Abstract
People increasingly depend on the digital world to communicate with one another, but such communication is rarely secure. Users typically have no common administrative control to provide mutual authentication, and sales of certified public keys to individuals have made few inroads. The only remaining mechanism is key exchange. Because exchanged keys are not authenticated, users must verify them through some out-of-band mechanism. Unfortunately, users appear willing to accept any key at face value, leaving communication vulnerable. This paper describes LoKey, a system that leverages the Short Message Service (SMS) to verify keys on users’ behalf. SMS messages are small, expensive, and slow, but they utilize a closed network, between devices—phones—that are nearly ubiquitous and authenticate with the network operator. Our evaluation shows LoKey can establish and verify a shared key in approximately 30 seconds, provided only that one correspondent knows the other’s phone number. By verifying keys asynchronously, two example applications—an instant messaging client and a secure email service—can provide assurances of message privacy, integrity, and source authentication while requiring only that users know the phone number of their correspondent.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nicholson, A.J., Smith, I.E., Hughes, J., Noble, B.D. (2006). LoKey: Leveraging the SMS Network in Decentralized, End-to-End Trust Establishment. In: Fishkin, K.P., Schiele, B., Nixon, P., Quigley, A. (eds) Pervasive Computing. Pervasive 2006. Lecture Notes in Computer Science, vol 3968. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11748625_13
DOI: https://doi.org/10.1007/11748625_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33894-9
Online ISBN: 978-3-540-33895-6
eBook Packages: Computer Science, Computer Science (R0)