Engineering device pairing with fuzzy cryptography
Abstract
Device pairing protocols are a subset of secure communication protocols used to bootstrap a secure channel over an insecure communication link between two or more devices. Example protocols use technologies such as Bluetooth or infrared light and are mostly based on user-entered secret keys or secrets directly verified and authenticated manually by users. However, in this thesis we focus on four different areas that complement the existing protocols. Firstly, we overview protocols that are based on fuzzy secrets and that utilize contextual information to pair device. Secondly, we analyze a particular method that uses contextual information, synchronized drawing with two fingers of the same hand on two touch screens or surfaces, to derive a shared secret by applying various metrics and conducting measurements and comparisons. The main results from this parts are new, improved metrics for comparing fuzzy secrets that consist of a drawing or movement path Thirdly, we overview the mathematical constructions that support fuzzy cryptography schemes and describe our own system architecture based on these. Fourthly, we develop a secure device pairing protocol based on synchronized drawing that uses fuzzy cryptography and error-correction codes in order to derive a shared secret between devices that share similar, but not exactly the same, secret noisy inputs. While the protocol is based on an information-theoretically secure construction, we find that the security of the practical implementations is harder to prove because of uncertainty about the amounts of entropy in the shared noisy inputs. The protocol nevertheless has the characteristics of practical security. Additionally, we describe information-theoretically secure alternatives derived from available theorems in the literature.