Rainbow Crypt: Securing Communication through a Protected Visual Channel
Alberto Bartoli, Giorgio Davanzo, Eric Medvet DI3 Università di Trieste, Italy http://bartoli.inginf.units.it
November 2011
Scenario Environment with “a lot” of wireless-enabled devices, sensor, gadgets
Patient / hospital monitoring Home automation Access control
... “Ambient Intelligence” “Internet of Things” ...
Problem Ensure Mutual Authentication of devices (Secure Pairing) Device A should communicate with device B (Possibly hostile) Device X must not be able to impersonate either device to the other Very difficult: Wireless medium ⇒ Messages may be intercepted and replayed easily Hostile devices may be easily concealed
Theory: Simple Practice: Very difficult Theory Establish secret key between devices (somehow) Plenty of protocols ensuring mutual authentication and secrecy Practice VERY difficult to deploy these protocols They rely on assumptions not met in this scenario Their use is often difficult for the unexperienced user
Example (basic idea) User identifies devices A and B “visually” (with his hands) and wants a secure pairing User must tell A that its partner is B A must have a suitable input channel (e.g. a keyboard) How to identify B ? B must have a suitable output channel (e.g. an LCD screen) B must be certificated by a trusted authority, or None of the above holds in practice
Real-world example: Wi-Fi “Protected Setup” (I) Part of Wi-Fi specification Enables “easy and secure setup” between pairs of devices (secure pairingsort of) Implemented in thousands of products
PIN-based The device must support the entering of a password Inconvenient or unfeasible for many kinds of devices …
Real-world example: Wi-Fi “Protected Setup” (II-a) Push Button Configuration (PBC) The user pushes a (possibly virtual) button on the devices more or less at the same time The devices establish a shared secret key
Real-world example: Wi-Fi “Protected Setup” (II-b) The problem is, it does not ensure secure pairing !
“Users should be aware that during the two-minute setup period which follows the push of the button, unintended devices could join the network if they are in range.”
Wi-Fi Protected Setup FAQ @ Wi-Fi Alliance
Proposed solutions Out-of-band channel An additional channel is assumed to exist …and this channel is secure by definition Shared secrets are established on this channel Devices must have I/O capabilities for this channel and for the user Several examples: text-to-speech, displays and alike
Novel Wi-Fi protocols Recent proposal by MIT researchers USENIX Security Symposium 2011
A very simple solution Physical contact (Stajano and Anderson 2000) User places devices A and B in physical contact (electrical) While in contact, devices establish a shared secret Systematic, Simple, Effective: User selects exactly the devices he needs (no concealed devices) Attacker cannot intercept anything (no communication attacks)
Did not succeed due to the lack of common interfaces
Our work We demonstrate the Stajano&Anderson approach May indeed be applied in practice For a very specific, but very important, class of devices Smartphones (and potentially many other devices) Small LCD color screen on one device Low-end color camera on the other device We place the two devices next to each other A few seconds suffice to establish “reasonably long” keys (≈10 bps; 42 bits in 5 sec) Keys cannot be intercepted Quite more difficult than it seems. An empirical work
Receiver • Receives the key through its cam (on the backside)
Transmitter • Selects a key • Shows the key as a sequence of colored frames on its screen
Short demo app (video) Transmitter Sends key K and text string encrypted in K Receiver Displays on its screen what is being received (obviously it should not)
http://www.youtube.com/watch?v=FHPa_hx1RlM
Practical problems: Focus distance Fact Cameras of our interest require at least 50 cm from the subject We use them instead at near-zero distance Key consequence Every received frame is going to be a single blurred color Solution (fundamental constraint) Each transmitted frame must be a uniform color image
Practical problems: White balancing Fact White balancing camera software attempts to average the image color to a neutral gray Key consequence When the transmitted frame is a uniform color image, the received frame is a uniform but different color Result hardly predictable: depends on settings and type of the device Solution Disable white balancing software :-)
Practical problems: Exposure Fact Camera software modifies exposure interval of the sensor to obtain a standard luminosity Key consequence The transmitted uniform color tonality may be received as an entirely different uniform color tonality Solution (...no, cannot be disabled in software...) Quite a few experiments to figure out how many different colors can be detected reliably… and which ones
Symbol alphabet As it turns out: Only 4 colors may be discerned (2 bits / frame) It does not matter which ones, as long as they are “sufficiently different” from each other We used Red Blue Violet Black
255 0 255 0
0 0 0 0
0 255 255 0
Receiver: algorithm YUV ⇒ RGB
Transmission rate Fact: Maximum frame sampling rate depends on the hw Our cheapest platform supported 21 fps (42 bps) Early experiments Transmission rate 10 fps (20 bps)
Very bad results
Practical Problem: Platform Limitations Fact Android API allows applications to specify the desired frame sampling rate But: frame rate is not uniform there may be significant variance desired rate guaranteed only over “long periods”
Example Transmitted (5 fps)
Received (20 fps) IDEAL
One in excess
One in excess
One missing
Two in excess
REAL
Obvious consequence: Out of sync BBBBGGGGRRRRBBBB
B
G
R
Sequence of received frames Chosen symbol
B
BBBBBGGGGGRRRBBB ? ? ?
BBBBBBGGGGGGBBBBBBBBGGGGGGGGGG BBG BGG BG ?
RB RBB ?
BGG GG GGG ?
Our solution (I) Upon receiving a frame F ⇒ Associate F with timestamp t(F)
Received timestamps
T
Frame transmission period
t0
t0+T
t0+2T
t0+3T
Expected timestamps
Middle of first period
Methods for Choosing F at each expectedTimestamp Based on sequence of < Fi receivedTimestampi >
Our solution (II) The K-th symbol is selected as follows: Nearest Frame with timestamp closer to t0+KT Mean Associate each frame with closest expected timestamp Average all frames in each group Weighed Mean Like Mean, with weights depending on squared distance from t0+KT Weighed Mean with Sync Like Weighed Mean, with initial RBRB sync sequence
Solution (III) Quite a few exploratory experiments for choosing: Transmission rate: 5 fps (10 bit/s) Sampling rate: 20 fps
Concluding remarks Secure pairing for an important class of devices Several (potential) interesting applications Systematic, Simple, EffectiveStajano&Anderson Pairing channel 10 bps Severely limited, but suffices for initial key exchange (42-bits in ≈5 sec) Certainly many opportunities for improvement (transmission method quite naive) Hardware will certainly improve
Thanks for your attention…
Practical Problem: Exposure (again) Transmitted symbol is “too dark” Receiver increases exposure: Sampling interval much greater than 50 ms May even be greater than 1 s (with black frames) Transmitter sends K symbols Receiver merges them all into one symbol
Not quite predictable Not controllable in software / Cannot be disabled
Practical Problem: Exposure (again) Transmitted symbol is “too dark” ⇒ Receiver increases exposure: Sampling interval much greater than 50 ms May even be greater than 1 s (with black frames) Transmitter sends K symbols Receiver merges them all into one symbol
Not quite predictable Not controllable in software / Cannot be disabled
electronic payment, monitoring of medical devices, home automation are just a ... his phone next to the screen of a control system (or maybe even the phone of ...
header format. In the format, the TC bit is set when a server sends a truncated reply, ..... cert.org/vuls/id/370308. [13] CERT/CC: Integer Overflow In XDR. Library.
is just another variant of protecting data communications between ... tacks, message insertion, deletion and modification, man-in- ... its security property. Finally, we describe how to estimate the computation overhead of handling a BGP UPDATE messa
Jun 8, 2008 - generated data with business partners and/or have vulnerabilities that may lead to ... risks and send confidential data to untrusted sites in order to use .... applications involving multiple websites, as shown in Section 3.3. In Sweb,
frastructure, the Border Gateway Protocol (BGP) is vulnerable ... tree called KC-MT. After characterizing the overheads of KC-. RSA and KC-MT, we evaluate their performance with real BGP workloads. Our experimental results show that KC-RSA is as effi
for efficiency in both computation and storage, aggregated path authentication [1] has been proposed. Among its software options, the Sequential Aggregated Signature with bit Vector. (SAS-V) ... is just another variant of protecting data communicatio
Overview of keychain-based signature scheme a major concern for BGP, and if necessary, can be achieved by employing IPsec [13] between peering speakers. Active attacks are more sophisticated as attackers can manipulate routing messages in the network
... apps below to open or edit this item. pdf-1441\securing-communication-of-legacy-applications- ... ting-data-in-transit-without-changes-in-your-existi.pdf.
May 25, 2008 - The legitimate users do not know how many ... They are guaranteed by a system administrator that their buffers will not overflow under the ... Further, Alice's jamming strategy must not make the overall system unstable [2].
May 25, 2008 - Wireless Networking and Communications Group. Department of Electrical and Computer Engineering .... has varying degrees of side-information on the channel state. ⢠We derive an upper ... natural. They are guaranteed by a system admi
Try one of the apps below to open or edit this item. tales from the crypt comic.pdf. tales from the crypt comic.pdf. Open. Extract. Open with. Sign In. Main menu.
d IBM Canada CAS Research, Markham, Ontario, Canada e Department of Computer .... forms the UPC source code to an intermediate representation (W-Code); (ii). 6 ...... guages - C, Tech. rep., http://www.open-std.org/JTC1/SC22/WG14/.
In E. Briscoe, editor, Linguistic. Evolution through Language Acquisition: Formal and Computational Models, pages 173â203. Cam- bridge University Press ...
texts in which particular words are used, or the way in which they are ... rules of grammar can only be successfully transmit- ted if the ... are much more likely to pass through the bottleneck into the ... ternal world is not sufficient to avoid the
Mar 8, 2010 - communication can be informative and effective in deterring DAC ...... cent overall) is not significantly different from the best repeated play no communication ... significantly deter communication through micro blogs (Phys.