Abstract

Authentication between mobile devices in ad-hoc computing environments is a challenging prob- lem. Without pre-shared knowledge, existing applications must rely on additional communication methods, such as out-of-band or location-limited channels for device authentication. Much of the focus in development of new applications in this area seeks to reduce or eliminate the impact of this additional requirement. However, no formal analysis has been conducted to determine whether out- of-band channels are actually necessary, or more importantly, whether the protocols used to establish ad-hoc communication can be proven secure. We seek to answer these questions through formal analysis of authentication protocols in mobile device applications. Specifically, we use BAN logic to show that device authentication using a single channel is not possible, and propose a BAN logic extension to help prove correct existing authentication protocols. We demonstrate our analysis by applying our extensions to existing mobile device authentication applications.