Alljoyn Pairing Security

asked 2015-08-02 10:50:05 -0700

sumirbharati

Alljoyn Pairing Security - we use the ALLJOYN_ECDHE_NULL authentication mechanism to create an encrypted connection between our devices. We choose this option because we do not want the user to have to enter pincodes, or passwords. Instead we use a simple picture pairing protocol to pair devices - the user is asked to select images on both devices. However, with anonymous key exchange there is a risk of a 'man in the middle' attack. Therefore we would like to be able to leverage the shared secret in order to select the picture displayed on each device. Do you think it’s acceptable to use Master / Session key like this?


Comments

You might try on the core mailing list. https://lists.allseenalliance.org/mailman/listinfo/allseen-core

ry.jones (2015-08-07 11:58:47 -0700)

1 answer


answered 2015-08-10 01:29:33 -0700

praveenb

updated 2015-10-20 17:01:43 -0700

To be able to prevent man-in-the-middle attacks when using ECDHE, it is important that both end points should authenticate with each other.

Without prior authentication, leveraging the master / session key will not avoid man-in-the-middle attacks.
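
Added example, not part of the question, the answer, or AllJoyn's own code: a model of the scheme the question describes, where each device derives the picture it shows from the key-exchange secret. It assumes a toy finite-field Diffie-Hellman group in place of ECDHE, and the names `picture_index`, `NUM_PICTURES` and the relay model are hypothetical. It shows what each endpoint derives when the devices exchange values directly and when a third party supplies its own public value to both.

```python
import hashlib
import secrets

# Assumption: a toy finite-field Diffie-Hellman group stands in for ECDHE.
# 2**127 - 1 is prime but far too small for real use; illustration only.
P, G = 2**127 - 1, 3
NUM_PICTURES = 16  # hypothetical size of the picture set shown to the user


def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Anonymous exchange: the peer's public value is accepted unverified."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def picture_index(secret):
    """Hypothetical mapping from the session secret to a picture number."""
    digest = hashlib.sha256(b"picture-pairing" + secret).digest()
    return int.from_bytes(digest, "big") % NUM_PICTURES


def pair_direct():
    """Devices A and B exchange public values with each other."""
    (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()
    return (picture_index(shared_secret(a_priv, b_pub)),
            picture_index(shared_secret(b_priv, a_pub)))


def pair_with_relay():
    """A relay hands its own public value to both A and B."""
    (a_priv, _), (b_priv, _), (_, m_pub) = keypair(), keypair(), keypair()
    key_a = shared_secret(a_priv, m_pub)  # A believes m_pub came from B
    key_b = shared_secret(b_priv, m_pub)  # B believes m_pub came from A
    return key_a, key_b, picture_index(key_a), picture_index(key_b)


def mismatch_rate(trials=2000):
    """Fraction of relayed pairings where the two pictures differ."""
    runs = (pair_with_relay() for _ in range(trials))
    return sum(pic_a != pic_b for _, _, pic_a, pic_b in runs) / trials


if __name__ == "__main__":
    print("direct:", pair_direct(), "relayed mismatch:", mismatch_rate())
```

In this constructed model both devices complete the exchange in either case; with 16 pictures, two unrelated secrets map to the same picture about one time in 16, so the measured mismatch rate sits near 15/16 when the relay's value is chosen at random.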
