bridging the ui gap for authentication in smart environments sebastian unger prof. dirk timmermann...

Bridging the UI Gap for Authentication in Smart Environments

Sebastian UngerProf. Dirk Timmermann

University of Rostock, GermanyMuSAMA DFG Graduate Program

Problem statement

What is it about?

?© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 225.06.2014

How to mutually authenticate a light bulb and a switch?

3

• Motivation

• Basic Principles

• Approach

• Prototype Implementation

• Conclusion & Future Work

Agenda

25.06.2014 © 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“

4

• Motivation


• Approach



Agenda

© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“25.06.2014

What it is about

Motivation

AALIoTWoT

© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 525.06.2014

Confidentiality

Security?

Motivation

Authorization

Integrity

Prerequisite: Authentication / Authenticity© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 625.06.2014

Authentication

Motivation

Authentication = Identification

+ Keying

+ Parameter negotiation

AES-CBC-256


8

• Motivation

• Basic Principles on Authentication

• Approach



Agenda


Delegated

Basic Authentication Approaches

Basic Principles

vs.

Direct

Trust Authority (TA)

implicit trust relationship

Usually hybrid approachHow is trust established between endpoints and TA?


Delegated authentication example: certificate hierarchies

Basic Principles

root CA

CAs

end points

certificate hierarchies: authentication is delegated by certificate authorities (CA) with the root CA at the top of the tree


can reduce endpoint’s efforts

easier to manage (one vendor)

transparent to user

requires (vendor-independent) infrastructure

single point(s) of failure

authentication in field cumbersome

Delegated authentication: pros and cons

Basic Principles


Direct Authentication

Basic Principles

Direct Authentication: Exchange a PIN out-of-band (OOB)

OOB channels can be

1234 1234

e.g. challenge-response

OOB:1234


Direct authentication: pros and cons

Basic Principles

no trusted 3rd parties

no infrastructure necessary

no single point of failure

authentication / connection establishment at runtime

# of connections per device: n (instead of 1)

OOB channel must be possible


14

• Motivation


• Approach to bridge UI gaps



Agenda


Problem statement

Approach


Common approach to bridge the gap

Approach

Supply every device with NFC capabilities ( NFC hype)Example:

Is it possible to bridge the gap w/o supplying peripherals the device does not need?


Our approach to bridge the gap

Approach

Approach: Incorporate user interface capabilities of omnipresent multimedia devices


Multimedia device properties

Approach

Multimedia devices…

… have plenty of user interface capabilities

… are literally everywhere in today’s homes

… are often carried with their users

Example: Smartphone LG Nexus 4


The complete protocol

Approach

Client Devicephone

discoverydiscovery

Metadata: Matching authentication mechanism?

MetadataRequest authentication w/ Device

Request authentication w/ Client

PIN oob-channel 1PIN oob-channel 2

Remainder of authentication handshake


How to translate the OOB channel: ECDH

Approach

Elliptic Curve Diffie Hellman (ECDH)

Alice Bob

pick SKA

PKA=SKA×G

pick SKB

PKB=SKB×GPKA

PKB

S=SA=PKB×SKA S=SB=PKA×SKB

Adversary cannot calculate S BUT Man-in-the-Middle (MITM) attack is possible

© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 20

publicly agree on elliptic curve G

25.06.2014

How to translate the OOB channel: ECDH

Approach

Elliptic Curve Diffie Hellman (ECDH): MITM

Alice Bob

pick SKA

PKA=SKA×G

pick SKB

PKB=SKB×GPKA

PKM

S1=SA=PKM×SKA S2=SB=PKM×SKB

Alice an Bob are not aware of MITM’s presence


MITM

PKM

PKB

S1=PKA×SKM S2=PKB×SKM

25.06.2014

How to translate the OOB channel: authenticated ECDH

Approach

Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho

Alice Bobpublicly agree on elliptic curve G, exchange PW OOB

pick SKA

PKA=SKA×G

PK‘A=PKA-Q(PW)

pick SKB

PKB=SKB×G

PK‘A, nonceA,idA,idB

PKB, nonceB, idA, idB, HB

S=SA=PKB×SKA

verify HB

HA=cmac(S,parm) verify HA

PKA=PK‘A+Q(PW)

S=SB=PKA×SKB

HB=cmac(S,parm)

HA

MK = cmac(S, nonceA | nonceB)


• Assume previously (OOB) exchanged PIN PW• Distort Alice‘s PK with PW• Use keyed hashes of IDs and parameters to

authenticate handshake• Derive master key MK from S

25.06.2014


Approach

Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho

Alice Bob

pick SKA

PKA=SKA×G

PK‘A=PKA-Q(PW)

pick SKB

PKB=SKB×G



S=SA=PKB×SKA

verify HB


PKA=PK‘A+Q(PW)

S=SB=PKA×SKB

HB=cmac(S,parm)

HA

MK = cmac(S, nonceA | nonceB)© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 23

MK = cmac(S, nonceA | nonceB)

phone



HA

PW• Parameters contain the requested OOB

authentication mechanism• This must be changed to preserve transparency• Phone cannot recompute HA/B as it has no

knowledge of S

25.06.2014


Approach

Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant

Alice Bob

pick SKA

PKA=SKA×G

PK‘A=PKA-Q(PW)

pick SKB

PKB=SKB×G

S=SA=PKB×SKA

verify HB


PKA=PK‘A+Q(PW)

S=SB=PKA×SKB

HB=cmac(S,parm)

PW+PKB

PW

+PKA




HA



HA

PWphone

• HA/B = f(S(PW)) = f(PW)• Use PW directly to compute hashes• Add public keys to hashes to detect

MITM as early as possible

MK = cmac(S, nonceA | nonceB)MK = cmac(S, nonceA | nonceB)25.06.2014

25

• Motivation


• Approach



Agenda


Hardware Setup

Prototype Implementation

Device: Light Bulb

Client: Light Switch

Multimedia device:Smart phone (LG Nexus 4)

+App: WS4D Mobile Authenticator© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 2625.06.2014

Flow I


Discovery

Discovery

Request authentication


Flow II


Metadata


Flow II


Request Authentication

Metadata

Response to request


Flow II


OOB Pin Exchange


Metadata

Response to request


Flow III



Response to request


Flow III



Response to request

OOB Pin Exchange


Flow IV




Response

Response


Summary


devices are authenticated indirectly

+ keying + parameter negotiation

completely transparent to Device

mostly transparent to Client + less effort for Client

no delegated authentication, phone remains unauthenticated© 2009 UNIVERSITÄT ROSTOCK | S.Unger: „Bridging the UI Gap for Authentication in Smart Environments“ 3425.06.2014

35

• Motivation


• Approach



Agenda


Conclusion

solution for bridging possible UI Gaps

increases usability of authentication

transparent to user and device

developed high-level protocol / flow

developed cryptographic protocol for indirect authentication

open-source prototype by means of hardware + Android app


The Big Picture

Future Work


Indirect Authentication part of project to create security framework for

distributed embedded systems based on WS Security suite

• Integrate message level security

• Combine with delegated authentication to increase transparency and

usability

• Current communication: DPWS, future: REST

25.06.2014

Additional mechanisms

Future Work


Thank you very much for your attention!

Any questions?

Questions?

Thank you!

Sebastian UngerInstitute for Applied Microelectronics and Computer Engineering,

University of Rostock, [email protected]


Bridging Larger Gaps

Backup

?


Completely

transparent

for Device

and Client

25.06.2014

Why public keys in hash?

Backup

Authenticated Elliptic Curve Diffie Hellman (ECDH) by Ho variant

Alice Bob


phone MITMPW PW PW PWPKA‘ PKA‘ PKM[…]

S1=PK‘M x SKBS2=PKB x SKMS4=PKM x SKA S3=PK‘A x SKM

Man-in-the-Middle (MITM) attack is not detected. It’s simply not possible for Alice and Bob (via MITM) to communicate b/c different sessions keys Si are calculated.

Including public keys in hashes however makes it possible to detect MITM.

25.06.2014

bridging the ui gap for authentication in smart environments sebastian unger prof. dirk timmermann...

Documents

authentication authenticity

ui gap

universitt rostock s

cons basic principles

motivation aal iot

hybrid approach

band oob oob channels

certificate authorities