Detecting Failed Attacks on Human-Interactive Security Protocols
One of the main challenges in pervasive computing is how we can establish secure communication over an untrusted high-bandwidth network without any initial knowledge or a Public Key Infrastructure. An approach studied by a number of researchers is building security though involving humans in a low-bandwidth “empirical” out-of-band channel where the transmitted information is authentic and cannot be faked or modified. A survey of such protocols can be found in . Many protocols discussed there achieve the optimal amount of authentication for a given amount of human work. However it might still be attractive to attack them if a failed attack might be misdiagnosed as a communication failure and therefore remain undetected. In this paper we show how to transform protocols of this type to make such misdiagnosis essentially impossible. We introduce the concept of auditing a failed protocol run and show how to enable this.
The author thanks Long Nguyen, Peter Ryan, Catherine Meadows and Thomas Gibson-Robinson for useful conversations on this work.
- 1.Time-Lock Encryption (2011). http://www.gwern.net/Self-decrypting
- 2.Wikipedia article on ZRTP. https://en.wikipedia.org/wiki/ZRTP
- 7.Nguyen, L.H., Roscoe, A.W.: Efficient group authentication protocol based on human interaction. In: Proceedings of the Joint Workshop on Foundation of Computer Security and Automated Reasoning Protocol Security Analysis (FCS-ARSPA 2006), pp. 9–31 (2006)Google Scholar
- 11.Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996). http://bitsavers.trailing-edge.com/pdf/mit/lcs/tr/MIT-LCS-TR-684.pdf
- 12.Roscoe, A.W.: Human-centred computer security (2005). http://web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/113.pdf
- 14.Zimmerman, P.: ZRTP (2010). https://tools.ietf.org/html/draft-zimmermann-avt-zrtp-22