Using acoustic networking to transfer data provides some unique benefits for a vast number of applications in a wide array of industries. Applications range from delivering a simple and low-cost entry system for public transport to facilitating peer-to-peer (P2P) payments between two connected parties. The fundamental properties of sound can work to enable a seamless exchange of data payloads across a range of physical environments.
While the usability and time-saving capabilities of data-over-sound are well-understood, there remains a question from those assessing the viability of implementing this type of data transmission into their operations: Can information being transmitted over sound be protected from nearby eavesdroppers? On one hand, audio seems to be more secure than IP-based connectivity, which hackers can remotely penetrate. To put the question to bed, let’s look at the characteristics of sound and how industry-standard encryption can be applied to acoustic data transfer, rendering it secure and safe from the ears of unwanted listeners (Figure 1).
Figure 1. The end-to-end process of encrypting and decrypting data sent over sound to provide quick and secure, peer-to-peer connectivity that can work completely offline.
Acoustic vs. RF Security
When understanding the potential of sound as a means for secure data exchanges, it is useful to grasp its fundamental security benefits and ability to perform just as securely as other forms of connectivity, such as RF. Acoustic data transfer enables localised connectivity, which can effectively reduce the area of potential attack. It doesn’t require IP-based connectivity to perform the transmission, which diminishes the risk of interference from remote hackers.
Ultrasonic transmissions are also beneficial in environments that require secure near-field data transfer in sensitive or RF-saturated vicinities. Because sound doesn’t leak through walls, listeners in adjacent rooms or buildings can’t pick it up. This makes data-over-audio highly suited to areas such as industrial sites or hotel rooms where certain sensitive data must be kept within the confines of one space.
In terms of regulatory considerations, offline acoustic transmissions are compliant with the parameters set by General Data Protection Regulation (GDPR) and The Children’s Online Privacy Protection Act (COPPA) information security rulings – an asset which removes further compliance concerns and is particularly valuable for those delivering consumer-facing applications.
Encryption with a shared key (AES)
Encryption makes data unreadable by anyone other than those with the keys to decode it. Networking technology like data-over-sound can provide the transport layer with an encryption algorithm applied to the data to further protect it from nearby listeners during transmission.
We can take different approaches to data-over-audio depending on the use case, w. A popular approach is Advanced Encryption Standard (AES), one of the most widely-adopted encryption algorithms due to its proven security for a range of applications. The U.S. government were the first to adopt AES to keep classified information safe, and it is used in secure file transfer protocols including HTTPS and SSH. AES is particularly suitable as it doesn’t increase the size of the payload, which is useful for the low-bandwidth channel that acoustic networking provides.
The first step in applying encryption to audio-based transmission is to determine the AES block size to use (128, 192, 256-bit), and pick a shared key to use on both the sender and receiver side. Next, an initialisation vector (IV) or a counter is required. This value should be different for each of the payloads being encrypted, otherwise this will not be secure for transmission.
The way the IV is modified must be known by both parts and replicable, as you can only decrypt the data with the exact same IV. Finally, the encryption function on the data needs calling. This method will return the encrypted payload and will consist of the same length as the raw payload. Decrypting an AES ciphertext is much like the encryption process, just in the reverse order.
Encryption with a public/private key infrastructure (RSA)
The Rivest, Shamir and Adelman (RSA) algorithm is another way to encrypt data. It’s a strong technique for situations in which an individual wants to make a secure transaction to a trusted third party who already has the public keys, such as a bank or point of sale.
Additionally, the third party is also able to verify their identity using the RSA signature. Once a message has been encrypted using the public key, it is only able to be decrypted by an additional key, also known as the private key.
Time-based keying (TOTP)
As an alternative to encryption, time-based one-time passwords (TOTP) can be used to create throwaway single-use keys. This approach is great for situations in which an individual needs a lightweight method to authenticate using a PIN, which is safe from the risk of replay attacks. It is, however, worth noting that this method requires a clock that is roughly synchronised to both devices being used for the encryption process.
There are several viable options when it comes to transmitting data securely and, as a result, there isn’t just one solution that outweighs them all. With various encryption options readily available, sound-based connectivity can be equally as secure as the likes of RF-based transmission, while also giving the user complete control over their encryption approaches. Depending on the situation or use case, data-over-sound transmission provides developers with a myriad of methods to build a tailor-made approach to security. As a result, developers can be confident that the method chosen is the correct one, and they can successfully enable secure data transmission using sound.
Joe Todd is Head of Engineering at Chirp.
>> This article was originally published on our sister site, EE Times: “Data Over Sound: Encryption is Key.”