bridging the ui gap for authentication in smart environments sebastian unger prof. dirk timmermann...
TRANSCRIPT
Bridging the UI Gap for Authentication in Smart Environments
Sebastian UngerProf. Dirk Timmermann
University of Rostock, GermanyMuSAMA DFG Graduate Program
Problem statement
What is it about?
?© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 225.06.2014
How to mutually authenticate a light bulb and a switch?
3
• Motivation
• Basic Principles
• Approach
• Prototype Implementation
• Conclusion & Future Work
Agenda
25.06.2014 © 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“
4
• Motivation
• Basic Principles
• Approach
• Prototype Implementation
• Conclusion & Future Work
Agenda
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014
What it is about
Motivation
AALIoTWoT
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 525.06.2014
Confidentiality
Security?
Motivation
Authorization
Integrity
Prerequisite: Authentication / Authenticity© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 625.06.2014
Authentication
Motivation
Authentication = Identification
+ Keying
+ Parameter negotiation
AES-CBC-256
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 725.06.2014
8
• Motivation
• Basic Principles on Authentication
• Approach
• Prototype Implementation
• Conclusion & Future Work
Agenda
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014
Delegated
Basic Authentication Approaches
Basic Principles
vs.
Direct
Trust Authority (TA)
implicit trust relationship
Usually hybrid approachHow is trust established between endpoints and TA?
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 925.06.2014
Delegated authentication example: certificate hierarchies
Basic Principles
root CA
CAs
end points
certificate hierarchies: authentication is delegated by certificate authorities (CA) with the root CA at the top of the tree
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1025.06.2014
can reduce endpoint’s efforts
easier to manage (one vendor)
transparent to user
requires (vendor-independent) infrastructure
single point(s) of failure
authentication in field cumbersome
Delegated authentication: pros and cons
Basic Principles
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1125.06.2014
Direct Authentication
Basic Principles
Direct Authentication: Exchange a PIN out-of-band (OOB)
OOB channels can be
1234 1234
e.g. challenge-response
OOB:1234
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1225.06.2014
Direct authentication: pros and cons
Basic Principles
no trusted 3rd parties
no infrastructure necessary
no single point of failure
authentication / connection establishment at runtime
# of connections per device: n (instead of 1)
OOB channel must be possible
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1325.06.2014
14
• Motivation
• Basic Principles
• Approach to bridge UI gaps
• Prototype Implementation
• Conclusion & Future Work
Agenda
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014
Problem statement
Approach
?© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1525.06.2014
Common approach to bridge the gap
Approach
Supply every device with NFC capabilities ( NFC hype)Example:
Is it possible to bridge the gap w/o supplying peripherals the device does not need?
?© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1625.06.2014
Our approach to bridge the gap
Approach
Approach: Incorporate user interface capabilities of omnipresent multimedia devices
?© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1725.06.2014
Multimedia device properties
Approach
Multimedia devices…
… have plenty of user interface capabilities
… are literally everywhere in today’s homes
… are often carried with their users
Example: Smartphone LG Nexus 4
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1825.06.2014
The complete protocol
Approach
Client Devicephone
discoverydiscovery
Metadata: Matching authentication mechanism?
MetadataRequest authentication w/ Device
Request authentication w/ Client
PIN oob-channel 1PIN oob-channel 2
Remainder of authentication handshake
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 1925.06.2014
How to translate the OOB channel: ECDH
Approach
Elliptic Curve Diffie Hellman (ECDH)
Alice Bob
pick SKA
PKA=SKA×G
pick SKB
PKB=SKB×GPKA
PKB
S=SA=PKB×SKA S=SB=PKA×SKB
Adversary cannot calculate S BUT Man-in-the-Middle (MITM) attack is possible
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 20
publicly agree on elliptic curve G
25.06.2014
How to translate the OOB channel: ECDH
Approach
Elliptic Curve Diffie Hellman (ECDH): MITM
Alice Bob
pick SKA
PKA=SKA×G
pick SKB
PKB=SKB×GPKA
PKM
S1=SA=PKM×SKA S2=SB=PKM×SKB
Alice an Bob are not aware of MITM’s presence
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 21
MITM
PKM
PKB
S1=PKA×SKM S2=PKB×SKM
25.06.2014
How to translate the OOB channel: authenticated ECDH
Approach
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho
Alice Bobpublicly agree on elliptic curve G, exchange PW OOB
pick SKA
PKA=SKA×G
PK‘A=PKA-Q(PW)
pick SKB
PKB=SKB×G
PK‘A, nonceA,idA,idB
PKB, nonceB, idA, idB, HB
S=SA=PKB×SKA
verify HB
HA=cmac(S,parm) verify HA
PKA=PK‘A+Q(PW)
S=SB=PKA×SKB
HB=cmac(S,parm)
HA
MK = cmac(S, nonceA | nonceB)
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 22
• Assume previously (OOB) exchanged PIN PW• Distort Alice‘s PK with PW• Use keyed hashes of IDs and parameters to
authenticate handshake• Derive master key MK from S
25.06.2014
How to translate the OOB channel: authenticated ECDH
Approach
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho
Alice Bob
pick SKA
PKA=SKA×G
PK‘A=PKA-Q(PW)
pick SKB
PKB=SKB×G
PK‘A, nonceA,idA,idB
PKB, nonceB, idA, idB, HB
S=SA=PKB×SKA
verify HB
HA=cmac(S,parm) verify HA
PKA=PK‘A+Q(PW)
S=SB=PKA×SKB
HB=cmac(S,parm)
HA
MK = cmac(S, nonceA | nonceB)© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 23
MK = cmac(S, nonceA | nonceB)
phone
PK‘A, nonceA,idA,idB
PKB, nonceB, idA, idB, HB
HA
PW• Parameters contain the requested OOB
authentication mechanism• This must be changed to preserve transparency• Phone cannot recompute HA/B as it has no
knowledge of S
25.06.2014
How to translate the OOB channel: authenticated ECDH
Approach
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant
Alice Bob
pick SKA
PKA=SKA×G
PK‘A=PKA-Q(PW)
pick SKB
PKB=SKB×G
S=SA=PKB×SKA
verify HB
HA=cmac(S,parm) verify HA
PKA=PK‘A+Q(PW)
S=SB=PKA×SKB
HB=cmac(S,parm)
PW+PKB
PW
+PKA
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 24
PK‘A, nonceA,idA,idB
PKB, nonceB, idA, idB, HB
HA
PK‘A, nonceA,idA,idB
PKB, nonceB, idA, idB, HB
HA
PWphone
• HA/B = f(S(PW)) = f(PW)• Use PW directly to compute hashes• Add public keys to hashes to detect
MITM as early as possible
MK = cmac(S, nonceA | nonceB)MK = cmac(S, nonceA | nonceB)25.06.2014
25
• Motivation
• Basic Principles
• Approach
• Prototype Implementation
• Conclusion & Future Work
Agenda
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014
Hardware Setup
Prototype Implementation
Device: Light Bulb
Client: Light Switch
Multimedia device:Smart phone (LG Nexus 4)
+App: WS4D Mobile Authenticator© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 2625.06.2014
Flow I
Prototype Implementation
Discovery
Discovery
Request authentication
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 2725.06.2014
Flow II
Prototype Implementation
Metadata
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 2825.06.2014
Flow II
Prototype Implementation
Request Authentication
Metadata
Response to request
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 2925.06.2014
Flow II
Prototype Implementation
OOB Pin Exchange
Request Authentication
Metadata
Response to request
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3025.06.2014
Flow III
Prototype Implementation
Request Authentication
Response to request
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3125.06.2014
Flow III
Prototype Implementation
Request Authentication
Response to request
OOB Pin Exchange
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3225.06.2014
Flow IV
Prototype Implementation
Request authentication
Request authentication
Response
Response
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3325.06.2014
Summary
Prototype Implementation
devices are authenticated indirectly
+ keying + parameter negotiation
completely transparent to Device
mostly transparent to Client + less effort for Client
no delegated authentication, phone remains unauthenticated© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3425.06.2014
35
• Motivation
• Basic Principles
• Approach
• Prototype Implementation
• Conclusion & Future Work
Agenda
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014
Conclusion
solution for bridging possible UI Gaps
increases usability of authentication
transparent to user and device
developed high-level protocol / flow
developed cryptographic protocol for indirect authentication
open-source prototype by means of hardware + Android app
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3625.06.2014
The Big Picture
Future Work
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 37
Indirect Authentication part of project to create security framework for
distributed embedded systems based on WS Security suite
• Integrate message level security
• Combine with delegated authentication to increase transparency and
usability
• Current communication: DPWS, future: REST
25.06.2014
Additional mechanisms
Future Work
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3825.06.2014
Thank you very much for your attention!
Any questions?
Questions?
Thank you!
Sebastian UngerInstitute for Applied Microelectronics and Computer Engineering,
University of Rostock, [email protected]
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3925.06.2014
Bridging Larger Gaps
Backup
?
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 40
Completely
transparent
for Device
and Client
25.06.2014
Why public keys in hash?
Backup
Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant
Alice Bob
© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 41
phone MITMPW PW PW PWPKA‘ PKA‘ PKM[…]
S1=PK‘M x SKBS2=PKB x SKMS4=PKM x SKA S3=PK‘A x SKM
Man-in-the-Middle (MITM) attack is not detected. It’s simply not possible for Alice and Bob (via MITM) to communicate b/c different sessions keys Si are calculated.
Including public keys in hashes however makes it possible to detect MITM.
25.06.2014