This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present disclosure that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present disclosure. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
There are many scenarios in which two devices need to interact to exchange data. A common case occurs when a single user controls the devices, e.g. a laptop and a wireless access point. In this case, the communication passes over a wireless communication channel that is relatively easy to eavesdrop. Therefore, it is important to ensure that this channel is secure, in particular when sensitive data is to be transmitted. While the wireless channel will be used as an example, it will however be appreciated that this also applies, but often to a lesser extent, to wired connections.
In these cases, it is common that there is no prior trust infrastructure. This opens the door for the so-called man-in-the-middle attacks. Mitigation of this attack requires some level of user involvement in the device enrolment process. Prior art solutions comprise different methods as button protocols and the use of visual channels (e.g. a first device can have a bar code that the user scans with the second device and the information is used to generate a session key). Such methods engage the user in interacting with the devices communicating over the wireless channel. This is the basis of forming a secure connection between devices in ad hoc networks.
Most applications today employ Transport Layer Security (TLS) protocol for providing secure connections. Conventional options available for authenticating the user include pre-shared key, passwords or public-key certificates. However, there are only a few applications that employ client-side public key certificates for user authentication. In fact, the deployment and management of certificates has turned out to be the main issue.
There exist solutions that combine a password and a certificate for authenticating a user. These methods generally work as follows: when the user is provided with a certificate and a private key, he is directed to input a password. The password is used for the secure storage of the private key and permits minimizing the risks of the certificate being lost or stolen. Then, during a TLS session, the user is requested to enter the password again in order to “unlock” the digital certificate for use. The password is given as evidence of possession of the private key associated to the digital certificate.
A man-in-the-middle (“MITM”) attack or impersonation is a type of attack on mutual authentication protocols in which an attacker makes independent connections with two devices and relays messages between them. The attacker in a MITM attack is usually invisible, and impersonates the devices making them believe they are communicating directly with one another over a secure connection. The attacker, however, controls the entire communication. MITM attacks may be devastating. If, a user authenticates himself to the MITM, then he reveals his credentials and the attacker can misuse them to spoof the user.
Many authentication mechanisms fail to provide enough protection against MITM or impersonation attacks. There are two main reasons:                1. The user-authentication mechanism used is usually weak. This leads to a situation in which the user talks to the MITM, thereby revealing his password,        2. The TLS session establishment is generally decoupled from the user authentication. If for instance a shared secret-key leaks, it can be reused to spoof any device in a network.        
Consequently, any effective countermeasure against MITM attacks must address these problems by implementing a secure authentication mechanism that combines user authentication with TLS certificate-based authentication.
RFC 2945, “The SRP Authentication and Key Exchange System”, describes a Secure Remote Password (SRP) algorithm that enables set-up of authentication based on passwords. The client has a password or PIN code and the server has a verification data (e.g. the salted hash of the password). SRP provides strong mutual authentication. However, SRP is not always supported or available. Datagram TLS (DTLS), which is the reference for protecting data over UDP, does not support SRP authentication; only certificate-based and pre-shared key authentication are currently supported.
A first problem with the prior art methods is that when password verification is local to a device it cannot be trusted because of a possibly weak security enforcement mechanism. This may be harmful for the system infrastructure. The reason is that in such a case, an attacker can bypass the password enforcement on a weak device and then get access to critical resources. It will thus be seen that there is a need for a solution in which the remote device (i.e. the verifier) not only verifies that the user possesses the private key but also that he knows the correct password.
A second problem with the prior art methods, is the centralized nature and complexity of setting up a PKI infrastructure. The scalability (addition of new devices) within such systems requires a management service for the signature and delivery of new certificates. This has a cost and is not easy to set-up or use, especially for a user without any security knowledge. In many cases, particularly for ad hoc networks, there is no central authority or management server and devices generate self-signed certificates. Since any device then can generate a certificate, it is difficult to trust such certificates. We address the issue here by proposing a secure and decentralized PKI system based on the knowledge of a unique password. This renders the deployment and management of certificates completely transparent for the user. The user needs only to remember the password.
It will thus be appreciated that there is a need for a solution that ensures that a certificate not only permits remote password verification, but also that the certificate was generated by a user device under control of a user that knows the password. The present disclosure provides such a solution.