Abstract
Wrist-worn smart devices are being used to share various sensitive personal information in various fields such as social, medical treatment, sports, etc. Secure pairing establishing a trusted channel between involved devices is a prerequisite to ensure data transmission security. Handshake has been employed to realize secure pairing between devices worn by different users without pre-shared knowledge, the participation of third parties or complicated user interactions. However, existing schemes cannot meet the practical requirement in terms of time delay and security. In this paper, we present a secure and usable pairing scheme utilizing the handshake acceleration data. Specifically, we propose an optimal feature selection algorithm based on Euclidean distance sorting which improves the success rate and security of the system. In addition, we use Pearson correlation coefficient based feature sequence similarity measurement approach to enhance the accuracy of pairing scheme. Theoretical and experimental security analysis indicates that our solution can resist active and passive attacks. What’s more, the experimental results demonstrate that the proposed solution has a high key generation rate of 87 bits per second, and completes security pairing in less than 4 s.
1 Introduction
Nowadays, wrist-worn smart devices are ubiquitous in our lives, and the embedding of sensors (e.g., accelerometer, gyroscope and heartbeat detector) enables them to find wide applications in health monitoring, activity recognition, and personal assistance. In social occasions, an increasing number of people use their wrist-worn smart devices to share various personal information, such as business cards, music, and personal pictures. A typical application scenario of employing wrist-worn devices for information sharing is shown in Fig. 1, in which users wearing the devices can share data through wireless channels [1], such as Bluetooth and Wi-Fi.
Unfortunately, the wireless channel for information sharing is inherently open due to its public nature, which could cause various types of attacks such as eavesdropping, tampering and man-in-the-middle (MITM) attack [2,3,4]. Therefore, to share personal information securely, secure pairing [5] between two devices that have never known each other before is an urgent requirement, which can establish a secure communication channel to transmit sensitive information [6, 7]. However, fulfilling secure pairing in this setting, which is the concern of this paper, faces the following challenges. First, two pairing devices on different users do not have any prior security context or a common point of trust, making the authentication between them difficult to achieve [8]. Second, as for the users, almost zero effort should be required to complete the secure pairing [1], since complicated operations may make users without security consciousness skip the secure pairing procedure. Third, the energy consumption and time delay should be minimized to fit the resource-constrained wrist-worn smart devices.
A number of secure pairing solutions have been proposed [9,10,11,12,13,14], but few of the existing solutions cater to the scenario shown in Fig. 1. Although several works tried to address this issue [15,16,17,18], none of them satisfies both the security and the usability required by practical applications, so they remain far from an ideal secure pairing scheme for wrist-worn devices on different users.
Handshake, a common form of physical contact between human beings, is one of the most promising solutions to achieve secure pairing in this scenario. Handshake-based schemes usually take handshake acceleration as the common input for secure pairing. However, existing methods cannot meet both security and usability requirements at the same time. Specifically, the schemes in [19, 20] both have good usability, while their auxiliary data used for key negotiation may reveal secret key information. The scheme in [21] guarantees security, while its key generation rate is low. In addition, it has poor usability because a longer user handshake time is required.
Therefore, in this paper, we propose a novel handshake-based secure pairing scheme which achieves both the security and usability. Specifically, we obtain optimized features from the accelerometer data through feature extraction and feature selection. Then we extract the similar witness and negotiate a symmetric key through fuzzy commitment, to realize secure pairing between the devices. In summary, the main contributions of this paper are outlined as follows.
- We propose a secure pairing scheme based on handshake acceleration, which enables secure pairing between wrist-worn smart wearable devices worn on different individuals.
- We propose the optimal feature selection algorithm based on Euclidean distance sorting, which makes the witness generated by the two devices more similar. In addition, in order to ensure the accuracy of our system, we use the Pearson correlation coefficient to measure the similarity of the feature sequences in the key verification stage.
- We comprehensively evaluate the security of our pairing system based on the proposed threat model. Theoretical and experimental analysis show that our scheme can resist active and passive attacks.
- We demonstrate the usability of our pairing scheme by simulation experiments. The results show that the proposed pairing scheme is robust and user-friendly, which only takes about 4 s to complete the secure pairing process.
The remainder of this paper is organized as follows: Section 2 reviews the related work, and Section 3 introduces the required preliminaries. The system model and threat model are introduced in Section 4. Section 5 provides the details of our proposed scheme. In Section 6, the optimal feature selection algorithm is detailed. We evaluate the performance of the system in Section 7 and give the security analysis in Section 8. Section 9 concludes the paper.
2 Related work
Most wearable devices today transmit data via short-range wireless communication technologies such as Bluetooth, Wi-Fi, etc., through which the data is easily leaked and tampered with [22]. Security is the matter of concern for information transmissions between them [23]. A simple method for pairing two devices is to let the users enter the same password on both devices. However, it is shown that the passwords chosen by users are generally easy to guess. Another method is to generate a random number and display it on the output interface of one device, then it is typed by the user on another device to be paired with [24]. This method is vulnerable to shoulder attacks and lacks user-friendliness [25].
To avoid the above problems, secure pairing schemes based on data matching have been explored. The common context data are collected by sensors embedded in wrist-worn smart devices [26]. Since shaking is a common behavior which can generate the same context between two devices, device pairing schemes based on shaking [12, 13] have been proposed. Specifically, the acceleration signals produced by the shaking patterns are pseudo-random, unique, and difficult to reproduce, and they are used to pair the devices. Smart-Its Friends [13] is the first system that uses rapid shaking to pair devices, where users simply hold two devices together and shake them. The movement patterns of the two devices are recorded and compared by the system to determine whether the two devices can be paired. Similarly, Rainhard et al. proposed a scheme which can unlock a smartphone by shaking a wristwatch and the smartphone together [27]. In their scheme, inertial acceleration data is recorded by the smartphone and the wristwatch simultaneously, then the data of the wristwatch is sent to the smartphone transparently. Subsequently, the data collected by the two devices is compared on the smartphone. If the deviation is less than a threshold, the smartphone will be unlocked. However, these schemes are vulnerable to MITM, as their context is transmitted in plaintext.
ShaVe [12] extends Smart-Its Friends by combining the session key generated by the Diffie-Hellman exchange protocol with the accelerometer data collected by shaking to form an acceleration time series, which is then compared by both sides to fulfill secure pairing. However, the scheme entails much computational cost due to the involved encryption operations. Moreover, the attacker can tamper with the exchanged messages to obtain the acceleration time sequences of the legitimate devices, and then use this time sequence to pair with other devices by impersonating the legitimate device. Hence, secure pairing based on common context comparisons is not immune to tampering attacks.
To address this issue, shaking motion based secure pairing schemes [10, 12] have been proposed, which can ensure secure transmission by using the negotiated keys. ShaCK [10, 12] extracted feature from the three-dimensional acceleration signals generated by shaking devices, which then is used to generate symmetric keys. However, their schemes have security issues and are not suitable for the scenario shown in Fig. 1. Groza et al. proposed to generate a symmetric key by comparing the shaking acceleration time series with the random threshold values [10]. Meanwhile, they suggested exchanging a predefined order to improve the success rate and security of the key negotiation. However, attackers can analyze the general trend of the acceleration curve based on this order. In addition, their scheme used a hashed heuristic tree, which is energy and time consuming.
Recently, inspired by shaking based secure pairing, in [19,20,21, 28], the device motion pattern generated by the handshake is used to establish a secure channel between two devices, which is attractive for secure pairing between wrist-worn devices worn by different users. Regrettably, existing schemes still cannot satisfy both the security and the usability required by practical use. SDP via Handshake [19] proposed to detect the handshake action in real time by extracting acceleration and gyroscope data from multiple sensors. However, handshake detection needs high computational cost. Besides, both check bits of the Hamming code and parity digit are used as auxiliary data to reconcile a session key, which may cause the leakage of the key information, reducing the security of the scheme. In [20], principal component analysis (PCA) is introduced to reduce the dimension of raw acceleration data. However, its key generation rate is low, since the processing of ambiguous bits in this procedure increases the pairing time. In [21], the perturbation vector based fuzzy cryptography (PVFC) is proposed to reduce the computing overhead. However, the method in [21] has low usability due to the long time delay incurred by the feature collection procedure. In the preliminary version of this paper [28], we presented a user-friendly pairing scheme for wrist-worn smart devices employing the fuzzy commitment technique. In this paper, to enhance pairing accuracy, we employ the Pearson correlation coefficient to measure the similarity of the feature sequence. Moreover, we provide a more comprehensive security analysis of the proposed scheme.
3 Preliminaries
In this section, we introduce the preliminaries employed in our proposed scheme.
3.1 Euclidean distance and hamming distance
We first introduce two different types of distance used in this paper, Euclidean Distance and Hamming Distance.
Euclidean Distance refers to the straight line distance between two points in Euclidean space. In this paper, we represent the Euclidean Distance between two points x and y as Δ(x, y), which can be calculated by Formula (1), where ∣ · ∣ represents the absolute value.
Hamming distance is a concept that represents the number of different bits corresponding to two (same length) bit strings. In this paper, we use dis(str1, str2) to represent the Hamming distance between two bit strings str1, str2.
3.2 Fuzzy commitment
Fuzzy commitment [29, 30], the combination of error correcting codes and cryptography, is a useful primitive for biometric authentication. In this paper, we utilize the Bose-Chaudhuri-Hocquenghem (BCH) code [31].
We denote the function of fuzzy commitment as fc(·), as shown in Formula (2), where k is a randomly selected key, and h(·) represents the anti-collision hash function.
X can be obtained by Formula (3)
where ⊕ represents exclusive OR (XOR) operation, and c is the encoded k.
To decommit, c′ is first obtained from w′ and X (as shown in Formula (4)), then k′ can be recovered from c′ by BCH decoding. Finally, the values of h(k) and h(k′) are compared to confirm whether k is successfully restored.
If dis(w, w′) is smaller than the tolerance of the BCH code, then k can be recovered by w′.
3.3 Pearson correlation coefficient
The Pearson correlation coefficient between two variables is defined as the quotient of the covariance cov and standard deviation σ between the two variables. It can be used to measure the linear relationship between two variables. If the two variables are positively correlated, the Pearson correlation coefficient is between 0.00 and 1.00. If the two variables are negatively correlated, the Pearson correlation coefficient is between −1.00 and 0.00. The definition of the Pearson correlation coefficient is shown in Formula (5), where μ represents the mean, and E is the expectation.
4 System and threat model
In this section, we first introduce the system model, then we define the threat model in our scheme.
4.1 System model
In this section, we consider the handshake-based secure pairing system model shown in Fig. 2, which contains two wrist-worn devices worn on the wrists of two different subjects (user A and user B). Each device is equipped with an inertial accelerometer. Data can be transmitted between the devices through open and transparent wireless channels (such as Bluetooth, Wi-Fi, etc.). When the users instruct the devices to start pairing by performing a handshake, the devices worn by the two subjects will be paired securely.
4.2 Threat model
In this paper, we mainly consider the threats of passive eavesdropping and active attacks. A passive attacker has good knowledge of the pairing mechanism and can eavesdrop on all messages transmitted in wireless channels. The attacker can then analyze the eavesdropped messages to obtain useful information transmitted between the devices.
Active attackers can be divided into two categories. The first type is MITM attacker, who has all the capabilities of the passive attacker. In addition, MITM attacker can intercept and tamper with messages transmitted in public channels, then illegal data is constructed to pair with legitimate devices. The second type is the mimic attacker, who constructs the illegal pairing data by imitating the handshake mode of the legal user, then tries to pair with the legal device.
As in most existing research, we assume that the attackers do not have the ability to hijack the devices or implant malicious devices into users. Besides, they cannot analyze the handshake process through video recording, and their computing power is limited.
5 Secure device pairing via handshakes
In this section, we first give the overall system processes of the protocol, and then introduce the details of our handshake based secure pairing scheme. The devices on two sides are denoted as A and B.
The scheme consists of five stages: data preprocessing, initialization and pre-commitment exchange, reconciliation, witness generation and key binding, and key verification. In the data preprocessing phase, the acceleration data collected by the device is processed to reduce its dimension. In the initialization and pre-commitment exchange phase, the parameters of the pairing system are initialized, and the optimal feature selection algorithm is employed to select the reliable features. In the reconciliation phase, the features used to generate witness are selected by both parties at the same time. In the stage of witness generation and key binding, the witness is generated by the extraction algorithm, then is bound with k to obtain auxiliary data. In the key verification phase, the device recovers the original key through the auxiliary data, then determines whether the pairing is successful by comparing the hash value of the key. All symbols used in this paper are summarized in Table 1.
5.1 Data collection and preprocessing
In order to detect the start of the handshake accurately, users are required to press a button on the wrist-worn devices to indicate that they are about to start handshaking and device pairing. Besides, 1–2 s of quiescence is needed before the handshake. It is worth noting that these additional interactions can greatly simplify the detection of the start of the handshake and avoid other unnecessary monitoring processes. Moreover, the required interactions are very simple and in line with the user’s usage habits. After the data is collected, dimensionality reduction and synchronization are performed to improve the probability of successful pairing.
In our scheme, the three-dimension accelerometer data generated by the handshake is used. Since the positions of the two devices worn on users’ wrists vary from person to person, the collected three-dimension acceleration time series lack spatial alignment and cannot be compared directly. To this end, the root mean square of the X-axis, Y-axis, and Z-axis of accelerometer data (see Fig. 3(a)) is calculated to reduce the three-dimension data to one dimension, as shown in Fig. 3(b). We refer to the data obtained after processing as acceleration magnitude.
Furthermore, the accelerometer data, which is collected by devices independently, needs to be synchronized. As shown in Fig. 3(a), the handshake acceleration exhibits periodicity. Figure 3(b) shows the acceleration magnitude, from which we can obviously find that the magnitude of acceleration fluctuates significantly. As it is verified that the time when the two sides generated data with almost zero acceleration magnitude is very close in [21], we take the intersection of the axis x = 0 and the acceleration magnitude curve of the first complete period (i.e., the acceleration magnitude in red arrow in the Fig. 3(b)) as the starting point. In this paper, the acceleration magnitude time series after synchronization is used as the feature sequence f.
5.2 Initialization and pre-commitment exchange
After data preprocessing, the initialization and pre-commitment exchange stage is shown in Fig. 4. The device first selects two random numbers R, k, where R is a random threshold generation factor and k is a random key. The device takes R and feature sequence f as parameters to generate a preselect feature index I through the optimal feature selection algorithm (as described in Section 6). <Ek(f, I), R, ID> is then sent to the other side as a pre-commitment, where Eκ(·) means to encrypt the data with k, and ID represents the identity information of the device.
5.3 Reconciliation
The reconciliation stage is shown in Fig. 5. Device A uses RA and RB respectively to calculate its own optimal feature indexes \( {I}_{R_A}^A \) and \( {I}_{R_B}^A \), and sends them to device B. After receiving \( {I}_{R_A}^B \), \( {I}_{R_B}^B \) sent by device B, device A compares the preselected indexes IR generated by both devices to obtain IR∗, that is, \( {I}_{R_A}^{\ast}\leftarrow {I}_{R_A}^A\cap {I}_{R_A}^B \), \( {I}_{R_B}^{\ast}\leftarrow {I}_{R_B}^A\cap {I}_{R_B}^B \), where x ∩ y represents the intersection of x and y.
5.4 Witness generation and key binding
The witness generation and key binding stage is given as follows, as shown in Fig. 6.
(1) Device A calculates the witnesses \( {w}_{R_A} \) and \( {w}_{R_B}^{\prime } \) based on the preselected feature indexes \( {I}_{R_A}^{\ast } \) and \( {I}_{R_B}^{\ast } \) obtained in the reconciliation phase, where \( {w}_{R_A}\leftarrow EXT\left({I}_{R_A}^{\ast },{R}_A,{f}_A\right) \) and \( {w}_{R_B}^{\prime}\leftarrow EXT\left({I}_{R_B}^{\ast },{R}_B,{f}_A\right) \). The witness generation algorithm EXT is shown in Fig. 7. At the beginning, w is set to the empty bit string ∅, and the fixed random number generation algorithm rand with the seed R is executed to generate the random threshold sequence th = {th1, th2, …, thn}. Next, the witness is obtained by comparing the random threshold values with the feature sequence. If the feature value \( {\alpha}_{index_i} \) is larger than the random threshold value \( {th}_{index_i} \), a bit 1 is generated; otherwise, a bit 0 is generated, where indexi is an element of \( {I}_{R_A}^{\ast } \) or \( {I}_{R_B}^{\ast } \), \( {\alpha}_{index_i} \) is the value in fA, and ∣ means bit concatenation. Finally, the witness w is compressed into a string of length len.
(2) Device A calculates cA by encoding the random key kA with the BCH code, that is, cA ← bchenc(kA), where bchenc(·) represents the BCH encoding function. The length of the information bits of the BCH code is equal to the length of kA.
(3) Device A generates auxiliary data XA by binding wA with cA, i.e., XA ← cA ⊕ wA, then sends XA to device B.
(4) After receiving the XB sent by device B, device A uses the \( {w}_{R_B}^{\prime } \) generated in (1) to recover the random key kB selected by device B, that is, \( {k}_B^{\prime}\leftarrow bchdec\left({X}_B\oplus {w}_{R_B}^{\prime}\right) \), where bchdec(·) is the BCH decoding function.
(5) The final key key is obtained by concatenating Device A’s own random key kA with the recovered key \( {k}_B^{\prime } \).
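The commit and decommit steps of Section 3.2 and the EXT and key-binding steps above can be exercised end to end. The following is an added example, not code from the paper: it swaps the BCH code for a 5-fold repetition code (corrects 2 flipped bits per 5-bit group), uses Python's seeded random.Random as a stand-in for rand, and assumes a threshold range TH_RANGE and plain truncation for the "compress to len" step; all function names are hypothetical.

```python
import hashlib
import hmac
import math
import random
import secrets

REP = 5                # repetition code standing in for BCH (assumption)
TH_RANGE = (0.0, 2.0)  # assumed range of the seeded random thresholds th_i


def ext(indexes, seed, features, length):
    """EXT: emit bit 1 where a feature exceeds its seeded threshold, else 0."""
    rng = random.Random(seed)  # both devices derive identical thresholds from R
    th = [rng.uniform(*TH_RANGE) for _ in features]
    bits = [1 if features[i] > th[i] else 0 for i in indexes]
    if len(bits) < length:
        raise ValueError("not enough reconciled indexes for the witness")
    return bits[:length]  # assumption: compression to len modelled as truncation


def ecc_encode(key_bits):
    """Stand-in for bchenc: repeat every key bit REP times."""
    return [b for b in key_bits for _ in range(REP)]


def ecc_decode(code_bits):
    """Stand-in for bchdec: majority vote inside each REP-bit group."""
    return [1 if sum(code_bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(code_bits), REP)]


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("witness and codeword must have the same length")
    return [x ^ y for x, y in zip(a, b)]


def h(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()


def dis(a, b):
    """Hamming distance between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b))


def commit(witness, key_bits):
    """Bind the key to the witness: returns (h(k), X) with X = c XOR w."""
    return h(key_bits), xor(ecc_encode(key_bits), witness)


def decommit(witness2, hk, x_aux):
    """Recover k' from X and w'; return it only if h(k') matches h(k)."""
    k2 = ecc_decode(xor(x_aux, witness2))
    return k2 if hmac.compare_digest(h(k2), hk) else None


if __name__ == "__main__":
    # Constructed data: device B sees device A's magnitudes plus small noise.
    noise = random.Random(1)
    f_a = [1.0 + 0.9 * math.sin(i / 6.0) for i in range(120)]
    f_b = [a + noise.gauss(0, 0.02) for a in f_a]
    idx = list(range(120))           # stands in for the reconciled indexes
    r_a = 2024                       # constructed seed R_A
    k_a = [secrets.randbits(1) for _ in range(16)]
    n = len(k_a) * REP
    w = ext(idx, r_a, f_a, n)        # device A's witness
    w2 = ext(idx, r_a, f_b, n)       # device B's witness from its own data
    hk, x_a = commit(w, k_a)
    print("dis(w, w') =", dis(w, w2))
    print("key recovered:", decommit(w2, hk, x_a) == k_a)
```

Recovery succeeds only while the differing witness bits stay within the code's tolerance in every group, which is the condition dis(w, w′) places on the BCH code in Section 3.2.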
5.5 Key verification
The last step is to verify that legitimate devices have successfully extracted the same secret key. To enhance the security of our system, we first verify whether the keys generated by the devices are the same, then verify whether the information exchanged in the initialization and pre-commitment exchange stage is legal (it may have been tampered with). The specific steps are shown in Fig. 8.
We first verify the consistency of the keys key generated by both devices.
(1) The two devices first exchange a message authentication code M. MAC(·) represents the message authentication code algorithm, which contains a key key, a random number N used to ensure real-time performance, and an ID indicating the identity of the device. Then M and N are sent to the other side.
(2) After receiving M, N, ID from the other side, the device first uses its own key and the received N and ID to calculate M ′ = {key′| N| ID}, then verifies whether M ′ = M. If the verification passes, it turns to the next step; otherwise it returns ⊥.
(3) Our scheme also verifies the integrity of the pre-commitment generated in Section 5.2 to ensure that it has not been tampered with during transmission. Specifically, it has been verified that the keys key generated by both sides are the same. Therefore, it is certain that device A has correctly recovered kB, which indicates k′B = kB. Device A uses kB to decrypt \( {E}_{k_B}\left({f}_B,{I}_{R_B}\right) \) to obtain the feature sequence information of device B, that is, \( {f}_B,{I}_{R_B}\leftarrow {D}_{k_B^{\prime }}\left({E}_{k_B}\left({f}_B,{I}_{R_B}\right)\right) \), where Dκ(·) represents the function of decryption using k.
(4) Device A first verifies whether the \( {I}_{R_B} \) in the pre-commitment is the same as the \( {I}_{R_B} \) sent by device B in the reconciliation stage. If the verification is successful, the system will execute the next steps. Otherwise, it returns ⊥ and stops pairing.
(5) Device A compares its own feature sequence fA with fB. If the result is greater than the threshold, then key is used as the symmetric session key K, which means the pairing is successful. Otherwise, the device returns ⊥ and stops pairing. Specifically, we use the Pearson correlation coefficient to measure the similarity of both devices’ feature sequences, which can be calculated by Formula (6), where αA, i means the i-th element in fA.
6 Optimal feature selection
After data processing (as described in Section 5.1), the noise in the acceleration data will affect the success rate of device pairing. Therefore, we propose the optimal feature selection algorithm, which can select reliable features from the feature sequence f for device pairing. In our algorithm, the generated raw features are sorted, then the optimal features are selected from the sorted features, and finally the index IR of the optimal features is sent as the auxiliary data to the pairing device.
6.1 Sort based on Euclidean distance
Taking thi as an example, the corresponding acceleration magnitude values of device A and device B are αA, i and αB, i. To extract the same bits, the sign of the distance between α and th should be the same, that is, (thi − αA, i) ∗ (thi − αB, i) ≥ 0. Let P be the probability of (thi − αA, i) ∗ (thi − αB, i) ≥ 0, then

P = P[αA, i ≥ thi ∧ αB, i ≥ thi] + P[αA, i < thi ∧ αB, i < thi] = 1 − P[αA, i ≥ thi ∧ αB, i < thi] − P[αA, i < thi ∧ αB, i ≥ thi].

The precondition of P[αA, i ≥ thi ∧ αB, i < thi] is Δ(αA, i, αB, i) > Δ(αA, i, thi), and the precondition of P[αA, i < thi ∧ αB, i ≥ thi] is Δ(αA, i, αB, i) > Δ(αB, i, thi). Therefore, it can be speculated that the higher the Δ(αi, thi), the lower the P[αA, i ≥ thi ∧ αB, i < thi] and P[αA, i < thi ∧ αB, i ≥ thi] for legitimate devices. Hence, sorting the Euclidean distance Δ(αi, thi) of each feature in ascending order and then selecting the later features (features with larger Euclidean distance) is a feasible method to obtain reliable features. However, through our experiments, we find that just sorting by Δ(αi, thi) to select optimal features is not enough.
As we can see from Fig. 9, when the acceleration changes quickly, the slight delay of one of the devices could cause large offset between the accelerometer magnitudes. Figure 9 (b) is an enlargement of the green dashed box in Fig. 9 (a), where the green dot represents the random threshold thi, and the hollow circle and triangle represent the feature value αA, i,αB, i corresponding to thi. It can be seen that fA and fB are very close, but a slight lag on one side results in a very large Δ(αA, i, αB, i). As a result of the increase of Δ(αA, i, αB, i), the upper limit of the corresponding Δ(αi, thi) also increases. It can also be seen that Δ(αA, i, thi), Δ(αB, i, thi) are larger in Fig. 9, which will mislead the ordering of features.
Therefore, based on the conclusion that P[αA, i ≥ thi ∧ αB, i < thi] and P[αA, i < thi ∧ αB, i ≥ thi] decrease exponentially as Δ(αi, thi) increases, we propose an algorithm called minimum distance within the window. We call windowi = [αi − δ, …, αi, …, αi + δ] as a window of feature αi with the size δ, and min (Δ(windowi, thi)) is the smallest αi of Δ(αi, thi) corresponding to windowi. We do not directly take Δ(αi, thi) as the sorting criteria, but introduce the values δ before and after αi to reduce the misleading caused by the slight lag, and use min (Δ(windowi, thi)) as the standard to sort.
6.2 Secure feature selection
To filter out the noisy features that are most likely to influence the success rate of device pairing, we propose the optimal feature selection algorithm Γ (see Fig. 10), where n denotes the total number of original features, q denotes the number of optimal features selected by Γ, and the corresponding optimal feature sequence is defined as Q.
We take the index i of each element in f and the corresponding min (Δ(windowi, thi)) as a key-value tuple (i, min(Δ(windowi, thi))), and put them into a list, that is, add(list, (i, min(Δ(windowi, thi)))), then the list is sorted by the sort(·) algorithm. As min(Δ(windowi, thi)) becomes smaller, the probability of the offset occurring between the αi of devices will increase. We filter the feature sequence and select the last q key-value tuples in the sorted list as the feature sequence Q for generating w. However, the direct exchange of the indexes i of the last q key-value tuples will expose the information of f, so we protect f by deleting some tuples in Q randomly, and we call these deleted tuples chaff features. The algorithm genchaff(·) selects chaff features randomly from a sequence. The minimum number of optimal feature indexes selected by the devices on both sides must not be less than len, that is, Count(UA ∩ UB) > len, where Count(UA) and Count(UB) represent the number of features finally selected by users A and B, which is calculated by q − cn. Then Count(UA ∩ UB) > len can be simplified as:
and the value range of cn can be obtained:
Finally, we arrange the key values of the tuples in Q in a sequential manner as the preselected feature indexes IR.
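The windowed sort of Section 6.1, the selection and chaff removal of Γ, and the index intersection of Section 5.3 fit in one short sketch. This is an added example, not the paper's Fig. 10: it assumes the window spans the δ samples before and after position i, an assumed threshold range TH_RANGE, and hypothetical function names; chaff is drawn from the operating system's CSPRNG unless a generator is passed in.

```python
import math
import random

TH_RANGE = (0.0, 2.0)  # assumed range for the seeded thresholds th_i


def thresholds(seed, n):
    """Threshold sequence th derived from the shared seed R."""
    rng = random.Random(seed)
    return [rng.uniform(*TH_RANGE) for _ in range(n)]


def min_window_distance(f, th, i, delta):
    """min(Δ(window_i, th_i)): smallest |α_j - th_i| for j within delta of i."""
    lo, hi = max(0, i - delta), min(len(f), i + delta + 1)
    return min(abs(f[j] - th[i]) for j in range(lo, hi))


def select_features(f, seed, q, cn, delta, chaff_rng=None):
    """Γ: rank by windowed distance, keep the last q, drop cn chaff indexes."""
    if not 0 <= cn < q <= len(f):
        raise ValueError("need 0 <= cn < q <= len(f)")
    if chaff_rng is None:
        chaff_rng = random.SystemRandom()  # chaff must be unpredictable
    th = thresholds(seed, len(f))
    ranked = sorted(range(len(f)),
                    key=lambda i: min_window_distance(f, th, i, delta))
    best = ranked[-q:]                       # largest windowed distances
    chaff = set(chaff_rng.sample(best, cn))  # genchaff: never transmitted
    return sorted(i for i in best if i not in chaff)  # preselected indexes I_R


def reconcile(mine, theirs):
    """I_R* : indexes that both devices preselected."""
    return sorted(set(mine) & set(theirs))


def disagreements(f_a, f_b, th, indexes):
    """Number of indexes where the two devices would extract different bits."""
    return sum((f_a[i] > th[i]) != (f_b[i] > th[i]) for i in indexes)


if __name__ == "__main__":
    # Constructed data: device B lags device A by one sample.
    n, seed = 600, 99
    f_a = [1.0 + 0.9 * math.sin(i / 6.0) for i in range(n)]
    f_b = [1.0 + 0.9 * math.sin((i - 1) / 6.0) for i in range(n)]
    th = thresholds(seed, n)
    i_a = select_features(f_a, seed, q=500, cn=50, delta=2)
    i_b = select_features(f_b, seed, q=500, cn=50, delta=2)
    star = reconcile(i_a, i_b)
    print("all features:", disagreements(f_a, f_b, th, range(n)), "of", n)
    print("reconciled  :", disagreements(f_a, f_b, th, star), "of", len(star))
```

Because each side removes its own chaff independently, the reconciled set is smaller than q − cn, which is why the choice of cn has to leave more than len common indexes.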
7 Performance evaluation
In this section, we evaluate our proposed scheme through a series of experiments. In terms of system robustness, we first evaluated the impact of our feature selection algorithm on the similarity of the generated witness. In addition, we evaluated the accuracy of the system, which is an important indicator of robustness. What’s more, the Pearson correlation coefficient distributions of the handshake acceleration magnitude feature sequence extracted from interactive and non-interactive individuals are experimentally analyzed, according to which we recommend the threshold. In terms of efficiency and user-friendliness, the key generation rate of our proposed scheme is experimentally evaluated.
7.1 Experiment setup
In our experiments, iPhones (iPhone6-CPU: A8 1.4GHz, OS: iOS 11.0 and iPhone8-CPU: A11 2.74GHz, OS: iOS 11.0) are tied to the volunteers’ wrists to simulate the wrist-worn devices. We recruited 16 volunteers, 8 males and 8 females. Their ages range from 22 to 25. In the following experiments, the handshake data is generated by volunteers shaking hands in pairs (one volunteer will shake with the remaining 15 volunteers). Each handshake includes 16 ups and downs and is repeated 5 times to ensure the accuracy of the data, and the accelerometer sampling frequency is set to 200 Hz. It is worth noting that the pairing of devices through a short-time handshake is user-friendly. In our scheme, a handshake time of 3 to 4 s is enough to complete the pairing, which is convenient for the user.
7.2 Witness similarity
The accuracy of the system is directly related to the similarity of the witness w generated by the two devices, and the witness w is generated from the optimal features selected by the optimal feature selection algorithm. In this section, we first evaluate the feature sorting based on the minimum distance within the window, and then experimentally analyze the similarity variation of the generated witness when different values of the two important parameters in the optimal feature selection algorithm, the window size δ and the optimal feature selection number q are chosen. In our scheme, we sort the features in ascending order based on min (Δ(windowi, thi)).
Definition 1: If thi and its corresponding feature values αA, i, αB, i satisfy (thi − αA, i) ∗ (thi − αB, i) ≤ 0, we deem the index i of the thi as the index of the offset feature.
The first 3 s of the synchronized acceleration magnitude is used as original feature data in our experiments, from which 600 acceleration magnitude features will be generated. The distribution of the indexes of the offset features is shown in Fig. 11. Figure 11 (a) shows the cumulative distribution function (CDF) of indexes of the offset features of the unsorted feature sequence, and Fig. 11 (b) shows that of the sorted feature sequence. As can be seen, the indexes of the offset features are uniformly distributed before sorted, are mostly distributed at the front of the sequence after sorted. The smaller the index i is, the faster the CDF grows, and 80% of the indexes of the offset feature are range from 0 to 150. Besides, it can be seen from the partially enlarged diagram of Fig. 11 (b) that in the range around 150, the CDF performance is better when δ = 2.
In the optimal feature selection algorithm, the window size δ and q are two important parameters that directly affect feature selection and thus the similarity of the witness w. We evaluate the similarity of the witness by changing the two parameters, and the similarity of the two witnesses is measured by Hamming distance. Figure 12 shows the variation of the average value of dis(w, w′) under different q and δ, from which we can see that as the number of selected features q decreases, dis(w, w′) decreases exponentially. When q is less than 320, dis(w, w′) approaches 0; when q is selected to be less than 500, dis(w, w′) is less than 7 and its decreasing tendency slows down. In addition, when q is around 500, dis(w, w′) is the smallest when δ = 2.
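The effect of Definition 1 and of the parameters q and δ can be reproduced on constructed data. The following Python sketch is an added example, not the authors' code: the feature values, the noise bound EPS, the form of the window distance, and the rule that the q features farthest from their thresholds are kept (with B reusing A's index set) are all assumptions.

```python
import random

EPS = 0.1  # assumed bound on the difference between the two devices' readings


def make_constructed_data(n=600, seed=7):
    """Constructed sample: A's features, B's noisy copy, shared random thresholds."""
    rng = random.Random(seed)
    alpha_a = [rng.uniform(0.0, 2.0) for _ in range(n)]
    alpha_b = [a + rng.uniform(-EPS, EPS) for a in alpha_a]
    th = [rng.uniform(0.5, 1.5) for _ in range(n)]
    return alpha_a, alpha_b, th


def offset_indexes(alpha_a, alpha_b, th):
    """Definition 1: th_i lies between (or on) the two devices' feature values."""
    return [i for i in range(len(th))
            if (th[i] - alpha_a[i]) * (th[i] - alpha_b[i]) <= 0]


def window_distance(alpha, th, i, delta):
    """Minimum |alpha_j - th_i| over the delta neighbours on each side of i
    (assumed form of the window; it always includes feature i itself)."""
    lo, hi = max(0, i - delta), min(len(alpha), i + delta + 1)
    return min(abs(alpha[j] - th[i]) for j in range(lo, hi))


def sorted_indexes(alpha, th, delta):
    """Ascending sort: features closest to their threshold come first."""
    return sorted(range(len(th)),
                  key=lambda i: window_distance(alpha, th, i, delta))


def select(alpha, th, q, delta):
    """Keep the q features at the back of the sorted sequence (assumed rule)."""
    order = sorted_indexes(alpha, th, delta)
    return sorted(order[max(0, len(order) - q):])


def witness(alpha, th, idx):
    """One witness bit per selected feature: 1 if it is above its threshold."""
    return [1 if alpha[i] > th[i] else 0 for i in idx]


def hamming(w1, w2):
    return sum(x != y for x, y in zip(w1, w2))


def witness_distance(alpha_a, alpha_b, th, q, delta=2):
    """dis(w, w') when A selects q features and B quantizes the same indexes."""
    idx = select(alpha_a, th, q, delta)
    return hamming(witness(alpha_a, th, idx), witness(alpha_b, th, idx))


if __name__ == "__main__":
    a, b, th = make_constructed_data()
    order = sorted_indexes(a, th, delta=2)
    rank = {i: r for r, i in enumerate(order)}
    ranks = sorted(rank[i] for i in offset_indexes(a, b, th))
    print("positions of offset features in the sorted sequence:", ranks)
    for q in (600, 520, 320):
        print("q =", q, "dis(w, w') =", witness_distance(a, b, th, q))
```

Every mismatching witness bit comes from an offset feature, and an offset feature is never farther than EPS from its threshold, which is why the offset features collect at the front of the sorted sequence and why dis(w, w′) cannot grow as q shrinks.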
7.3 System accuracy
System accuracy is the ability of the system to pair two devices correctly. It requires that only devices worn by users who shake hands with each other can be paired and generate the same symmetric key.
In our scheme, the impact on the system’s accuracy mainly comes from three aspects. The first is the optimal feature selection algorithm, which filters the noisy features. As can be seen from the above experiments, the smaller the value of q is, the more features are filtered and the smaller dis(w, w′) is. The second is the parameter selection of the BCH code. For a BCH code with a fixed total length, the higher the noise tolerance ability is, the fewer information bits it can contain; that is, the shorter the key that can be bound. In addition, with the increase of noise tolerance ability, the accuracy of the system will reduce accordingly. The third is the Pearson correlation coefficient used in the key verification stage; its threshold selection directly affects the accuracy of the system.
Since the feature selection algorithm directly affects the similarity of the witness, and the similarity of the witness is related to the accuracy of the BCH code, we evaluate the joint impact of q and different BCH codes on the system accuracy. We denote a BCH code as (ln, lk, t0), where ln represents the total length of the BCH code, lk represents the length of the information bits, and t0 represents the capability of noise tolerance. In order to ensure the length of the bound key k and filter enough tough features, we select 255 as the value ln of a BCH code, and the BCH codes with ln=255 are shown in Table 2.
The false rejection rate (FRR) and false acceptance rate (FAR) are also used to evaluate the system accuracy. FRR indicates the probability that the two wrist-watches worn by two legal users who shake hands with each other fail to match. FAR indicates the probability of successfully completing device pairing without a handshake between an illegal user and a legal user.
In this experiment, the main concern is the variation of FRR and FAR and their correlation when different BCH codes are selected. We can see from Fig. 13(a) that the higher the value t0 is, the lower the FRR is. Conversely, from Fig. 13(b), we can see that the higher the value t0 is, the higher the FAR is. Note that to ensure the system accuracy, FAR and FRR must be reduced at the same time. As shown in Fig. 13(c), we can find an equilibrium point, i.e., equal error probability (EER) when q=500. In our scheme, the BCH code we choose is (255, 18, 131) and q is set as 520, as our scheme has better accuracy in this case.
We use the Pearson correlation coefficient of the acceleration magnitude feature sequence in the key verification stage to evaluate the similarity and determine whether the pairing device is a legitimate one. In Fig. 14, the blue curve shows the CDF of the Pearson correlation coefficient of the acceleration magnitude feature sequence generated by legitimate devices, while the red curve shows the CDF of the Pearson correlation coefficient of the acceleration magnitude generated by illegal devices and legitimate devices. It can be seen that 90% of the Pearson correlation coefficients of the acceleration magnitude feature sequence generated by legitimate devices are greater than 0.9, while for illegal devices, the number of Pearson correlation coefficients greater than 0.9 approaches 0. According to the experimental results, we set the threshold threshold to be 0.9.
7.4 Comparison with state-of-the-art
In this section, we first compare the key generation rate of the proposed scheme with that of state-of-the-art acceleration-based pairing schemes [9, 11, 14, 19, 20, 21].
The comparison of the key generation rate is shown in Table 3. Our key generation rate is 87 bits per second, which is higher than that of the other schemes. Thus, our solution can quickly complete device pairing and session key negotiation, and offers better user-friendliness.
We further compare our scheme with handshake-based schemes [19, 20] in terms of feature selection, feature privacy protection, pre-commitment exchange, and computation time. Table 4 highlights the differences among them.
Specifically, in our scheme, optimal feature selection is employed to enhance the similarity of two acceleration sequences, which improves efficiency of the reconciliation process. Besides, this procedure can improve the robustness of auxiliary data, and protect feature privacy. Pre-commitment exchange in the proposed scheme can verify the device legality, thus preventing the man-in-the-middle attack.
However, SDP via Handshake [19] and Shake-n-Shack [20] use the noisy acceleration feature for pairing without feature selection, resulting in low efficiency of the reconciliation process. In addition, these two schemes fail to protect feature privacy, as the auxiliary data generated by quantizing acceleration feature may disclose the handshake information. Meanwhile, these two schemes are vulnerable to man-in-the-middle attacks due to the omission of pre-commitment exchange phase.
Furthermore, the simulation of our scheme and the other two schemes on a laptop with MATLAB shows that our scheme is the most efficient one among these three schemes. It is worth noting that, as discussed in Section 8.7, our proposed scheme is the only one which is secure against all the attacks concerned in this paper.
8 Security analysis
Based on our proposed threat model, we construct experimental data sets for active attackers and passive attackers respectively. The active attackers’ data set is generated by two illegal volunteers simulating the handshake of legitimate volunteers, and the passive attackers’ data set is the auxiliary data transmitted between legal devices during the pairing process.
We consider seven different attacks from two types of attackers. As shown in Fig. 15, ①-⑦ indicate attacks that may happen at different stages. ①: the attacker directly obtains the acceleration data in some way. ②: the attacker may reuse past data to pair with legitimate devices. ③: the attacker brute-forces the witness generated by the quantified features. ④: the attacker obtains key-related information through the auxiliary data transmitted during the reconciliation stage. ⑤: the attacker directly brute-forces the negotiated key. ⑥: MITM attack, in which the attacker may impersonate the legitimate device to intercept and tamper with the transmitted messages, then attempt to pair with a legitimate device. ⑦: the attacker attempts to pair with a legitimate device by mimicking legitimate users’ handshake.
8.1 Security of the acceleration data (①,②)
As discussed in Section 4.2, in our threat model, we assume that the attacker cannot hijack the device or implant an illegal device on the user to obtain acceleration data. In addition, we do not consider that an attacker can capture and analyze the handshake process by recording video. Under these assumptions, our scheme is secure at the sensor level (①), which indicates the attacker cannot obtain the acceleration data collected by sensors of legal device, and the handshake acceleration data is only held by legal devices.
On the other hand, unlike permanent physical characteristics (face or fingerprint), handshake as a behavioral characteristic shows good randomness and time variability. In other words, the accelerometer values produced by two handshakes are often different, even if both handshakes are performed by the same group of users. Therefore, it is difficult for an attacker to complete the correct pairing even if he obtains the previous handshake acceleration data of the legitimate user, and our scheme is resistant to the data reuse attack (②).
8.2 Witness security (③)
To evaluate the security of w, we apply Shannon entropy to measure the randomness of w. Since w is a bit string of 0 and 1, the entropy of each bit is between 0 and 1. Figure 16 shows the CDF of the average entropy of each bit in w.
It can be seen that the average entropy of each bit is close to 1. For each set of experiments, the average Shannon entropy is greater than 0.920 and the largest one is up to 0.982. For the 255-bit witness, the entropy contained in w can be calculated by Formula (9), which is 250.41. Therefore, we demonstrate that the generated w is secure.
8.3 Auxiliary data security (④)
It is required that the transmitted auxiliary data IR and X cannot reveal the information of the feature and the negotiated key, otherwise, it will be used by passive attackers.
In our scheme, we randomly delete a certain number of chaff features from the optimal q features, which makes it difficult for the attackers to distinguish the indexes of features that are close to the random threshold values. To guess the acceleration data from IR, the attackers must identify the hidden chaff features from the missing indexes. The probability of finding all cn chaff features Pchafftuple(cn) is obtained as follows:
To find all the chaff features, the attacker needs at most 1/Pchafftuple(cn) attempts, so we define the security Schaff(cn) guaranteed by the chaff tuple as shown in Formula (11).
Take the BCH length len as 255 as an example. Figure 17 shows the security that the chaff features can guarantee under different number of optimal features q. It can be seen that when q = 520, it reaches the peak. The security Schaff(cn) can reach up to 120 bits when q is in the range of 480 to 560. Therefore, the data IR is secure.
The robustness of the auxiliary data X = w ⨁ bchenc(k) relies on the witness w and the random key k. The randomness of w is proved by experiments in Section 7.2, and the key k is randomly generated, so the bchenc(k) obtained by BCH encoding is random. Therefore, the auxiliary data X is also secure.
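The binding X = w ⨁ bchenc(k) and the trade-off between noise tolerance and key length described in Section 7.3 can be illustrated with a much simpler code. This added Python example (not the authors' implementation) substitutes a 15-fold repetition code for the BCH code, so its tolerance is 7 flips per 15-bit block rather than t0 flips over the whole codeword; the witness and key are constructed values.

```python
import random


def encode(key_bits, r):
    """Stand-in for bchenc: repeat every key bit r times."""
    return [b for b in key_bits for _ in range(r)]


def decode(code_bits, r):
    """Majority vote per block; corrects up to (r - 1) // 2 flips in a block."""
    return [int(sum(code_bits[i:i + r]) > r // 2)
            for i in range(0, len(code_bits), r)]


def xor(u, v):
    return [x ^ y for x, y in zip(u, v)]


def commit(w, key_bits, r):
    """Auxiliary data X = w XOR enc(k), sent in the clear."""
    return xor(w, encode(key_bits, r))


def recover(x, w_prime, r):
    """The peer removes its own witness w' and decodes what is left."""
    return decode(xor(x, w_prime), r)


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def capacity(n, r):
    """(key bits, tolerated flips per block) for codeword length n."""
    return n // r, (r - 1) // 2


def demo():
    rng = random.Random(2021)            # constructed witness and key
    n, r = 255, 15                       # 255-bit codeword as in the paper
    w = [rng.randint(0, 1) for _ in range(n)]
    k = [rng.randint(0, 1) for _ in range(n // r)]
    x = commit(w, k, r)
    w_peer = flip(w, range(0, n, r))     # one noisy bit in every block
    w_edge = flip(w, range(7))           # 7 errors in block 0: at the limit
    w_far = flip(w, range(8))            # 8 errors in block 0: past the limit
    return {
        "key": k,
        "peer": recover(x, w_peer, r),
        "edge": recover(x, w_edge, r),
        "far": recover(x, w_far, r),
    }


if __name__ == "__main__":
    result = demo()
    for name in ("peer", "edge", "far"):
        print(name, "recovers key:", result[name] == result["key"])
    for r in (5, 15, 51):
        print("r =", r, "-> (key bits, tolerance) =", capacity(255, r))
```

A witness within the code's tolerance recovers k exactly, one error past the tolerance yields a different key, and raising the tolerance shrinks the number of key bits that fit into 255 code bits.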
8.4 Key security (⑤)
The session key key is concatenated by kA, kB, which are randomly selected by two devices, so its security depends on its length. As shown in Fig. 18, the length of the session key changes with the variation of noise tolerant ability t0 when the BCH code length len is 255. It can be seen that when the noise tolerance ability t0 is lower than 30, the length of the session key key is greater than 126. If the attacker wants to guess the negotiated key by brute force, it will take up to \( {2}^{126} \) attempts.
8.5 Resisting MITM attack (⑥)
In this section, we theoretically analyze the resistance of the proposed scheme to the MITM attack. We assume the attacker C knows the random threshold generation algorithm rand (·), the feature selection algorithm Γ(·), the witness generation algorithm EXT (·), and the BCH code used, and that the attacker can also intercept and tamper with all messages transmitted between legitimate devices.
Assumption 1 Attacker C impersonates A and B to pair with B and A respectively.
As C cannot get the acceleration data held by legal devices A and B, even if C tampers with the pre-commitment information and the auxiliary data I and X, he is unable to generate w′ that satisfies dis(w, w′) < t0 and recover the random key kA or kB through BCH decoding.
Assumption 2 Attacker C impersonates B and sends A the Rc, which is designed to make it easier to generate a wc similar to wA during the initialization and pre-commitment stage. For example, the generated random threshold values are distributed more towards the upper and lower boundaries of the random threshold values. Then C carefully selects \( {I}_{R_A}^C \), \( {I}_{R_c}^A \) to send to A during the reconciliation stage to increase the possibility of a successful attack. Specifically, C selects the index of the feature corresponding to the value distributed near the upper and lower boundaries of the threshold.
Since we exchanged encrypted \( \left({f}_C,{I}_{R_c}^C\right) \) in advance during the pre-commitment exchange stage, fC provided by C could not pass the verification of device A in the verification stage.
Assumption 3 Attacker C replays the pre-commitments of A and B during the initialization and pre-commitment stage. In other words, attacker C sends tampered pre-commitments \( {E}_{k_A}\left({f}_A,{I}_{R_A}^A\right),{R}_A,I{D}_A\to {E}_{k_A}\left({f}_A,{I}_{R_A}^A\right),{R}_C,I{D}_C \) to B, \( {E}_{k_B}\left({f}_B,{I}_{R_B}^B\right),{R}_B,I{D}_B\to {E}_{k_B}\left({f}_B,{I}_{R_B}^B\right),{R}_C,I{D}_C \) to A, trying to negotiate a key with A and B respectively by selecting I′ and I carefully.
As IR and f are bound together during the initialization and pre-commitment exchange stage, once IR has been tampered with by C in the subsequent stages, it will also be rejected by legitimate devices during the verification stage.
8.6 Resisting mimicking attack (⑦)
The mimicking attacker observes the handshake between two legitimate users, and mimics it in real time in an attempt to obtain acceleration data similar to that collected by a legitimate device. We performed imitation attacks and obtained accelerometer values by imitating others' handshakes. As shown in Fig. 19, when mimicking the handshake, there is a time lag between seeing the legitimate user’s handshake and reacting to it. Therefore, compared with a random handshake, it is more difficult for an attacker to generate a similar acceleration magnitude time series to pair with the legitimate device. Moreover, there is no case in our experiments in which the mimicking attacker successfully paired with a legitimate device, which shows that our solution is suitable for practical applications.
8.7 Security comparison
This section compares the security of the proposed scheme with that of related schemes in [9, 11, 14, 19, 20]. As shown in Table 5, our scheme is the only one which can resist attacks against auxiliary data (④), which ensures that attackers cannot obtain usable information about the key through the transmitted auxiliary data. Specifically, in our scheme, optimal feature selection and random deletion of acceleration features are employed to generate auxiliary data of high randomness. Hence, it is difficult for attackers to obtain useful information from auxiliary data. In addition, the schemes in [14, 19, 20] cannot resist MITM attacks (⑥), which indicates that attackers can obtain the key information through multiple attempts, and even complete the pairing with legitimate users, while our scheme can effectively resist this attack. Overall, the proposed scheme is the only one which can resist the attacks illustrated in Fig. 15.
9 Conclusion
In this paper, we proposed a robust and user-friendly secure pairing scheme based on handshake acceleration for wrist-worn smart devices, with a high key generation rate. In our scheme, we used the three-dimension inertial acceleration sensor on the off-the-shelf wrist-worn smart devices to record handshake patterns. Besides, we used the random threshold-based witness generation algorithm to improve the key agreement rate. To increase the success rate and ensure the security of the scheme, the optimal feature selection algorithm, BCH based fuzzy commitment, and the Pearson correlation coefficient based feature sequence similarity matching method are used. Finally, we theoretically and experimentally analyzed the security and performance of our scheme. On the one hand, the results show that the entropy of the generated 256-bit key is more than 0.92, and the key generation rate is up to 87 bits per second. On the other hand, the proposed scheme can resist the attacks in the pairing procedure, including brute force attack, reuse attack, eavesdropping attack, tampering attack, MITM attack, and mimicking attack.
In the future work, we would like to further improve the feature extraction method to achieve fast and effective pairing between devices, such as, to extract more feature values from the acceleration signal. Also, we would like to take computer vision based attacks into consideration, which applies computer vision to analyze the handshake process.
References
[1] Fomichev M, Alvarez F, Steinmetzer D, Gardner-Stephen P, Hollick M (2018) Survey and systematization of secure device pairing. IEEE Commun Surv Tutor 20(1):517–550. https://doi.org/10.1109/comst.2017.2748278
[2] Zhang N, Wu R, Yuan S, Yuan C, Chen D (2019) RAV: relay aided Vectorized secure transmission in physical layer security for internet of things under active attacks. IEEE Internet Things J 6(5):8496–8506. https://doi.org/10.1109/jiot.2019.2919743
[3] Zhang N, Cheng N, Lu N, Zhang X, Mark JW, Shen X (2015) Partner selection and incentive mechanism for physical layer security. IEEE Trans Wirel Commun 14(8):4265–4276. https://doi.org/10.1109/twc.2015.2418316
[4] Chen D, Zhang N, Cheng N, Zhang K, Qin Z, Shen XS (2019) Physical layer based message authentication with secure channel codes. IEEE Transactions on Dependable and Secure Computing 1–1. https://doi.org/10.1109/tdsc.2018.2846258
[5] Mirzadeh S, Cruickshank H, Tafazolli R (2014) Secure device pairing: a survey. IEEE Commun Surv Tutor 16(1):17–40. https://doi.org/10.1109/surv.2013.111413.00196
[6] Jiang Q, Ma J, Li G, Yang L (2014) Robust two-factor authentication and key agreement preserving user privacy. Intl J Netw Secur 16(3):229–240
[7] Jiang Q, Zhang N, Ni J, Ma J, Ma X (2020) Unified biometric privacy preserving three-factor authentication and key agreement for cloud-assisted autonomous vehicles. IEEE Trans Veh Technol 69:9390–9401
[8] Ma X, Ma J, Li H, Jiang Q, Gao S (2017) Armor: a trust-based privacy-preserving framework for decentralized friend recommendation in online social networks. Futur Gener Comput Syst 79(1):82–94
[9] Schürmann D, Brüsch A, Sigg S, Wolf L (2017) BANDANA — body area network device-to-device authentication using natural gAit
[10] Groza B, Mayrhofer R (2012) SAPHE: simple accelerometer based wireless pairing with heuristic trees. In: paper presented at the proceedings of the 10th international conference on advances in Mobile computing & multimedia, Bali, Indonesia
[11] Sun Y, Wong C, Yang GZ, Lo B (2017) Secure key generation using gait features for body sensor networks. 2017 IEEE 14th international conference on wearable and implantable body sensor networks (BSN). IEEE, 2017: 206–210
[12] Mayrhofer R, Gellersen H (2009) Shake well before use: intuitive and secure pairing of mobile devices. IEEE Trans Mob Comput 8(6):792–806. https://doi.org/10.1109/tmc.2009.51
[13] Holmquist LE, Mattern F, Schiele B, Alahuhta P, Beigl M, Gellersen H-W (2001) Smart-its friends: a technique for users to easily establish connections between smart artefacts. In: paper presented at the proceedings of the 3rd international conference on ubiquitous computing, Atlanta, Georgia, USA
[14] Xu W, Revadigar G, Luo C, Bergmann N, Hu W (2016) Walkie-talkie: motion-assisted automatic key generation for secure on-body device communication. In: paper presented at the proceedings of the 15th international conference on information processing in sensor networks, Vienna, Austria
[15] Liu H, Wang Y, Yang J, Chen Y (2013) Fast and practical secret key extraction by exploiting channel response. In: 2013 proceedings IEEE INFOCOM
[16] Liu H, Yang J, Wang Y, Chen Y, Koksal CE (2014) Group secret key generation via received signal strength: protocols, achievable rates, and implementation. IEEE Trans Mob Comput 13(12):2820–2835. https://doi.org/10.1109/tmc.2014.2310747
[17] Schürmann D, Sigg S (2013) Secure communication based on ambient audio. IEEE T Mobile Comput 12; 12, 358-370
[18] Qiao Y, Srinivasan K, Arora A (2014) Shape matters, not the size. Paper presented at the proceedings of the 1st ACM workshop on hot topics in wireless - HotWireless '14
[19] Guo Z, Gao X, Ma Q, Zhao J (2018) Secure device pairing via handshake detection. Tsinghua Sci Technol 23(5):621–633. https://doi.org/10.26599/tst.2018.9010085
[20] Shen Y, Yang F, Du B, Xu W, Wen H (2018) Shake-n-Shack: enabling secure data exchange between smart wearables via handshakes. In: 2018 IEEE international conference on pervasive computing and communications (PerCom)
[21] Jiang Q, Huang X, Zhang N, Zhang K, Ma X, Ma J (2019) Shake to communicate: secure handshake acceleration-based pairing mechanism for wrist worn devices. IEEE Internet Things J 6(3):5618–5630. https://doi.org/10.1109/jiot.2019.2904177
[22] Zhang N, Lu N, Cheng N, Mark JW (2013) Cooperative spectrum access towards secure information transfer for CRNs. IEEE J Sel Areas Commun 31(11):2453–2464
[23] Zhang N, Fang X, Wang Y, Wu S, Wu H, Kar D, Zhang H (2020) Physical layer authentication for internet of things via WFRFT-based Gaussian tag embedding. IEEE Internet of Things Journal:1–1. https://doi.org/10.1109/jiot.2020.3001597
[24] Christian G, Kaisa N (2004) Manual authentication for wireless devices. RSA Cryptobytes 7(1):29–37
[25] Chong MK, Mayrhofer R, Gellersen H (2014) A survey of user interaction for spontaneous device association. ACM Comput Surv 47(1):1–40. https://doi.org/10.1145/2597768
[26] Chong MK, Gellersen H (2011) Usability classification for spontaneous device association. Pers Ubiquit Comput 16(1):77–89. https://doi.org/10.1007/s00779-011-0421-1
[27] Findling RD, Muaaz M, Hintze D, Mayrhofer R (2014) ShakeUnlock: securely unlock Mobile devices by shaking them together. In: paper presented at the proceedings of the 12th international conference on advances in mobile computing and multimedia, Kaohsiung, Taiwan
[28] Huang X, Zhao G, Jiang Q, Ma X, Tian Y, Ma J (2020) Usable and secure pairing based on handshake for wrist-worn smart devices on different users. In: international conference on collaborative computing: networking, applications and Worksharing (pp. 493–510). Springer, Cham
[29] Juels A, Wattenberg M (1999) A fuzzy commitment scheme
[30] Jiang Q, Chen Z, Ma J, Ma X, Shen J, Wu D (2019) Optimized fuzzy commitment based key agreement protocol for wireless body area network. IEEE Transactions on Emerging Topics in Computing:1–1. https://doi.org/10.1109/tetc.2019.2949137
[31] Bose RC, Raychaudhuri DK (1960) On a class of error correcting binary group codes. Inf Control 3(1):68–79
Acknowledgments
This work is partially supported by the National Natural Science Foundation of China (62072352, U1708262, 61872449, 61772548, 61902290, 61772008), the project “The Verification Platform of Multi-tier Coverage Communication Network for oceans (LZC0020)”, Scientific Research Program Funded by the Education Department of Shaanxi Province (20JY016), Guangxi Key Laboratory of Trusted Software, Natural Science Foundation of Shaanxi Province (2019JM-109), Key Research and Development Program of Shaanxi (2019ZDLGY12-04, 2020ZDLGY09-06), China Postdoctoral Science Foundation (2018 M640962), Natural Science Foundation of Guangxi Province (2019GXNSFBA245049), Fundamental Research Funds for the Central Universities, Innovation Fund of Xidian University.
Zhao, G., Jiang, Q., Huang, X. et al. Secure and Usable Handshake Based Pairing for Wrist-Worn Smart Devices on Different Users. Mobile Netw Appl 26, 2407–2422 (2021). https://doi.org/10.1007/s11036-021-01781-x