentication of communication channels between devices that lack any previous secure association.

[Figure: Alice and Bob with Eve between them; each side is marked "??" because neither device can tell whether the key it receives really came from the other.]

Page 3

Challenges

• Human-verifiable authentication.
• Introduce the user into the authentication loop.
• No previous shared secrets.
• No online or offline authority.
• Limited computational resources on portable devices.
• Support for multiple broadcast mediums.

Page 4

Previous Approaches

• Human-comparable visual hashes
  • Cumbersome task
  • High error rate
• Seeing is Believing
  • 2D barcodes to authenticate devices with camera phones
  • Many devices lack a camera or barcode scanner
  • Need a graphical display or sticker
  • Visually-impaired users
  • Poor visibility scenarios (e.g., smoke, darkness)
  • Requires a sufficiently clear picture

Page 5

Our Solution: L&C

• Audio channel for human-assisted authentication of previously un-associated devices.
• Derive an auditorially-robust, syntactically correct sentence (MadLib) from the hash of a public key.
• Vocalize the sentence.
• Combine vocalization on one (or both) devices with the display of the same information on the other device.
• Suitable for secure device pairing (e.g., key exchange) and similar tasks.
• Only need a speaker on one device and a small (text) display on the other.

Page 6

Sample Use Scenarios

Personal Device:
• Cell phone: speaker & small display
• Handheld/PDA: speaker & display
• Smart Watch: tiny speaker & tiny display
• MP3 player: audio out & no display

Target Device:
• Printer or FAX: speaker & small display
• Base Station: no speaker & no display

Mutual authentication possibly required.

Page 7

L&C Use Types

• TYPE 1: Hear and compare two audible sequences, one from each device.
• TYPE 2: Hear the audible sequence from the target device and compare it to the text displayed by the personal device.
• TYPE 3: Hear the audible sequence from the personal device and compare it to the text displayed by the target device.
• TYPE 4: Compare the text displayed on each device.
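The sentence derivation on page 5 and the four comparison layouts on page 7, as an added example in Python that is not code from the L&C project: it hashes a public key, maps the leading digest bits onto a fixed sentence template, and models the user's spoken-versus-displayed comparison. The word lists, the template, and the key byte strings are constructed for this example; L&C's actual vocabulary and its selection of auditorially robust words are not reproduced.

```python
"""Hash-to-sentence fingerprints in the style of L&C (added example)."""
import hashlib
import math
import re

# Constructed word lists for this example; they are not L&C's vocabulary.
# Each list has a power-of-two length so a slot consumes a whole number of bits.
ADJECTIVES = ["red", "green", "tall", "quiet", "happy", "cold", "brave", "odd",
              "soft", "wild", "blue", "sharp", "tiny", "loud", "slow", "warm"]
NOUNS = ["cat", "pilot", "river", "doctor", "ship", "garden", "clock", "tiger",
         "piano", "farmer", "bridge", "rocket", "apple", "judge", "train", "lamp"]
VERBS = ["chases", "paints", "visits", "builds", "watches", "carries", "finds",
         "pushes", "greets", "buys", "follows", "cleans", "draws", "opens",
         "hides", "throws"]

# Template "The <adj> <noun> <verb> the <adj> <noun>." SLOTS lists the fillable
# positions in order; SLOT_POSITIONS is their word index in the finished sentence.
SLOTS = [ADJECTIVES, NOUNS, VERBS, ADJECTIVES, NOUNS]
SLOT_POSITIONS = [1, 2, 3, 5, 6]
FORMAT = "The {} {} {} the {} {}."


def slot_bits(words):
    return int(math.log2(len(words)))


def fingerprint_bits():
    """Digest bits the sentence carries: log2 of the number of distinct sentences."""
    return sum(slot_bits(words) for words in SLOTS)


def fingerprint(pubkey: bytes) -> int:
    """Leading fingerprint_bits() bits of SHA-256(pubkey), as an integer."""
    digest = int.from_bytes(hashlib.sha256(pubkey).digest(), "big")
    return digest >> (256 - fingerprint_bits())


def hash_to_sentence(pubkey: bytes) -> str:
    """Fill the template from the fingerprint, most significant slot first."""
    value, remaining = fingerprint(pubkey), fingerprint_bits()
    chosen = []
    for words in SLOTS:
        remaining -= slot_bits(words)
        chosen.append(words[(value >> remaining) & (len(words) - 1)])
    return FORMAT.format(*chosen)


def sentence_to_fingerprint(sentence: str) -> int:
    """Inverse mapping, e.g. to re-check a sentence the user typed or repeated."""
    tokens = re.findall(r"[a-z]+", sentence.lower())
    value = 0
    for words, pos in zip(SLOTS, SLOT_POSITIONS):
        value = (value << slot_bits(words)) | words.index(tokens[pos])
    return value


def human_compare(spoken: str, displayed: str) -> bool:
    """The user's check: same words, ignoring case, spacing and punctuation."""
    def words(s):
        return re.findall(r"[a-z]+", s.lower())
    return words(spoken) == words(displayed)


def pairing_accepted(key_sent_by_target: bytes, key_received_by_personal: bytes) -> bool:
    """One L&C run in the TYPE 2 layout: the target vocalizes the sentence of the
    key it sent, the personal device displays the sentence of the key it received.
    Swapping which side speaks and which displays (TYPES 1, 3, 4) changes only the
    channel, not the computation."""
    spoken = hash_to_sentence(key_sent_by_target)
    displayed = hash_to_sentence(key_received_by_personal)
    return human_compare(spoken, displayed)


if __name__ == "__main__":
    # Constructed stand-ins for the devices' public keys (not real key material).
    TARGET_PUB = b"constructed target public key"
    EVE_PUB = b"constructed attacker public key"
    print("encoded bits :", fingerprint_bits())
    print("target says  :", hash_to_sentence(TARGET_PUB))
    print("honest run   :", pairing_accepted(TARGET_PUB, TARGET_PUB))
    # Eve substitutes her key on the wireless channel: the personal device now
    # displays Eve's sentence while the target still speaks its own.
    print("Eve in middle:", pairing_accepted(TARGET_PUB, EVE_PUB))
```

The check is only as strong as the number of bits the sentence encodes: an attacker who chooses her own key can search on the order of 2^k candidate keys offline for one whose sentence matches the honest device's, so the word lists (or the template length) must make k far larger than the 20 bits used here for readability. Normalizing case and punctuation in human_compare models what a listener ignores; any difference in the words themselves is a rejection, which is why the sentence words need to be distinct to the ear.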

Page 8

Implementation and Performance

Programming System
• Built on the highly-portable Ewe Java VM.
• Runs on any Pocket PC or Windows PC.

TTS Engine
• Can use any portable TTS engine.
• Digit for PC and Pocket PC (uses the Elan Speech Engine).
• Now porting Sun's Java FreeTTS and JSAPI to Ewe.

L&C processing times in ms