Emerging contactless authentication applications such as NFC payment and RFID car keys aim to deliver a fast and pleasant user experience. Some of these applications aim at Zero-Interaction Authentication (ZIA) [1]. “Zero interaction” is important for user experience in certain scenarios, e.g., when a user tries to open a car with his hands full. In this case, a car key with ZIA opens the car when the user simply approaches the door, without the user’s involvement. On the other hand, ZIA has been proven vulnerable to specific relay attacks, especially “ghost-and-leech” [2]. The existing solution, distance bounding [3], accurately estimates an upper bound on the physical distance between two securely communicating devices by measuring the round-trip time (RTT) of the challenge-response phase. It is not a good solution, however, since the measurement is sensitive to time delays and thus calls for external hardware not available to ordinary users. Hence the concept of co-presence between two paired devices is proposed to defend against such attacks, ensuring that all participants in a contactless authentication are secured by being in close proximity.
The main challenge is how to prove co-presence. Previous works have revealed the significant potential of proving co-presence using context tags (i.e. contextual attributes) such as audio fingerprints, radio signals, GPS fix data, wireless broadcast traffic, ambient light, acceleration, and nearby device IDs. Therefore, it is possible to develop a Contextual Co-presence Detection (CCD) approach, where the chosen context tags are expected to be identical in close proximity and unique at distinct locations. Co-presence and non-co-presence are then distinguished by comparing the corresponding tags. Moreover, we prefer to combine multiple context tags instead of using a single one, because multiple context tags are considered complementary in minimizing false positives (FPs) and false negatives (FNs) and can overcome differences in their scopes of application. The objective of this project is to realize an augmented CCD library to secure a demo ZIA application with the help of multiple context tags and to prove its feasibility in practical scenarios.
We use BlueProximity as an example to clarify the ZIA use case required for this project. BlueProximity is a ZIA application that automates locking/unlocking the laptop screen with the user’s handset by estimating the proximity. We plan to develop our ZIA demo application based on a modified BlueProximity. In our use case, the communication between a handset and a laptop takes place via a short-range channel, e.g., Bluetooth or NFC. First, the handset registers its ID in the laptop. Then the two devices pair by establishing a shared session key. It is important to secure the communication since unpaired BlueProximity is vulnerable to mimicry attacks. After pairing, the laptop is locked (unlocked) when the handset leaves (enters) the predefined positive range of co-presence. The authentication starts when the laptop sends a challenge (i.e. both IDs and a nonce) encrypted with the session key to the handset. Upon reception, the handset sends the encrypted response (i.e. both IDs, the nonce and its context vector) back to the laptop. Then the laptop determines co-presence by comparing the received context vector with its local one. If co-presence is validated, physical access to the protected resource is enabled, i.e. the screen is unlocked; otherwise the screen is locked. We emphasize that the authentication protocol involves a challenge-response exchange of context information, unlike unmodified BlueProximity, which estimates the proximity by directly measuring the received signal strength indicators (RSSIs).
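The challenge-response exchange described above, sketched as an added example (not code from BlueProximity++ or the papers) to show why a correct session key alone does not unlock the screen when the handset's context differs from the laptop's. Assumptions: an HMAC-SHA256 tag stands in for the session-key encryption because the Python standard library has no cipher, the comparison is a mean Jaccard overlap with a threshold of 0.5, and all IDs and context vectors are constructed.

```python
import hashlib
import hmac
import json
import secrets

THRESHOLD = 0.5  # assumed decision threshold, not a value from the page
# Constructed context vectors (nearby Wi-Fi and Bluetooth IDs), not real data.
LAPTOP = {"wifi": ["ap-a", "ap-b", "ap-d"], "bt": ["dev-1", "dev-2"]}
NEAR = {"wifi": ["ap-a", "ap-b", "ap-c"], "bt": ["dev-1", "dev-2"]}
FAR = {"wifi": ["ap-x", "ap-y"], "bt": ["dev-9"]}

def seal(key, fields):
    """Serialize a message and append an HMAC-SHA256 tag under the session key."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the message fields if the tag verifies, otherwise None."""
    body, tag = blob[:-32], blob[-32:]
    good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return json.loads(body) if good else None

def similarity(remote, local):
    """Mean Jaccard overlap over the modalities in the local context vector."""
    scores = []
    for name, seen in local.items():
        a, b = set(seen), set(remote.get(name, []))
        scores.append(len(a & b) / len(a | b) if a | b else 0.0)
    return sum(scores) / len(scores) if scores else 0.0

def make_challenge(key, laptop_id, handset_id):
    """Laptop side: both IDs plus a fresh nonce."""
    nonce = secrets.token_hex(16)
    return nonce, seal(key, {"laptop": laptop_id, "handset": handset_id, "nonce": nonce})

def handset_respond(key, challenge, handset_id, context):
    """Handset side: echo IDs and nonce, attach the handset's context vector."""
    msg = unseal(key, challenge)
    if msg is None or msg.get("handset") != handset_id:
        return None
    return seal(key, {**msg, "context": {k: sorted(v) for k, v in context.items()}})

def laptop_verify(key, response, laptop_id, handset_id, nonce, local_context):
    """Unlock only if tag, IDs and nonce match and the contexts are similar."""
    msg = unseal(key, response) if response else None
    want = {"laptop": laptop_id, "handset": handset_id, "nonce": nonce}
    if msg is None or any(msg.get(k) != v for k, v in want.items()):
        return False
    return similarity(msg.get("context", {}), local_context) >= THRESHOLD
```

A response built from `FAR` carries a valid tag, IDs and nonce, which is what a relayed handset would produce, and is still rejected because the context comparison fails.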
Partners
Aalto University and University of Helsinki, Finland
University of Alabama at Birmingham, USA
Results
- Paper: “Using contextual co-presence to strengthen Zero-Interaction Authentication: Design, integration and usability.” (Pervasive and Mobile Computing journal 2014)
- Full version: PDF
- Paper: “Comparing and Fusing Different Sensor Modalities for Relay Attack Resistance in Zero-Interaction Authentication.” (PerCom 2014)
Data sets are available for research use on request. Contact us via asokan[at]acm[dot]org or saxena[at]uab[dot]edu.
Data Collector: app
If you use our dataset or the data collector application, please cite our paper as below:
@inproceedings{TruongPerCom14,
  author = {Hien Thi Thu Truong and Xiang Gao and Babins Shrestha and Nitesh Saxena and N. Asokan and Petteri Nurmi},
  title = {Comparing and Fusing Different Sensor Modalities for Relay Attack Resistance in Zero-Interaction Authentication},
  booktitle = {IEEE International Conference on Pervasive Computing and Communications, PerCom 2014, Budapest, Hungary, March 24-28, 2014},
  year = {2014},
  pages = {163-171},
}
- Paper: “Drone to the Rescue: Relay-Resilient Authentication using Ambient Multi-Sensing.” (FC 2014)
- Preprint: PDF
- Slides: PDF
@inproceedings{ShresthaFC14,
  author = {Babins Shrestha and Nitesh Saxena and Hien Thi Thu Truong and N. Asokan},
  title = {Drone to the Rescue: Relay-Resilient Authentication using Ambient Multi-Sensing},
  booktitle = {Eighteenth International Conference on Financial Cryptography and Data Security, FC 2014, Barbados, March 3-7, 2014},
  year = {2014},
  pages = {-},
}
Application: BlueProximity++
We designed and implemented BlueProximity++ by incorporating contextual co-presence detection into BlueProximity. BlueProximity++ consists of two components: a Linux terminal package written in Python and an Android application for the mobile device written in Java. In BlueProximity++, the locking/unlocking event is triggered using the Bluetooth signal strength and the similarity of context.
Wiki page: BlueProximity++
User study materials:
- Demography form PDF
- User study informed consent form PDF
- SUS forms and comparison form PDF
- Open-ended form PDF
Reports
Thesis: “Strengthening Zero-Interaction Authentication Using Contextual Co-presence Detection” PDF