Post on 16-Jul-2020
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC and authenticationin pervasive and social computation
Dusko Pavlovic
Kestrel Instituteand
Oxford University
January 2008
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive securityNear Field CommunicationProblems of pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Near Field Communication (NFC)
Phone with a contactless smart card:
Secure Element (SE) is a miniSD flash memory, or a USIM card, or a separate microcontroller.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC modes of operation: standards
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC stakeholders
I mobile operators:pro: revenue from card issuers, targeted
advertising, social networkingcon: no revenue from P2P transactions1
I card issuers:pro: increased availability and overall
transaction value,con: dependency on mobile operators
I banks:pro: increased availability and overall
transaction valuecon: lost revenue to P2P digital cash
transactions
1cf. Bluetooth disabling
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC deployment
Australia: Telstra, National Australia Bank
China: China Mobile, Philips, Nokia, Xiamen e-Tongcard
France: CIC, Credit Mutuel, Gemalto, LaSer, Pegasus(multi-operator, multi-bank, multi-card), RATP,SFR
Germany: Deutsche Bahn, Rhein-Main Vb (Frankfurt),Nokia, Philips, Vodafone
India: Delta Technologies
Japan: DoCoMo
UK: Barklays, Orange, O2, TfL Oyster, WirelessFest in Hyde Park
USA: Cingular, Discover, Inside Contactless, Nokia,NXP, NY subway, Venyon ZTar,
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsContactless payment and exchange
I card mode (← Chip & Pin, EMV)2008 transaction value: $ 2.4 billion (Juniper)
2011 transaction value: $ 24-36 billion (Juniper, Strategy Analytics)
I RW mode:I electronic tickets, transportation systemsI off-line micropayments (← Chip-Knip)
I P2P mode:I digital cash transactionsI electronic barterI street markets and transient merchantsI vending
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity commercial networking
I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing
I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help
I general shopping assistance
I RW mode: bootstrap other networksI distribute relevant URLsI establish Bluetooth, WLAN connections to local
resources
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity commercial networking
I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing
I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help
I general shopping assistanceI RW mode: bootstrap other networks
I distribute relevant URLsI establish Bluetooth, WLAN connections to local
resources
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Security problems
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, and
I pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solution
Swap the horses!
. . . i.e. swap the devices, or the send buttons.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solutionSwap the horses!
. . . i.e. swap the devices, or the send buttons.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solutionSwap the horses!
. . . i.e. swap the devices, or the send buttons.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonationBasic ideasDeriving challenge-responseReal example: GDOI
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of information flow security
Secrecy: bad information flows do not happen
Authenticity: good information flows do happen
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of program dependability
Safety: bad things do not happen
Liveness: good things do happen
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of information flow security
Secrets must be authenticated
Authentications are based on secrets
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication by challenge-response (CR)
A B◦
νx��◦
cAB x // ◦
��◦ ◦
rAB xoo
A : (νx)A
(〈〈cABx〉〉A . ((rABx))A
=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A
)(cr)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication by challenge-response (CR)
A B◦
νx��◦
cAB x // ◦
��◦ ◦
rAB xoo
A : (νx)A
(〈〈cABx〉〉A . ((rABx))A
=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A
)(cr)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
cAB x:=x // ◦
��◦ ◦
rAB x:=SB xoo
SB t = SBu =⇒ t = u (sig1)
VB(y, t) ⇐⇒ y = SB t (sig2)
〈〈SB t〉〉X. =⇒ X = B (sig3)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
x // ◦
��◦ ◦
SB xoo
(sig1-3) ∧ (B honest) ` (cr)[cAB x:=x, rAB x:=SB x]
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-Middle attack on CRS
A I B◦
νx��◦
A to B:x // ◦I to B:x // ◦
��◦ ◦
B to A :SB xoo ◦B to I:SB xoo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
x // ◦
��◦ ◦
SB xoo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based nested challenge-response (CRSN)
A B◦
νy��
◦
νx��
◦yoo
◦x // ◦
��◦
��
◦SB xoo
◦SA y // ◦
assumptions: (sig1-3), (A honest), (B honest)
guarantee: using (cr) A and B derive matching views
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based nested challenge-response (CRSN)
A B◦
νy��
◦
νx��
◦yoo
◦x // ◦
��◦
��
◦SB xoo
◦SA y // ◦
assumptions: (sig1-3), (A honest), (B honest)
guarantee: using (cr) A and B derive matching views
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-Middle attack on CRSN
A I B◦
νy��
◦
νx��
◦B to A :yoo ◦
B to I:yoo
◦A to B:x // ◦
I to B:x // ◦
��◦
��
◦B to A :SB xoo ◦
B to I:SB xoo
◦A to B:SA y // ◦
I to B:SA y // ◦
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
IPSec GDOI protocol
A B
◦
νx��◦
A to B:x,HAB x // ◦
νy��
◦ ◦B to A : y,HBA (x,y)oo
◦A ,A ′ to B: CA′ , ΣA′ ,
HAB (y,CA′ , ΣA′ )
// ◦
νk��
◦ ◦B ,B′ to A ,A ′: k ,ΣB′ ,
HBA (x,k ,ΣB′ )
oo
ΣX = SX (x, y)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-middle attack on GDOI
A I B
◦
νx��◦
A to I:x,HAIx // ◦I to B: x,HIB x // ◦
νy��
◦ ◦I to A : y,HIA (x,y)oo ◦
B to I: y,HBI(x,y)oo
◦A ,A ′ to I: CA′ , ΣA′ ,
HAI(y,CA′ , ΣA′ )
// ◦I,A ′ to B: CA′ , ΣA′ ,
HIB (y,CA′ , ΣA′ )
// ◦
νk��
◦ ◦B ,B′ to I,A ′: k ,ΣB′ ,
HBI(x,k ,ΣB′ )
oo
ΣX = SX (x, y)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocolsTimed challenge-responseBinding timed response and crypto responseBinding timed response and crypto challengeMixing timed channels
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Timed challenge-response
V X◦
νx��•
xτ0
+3________ ________ •
��• •
f(x)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
supports the axiom
V : (νx)V
(τ0〈x〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ τ1 − τ0
)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Combining timed response and cryptographic response
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦f(x)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
rVPxoo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
rVP (x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 1
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
I V : P honest =⇒ d(V ,P) < τ1 − τ0
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 1
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
I V : P honest =⇒ d(V ,P) < τ1 − τ0
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseDischarge the honesty assumption?
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseP can still cheat
V P◦
νx��
◦
νz��
•xτ0
+3________ ________ ◦
��•
��
◦zτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,x⊕z)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheat
I Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response— with commitment
V P◦
νy��
◦
νx��
◦ct(y)oo
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
dt(y), rVP (x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = H1(x)::x dt(x) = x0
ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = H1(x)::x dt(x) = x0
ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response— with commitment
V P◦
νy��
◦
νx��
◦ct(y)oo
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
dt(y), rVP (x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 3
V P◦
νy��
◦
νx��
◦H0yoo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1y,y,SP (x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseCapkun-Hubaux
V P◦
νy��
◦
νx��
◦H0yoo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1y,y,x,H(kVP ,x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-Syverson
V P◦
νy��
◦
νx��
◦H0(y,P)oo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1(y,P),y,x,H(kVP ,x,y)oo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ P
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response. . . and in general
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,rVP (x,y)oo
I f(x, y) one-way function in yI only P could generate rVP(x, y).
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response. . . and in general
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,rVP (x,y)oo
I f(x, y) one-way function in yI only P could generate rVP(x, y).
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
cVP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(more convenient when P is a smart card)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
cVP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(more convenient when P is a smart card)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
EP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(if P has a public key)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic challengeHancke-Kuhn
V P◦
νy��◦
y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
x�H(k ,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
x � z = [z(xi)i ] where z = z(0)::z(1)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocolsSocial channel and its useSocial commitmentAuthentication before decommitmentAuthentication after decommitmentSocially authenticated key exchangeSecurity homology
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Preliminary example: a timed social protocol
A B•
mτ0
+3______ ______ ◦
��� (m)τ1
oo o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC
I "If A sees βB before γC , then she knows that βB
occurred before γC ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."
I lB to A : β m . l C to A : γm =⇒ A : βB . γCI "If A sees βB before γC , then she knows that βB
occurred before γC ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC
I "If A sees βB before γC , then she knows that βB
occurred before γC ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actionsGraphic notation
I βB ///o/o �A represents lβmB to A
I ◦Bσt ///o/o �A represents ltmB to A
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
��
◦σeoo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo
A B
◦
��
◦eoo
��� ◦
σeoo o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
��
◦σeoo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo
A B
◦
��
◦eoo
��� ◦
σeoo o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distribution. . . byt Ivan may have replaced it
A I B
�
��
◦σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo ◦uoo
A I B
◦
��
◦eoo ◦
uoo
��� ◦
σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social commitment
A B◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
A B◦
νy
��◦
��
◦e, ct(e,y)oo
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : ∃y. σy = s ∧ lB to A : ymB
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃y. l B to A : σymB
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃u∃y.⟨u, ct(u, y)
⟩B D lσymB
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃u. (νy)B D⟨u, ct(u, y)
⟩B D lσymB
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ (νy)B D⟨e, ct(e, y)
⟩B D lσymB D
⟨dt(e, y)
⟩B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano template
A B
◦
νs
��◦
��
◦e, H(k ,e,s)oo
���
��
◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano- 1
2
A B
◦
νs
��◦
��
◦gb , H(k ,gb ,s)oo
���
��
◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano
A B
◦
νsa
��
◦
νsb
��◦
ga , H(ka ,ga ,sa)
33
��
◦
gb , H(kb ,gb ,sb )ss
��� oo sb
sa///o/o/o/o/o/o/o/o/o
��
�
��◦
ka
33 ◦kb
ss
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano 3
A B
◦ga
// ◦
νsb
��◦
��
◦gb , H(k ,ga ,gb ,sb )oo
◦1 ///o/o/o/o/o/o/o/o/o �
���
��
◦sboo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ (νy)B D⟨e, ct(e, y)
⟩B D lσymB D
⟨dt(e, y)
⟩B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentHoepman- 1
2
A B
◦
νxe=y=gx
��◦
��
◦Hyoo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
yoo
I A : B honest =⇒ (νx)B D⟨H(gx)
⟩B D lσ(gx)mB D 〈gx〉B
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦ ◦e, ct(e,y)oo
?
��
?
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦ ◦e, ct(e,y)oo
?
��
// ?
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
A B◦
νy��
◦
νx��
◦e, ct(y)oo
◦x // ◦
��◦
��
◦dt(y)oo
��� ◦
σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentVaudenay: SAS- 1
2
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σ(x⊕y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentNguyen-Roscoe: HCBK- 1
2
A B◦
νy��
◦
νx��
◦e, Hyoo
◦x // ◦
��◦
��
◦yoo
��� ◦
σ(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B◦
νx��
◦
νy��
◦
��
eA , Hx++ ◦
eB , Hy
kk
��◦
��
x++ ◦
ykk
��� �//
σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B◦
νx��
◦
νy��
◦
��
eA , Hx++ ◦
eB , Hy
kk
��◦
��
x++ ◦
ykk
��� �//
σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
((νx)A 〈eA ,Hx〉A (u1, u2)A ⊗
(νy)B 〈eB ,Hy〉B (v1, v2)B
);
(〈x〉A (u3)A (u1, u2/eB ,Hu3)A l σ(eA , eB , x, u3) mA ⊗
〈y〉B (v3)B (v1, v2)/eA ,Hv3)B l σ(eA , eB , v3, y) mB
)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principals
I all principals must digest at the same payload
I social protocol to compare the digests
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
V P◦
νy��
◦
νx��
◦ct(y)oo
◦x +3________ ________ ◦
��◦
��
◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��� ◦
dt(y),rVP (x,y)oo
Social authentication is not challenge-response:
x on the left is not a challenge, but a binder, analogous to y.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
V P◦
νy��
◦
νx��
◦ct(y)oo
◦x +3________ ________ ◦
��◦
��
◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��� ◦
dt(y),rVP (x,y)oo
Social authentication is not challenge-response:
x on the left is not a challenge, but a binder, analogous to y.
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Trust and reputation
NOT PRESENTED
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Deriving location authetication: Mobile IP
NOT PRESENTED
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not suffice
I bootstrap distance, proximity, routing. . .I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones