diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c9ac301
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+# Ignore generated files
+article.pdf
+
+# Ignore intermediate files
+*.aux
+*.bbl
+*.bcf
+*.blg
+*.fdb_latexmk
+*.fls
+*.log
+*.out
+*.run.xml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1bb2740
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+# SecretSharing
+
+This describes how to share secrets between two mobile devices using QR codes. The goal is to exchange information without the need of using network, bluetooth, or NFC connections, while an adversary is observing the displays of the devices, e.g., shoulder surfer, surveillance camera.
+
+Mockup of the user interface of the demo application.
+
+For a demo-application see [SecretSharing-iOS](https://github.com/AppPETs/SecretSharing-iOS).
+
+## Compilation
+
+The article can be compiled using `latexmk`:
+
+```sh
+latexmk -pdf -interaction=nonstopmode -f article.tex
+```
+
diff --git a/article-content.tex b/article-content.tex
new file mode 100644
index 0000000..0949517
--- /dev/null
+++ b/article-content.tex
@@ -0,0 +1,112 @@
+\begin{abstract}
+ In this paper we show how to use the Elliptic-curve Diffie-Hellman protocol with ephemeral keys (ECDHE) in order to share a secret message between two mobile devices by using QR codes.
+ An iOS application demonstrating this approach is presented.
+\end{abstract}
+
+% ------------------------------------------------------------------------------
+
+\section{Introduction}
+
+Sharing secrets while an attacker is eavesdropping on the process is a problem solved a while ago.
+\textcite{DBLP:journals/cacm/Merkle78} has proposed an idea that serves as a foundation for exchanging keys securely.
+Modern adoptions thereof, such as the Elliptic-curve Diffie-Hellman (ECDH), are widely used in current implementations such as the TLS protocol.
+
+Assume that two persons want to share a secret between their mobile devices without disclosing their secret to other persons looking over their shoulders.
+They do not want to upload the secret to a web service, as they do not trust the service provider, and they cannot establish direct network, Bluetooth or NFC connections.
+The secret could then be shared by exchanging QR codes between those devices.
+Since QR codes are displayed on the device's screen, an observer could decode it.
+Password protection of the shared secret is not effective, as entering the password could also be observed.
+Therefore, we employ a cryptographically secure key exchange mechanism in order to protect the exchanged secret.
+
+First, the attacker model is described.
+Then the process of the protected key exchange is detailed.
+In the end, an app is presented that demonstrates the described key exchange mechanism.
+
+% ------------------------------------------------------------------------------
+
+\section{Attacker Model}
+
+The attacker, against whom our system is still able to protect the secret, is an outsider and has no direct access to the devices.
+He could be someone, who is looking at the devices in question (shoulder surfer) or he could own surveillance cameras capturing the key exchange process.
+He can capture and observe the screen of both devices at any given time.
+The attacker behaves passively and only observes the key exchange process.
+He is limited in his computational complexity and cannot break cryptographic systems.
+
+% ------------------------------------------------------------------------------
+
+\section{Process}
+
+\begin{figure*}[t]
+ \centering
+ \input{figures/key-exchange-sequence}
+ \caption{The process of the key exchange mechanism in detail.}%
+ \label{fig:key-exchange-sequence}
+\end{figure*}
+
+Assume that the two persons from the introduction are called Alice and Bob.
+The Alice wants to share a secret message $m$ with Bob.
+The key exchange mechanism is basically Elliptic-curve Diffie-Hellman with ephemeral keys (ECDHE)~\cite[56~pp.]{Brown:2009}.
+First, both of them create ephemeral key pairs, where $k_A$ is Alice's secret and $K_A$ Alice's public key, $k_B$ and $K_B$ are Bob's keys respectively.
+Bob first has to share his public key $K_B$ with Alice, so that she can determine a common session secret $t = k_A K_B = k_B K_A$ from which the actual symmetric session key $k = \Function{h}{t \concat K_B \concat K_A}$ is derived using a cryptographic hash function $h$.
+Next, she sends Bob her public key $K_A$ as well as the encrypted message $c = \Function{E}{s, m}$.
+Bob can now calculate the common session secret $t$ and derive the symmetric key $k$ in order to decrypt the message $m = \Function{E^{-1}}{s, c}$.
+This requires two messages to be transmitted, which can be done be reading QR codes mutually from each others screens.
+The process is also depicted in figure~\ref{fig:key-exchange-sequence}.
+
+The attacker can observe both messages but can still calculate neither $t$ nor $k$ since he does know neither $k_A$ nor $k_B$.
+
+% ------------------------------------------------------------------------------
+
+\section{Demonstrator}
+
+\begin{figure}[t]
+ \centering
+ \includegraphics[width=\columnwidth]{figures/mockup.pdf}
+ \caption{Mockup of the user interface of the demo application.}%
+ \label{fig:mockup}
+\end{figure}
+
+In order to demonstrate this mechanism, a demo application has been designed as depicted in figure~\ref{fig:mockup}.
+The application has a demonstration area, which allows the user to enter the message that should be shared with the other device.
+Obviously, the demonstration area should not be present in productive apps, as the attacker would see the shared message directly.
+The app works as follows:
+\begin{enumerate}
+ \item
+ Alice enters a message on her device.
+ \item
+ Bob clicks \emph{Import} on his device.
+ A QR code containing Bob's public key $K_B$ will be displayed there.
+ \item
+ Alice clicks \emph{Export} on her device.
+ The camera will activate in order to scan the QR code displayed on Bob's device.
+ The camera permission has to be granted for this.
+ The QR code from Bob's device will automatically be detected and a QR code will be shown on Alice's device containing Alice's public key $K_A$ and the payload $c$.
+ \item
+ Bob clicks \emph{Continue} on his device.
+ The camera will active as described for Alice's device in the previous step.
+ After the QR code from Alice's device was scanned the shared message is then displayed in the demo area on Alice's device as well.
+\end{enumerate}
+
+The demo application was implemented as an open source application for iOS\footnote{AppPETs/SecretSharing-iOS: Exchange secrets between devices using QR codes: \url{https://github.com/AppPETs/SecretSharing-iOS}}.
+The Sodium crypto library\footnote{The Sodium crypto library (libsodium): \url{https://libsodium.org}} library is used as implementation of the key exchange mechanism, which is using X25519~\cite{DBLP:journals/rfc/rfc7748} and Blake2b-512~\cite{Aumasson:2013, DBLP:journals/rfc/rfc7693, Aumasson:2016} internally.
+
+% ------------------------------------------------------------------------------
+
+\section{Limitations}
+
+This approach might be less comfortable to users than entering a password than mutually scanning screens of two devices.
+But even though the usability is impacted, it offers higher security with respect to the described attacker model.
+
+Another limitation is that QR codes are limited in size.
+This means that the shared message $m$ cannot be of arbitrary length.
+
+The standard iOS SDK, which is used for scanning QR codes, does not support scanning QR codes in binary format, therefore the values of the QR codes are Base64 encoded.
+Due to the QR code format specification, this allows slightly more data to be packed into a single QR code.
+
+% ------------------------------------------------------------------------------
+
+\section{Conclusion}
+
+We presented a method for exchanging secret keys of mobile devices by mutually scanning QR codes.
+The described approach uses state-of-the-art technology and protects against a passive attacker that could capture and observe the whole process.
+It works without network or Bluetooth access and can be used to quickly and securely share secrets between two devices, such as exchanging addresses without the usage of a secure messenger or encrypted mail.
diff --git a/article.tex b/article.tex
new file mode 100644
index 0000000..73b3dd6
--- /dev/null
+++ b/article.tex
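Review bot: The key-derivation formula in the Process section disagrees with the figure it references: the text derives `$k = \Function{h}{t \concat K_B \concat K_A}$` while figures/key-exchange-sequence.tex (the hunk after article.tex) uses `t \concat K_A \concat K_B`, and the same paragraph encrypts with an undefined `s` (`\Function{E}{s, m}`, `\Function{E^{-1}}{s, c}`) although the derived key is `k`; pick one order, state it once, and use `k` in both calls. Because the Demonstrator section says the derivation is done by libsodium, the order written in the paper should be the one the library actually computes, which I cannot confirm from this page, so check that before editing the text. The attacker model is explicitly passive, and the Limitations section should say what that excludes, e.g. `An active attacker who can replace the displayed QR codes is not covered, since neither $K_A$ nor $K_B$ is authenticated by the described exchange.` Smaller wording issues in the same hunk: `The Alice wants`, `done be reading`, `The camera will active`, and the last enumerate step says the message is displayed on Alice's device, which from the preceding steps should presumably be Bob's.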
@@ -0,0 +1,119 @@
+\documentclass[
+ parskip = half,
+ headings = small,
+ twocolumn = true,
+ bibliography = totoc,
+]{scrartcl}
+
+% --- Encoding -----------------------------------------------------------------
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+
+% --- Language & Regional Formatting -------------------------------------------
+\usepackage[
+ main = USenglish,
+ ngerman,
+]{babel}
+\usepackage[useregional]{datetime2}
+
+% --- Bibliography -------------------------------------------------------------
+\usepackage[
+ style = numeric-comp,
+ backend = biber,
+ urldate = long,
+]{biblatex}
+\addbibresource{references.bib}
+
+% --- Document Style -----------------------------------------------------------
+\usepackage{microtype}
+\usepackage[autostyle]{csquotes}
+\usepackage{lmodern}
+\usepackage[light, semibold, scaled = 0.85]{sourcecodepro}
+%\usepackage[scaled = 0.85]{sourcecodepro} % PRINT
+
+\DisableLigatures{encoding = T1, family = tt*}
+
+\usepackage[
+ a4paper,
+ margin = 2.54cm,
+ marginparwidth = 2.0cm,
+ footskip = 1.0cm,
+]{geometry}
+
+\pagestyle{plain}
+
+\AtBeginEnvironment{abstract}{\itshape}
+
+% --- TIKZ ---------------------------------------------------------------------
+\usepackage{tikz}
+\usetikzlibrary{arrows}
+\usepackage{pgf-umlsd}
+
+% --- Formulas -----------------------------------------------------------------
+\usepackage{mathtools}
+
+\DeclarePairedDelimiter{\Paren}{\lparen}{\rparen}
+
+\DeclarePairedDelimiterX{\concat}[2]{}{}{%
+ #1\;\delimsize\|\;#2%
+}
+
+\newcommand{\Function}[2]{#1\Paren*{#2}}
+\def\concat{\;\|\;}
+
+% --- TODOs --------------------------------------------------------------------
+\usepackage[
+ textwidth=\marginparwidth,
+ textsize=footnotesize,
+]{todonotes}
+
+\presetkeys{todonotes}{fancyline, color=orange!25}{}
+
+% Taken from `todonotes` documentation
+\newcommand\todoin[2][]{%
+ \todo[
+ inline,
+ caption = {[\ldots]},
+ size = \normalsize,
+ #1
+ ]{%
+ \begin{minipage}{\textwidth-4pt}#2\end{minipage}%
+ }%
+}
+
+% --- Meta ---------------------------------------------------------------------
+\def\DocumentTitle{Sharing Secrets between Mobile Devices}
+
+\author{%
+ Maximilian Blochberger\\
+ \small\texttt{blochberger@informatik.uni-hamburg.de}
+}
+\title{\DocumentTitle}
+\date{\today}
+
+% --- URLs ---------------------------------------------------------------------
+\PassOptionsToPackage{hyphens}{url}
+\usepackage[
+ bookmarks = true,
+ bookmarksdepth = 4,
+ breaklinks,
+ unicode = true,
+ pdfdisplaydoctitle,
+ pdfpagemode = {UseOutlines},
+ pdfpagelabels,
+ pdftitle = {{\DocumentTitle}},
+ pdfauthor = {{Maximilian Blochberger}},
+ linktoc = all,
+]{hyperref}
+
+% --- Document -----------------------------------------------------------------
+\begin{document}
+ \maketitle
+
+ \input{article-content}
+
+ \section*{Acknowledgements}
+ This work was done in the AppPETs project\footnote{\begin{otherlanguage*}{ngerman}AppPETs – Datenschutzfreundliche Smartphone Anwendungen ohne Kompromisse\end{otherlanguage*}: \url{http://app-pets.org}} and supported by the BMBF.
+
+ \printbibliography%
+\end{document}
diff --git a/figures/Mockup.graffle b/figures/Mockup.graffle
new file mode 100644
index 0000000..a3de4d1
Binary files /dev/null and b/figures/Mockup.graffle differ
diff --git a/figures/key-exchange-sequence.tex b/figures/key-exchange-sequence.tex
new file mode 100644
index 0000000..da71604
--- /dev/null
+++ b/figures/key-exchange-sequence.tex
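Review bot: `\def\concat{\;\|\;}` silently overwrites the `\DeclarePairedDelimiterX{\concat}[2]{}{}{...}` defined a few lines earlier in the Formulas section, so the paired-delimiter form is dead code and any later redefinition would go unnoticed; keep one definition and, if the infix form is the intended one, write it as `\newcommand*{\concat}{\;\|\;}` with the `\DeclarePairedDelimiterX` removed. The same applies to `\def\DocumentTitle{...}`, which should be `\newcommand*{\DocumentTitle}{Sharing Secrets between Mobile Devices}`. `\usetikzlibrary{arrows}` loads the deprecated arrow-tip library; if anything in this document needs explicit tips it should use `arrows.meta`, and since only `pgf-umlsd` seems to draw arrows here the line may not be needed at all. `\todoin` is copied from the todonotes manual but does not appear to be used anywhere in article-content.tex; if it is kept for drafting, a comment saying so (`% Draft helper, unused in the final text`) would make that intent clear.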
@@ -0,0 +1,24 @@
+\noindent%
+\begin{sequencediagram}%
+ \newthread[white]{Bob}{Bob}
+ \newinst[3]{Alice}{Alice}
+ \begin{call}{Bob}{$K_B$}{Alice}{$K_A \concat c$}
+ \begin{callself}{Alice}{}{%
+ \shortstack[l]{%
+ $t = k_A K_B$\\
+ $k = \Function{h}{t \concat K_A \concat K_B}$\\
+ $c = \Function{E}{k, m}$
+ }
+ }
+ \end{callself}
+ \end{call}
+ \postlevel%
+ \begin{callself}{Bob}{}{%
+ \shortstack[l]{%
+ $t = k_B K_A$\\
+ $k = \Function{h}{t \concat K_A \concat K_B}$\\
+ $m = \Function{E^{-1}}{k, c}$
+ }
+ }
+ \end{callself}
+\end{sequencediagram}
diff --git a/figures/mockup.pdf b/figures/mockup.pdf
new file mode 100644
index 0000000..6f544e8
Binary files /dev/null and b/figures/mockup.pdf differ
diff --git a/figures/mockup@3x.png b/figures/mockup@3x.png
new file mode 100644
index 0000000..cc20641
Binary files /dev/null and b/figures/mockup@3x.png differ
diff --git a/references.bib b/references.bib
new file mode 100644
index 0000000..39fc261
--- /dev/null
+++ b/references.bib
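Review bot: This figure file is not standalone — it depends on `\concat` and `\Function` from the article.tex preamble and on the `pgf-umlsd` package — but nothing in the file says so; a header comment such as `% Included via \input from article-content.tex; needs pgf-umlsd and the \concat/\Function macros defined in article.tex` would save the next editor a failed compile. The leading `\noindent%` is a manual layout fix that has no effect inside a `\centering` float (the `figure*` in article-content.tex) and can be dropped.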
@@ -0,0 +1,58 @@
+@article{DBLP:journals/cacm/Merkle78,
+ author = {Ralph C. Merkle},
+ journal = {Commun. {ACM}},
+ number = {4},
+ pages = {294–299},
+ title = {Secure Communications Over Insecure Channels},
+ volume = {21},
+ year = {1978},
+}
+
+@article{DBLP:journals/rfc/rfc7693,
+ author = {Markku{-}Juhani O. Saarinen and Jean{-}Philippe Aumasson},
+ journal = {{RFC}},
+ pages = {1--30},
+ title = {The {BLAKE2} Cryptographic Hash and Message Authentication Code {(MAC)}},
+ volume = {7693},
+ year = {2015}
+}
+
+@article{DBLP:journals/rfc/rfc7748,
+ author = {Adam Langley and Mike Hamburg and Sean Turner},
+ title = {Elliptic Curves for Security},
+ journal = {{RFC}},
+ volume = {7748},
+ pages = {1–22},
+ year = {2016}
+}
+
+@techreport{Aumasson:2013,
+ author = {Aumasson, Jean-Philippe and Neves, Samuel and Wilcox-O'Hearn, Zooko and Winnerlein, Christian},
+ date = {2013-01-29},
+ pages = {1–20},
+ title = {BLAKE2: Simpler, Smaller, Fast as MD5},
+ url = {https://blake2.net/blake2.pdf},
+ urldate = {2018-08-08},
+ year = {2013},
+}
+
+@techreport{Aumasson:2016,
+ author = {Aumasson, Jean-Philippe and Neves, Samuel and Wilcox-O'Hearn, Zooko and Winnerlein, Christian},
+ pages = {1–4},
+ title = {BLAKE2X},
+ url = {https://blake2.net/blake2x.pdf},
+ year = {2016},
+}
+
+@techreport{Brown:2009,
+ author = {Brown, Daniel R. L. and {Certicom Research}},
+ date = {2009-05-21},
+ institution = {Standards for Efficient Cryptography Group (SECG)},
+ pages = {1–138},
+ title = {Standards for Efficient Cryptography: SEC 1: Elliptic Curve Cryptography},
+ type = {Commercial standard},
+ url = {http://www.secg.org/sec1-v2.pdf},
+ urldate = {2018-08-08},
+ version = {2.0},
+ year = {2009},
+}
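Review bot: `Aumasson:2013` and `Brown:2009` carry both a `date` and a `year` field; with the biber backend selected in article.tex, `date` takes precedence and biber typically warns about the redundant `year`, so the `year = {2013},` and `year = {2009},` lines can be dropped. The `pages` fields also mix a literal en dash (`294–299`) with `--` (`1--30`); both render the same under `inputenc`, but using `--` throughout keeps the file consistent and ASCII-safe for tools that are not UTF-8 aware.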