
        Loud And Clear Security

 



Main Idea

Authentication of communication channels between devices that lack any previous association is a challenging problem. It has been considered in many contexts and in various flavors, most recently by McCune et al., where human-assisted device authentication is achieved through the use of photo cameras (present in some cellphones) and 2-dimensional barcodes. Their proposed Seeing-is-Believing system allows users with camera-equipped devices to use the visual channel to authenticate unfamiliar devices, so as to defeat man-in-the-middle attacks.

In this work, we investigate an alternative and complementary approach: the use of the audio channel for human-assisted authentication of previously un-associated devices. Our motivation is four-fold: (1) many personal devices are not equipped with cameras or scanners, (2) some human users are visually impaired (hence, cannot be in the authentication pipeline of a vision-based system), (3) some usage scenarios preclude taking a sufficiently clear picture, using barcodes, or both, and (4) the use of camera-equipped devices is typically prohibited in high-security facilities such as nuclear power plants and military bases.

We develop and evaluate a system we call Loud-and-Clear (L&C), which, similar to Seeing-is-Believing, places little demand on the human user. L&C is based on the use of a text-to-speech (TTS) engine to read an auditorially-robust, grammatically-correct sentence derived from the hash of a device's public key or a newly computed shared session key. By coupling vocalization on one device with the display of the same information on another device, we demonstrate that L&C is suitable for secure device pairing (e.g., key exchange) and similar tasks. We also describe several use cases, provide some performance data for a prototype implementation, and discuss the security properties of L&C.
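The derivation described above, sketched as an added example that is not taken from the L&C source code. SHA-256, the 16-word lists, the sentence template and the three-sentence (48-bit) length are all assumptions made for illustration; the key bytes are constructed samples.

```python
import hashlib

# Constructed word lists (assumption, not the L&C dictionary): 16 words per
# slot, so each slot encodes 4 bits and one sentence encodes 16 bits.
SLOTS = [
    "Alice Boris Clara David Elena Frank Grace Henry Irene Jacob Karen Lucas Maria Nolan Olive Peter".split(),
    "painted carried dropped folded guarded hammered ignored juggled kicked lifted mailed noticed opened polished rescued stacked".split(),
    "amber brittle crooked dusty empty frozen giant hollow icy jagged knotted lumpy marble narrow orange purple".split(),
    "anchor basket candle dagger engine feather guitar hammer island jacket kettle ladder mirror needle oyster pillow".split(),
]
TEMPLATE = "{} {} the {} {}."  # hypothetical grammatical template
BITS_PER_SLOT = 4


def key_to_sentences(public_key: bytes, sentences: int = 3) -> list[str]:
    """Map the leading bits of SHA-256(public_key) to template sentences."""
    digest = hashlib.sha256(public_key).digest()
    need_bits = sentences * len(SLOTS) * BITS_PER_SLOT
    if need_bits > len(digest) * 8:
        raise ValueError("digest too short for requested sentence count")
    # Keep only the leading need_bits bits of the digest.
    value = int.from_bytes(digest, "big") >> (len(digest) * 8 - need_bits)
    out = []
    for s in range(sentences):
        words = []
        for i, slot in enumerate(SLOTS):
            shift = need_bits - BITS_PER_SLOT * (s * len(SLOTS) + i + 1)
            words.append(slot[(value >> shift) & 0xF])
        out.append(TEMPLATE.format(*words))
    return out


def matches(heard: list[str], received_key: bytes) -> bool:
    """The user's check: spoken sentences equal those displayed for the received key."""
    return heard == key_to_sentences(received_key, len(heard))


if __name__ == "__main__":
    genuine = b"constructed-public-key-of-device-A"  # constructed sample bytes
    swapped = b"constructed-public-key-substituted"  # constructed substituted key
    spoken = key_to_sentences(genuine)  # what device A would vocalize via TTS
    print(spoken)
    print(matches(spoken, genuine), matches(spoken, swapped))
```

The number of sentences sets how many hash bits the human actually compares, so shortening the spoken output directly lowers the work needed to find a substitute key whose sentences match.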

L&C is built on the Ewe programming system (www.ewesoft.com), a highly portable Java platform that runs on a wide range of devices: PocketPC (Windows CE), MS SmartPhone, Casio BE-300, HandHeldPC Pro, Sharp Zaurus, Linux PC, Windows PC, and any Java 1.2 VM.

Currently, the text-to-speech functionality is supported on Pocket PC and Windows PC. We are working on porting Sun's FreeTTS and JSAPI to Ewe so that TTS is supported on most devices.

Click here to view snapshots of a sample L&C use scenario.


People

  Michael Goodrich, Michael Sirivianos,  Gene Tsudik,  John Solis,  Ersin Uzun.


Related Publications


  Michael T. Goodrich, Michael Sirivianos, John Solis, Gene Tsudik, and Ersin Uzun: Loud And Clear: Human Verifiable Authentication Based on Audio [pdf]. IEEE ICDCS 2006.


Presentations


 
  Loud And Clear Security [ppt].  CyberTrust 2005 poster presentation.
 
  Loud And Clear: Human Verifiable Authentication Based on Audio [ppt].  IEEE ICDCS 2006.

Demo


In these videos [1], [2] we demonstrate common uses of LaC to achieve human verifiable authentication. 

The first video shows how LaC is used to achieve unidirectional authentication of a non-human-attended device. The second video shows how LaC is used for bidirectional (mutual) key exchange authentication.



Download Loud And Clear for Windows PC and Pocket PC 2002


Download L&C here and unzip it in the "C://Program Files" directory. Follow the instructions in the README.txt file to install and use L&C.

You can download the source code here. The zip file includes configuration files for the Ant build tool.