Abstract—Near field communication (NFC) systems providea good location-limited channel so that many security systemscan use it to force the participants to stay close to each other.Unfortunately, only a small number of smart devices in themarket are equipped with NFC chips that are essential for NFCsystems. The purpose of this paper is to provide the same feature,called near field authentication (NFA), without using NFC chips.We propose an easy-to-use system to achieve NFA by usinghuman finger movement on the touch screens of two nearby smartdevices. Our system does not need any prior secret informationshared between two devices and generates the same high-entropycryptographic key for both devices in a successful authentication.The efficiency of the system is demonstrated by our evaluationon a Motorola Droid smartphone.
I. INTRODUCTION
Our work is motivated by a common scenario of usingsmart devices, such as smartphones or tablets. Two people,say Alice and Bob, meet each other in person with theirsmart devices. They want to set up a one-time secure channelbetween the two devices so that Alice can send files to Bobconfidentially. They should first invoke some key exchange(KE) protocol, such as Diffie-Hellman KE protocol, to agreeon a one-time session key. Without authentication, such a KEprotocol is usually vulnerable to man-in-the-middle (MITM)attacks. In our case, Alice and Bob can carry out the KEprotocol on a near field communication (NFC) system todefend against MITM attacks, because the NFC can only workwithin a distance less than a few centimeters. However, not allsmart devices are equipped with a NFC chip. The goal of thiswork is to help those smart devices, that do not have NFCchips and can only have access to insecure public networks,such as wireless LAN, to authenticate another smart device inthe near field. We call this kind of authentication near fieldauthentication (NFA).
With the widespread usage of smart devices, we will see alarge amount of near field applications. One example is pay-with-smartphones, which is currently one of the hottest appli-cations on smartphone platforms. People store their credit cardinformation in smartphones and make purchases by puttingtheir smartphones close to a reader. In order to promote nearfield applications and let more smart devices benefit from thisnew technique, it is necessary to have a system that performsNFA on smart devices which do not have NFC chips.
The basic idea of a near field authentication is to compeltwo smart devices to appear together and stay close whenthe authentication is carried out. Due to the single point of
Li, Zhao and Xue are all affiliated with Arizona State University, Tempe,AZ 85287. Email: {li.lingjun, zhao.xinxin, xue}@asu.edu. This research wassupported in part by NSF grants 0901451 and 1217611. The informationreported here does not reflect the position or the policy of the federalgovernment.
failure and the fact that the Internet access may not always beavailable. , it is preferable to perform NFA over local networks,such as bluetooth or wireless LAN. Mayrhofer and Gellersenproposed two authentication protocols in [9] with the purposeof pairing two devices. Their protocols are not suitable forsome large or fixed devices, such as tablets and self-servicecheck in machines.
We propose to use a new motion, finger movement on touchscreen, to construct a near field authentication system. In orderto force two smart devices to be spatially close to each other,we let a person use two fingers of one hand — usually theindex finger and the middle finger — to simultaneously moveon the screens of the two smart devices, as illustrated in Fig. 1.Since the two finger movements are done by one hand, they
peak points
curve
starting point
Fig. 1. Finger movements on two screens
are highly coherent to each other. We leverage this coherenceto generate the session key for the two smart devices.
We make the following contributions in this paper.
• We propose to use finger movement to perform near fieldauthentication between two smart devices. Compared withthe previous motion patterns, such as bump, shake, etc.,finger movement is easier to carry out on devices andprovides better user experience.
• We design a robust feature so that two extracted featuredata sets are similar to each other. We propose to use thetime between the starting point and a peak point as thefeature to be extracted in our system.
• We propose an efficient system to remove the differencesbetween two extracted feature data sets and generate ahigh-entropy cryptographic key.
• Our system is efficient and proved to be secure in therandom oracle model.
The rest of this paper is organized as follows. We introducerelated works in Sec. II. We formulate the NFA problem anddiscuss the design goals in Sec. III. We present the design andconstructions in Sec. IV and Sec. V, respectively. We analyzethe system in Sec. V and present the experiment results inSec. VII. We conclude our work in Sec. VIII.
Many other prior works used various sensors on smart-phones to achieve location enforcement. The commercial appBUMP [1] uses accelerometer to quickly match two smart-phones for data transmission. As we introduced previously,BUMP system compares the data measured during a bumpbetween two intended devices to match the two devices andprovides confidential communications. The app is intuitive touse and needs less human involvement. Their system securityand efficiency rely on the BUMP server, modeled as a trustedcenter. However, the server itself may suffer from single-point-of-failure problem [8]. For our scenario, the trusted centerscheme is not a suitable choice either, because the Internetaccessibility is not always available when people want toperform authentication on smart devices. Some works [9, 11]proposed to use a different motion pattern — shake by a person— so as to achieve location enforcement. The accelerometersensor was used to sense the motion once again. Mayrhoferand Gellersen used a signal processing approach to removethe differences between sensed data sets and a key exchangeprotocol to generate a session key [9]. The protocols in [9]do not need a trusted center, which is the same as oursystem. Although shake may provide the sensed data withmore variations [9], it is difficult to hold and shake a big smartdevice, such as tablet. Another interesting near field channelis to use vibrations to transmit secret, which was proposed by[10] and [5]. The authors used the vibration that is producedby one device to encode the secret and the accelerometer ofthe other to sense and decode the secret. Recently, Studer etal. [11] proposed a MITM attack against those motion basedapproaches. They assumed that there is a powerful adversarywho can observe the user’s motion, such as shake or bump,so that he can emulate a similar motion pattern to carry outa MITM attack. While the success rate of their attack wassensitive to the delay induced by the attacker, their work didsuggest that a smaller motion pattern is preferred than shakeand bump when a third person is standing nearby.
III.PROBLEM FORMULATION
A. System Model
A near field authentication system is a mutual authenti-cation system between two parties. When the authenticationis successfully passed, the system convinces both parties thatthey are separated in a distance less than a few centimeters.In addition, at the end of a successful authentication, a NFAsystem assigns the same cryptographic session key to bothparties. For convenience, we use two human names Aliceand Bob to denote these two parties, which are actually twodevices. Our construction asks a user, who is called conductorin this paper, to slide two fingers of one hand over the twoscreens to achieve location enforcement.
B. Attack Model
The two smart devices involved in the authentication,including their executing applications, are considered trustedand not compromised. Safeguarding a smart device againstbeing compromised by an outside attacker has been well
studied in the area of intrusion detection and is out of thestudy of this work.
In this paper, we consider a fully malicious adversary, whocontrols public communication channels. The adversary is ableto eavesdrop any communication, tamper, delay, replay, injectand block messages. During a protocol instance, the adversarycan carry out a MITM attack, impersonating one party tocommunicate with the other honest one. The purpose of theadversary in this work is to obtain the session key generated bya NFA system without being captured, so that he can decryptand obtain the succeeding communication messages.
C. Design Goals
In addition to defending against the adversary that ismodeled in Sec. III-B, we expect a NFA system to achievethe following design goals.
- It needs less human involvement and is intuitive to use.- It does not rely on prior knowledge.- It is decentralized and uses local network.
IV.DESIGN OF AN NFA SYSTEM
A. System Overview
Fig. 2 shows the architecture of our NFA system. In our
local processing
screen dataacquisition
feature extraction
interaction
feature reconciliation
feature reconciliation
key generation
key generation
authenticatedsession key
key confirmation
upper levelconfidential
communications
Fig. 2. The architecture of our NFA system
system, when a conductor triggers an authentication process,two devices sense finger movements on their individual touchscreens and extract the feature data locally. Using the extracteddata, the two devices interact with each other to agree ona series of the same data and generate the same sessionkey. Finally, the two devices verify that the generated sessionkeys are identical before they use them to protect succeedingcommunications.
B. Feature Design
A zigzag movement forms a series of curves, which providemany features to be extracted. We propose to use a newtemporal feature — the time between a peak point and thestarting point, i.e., the peak point’s elapsed time. As shown inFig. 1, the starting point is the point where a finger first touchesthe screen and peak points are the points where the fingermoving direction changes. A time value collected by touchscreen is accurate to 10−6 second, but such a high accuracyalso causes high sensitiveness and low robustness. Hence, weround a time value to the nearest decimal fraction with 2-digitfractional part. Finally, we drop off the decimal separator tomake the value an integer.
2013 Proceedings IEEE INFOCOM
376
1) Variations
A feature with more variations is more difficult to beguessed by attackers. The variations of our feature can bereflected by the distribution of time intervals between eachtwo continuous peak points. Fig. 3(a) shows the histogramof the time intervals in a person’s zigzag finger movementon one screen. The data collection was carried out on two
time between peaks0 20 40 60 80 100 130
010
2030
4050
Time between two peaks
(a) Features from one person
0 20 40 60 80 100
0.0
0.2
0.4
0.6
0.8
1.0
Time between peaks
person 1person 2person 3person 4P
ropo
rtio
n <
= x
(b) Features from 4 persons
Fig. 3. Variations of the time between two continuous peaks
Motorola Droid smartphones running Android 2.2 OS. Fromthe figure, we can see that the time intervals distribute fromless than 0.1 second (10× 10−2) to around 1.4 seconds. Thisshows that the variation of a person’s feature value is large.We collected data from four different persons. Fig. 3(b) showsthe empirical cumulative distribution function (ECDF) curvesof the four time interval sets. It shows that there is an obviousgap between each two ECDF curves, indicating that differentpeople have different finger movement patterns. For example,person 2 moves fingers fast so that all his time intervals aresmaller than 0.5 second while person 1 would like to movefingers much slower.
2) Similarity
We call a peak point in one sequence and its counterpart inthe other a pair. Finally, we calculated the absolute differencebetween the two elapsed time values in each pair. A set of suchabsolute difference values can be viewed as a measurement ofthe similarity between two sensed feature data sets. Fig. 4shows the distribution of the absolute differences between twopeak point sequences. The experiments represented by the yel-low bars were carried out on two Motorola Droid smartphones,while the experiments represented by the green bars werecarried out on two different smart devices — one is MotorolaDroid smartphone and the other one is HP TouchPadTM tablet.For comparison purpose, we also calculated the absolute differ-ence sets for another two spatial features, curvature angle andcurvature distance, proposed by and defined in [12]. We cansee that most differences between two corresponding elapsedtime values, 82.97% of differences on the same device typeand 74.73% on the different device types, are less than 3.
V. SYSTEM CONSTRUCTION
Fig. 5 shows the construction of our NFA system. Oursystem uses three hash functions H1 : {0, 1}∗ → G, H2 :
0 1 2 3 (3,10] (10, 20] >20
time-sametime-diffcurvaturecurve dist
0%
5%
10%
15%
20%
25%
30%
35%
Pro
port
ion
Absolute difference values
Fig. 4. Similarity of our designed feature
G2 → {0, 1}l, and H3 : G3 → {0, 1}l, where l is determined
by the security level. Our system consists of three phases:feature reconciliation, key generation, and key confirmation.Feature reconciliation is to remove differences between Alice’sand Bob’s sensed data sets. First, Alice and Bob choose mpairs of elapsed time values. Since the difference between thetwo values in most pairs is less than 3, we let Alice extend herselected set by including a±1, a±2, a±3 for every a in the set(step 5). Then, Alice and Bob privately find the set intersection.We use a private set intersection protocol proposed by [7] tolet both parties find the same intersection set Vb (step 6).
In step 3, Alice needs to generate a non-interactive zeroknowledge proof π of knowledge of k s.t. ∀i=1,··· ,mzi =(yi)
k. Alice randomly chooses t ←R Zq and calculatesc = H(z1|| · · · ||zm||y1|| · · · ||ym||yt1|| · · · ||ytm) and s =(t − ck) mod q, where H is a cryptographic hash func-tion. The proof π is tuple <c, s, z1, · · · , zm, y1, · · · , ym>.To verify the proof, Bob checks c = H(z1|| · · · ||zm||y1|| · · ·||ym||ys1zc1|| · · · ||ysmzcm).
When the same intersection set is obtained by both parties,the binary strings of its elements are concatenated togetherin a string w. Since w may be of low entropy, we proposeto use encrypted key exchange approach [2]. In the protocol,a session key is the hash of all the previous messages andthe secret string KA or KB . In this way, a MITM attackwill be effectively defended because two honest parties obtaindifferent messages in a MITM attack. The last phase is tolet two parties explicitly confirm that the generated keys aresame.
VI. SYSTEM ANALYSIS
A. Performance Analysis
Our system may still fail when most selected data are verydifferent from its counterpart. Given a pair of peak points, iftheir value difference is less than 3, we call them a valid pair.We have shown in Sec. IV-B2 that it is of high rate to select avalid pair. Particularly, more than 70% pairs in our experimentsare valid. The failure probability of our system is also affectedby the number of the selected elements, m. Having m and theproportion of valid pairs, it is straightforward to calculate thesuccess probability of the reconciliation phase. For example,if m ≥ 7 and the proportion is more than 70%, the successprobability is more than 98%.
2013 Proceedings IEEE INFOCOM
377
A conductor puts the two smart devices side by side, slides his twofingers of one hand zigzag on the two screens, and then triggersthe authentication process. The two smart devices, Alice and Bob,sense and calculate two elapsed time sets A = {a1, a2, · · · , an}and B = {b1, b2, · · · , bn}, respectively.
Feature Reconciliation
1 Given a security level κ, Alice generates a cyclic group G ofprime order q, written in a multiplicative notation, and sends itto Bob. Alice randomly selects m elements at1 , at2 , · · · , atm
and sends t1, t2, · · · , tm to Bob.2 For every ti, 1 ≤ i ≤ m, Bob selects αi ←R Zq , calculates
hi = H1(bti), yi = (hi)αi , and finally sends yi’s to Alice.
3 Alice selects a random number k ←R Zq . For every yi, 1 ≤i ≤ m, Alice calculates zi = (yi)
k. Alice prepares a non-interactive zero knowledge proof π for the knowledge of k s.t.∀i=1,··· ,m zi = (yi)
k. Alice sends zi’s to Bob along with proofπ.
4 Bob aborts if π is not verified. Bob calculates xi =H2(hi, (zi)
1/αi) for 1 ≤ i ≤ m. Let X = {x1, · · · , xm}.5 Alice extends {at1 , at2 , · · · , atm} to set A′ = {ati+ 3, ati+
2, ati+ 1, ati , ati− 1, ati− 2, ati− 3}1≤i≤m. For each elementa′j in the set, Alice calculates uj = H2(H1(a
′j), (H1(a
′j))
k).Alice randomly permutes all uj’s and sends the final set U toBob.
6 Bob calculates set Vb = {bti | (1 ≤ i ≤ m) ∧ (xi ∈ U ∩ X )}.If |V| < 4 and it is their first execution, Bob informs Aliceand they re-execute step 1-6. If |V| < 4 and it is their secondexecution, this authentication fails; Bob informs the conductorthe failure reason and asks the conductor to start over theauthentication. Otherwise, Bob sends set Vx = {xi|bti ∈ Vb}to Alice. By comparing Vx against U , Alice also learns set Vb.
Alice and Bob now have the same data set Vb. Alice (Bob)sorts the elements in the non decreasing order, represents them inbinary strings, and concatenates them together in a string, whichis denoted by w hereafter.
Key Generation.
7 Alice randomly picks one generator g, two elements M , Nfrom G and sends them to Bob. Alice randomly picks r ←R Zq ,calculates R = gr , R′ = R ·Mw, and sends R′ to Bob.
8 Bob randomly picks s←R Zq , calculates S = gs, S′ = S·Nw,and sends S′ to Alice.
9 Alice calculates the session key as skA = H3(R′, S′,KA),
where KA = (S′/Nw)r . Bob calculates the session key asskB = H3(R
′, S′,KB), where KB = (R′/Mw)s.
Key Confirmation.
10 Alice generates a nonce c and sends CA = EncskA(c) to Bob.Bob generates a nonce d and sends CB = EncskB (d) to Alice.
11 Upon receiving CA from Alice, Bob decrypts it under keyskB , obtains c′, increases it by one, re-encrypts the resultC′A = EncskB (c′ +1), and sends the ciphertext back to Alice.Similarly, Alice sends a ciphertext C′B back to Bob.
12 Upon receiving C′A, Alice decrypts it, obtains c′′, and passes thekey confirmation if c′′ = c+1. Similarly, Bob checks whetherd′′ = d+ 1.
Fig. 5. Construction of a NFA system
Our system is fully decentralized and does not need anythird trusted center or server. The feature reconciliation phaseperforms O(m log q) group multiplications, where q is grouporder. The key generation phase needs O(m log q) group
multiplications. The key confirmation is done in constant time.
B. Security Analysis
Most security threatens to a NFA system come from MITMattacks and dictionary attacks. In the first phase, the privateset intersection protocol guarantees that only a set providercan learn the final intersection set and nothing beyond theintersection. In the second phase, if a MITM adversary changesany intermediate message, Alice and Bob will derive differentsession keys. This alerts both parties to the existence of anadversary. Further more, if the adversary does not have theintersection set, he cannot get the keys derived by Alice andBob.
In the traditional private set intersection protocol, an adver-sary may impersonate one party in the protocol and generate aset of all possible values so that he can infer the honest party’swhole input set. However, the feature reconciliation phaserestricts the set size, m for Bob and 7m for Alice, to makeit difficult for an adversary to enumerate all possible values.Offline dictionary attacks to the key generation phase is alsoimpossible because r, s, M, and N are randomly selected.For an example, R′ can be viewed as an encryption of messageM using key w. Given R′ = R · Mw, an adversary iteratesevery possible key w to decrypt the ciphertext. However, sincethe message M itself is chosen randomly and of no meaning,the adversary cannot verify the validity of the obtained plaintext. An adversary can carry out online dictionary attacks,guessing a w and interacting with an honest party. But everyfailure will be captured by an honest party.
VII. EVALUATION
In this section, we demonstrate the performance of oursystem. We made a proof-of-concept implementation of ourNFA system on a Motorola Droid smartphone, which has a550MHz ARM A8 processor, 256MB memory, a 16GB SDcard, and Android 2.2 OS. This bland specification makesDroid a good representative of the low-end smart devices intoday’s market.
We first tested whether our feature reconciliation can finishsuccessfully with a high probability. In other words, out ofm randomly selected pairs, is it of high probability that twodevices can find at least 4 valid pairs? To answer this question,we did 100 experiments on two Droid smartphones and another100 experiments on a Droid smartphone and a HP TouchPadtablet. Each experiment collected at least 10 peak points. Wetested the success rate under different m values. Fig. 6(a)shows the proportion of the experiments in which our systemcan finish successfully. From the figure, we can see that evenif m is only 5, our system can succeed with probability closeto 80%. When m increases to 7, data collected from twoDroid phones showed a success rate of 97.8% while the ratefrom two different devices was 90% . When m is 10, theexperiments on two different devices also showed a very highsuccess probability, 97%.
For a smartphone protocol, the execution time is criticalin the sense that smartphones usually have limited compu-tational and storage resources. As pointed out previously,
2013 Proceedings IEEE INFOCOM
378
5 6 7 8 9 10
same screendifferent screen
increasing m
prop
ortio
n of
suc
cess
ful t
ries
0.0
0.2
0.4
0.6
0.8
1.0
(a) Success rate of feature reconciliation
increasing m
runn
ing
time(
s)
increasing m
4060
80100
34
56
78
DLECC
7 8 9 11 13 15 17 19
(b) Time of feature reconciliation
increasing m
runn
ing
time(
s)
i i
runn
ing
time(
s)1.76
1.80
1.84
1.88
0.13
0.15
0.17
0.19
DLECC
7 8 9 10 12 14 16 18 20
(c) Time of key generation
Fig. 6. Evaluation results
all our simulation were carried out on a low-end MotorolaDroid smartphone. We tested the running time of the featurereconciliation phase, and the key generation phase. We did nottest the key confirmation phase since it does not take up muchproportion in the system execution time and actually alwayscosts the same time when the security parameter is determined.Our system was implemented in two types of groups: a 1024-bit quadratic residue subgroup of a Galois field modulo asafe prime p and a 160-bit elliptic curve group. According toNIST’s guidance [6], the two groups both have 80-bit securitylevel. The results are shown in 6(b), and 6(c). We remark thatthe time of the feature reconciliation phase contains the time ofgenerating and verifying zero knowledge proof. We note thatthe y-axis in the figures are not continuous and we skipped inthe middle because there was a big gap between the executiontime of the two implementations. To show the details of theplots, we stretched the y-axis and cut off the middle blank area.We evaluated the implementations under different m valuesintroduced in step 1 of the construction.
All the execution time increased linearly with the increaseof m. Another obvious observation is that the ECC implemen-tation was overwhelmingly faster than the DL implementationin zero knowledge proof, feature reconciliation, and key gen-eration. The difference is due to the different group size usedby the two implementations: the DL implementation used a1024-bit group and the ECC implementation used a 160-bitgroup. We thus recommend to use ECC group as the realimplementation of our NFA system. In practice, m = 10 issufficiently large to select 4 pairs of valid peak points. In thiscase, the ECC implementation took 3.71 and 0.14 seconds tofinish first phase and the second phase.
VIII. CONCLUSION
In this paper, we have designed a near field authenticationsystem which uses a novel and natural human motion, zigzagfinger movement, to enforce the spatial closeness. In orderto remove the differences between sensed feature data andgenerate high-entropy session key, we have proposed to useprivate set intersection and encrypted key exchange in oursystem.
REFERENCES
[1] BUMP TECHNOLOGIES. [Online]. Available: http://bu.mp..[2] M. Abdalla and D. Pointcheval, “Simple password-based en-
crypted key exchange protocols,” in CT-RSA, 2005, pp. 191–208.
[3] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A prac-tical and provably secure coalition-resistant group signaturescheme,” in CRYPTO, 2000, pp. 255–270.
[4] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Nistspecial publication 800-57,” NIST Special Publication, vol.800, no. 57, pp. 1–142, 2007.
[5] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark,B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel,“Pacemakers and implantable cardiac defibrillators: softwareradio attacks and zero-power defenses,” in IEEE Symposiumon Security and Privacy, 2008, pp. 129–142.
[6] Implementation guidance for fips pub 140-2 and thecryptographic module validation program, Available athttp://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf, NIST, CSE, 2011.
[7] S. Jarecki and X. Liu, “Fast secure computation of set inter-section,” in SCN, 2010, pp. 418–435.
[8] G. Lynch, Single Point of Failure: The Ten Essential Laws ofSupply Chain Risk Management. Wiley, 2009.
[9] R. Mayrhofer and H. Gellersen, “Shake well before use:intuitive and secure pairing of mobile devices,” IEEE Trans.Mob. Comput., vol. 8, no. 6, pp. 792–806, 2009.
[10] N. Saxena and J. Watt, “Authentication technologies for theblind or visually impaired,” in Proceedings of the 4th USENIXconference on Hot topics in security, USENIX Association,2009, pp. 7–7.
[11] A. Studer, T. Passaro, and L. Bauer, “Don’t bump, shake onit: the exploitation of a popular accelerometer-based smartphone exchange and its secure replacement,” in Proceedings ofthe 27th Annual Computer Security Applications Conference,ACM, 2011, pp. 333–342.
[12] N. Zheng, A. Paloski, and H. Wang, “An efficient user verifi-cation system via mouse movements,” in ACM Conference onComputer and Communications Security, 2011, pp. 139–150.
