Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for auto-provisioning large networks of Internet-of-Things (IoT) devices. Presently, these networks use password-based authentication, which is difficult to scale to more than a handful of devices. To deal with this challenge, ZIPA enabled devices autonomously extract identical authentication or encryption keys from ambient environmental signals. However, during the key negotiation process, existing ZIPA systems leak information on a public wireless channel which can allow adversaries to learn the key. We demonstrate a passive attack called SyncBleed, which uses leaked information to reconstruct keys generated by ZIPA systems. To mitigate SyncBleed, we present TREVOR, an improved key generation technique that produces nearly identical bit sequences from environmental signals without leaking information. We demonstrate that TREVOR can generate keys from a variety of environmental signal types under 4 seconds, consistently achieving a 90-95% bit agreement rate across devices within various environmental sources.

翻译：零参与配对与认证（ZIPA）是一种为大规模物联网设备网络自动配置的有前景的技术。目前，这些网络采用基于密码的身份验证，难以扩展到超过少量设备。为应对这一挑战，ZIPA使设备能够从环境信号中自主提取相同的认证或加密密钥。然而，在密钥协商过程中，现有ZIPA系统会在公共无线信道上泄露信息，使攻击者可能获知密钥。我们提出一种名为SyncBleed的被动攻击，利用泄露的信息重构ZIPA系统生成的密钥。为缓解SyncBleed，我们提出TREVOR，一种改进的密钥生成技术，能从环境信号中生成几乎相同的比特序列且不泄露信息。我们证明，TREVOR能在4秒内从多种环境信号类型中生成密钥，在不同环境源下的设备间持续实现90-95%的比特一致率。