Seeing-Is-Believing: using camera phones for human-verifiable authentication

Published: 01 February 2009

Abstract

Current mechanisms for authenticating communication between devices that share no prior context are inconvenient for ordinary users, without the assistance of a trusted authority. We present and analyse Seeing-Is-Believing (SiB), a system that utilises 2D barcodes and camera-phones to implement a visual channel for authentication and demonstrative identification of devices. We apply this visual channel to several problems in computer security, including authenticated key exchange between devices that share no prior context, establishment of the identity of a TCG-compliant computing platform, and secure device configuration in the context of a smart home.


Published In

International Journal of Security and Networks, Volume 4, Issue 1/2
February 2009
131 pages
ISSN: 1747-8405
EISSN: 1747-8413

Publisher

Inderscience Publishers

Geneva 15, Switzerland


Author Tags

  1. 2D barcodes
  2. MITM
  3. authenticated key exchange
  4. authentication
  5. camera phones
  6. computer security
  7. device pairing
  8. identification
  9. key establishment
  10. man-in-the-middle attacks
  11. secure pairing
  12. vision
  13. visual channel
  14. wireless networks

Qualifiers

  • Article
