Poster: VLC-based Authenticated Key Exchange

Cryptographic keys are essential for secure communication. To establish pairwise secret keys in a group of devices, the devices can first exchange their authentic public keys and then use asymmetric key agreement (e.g., Diffie-Hellman) to compute shared secrets among themselves. Authenticated publickey exchange in a group (even a small one) is nevertheless challenging [1], as a man-in-the-middle or group-in-the-middle adversary can impersonate others or segregate the group. State-of-the-art authenticated public-key exchange protocols often heavily rely on human users acting as Out-of-Band (OOB) channels to defend against strong in-band attacks. Users may be asked to type passcodes on each device, take a picture of a barcode displayed on each device’s screen, or confirm whether every device displays the same information. However, human OOBs are slow and human error complicates the design and validation of security protocols. This work explores Visual Light Communication (VLC) as an alternative OOB channel for reducing user intervention in authenticated key-exchange protocols. VLC is an emerging wireless communication technology with the potential to enhance security and user experience. VLC can provide high inherent security down to the physical layer because of its lineof-sight propagation and ease of isolation. Moreover, VLC is designed to transmit data while maintaining illumination, thus allowing data exchange in the background without annoying users. By contrast, other OOBs (e.g., humans, NFC, or LED blinking patterns) are either slow, designed for pairwise interactions, or are intrusive to the user experience. Although leveraging VLC for security applications has been mentioned in the literature [2], there still lacks a systematic exploration of its benefits and challenges with respect to security, especially when it comes to actual deployment. Hence, in this work, we design a proof-of-concept VLC-based key exchange protocol, analyze its security and performance, and highlight practical considerations based on our experience with the ongoing implementation. In addition, we plan to formalize the problem and threat model under a more realistic setting where, for example, the visual light channel is not ideal.