The secure "pairing" of wireless devices based on auxiliary or out-of-band (OOB) communication, such as audio, visual, or tactile channels, is a well-established research direction. However, prior work shows that this approach to pairing can be prone to human errors of different forms that may directly or indirectly translate into man-in-the-middle attacks. To address this problem, we propose a general direction of the use of computer games for pairing. Since games are a popular means of entertainment, our hypothesis is that they may serve as an incentive to users and make the pairing process enjoyable for them, thus improving the usability, as well as the security, of the pairing process. We consider an emerging use case of pairing whereby two different users are involved, each in possession of his or her own device (e.g., Alice and Bob pairing their smartphones for social interactions). We develop "Alice Says," a pairing game based on a popular memory game called Simon (Says), and discuss the underlying design challenges. We also present a preliminary evaluation of Alice Says via a usability study and demonstrate its feasibility in terms of usability and security. Our results indicate that overall Alice Says was deemed a fun and enjoyable way to pair devices, confirming our hypothesis. However, contrary to our intuition, the relatively slower speed of Alice Says pairing was found to be a cause of concern and prompts the need for the design of faster pairing games. We put forth several ways in which this issue can be ameliorated. In addition, we also discuss several other security problems which are lacking optimal solutions and suggest ideas on how entertainment can be used to improve the current state-of-the-art solutions that have been developed to address them.
Short and medium-range wireless communication based on technologies such as Bluetooth, WiFi, and RFID (Radio Frequency IDentification) is becoming increasingly popular and promises to remain so in the future. This surge in popularity unfortunately brings various security risks along with it. Wireless communication channels are easy to eavesdrop upon and manipulate. Therefore, a fundamental security objective is to secure such data transfer mediums. In this paper, we use the term "pairing" to refer to the operation of bootstrapping secure communication between two wireless devices in a way that is resistant to eavesdropping and man-in-the-middle attacks. Examples of common use cases for this operation include pairing between a headset and phone, or between two smartphones. The initialization of secure communication would be easy to achieve if there existed a global infrastructure enabling devices to share an on- or off-line trusted third party, certification authority, PKI or pre-configured secrets. However, such a global infrastructure may not be possible in practice, thereby making pairing an interesting and challenging research problem.
A promising and well-established research direction to solving the pairing dilemma is to leverage an auxiliary channel, also called an out-of-band (OOB) channel, which is governed by the users operating the devices to be paired. Examples of OOB channels include audio, visual, and tactile channels. Unlike classical radio channels, OOB channels are “human-perceptible,” i.e., the underlying transmission and reception that drives these avenues of communication can be perceived by one or more of the human senses. Due to this property, OOB communication naturally provides authentication and integrity, unlike radio communication. In other words, a user can validate the intended source of an OOB message and an adversary cannot manipulate the OOB messages in transit, although he can perform a variety of other actions, such as eavesdropping upon data sent across the channel.
The usability of pairing based on OOB channels is clearly very important. Since the OOB channels typically have low bandwidth, the shorter the data that a pairing method needs to transmit over these channels, the better the method becomes in terms of usability. To this end, a recent innovation in pairing is the class of so-called Short Authenticated String (SAS) based protocols [16,22,6,8,34] that limit the length of data to be transmitted over OOB channels to only 15 bits or so, while achieving a reasonable level of security. Using these protocols, a wide variety of pairing methods based on visual, audio, tactile, and infrared OOB channels have been proposed. We refer the reader to a survey and comparative analysis of various OOB pairing methods [11]. (We summarize these later in Section 2.1.)
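The following simulation of a commitment-based SAS exchange is an added illustration, not code from this paper or from any of the cited protocols. Random 32-byte strings stand in for public keys, all function names are hypothetical, and the construction is a simplified variant chosen to show why a 15-bit OOB comparison exposes a relay on the radio channel with probability about 1 - 2^-15.

```python
import hashlib
import hmac
import secrets

SAS_BITS = 15  # OOB payload length cited in the paragraph above

def commit(pk: bytes, nonce: bytes) -> bytes:
    # Hash commitment binding a public key to a not-yet-revealed nonce.
    return hashlib.sha256(b"commit" + pk + nonce).digest()

def short_string(pk_a: bytes, pk_b: bytes, r_a: bytes, r_b: bytes) -> int:
    # All fields are fixed at 32 bytes, so plain concatenation is unambiguous.
    digest = hashlib.sha256(b"sas" + pk_a + pk_b + r_a + r_b).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - SAS_BITS)

def open_commitment(c: bytes, pk: bytes, nonce: bytes) -> None:
    if not hmac.compare_digest(c, commit(pk, nonce)):
        raise ValueError("commitment does not open: abort pairing")

def pair(mitm: bool = False):
    """Run one exchange; return (SAS shown to Alice, SAS shown to Bob)."""
    new = lambda: secrets.token_bytes(32)
    pk_a, r_a, pk_b, r_b = new(), new(), new(), new()  # constructed stand-ins
    # A relay must fix r_e1 (inside its commitment) before seeing r_b, and
    # r_e2 before Alice reveals r_a, so it cannot steer either string.
    pk_e, r_e1, r_e2 = new(), new(), new()

    # 1. Alice -> Bob over radio: pk_a and commit(pk_a, r_a).
    c_a = commit(pk_a, r_a)
    seen_by_bob = (pk_e, commit(pk_e, r_e1)) if mitm else (pk_a, c_a)
    # 2. Bob -> Alice over radio: pk_b and r_b in the clear.
    seen_by_alice = (pk_e, r_e2) if mitm else (pk_b, r_b)
    # 3. Alice reveals r_a; Bob opens whatever commitment he received.
    revealed_to_bob = r_e1 if mitm else r_a
    open_commitment(seen_by_bob[1], seen_by_bob[0], revealed_to_bob)

    # 4. Each device derives the string its user compares over the OOB channel.
    sas_alice = short_string(pk_a, seen_by_alice[0], r_a, seen_by_alice[1])
    sas_bob = short_string(seen_by_bob[0], pk_b, revealed_to_bob, r_b)
    return sas_alice, sas_bob

def undetected_rate(trials: int = 2000) -> float:
    # Fraction of relayed runs whose two strings collide (expected 2**-15).
    hits = sum(a == b for a, b in (pair(mitm=True) for _ in range(trials)))
    return hits / trials
```

The security of the comparison rests on the users actually checking the two strings, which is the human-error surface the pairing game is meant to address.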
The focus of this paper is on social pairing scenarios [12], whereby two different users (Alice and Bob) control their respective devices while pairing them. Examples include pairing between Alice’s and Bob’s PDAs, laptops, or cell phones for social or professional reasons, such as sharing files and music, exchanging digital business cards, multiplayer games, messaging, chatting, or collaborative applications. The main advantage of using Bluetooth or WiFi in such scenarios is that no infrastructure is needed and thus ad hoc communication can take place without any extra cost to the users. For this reason, social scenarios have been emerging rapidly and are already quite popular, especially in developing countries. Secure pairing of users’ devices is a natural and recommended way to prevent any eavesdropping and/or malicious intervention during their intended communication. Furthermore, note that most scenarios necessitating OOB pairing techniques are by definition social in nature. This is because of the fact that if a single user is the administrator of both of the devices to be paired, he or she can simply use a pre-shared secret on both devices to accomplish pairing in a straightforward fashion.
We remark that the problem of social pairing is simpler than a commonplace problem of personal pairing, whereby both devices are controlled by a single user (Alice). Examples of personal pairing include pairing between Alice’s Bluetooth headset and her cell phone, her PDA and her wireless printer, or her laptop and a wireless access point. This is because, unlike personal pairing, the devices taking part in social pairing are not usually constrained in terms of input/output interfaces. In fact, most modern cell-phone-class devices are equipped with a wide variety of interfaces, which makes establishing OOB channels much simpler.
Unfortunately, even the seemingly simple problem of social pairing turns out to be daunting in practice and remains unsolved despite several years of recent research. Prior work on pairing raises several usability and security related concerns and fundamental research challenges.