Location-Aware Sign-On and Key Exchange using Attribute-Based Encryption and Bluetooth Beacons Marcos Portnoi, Chien-Chung Shen Computer and Information Sciences, University of Delaware Newark, Delaware The Issue

Enter the Location-Aware Sign-on



Traditional authentication consists of username and password.





Strong security requires stronger passwords.





Long, hard-to-memorize passwords. 

How do we get stronger passwords? 



Longer passwords with high entropy = hard-to-memorize passwords. 

Uses location as an authentication factor. Uses the consumer mobile device (smartphone) as an agent to perform locationaware sign-on procedures on behalf of the user. Uses Attribute-Based Encryption (ABE) to construct a secure key exchange protocol. Uses Bluetooth Low Energy beacons to delimit wireless broadcast zones for indoor location. Does not require that the mobile device knows, or reports, its present location.

1sth!s@hArdt0m3M0r1zEp@s$wORdd postercoffeerentalcarpetchandellierdustbook 6ba7752136af3514dd3f24d98575287cbc39b9eae14499d790c53af1d0156b2f



Two-factor authentication.

Case scenario: office The Location-Aware Sign-On at work 

1. Password + another (temporary) information shared through secondary channel. SMS codes.

Token authenticators.

419 Royal Bank. The one-time code is 18471030. Please enter and submit it online.







Unique passwords per system in which we are registered.

Wireless-delimited broadcast zones, employing Bluetooth Low-Energy beacons, covers an office floor. Beacons broadcast ABE encrypted messages (keys) containing access rules. If a mobile device within range is able to decrypt the message, then a key exchange follows between mobile device and backend system.

And then, more issues  

We navigate and sign-on to several systems in a day.

Pigeon Email Login

This is a sign-on procedure done on behalf of the user.

Username: connorm Corporate Intranet

Password: ••••••••• 

Username: cmacleod Password: ••••••••• PaperTrail Bank Username: CmaCleod Password: •••••••••

A second authentication step is performed by the user, utilizing a “simpler” factor (a temporary PIN, pattern, or fingerprint) to the backend system.

Singularity University Username: cmacleod9

Old News Tribune

Password: •••••••••

Username: cmcleod Password: •••••••••



We tend to rely more on mobile devices for access.



Mobile devices = small touch screens, no hardware keyboards.

The Key Exchange

Typing long, mixed-character passwords is cumbersome!

How can we combine: wireless communications, two-factor authentication, long passwords, into an improved user experience with authentication security?

Highlights















Our ABE-based key exchange allows access rules (built on attributes) to be encoded within ciphertext itself. The messages containing access rules can be broadcast through insecure medium.

The primary access decision relies on the capacity, of the user, to decrypt the broadcast message (i.e., the user’s attributes). The access rules can be changed on the fly. www.marcosportnoi.com