Usable bootstrapping of secure ad hoc communication

Posted on: 2011-08-09
Degree: Ph.D
Type: Thesis
University: University of California, Irvine
Candidate: Uzun, Ersin
GTID: 2448390002464500
Subject: Computer Science
Abstract/Summary:
Many security services rely on trusted third parties (TTPs), such as off-line Certification Authorities (CAs) or online key servers, to enable authentication and secure communication among devices and their users. However, in many applications it is impractical to assume the existence of such TTPs. In particular, some applications require direct communication between two or more wireless personal devices that have no prior context and no common point of trust or pre-shared secrets.

In this thesis, we look into the problem of establishing secure ad hoc communication among devices that have no prior security context or TTP. The main research contributions of this thesis are:

(1) Show how to establish secure ad hoc communication over a short-range wireless communication channel using three new approaches, each having some obvious advantages over the currently available solutions.

(a) We demonstrate how audio can be utilized in establishing secure communication. Our methods enable secure pairing of devices, such as a cell phone and a Bluetooth headset or a smart phone and a laptop. We argue that using audio as the human-perceivable channel in secure communication establishment has some distinct advantages.

(b) We introduce a suite of secure pairing protocols tailored for interface-constrained devices. These protocols impose truly minimal user interface constraints: a single button or a means of one-bit output such as an LED.

(c) We introduce a new method of bootstrapping secure communication in sensor networks, taking into account the unique requirements of the underlying environment. We use the fact that sensors have identical wireless transceivers and that the symmetrical physical properties of wireless signals between communicating parties can be utilized to derive secrets, which are then used to secure communication.

(2) Analyze the security and usability of various secure bootstrapping methods. After implementing the methods within a common software platform, we conducted extensive user studies. We conducted these studies in two flavors:

(a) Bootstrapping secure communication in a one-user setting: a single user establishing secure communication between two of his/her devices.

(b) Bootstrapping secure communication in social settings: multiple users establishing secure communication among their respective devices. We conducted separate studies for two-user and group scenarios.
Keywords/Search Tags: Secure, Communication, Bootstrapping, Devices