GAnGS: Gather, Authenticate 'n Group Securely∗ Chia-Hsin Owen Chen†, Chung-Wei Chen‡, Cynthia Kuo§, Yan-Hao Lai∗, Jonathan M. McCune§, Ahren Studer§⋄, Adrian Perrig§, Bo-Yin Yang†, Tzong-Chen Wu∗∗ † Academia Sinica ‡ National Tsing Hua University § Carnegie Mellon University ∗ National Chung Hsing University ∗∗ National Taiwan University of Science and Technology ⋄Correspondence should be addressed to [email protected] ABSTRACT 1. INTRODUCTION Establishing secure communication among a group of phys- Humans often form groups when meeting in person: po- ically collocated people is a challenge. This problem can tential collaborators exchange ideas and data after a con- be reduced to establishing authentic public keys among all ference, opposing parties communicate during contract ne- the participants – these public keys then serve to establish gotiation, and political cabinets meet and later disseminate a shared secret symmetric key for encryption and authenti- strategies during a campaign. In all of these scenarios, mem- cation of messages. Unfortunately, in most real-world set- bers of a group want to communicate without allowing oth- tings, public key infrastructures (PKI) are uncommon and ers to access the information. Communication is secured distributing a secret in a public space is difficult. Thus, it is using cryptographic keys, which enable the encryption and a challenge to exchange authentic public keys in a scalable, authentication of messages. The challenge is to establish secure, and easy to use fashion. these cryptographic keys in a secure, usable manner. In this paper, we propose GAnGS, a protocol for the se- The goal of this work is to help establish keys within a cure exchange of authenticated information among a group group over a wireless medium. Wireless communication is of people. In contrast to prior work, GAnGS resists Group- invisible to humans and thus fails to indicate the source of in-the-Middle and Sybil attacks by malicious insiders, as well information to the user. An attacker can thus easily per- as infiltration attacks by malicious bystanders. GAnGS is form a Man-in-the-Middle (MitM) attack and expose keys to designed to be robust to user errors, such as miscounting the outsiders or establish different keys within the group. Prior number of participants or incorrectly comparing checksums. work relies on pre-existing associations or secrets within the We have implemented and evaluated GAnGS on Nokia N70 group to secure wireless channels. In addition, prior work phones. The GAnGS system is viable and achieves a good assumes that users can accurately count or compare strings balance between scalability, security, and ease of use. of hexadecimal digits. Unfortunately, these assumptions of- Categories and Subject Descriptors C.2.0 [Computer – ten do not hold, and an alternative solution is necessary to Communication Networks]: General – security and protec- establish group keys. tion; H.1.2 [Models and Principles] User/Machine Systems Prior work on group communication leverages a Public – human factors Key Infrastructure (PKI) to authenticate public keys or a group password to secure communication. However, a PKI General Terms: Security, Human Factors may be impractical outside corporate settings, and a shared password needs to be securely exchanged between group ∗This research was supported in part by the iCAST project members. When an ad-hoc group meets in a public space under grant NSC96-3114-P-001-002-Y from the National (e.g., an airport), an attacker can intercept all communica- Science Council Taiwan, CyLab at Carnegie Mellon under tion (electronic, spoken, or written), most likely observe the grants DAAD19-02-1-0389 and MURI W 911 NF 0710287 group’s password and thus subvert the group. To protect from the Army Research Office, grants CCF-0424422 and wireless communication with no prior associations or shared CNS-0627357 from the National Science Foundation, and General Motors through the GM-CMU Collaborative Re- secrets, Demonstrative Identification (DI) allows a user to search Laboratory. The views and conclusions contained indicate via physical actions which two devices should com- here are those of the authors and should not be interpreted municate (e.g., touching devices together, one device taking as representing the official policies or endorsements, either a picture of the other, etc.) [3, 21, 22, 24]. However, cur- express or implied, of ARO, CMU, GM, iCast, NSF, or the rent DI schemes only work for pairwise communication. We U.S. Government or any of its agencies. extend DI to the group setting and introduce the notion of Physical Articulation to Authenticate Legitimate Parties (PAALP). With PAALP, members of a group can verify the information they have wirelessly received originated from Permission to make digital or hard copies of all or part of this work for the expected physical devices. In essence, a protocol sup- personal or classroom use is granted without fee provided that copies are porting PAALP (a “PAALPable” protocol) enables conver- not made or distributed for profit or commercial advantage and that copies sion of physical presence within a group into digital trust. bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific Even with a PKI or a group password, user errors can permission and/or a fee. cause vulnerabilities when establishing keys. Prior works MobiCom'08, September 14–19, 2008, San Francisco, USA. assume humans can accurately count the number of mem- Copyright 2008 ACM 978-1-60558-096-8/08/09 ...$5.00. bers in the group and compare random strings (tasks which information IX from member X. This includes“In- cannot be automated by a device). Other work has shown clusivity” in that when a member X has a copy of that users often commit errors in these simple tasks [15,28]. the list, the list must include IX. When groups members fail to compare accurately, an at- 2. Exclusivity. Λ contains information from the ℓ in- tacker can split the group as part of a Group in the Middle tended group members, and no other individuals. (GitM) Attack [16]. When group members count incorrectly, X an outsider can add himself to the group or an insider can 3. Uniqueness. Each member can only contribute add multiple identities (a Sybil attack [8]) without changing one piece of information (IX) to Λ. the checksum values used to verify successful completion. • Resistance to Human Error. As group size in- Given these errors, we would like to design a protocol that creases, the likelihood that a user will make a mistake is secure in the presence of miscounts (Enumeration Error also increases. Groups must be able to exchange au- Proof (EEP)) and resilient to failed comparisons (Compari- thentic information accurately. In the event of user son Error Proof (CEP)). error(s), GAnGS should fail safely (discard the list). We present GAnGS (Gather, Authenticate ’n Group Se- curely), a system that gathers, distributes, and verifies au- 2.2 Assumptions thentic information among a group of collocated mobile de- We assume that: vices. GAnGS exchanges group members’ public keys such • Group members are physically located in the same that each group member obtains the authentic public key of room during group formation; every other member. Knowing every other members’ pub- • Group members can distinguish legitimate members lic key can be used to encrypt messages or distribute group from non-members; keys among any subset of the group. Our key insight is that verifying the group list via physical interaction in ran- • Members possess devices that support the same phys- domly assigned subgroups reduces user error while providing ical method for exchanging information (e.g., our im- a probabilistic security guarantee. plementation of GAnGS requires Bluetooth support, a GAnGS is PAALPable, EEP, and CEP. As such, a group camera, and programmable software); and using GAnGS can exclude outsiders and detect GitM and • Members accurately count less than ten individuals. Sybil attacks. Achieving these usability goals presents a tradeoff for security. For 100% EEP and CEP, each device 2.3 Attacker Model must interact with every other device (for a total of O(n2) in- Attackers may be located inside or outside of the room teractions). GAnGS provides greater than 95% probability before, during, and after GAnGS is performed. If attack- of attack detection while requiring only O(n) interactions. ers are in the same room as group members, information displayed on a screen or written down may be seen by the Contributions. With PAALP, we extend the idea of attackers, and verbal communication may be heard by the physically identifying parties which communicate wirelessly attackers. With their devices, attackers can overhear, inter- via physical actions in a group setting. We quantify the cept, and inject any wireless communication. As part of an user effort in our PAALPable system by comparing the num- insider attack, a member of the group may be an attacker. ber of interactions between devices in a run of the protocol. An attacker’s goal is to add unintended entities’ informa- These physical interactions provide resilience to user error tion to the list of public keys, edit or remove valid members’ and contribute the resilience to counting and comparison information from the list, and/or contribute multiple iden- errors, EEP and CEP respectively. We present the first im- tities to the list (a Sybil attack [8]). An attacker can also plementation of a system to bootstrap scalable, secure group perform a denial of service (DoS) attack such that GAnGS communication and evaluate our approaches on Bluetooth- fails to complete successfully. The impact of a DoS attack enabled Nokia N70 camera phones. is limited, since the attacker would fail to compromise the group’s communication. GAnGS addresses attacks against 2.