Context-Based Zero-Interaction Pairing and Key Evolutionfor Advanced Personal Devices

Markus MiettinenTechnische Universität

Darmstadtmarkus.miettinen@

trust.cased.de

N. AsokanAalto University and University

of Helsinkiasokan@acm.org

Thien Duc NguyenTechnische Universität

Darmstadtducthien.nguyen@

trust.cased.deAhmad-Reza Sadeghi

Technische UniversitätDarmstadt

ahmad.sadeghi@trust.cased.de

Majid SobhaniTechnische Universität

Darmstadtmajid.sobhani@trust.cased.de

ABSTRACTSolutions for pairing devices without prior security associa-tions typically require users to actively take part in the pair-ing process of the devices. Scenarios involving new types ofdevices like Internet-of-Things (IoT) appliances and wear-able devices make it, however, desirable to be able to pairusers’ personal devices without user involvement.

In this paper, we present a new approach for secure zero-interaction pairing suitable for IoT and wearable devices.We primarily require pairing to happen between “correct”devices – the devices that the user intends to pair. Our pair-ing scheme identifies the correct devices based on measuringsustained co-presence over time. We do this by having thedevices compute a fingerprint of their ambient context us-ing information gathered through commonly available sensormodalities like ambient noise and luminosity. We introducea novel robust and inexpensive approach for fingerprintingcontexts over time. Co-present devices will observe roughlysimilar context fingerprints that we use in a key evolutionprotocol to gradually increase the confidence in the authen-ticity of the correct devices. Our experiments show the ef-fectiveness of this approach for zero-interaction pairing.

Categories and Subject DescriptorsK.6.5 [Management of computing and informationsystems]: Security and Protection—Authentication

Keywordscontextual security; context-based pairing; zero-interaction

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full cita-tion on the first page. Copyrights for components of this work owned by others thanACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-publish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from permissions@acm.org.CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.Copyright 2014 ACM 978-1-4503-2957-6/14/11 ...$15.00.http://dx.doi.org/10.1145/2660267.2660334.

1. INTRODUCTIONTraditional approaches for key agreement between per-

sonal devices without any prior security association (alsoknown as“pairing”) typically rely on some form of active userinvolvement to authenticate the key agreement. For exam-ple, the user may be asked to compare authentication stringsdisplayed on the devices or to bring the devices close enoughso that they can communicate via a Near Field Communi-cation channel [17]. Such measures are required to thwartman-in-the middle attacks targeting the initial key agree-ment. Relying on user involvement to authenticate pairingis cumbersome, error-prone and does not scale well. It istherefore desirable to devise zero-interaction pairing mech-anisms which do not require any user interaction.

In this paper, we consider the challenge of zero-interactionpairing for two particularly important emerging classes ofpersonal devices: Internet-of-Things (IoT) appliances andwearables. There has been an increasing interest in bothof these classes accompanied by a steady stream of prod-uct announcements and media coverage. IoT devices areintelligent network-enabled appliances utilizing connectiv-ity and local computation to enable richer functionality andimproved user experience. Examples of IoT devices includeNest smoke detectors and thermostats [12], the Oral-B con-nected toothbrush [13], the Bee+ smart injection trackerfor diabetic patients [21], and the Spotter smart home sen-sor [14]. According to a recent Gartner forecast, the totalinstalled base of IoT devices will grow to 26 billion units by2020 [8]. Such devices will therefore play a significant rolein the future end-user computing infrastructures. Similarly,new wearable devices include wristbands used for activitymonitoring (e.g., LG LifeBand Touch, POLAR Loop Ac-tivity Tracker), augmented reality gadgets like the GoogleGlass near-eye display device, smart watch devices (e.g.,Samsung Galaxy Gear) and many more. It is estimatedthat by 2017, 50% of all smartphone app interactions willinvolve wearable devices [7], emphasizing the important rolethat wearables are expected to play in future smartphoneusage scenarios.

Both IoT devices and wearables process sensitive informa-tion and critical operations. Thus securing their communi-cations is essential. On the other hand, in both cases ordi-

nary users may own and manage many devices. The devicesthemselves may not have any user interfaces. Therefore,zero-interaction pairing will greatly improve the usability ofconfiguring these devices.

The security goal of pairing personal devices is to en-sure that the key agreement takes place between the de-vices owned by the user. In traditional pairing schemes,users are required to demonstratively identify the correctdevices [1]. The requirement of zero-interaction, however,rules out demonstrative identification.

Existing pairing solutions that do not require direct userinvolvement can be broadly divided into two classes: keypredistribution and context-based pairing approaches. Keypredistribution-based approaches (e.g., [6, 2, 10, 18]) aremainly intended for digital sensor network (DSN) scenariosand require key material to be distributed to all networknodes before their deployment in the field. In IoT scenar-ios, however, such predistribution is not feasible due to theoverwhelmingly large number of devices deployed and thefact that there are hundreds if not thousands of differentdevice vendors that do not necessarily share any securityassociations with each other. Furthermore, in our scenariosmultiple authentication domains may exist in overlappingphysical spaces, such as the IoT domains of two neighboringapartments. Therefore the pairing solution must be capa-ble of automatically distinguishing between such overlappingdomains.

Context-based pairing approaches (e.g., [20, 16]), on theother hand, use co-presence of devices to identify the de-vices to be paired. These schemes leverage the fact thatco-present devices will perceive roughly the same ambientcontext via their on-board sensors – thus each device takesa momentary snapshot of its ambient context using a givensensor modality (e.g., acoustic or electromagnetic) and usesthe resulting “context fingerprint” to authenticate key agree-ment. Relying on a one-shot fingerprint for zero-interactionpairing has some drawbacks in the scenarios we consider.First, to ensure security the context fingerprint must havesufficient entropy (e.g., 128 bits). This imposes strict re-quirements on the fingerprinting technique such as the needfor tight time synchronization between devices (as in [16]) oraccess to low-level information like raw WiFi packets that istypically not available to apps in commodity devices (as in[20]). Second, momentary co-presence of two devices doesnot always imply that the devices belong to the same user.

Our goal and contributions. In this paper, we presenta novel approach for zero-interaction pairing that is suit-able for IoT and wearable device scenarios. Unlike previousschemes, we identify correct devices based on the notion ofsustained co-presence: our scheme uses sensed context fin-gerprints to evolve the pairing key periodically in a way thatis only possible for devices co-present over extended periodsof time. This is based on the intuition that in the long run, auser’s personal devices are much more likely to be co-presentwith one another as compared to other users’ devices. Weuse readily available context sensor modalities like audio andluminosity. An initial (potentially insecure) pairing is grad-ually strengthened using a key evolution approach that step-by-step establishes and increases the authenticity of correctpeers, while making it increasingly difficult for wrong de-vices to maintain an authenticated pairing with the user’sdevices.

The context fingerprints we use are based on observablechanges in the average luminosity and noise levels of thedevices’ ambient context over a longer time period. Use oflonger time periods implies that our fingerprinting schemedoes not require tight time synchronization and is thus ro-bust. Fingerprints are used to authenticate each key evolu-tion step.

Our main contributions are the following:

• We describe a robust context-based shared en-tropy extraction scheme for audio and luminositymodalities and demonstrate its effectiveness using realcontext data (Section 4).

• We incorporate the entropy extraction into a novel keyevolution approach for automatically pairing personaldevices of the user (Section 3) and reason about its se-curity (Section 5). The key evolution ensures that pair-ing succeeds between devices that exhibit sustained co-presence, which is typical for personal devices in IoTand wearable device scenarios.

The rest of this paper is structured as follows: In Sect. 2,we describe the context-based pairing scenario and problemsetting. In Sect. 3 we describe the key evolution approach,which utilizes a fingerprinting scheme presented and evalu-ated in Sect. 4. An analysis of the security properties of ourapproach is presented in Sect. 5. We conclude the paper witha presentation of related work in Sect. 6 and a conclusion inSect. 7.

2. PROBLEM DESCRIPTIONWe focus on the problem of pairing between two devices.

By ”pairing”, we mean the process of setting up a sharedsecurity association (e.g., a shared symmetric key) betweenthe devices. Pairing must be established only between thedevices that the user intends to pair, i.e., devices belongingto the same user. We refer to these as the correct peers.Conversely devices owned by other users are wrong peers.The security goal of pairing is to ensure that only a pairingbetween correct peers is accepted as genuine. Our approachis to develop a context-based pairing scheme to this end.“Context” means here the ambient environment of a device.A device can characterize its context by using context datathat can be sensed using on-board sensor modalities. Inthis paper, we use ambient audio (sensed by microphones)and luminosity (sensed by lux sensors) for characterizing acontext.

We consider the pairing problem in two particular sce-narios: a static setting primarily concerning IoT devices in-stalled at the user’s home, and, a mobile setting for wearablepersonal devices.

IoT Scenario. The IoT scenario is shown in Fig. 1. Auser has installed some IoT devices d1 and d2. Her neigh-bor also has an IoT device A in his apartment. IoT devicesare typically equipped with WiFi or Bluetooth connectivityand hence may be placed within each other’s communicationrange. We can assume that all devices are able to communi-cate with one another and are equipped with context sensorsto sense contextual parameters. Over time, the devices d1

and d2 in the user’s home should establish a secure pairingbetween each other without user interaction, while makingsure that a trusted pairing is not erroneously establishedwith device A.

User’s home

Neighbour’s home

d1

d2A

Figure 1: Scenario 1: Pairing of personal IoT devices

Device d2

MITM A

Impersonator A

Device d1

Figure 2: Scenario 2: Pairing of personal wearabledevices

Wearable Scenario. The second scenario is concernedwith the secure pairing of personal wearable devices, as de-picted in Fig. 2. The user has a smartphone d1 and buys asmart watch d2, turns it on and starts using it. The newlyactivated smart watch d2 actively searches for smartphonesnearby and establishes an initial pairing with all such de-vices that it can find nearby. Similarly d1 will accept anyinitial pairing from any wearable device that contacts it.

In order to establish the authenticity of such initial pair-ings, the two devices then attempt to evolve their pairingkey using a key evolution protocol during a gestation period.If at the end of the gestation period the two devices havesufficient confidence in the authenticity of each other belong-ing to the same domain, i.e., being owned by the same user,they accept the pairing key as genuine. Otherwise, they dis-card the pairing the key. If the wearable device d2 acceptsa key, it stops making new key pairing requests, since it isalready associated with the correct user’s smartphone. Alsoin this scenario, we need to make sure that the pairing keyof a device A not belonging to the user is not erroneouslyaccepted as genuine.

2.1 Threat Model and AssumptionsThe threat we are concerned with is that an adversary

device A succeeds in making a legitimate device d1 accept apairing with A as genuine.

IoT Scenario. In the IoT scenario, the adversary A is anIoT device in the neighbor’s apartment. This device can bebenign, just trying to pair with other devices it can discoverin its proximity, or, malicious, if infected with malware, ag-gressively trying to pair with and infiltrate any IoT networksit can discover. The wrong peer A is permanently near de-vice d1 and can communicate with it over a wireless link,but it is not able to monitor d1’s ambient context, since itis separated from it by a solid wall.

If the neighboring apartment where the wrong device A islocated has large windows facing the same direction as the

user’s apartment, A may have visibility to any changes inthe outside luminosity affecting the lighting conditions in theuser’s apartment, but it is not able to directly observe thelighting conditions in the ambient context of d1. Specifically,A is not capable of mounting targeted attacks, i.e., attacksthat are executed by directly monitoring the target apart-ment where d1 is located, e.g., from another apartment overthe street. Since A is assumed to be a regular IoT device,it neither has the directional high-fidelity sensors requiredfor monitoring a specific target over large distances nor thefunctional logic for mounting such attacks.

Wearable Scenario. In the wearable device scenario, theadversary A is either a malicious attacker trying to play aman-in-the-middle attack on the user and his wearable de-vice, in order to obtain sensitive information exchanged be-tween them, or it could be just someone else’s device search-ing for its own peer device. We assume that the wrong peerA is from time to time present in the same context as d1,e.g., while d1 is visiting a place where also A is located (cf.Fig 2) and hence A can observe the same contextual pa-rameters as d1. However, A is not able to follow the userconstantly. The amount of time A is able to monitor d1’scontext is therefore limited and significantly smaller thanthe time that d1 and d2 spend co-located in the same con-texts. We follow a standard Dolev-Yao adversary model [4]and assume that A has full control over all communicationchannels.

In both scenarios we assume that the user’s own devicesd1 and d2 consistently spend most of the time in the samecontexts. In the IoT scenario, the context is spatially static,e.g., the user’s home, since typically IoT devices are house-hold appliances (smart TVs, smart thermostats, etc.) thatare relatively static objects. Wearable devices like a smartwatch, on the other hand, are continuously carried by theuser and are therefore sharing the same, although changingcontext during the day as the user moves around.

2.2 ObjectivesOur main objectives are as follows.

Authenticated pairing. User devices (IoT devices andwearables) securely establish authenticated pairings with thecorrect peer devices, i.e., a user’s device d1 accepts a pairingwith d2 after a gestation period if, and only if, d1 and d2 areowned by the same user and thus are co-present for longerperiods of time. Authenticated pairings are not establishedwith wrong peers A, including attacker devices playing man-in-the middle and impersonation attacks against the correctpeers.Zero-interaction. The pairing must happen without userinteraction, i.e., based solely on information that the in-volved devices can communicate and sense from their ambi-ent context without human involvement.

2.3 Solution ApproachPrevious approaches for context-based pairing presented

in literature use context information to establish a one-shotsecure pairing [20, 16]. The security of these approaches de-pends on the assumption that the adversary is not presentsufficiently close in the context of the user devices d1 and d2

when the pairing is performed and thus unable to observe thesame contextual parameters as d1 and d2. These approachesrely, however, on the user to visually determine that no ad-versary A is present in the proximity of the devices d1 and d2

before the pairing is initiated. In a zero-interaction setting,this is not possible. For example, in a situation in whichwearable devices are taken into use at a moment when sev-eral parties are present in the same room, an adversary Amight very well be present.

Therefore, we follow a more in-depth defense strategy byutilizing a key evolution approach described in Sect. 3. Inour approach, the target device d1 is initially entitled to es-tablish pairings with all other devices in proximity, includingcorrect and wrong peers. These pairings are, however, as-signed an authenticity rating that is initially zero, meaningthat the authenticity of the counterpart has not been veri-fied. Key evolution is then used to gradually increment theauthenticity rating of correct peers, so that over time onlypairings with correct peers will be accepted as genuine.

In earlier approaches, context fingerprints used for one-shot pairing must have sufficient entropy (e.g. 128 bits).Obtaining a sufficient amount of entropy from a short con-text snapshot requires therefore tight time synchronizationbetween the devices d1 and d2 to be paired [16]. On com-modity devices achieving sufficiently accurate synchroniza-tion might not be technically feasible. To overcome thislimitation, we utilize a more robust fingerprinting approachthat operates on longitudinal context measurements and isthus not as sensitive to time synchronization issues. Thefingerprinting scheme used is described in Sect. 4.

3. CONTEXT-BASED KEY EVOLUTIONOur key evolution approach is based on the assumption

that two devices that have established an initial pairing canutilize the common information about their ambient contextobserved over time to iteratively evolve their pairing key.With each successful iteration, the belief in the authenticityof the counterpart is increased, since the protocol is designedin a way that makes it hard for devices not continuouslysharing the same context to execute it successfully.

In the approach, both peers extract context fingerprintsfrom their surroundings by continuously monitoring theircontext. If the peers spend prolonged periods of time in thesame context, observing the same contextual information,the fingerprints they extract will be similar as well. We willdefine the extraction of fingerprints in section 4.

The key evolution approach utilizes three conceptual com-ponents: key evolution, key confirmation, and, key accep-tance. Key evolution and key confirmation are executed it-eratively between the peer devices in what we call a keyevolution step: evolving the pairing key and verifying thesuccess or failure of each key evolution. After a sufficientnumber of key evolution steps have been performed, key ac-ceptance is used to ultimately determine, whether a pairingcounterpart is a correct or wrong peer.

To perform a key evolution based on context fingerprints,we require a fuzzy commitment scheme that is ideal w.r.t.the hiding property. Such a scheme is able to transform asecret value s into a commitment / opening value pair (δ, λ),such that δ does not reveal any information about the secrets, and all pairs (δ, λ) will reveal s if the Hamming distance

Ham(λ, λ) ≤ t, but it is not feasible to find an opening valueλ′, for which Ham(λ, λ′) > t, such that (δ, λ′) would revealthe secret s. In this scheme, the value t is a parameter anddenotes the maximum Hamming distance that the schemeallows for an opening value λ to have from λ, so that thesecret s is revealed. In other words, if party d1 commits to

a secret s to obtain a commitment / opening pair (δ, λ) ←Commit(s), and a subsequent opening of the commitment by

party d2 yields s← Open(δ, λ), then s = s iff Ham(λ, λ) ≤ t.We could utilize any key agreement scheme that provides

such a fuzzy commitment (e.g., [3]), but for the purpose ofthis paper, we adopt and adapt the approach of Schurmannand Sigg in [16]. It is based on the fuzzy vault construc-tion of Juels and Sudan [9]. It utilizes the error-correctingproperties of Reed-Solomon codes [15] to enable two peers toagree on a common key, if the context fingerprints that peersextracted from information in their ambient context differin at most t bits. The value of t depends on the parameter-ization of the Reed-Solomon code and can thus be selectedfreely based on the number of bit errors to be expected be-tween the fingerprints of legitimate peers. The details of thekey evolution approach are shown in Fig. 3.

3.1 Key EvolutionInitially, two devices d1 and d2 look for other devices to

pair with. When they encounter each other for the first time,they establish an initial pairing key K0

d1,d2(e.g., by using a

Diffie-Hellman key exchange). This initial key agreementis unauthenticated, i.e., neither device knows, whether thepairing counterpart belongs to the same owner or not. Ourgoal is to use subsequent key evolution to determine whetherthe pairing counterpart belongs to the same user or not.

Device d1 initiates the protocol by sending a key evolu-tion request EVO_REQ to device d2. The request containstimestamps t1 and t2, specifying the starting and endingtimes on which to synchronize the generation of the contextfingerprints. From the context observations Cd1(t1, t2) andCd2(t1, t2) falling between the specified timestamps, bothpeers extract context fingerprints FCd1

= φ(Cd1(t1, t2)) and

FCd2= φ(Cd2(t1, t2)), respectively, by applying a fingerprint

extraction function φ(·) on the collected context sequences.The extraction function is defined in Def. 3 in Sect. 4.

After generating the fingerprints, device d1 selects a ran-dom key evolution diversifier Kr ∈ Fm2k , and uses the fuzzycommitment scheme to transform it into a commitment /opening value pair (δ, λ)← Commit(Kr). The opening valueλ ∈ Fn2k is calculated as the codeword for Kr using Reed-

Solomon (RS) encoding: λ ← RS(2k,m, n,Kr). The com-mitment value δ is then calculated as the difference of thefingerprint FCd1

and the codeword λ: δ = FCd1 λ, where

denotes subtraction in the field Fn2k .Device d1 then transmits the commitment value δ to de-

vice d2, which in turn obtains an opening value λ and re-trieves the key evolution diversifier by opening the commit-ment of d1 : Kr

′ ← Open(δ, λ). It does so by decoding theopening value using the Reed-Solomon decoding function.Given that the fuzzy commitment scheme fulfils the hidingproperty requirement, Kr = Kr

′ only if Ham(λ, λ) ≤ t. Since

λ is calculated as λ = FCd2 δ, and δ as δ = FCd1

λ, itmeans that the fingerprints FCd1

and FCd2can differ in at

most t bits, which in this case is the maximum number ofbits the RS coding can correct. Otherwise, d2 will not beable to open the commitment correctly, and the retrievedkey derivation keys will not be identical, i.e., Kr 6= Kr

′.

3.2 Key ConfirmationTo determine whether the key evolution was successful,

both devices calculate candidate pairing keys by using a keyderivation function KDF applied on the old pairing key Ki

d1,d2

Device d1Ki

d1,d2 Device d2

EVO_REQ‖(t1, t2)

FCd1= φ(Cd1(t1, t2)) FCd2

= φ(Cd2(t1, t2))

random Kr ∈ Fm2k

encode: λ ∈ Fn2k ← RS(2k,m, n,Kr)

δ = FCd1 λ λ = FCd2

δδ

decode: Kr′ ← RS(2k,m, n, λ)

K+′ = KDF(Kid1,d2

,Kr′)K+ = KDF(Ki

d1,d2,Kr)

Symmetric-key authentication protocol

Ki+1d1,d2

= K+ Ki+1d1,d2

= K+′if result == success

Figure 3: The Key Evolution Protocol

and the key evolution diversifier, i.e., Kr or Kr′, respec-

tively. The peers then execute a symmetric-key authentica-tion protocol with the candidate keys to determine, whetherthey are identical. The used protocol needs to be toler-ant to offline guessing attacks. For example, a password-authenticated key-exchange scheme [22] can be used (al-though they are intended for long-lived short shared secrets).If the protocol succeeds, the key evolution step is consid-ered successfully completed and the peers start using thecandidate keys as their new pairing keys, i.e., device d1 setsKi+1

d1,d2= K+ and device d2 sets Ki+1

d1,d2= K+′.

3.3 Key AcceptanceTo ultimately determine whether a pairing counterpart is

a correct or a wrong peer, we apply the following strategy:assuming that a wrong peer A is spatially or temporally lim-ited in its ability to continuously monitor the context of atarget device d1, it is likely that A will fail in key evolutionmuch more often than a correct peer d2, who is predomi-nantly co-present in d1’s context. By keeping track of thenumber of successful key evolutions each pairing counterpartis able to follow, it becomes therefore possible to distinguishthe correct peer d2 from wrong peer A.

We need to take into account that wrong peers may ap-pear at any point in the pairing and key evolution process. Awrong peer A may initiate the pairing first and impersonatea correct peer d2 which will come into communication rangeonly later, or, A may appear after an initial pairing with thecorrect peer d2 has already been established, and may claimto be d2. Since we assume that there is no prior security asso-ciation between any of the devices, we can’t distinguish withcertainty whether the former or the latter device requestingthe pairing is the correct personal device d2. Therefore, weneed to initially accept all pairing requests for a particulardevice identity and use the key evolution protocol to verify,which device actually is the authentic one.

To be able to distinguish different devices from each other,we assign a key chain identifier IDX

d = Hash(K0d) for each

device d . The chain identifier is a hash value of the key K0d

derived during the initial unauthenticated pairing with d ,and X is the identity that d claims to represent. We de-note the set of all devices d claiming identity X with DX .We evolve the pairing key Ki

d independently for each de-vice’s key chain and keep track of the number of successfulkey evolution steps associated with each key chain identifierIDX

d as well as the total number of successful key evolutionsteps for the claimed identity X . The ratio of successful keyevolution steps for each key chain identifier IDX

d to the to-tal number of successful key evolution steps for the relatedidentity X becomes therefore a measure for the authenticityof the device associated with that key chain identifier.

Definition 1 (Authenticity rating α). Let γ(IDXd )

denote the number of successful key evolution steps that a de-vice has performed with a peer device d with key chain iden-tifier IDX

d under the claimed identity X . The authenticityrating α(IDX

d ) is the ratio of successful key evolution stepsfor the key chain IDX

d to the overall number of successfulkey evolution steps for identity X :

α(IDXd ) =

γ(IDXd )∑

di∈DXγ(IDX

di). (1)

The key evolution is performed during predetermined keyevolution cycles. During each key evolution cycle, device d1

will try to perform key evolution for an identity X with eachdevice d ∈ DX claiming to represent that identity. If theseattempts succeed, the count of successful key evolution stepsfor identity X is incremented. Our key evolution approachis designed in a way that only devices d that are in thesame context as the target device d1 for the majority of thetime during a key evolution cycle will succeed in the keyevolution step. Thus, since correct peers are significantlymore often in the same context than wrong peers, the valueγ(IDX

d ) for any correct peers d will, over time, grow largerthan for any wrong peers that will inevitably ’miss’ such keyevolution steps during which the wrong peers are not in thesame context as d1, or are unable to observe d1’s context.

The context-based pairing approach can therefore be sum-marized as follows:

1. Establish pairing key with device d claiming to be X .Assign initial authenticity rating α(IDX

d ) = 0 to it.

2. Monitor the context and regularly evolve pairing keyswith other devices based on derived context informa-tion.

3. After the number of successful key evolution steps foridentity X reaches a specified threshold value αthr ,check if the acceptance criteria listed below hold. Ifeither criterion does not hold, the key evolution pro-cess is continued, and acceptance criteria re-evaluatedafter each successful key evolution step for identity X .

The first acceptance criterion requires that in order to beaccepted as genuine, a peer device d ’s pairing key underan identity X needs to have a sufficient authenticity ratingα(IDX

d ), and this rating has to be higher than any otherpeer’s rating for X by a specified margin αmarg in order tomake the determination of the correct peer unambiguous.

Criterion 1 (Authenticity dominance).Let αmin , αmarg ∈ [0, 1] denote a minimal authenticity thresh-old and an authenticity margin, respectively. If there is adevice d ∈ DX claiming to represent identity X , such thatα(IDX

d ) > αmin ∧ ∀di ∈ DX , di 6= d : α(IDXd ) · αmarg >

α(IDXdi

), accept d as authentic, if also criterion 2 for dholds. If |DX | = 1, i.e., there is only one device d claimingthe identity X , d is accepted as authentic, if α(IDX

d ) > αmin ,and criterion 2 holds for it.

Threshold αmin determines the minimal authenticity rat-ing required for a peer to be considered genuine. Marginfactor αmarg ∈ [0, 1] determines, how much the authenticityrating of a correct peer has to dominate over the authentic-ity ratings of all other peers in order for it to be consideredgenuine.

The second criterion requires that the key evolution witha device needs to be attempted at least ρmin times, beforethe authenticity rating can be regarded as representative. Inaddition, the number of key evolution cycles during whichthe key evolution is attempted needs to cover at least a frac-tion of ρcov of the total key evolution cycles after the initialpairing. Otherwise, an adversary A in the wearable sce-nario could just selectively attempt key evolution only whend1 is in its context and thereby slowly accumulate a highauthenticity rating even though it only occasionally sharesthe same context with d1.

Criterion 2 (Confidence). Let ρd denote the num-ber of key evolution cycles during which device d has at-tempted key evolution and ρ∗d the total amount of key evo-lution cycles since establishing the initial pairing for d. Letalso ρmin ∈ N+ denote a key evolution attempt threshold andρcov ∈ [0, 1] a key evolution coverage threshold. The pairingof a device d is accepted as genuine only if ρd > ρmin andρdρ∗d

> ρcov .

Once a device d ’s pairing is accepted as genuine, there aretwo options: other key chains may be removed and pairingstopped (e.g., when a smartwatch has found its host smart-phone), or, the accepting device may continue to evolve pair-ing keys for other devices (e.g., in the case of smart TV thatcan accommodate multiple remote controls).

4. ROBUST CONTEXT FINGERPRINTSWe apply our context fingerprinting method on two differ-

ent contextual modalities: ambient noise and light. As men-tioned before, the fingerprinting scheme is inspired by Schur-mann and Sigg [16], but it is different in several ways: Thescheme in [16] requires tight time synchronization, whereasour scheme does not. Their scheme is intended to extractenough entropy within a very short time to be used as acryptographic key, whereas our fingerprints have a longitu-dinal orientation. Finally, our scheme is equally applicableto both audio and luminosity and the fingerprints representmore sustained changes in the contextual characteristics ofthe ambient context over several hours. Thereby, the fin-gerprints will also capture phenomena originating from theuser’s actions (such as switching on the lights, chatter, si-lence, etc.). These events are inherently random and there-fore difficult to predict even for advanced attackers that maytry to utilize profiled information about the target contextin attempting to fabricate context fingerprints.

Using a longitudinal approach in fingerprint generationand key evolution has also the advantage that the schemeis more robust against attackers that are occasionally co-located with the paired devices. This is different to earlierapproaches, where the security of the pairing is dependenton the fact that the attacker is not sharing the context withthe paired devices at the time of pairing [20, 16]. Our longi-tudinal approach, on the other hand, can gracefully handlesituations in which the attacker is occasionally in the samecontext with the paired devices, as we will show in Sect. 5.

In our scheme, the devices are continuously monitoringtheir context by scanning context snapshots cw(t). Every fseconds, a snapshot of w seconds is recorded. Each snapshotconsists of a sequence of measurements mi in a particularcontextual modality like ambient luminosity or noise level,such that cw(t) = (mi,mi+1, . . . ,mi+n), where the times-tamp associated with an individual measurement mi is de-noted with t(mi), and, t(mi+n) − t(mi) = w. Since theused snapshot length w is fixed and usually clear from thecontext, we omit it in the following and denote a contextsnapshot just with c(t) for better readability.

We average the measurements within each context snap-shot c(t) and denote the snapshot’s average value as

c(t) =

∑mi∈c(t) mi

|{mi ∈ c(t)}|, (2)

where | · | denotes set cardinality.Based on a sequence of context snapshots C(t, t + nf) =

(c(t), c(t+f), c(t+2f), . . . , c(t+nf)), we calculate its contextfingerprint as a sequence of bits, in which each bit denotesthe change of the snapshot’s average value in comparisonwith the previous snapshot’s average. The fingerprint bitcorresponding to a context snapshot is set to “1” if the rel-ative change between the snapshot’s average value and theprevious snapshot’s average value is larger than a specifiedrelative threshold ∆rel and if the difference between the val-ues exceeds an absolute threshold value ∆abs. Otherwise,the bit is “0”.

Definition 2. Let C(t, t + nf) be a sequence of contextsnapshots, i.e., c(ti) ∈ C(t, t + nf), t < ti ≤ t + nf, n ∈N+. We define the fingerprint bit b(ti) corresponding toeach snapshot c(ti) as

b(ti) =

{1, | c(ti)

c(ti−f)− 1|>∆rel ∧ |c(ti)− c(ti−f)|>∆abs

0, otherwise.

(3)

Definition 3. We define the fingerprint φ(C(t, t+nf))of a sequence of context snapshots C(t, t+nf), n∈N+ as

φ(C(t, t+ nf)) = (b(t), b(t+ f), . . . , b(t+ nf)). (4)

The rationale for our notion of fingerprints is that two de-vices that share the same context for an extended period oftime will also experience changes in context parameters in asimilar way. For example, if the user switches on the lights ina room, the increase in luminosity in the room will be sensedby all devices located inside the room, whereas other devicesnot in the same room will not be able to sense it. There-fore, bits generated this way will be shared only with theco-located devices. The same applies to fingerprints basedon audio. The alternating patterns between chatter, silenceand possible other persistent ambient sounds will generate

fingerprint bits in a way that is similar between devices inthe same audio context (e.g., the same room). Devices out-side the audio context will, however, not be able to sensethese changes.

The same logic applies also to mobile personal devices likewearables, which are usually always carried together. Eventhough the context in which the devices are located maychange as the user moves, the changes will be sensed in asimilar way by both devices.

We will evaluate our fingerprint extraction scheme in bothstatic and mobile scenarios in Sect. 4.1.

4.1 Implementation and EvaluationTo analyze the feasibility of our approach, we performed

several experiments in different contexts investigating, howsimilar fingerprints extracted from ambient luminosity andnoise levels are in real contextual settings.

4.1.1 System Set-UpTo simulate the capability of IoT and wearable devices to

sense their ambient context and to use the context infor-mation for key evolution, we used Android OS smartphones(Samsung Galaxy Nexus, Nexus S and Galaxy S III devices)running dedicated context data collection software. The col-lection software on each device continuously measured theluminosity and noise levels in the device’s context and rou-tinely sent the collected data to a server for off-line dataanalysis. In these experiments we used a static placementof the test devices to simulate IoT device pairing scenarios,whereas for personal wearable pairing scenarios test personscarried the data collection devices with them.

In both settings, the orientation of the luminosity sensorsof the devices impacts the magnitude of observed luminosityreadings. However, since our method for deriving fingerprintbits from luminosity readings is not based on absolute lumi-nosity values, but on relative changes in the ambient illumi-nation, the exact placement and orientation of the devicesplays only a minor role.

4.1.2 IoT ScenarioIn this scenario, we investigated whether IoT devices lo-

cated in the same room can successfully establish similarenough fingerprints to be used for context-based key evo-lution. We tested the scenario in different set-ups and lo-cations over several months, varying the placement of thedevices with regard to each other and within the room. Ta-ble 1 shows one example of the placement of devices in twosettings at two different locations: office and home.

In the office setting, two devices simulating correct peerswere placed on the wall of an office room, three meters apartfrom each other. Other smartphones simulating wrong peerswere placed in nearby rooms, but without direct visibilityto the room with the correct peers. In the home setting,the correct peers were placed in the living room of the testparticipant’s house. A smartphone simulating a wrong peerin a neighboring apartment was placed in another room ofthe house, but on a different floor.

To eliminate effects that possible differences in the orien-tation of windows of the rooms could have on lighting con-ditions, we selected rooms that had relatively large windowsfacing the same direction, allowing outdoor light to illumi-nate all rooms used in the experiment in a similar way duringdaytime. In addition, to obtain a baseline measurement of

Table 1: Placement of test devices in an IoT scenario

Device PlacementOffice setting

Device d1 User’s officeDevice d2 User’s officeA1 Outdoor lightA2 Adjacent officeA3 Coffee room, one room apart

Home settingDevice d1 Living room, ground floorDevice d2 Living room, ground floorA1 Outdoor lightA2 Studio, 2nd floor

Table 2: Average fingerprint similarity between theco-located and adversary devices in the IoT scenario

Average fingerprint similarity with co-located devicesLuminosity Audio

Office setting, 8 a.m. to 6 p.m.d1 and d2 95.0 % 91.8 %A1 70.0 % -A2 88.7 % 71.7 %A3 68.3 % 62.6 %Home setting, 6 a.m. to 10 p.m.

d1 and d2 82.9 % 87.5 %A1 70.8 % -A2 70.6 % 77.0 %

the outdoor lighting conditions that affect the illuminationof the room with the correct peers, we dedicated in eachscenario one device for measuring the direct outdoor lightfalling into the room.Results. We collected luminosity and audio measurementsduring the course of several weeks. We extracted context-based fingerprints based on a time window of w = 120 sec-onds for each device and compared the average bit differ-ences of the fingerprints of correct and wrong peers. Inboth settings, hardly any bits were generated during night-time. We will show in Sect. 5 that fingerprints generatedfrom nighttime data contain only very little entropy andcan therefore not be used for fingerprint generation. There-fore, we concentrate our analysis in the office setting duringbusiness hours between 8 a.m. and 6 p.m. and in the homesetting during active hours of a household between 6 a.m.and 10 p.m. The results are shown in Tab. 2.

In the office setting, the co-located devices clearly showthe largest bit similarity in their respective fingerprints. Forthe luminosity data, the difference between the co-locateddevices d1 and d2 and the adversary device A2 in the ad-jacent office is relatively small, i.e., only 6.3%. This is sobecause the lighting conditions affecting the rooms are al-most identical and the effect of sunlight dominates the over-all lighting conditions during business hours1.

For audio, the differences are clearer. Adversary A2 in theadjacent office has only 71.7 % similarity compared to 91.8 %

1The measurements were done less than two months fromthe summer solstice in the northern hemisphere, i.e., thebrightest time in the year. The influence of sunlight is likelyto be be smaller during other times of the year.

for the co-located devices d1 and d2. This is so, even thoughthe doors of the rooms in question to a common hallwaywere mostly kept open, so that some parts of the acousticenvironment could be shared by the devices in these rooms.However, adversary device A3 located in the coffee roomwas farther away, so that it was acoustically more clearlydecoupled from the co-located devices. Therefore the simi-larity percentage of its fingerprints to the fingerprints of theco-located devices is significantly lower, i.e., 62.6 %.

In the home setting, the results were similar. Here, thesimilarity between co-located devices was on the average82.9 % for luminosity and 87.5 % for audio. There wasalso a clear difference to the adversary devices, which couldonly achieve bit similarity values of 70.8 % for luminosityand 77.0 % for audio fingerprints.

4.1.3 Wearable Device ScenarioIn this scenario, we simulated the contextual environment

that typical wearable devices are confronted with. We didthis by equipping test users with smartphones, each playingthe role of a wearable device. We considered two alternativesettings: a ’smart watch’ scenario, in which one device playsthe role of a smart watch, and the other device is used like aregular smartphone. The other, ’cycling’ scenario, simulatesthe use of wearable devices as fitness gadgets.

In the smart watch scenario, users were equipped withtwo smartphones which they carried with them continuously.One of the devices simulated a smart watch that is worn onthe user’s wrist. It was therefore placed in a translucentcarrying pouch so that its light sensor was constantly ex-posed to the ambient light. The other device was used likea regular smartphone.

In the ’cycling’ scenario, we used two smartphones to sim-ulate wearable fitness gadgets, currently one of the mostpopular classes of wearable devices. In our scenario, weconsidered a cyclist, who is using a heart rate monitor torecord his physical performance and a near-eye display de-vice to visually follow the key characteristics of his workout,including the heart rate. The smartphone playing the roleof a near-eye display device was attached on the side of thebicycle helmet of the cyclist, with the light sensor showingoutwards. The other device played the role of the smartheart rate sensor. It was placed in a translucent carryingpouch on the chest of the cyclist, facing forward, which isalso a typical placement for heart rate sensors. In the cy-cling scenario, ambient light and noise data were collectedduring the workouts of the cyclist.

Results. We collected traces from co-located devices car-ried by test persons in a number of mobile and static con-texts: walking, in public transport, as well as stays in thehome and office contexts. Since the mobility of the userintroduces a significant amount of changes into the devices’contexts, the bit similarity of fingerprints from the co-locateddevices was relatively high, 92.6 % on average (minimum87.3 %, maximum 96.7 %). This provides a good basis forsuccessful key evolution between the co-located devices. Inthe wearable device scenario, however, also the presence ofwrong peer devices in the context plays a role. We analyzethe effect of such devices on the key evolution scheme inmore detail in Section 5.1.

For the cycling scenario we collected 10 traces of con-text measurements captured along a back-and-forth journeyon a fixed route of approximately 10 miles. The exercises

were spread out over several weeks, encompassing varyingroad and weather conditions ranging from rainy, overcastto sunny days. Since the contextual environment changesin this scenario much faster than in the static scenario, wechose a shorter time window w = 5 sec and higher samplingrate f = 5 sec for luminosity-based fingerprint generation.Using this fingerprinting scheme, the fingerprints for the ex-ercises contained 665 to 784 bits. For audio data, a slightlylonger time window of w = 6 sec was used, giving us fin-gerprints of 501 to 550 bits. The bit similarity between thefingerprints of the co-located devices d1 and d2 was on theaverage 68.6 % for luminosity-based fingerprints (minimum62.8 %, maximum 74.5 %) and 65.9 % for audio-based fin-gerprints (minimum 63.6 %, maximum 67.1 %).

4.1.4 Context Replay AttacksIn addition to testing the bit similarities of co-located de-

vices we also examined the effect of context replay attacksby analyzing whether an attacker, who knows the route thata user is going to use could record the context parametersalong this route and use this recording to produce a contextfingerprint that could fool a target device into believing thatthe attacker has been sharing the same context. We there-fore used the set of fingerprints from the cycling scenariogenerated on different days on the same route and measuredtheir bit similarity. We did this in order to find out what anattacker in the optimal (worst) case could achieve. We iter-ated over all exercise fingerprints, using one fingerprint at atime as the target device d1’s fingerprint and the remainingfingerprints as fingerprints of the adversary A. Since the fin-gerprints were recorded at different times, it was not clearhow to optimally align them. We therefore calculated thebit difference for each target-attacker fingerprint pair for allpossible overlapping alignments of the fingerprints and usedthe minimal bit difference to choose the optimal alignment.We then averaged the bit similarity values over the adver-sarial fingerprints with optimal alignments.

The fingerprint similarity of simulated replay attacks withthe target devices was 59.5 % (minimum 55.9 %, maximum62.3 %) for luminosity-based fingerprints and 56.4 % (mini-mum 55.0 %, maximum 56.8 %) for audio-based fingerprints.The margin between the actually co-located device pair d1

and d2 to the replayed adversarial fingerprints was on theaverage 52.5 bits (minimum 4 bits, maximum 104 bits) forluminosity and 42.8 bits (minimum 27 bits, maximum 51bits) for audio in favor of the co-located pair.

The clear margins between the bit similarities of co-locatedand attacker fingerprints suggest that it’s in most cases pos-sible to define a parameter value t for the fuzzy commitmentscheme so that co-located peers will be able to successfullyperform key evolution steps, while blocking most attackersfrom doing so. The analysis here also involves two ratheroptimistic assumptions in favor of the attacker, namely thatthe attacker is able to record the trace in exactly the sameway as the targeted user and that the attacker is able toguess the optimal alignment of his fingerprint with the tar-get user’s fingerprint. In practice, it is unlikely that an at-tacker would be able to always guess the optimal alignment,or record context traces with the same rhythm and speedas the targeted users. Hence in practice the margins in fa-vor of the correct peers will be much larger than the onespresented above.

5. SECURITY ANALYSISIn our analysis we assume that the legitimate personal

devices of the user have not been compromised and executecontext sensing, key agreement, key evolution and authen-tication protocols as specified.

Let us consider an adversary A impersonating X , havinga key chain identity IDX

A . The only way for A to get itspairing with a target device d1 accepted as genuine is toachieve a high enough authenticity rating α(IDX

A). To dothis, it needs to successfully participate in the key evolutionprocess. A can do so in two cases:

1. A is in the same context as d1 and can generate contextfingerprints FCA sufficiently similar to the fingerprintFCd1

of d1, i.e., Ham(FCd1, FCA) ≤ t, or,

2. A is not in the same context as d1 but is able to fabri-cate context fingerprints F ′CA sufficiently similar withthe fingerprint of d1, i.e., Ham(FCd1

, F ′CA) ≤ t.

We will first analyze the effect of A being in the samecontext with d1 on his authenticity rating, and then analyzethe success probability of the attacker fabricating contextfingerprints.

5.1 Attacker in Same Context as TargetLet us denote with θ the probability that A is able to

extract a fingerprint FCA having Ham(FCd1, FCA) ≤ t and

with β the probability that a co-located device d2 extractsa fingerprint FCd2

having Ham(FCd1, FCd2

) ≤ t.If A is present in the same context as d1, A can extract

fingerprints FCA that have the same probability to have abit difference of t or lower than the co-located device d2.Therefore, θ = β. However, to simplify the analysis, letus assume a perfect attacker that always succeeds in keyevolution when it is in the context, i.e., θ = 1.

We denote with n the number of key evolution steps thata correct peer d2 will attempt during a specific time periodand withm the number of key evolution steps that the wrongpeer A will attempt during the same time. To maximallyincrease its authenticity rating, A will attempt to do keyevolution steps every time it is co-located with the targetdevice in the same context. When A is not in the samecontext, the probability to successfully evolve the key is lessthan β. Therefore A will not participate in key evolution.Since d2 is a benign peer, it will regularly attempt to evolveits pairing key with d1 each time it is co-located with it.

According to Def. 1 the authenticity rating α(IDXd2

) ofthe correct peer d2 will be higher, if it has performed moresuccessful key evolution steps than the attacker A, i.e., ifγ(IDX

d2) > γ(IDX

A). Since γ(IDXd2

) = β · n and γ(IDXA) =

θ ·m = m, and, if β ·n > m holds, then attacker A will neverbe able to obtain an authenticity rating that is higher thanthe rating of the correct peer. However, since we assumethat n >> m, and, in particular β · n > m, it is clear thatthe attacker will not succeed in getting his pairing acceptedas genuine in our scheme.

5.2 Attacker not in Same Context as TargetThe fuzzy commitment scheme used in the key evolu-

tion protocol provides the hiding property as mentioned inSect. 3. A will not be able to reveal the correct key deriva-tion key Kr and thus participate successfully in the key evo-lution protocol if it can’t find a context fingerprint F ′CA that

has a Hamming distance of at most t bits to the fingerprintFCd1

of the targeted device d1. We focus our analysis there-fore on examining whether an attacker is able to fabricatefingerprints F ′CA satisfying this criterion.

When the attacker A has no access to actual context mea-surements based on which FCd1

is extracted, A has the fol-

lowing options for fabricating the fingerprint F ′Cd1: a ran-

dom guess, a profiling-based guess, or, the use of partialinformation.

Random Guess.In a random guess, the probability to guess one bit cor-

rectly is 0.5. Consequently, for a fingerprint of length k, thelikelihood for a successful guess is therefore 2−k. The suc-cess probability is negligibly small for typical fingerprints oftens or hundreds of bits. For example, using a fingerprint-ing window of w = 120 sec and fingerprinting periods of twohours, one already gets fingerprints of 60 bits, which wouldbe excessively difficult to guess with random guesses.

Profiling-Based Guesses.An obvious improvement to this attack would be to use

profiled information about the distribution of bits to improveA’s chances to fabricate valid fingerprints F ′CA . Dependingon the used fingerprinting parameters, the type of contextin question as well as the time of the day, the distribution offingerprint bits in the fingerprint changes. For example, dur-ing nighttime, when it typically is silent and dark, and thusno significant changes in the context parameters take place,an overwhelming majority of bits in d1’s fingerprint FCd1

will be “0” bits, with only a few “1” bits (if any) in-between.Fig. 4 shows for the office context and the audio modalityexamined in our evaluation experiments the distribution of“1” vs. “0” bits changing according to the time of day. If Acan obtain such profile information about a context whered1 is going to be, A can utilize the profiled information infabricating fingerprints F ′CA that are more likely to have alower Hamming distance Ham(FCd1

, FCA) to the fingerprintFCd1

of device d1 extracted in that context.The strength of a fingerprint against profiling-based guess-

ing attacks can be analyzed by looking at the surprisal as-sociated with individual bits b ∈ FCd1

using a frequentistinterpretation of probability. We do this by calculating theoccurrence probability of a particular bit b in the fingerprintduring a specific time of the day. Thus, the probability of aparticular bit (i.e., “1” or “0”) is equal to the fraction of thatbit’s occurrences in the context fingerprints during that timeof the day. Given the occurrence probability of a particularbit, we define the surprisal associated with individual bitsas follows.

Definition 4 (Surprisal σ of a fingerprint bit).Let B be a random variable modelling the occurrence of a bitas a fingerprint bit in fingerprint F . The surprisal σ asso-ciated with the occurrence of a fingerprint bit b ∈ {0, 1} isthe self-information of this bit σ(b) = I(b) = log( 1

P (B=b)) =

−log(P (B = b)), and is measured in bits.

Definition 5 (Surprisal of a fingerprint).The surprisal σ(F ) of a fingerprint F is the sum of the sur-prisal values of its individual bits, i.e.,

σ(F ) =∑b∈F

σ(b).

For example, we can see based on Fig. 4 that contextmeasurements made during the night are not suitable forgenerating hard-to-guess context fingerprints. This is be-cause, e.g., during the time window of 2 a.m. to 4 a.m. onthe average only 1 % of the extracted fingerprint bits are “1”bits. Each of these bits has a surprisal value of 6.3 bits perfingerprint bit, but the remaining “0” bits only have a sur-prisal of 0.02 bits per fingerprint bit. This means that, e.g.,a 60-bit fingerprint extracted during this time frame wouldhave only 5.8 bits of total surprisal on the average. In otherwords, the attacker would have a 2−5.8 ≈ 1.8% chance ofguessing the exactly correct context fingerprint by utilizingprofiling information.

However, since we are using a fuzzy commitment scheme,the attacker A does not even have to guess the exact finger-print. Any fingerprint F ′CA that is within Hamming distancet of the fingerprint FCd1

of target device d1, will enable theattacker A to open the commitment and retrieve the correctkey derivation key Kr.

From the evaluation results (cf. Tab. 2) we can see thatin the office environment, and for the audio modality, thecontext fingerprints of co-located devices will deviate on theaverage in ca. 10 % of the bits. In order to let correctpeers perform key evolution successfully, we need to tunethe parameter t of the fuzzy commitment scheme so thatit allows fingerprints deviating in 10 % of the bits to stillopen the fuzzy commitments. Coming back to our exam-ple of Fig. 4, this would mean that for fingerprints of 60bits we would need to set t = 6 bits. A could use this tohis advantage and fabricate during nighttime context fin-gerprints F ′CA = {0}60 containing nothing but “0” bits. Thefuzzy commitment scheme would correct the errors this fin-gerprint has with regard to d1’s fingerprint FCd1

, since iton the average contains less than t = 6 “1” bits during thenight. The attacker A could thus successfully evolve the keynearly every time just by targeting fingerprints generatedfrom nighttime context data.

To thwart such attacks against fingerprints with very lowsurprisal values, we need to add an additional requirement:only fingerprints FCd having sufficient total surprisal maybe taken into account when evaluating authenticity ratings.

Requirement 1 (Surprisal threshold σthr). Whend1 calculates the number of successful key evolution stepswith another device d, only such evolution steps may betaken into account that have been based on fingerprints FCd1

having a surprisal value σ(FCd1) > t+ σmarg .

Here σmarg denotes a surprisal margin required in additionto the bits that the fuzzy commitment scheme will correct.In effect, σmarg defines, how hard it is for an attacker toguess a fingerprint F ′CA that is required for successful keyevolution.

Use of Partial Information.In addition to profiling-based guesses, the attacker A may

be in the position to utilize partial information about thecontext fingerprint FCd1

of the target device d1. Such partialinformation may be available to the attacker based on thefact that the contextual separation between the attacker’scontext and the target context, where d1 is located, is notcomplete. In the case of the luminosity, this may be causedby the fact that outdoor light is influencing the lighting con-

0

10

20

30

40

50

60

70

0%

5%

10%

15%

20%

25%

30%

35%

40%

12 pm-2 am

2 am-4 am

4 am-6 am

6 am-8 am

8 am-10 am

10 am-12 am

12 am-2 pm

2 pm-4 pm

4 pm-6 pm

6 pm-8 pm

8 pm-10 pm

10 pm-12 pm

Surp

risa

l (b

its)

Frac

tio

n o

f 1

-bit

s in

fin

gerp

rin

t

Fraction of 1-bits infingerprint

Average surprisal offingerprint

Figure 4: Distribution of bits and surprisal of fin-gerprints in office context depending on time of day(audio)

ditions in both the target device d1’s context, as well as thecontext of the attacker A. In the case of audio, partial in-formation may be because of acoustic events that are heardin both contexts.

The existence of such partial information has the effectthat the fingerprints FCd1

and FCA share common bits at-tributable to this partial information. The effect of the par-tial information is significant. If one looks at the bit simi-larities of adversarial devices to the co-located ones, we cansee that the attacker devices share ca. 65 - 85 % of commonbits, depending on the placement of the attacker devices.

The partial information plays therefore in the attacker’sfavor. If A can assume that his fingerprint FCA containspartial information about the target device d1’s fingerprintFCd1

, A can use its own fingerprint FCA as a basis for fabri-

cating a fake fingerprint F ′CA . If we denote the bit differenceof A’s fingerprint FCA and the target fingerprint FCd1

with

t′, then A needs to guess only ∆t = t′ − t bit modificationsto FCA correctly to fabricate a fake fingerprint F ′CA hav-ing Ham(FCd1

, F ′CA) ≤ t, and thus allowing A to participatesuccessfully in the key evolution.

Since the A does not know which of the bits in FCA dif-fer from d1’s fingerprint FCd1

, A needs to guess a set of atleast ∆t bit positions to correct in FCA in order to obtaina fingerprint F ′CA having Ham(FCd1

, F ′CA) ≤ t. This means

he needs to select ∆t bits from the total set of t′ bits dif-fering with FCd1

and flip them. A can select these with aprobability of

P (∆t successful corrections) =

(t′

∆t

)(|FC |∆t

) , (5)

where |FC | denotes the bit length of the used fingerprints.Consider as an example 360-bit fingerprints corresponding

to, e.g., 6 hours of 1-minute observations. Assume that Ahas a fingerprint FCA that has a bit difference of 15 %,i.e., t′ = 54 bits. Assume also that the fuzzy commitmentscheme corrects up to 10 % of bit differences, i.e., t = 36bits. How difficult is it for A to guess a fingerprint F ′Cd1

with Ham(FCd1, F ′CA) ≤ t = 36? To do this, the attacker

would need to correct ∆t = 18 bits. We can calculate the

success probability for A as(5418)(36018 )

≈ 9.27 × 10−17. This is

equivalent to ca. 53 bits of entropy and demonstrates thatguessing correct fingerprints will be excessively difficult for

the attacker, if the used fingerprints are long enough. Notethat the length of the used fingerprints can be freely chosendepending on the security requirements of a specific use case.The only limiting factor is the time required to acquire thecontext measurements for generating the fingerprints.

Some of the changes in d1’s ambient context, especially inthe ambient luminosity, can originate from environmentalchanges that can also be observable by the attacker A in aclose-by room (e.g., if direct sunlight is suddenly obscuredby a cloud). A could utilize this information to give moreconfidence to bits b in its fingerprint FCA that A knows tooriginate from such environmental events. Thus, he couldlimit the search space of bit positions to be flipped to fab-ricate F ′CA , thus decreasing the effective length |FC | of thefingerprint in Eq. 5 and thereby improving his chances forsuccess. However, in our attacker model, A is an off-the-shelfIoT device, and does in general not have the technology tointerpret the causes behind changes in sensor readings in anautomated way. Therefore it wouldn’t be straightforwardfor A to distinguish which changes in the sensor readingsare caused by such changes in the environment that are ob-servable also in d1’s context and which are not. On the otherhand, should such technology become available in the future,it could not only be used by A to improve its guesses, butalso by d1 to defend against guessing. While generating itsfingerprint, d1 could keep track of the number of fingerprintbits b ∈ FCd1

that were influenced by changes in the envi-ronment outside of its proximate context. The target deviced1 could then disregard such key evolution steps, for whichthe number of influenced fingerprint bits is too high.

6. RELATED WORKThere are various approaches proposed to establish a se-

cure pairing between devices. These approaches can bebroadly divided into two main categories: utilizing key pre-distribution mainly addressing nodes in digital sensor net-works (DSN), and utilizing context information for key es-tablishment or co-presence verification.

Key predistribution-based approaches. A scheme forkey distribution in DSNs based on predistributing keys tonodes was presented by Eschenauer and Gligor [6]. Theirscheme ensured that when deployed, each sensor node sharesa key with a neighboring node. Chan et al. [2] extend thisbasic scheme and design three enhanced key pre-distributionschemes: the q-composite scheme, multipath reinforcementscheme, and, random pairwise key predistribution scheme.Liu et al. [10] propose key predistribution schemes based onpreassignment of polynomial shares to sensor network nodes:a random subset assignment scheme and a hypercube-basedkey predistribution scheme.

Traynor et al. [18] extend the key predistribution schemesby removing the assumption of homogeneous sensor nodesand key predistribution by introducing unbalanced proba-bilistic key distribution. They also extend their approachto hybrid settings in which key distribution centers (KDC)may be available.

However, all of the above schemes are mainly targeted atDSNs deployed in a geographically limited area. Hence theyare as such not applicable nor scalable in practice to oursetting, which involves arbitrary subsets of devices comingfrom a pool of potentially millions of IoT and wearable de-vices deployed anywhere on the planet. Also, in contrast to

DSNs that typically are deployed by a single or a few organi-zations sharing trust associations, IoT and wearable devicesare expected to come from hundreds if not thousands of dif-ferent manufacturers. It is highly unlikely that all potentialIoT and wearable device vendors would share mutual secu-rity associations necessary for pre-keying of devices. Thesefactors make any solutions based on predistributing keys be-tween devices infeasible to deploy in practice.

Therefore, our approach presented in this paper does notutilize key predistribution to devices, but builds on utilizingambient context information for evolving a pairing key be-tween devices consistently sharing the same context.

Context information-based approaches. Varshavsky etal. [20] proposed to use the fluctuations in the received signalstrength of WiFi broadcast packets for verifying the immedi-ate proximity of the to-be-paired parties. This approach is,however not suitable for IoT scenarios: it is unlikely to workin situations in which peers are located farther away fromeach other than one meter, due to the local nature of thefluctuations in WiFi signals. The authors also acknowledgethat it does not protect against man-in-the middle attacksthat are mounted by an attacker immediately behind a wallto the user’s location, since WiFi signals are unaffected bysome wall materials.

Narayanan et al. [11] propose a similar approach, in whichWiFi broadcast packets are monitored to determine locationtags that peers can compare to determine whether they areco-located or not. Their solution addresses, however, theproblem of privacy-preserving determination of co-locationand does not address the problem of pairing previously un-known peers with each other, whereas we explicitly addressthe problem of pairing personal devices.

Schurmann and Sigg [16] propose to use audio for generat-ing a shared secret between co-located peers to be used as apairing key. They record audio samples and calculate audiofingerprints based on them. Using Reed-Solomon encodingfor fuzzy extraction of a common key they show that invarious audio environments, cryptographic keys can be de-rived from the surrounding audio context. Their approachattempts to extract a large amount of entropy from a shortaudio snapshot and requires therefore very exact temporalalignment of the sound samples, which is difficult to achievewith off-the shelf devices. Our approach is different, sinceour method does not require exact temporal alignment, andit operates on longitudinal data, extracting entropy from theuser’s context over a longer period of time. Contrary to theapproaches in [20, 11, 16], our approach can also handle sit-uations in which an adversary is present in the correct peers’context without breaking the authenticity of the pairing.

The problem of zero-interaction authentication utilizingcontextual proofs of presence has been discussed by Truonget al. [19]. While their work also addresses a zero-interactionscenario, their problem is different: they consider the prob-lem of co-location verification using context information ina setting, in which both endpoints are trusted and alreadyhave an established security association, whereas our ap-proach addresses the problem of pairing devices that do nothave any prior security associations with each other.

7. CONCLUSIONWe have presented a novel key evolution approach for pair-

ing personal IoT and wearable devices. The approach builds

on a robust scheme for extracting shared entropy from theambient context of such devices. We have also evaluated theapproach based on experiments with luminosity and ambientnoise in a number of different environments. These resultsshould be understood as indicative, primarily establishingthe overall feasibility of our proposed approach. Currentlywe are working on more large-scale testing in different sce-narios and different contexts, which we think is of impor-tance for further research in this area.

AcknowledgmentsThis work was supported in part by the Intel Institute forCollaborative Research in Secure Computing (ICRI-SC) andthe Academy of Finland (“Contextual Security” project).

We thank Jan-Erik Ekberg for originally suggesting theidea of strengthening a shared key between two devices overtime [5]. We would also like to thank our shepherd FlorianKerschbaum and the anonymous reviewers for their insight-ful feedback.

8. REFERENCES[1] D. Balfanz, D. K. Smetters, P. Stewart, and H. C.

Wong. Talking to strangers: Authentication in ad-hocwireless networks. In Proc. Network and DistributedSystem Security Symposium (NDSS), San Diego, CA,USA, Feb. 2002.

[2] H. Chan, A. Perrig, and D. Song. Random keypredistribution schemes for sensor networks. In Proc.2003 IEEE Symposium on Security and Privacy, pages197–213, May 2003.

[3] Y. Dodis, J. Katz, L. Reyzin, and A. Smith. Robustfuzzy extractors and authenticated key agreementfrom close secrets. In C. Dwork, editor, Advances inCryptology - CRYPTO 2006, volume 4117 of LectureNotes in Computer Science, pages 232–250. SpringerBerlin Heidelberg, 2006.

[4] D. Dolev and A. C. Yao. On the security of public keyprotocols. IEEE Transactions on Information Theory,29(2):198–208, Mar 1983.

[5] J.-E. Ekberg. Key establishment in constraineddevices. graduate seminar paper in T-110.7290 -Research Seminar on Network Security, Oct. 2006.http://www.tcs.hut.fi/Studies/T-79.7001/

2006AUT/seminar-papers/Ekberg-paper-final.pdf.

[6] L. Eschenauer and V. D. Gligor. A key-managementscheme for distributed sensor networks. In Proc. 9thACM Conference on Computer and CommunicationsSecurity, CCS ’02, pages 41–47, New York, NY, USA,2002. ACM.

[7] Gartner. Gartner says by 2017, mobile users willprovide personalized data streams to more than 100apps and services every day, Jan. 2014.http://www.gartner.com/newsroom/id/2654115

[Referenced 2014-04-28].

[8] Gartner. Gartner says the internet of things installedbase will grow to 26 billion units by 2020, 2014.http://www.gartner.com/newsroom/id/2636073

[Referenced on 2014-04-28].

[9] A. Juels and M. Sudan. A fuzzy vault scheme. Designs,Codes and Cryptography, 38(2):237–257, 2006.

[10] D. Liu, P. Ning, and R. Li. Establishing pairwise keys

in distributed sensor networks. ACM Trans. Inf. Syst.Secur., 8(1):41–77, Feb. 2005.

[11] A. Narayanan, N. Thiagarajan, M. Lakhani,M. Hamburg, and D. Boneh. Location privacy viaprivate proximity testing. In Proc. Network andDistributed System Security Symposium (NDSS), SanDiego, CA, USA, Feb. 2011.

[12] Nest Labs. Nest thermostat and nest smoke and COalarm, 2014. http://nest.com/ [Referenced on2014-04-28].

[13] Oral-B. ORAL-B R© debuts world’s first availableinteractive electric toothbrush at mobile wold congress2014, 2014. http://connectedtoothbrush.com/[Referenced 2014-04-28].

[14] Quirky. Spotter multipurpose sensor, 2014.https://www.quirky.com/shop/

609-spotter-multi-purpose-sensor [Referenced2014-04-28].

[15] I. Reed and G. Solomon. Polynomial codes over certainfinite fields. Journal of the Society for Industrial andApplied Mathematics, 8(2):300–304, 1960.

[16] D. Schurmann and S. Sigg. Secure communicationbased on ambient audio. IEEE Transactions on MobileComputing, 12(2):358–370, Feb 2013.

[17] J. Suomalainen, J. Valkonen, and N. Asokan. Securityassociations in personal networks: A comparativeanalysis. In F. Stajano, C. Meadows, S. Capkun, andT. Moore, editors, Security and Privacy in Ad-hoc andSensor Networks, volume 4572 of Lecture Notes inComputer Science, pages 43–57. Springer BerlinHeidelberg, 2007.

[18] P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, andT. La Porta. Efficient hybrid security mechanisms forheterogeneous sensor networks. IEEE Transactions onMobile Computing, 6(6):663–677, June 2007.

[19] H. T. T. Truong, X. Gao, B. Shrestha, N. Saxena,N. Asokan, and P. Nurmi. Comparing and fusingdifferent sensor modalities for relay attack resistancein zero-interaction authentication. In IEEE Int. Conf.on Pervasive Computing and Communications(PerCom), Budapest, Hungary, Mar. 2014.

[20] A. Varshavsky, A. Scannell, A. LaMarca, and E. Lara.Amigo: Proximity-based authentication of mobiledevices. In J. Krumm, G. Abowd, A. Seneviratne, andT. Strang, editors, UbiComp 2007: UbiquitousComputing, volume 4717 of Lecture Notes inComputer Science, pages 253–270. Springer BerlinHeidelberg, 2007.

[21] Vigilant. Vigilant unveils smart IoT innovation fordiabetic patients, Feb. 2014. http://vigilant.ch/en/News/Company_News/2014/0221/53.html [Referenced2014-08-23].

[22] T. D. Wu. The secure remote password protocol. InProc. Network and Distributed Systems SecuritySymposium (NDSS), pages 97–111, San Diego, CA,USA, Mar. 1998.