Security Associations in Personal Networks: A Comparative Analysis

How to reach the new standards for associating devices in personal networks

Category: Network security

Date: , 14:00

Short-range communication standards have brought a large number of new services to the reach of common users. For instance, standards for personal networking technologies such as Bluetooth, Wi-Fi, Wireless Universal Serial Bus (WUSB), and HomePlugAV enable users to easily introduce, access, and control services and devices both in home and mobile environments.

The initial process of introducing a new device to another device or to a network is called an association. Association consists of the participating devices finding each other, and possibly setting up a security association, such as a shared secret key, between them. The part of the association procedure that is visible to the user is called an association model.

NRC-TR-2007-004

Security Associations in Personal Networks: A Comparative Analysis

Jani Suomalainen (VTT Technical Research Centre of Finland, http://www.vtt.fi/), Jukka Valkonen and N. Asokan (Nokia Research Center Helsinki, http://research.nokia.com)

9.1.2007

Abstract: Introducing a new device to a network or to another device is one of the most security critical phases of communication in personal networks. There have been several different proposals to make this process of associating devices both easy-to-use and secure. Some of them have been adapted by emerging standard specifications. In this paper, we first present a taxonomy of protocols for creating security associations in personal networks. We then make use of this taxonomy in surveying and comparing association models proposed in several emerging standards. We also identify new potential attack scenarios and discuss how to mitigate them.

Index Terms: personal networks, security association, standards, comparative survey, attacks

Copyright © 2007, Nokia, N. Asokan, Jukka Valkonen. Copyright © 2007, Jani Suomalainen.

1 Introduction

Short-range communication standards have brought a large number of new services to the reach of common users. For instance, standards for personal networking technologies such as Bluetooth (http://bluetooth.org), Wi-Fi (http://wi-fi.org), Wireless Universal Serial Bus (WUSB, http://usb.org/wusb), and HomePlugAV (http://homeplug.org) enable users to easily introduce, access, and control services and devices both in home and mobile environments.

The initial process of introducing a new device to another device or to a network is called an association. Association consists of the participating devices finding each other, and possibly setting up a security association, such as a shared secret key, between them. The part of the association procedure that is visible to the user is called an association model.

Association models in today's personal networks, such as those based on Wi-Fi or Bluetooth, typically consist of the user scanning the neighborhood from one device, selecting the other device or network to associate with, and then typing in a shared passkey. These current association procedures have several usability and security drawbacks arising primarily from the fact that they are used by ordinary non-expert users (see footnote 5).

Footnote 5: First, when there are many devices or networks in the scanned neighborhood, users find it difficult to choose the correct one from a, possibly long, list of choices. Second, the security of the association protocol depends on the strength of the shared passkey. Making the passkey long and hard-to-guess impacts usability. Using a short or memorable passkey leaves the protocol vulnerable to dictionary attacks, even by passive eavesdroppers. Also, over the last few years several other cryptographic weaknesses have been discovered in the association protocols used in Wi-Fi and Bluetooth.

To address these concerns, various new ideas have been proposed with the intent of providing a secure yet usable association model. For instance, there have been proposals for schemes utilizing short passwords/checksums [5, 9, 21, 22] or out-of-band channels, such as physical [19], audio [6], visual [11, 17] or very short-range wireless channels.

In reality, it is impractical to mandate a single association model for all kinds of devices because different devices have different hardware capabilities. Also, different users and application contexts have different usability and security requirements. Because of this, forthcoming standards are adopting multiple association models. Although low-end devices like headsets and wireless access points may be limited to one association model, richer devices like mobile phones and personal computers will naturally support more than one association model.

The security of individual association models has been studied widely. But new kinds of threats may emerge when several models are supported in personal devices and several standards, both new and old, are in use simultaneously.

In this paper, we make a comparative analysis of proposed association models in different standards from a practical point of view. The surveyed standards are Bluetooth Simple Pairing [18], Wi-Fi Protected Setup [23], Wireless USB Association Models [24], and HomePlugAV security modes [7]. The standards have some similarities. All of them can address the problem of finding the right peer device, usually by supporting some variation of the notion of user-conditioning: a device participates in the association only when it is in a special association mode; typically a device enters the association mode in response to an explicit user action, such as pressing a button. All of them are targeted for personal networks and support multiple association models. Also, all of the standards utilize some sort of key establishment procedure for agreeing on a shared secret key between the devices.

The rest of the paper is organized as follows. Section 2 provides a systematic taxonomy of different protocols for key establishment. Section 3 describes how and which key establishment protocols and related association models are used in the surveyed standards. Section 4 presents a comparative analysis on the security of these standards. Section 5 describes novel attack scenarios where attackers utilize the simultaneous availability of different association models. Finally, Section 6 presents a discussion on potential countermeasures against these attacks.

2 Association Protocols

All of the association models we will survey in Section 3 are based on one or more protocols for human-mediated establishment of a shared key between two devices. The shared key is typically used to protect subsequent communication and, possibly, in authentication for other access control decisions. We show that the same basic protocols are used in different standard specifications, even though the exact instantiations naturally differ.

As a prelude to identifying and comparing these different instantiations, we present a systematic classification of human-mediated key establishment protocols that can be used in personal networks. Figure 1 provides an overview of this classification. At a high level, key establishment may be a simple key transport or involve running a key agreement protocol.

Fig. 1. Classification of Key Agreement Protocols (the figure itself is not reproduced here; the labels P1 to P10 used in the text refer to its protocol classes)

Key transport: In key transport, one device chooses the key and transmits it directly to the second device using an out-of-band communication channel (P1). Typical out-of-band channels used for key transport include a direct USB cable connection or the use of flash drives. The security of key transport depends on the out-of-band channel being secret and unspoofable: a man-in-the-middle must not be able to modify the data transmitted between the devices.

Key agreement: Key agreement protocols may be based purely on symmetric key cryptography, or may be based on asymmetric key cryptography as well. In the latter case, the typical protocol is Diffie-Hellman key exchange [4]. Key agreement may be unauthenticated or authenticated. Unauthenticated symmetric key agreement (P9) is vulnerable even to passive eavesdroppers.
Unauthenticated asymmetric key agreement (P2) is secure against passive eavesdroppers but is vulnerable to an active man-in-the-middle (MitM).

The only way to authenticate key agreement based on symmetric key cryptography is by using a sufficiently long pre-shared secret (P10). The security of such protocols depends on the length of the pre-shared secret.

Authentication of asymmetric key agreement can be performed using some form of integrity checking, or by using a pre-shared secret, or using a combination of these two. There are two ways to authenticate by integrity checking: by exchanging commitments to public keys, or by verifying a short integrity checksum. Now we take a closer look at the protocols involved in the different ways of authenticating key agreement based on asymmetric key cryptography.

Authentication by exchanging key commitments: Balfanz, et al., propose in [1] to exchange commitments to public keys using an out-of-band channel (P3). The commitments can be the public keys of the devices or their hashes. When the devices exchange public keys via the in-band channel, they can validate the authenticity of these public keys by using the information exchanged via the out-of-band channel. The security of the protocols depends on the out-of-band channel being unspoofable. Also, the commitments of public keys must be strong enough (e.g., a cryptographic hash function with at least 80 bits of output) to resist the attacker finding a second pre-image to the commitment.

Authentication by short integrity checksum: Several researchers have proposed authentication by using short checksums [16, 9, 22, 21], sometimes referred to as short authenticated string protocols. In such protocols, each device computes a short checksum from the messages exchanged during the key agreement protocol. If the two checksums are the same, the exchange is authenticated.
A basic three-round mutual authentication protocol from [9] is depicted, in a simplified form, in Figure 2. Devices D1 and D2 first exchange their public keys PK1 and PK2. The protocol is used to mutually authenticate public keys. The notations are as follows: in practice, h() is a cryptographic hash function like SHA-256; f() is also a cryptographic hash function, but with a short output mapped to a human-readable string of digits. The hat symbol is used to denote the receiver's view of a value sent in a protocol message (written here as R̂1 for D2's view of R1, PK̂2 for D1's view of PK2, and so on).

Fig. 2. Authentication by Short Integrity Checksum

1. D1 generates a long random value R1, computes commitment h = h(R1) and sends it to D2.
   D1 → D2: h
2. D2 generates a long random value R2 and sends it to D1.
   D2 → D1: R2
3. D1 opens its commitment by sending R1 to D2.
   D1 → D2: R1
4. D2 checks if h = h(R̂1). If equality holds, D2 computes v2 = f(PK̂1, PK2, R̂1, R2), otherwise it aborts. D1 computes v1 = f(PK1, PK̂2, R1, R̂2).
5. Both devices check if v1 equals v2.

The check in the last step can be done in many different ways. One way is to ask the user to do the comparison (P4): each device displays its own string to the user and asks whether it is the same as what the other device is displaying. If the checksums are identical, the user indicates this to both devices and both devices conclude that the authentication is successful. Otherwise, the user indicates a mismatch to both devices and both conclude that the authentication did not succeed. An alternative way is to do the check using a physical out-of-band channel (P5) as in [17].

To succeed, a man-in-the-middle attacker has to choose R1' and R2' such that f(PK1', PK2, R1', R2) is the same as f(PK1, PK2', R1, R2'), where PK1' and PK2' are the attacker's public keys. The security of the protocol depends on the quality of the functions h() and f(). If h() is collision-resistant, the attacker has to choose R1' without knowing anything about R2. If h() is one-way, the attacker has to choose R2' without knowing anything about R1.
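As an added illustration, not code from the paper, the following Python model runs the three-round protocol of Figure 2 end to end, with h() instantiated as SHA-256 and f() as SHA-256 reduced to six decimal digits. The public keys are placeholder byte strings rather than real Diffie-Hellman values, and the function and parameter names are this example's own. It shows the two ways a run fails: a commitment that does not open correctly makes D2 abort in step 4, and substituted public keys (the view an active man-in-the-middle would leave behind) make the two displayed strings differ, which is exactly what the user's comparison in step 5 detects.

```python
import hashlib
import secrets

# Added example modelling Figure 2; not part of the paper. Public keys are
# placeholder byte strings, and the names below are this example's own.

DIGITS = 6  # length of the human-comparable string, so f() has roughly 20 bits of output


def h(r: bytes) -> bytes:
    """Commitment function h(): a cryptographic hash (SHA-256 here)."""
    return hashlib.sha256(r).digest()


def f(pk1: bytes, pk2: bytes, r1: bytes, r2: bytes) -> str:
    """Short checksum f(): SHA-256 over the run, mapped to DIGITS decimal digits."""
    digest = hashlib.sha256(b"\x00".join((pk1, pk2, r1, r2))).digest()
    return str(int.from_bytes(digest, "big") % 10**DIGITS).zfill(DIGITS)


def run_figure2(pk1: bytes, pk2: bytes, pk1_hat: bytes = None,
                pk2_hat: bytes = None, r1_hat: bytes = None):
    """Run the protocol of Figure 2 between D1 and D2.

    pk1_hat is PK1 as received by D2 and pk2_hat is PK2 as received by D1
    (hat = receiver's view); they equal pk1/pk2 unless the in-band channel
    was tampered with. r1_hat optionally replaces what D2 receives in step 3.
    Returns (v1, v2, commitment_ok); v1 and v2 are None when D2 aborts.
    """
    pk1_hat = pk1 if pk1_hat is None else pk1_hat
    pk2_hat = pk2 if pk2_hat is None else pk2_hat

    # 1. D1 picks a long random R1 and sends only its commitment h(R1).
    r1 = secrets.token_bytes(32)
    commitment = h(r1)
    # 2. D2 picks R2 and sends it; D1 has already fixed R1, so it cannot adapt.
    r2 = secrets.token_bytes(32)
    # 3. D1 opens the commitment by sending R1; D2 sees r1_hat.
    r1_hat = r1 if r1_hat is None else r1_hat
    # 4. D2 verifies the commitment before computing its checksum.
    commitment_ok = secrets.compare_digest(commitment, h(r1_hat))
    if not commitment_ok:
        return None, None, False
    v2 = f(pk1_hat, pk2, r1_hat, r2)  # D2's view of the run
    v1 = f(pk1, pk2_hat, r1, r2)      # D1's view of the run
    # 5. Both strings go to the user (P4), who confirms or rejects.
    return v1, v2, True


if __name__ == "__main__":
    pk1, pk2 = b"PK1 placeholder", b"PK2 placeholder"
    print("honest run:", run_figure2(pk1, pk2))
    # Substituted public keys on both sides: the displayed strings no longer agree.
    print("key substitution:", run_figure2(pk1, pk2, b"PK1' placeholder", b"PK2' placeholder"))
    # A replaced R1 fails the commitment check, so D2 aborts in step 4.
    print("bad opening:", run_figure2(pk1, pk2, r1_hat=bytes(32)))
```

The commitment in step 1 is what forces the ordering argument in the text: R1 is fixed before R2 is seen, and R2 is chosen without knowledge of R1, so neither side (nor anyone in between) can steer the output of f(); with six digits the residual chance that two differing views still display the same string is one in a million, independent of the attacker's computing power.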
If the output of f() is a uniformly distributed n-bit value, then the chance of a man-in-the-middle attacker succeeding is 2^-n, because the attacker cannot influence the outcome of f(). This success probability is unconditional; it does not rely on any assumptions about the computational capabilities of the attacker. See [10] for a formal proof.

Authentication by (short) shared secret: Key exchange can also be authenticated using a short pre-shared secret passkey. A number of different methods have been proposed for password-authenticated key exchange since Bellovin and Merritt introduced the idea in [3]. In Figure 3 we describe a variant of the MANA III protocol by Gehrmann, et al., in [5]. It uses a one-time passkey P to authenticate PK1 and PK2. P is split into k pieces, labelled P1 ... Pk. The steps in the protocol are repeated k times. The figure shows the exchanges in the ith round.

In each round, each party demonstrates its knowledge of Pi. A man-in-the-middle can easily learn P1 by sending garbage in message 2, and figuring out P1 by exhaustive search once D1 reveals R1 in message 3. However, without knowing Pi, i = 2 ... k, the attacker cannot successfully complete the protocol run (recall that P is a one-time passkey). With an n-bit passkey and k rounds the probability for a successful man-in-the-middle attack is 2^-(n - n/k). As in the case of short authentication strings, the man-in-the-middle success probabilities are unconditional.

Fig. 3. Round i of Authentication by (Short) Shared Secret

1. D1 generates a long random value R1^i, computes commitment h1^i = h(1, PK1, PK̂2, Pi, R1^i) and sends it to D2.
   D1 → D2: h1^i
2. D2 generates a long random value R2^i, computes commitment h2^i = h(2, PK2, PK̂1, Pi, R2^i) and sends it to D1.
   D2 → D1: h2^i
3. D1 responds by opening its commitment and sending R1^i to D2.
   D1 → D2: R1^i
   D2 now checks if ĥ1^i = h(1, PK̂1, PK2, Pi, R̂1^i) and aborts if it does not hold.
4. D2 responds by opening its commitment and sending R2^i to D1.
   D2 → D1: R2^i
   D1 checks if ĥ2^i = h(2, PK̂2, PK1, Pi, R̂2^i) and aborts if it does not hold.

There are many different ways of arranging for both devices to know the same P. One way is to have the user as the intermediary (P6): the user may choose P and enter it into both devices, or one device may show a value for P which the user is asked to enter into the second device. Alternatively, P may be transported from one device to another using an out-of-band channel (P7). In such methods, as there is no need for a human to transfer the shared secret between the devices, it can be longer, thus making the probability of a successful attack smaller. Note that the passkey is still used only to authenticate the key agreement, rather than as the long-term secret.

Hybrid authentication: Hybrid authentication protocols are used to achieve mutual authentication when only a one-way out-of-band channel is available (P8). The one-way channel is used to transmit the shared secret value and a hash of the public key from the first device to the second. The second device authenticates the first based on the public key hash. The first device authenticates the second based on its knowledge of the shared secret. A basic protocol is depicted in Figure 4. The function c(M, K) is a message authentication code on message M using a key K.

Fig. 4. Hybrid Authentication Protocol

1. D1 picks a long random value R1, computes a commitment to public key PK1 as C1 = h(PK1, R1) and sends this with a secret S using the OOB channel.
   D1 → D2: S, C1 (OOB)
2. D1 sends its public key and random value using the in-band channel.
   D1 → D2: PK1, R1
3. D2 checks if C1 = h(PK̂1, R̂1) and aborts if it does not hold. Otherwise, D2 picks its own long random value R2, computes C2 = c(PK̂1 | PK2 | R̂1 | R2, S) and sends the result to D1 with its own public key and random value.
   D2 → D1: PK2, R2, C2
4. D1 checks if Ĉ2 = c(PK1 | PK̂2 | R1 | R̂2, S) and aborts if it does not hold.

The security of the protocol depends on the out-of-band channel being secret and unspoofable, as well as on the strength of the commitment function h() and the message authentication code function c().

3 Association Models in Standards for Personal Networks

In this section, we survey the association models proposed in four emerging standards [18, 23, 24, 14]. We then compare them by referring to the classification presented in Section 2.

3.1 Bluetooth Simple Pairing

Bluetooth Simple Pairing [18] is a standard developed by the Bluetooth Special Interest Group. It is intended to provide better usability and security than the original Bluetooth pairing mechanism, and is expected to replace it. Simple Pairing consists of three phases. In the first phase, the devices find each other and exchange information about their user input/output capabilities and their elliptic curve Diffie-Hellman public keys for the FIPS P-192 curve [15]. In the second phase, the public keys are authenticated and the Diffie-Hellman key is calculated. The exact authentication protocol, and hence the association model, is determined based on the device user-I/O capabilities. In the third phase, the agreed key is confirmed (in one association model, the authentication spans both the second and third phase, as we will see below).

Simple Pairing supports four different association models: Numeric Comparison, Passkey Entry, Just Works and Out-of-Band models. Now we will examine each of these models and the protocols they use for authentication in phase 2.

Numeric comparison model is where the user manually compares and confirms whether the short integrity checksums displayed by both devices are identical (Figure 1: P4). The compared checksum is 6 digits long. The phase 2 protocol is an instantiation of the protocol in Figure 2. The exact instantiation is depicted in Figure 5.
At this point the devices have already completed phase 1 and possess both public keys PKa and PKb.

Fig. 5. Bluetooth Simple Pairing: Numeric Comparison Model

1. DB computes a commitment Cb = f1(PKb, PKa, Nb, 0) using the one-way function f1 with 128-bit output and a 128-bit fresh random nonce Nb, and sends the value to DA.
   DB → DA: Cb
2. DA responds by sending a 128-bit fresh random nonce Na to DB.
   DA → DB: Na
3. DB opens the commitment by sending Nb to DA.
   DB → DA: Nb
4. DA recomputes Cb as f1(PK̂b, PKa, N̂b, 0) and checks if Cb = Ĉb. If it is, DA computes a short checksum using the one-way function g as Va = g(PKa, PK̂b, Na, N̂b); otherwise DA aborts. DB computes checksum Vb = g(PK̂a, PKb, N̂a, Nb). Each device displays the six least significant digits of its own checksum.
5. Each device prompts the user to check and confirm if the checksum it displays is the same as the checksum displayed by the peer device.

where f1(U, V, X, Z) = HMAC-SHA-256_X(U | V | Z) / 2^128 (i.e., the 128 most significant bits of the HMAC output) and g(U, V, X, Y) = SHA-256(U | V | X | Y) mod 2^32.

The protocol is a straightforward implementation of the authentication protocol for P4 depicted in Figure 2, where DB plays the role of D1 and DA plays the role of D2. Similar to Figure 2, the protocol structure ensures that DA and DB have to choose Na and Nb, respectively, independently of each other.

Passkey entry model is targeted primarily for the case where only one device has a display but the other device has a keypad. The first device displays the 6-digit secret passkey, and the user is required to type it into the second device. The passkey is used to authenticate the Diffie-Hellman key agreement (Figure 1: P6). The protocol is based on user-assisted authentication by shared secret in Figure 3 with 20 rounds (k = 20). Devices prove knowledge of one bit of the passkey in each round. The exact instantiation of the phase 2 protocol is depicted in Figure 6. As before, phase 1 has been completed and both devices know PKa and PKb. This is essentially the protocol in Figure 3 executed 20 times.
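The following Python model is an added example, not code from the paper or from the Bluetooth SIG, of the 20-round passkey entry exchange of Figure 6, which instantiates Figure 3 with one passkey bit per round. f1 is implemented as the page defines it for Figure 5 (HMAC-SHA-256 keyed with the nonce, keeping the 128 most significant bits). The public keys are placeholder byte strings standing in for the P-192 ECDH values, and the encoding of the passkey bit rai as a single byte is this example's own assumption, as are the function names. The run aborts at the first round in which the two devices' passkey bits disagree, which is the failure mode a mistyped passkey produces.

```python
import hashlib
import hmac
import secrets

# Added example modelling Figure 6; not the paper's or the Bluetooth SIG's code.
# PKA/PKB are placeholders for the P-192 ECDH public keys exchanged in phase 1.
PKA = b"PKa placeholder (P-192 point)"
PKB = b"PKb placeholder (P-192 point)"
ROUNDS = 20  # a 6-digit passkey has 20 bits; one bit is proven per round


def f1(u: bytes, v: bytes, x: bytes, z: bytes) -> bytes:
    """f1(U, V, X, Z) = HMAC-SHA-256 keyed with X over U | V | Z, 128 most significant bits."""
    return hmac.new(x, u + v + z, hashlib.sha256).digest()[:16]


def passkey_bit(r: int, i: int) -> bytes:
    """The i-th most significant bit (i = 1..20) of passkey r, encoded as one byte (assumption)."""
    return bytes([(r >> (ROUNDS - i)) & 1])


def passkey_entry(pka: bytes, pkb: bytes, ra: int, rb: int):
    """Run the 20 rounds of Figure 6 with ra/rb the passkey as seen by DA/DB.

    Returns (success, rounds_completed); rounds_completed is the number of rounds
    that finished before an abort (20 on success).
    """
    for i in range(1, ROUNDS + 1):
        rai, rbi = passkey_bit(ra, i), passkey_bit(rb, i)
        # 1. DA commits to a fresh 128-bit nonce and its bit of the passkey.
        nai = secrets.token_bytes(16)
        cai = f1(pka, pkb, nai, rai)
        # 2. DB commits likewise; it has not seen Nai, only the commitment Cai.
        nbi = secrets.token_bytes(16)
        cbi = f1(pkb, pka, nbi, rbi)
        # 3. DA opens; DB recomputes with its own bit rbi and aborts on mismatch.
        if not hmac.compare_digest(cai, f1(pka, pkb, nai, rbi)):
            return False, i - 1
        # 4. DB opens; DA recomputes with its own bit rai and aborts on mismatch.
        if not hmac.compare_digest(cbi, f1(pkb, pka, nbi, rai)):
            return False, i - 1
    return True, ROUNDS


if __name__ == "__main__":
    print(passkey_entry(PKA, PKB, 123456, 123456))  # (True, 20)
    print(passkey_entry(PKA, PKB, 123456, 123457))  # differ only in the last bit: (False, 19)
    print(passkey_entry(PKA, PKB, 0, 524288))       # differ in the first bit: (False, 0)
```

Because each round reveals one bit of the passkey to whoever observes the opened commitments, the passkey must be one-time, as the text notes for Figure 3; the per-round abort is what limits an active attacker who does not know the passkey to guessing one bit at a time.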
Just Works model is targeted for cases where at least one of the devices has neither a display nor a keypad. Therefore, unauthenticated Diffie-Hellman key agreement is used (Figure 1: P2) to protect against passive eavesdroppers but not against man-in-the-middle attacks. The protocol used in this model is the same as in the numeric comparison model, but the integrity check values are accepted by the devices without checking for equality. The specification allows a device to optionally ask the user for a confirmation to accept the connection, without displaying the checksum or asking for an equality check.

Fig. 6. Bluetooth Simple Pairing: Passkey Entry Model

Let ra and rb denote the value of the 6-digit passkey as seen by DA and DB respectively (in the normal case, ra and rb have the same value). rai and rbi denote the ith most significant bit of ra and rb respectively. The devices execute the following 20 times:

1. DA generates a 128-bit random value Nai, computes commitment Cai = f1(PKa, PK̂b, Nai, rai) and sends it to DB.
   DA → DB: Cai
2. DB generates a 128-bit random value Nbi, computes commitment Cbi = f1(PKb, PK̂a, Nbi, rbi) and sends it to DA.
   DB → DA: Cbi
3. DA sends Nai to DB.
   DA → DB: Nai
   DB recomputes Cai as f1(PK̂a, PKb, N̂ai, rbi) and checks if Cai = Ĉai. If it is not, DB aborts.
4. Otherwise DB sends Nbi to DA.
   DB → DA: Nbi
   DA recomputes Cbi as f1(PK̂b, PKa, N̂bi, rai) and checks if Cbi = Ĉbi. If it is not, DA aborts the protocol.

Out-of-band model is intended to be used with different out-of-band channels, in particular with Near Field Communication technology. Device DA uses the out-of-band channel to send a 128-bit secret ra and a commitment Ca to its public key PKa. Similarly, DB uses the out-of-band channel to send rb and Cb. If out-of-band communication is bidirectional, mutual authentication is achieved by each party verifying that the peer's public key matches the commitment received via the out-of-band channel (Figure 1: P3). The phase 2 protocol instantiation is depicted in Figure 7.

Fig. 7. Bluetooth Simple Pairing: Out-of-band Model

As before, the devices are expected to know PKa and PKb at the end of phase 1. DA sets ra to a fresh 128-bit random value and rb to 0; DA computes commitment Ca as f1(PKa, PKa, ra, 0). DB sets rb to a fresh 128-bit random value and ra to 0; DB computes commitment Cb as f1(PKb, PKb, rb, 0).

1. DA then sends its device address A along with ra and Ca via the out-of-band channel.
   DA → DB: Ca, ra, A
   If DB receives an out-of-band message, it updates ra to be the received value r̂a, recomputes Ca as f1(PK̂a, PK̂a, r̂a, 0) and checks if Ca = Ĉa. If the equality does not hold, DB aborts.
2. DB similarly sends its own device address B along with rb and Cb.
   DB → DA: Cb, rb, B
   If DA receives an out-of-band message, it updates rb to be the received value r̂b, recomputes Cb as f1(PK̂b, PK̂b, r̂b, 0) and checks if Cb = Ĉb. If the equality does not hold, DA aborts.
3. DA chooses a fresh random nonce Na and sends it to DB in-band.
   DA → DB: Na
4. DB chooses a fresh random nonce Nb and sends it to DA in-band.
   DB → DA: Nb

If the out-of-band channel is two-way, then message 1 and message 2 will both be sent. Mutual authentication is complete at the end of step 2. If the out-of-band channel is only one-way, the party receiving the out-of-band message can authenticate the public key of its peer. However, the party sending the out-of-band message must wait until the third, key confirmation, phase of Simple Pairing, which we now describe.

In phase 3, the same key confirmation protocol is executed in all association models to confirm successful key exchange by exchanging message authentication codes using the newly computed Diffie-Hellman key. The confirmation phase is depicted in Figure 8. The notations are as follows: A and B denote the device addresses of DA and DB respectively; IOCapA and IOCapB are the user input/output capabilities exchanged between DA and DB in phase 1 of Simple Pairing; DHKey is the Diffie-Hellman key computed using the public keys exchanged between DA and DB in phase 1. Both devices set the values of ra and rb already in phase 2: in the numeric comparison model, both devices set their ra and rb values to 0. In the passkey model, both devices set ra and rb to the value of the shared 6-digit passkey. In the out-of-band model DA resets its ra value to 0 either if it cannot send an out-of-band message, or if it receives rb via out-of-band but learns via in-band that DB was not able to read ra out-of-band. DB follows similar rules.

To see how this serves to complete mutual authentication in the case of one-way out-of-band channels, suppose the out-of-band channel in Figure 7 had been unidirectional from DA to DB. In this case, DB would have received the secret ra, which will be included in the computation of Eb (see footnote 6). Eb thus serves as a proof-of-knowledge of the shared secret ra. In terms of the notations in the hybrid authentication protocol (Figure 4), ra is the shared secret S and Eb serves as the message authentication code C2.

Footnote 6: The Simple Pairing White Paper [18] incorrectly showed that rb was included in the computation of Eb. This was reported to the Bluetooth SIG and will be corrected in the actual specification.

Fig. 8. Bluetooth Simple Pairing: Confirmation Phase

1. DA computes a confirmation message Ea as f3(DHKey, Na, N̂b, rb, IOCapA, A, B) using the one-way function f3 and sends Ea to DB.
   DA → DB: Ea
   DB recomputes Ea. If the recomputed value does not match the received value Êa, DB aborts.
2. Otherwise, DB computes Eb as f3(DHKey, Nb, N̂a, ra, IOCapB, B, A) and sends Eb to DA.
   DB → DA: Eb
   DA recomputes Eb. If the recomputed value does not match the received value Êb, DA aborts. Otherwise, the devices have successfully performed the exchange and can continue.

where f3(X, A, B, C, D, E, F) = HMAC-SHA-256_X(A | B | C | D | E | F) / 2^128.

Peer discovery: In current Bluetooth pairing, peer discovery is left to the user: the user initiates pairing from one device, which constructs a list of all other Bluetooth devices in the neighborhood that are publicly discoverable and asks the user to choose the right one to pair with. In the Simple Pairing out-of-band association model, device addresses are sent via the out-of-band channel. This makes it possible to uniquely identify the peer to pair with, without requiring user selection. Simple Pairing does not contain any new mechanisms to make peer discovery easier in the other association models. Individual implementations could use existing Bluetooth modes, like the "limited discoverable mode" and "pairable mode", to support user-conditioning on the peer device. However, since such user-conditioning is not mandated by the specification, it is quite possible that Simple Pairing implementations may still need to resort to asking the user to choose the right peer device from a list.

Model selection: The association model to be used is uniquely selected during the initialization of the session. If the association process is initiated by out-of-band interaction, and security information is sent through the out-of-band channel, then the out-of-band model is chosen automatically. Otherwise, in phase 1, the devices exchange their input-output capabilities. The Simple Pairing specification describes how these capabilities should be used to select the association model.

3.2 Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is the Wi-Fi Alliance's specification for secure association of wireless LAN devices. Microsoft's Windows Connect Now (WCN) [12, 13] includes a subset of the association models described in WPS. The objective of WPS is to mutually authenticate the enrolling device with the Wi-Fi network and to deliver network access keys to the enrolling device. This is done by having the enrolling device interact with a device known as the "registrar", responsible for controlling the Wi-Fi network. The registrar may be, but does not have to be, located in the Wi-Fi access point itself. WPS supports three configuration methods: in-band, out-of-band, and push-button configurations.

In-band configuration enables associations based on a shared secret passkey (Figure 1: P6). The user is required to enter the passkey of the enrollee into the registrar. This passkey may be temporary (and displayed by the enrollee) or static (and printed on a label). 8-digit passkeys are recommended but 4-digit passkeys are allowed.
The passkey is used to authenticate the Diffie-Hellman key agreement between the enrollee and the registrar. The protocol used is an instantiation of the modified MANA III protocol in Figure 3 with two rounds (k = 2). The exact instantiation is described in Figure 9, where the following notation is used:

- N1, N2: 128-bit nonces chosen by enrollee and registrar respectively.
- PKa and PKb: D-H public keys (for the 1536-bit MODP group 5 defined in [8]) of enrollee and registrar respectively.
- Mj*: The message Mj without the HMAC authenticator.
- AuthKey and KeyWrapKey: Keys derived from the Diffie-Hellman key.
- ENC_Key(): AES-CBC encryption using a 128-bit key Key.
- ESi and RSi: The random values used to prove knowledge of the ith component of the passkey (similar to R1^i and R2^i in Figure 3).
- EHashi and RHashi: Commitments used in the proof of knowledge (similar to h1^i and h2^i in Figure 3).

Unlike in Figure 3, each party sends both of its passkey commitments in a single message (M3 and M4 respectively). The commitment EHashi, i = 1, 2, is computed as

PSKi = 128 bits of HMAC-SHA-256_AuthKey(ith half of passkey)
EHashi = HMAC-SHA-256_AuthKey(ESi || PSKi || PK1 || PK2)

Messages M3 to M6 constitute the two rounds of the authentication protocol. In message M8, the access key for the network is delivered to the enrollee as "ConfigData" (see footnote 7).

As in the other passkey authentication mechanisms (Figures 3 and 6), once a passkey is used in a protocol run, an attacker can recover the passkey by dictionary attack (although in this instantiation, the attacker needs to be active, since the computation of the commitments EHashi includes AuthKey, which is derived from the Diffie-Hellman key).

In-band configuration can also be authenticated using hybrid authentication (Figure 1: P8) by transmitting the passkeys and key commitments using NFC tokens or USB flash drives.
This way, longer passkeys can be supported, as the users do not need to type the passkey into a device.

Out-of-band configuration is intended to be used with channels like USB flash drives, NFC tokens or two-way NFC interfaces. There are three different scenarios:

1. Exchange of public key commitments (Figure 1: P3), typically intended for two-way NFC interfaces, where the entire Diffie-Hellman exchange and the delivery of access keys takes place over the out-of-band channel. The OOB channel is used to transmit messages M1 and M2 (Figure 9) between the devices. No in-band communication takes place. The access keys are delivered in message M2.
2. Unencrypted key transfer (Figure 1: P1). An access key is transmitted from a registrar to enrollees in unencrypted form, either using USB flash drives or NFC tokens. The same out-of-band channel can be used to configure multiple enrollees.

Fig. 9. Windows Connect Now-NET Registration Protocol (message directions were lost in extraction and are reconstructed here: odd-numbered messages from DA, even-numbered from DB)

DA → DB: M1 = Version || N1 || Description || PKA
DB → DA: M2 = Version || N1 || N2 || Description || PKB [|| ConfigData] || HMAC_AuthKey(M1 || M2*)
DA → DB: M3 = Version || N2 || E-Hash1 || E-Hash2 || HMAC_AuthKey(M1 || M3*)
DB → DA: M4 = Version || N1 || R-Hash1 || R-Hash2 || ENC_KeyWrapKey(R-S1) || HMAC_AuthKey(M4 || M4*)
DA → DB: M5 = Version || N2 || ENC_KeyWrapKey(E-S1) || HMAC_AuthKey(M4 || M5*)
DB → DA: M6 = Version || N1 || ENC_KeyWrapKey(R-S2) || HMAC_AuthKey(M5 || M6*)
DA → DB: M7 = Version || N2 || ENC_KeyWrapKey(E-S2 [|| ConfigData]) || HMAC_AuthKey(M6 || M7*)
DB → DA: M8 = Version || N1 [|| ENC_KeyWrapKey(ConfigData)] || HMAC_AuthKey(M7 || M8*)

Footnote 7: ConfigData also appears in message M7. This is used when a registrar, acting as DA, takes ownership of an access point, acting as DB, and initializes the network access key.

3. Encrypted key transfer. This is similar to the previous case, except that the key is encrypted using a key derived from the (unauthenticated) Diffie-Hellman key agreed in-band.
(The in-band interaction consists of messages M1 and M2 in Figure 9.) From a security perspective, this is essentially out-of-band key transfer (Figure 1: P1). The advantage of the method is that if the flash drive is lost, no one except a device holding the encryption key is able to get the access key. The flash drive should still be kept secret, since a man-in-the-middle does have the encryption key and is able to decrypt the access key from the drive.

Push-button configuration is an optional method that provides an unauthenticated key exchange (Figure 1: P2). The user initiates the Push Button Configuration (PBC) by conditioning the enrollee (e.g., by pushing a button), and then, within 120 seconds, the user has to condition the registrar as well. The enrollee will start sending out probe requests to all visible access points inquiring if they are enabled for PBC. Access points are supposed to respond affirmatively only when their registrar has been conditioned by the user for PBC. If a device or registrar sees multiple peers ready to start PBC, they are required to abort the process and inform the user. Otherwise, they carry out the basic protocol, without a passkey.

Peer discovery: Enrollees start association in response to explicit user conditioning. They scan the neighborhood for available access points and send Probe Request messages. The Probe Response message has a "Selected Registrar" flag to indicate if the user has recently conditioned a registrar of that access point to accept registrations. This is mandatory for push-button configuration but is optional for other models. Thus it is possible that the user may have to be asked to select the correct Wi-Fi network from a list of available networks.

Model selection: The model is explicitly negotiated at the beginning.

3.3 Wireless USB Association Models

Wireless USB (WUSB) is a short-range wireless communication technology for high speed data transmission. The WUSB Association Models Supplement 1.0 specification [24] supports two association models for creating trust relationships between WUSB hosts and devices:

Cable model uses out-of-band key transfer (Figure 1: P1) and utilizes a wired USB connection to associate devices. Connecting two WUSB devices together is considered as an implicit decision and, hence, the standard does not require users to perform additional actions like accepting user prompts.

Numeric model relies on the users to authenticate the Diffie-Hellman key agreement (for the 3072-bit MODP group 15 defined in [8]) by comparing short integrity checksum values (Figure 1: P4). The protocol is an instantiation of the protocol in Figure 2. First DA and DB negotiate the length of the checksum to be used. The specification requires that WUSB hosts must support 4-digit checksums whereas WUSB devices must support either 2- or 4-digit checksums. The exact instantiation is described in Figure 10.

Fig. 10. Wireless USB: Numeric Association Model

1. DA generates random secret a1, computes PKa = g^a1 mod p and sends a hash cA = h(PKa || n) to DB, where n is the number of digits DA is capable of displaying.
   DA → DB: cA
2. DB generates random secret a2, computes PKb = g^a2 mod p and sends the value to DA.
   DB → DA: PKb
3. DA sends PKa and n to DB.
   DA → DB: PKa, n
4. DB now verifies the equality cA = h(PK̂a || n) and aborts if it does not hold. Otherwise DB computes a checksum Vb as f(PK̂a | PKb | "displayed digest") and shows the n least significant digits of Vb on its display. DA computes a checksum Va as f(PKa | PK̂b | "displayed digest") and shows the n least significant digits of Va on its display.
5. The user is prompted to compare and confirm if both devices output the same string.

Here f() is SHA-256, and n is either 2 or 4 and is agreed at the beginning of the association.

The protocol is similar to the ones described in Figures 2 and 5.
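As an added example, not code from the paper or from the WUSB specification, the following Python run of Figure 10 replaces the 3072-bit MODP group 15 with a small constructed Diffie-Hellman group (p = 2^127 - 1, g = 3, chosen only so that it runs quickly and unsuitable for real use) and uses SHA-256 for both h() and f(), as the figure states for f(). The commitment is to the Diffie-Hellman value itself, so DB's check in step 4 rejects a PKa that differs from the one committed to in step 1; the block also confirms that both parties derive the same Diffie-Hellman secret in an honest run. Function and parameter names are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example modelling Figure 10; not the paper's or the WUSB spec's code.
# Constructed small group standing in for the 3072-bit MODP group 15 of [8].
P = 2**127 - 1   # a Mersenne prime; far too small for real use
G = 3
DISPLAY_LABEL = b"displayed digest"


def h(data: bytes) -> bytes:
    """Commitment hash h(): SHA-256."""
    return hashlib.sha256(data).digest()


def to_bytes(x: int) -> bytes:
    """Fixed-width encoding of a group element (16 bytes suffice for this toy p)."""
    return x.to_bytes(16, "big")


def checksum(pka: bytes, pkb: bytes, n: int) -> str:
    """f(PKa | PKb | "displayed digest") with f = SHA-256; the n least significant decimal digits."""
    digest = hashlib.sha256(pka + b"|" + pkb + b"|" + DISPLAY_LABEL).digest()
    return str(int.from_bytes(digest, "big") % 10**n).zfill(n)


def numeric_association(n: int, pka_hat: bytes = None):
    """Run Figure 10 with n displayed digits.

    pka_hat is PKa as received by DB in step 3 (defaults to the genuine value).
    Returns (Va, Vb, keys_match) or None if DB aborts at the commitment check.
    """
    if n not in (2, 4):
        raise ValueError("n must be 2 or 4 (negotiated at the start of association)")
    # 1. DA picks a1, computes PKa and commits to (PKa || n) before seeing PKb.
    a1 = secrets.randbelow(P - 2) + 2
    pka = to_bytes(pow(G, a1, P))
    c_a = h(pka + bytes([n]))
    # 2. DB picks a2 and sends PKb in the clear.
    a2 = secrets.randbelow(P - 2) + 2
    pkb = to_bytes(pow(G, a2, P))
    # 3. DA reveals PKa and n; DB sees pka_hat.
    pka_hat = pka if pka_hat is None else pka_hat
    # 4. DB verifies the commitment, then both sides compute their checksums.
    if not hmac.compare_digest(c_a, h(pka_hat + bytes([n]))):
        return None                      # DB aborts
    vb = checksum(pka_hat, pkb, n)
    va = checksum(pka, pkb, n)
    # Both sides also derive the Diffie-Hellman secret from their peer's value.
    k_a = pow(int.from_bytes(pkb, "big"), a1, P)
    k_b = pow(int.from_bytes(pka_hat, "big"), a2, P)
    # 5. The user compares the two n-digit strings.
    return va, vb, k_a == k_b


if __name__ == "__main__":
    print("4 digits:", numeric_association(4))
    print("2 digits:", numeric_association(2))
    print("substituted PKa:", numeric_association(4, pka_hat=bytes(16)))  # None: DB aborts
```

Because both the commitment and the checksum are computed from the Diffie-Hellman values rather than from fresh nonces, reusing a keypair across runs would make the committed value predictable; the block therefore draws a1 and a2 afresh on every call, and a deployment must do the same.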
The main difference is that in Figures 2 and 5 the commitments are computed from fresh random values, whereas in the WUSB numeric association model the commitments are computed from the public Diffie-Hellman values. This implies that in the WUSB numeric association model, each run of the protocol requires the use of fresh Diffie-Hellman keypairs.

Peer discovery: The association is initialized by implicit or explicit user conditioning. Attaching a USB cable is interpreted as implicit conditioning. The user pressing a button is an example of explicit user conditioning. In the numeric model the user sets a USB device to search for devices and a USB host to accept connections. The host advertises its willingness to accept a new association in the control messages it transmits on the WUSB control channel.

Model selection: The choice of the association model is based on the type of user conditioning done. In case a cable is plugged in, the devices exchange information on whether they support cable association. If so, they use the cable model. If conditioning is explicit, they use the numeric model.

3.4 HomePlugAV Protection Modes

HomePlugAV is a power-line communication standard for broadband data transmission inside home and building networks. In addition to protecting against deliberate attacks, association mechanisms are used to create logically separate subnetworks by distributing a 128-bit AES network encryption key (NEK) to the devices in each subnetwork. As with WPS, each HomePlugAV network has a controller device. HomePlugAV supports the following association models [14]:

Simple connect mode uses unauthenticated symmetric crypto based key agreement to agree on a shared key (Figure 1: P9). This network membership key (NMK) is used to transport the NEK to the new device. The key agreement process is as follows. To admit a new device, the user is required to first condition the controller device, and then condition the new device, e.g., by turning on its power. The devices find each other and exchange nonces. A temporary encryption key (TEK) is formed by hashing the two nonces together. The controller encrypts the NMK using the TEK and sends it to the new device. If a new device notices more than one controller, it uses signal strength to choose the right one. Still, there is a possibility that it may connect to the wrong controller. The user will notice this if/when a device does not work as expected, and must retry.

Secure mode allows new devices to have a secret passkey, at least 12 alphanumeric characters long, typically printed on a label. The user is required to type in this passkey to the controller device. The controller device uses it to construct an encryption of the NMK and sends it to the new device. The keys for devices joining in secure mode are different from the keys for devices joining in simple connect mode. This is an example of authenticated symmetric crypto key agreement (Figure 1: P10).

Optional modes enable the use of alternative models for distributing network membership or encryption keys between devices. These include "manufacturer keying", where a group of devices have a factory-installed shared secret, and "external keying", where trust is bootstrapped from other methods such as Bluetooth Pairing or Windows Connect Now.

Man-in-the-middle attacks are prevented in simple connect mode by utilizing characteristics of the power-line medium. Before two nodes can communicate, they must negotiate tone maps, which enable devices to compensate for disturbances caused by the power-line channel. This negotiation is done in a reliable, narrow-band broadcast channel. Thus a man-in-the-middle trying to negotiate tone maps with the legitimate endpoints will be detected. Passive eavesdropping in the point-to-point channel is difficult since an attacker, even with knowledge of the tone maps used between the legitimate endpoints, will not be able to extract the signal from the channel because the signal-to-noise ratio will be too poor at different locations, particularly when the attacker is outside a building and the legitimate endpoints are inside. Also, licensees of HomePlugAV technology do not provide devices that can extract the signal without negotiating tone maps. Hence, attackers must be able to build expensive devices for eavesdropping.

Peer discovery: In simple connect mode the peer discovery is performed by the user conditioning the devices into suitable modes, and the new device scanning the network to find a controller that is willing to accept new devices. Devices sharing the NMK can access the NEKs and thus join the network.

Model selection: The model is selected by user conditioning. There is no automatic negotiation.

4 Comparison of Proposed Association Models

In this section, we summarize and compare the security levels provided by the different association models discussed in Section 3. Figure 11 presents how the models can be mapped into the classification presented in Section 2. A comparative summary of the models' security characteristics is presented in Table 1.

4.1 Offline Attacks

The out-of-band association models rely on the secrecy of out-of-band communication to protect against passive attacks against key agreement. The in-band and hybrid models in all of the standards except HomePlugAV use Diffie-Hellman key agreement to protect against passive attacks. The level of protection depends on the strength of the algorithms and the length of the keys used. In the "Work effort" subcolumn under the "Offline Attacks" column of Table 1, we use some recent sources [8, 2] to estimate the amount of work an attacker has to do in order to be successful. The figures correspond to approximate lower bounds, and should be treated as rough ballpark estimates only. Offline attack protection in HomePlugAV relies on the characteristics of power-line communications: namely, the signal-to-noise ratio (SNR) makes it difficult for an attacker to eavesdrop. The HomePlugAV Secure Mode uses symmetric key encryption as protection.

4.2 Online Active Attacks

Mounting an online active attack as a man-in-the-middle against key agreement is significantly more difficult than passive eavesdropping. Several of the models ("Just Works" in Simple Pairing, and "Push Button" in Wi-Fi Protected Setup) trade off protection against man-in-the-middle attacks in return for increased ease-of-use. HomePlugAV Simple Connect also falls into this category. Other in-band association models rely on authentication as the means to protect against online active attacks. The probability of success for an online active attack depends on the length of the key as well as on the protocol. The Bluetooth Simple Pairing numeric comparison model uses 6-digit checksums, leading to a success probability of 1/1000000.

Fig. 11. Classification of Standardized Association Protocols (figure not reproduced)

The WUSB numeric model allows a success probability of 1/100 when a two-digit checksum is used, and 1/10000 when a four-digit checksum is used. These probabilities are unconditional since they do not rely on any assumptions about the computational capabilities of the man-in-the-middle. All of these use hash functions with 128-bit outputs to compute commitments. In principle, a man-in-the-middle who can find a second pre-image of a hash commitment during the key agreement process can also succeed. We show this in Table 1, in the "Work effort" subcolumn under the "Online Active Attacks" column, by indicating the amount of on-line work the attacker has to perform in order to succeed. In this case, assuming that the hash function is strong and requires exhaustive search to find a second pre-image, we use the figure 2^128.

Recall from Section 2 that with n bits and k rounds the success probability for an online active attack is 2^-(n - n/k). The Bluetooth Simple Pairing passkey entry model uses 6-digit (n ≈ 20) one-time passwords in k = 20 rounds. This leads to approximately 1/1000000 unconditional success probability. The WPS network model uses essentially the same protocol, but in two rounds only. This leads to unconditional success probabilities of 1/100 when 4-digit passkeys are used, and 1/10000 when 8-digit passkeys are used. In both cases, the passkey must be single-use. If the passkey is re-used, the success probability of the man-in-the-middle rises dramatically, reaching 1 after the kth re-use, where k is the number of rounds in the original protocol. In other words, if the same fixed passkey in the WPS network model is re-used even once, the man-in-the-middle can succeed in the next attempt with certainty. As before, we can estimate the on-line work effort the attacker has to do to break the hash commitments. HomePlugAV secure mode uses a 12-character passkey which is used to generate a key for AES encryption, leading to a probability of 2^-72, and the amount of on-line work effort is 2^72. In the hybrid models using a one-directional out-of-band channel, the random secret transferred using the out-of-band channel is 128 bits long, leading to a computational security of 2^-128.

Wi-Fi and Bluetooth have legacy association models. If a device supports both the improved and the legacy association models, it is vulnerable to a bidding down attack, which is difficult to detect without relying on the user.

4.3 Associations with Wrong Peers

Unauthenticated association models face the risk of a device being associated with a wrong peer. For instance, in the WPS push button model, the user may condition first the enrollee to search for registrars before conditioning the registrar. If the attacker sets a bogus registrar to accept connections before the user does it with the legitimate registrar, the enrollee associates with the attacker's registrar. Only in the case when both registrars, the bogus and the legitimate one, are simultaneously accepting connections, is the procedure aborted.

Table 1. Comparison of security characteristics of association models

                                         | Offline Attacks            | Online Active Attacks
Association Model                        | Protection | Work effort¹  | Protection          | Success Probability | Work effort²
Bluetooth simple pairing                 |            |               |                     |                     |
  Numeric Comparison                     | DH         | 2^80 [2]      | 6 digit checksum    | 10^-6               | 2^128
  Just works                             | DH         | 2^80 [2]      | -                   | 1                   | 0
  Passkey Entry                          | DH         | 2^80 [2]      | 6 digit passkey     | 10^-6               | 2^128
  Out-of-band                            | DH         | 2^80 [2]      | OOB security        | -                   | 2^128
Wi-Fi Protected Setup                    |            |               |                     |                     |
  In-band                                | DH         | 2^90 [8]      | 8 digit passkey³    | 10^-4               | 2^256
  In-band + OOB for passkey, pubkey hash | DH         | 2^90 [8]      | OOB security        | 2^-128              | 2^256
  Out-of-band                            | OOB        | 2^90 [8]      | OOB security        | -                   | -
  Push Button                            | DH         | 2^90 [8]      | -                   | 1                   | 0
WUSB Association Models                  |            |               |                     |                     |
  Numeric model                          | DH         | 2^128 [2]     | 2/4 digit checksum  | 10^-2 or 10^-4      | 2^256
  Cable model                            | OOB        | 2^128 [2]     | OOB                 | -                   | -
HomePlugAV Protection Modes              |            |               |                     |                     |
  Simple Connect                         | SNR        | Assumed high  | Traffic monitoring  | Assumed low         | Assumed high
  Secure Mode                            | AES        | 2^72          | 12 char passkey⁴    | 2^-72               | 2^72

¹ Rough estimates based on Table 2 of [2] and Section 8 of [8]
² Work effort to break the commitments exchanged
³ 4 digit passkeys are allowed, too
⁴ Permanent long-term secret

In HomePlugAV Simple Connect mode, the user sets the control device to accept connections before starting the joining device up. This can be used to reduce the probability of an attacker successfully masquerading as a bogus control device, since, if the new device sees multiple control points, it can abort the association. However, the mode is potentially vulnerable to fatal errors where the user is slow to switch power to the new device. In this case an attacker may connect to the user's control point and get the network encryption key.

5 Attacks against Multiple Association Models

Simultaneous support for multiple association models may be utilized in different attacks. In this section, we examine such threats.

5.1 Man-in-the-Middle between Different Association Models

Consider specifications that support an unauthenticated association model as well as user-assisted comparison of integrity checksums. An example is a Bluetooth Simple Pairing device that supports the numeric association model and the "just works" model. Figure 12 illustrates a man-in-the-middle attacker who can intercept messages exchanged during an association. The first associated device has a display and the second may or may not have a display. The attacker changes the device capability information so that the first device will be using the numeric comparison model and the second device will be using the "just works" model. This leads to a situation where the first device shows a 6-digit checksum and the second device, using the "just works" model, does not display a checksum, even if it would have a display. The user has been educated to detect if displayed checksums are different. However, now, when only one device displays a checksum, the user may easily accept the association without noticing any attack.

Fig. 12. Man-in-the-middle between Different Association Models (message sequence diagram: the attacker rewrites the Capabilities messages so that Device 1 runs "Associate (numeric comparison)" and shows "Display: 123456 Connect?", while Device 2 runs "Associate (just works)" and shows only "[Display: Connect?]")

To get an idea about whether such user confusion is likely, we included the situation depicted in Figure 12 as a test scenario in one round of an on-going series of usability testing [20]. Out of 40 test users, 6 accepted the pairing on both devices, 11 noticed the problem and rejected the pairing on both devices, and the rest rejected the pairing on Device 1 but accepted it on Device 2. We expect to include more details and analysis in a forthcoming report.

This attack has two implications. Firstly, when the second device has a display, it is a bidding down attack against this device. The second device will know that the association is unauthenticated. However, the user may still allow the association to happen. Secondly, it is a bidding up attack against the first device, since it believes that the association is made using a secure protocol resistant to man-in-the-middle attacks. Consequently, the first device may choose to trust this security association more than it would trust a "just works" security association. For instance, it may have a policy rule which allows more trustworthy devices to initiate connections without user confirmations.

5.2 Unconditioned Associations

A scenario related to the attack in Figure 12 arises with devices that are willing to participate in setting up a security association without immediate user conditioning. Public printers and access points are examples of devices that may be permanently conditioned for association. Suppose a user starts associating Device 1 with Device 2 using an association model that does not require any user dialog (e.g., WUSB cable model, or HomePlugAV Simple Connect mode) and that Device 2 is permanently conditioned to accept incoming association requests, as illustrated in Figure 13. If an attacker now initiates association with Device 2, say using Bluetooth Simple Pairing numeric association, a user dialog will pop up on Device 2. Since the user is in the middle of associating Device 1 and Device 2, he might answer the dialog thinking that it is a query about Device 1. Depending on the nature of the dialog, the attacker may end up gaining unintended privileges on Device 2.

Fig. 13. Initiating Explicit Association in the Side of Implicit (message sequence diagram: Device 1 sends "Associate (implicit model)" to Device 2 while the attacker sends "Associate (explicit_model)", and Device 2 shows "Display: [123456] Accept?")

5.3 Jamming Attacks

A man-in-the-middle attacker may try to prevent associations until a frustrated user decides to try the alternative, less secure model, as illustrated in Figure 14. The attack is applicable to situations where the end-user is allowed to select the association model. Particularly, when detecting that the HomePlugAV secure mode is used, an attacker may disturb communication until the user selects Simple Connect mode.

Fig. 14. Jamming a Secure Model to get the User to Switch into a Less Secure Model (message sequence diagram: the attacker intercepts the repeated "Associate (secure_mode)" attempts until the user sends "Associate (simple_connect)")

6 Strengthening Devices

In this section, we discuss some implementation guidelines that can help address the kind of attacks identified in Section 5.

When a security association is stored persistently, information about its level of security should be stored as well. HomePlugAV already does this indirectly by using different keys with different association models. Furthermore, this security-level information should be used in deciding the level of trust granted to the peer device. For instance, devices associated using BTSP "Just Works" or HomePlugAV Simple Connect models should not be allowed to install or configure software, at least not without explicit authorization from the user. This precaution would help with bidding down attacks.

The man-in-the-middle attack between numeric comparison and unauthenticated protocols (Figure 12) could be addressed with two alternative strategies:

1. Bidding down the second device from using numeric comparison to the just works model could be addressed by requiring that devices believing to be in a just works association show the checksum anyway if they are able to do so. However, this solution does not prevent the bidding up attack against the first device.
2. Bidding down and bidding up attacks can both be countered by querying the user appropriately to confirm the I/O capabilities of the peer device. For instance, if the capability negotiation messages indicate that the peer device has no display, a device could ask the user whether the peer device does indeed have a display. If the user answers affirmatively, it is an indication of a man-in-the-middle. However, such an additional dialogue is likely to impair usability.

7 Conclusions

New standards for associating devices in personal networks are emerging.
The objective of the new standards is to make the association process more user-friendly while improving the security at the same time. We surveyed the protocols and association models used in different standards specifications. We presented a systematic classification of protocols for human-mediated establishment of session keys. We showed how the different protocols in standard specifications are related by using our classification.

The flexibility of the new proposals also introduces the potential for some new attacks. We described some such threats, and discussed possible measures to reduce their impact. Careful design of user dialogs may reduce the likelihood of these attacks. However, how exactly to design the user dialogs to preserve security without harming usability remains an open issue.

8 Acknowledgments

We thank Dan Forsberg, Kristiina Karvonen, Janne Marin, Seamus Moloney, and Kaisa Nyberg for highly valuable feedback. We are particularly grateful to Kaisa for her many suggestions for improving the paper.

References

1. Dirk Balfanz, Diana K. Smetters, Paul Stewart, and H. Chi Wong. Talking to strangers: authentication in ad-hoc wireless networks. In Proceedings of the Network and Distributed System Security Symposium, pages 207-222, 2002.
2. Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. Recommendation for key management - part 1: General (revised), 2006. http://csrc.nist.gov/CryptoToolkit/kms/SP800-57Part16-30-06.pdf.
3. Steven M. Bellovin and Michael Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In SP '92: Proceedings of the 1992 IEEE Symposium on Security and Privacy, page 72, Washington, DC, USA, 1992. IEEE Computer Society.
4. Whitfield Diffie and Martin E. Hellman. New Directions In Cryptography. IEEE Transactions on Information Theory, IT-22:644-654, 1976.
5. Christian Gehrmann, Chris J. Mitchell, and Kaisa Nyberg. Manual authentication for wireless devices. RSA CryptoBytes, 7(1):29-37, Spring 2004.
6. Michael T. Goodrich, Michael Sirivianos, John Solis, Gene Tsudik, and Ersin Uzun. Loud and clear: Human-verifiable authentication based on audio. In ICDCS '06: Proceedings of the 26th IEEE International Conference on Distributed Computing Systems, page 10, Washington, DC, USA, 2006. IEEE Computer Society.
7. HomePlug AV whitepaper. HomePlug Powerline Alliance. http://www.homeplug.org/, 2005.
8. Tero Kivinen and Markku Kojo. RFC3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), May 2003. http://www.ietf.org/rfc/rfc3526.txt.
9. Sven Laur, N. Asokan, and Kaisa Nyberg. Efficient Mutual Data Authentication Using Manually Authenticated Strings. Cryptology ePrint Archive, Report 2005/424, 2005. http://eprint.iacr.org/.
10. Sven Laur and Kaisa Nyberg. Efficient mutual data authentication using manually authenticated strings. In Proceedings of the 5th International Conference on Cryptology and Network Security, Suzhou, China, number 4301 in Lecture Notes in Computer Science, pages 90-107. Springer, 2006.
11. Jonathan M. McCune, Adrian Perrig, and Michael K. Reiter. Seeing-is-believing: Using camera phones for human-verifiable authentication. In SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 110-124, Washington, DC, USA, 2005. IEEE Computer Society.
12. Windows Connect Now-NET. Version 1.0. Microsoft. http://www.microsoft.com/whdc/Rally/WCN-Netspec.mspx, 2006.
13. Windows Connect Now-UFD and Windows Vista Specification. Version 1.0. Microsoft. http://www.microsoft.com/whdc/Rally/WCN-UFDVistaspec.mspx, 2006.
14. Richard Newman, Sherman Gavette, Larry Yonge, and Ross Anderson. Protecting domestic power-line communications. In SOUPS '06: Proceedings of the second symposium on Usable privacy and security, pages 122-132, New York, NY, USA, 2006. ACM Press.
15. NIST: National Institute of Standards and Technology. Digital Signature Standard (DSS). U.S. Department of Commerce, January 2000. http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf.
16. Sylvain Pasini and Serge Vaudenay. SAS-based authenticated key agreement. In Public Key Cryptography - PKC '06: The 9th international workshop on theory and practice in public key cryptography, volume 3958 of Lecture Notes in Computer Science, pages 395-409. Springer, 2006.
17. Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen, and N. Asokan. Secure device pairing based on a visual channel (short paper). In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P '06), pages 306-313, Washington, DC, USA, 2006. IEEE Computer Society.
18. Simple Pairing Whitepaper. Bluetooth Special Interest Group. http://www.bluetooth.com/Bluetooth/Apply/Technology/Research/SimplePairing.htm, 2006.
19. Frank Stajano and Ross Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In Proceedings of the 7th International Workshop on Security Protocols, pages 172-194, 1999.
20. Ersin Uzun, Kristiina Karvonen, and N. Asokan. Usability analysis of secure pairing methods. Technical Report NRC-TR-2007-xyz, Nokia Research Center, 2007.
21. Serge Vaudenay. Secure communications over insecure channels based on short authenticated strings. In Advances in Cryptology - CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 309-326. Springer, 2005.
22. Mario Cagalj, Srdjan Capkun, and Jean-Pierre Hubaux. Key agreement in peer-to-peer wireless networks. In Proceedings of the IEEE (Special Issue on Cryptography and Security), volume 94, pages 467-478, 2006.
23. Wi-Fi Alliance. Wi-Fi Protected Setup Specification. Wi-Fi Alliance Document, January 2007.
24. Wireless USB Specification. Association Models Supplement. Revision 1.0. USB Implementers Forum. http://www.usb.org/developers/wusb/, 2006.
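The capability-rewriting man-in-the-middle of Section 5.1 (Figure 12) together with the two countermeasures and the security-level bookkeeping recommended in Section 6, as an added example that is not part of the report. The model-selection rule is a simplified stand-in for Bluetooth Simple Pairing's I/O capability mapping (numeric comparison only when both sides report a display), and the checksum values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NUMERIC, JUST_WORKS = "numeric comparison", "just works"
# Security level stored with the association (Section 6): a peer associated with an
# unauthenticated model gets no software-installation privilege without the user.
TRUST = {NUMERIC: "authenticated", JUST_WORKS: "unauthenticated"}


def select_model(local_display: bool, peer_claims_display: bool) -> str:
    """Simplified stand-in for the Simple Pairing I/O-capability mapping (assumption)."""
    return NUMERIC if (local_display and peer_claims_display) else JUST_WORKS


@dataclass
class Device:
    name: str
    has_display: bool
    show_checksum_in_just_works: bool = False    # countermeasure 1 of Section 6
    confirm_peer_capabilities: bool = False      # countermeasure 2 of Section 6
    associations: Dict[str, str] = field(default_factory=dict)

    def run(self, peer: str, peer_claims_display: bool, checksum: str,
            user_says_peer_has_display: bool) -> Tuple[str, Optional[str], Optional[str]]:
        """One association as seen by this device.
        Returns (model used, string shown for comparison or None, alarm or None)."""
        model = select_model(self.has_display, peer_claims_display)
        # Countermeasure 2: the capability message says "no display" but the user,
        # looking at the real peer, says it has one: indication of a man-in-the-middle.
        if (self.confirm_peer_capabilities and not peer_claims_display
                and user_says_peer_has_display):
            return model, None, "peer claims no display but user says it has one"
        shown = None
        # Countermeasure 1: a device that can display shows the checksum even in just works.
        if model == NUMERIC or (self.show_checksum_in_just_works and self.has_display):
            shown = checksum
        self.associations[peer] = TRUST[model]   # keep the security level with the association
        return model, shown, None

    def may_install_software(self, peer: str) -> bool:
        """Trust decision driven by the stored security level (Section 6)."""
        return self.associations.get(peer) == "authenticated"


def figure12_scenario(d1: Device, d2: Device, attacker: bool):
    """Capabilities as each device receives them. With the attacker present, Device 1
    is told the peer has a display and Device 2 is told it has none (Figure 12)."""
    caps_seen_by_1 = True if attacker else d2.has_display
    caps_seen_by_2 = False if attacker else d1.has_display
    # Each side's checksum depends on the Diffie-Hellman keys it saw, so with a
    # man-in-the-middle the two ends compute different values (constructed values).
    chk1, chk2 = ("123456", "654321") if attacker else ("123456", "123456")
    r1 = d1.run(d2.name, caps_seen_by_1, chk1, user_says_peer_has_display=d2.has_display)
    r2 = d2.run(d1.name, caps_seen_by_2, chk2, user_says_peer_has_display=d1.has_display)
    return r1, r2


if __name__ == "__main__":
    for flag in ("show_checksum_in_just_works", "confirm_peer_capabilities"):
        d1, d2 = Device("Device 1", True), Device("Device 2", True, **{flag: True})
        print(flag, figure12_scenario(d1, d2, attacker=True))
```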
