Meng Jin,Xinbing Wang,Chenghu Zhou

DOI: https://doi.org/10.1109/tnet.2022.3230642

2023-01-01

Abstract:Secure Device-to-Device (D2D) communication is important for the Internet-of-Things (IoT) devices. Key agreement between devices is the important first step in building a secure D2D channel. Due to the lack of third-party certification, key agreement for IoT devices has to rely on the untrusted channel between them, which makes the pairing process vulnerable to attacks such as eavesdropping, jamming, and predictable channel attack. We solve this problem with a novel key agreement method named EchoKey, where two nearby devices can generate a symmetric key independently, leveraging the ambient sound signal that can be locally collected by devices. The intuition of this idea is that the propagation delays of the ambient sounds and the echoes will carry fine-grained information about the spatial context of the receiving device, which can be transformed to a special key for that device. So, nearby devices which have similar spatial context will generate similar echo profiles. We implement a prototype of EchoKey and evaluate its performance in resisting different attacks. The results tell that, with EchoKey, the key agreement process is even undetectable by an attacker which is only 50cm away from the pairing devices, and is thus resistant to all attacks mentioned above.

Weitao Xu,Zhenjiang Li,Wanli Xue,Xiaotong Yu,Jia Wang,Chengwen Luo,Wei Li,Albert Y. Zomaya

DOI: https://doi.org/10.1145/3384419.3430424

2020-01-01

Abstract:Secure Device-to-Device (D2D) communication is becoming increasingly important with the ever-growing number of Internet-of-Things (IoT) devices in our daily life. To achieve secure D2D communication, the key agreement between different IoT devices without any prior knowledge is becoming desirable. Although various approaches have been proposed in the literature, they suffer from a number of limitations, such as low key generation rate and short pairing distance. In this paper, we present an inaudible acoustic signal based key generation protocol for mobile devices. Based on acoustic channel reciprocity, our system exploits channel frequency response of two legitimate devices as a common secret to generate keys. Extensive experiments are conducted to evaluate the proposed system in different real environments. Evaluation results show that the proposed system can generate the same secret key for two mobile devices with high probability.

Weitao Xu,Zhenjiang Li,Wanli Xue,Xiaotong Yu,Bo Wei,Jia Wang,Chengwen Luo,Wei Li,Albert Y. Zomaya

DOI: https://doi.org/10.1145/3412382.3458260

2021-03-26

Abstract:Secure Device-to-Device (D2D) communication is becoming increasingly important with the ever-growing number of Internet-of-Things (IoT) devices in our daily life. To achieve secure D2D communication, the key agreement between different IoT devices without any prior knowledge is becoming desirable. Although various approaches have been proposed in the literature, they suffer from a number of limitations, such as low key generation rate and short pairing distance. In this paper, we present InaudibleKey, an inaudible acoustic signal-based key generation protocol for mobile devices. Based on acoustic channel reciprocity, InaudibleKey exploits the acoustic channel frequency response of two legitimate devices as a common secret to generating keys. InaudibleKey employs several novel technologies to significantly improve its performance. We conduct extensive experiments to evaluate the proposed system in different real environments. Compared to state-of-the-art works, InaudibleKey improves key generation rate by 3-145 times, extends pairing distance by 3.2-44 times, and reduces information reconciliation counts by 2.5-16 times. Security analysis demonstrates that InaudibleKey is resilient to a number of malicious attacks. We also implement InaudibleKey on modern smartphones and resource-limited IoT devices. Results show that it is energy-efficient and can run on both powerful and resource-limited IoT devices without incurring excessive resource consumption.

Networking and Internet Architecture,Cryptography and Security

Xiaoyu Ji,Chaohao Li,Xinyan Zhou,Juchuan Zhang,Yanmiao Zhang,Wenyuan Xu

DOI: https://doi.org/10.1145/3399432

2020-01-01

ACM Transactions on Internet of Things

Abstract:Nowadays, most Internet of Things devices in smart homes rely on radio frequency channels for communication, making them exposed to various attacks such as spoofing and eavesdropping attacks. Existing methods using encryption keys may be inapplicable on these resource-constrained devices that cannot afford the computationally expensive encryption operations. Thus, in this article, we design a key-free communication method for such devices in a smart home. In particular, we introduce the Home-limited Channel (HLC) that can be accessed only within a house yet inaccessible for outside-house attackers. Utilizing HLCs, we propose HlcAuth, a challenge-response mechanism to authenticate the communications between smart devices without keys. The advantages of HlcAuth are low cost, lightweight as well as key-free, and requiring no human intervention. According to the security analysis, HlcAuth can defeat replay attacks, message-forgery attacks, and man-in-the-middle (MiTM) attacks, among others. We further evaluate HlcAuth in four different physical scenarios, and results show that HlcAuth achieves 100% true positive rate (TPR) within 4.2m for in-house devices while 0% false positive rate (FPR) for outside attackers, i.e., guaranteeing a high-level usability and security for in-house communications. Finally, we implement HlcAuth in both single-room and multi-room scenarios.

Huaiyu Jia,Dajiang Chen,Zhidong Xie,Zhiguang Qin

DOI: https://doi.org/10.1108/ijwis-06-2024-0169

2024-01-01

International Journal of Web Information Systems

Abstract:Purpose This paper aims to provide a secure and efficient pairing protocol for two devices. Due to the large amount of data involving sensitive information transmitted in Internet of Things (IoT) devices, generating a secure shared key between smart devices for secure data sharing becomes essential. However, existing smart devices pairing schemes require longer pairing time and are difficult to resist attacks caused by context, as the secure channel is established based on restricted entropy from physical context. Design/methodology/approach This paper proposes a fuzzy smart IoT device pairing protocol via speak to microphone, FS2M. In FS2M, the device pairing is realized from the speaking audio of humans in the environment around the devices, which is easily implemented in the vast majority of Internet products. Specifically, to protect the privacy of secret keys and improve efficiency, this paper presents a single-round pairing protocol by adopting a recently published asymmetric fuzzy encapsulation mechanism (AFEM), which allows devices with similar environmental fingerprints to successfully negotiate the shared key. To instantiate AFEM, this paper presents a construction algorithm, the AFEM-ECC, based on elliptic curve cryptography. Findings This paper analyzes the security of the FS2M and its pairing efficiency with extensive experiments. The results show that the proposed protocol can achieve a secure device pairing between two IoT devices with high efficiency. Originality/value In FS2M, a novel cryptographic primitive (i.e., AFEM-ECC) are designed for IoT device pairing by using a new context-environment (i.e., human voice) . The experimental results show that FS2M has a good performance in both communication cost (i.e., 130 KB) and running time (i.e., 10 S).

Yuchen Miao,Chaojie Gu,Zhenyu Yan,Sze Yiu Chau,Rui Tan,Qi Lin,Wen Hu,Shibo He,Jiming Chen

DOI: https://doi.org/10.1145/3596264

2023-01-01

Abstract:Secure device pairing is important to wearables. Existing solutions either degrade usability due to the need of specific actions like shaking, or they lack universality due to the need of dedicated hardware like electrocardiogram sensors. This paper proposes TouchKey, a symmetric key generation scheme that exploits the skin electric potential (SEP) induced by powerline electromagnetic radiation. The SEP is ubiquitously accessible indoors with analog-to-digital converters widely available on Internet of Things devices. Our measurements show that the SEP has high randomness and the SEPs measured at two close locations on the same human body are similar. Extensive experiments show that TouchKey achieves a high key generation rate of 345 bit/s and an average success rate of 99.29%. Under a range of adversary models including active and passive attacks, TouchKey shows a low false acceptance rate of 0.86%, which outperforms existing solutions. Besides, the overall execution time and energy usage are 0.44 s and 2.716 mJ, which make it suitable for resource-constrained devices.

Wei Xi,Chen Qian,Jinsong Han,Kun Zhao,Sheng Zhong,Xiang-Yang Li,Jizhong Zhao

DOI: https://doi.org/10.1145/2976749.2978298

2016-01-01

Abstract:Device-to-device communication is important to emerging mobile applications such as Internet of Things and mobile social networks. Authentication and key agreement among multiple legitimate devices is the important first step to build a secure communication channel. Existing solutions put the devices into physical proximity and use the common radio environment as a proof of identities and the common secret to agree on a same key. However they experience very slow secret bit generation rate and high errors, requiring several minutes to build a 256-bit key. In this work, we design and implement an authentication and key agreement protocol for mobile devices, called The Dancing Signals (TDS), being extremely fast and error-free. TDS uses channel state information (CSI) as the common secret among legitimate devices. It guarantees that only devices in a close physical proximity can agree on a key and any device outside a certain distance gets nothing about the key. Compared with existing solutions, TDS is very fast and robust, supports group key agreement, and can effectively defend against predictable channel attacks. We implement TDS using commodity off-the-shelf 802.11n devices and evaluate its performance via extensive experiments. Results show that TDS only takes a couple of seconds to make devices agree on a 256-bit secret key with high entropy.

Chuxiong Wu,Xiaopeng Li,Lannan Luo,Qiang Zeng

2024-09-25

Abstract:Secure pairing is crucial for ensuring the trustworthy deployment and operation of Internet of Things (IoT) devices. However, traditional pairing methods are often unsuitable for IoT devices due to their lack of conventional user interfaces, such as keyboards. Proximity-based pairing approaches are usable but vulnerable to exploitation by co-located malicious devices. While methods based on a user's physical operations (such as shaking) on IoT devices offer greater security, they typically rely on inertial sensors to sense the operations, which most IoT devices lack. We introduce a novel technique called Universal Operation Sensing, enabling IoT devices to sense the user's physical operations without the need for inertial sensors. With this technique, users can complete the pairing process within seconds using simple actions such as pressing a button or twisting a knob, whether they are holding a smartphone or wearing a smartwatch. Moreover, we reveal an inaccuracy issue in the fuzzy commitment protocol, which is frequently used for pairing. To address it, we propose an accurate pairing protocol, which does not use fuzzy commitment and incurs zero information loss. The comprehensive evaluation shows that it is secure, usable and efficient.

Cryptography and Security

Congcong She,Lei Xie,Chuyu Wang,PeiCheng Yang,Yubo Song,Sanglu Lu

DOI: https://doi.org/10.1109/icpads47876.2019.00098

2019-01-01

Abstract:In conventional device-to-device (D2D) communication through wireless channels, it is an essential demand to authenticate with each other and establish spontaneous secure connections among the smart devices. In this paper, we propose an imitation-resistant mutual authentication and key generation framework for smart devices, by shaking these devices together. According to the multi-sensor data collected from smart devices, these devices are able to authenticate each other and generate a unique and consistent symmetric key if and only if they are shaken together. We have conducted comprehensive experimental study on shaking various devices, illustrated several novel observations and extracted some important clues for efficient key generation. We propose a series of novel techniques to make the key generation robust to noise and privacy-preserving, and generate highly distinctive and fully randomized symmetric keys among these devices. Realistic experiment results indicate that our solution is able to authenticate with each other and generate the symmetric keys with high accuracy and time-efficiency.

Mingsheng Cao,Luhan Wang,Hua Xu,Dajiang Chen,Chunwei Lou,Ning Zhang,Yixin Zhu,Zhiguang Qin

DOI: https://doi.org/10.1109/access.2019.2900727

IF: 3.9

2019-01-01

IEEE Access

Abstract:Device-to-Device (D2D) communication is a promising method for the emerging Internet of Things. Secure information exchange plays a key role in the application of D2D communication. Considering that the wireless devices are powered by batteries, in this paper, a lightweight secure D2D system is designed by using multiple sensors on mobile devices. Specifically, by leveraging an acceleration sensor equipped in two wireless devices, a lightweight and efficient key distribution scheme for secure D2D communication is proposed. Based on the distributed secure key, an efficient near-field authentication is developed with a speaker and a microphone to determine whether these two devices are physically close; and a secure information exchange scheme with high efficiency, which includes message encryption/decryption and message authentication, is presented over the audio channel and the RF channel. The Extensive experiments are provided to demonstrate that our system can achieve a secure information exchange between two wireless devices with low energy consumption and computing resources.

Congcong Shi,Lei Xie,Chuyu Wang,Peicheng Yang,Yubo Song,Sanglu Lu

DOI: https://doi.org/10.1155/2021/6668478

2021-01-01

Wireless Communications and Mobile Computing

Abstract:In traditional device-to-device (D2D) communication based on wireless channel, identity authentication and spontaneous secure connections between smart devices are essential requirements. In this paper, we propose an imitation-resistant secure pairing framework including authentication and key generation for smart devices, by shaking these devices together. Based on the data collected by multiple sensors of smart devices, these devices can authenticate each other and generate a unique and consistent symmetric key only when they are shaken together. We have conducted comprehensive experimental study on shaking various devices. Based on this study, we have listed several novel observations and extracted important clues for key generation. We propose a series of innovative technologies to generate highly unique and completely randomized symmetric keys among these devices, and the generation process is robust to noise and protects privacy. Our experimental results show that our system can accurately and efficiently generate keys and authenticate each other.

Zhijian Shao,Jian Weng,Yue Zhang,Yongdong Wu,Ming Li,Jiasi Weng,Weiqi Luo,Shui Yu

DOI: https://doi.org/10.48550/arXiv.2002.11288

2020-02-26

Abstract:The popularity of Internet-of-Things (IoT) comes with security concerns. Attacks against wireless communication venues of IoT (e.g., Man-in-the-Middle attacks) have grown at an alarming rate over the past decade. Pairing, which allows the establishment of the secure communicating channels for IoT devices without a prior relationship, is thus a paramount capability. Existing secure pairing protocols require auxiliary equipment/peripheral (e.g., displays, speakers and sensors) to achieve authentication, which is unacceptable for low-priced devices such as smart lamps. This paper studies how to design a peripheral-free secure pairing protocol. Concretely, we design the protocol, termed SwitchPairing, via out-of-box power supplying chargers and on-board clocks, achieving security and economics at the same time. When a user wants to pair two or more devices, he/she connects the pairing devices to the same power source, and presses/releases the switch on/off button several times. Then, the press and release timing can be used to derive symmetric keys. We implement a prototype via two CC2640R2F development boards from Texas Instruments (TI) due to its prevalence. Extensive experiments and user studies are also conducted to benchmark our protocol in terms of efficiency and security.

Cryptography and Security

Ziqi Xu,Jingcheng Li,Yanjun Pan,Ming Li,Loukas Lazos

2023-06-30

Abstract:Many Next Generation (NextG) applications feature devices that are capable of communicating and sensing in the Millimeter-Wave (mmWave) bands. Trust establishment is an important first step to bootstrap secure mmWave communication links, which is challenging due to the lack of prior secrets and the fact that traditional cryptographic authentication methods cannot bind digital trust with physical properties. Previously, context-based device pairing approaches were proposed to extract shared secrets from common context, using various sensing modalities. However, they suffer from various limitations in practicality and security. In this work, we propose the first secret-free device pairing scheme in the mmWave band that explores the unique physical-layer properties of mmWave communications. Our basic idea is to let Alice and Bob derive common randomness by sampling physical activity in the surrounding environment that disturbs their wireless channel. They construct reliable fingerprints of the activity by extracting event timing information from the channel state. We further propose an uncoordinated path hopping mechanism to resolve the challenges of beam alignment for activity sensing without prior trust. A key novelty of our protocol is that it remains secure against both co-located passive adversaries and active Man-in-the-Middle attacks, which is not possible with existing context-based pairing approaches. We implement our protocol in a 28GHz mmWave testbed, and experimentally evaluate its security in realistic indoor environments. Results show that our protocol can effectively thwart several different types of adversaries.

Cryptography and Security,Signal Processing

Binbin Yu,Hongtu Li

DOI: https://doi.org/10.1177/1550147719879379

IF: 1.938

2019-09-01

International Journal of Distributed Sensor Networks

Abstract:Home-based multi-sensor Internet of Things, as a typical application of Internet of Things, interconnects a variety of intelligent sensor devices and appliances to provide intelligent services to individuals in a ubiquitous way. As families become more and more intelligent, complex, and technology-dependent, there is less and less need for human intervention. Recently, many security attacks have shown that Internet home-based Internet of Things have become a vulnerable target, leading to personal privacy problems. For example, eavesdroppers can acquire the identity of specific devices or sensors through public channels, which is not secure, to infer individual public life in the home area network. Authentication is the essential portion of many secure systems processing of verifying and declaring identity. Before providing confidential information, home-based-Internet of Things service authenticates users and devices. The communication and processing capabilities of intelligent devices are limited. Therefore, in home-based Internet of Things, lightweight authentication and key agreement technology are very important to resist known attacks. This article proposes an anonymous authenticated key agreement protocol using pairing-based cryptography. The protocol proposed in this article provides lightweight computation and ensures the security of communication between home-based multi-sensor Internet of Things network and Internet network.

computer science, information systems,telecommunications

Wei Xi,Meichen Duan,Xiuxiu Bai,Kun Zhao,Lufeng Mo,Jizhong Zhao

DOI: https://doi.org/10.1109/JIOT.2020.3011558

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Security over mobile Internet-of-Things (IoT) devices is critical due to the open nature of distributed wireless communication. To efficiently establish a secure connection between two communication parties, a fast mobile key extraction protocol, KEEP, is proposed. KEEP fastly generates similar bit sequences from two communication parties' measurements of channel-state information (CSI) of different subcarriers. Then, a distributed “verification-recombination” mechanism is introduced to generate the same encryption key from bit sequences without the public-key authentication, digital signature, or key distribution center of the other party. We implemented real-world experiments using commercial off-the-shelf 802.11n devices to evaluate the performance of KEEP in various scenarios. Theoretical analysis and experimental verification show that KEEP is more secure, effective, and reliable than the state-of-the-art methods.

Yaqi He,Kai Zeng,Long Jiao,Brian L. Mark,Khaled N. Khasawneh

DOI: https://doi.org/10.1145/3643833.3656127

2024-05-06

Abstract:Wireless device pairing is a critical security mechanism to bootstrap the secure communication between two devices without a pre-shared secret. It has been widely used in many Internet of Things (IoT) applications, such as smart-home and smart-health. Most existing device pairing mechanisms are based on out-of-band channels, e.g., extra sensors or hardware, to validate the proximity of pairing devices. However, out-of-band channels are not universal across all wireless devices, so such a scheme is limited to certain application scenarios or conditions. On the other hand, in-band channel-based device pairing seeks universal applicability by only relying on wireless interfaces. Existing in-band channel-based pairing schemes either require multiple antennas separated by a good distance on one pairing device, which is not feasible in certain scenarios, or require users to repeat multiple sweeps, which is not optimal in terms of usability.

Cryptography and Security,Networking and Internet Architecture

Dajiang Chen,Ning Zhang,Zhen Qin,Xufei Mao,Zhiguang Qin,Xuemin Shen,Xiang-Yang Li

DOI: https://doi.org/10.1109/jiot.2016.2619679

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:Device authentication is a critical and challenging issue for the emerging Internet of Things (IoT). One promising solution to authenticate IoT devices is to extract a fingerprint to perform device authentication by exploiting variations in the transmitted signal caused by hardware and manufacturing inconsistencies. In this paper, we propose a lightweight device authentication protocol [named speaker-to-microphone (S2M)] by leveraging the frequency response of a speaker and a microphone from two wireless IoT devices as the acoustic hardware fingerprint. S2M authenticates the legitimate user by matching the fingerprint extracted in the learning process and the verification process, respectively. To validate and evaluate the performance of S2M, we design and implement it in both mobile phones and PCs and the extensive experimental results show that S2M achieves both low false negative rate and low false positive rate in various scenarios under different attacks.

Youjing Lu,Fan Wu,Qianyi Huang,Shaojie Tang,Linghe Kong,Guihai Chen

DOI: https://doi.org/10.1145/3480461

2021-01-01

ACM Transactions on Sensor Networks

Abstract:To build a secure wireless networking system, it is essential that the cryptographic key is known only to the two (or more) communicating parties. Existing key extraction schemes put the devices into physical proximity and utilize the common inherent randomness between the devices to agree on a secret key, but they often rely on specialized hardware (e.g., the specific wireless NIC model) and have low bit rates. In this article, we seek a key extraction approach that only leverages off-the-shelf mobile devices, while achieving significantly higher key generation efficiency. The core idea of our approach is to exploit the fast varying inaudible acoustic channel as the common random source for key generation and wireless parallel communication for exchanging reconciliation information to improve the key generation rate. We have carefully studied and validated the feasibility of our approach through both theoretical analysis and a variety of measurements. We implement our approach on different mobile devices and conduct extensive experiments in different real scenarios. The experiment results show that our approach achieves high efficiency and satisfactory robustness. Compared with state-of-the-art methods, our approach improves the key generation rate by 38.46% and reduces the bit mismatch ratio by 42.34%.

Xiao Zhang,Jiqiang Liu,Si Chen,Yongjun Kong,Kui Ren

DOI: https://doi.org/10.1109/jiot.2018.2850524

IF: 10.6

2018-01-01

IEEE Internet of Things Journal

Abstract:The recent proliferation of Internet of Things (IoT) device coupled with the demand for an inexpensive way of transmitting data has been the primary factors behind the popularity of the short-range acoustic communication. It enables a seamless transfer of digital information via soundwaves, using device’s loudspeaker and microphone only and the whole interaction takes place without the need for network connection. Due to the limited computational power of the IoT device, the short-range acoustic communication system has adopted the friendly jamming technology to save energy. However, the security of the friendly jamming technology in mobile applications has not been thoroughly studied. When propagating sound in public, the soundwaves are subject to eavesdropping by nature. In particular, the friendly jamming technology is vulnerable to the separation attacks which can separate data signals from mixed signals. In this paper, we propose PriWhisper+—a secure acoustic short-range communication system between IoT devices. We analyze the security of PriWhisper+ via information theory and propose physical security enhancement mechanisms for acoustic communication by combining device mobility with secret sharing scheme. We then design a secure data communication scheme that transmits data in acoustic signals. This scheme can be applied in many security-sensitive situations, such as device pairing, contactless payments, and privacy data sharing. At last, we evaluate the performance of our proposed PriWhisper+ by extensive experiments on Android smartphones. The results of the experiment show that the PriWhisper+ can protect the data confidentiality within thirty centimeters of communication range.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1007/s11227-021-03836-y

IF: 3.3

2021-01-01

The Journal of Supercomputing

Abstract:Wireless sensor networks (WSNs) are the key technological building block of Internet of Things (IoT), by which remote users can access the real-time data from the sensor nodes. Due to the openness and mobility of such network, it is essential to establish secure links for end-to-end communication with proper authentication. Although amount of research works in this area have been made, so far designing a secure and efficient authenticated key exchange (AKE) protocol for this setting is still an open topic. So, the authors in this paper design a two-factor AKE protocol using elliptic curve cryptography (ECC) for WSNs in the context of IoT, allowing the end users and sensor nodes to exchange information directly after a secure link is established with the help of the corresponding gateway node. The heuristic security analysis has shown that the new protocol can provide various expected security attributes and resist various known attacks. Moreover, the performance study states that the new protocol is efficient enough and has certain efficiency advantages in the aspects of computation and communication costs compared with the same type of ECC-based AKE protocols for IoT applications.