Misbinding attacks on secure device pairing and bootstrapping

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussaConference contributionScientificvertaisarvioitu

100 Lataukset (Pure)

Abstrakti

In identity misbinding attacks against authenticated key-exchange protocols, a legitimate but compromised participant manipulates the honest parties so that the victim becomes unknowingly associated with a third party. These attacks are well known, and resistance to misbinding is considered a critical requirement for security protocols on the Internet. In the context of device pairing, on the other hand, the attack has received little attention outside the trusted-computing community. This paper points out that most device pairing protocols are vulnerable to misbinding. Device pairing protocols are characterized by lack of a-priory information, such as identifiers and cryptographic roots of trust, about the other endpoint. Therefore, the devices in pairing protocols need to be identified by the user's physical access to them. As case studies for demonstrating the misbinding vulnerability, we use Bluetooth and a protocol that registers new IoT devices to authentication servers on wireless networks.We have implemented the attacks.We also show how the attacks can be found in formal models of the protocols with carefully formulated correspondence assertions. The formal analysis yields a new type of double misbinding attack. While pairing protocols have been extensively modelled and analyzed, misbinding seems to be an aspect that has not previously received sufficient attention. Finally, we discuss potential ways to mitigate the threat and its significance to security of pairing protocols.

AlkuperäiskieliEnglanti
OtsikkoAsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
KustantajaACM
Sivut453-464
Sivumäärä12
ISBN (elektroninen)9781450367523
DOI - pysyväislinkit
TilaJulkaistu - 2 heinäkuuta 2019
OKM-julkaisutyyppiA4 Artikkeli konferenssijulkaisuussa
TapahtumaACM Asia Conference on Computer and Communications Security - Auckland, Uusi-Seelanti
Kesto: 9 heinäkuuta 201912 heinäkuuta 2019

Conference

ConferenceACM Asia Conference on Computer and Communications Security
LyhennettäAsiaCCS
MaaUusi-Seelanti
KaupunkiAuckland
Ajanjakso09/07/201912/07/2019

Sormenjälki Sukella tutkimusaiheisiin 'Misbinding attacks on secure device pairing and bootstrapping'. Ne muodostavat yhdessä ainutlaatuisen sormenjäljen.

  • Siteeraa tätä

    Sethi, M., Peltonen, A., & Aura, T. (2019). Misbinding attacks on secure device pairing and bootstrapping. teoksessa AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (Sivut 453-464). ACM. https://doi.org/10.1145/3321705.3329813