Rene Mayrhofer

Shake well before use: authentication based on accelerometer data

Small, mobile devices without user interfaces, such as Bluetooth headsets, often need to communicate securely over wireless networks. Active attacks can only be prevented by authenticating wireless communication, which is problematic when devices do not have any a priori information about each other. We introduce a new method for device-to-device authentication by shaking devices together. This paper describes two protocols for combining cryptographic authentication techniques with known methods of accelerometer data analysis to the effect of generating authenticated, secret keys. The protocols differ in their design, one being more conservative from a security point of view, while the other allows more dynamic interactions. Three experiments are used to optimize and validate our proposed authentication method.

Shake Well Before Use: Intuitive and Secure Pairing of Mobile Devices

A challenge in facilitating spontaneous mobile interactions is to provide pairing methods that are both intuitive and secure. Simultaneous shaking is proposed as a novel and easy-to-use mechanism for pairing of small mobile devices. The underlying principle is to use common movement as a secret that the involved devices share for mutual authentication. We present two concrete methods, ShaVe and ShaCK, in which sensing and analysis of shaking movement is combined with cryptographic protocols for secure authentication. ShaVe is based on initial key exchange followed by exchange and comparison of sensor data for verification of key authenticity. ShaCK, in contrast, is based on matching features extracted from the sensor data to construct a cryptographic key. The classification algorithms used in our approach are shown to robustly separate simultaneous shaking of two devices from other concurrent movement of a pair of devices, with a false negative rate of under 12 percent. A user study confirms that the method is intuitive and easy to use, as users can shake devices in an arbitrary pattern.

A Human-Verifiable Authentication Protocol Using Visible Laser Light

Securing wireless channels necessitates authenticating communication partners. For spontaneous interaction, authentication must be efficient and intuitive. One approach to create interaction and authentication methods that scale to using hundreds of services throughout the day is to rely on personal, trusted, mobile devices to interact with the environment. Authenticating the resulting device-to-device interactions requires an out-of-band channel that is verifiable by the user. We present a protocol for creating such an out-of-band channel with visible laser light that is secure against man-in-the-middle attacks even when the laser transmission is not confidential. A prototype implementation shows that an appropriate laser channel can be constructed with simple off-the-shelf components

The candidate key protocol for generating secret shared keys from similar sensor data streams

Secure communication over wireless channels necessitates authentication of communication partners to prevent man-in-the-middle attacks. For spontaneous interaction between independent, mobile devices, no a priori information is available for authentication purposes. However, traditional approaches based on manual password input or verification of key fingerprints do not scale to tens to hundreds of interactions a day, as envisioned by future ubiquitous computing environments. One possibility to solve this problem is authentication based on similar sensor data: when two (or multiple) devices are in the same situation, and thus experience the same sensor readings, this constitutes shared, (weakly) secret information. This paper introduces the Candidate Key Protocol (CKP) to interactively generate secret shared keys from similar sensor data streams. It is suitable for two-party and multi-party authentication, and supports opportunistic authentication.

A Survey of User Interaction for Spontaneous Device Association

In a wireless world, users can establish ad hoc virtual connections between devices that are unhampered by cables. This process is known as spontaneous device association. A wide range of interactive protocols and techniques have been demonstrated in both research and practice, predominantly with a focus on security aspects. In this article, we survey spontaneous device association with respect to the user interaction it involves. We use a novel taxonomy to structure the survey with respect to the different conceptual models and types of user action employed for device association. Within this framework, we provide an in-depth survey of existing techniques discussing their individual characteristics, benefits, and issues.

An Analysis of Different Approaches to Gait Recognition Using Cell Phone Based Accelerometers

Biometric gait authentication using Personal Mobile Device (PMD) based accelerometer sensors offers a user-friendly, unobtrusive, and periodic way of authenticating individuals on PMD. In this paper, we present a technique for gait cycle extraction by incorporating the Piecewise Linear Approximation (PLA) technique. We also present two new approaches to classify gait features extracted from the cycle-based segmentation by using Support Vector Machines (SVMs); a) pre-computed data matrix, b) pre-computed kernel matrix. In the first approach, we used Dynamic Time Warping (DTW) distance to compute data matrices, and in the later DTW is used for constructing an elastic similarity measure based kernel function called Gaussian Dynamic Time Warp (GDTW) kernel. Both approaches utilize the DTW similarity measure and can be used for classifying equal length gait cycles, as well as different length gait cycles. To evaluate our approaches we used normal walk biometric gait data of 51 participants. This gait data is collected by attaching a PMD to the belt around the waist, on the right-hand side of the hip. Results show that these new approaches need to be studied more, and potentially lead us to design more robust and reliable gait authentication systems using PMD based accelerometer sensor.

On the Security of Ultrasound as Out-of-band Channel

Ultrasound has been proposed as out-of-band channel for authentication of peer devices in wireless ad hoc networks. Ultrasound can implicitly contribute to secure communication based on inherent limitations in signal propagation, and can additionally be used explicitly by peers to measure and verify their relative positions. In this paper we analyse potential attacks on an ultrasonic communication channel and peer-to-peer ultrasonic sensing, and investigate how potential attacks translate to application-level threats for peers seeking to establish a secure wireless link. Based on our analysis we propose a novel method for authentic communication of short messages over an ultrasonic channel.

Towards face unlock: on the difficulty of reliably detecting faces on mobile phones

Currently, reliable face detection and recognition are becoming more important on mobile devices -- e.g. to unlock the screen. However, using only frontal face images for authentication purposes can no longer be considered secure under the assumption of easy availability of frontal snapshots of the respective device owners from social networks or other media. In most current implementations, a sufficiently high-resolution face image displayed on another mobile device will be enough to circumvent security measures. In this paper, we analyze current methods to face detection and recognition regarding their usability in the mobile domain, and then propose an approach to a Face Unlock system on a smart phone intended to be more secure than current approaches while still being convenient to use: we use both frontal and profile face information available during a pan shot around the users head, by combining camera images and movement sensor data. Current results to face detection are promising, but reliable face recognition needs further research.

Security by spatial reference: using relative positioning to authenticate devices for spontaneous interaction

Spontaneous interaction is a desirable characteristic associated with mobile and ubiquitous computing. The aim is to enable users to connect their personal devices with devices encountered in their environment in order to take advantage of interaction opportunities in accordance with their situation. However, it is difficult to secure spontaneous interaction as this requires authentication of the encountered device, in the absence of any prior knowledge of the device. In this paper we present a method for establishing and securing spontaneous interactions on the basis of spatial references that capture the spatial relationship of the involved devices. Spatial references are obtained by accurate sensing of relative device positions, presented to the user for initiation of interactions, and used in a peer authentication protocol that exploits a novel mechanism for message transfer over ultrasound to ensures spatial authenticity of the sender.

UACAP: A Unified Auxiliary Channel Authentication Protocol

Authenticating spontaneous interactions between devices and users is challenging for several reasons: the wireless (and therefore invisible) nature of device communication, the heterogeneous nature of devices, and lack of appropriate user interfaces in mobile devices, and the requirement for unobtrusive user interaction. The most promising approach that has been proposed in literature involves the exploitation of the so-called auxiliary channels for authentication to bridge the gap between usability and security. This concept has spawned the independent development of various authentication methods and research prototypes, that, unfortunately, remain hard to compare and interchange and are rarely available to potential application developers. We present a novel, unified cryptographic authentication protocol framework (UACAP) to unify these approaches on using auxiliary channels and analyze its security properties. This protocol and a selection of auxiliary channels aimed at authentication of mobile devices has been implemented and released in an open-source ubiquitous authentication toolkit (OpenUAT). We also present an initial user study evaluating four of these channels.