NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social...
Transcript of NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social...
![Page 1: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/1.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC and authenticationin pervasive and social computation
Dusko Pavlovic
Kestrel Instituteand
Oxford University
January 2008
![Page 2: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/2.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 3: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/3.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive securityNear Field CommunicationProblems of pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 4: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/4.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Near Field Communication (NFC)
Phone with a contactless smart card:
Secure Element (SE) is a miniSD flash memory, or a USIM card, or a separate microcontroller.
![Page 5: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/5.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC modes of operation: standards
![Page 6: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/6.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC stakeholders
I mobile operators:pro: revenue from card issuers, targeted
advertising, social networkingcon: no revenue from P2P transactions1
I card issuers:pro: increased availability and overall
transaction value,con: dependency on mobile operators
I banks:pro: increased availability and overall
transaction valuecon: lost revenue to P2P digital cash
transactions
1cf. Bluetooth disabling
![Page 7: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/7.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC deployment
Australia: Telstra, National Australia Bank
China: China Mobile, Philips, Nokia, Xiamen e-Tongcard
France: CIC, Credit Mutuel, Gemalto, LaSer, Pegasus(multi-operator, multi-bank, multi-card), RATP,SFR
Germany: Deutsche Bahn, Rhein-Main Vb (Frankfurt),Nokia, Philips, Vodafone
India: Delta Technologies
Japan: DoCoMo
UK: Barklays, Orange, O2, TfL Oyster, WirelessFest in Hyde Park
USA: Cingular, Discover, Inside Contactless, Nokia,NXP, NY subway, Venyon ZTar,
![Page 8: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/8.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsContactless payment and exchange
I card mode (← Chip & Pin, EMV)2008 transaction value: $ 2.4 billion (Juniper)
2011 transaction value: $ 24-36 billion (Juniper, Strategy Analytics)
I RW mode:I electronic tickets, transportation systemsI off-line micropayments (← Chip-Knip)
I P2P mode:I digital cash transactionsI electronic barterI street markets and transient merchantsI vending
![Page 9: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/9.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity commercial networking
I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing
I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help
I general shopping assistance
I RW mode: bootstrap other networksI distribute relevant URLsI establish Bluetooth, WLAN connections to local
resources
![Page 10: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/10.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity commercial networking
I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing
I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help
I general shopping assistanceI RW mode: bootstrap other networks
I distribute relevant URLsI establish Bluetooth, WLAN connections to local
resources
![Page 11: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/11.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
![Page 12: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/12.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
![Page 13: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/13.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
![Page 14: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/14.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Beyond address book:
I P2P mode: support local networksI exchange public keys, personal (business) cards
I RW mode: generate local networksI check in selected personal data2 at a smart place
I club, school, shopping mall. . .I local recommender system forms clusters
I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .
I receive other relevant informationI recommendation driven advertising in physical space
I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)
2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"
![Page 15: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/15.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Security problems
![Page 16: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/16.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, and
I pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
![Page 17: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/17.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
![Page 18: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/18.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
NFC applicationsProximity social networking
Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general
Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support
![Page 19: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/19.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
![Page 20: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/20.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
![Page 21: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/21.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.
Why?
Exchange is like a race where the winning horse is the last to finish.
![Page 22: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/22.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solution
Swap the horses!
. . . i.e. swap the devices, or the send buttons.
![Page 23: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/23.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solutionSwap the horses!
. . . i.e. swap the devices, or the send buttons.
![Page 24: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/24.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 1: Fair exchange (contract signing)
Pervasive solutionSwap the horses!
. . . i.e. swap the devices, or the send buttons.
![Page 25: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/25.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
![Page 26: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/26.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
![Page 27: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/27.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFCNFC perspective
Pervasive securityproblems
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
New security landscapeExample 2: Smart card relay attacks
This becomes much easier with NFC phones!
Solution: distance bounding,social authentication (sign receipt)
![Page 28: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/28.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonationBasic ideasDeriving challenge-responseReal example: GDOI
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 29: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/29.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of information flow security
Secrecy: bad information flows do not happen
Authenticity: good information flows do happen
![Page 30: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/30.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of program dependability
Safety: bad things do not happen
Liveness: good things do happen
![Page 31: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/31.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Basics of information flow security
Secrets must be authenticated
Authentications are based on secrets
![Page 32: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/32.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication by challenge-response (CR)
A B◦
νx��◦
cAB x // ◦
��◦ ◦
rAB xoo
A : (νx)A
(〈〈cABx〉〉A . ((rABx))A
=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A
)(cr)
![Page 33: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/33.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication by challenge-response (CR)
A B◦
νx��◦
cAB x // ◦
��◦ ◦
rAB xoo
A : (νx)A
(〈〈cABx〉〉A . ((rABx))A
=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A
)(cr)
![Page 34: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/34.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
cAB x:=x // ◦
��◦ ◦
rAB x:=SB xoo
SB t = SBu =⇒ t = u (sig1)
VB(y, t) ⇐⇒ y = SB t (sig2)
〈〈SB t〉〉X. =⇒ X = B (sig3)
![Page 35: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/35.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
x // ◦
��◦ ◦
SB xoo
(sig1-3) ∧ (B honest) ` (cr)[cAB x:=x, rAB x:=SB x]
![Page 36: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/36.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-Middle attack on CRS
A I B◦
νx��◦
A to B:x // ◦I to B:x // ◦
��◦ ◦
B to A :SB xoo ◦B to I:SB xoo
![Page 37: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/37.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B◦
νx��◦
x // ◦
��◦ ◦
SB xoo
![Page 38: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/38.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based nested challenge-response (CRSN)
A B◦
νy��
◦
νx��
◦yoo
◦x // ◦
��◦
��
◦SB xoo
◦SA y // ◦
assumptions: (sig1-3), (A honest), (B honest)
guarantee: using (cr) A and B derive matching views
![Page 39: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/39.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based nested challenge-response (CRSN)
A B◦
νy��
◦
νx��
◦yoo
◦x // ◦
��◦
��
◦SB xoo
◦SA y // ◦
assumptions: (sig1-3), (A honest), (B honest)
guarantee: using (cr) A and B derive matching views
![Page 40: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/40.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-Middle attack on CRSN
A I B◦
νy��
◦
νx��
◦B to A :yoo ◦
B to I:yoo
◦A to B:x // ◦
I to B:x // ◦
��◦
��
◦B to A :SB xoo ◦
B to I:SB xoo
◦A to B:SA y // ◦
I to B:SA y // ◦
![Page 41: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/41.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
IPSec GDOI protocol
A B
◦
νx��◦
A to B:x,HAB x // ◦
νy��
◦ ◦B to A : y,HBA (x,y)oo
◦A ,A ′ to B: CA′ , ΣA′ ,
HAB (y,CA′ , ΣA′ )
// ◦
νk��
◦ ◦B ,B′ to A ,A ′: k ,ΣB′ ,
HBA (x,k ,ΣB′ )
oo
ΣX = SX (x, y)
![Page 42: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/42.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
DerivingauthenticationBasics
Challenge-response
Real example: GDOI
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Intruder-in-the-middle attack on GDOI
A I B
◦
νx��◦
A to I:x,HAIx // ◦I to B: x,HIB x // ◦
νy��
◦ ◦I to A : y,HIA (x,y)oo ◦
B to I: y,HBI(x,y)oo
◦A ,A ′ to I: CA′ , ΣA′ ,
HAI(y,CA′ , ΣA′ )
// ◦I,A ′ to B: CA′ , ΣA′ ,
HIB (y,CA′ , ΣA′ )
// ◦
νk��
◦ ◦B ,B′ to I,A ′: k ,ΣB′ ,
HBI(x,k ,ΣB′ )
oo
ΣX = SX (x, y)
![Page 43: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/43.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocolsTimed challenge-responseBinding timed response and crypto responseBinding timed response and crypto challengeMixing timed channels
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 44: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/44.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Timed challenge-response
V X◦
νx��•
xτ0
+3________ ________ •
��• •
f(x)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
supports the axiom
V : (νx)V
(τ0〈x〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ τ1 − τ0
)
![Page 45: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/45.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Combining timed response and cryptographic response
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦f(x)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
rVPxoo
![Page 46: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/46.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
rVP (x,y)oo
![Page 47: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/47.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 1
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
I V : P honest =⇒ d(V ,P) < τ1 − τ0
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
![Page 48: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/48.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 1
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
I V : P honest =⇒ d(V ,P) < τ1 − τ0
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
![Page 49: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/49.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseDischarge the honesty assumption?
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,y)oo
![Page 50: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/50.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseP can still cheat
V P◦
νx��
◦
νz��
•xτ0
+3________ ________ ◦
��•
��
◦zτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x,x⊕z)oo
![Page 51: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/51.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
![Page 52: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/52.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheat
I Ivan can impersonate her, and relay SP(x)
![Page 53: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/53.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 2
V P◦
νx��•
xτ0
+3________ ________ ◦
��•
��
◦x⊕mτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
SP (x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
![Page 54: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/54.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response— with commitment
V P◦
νy��
◦
νx��
◦ct(y)oo
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
dt(y), rVP (x,y)oo
![Page 55: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/55.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = H1(x)::x dt(x) = x0
ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)
![Page 56: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/56.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = H1(x)::x dt(x) = x0
ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)
![Page 57: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/57.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response— with commitment
V P◦
νy��
◦
νx��
◦ct(y)oo
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
dt(y), rVP (x,y)oo
![Page 58: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/58.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseBrands-Chaum 3
V P◦
νy��
◦
νx��
◦H0yoo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1y,y,SP (x,y)oo
![Page 59: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/59.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseCapkun-Hubaux
V P◦
νy��
◦
νx��
◦H0yoo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1y,y,x,H(kVP ,x,y)oo
![Page 60: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/60.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-Syverson
V P◦
νy��
◦
νx��
◦H0(y,P)oo
•xτ0
+3________ ________ ◦
��•
��
◦x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
H1(y,P),y,x,H(kVP ,x,y)oo
![Page 61: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/61.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
![Page 62: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/62.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ P
I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
![Page 63: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/63.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic responseMeadows-P-Syverson
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦x⊕H(y,P)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,H(kVP ,x,y)oo
I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0
![Page 64: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/64.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response. . . and in general
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,rVP (x,y)oo
I f(x, y) one-way function in yI only P could generate rVP(x, y).
![Page 65: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/65.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic response. . . and in general
V P◦
νx��
◦
νy��
•xτ0
+3________ ________ ◦
��•
��
◦f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��◦ ◦
y,x,rVP (x,y)oo
I f(x, y) one-way function in yI only P could generate rVP(x, y).
![Page 66: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/66.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
cVP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(more convenient when P is a smart card)
![Page 67: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/67.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
cVP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
f(x,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(more convenient when P is a smart card)
![Page 68: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/68.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response and cryptographic challenge
V P◦
νy��◦
EP y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
x⊕yτ1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
(if P has a public key)
![Page 69: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/69.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Binding timed response to cryptographic challengeHancke-Kuhn
V P◦
νy��◦
y //
νx��
◦
��•
xτ0
+3________ ________ ◦
��• ◦
x�H(k ,y)
τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
x � z = [z(xi)i ] where z = z(0)::z(1)
![Page 70: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/70.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
![Page 71: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/71.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
![Page 72: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/72.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
![Page 73: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/73.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
TimedauthenticationTimed challenge-response
Timed/crypto response
Timed/crypto challenge
Mixing timed
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner
V X◦
νx��•
xτ0
+3______ ______ ◦
��• ◦
xτ1
_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _
V : (νx)V
(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)
c + scs
)I where c is the speed of light and s the speed of sound
I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1
I pro: measuring longer response times requires less precision
I con: s less robust, due to the influences of the environment
![Page 74: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/74.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocolsSocial channel and its useSocial commitmentAuthentication before decommitmentAuthentication after decommitmentSocially authenticated key exchangeSecurity homology
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 75: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/75.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Preliminary example: a timed social protocol
A B•
mτ0
+3______ ______ ◦
��� (m)τ1
oo o/ o/ o/ o/ o/ o/ o/
![Page 76: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/76.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
![Page 77: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/77.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
![Page 78: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/78.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I σ : T −→ T : a short digest (hash) function
such that
I σσt = σtI "The digest does not change short terms."
I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
![Page 79: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/79.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC
I "If A sees βB before γC , then she knows that βB
occurred before γC ."
![Page 80: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/80.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."
I lB to A : β m . l C to A : γm =⇒ A : βB . γCI "If A sees βB before γC , then she knows that βB
occurred before γC ."
![Page 81: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/81.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : βm— B shows an action β to A
axiomatized as follows:
I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has
performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC
I "If A sees βB before γC , then she knows that βB
occurred before γC ."
![Page 82: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/82.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
![Page 83: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/83.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
![Page 84: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/84.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:
I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."
I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest σt ."
![Page 85: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/85.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actionsGraphic notation
I βB ///o/o �A represents lβmB to A
I ◦Bσt ///o/o �A represents ltmB to A
![Page 86: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/86.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
��
◦σeoo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo
A B
◦
��
◦eoo
��� ◦
σeoo o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
![Page 87: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/87.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
��
◦σeoo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo
A B
◦
��
◦eoo
��� ◦
σeoo o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
![Page 88: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/88.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distribution. . . byt Ivan may have replaced it
A I B
�
��
◦σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
eoo ◦uoo
A I B
◦
��
◦eoo ◦
uoo
��� ◦
σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/
I e, σe ∈ ΓA
I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B
![Page 89: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/89.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social commitment
A B◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
A B◦
νy
��◦
��
◦e, ct(e,y)oo
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/
![Page 90: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/90.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : ∃y. σy = s ∧ lB to A : ymB
![Page 91: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/91.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃y. l B to A : σymB
![Page 92: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/92.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃u∃y.⟨u, ct(u, y)
⟩B D lσymB
![Page 93: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/93.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ ∃u. (νy)B D⟨u, ct(u, y)
⟩B D lσymB
![Page 94: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/94.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ (νy)B D⟨e, ct(e, y)
⟩B D lσymB D
⟨dt(e, y)
⟩B
![Page 95: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/95.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano template
A B
◦
νs
��◦
��
◦e, H(k ,e,s)oo
���
��
◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
![Page 96: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/96.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano- 1
2
A B
◦
νs
��◦
��
◦gb , H(k ,gb ,s)oo
���
��
◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
![Page 97: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/97.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano
A B
◦
νsa
��
◦
νsb
��◦
ga , H(ka ,ga ,sa)
33
��
◦
gb , H(kb ,gb ,sb )ss
��� oo sb
sa///o/o/o/o/o/o/o/o/o
��
�
��◦
ka
33 ◦kb
ss
![Page 98: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/98.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano 3
A B
◦ga
// ◦
νsb
��◦
��
◦gb , H(k ,ga ,gb ,sb )oo
◦1 ///o/o/o/o/o/o/o/o/o �
���
��
◦sboo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
koo
![Page 99: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/99.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
◦
νy
��◦
��
◦e, ct(e,y)oo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
dt(e,y)oo
I A : B honest =⇒ (νy)B D⟨e, ct(e, y)
⟩B D lσymB D
⟨dt(e, y)
⟩B
![Page 100: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/100.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentHoepman- 1
2
A B
◦
νxe=y=gx
��◦
��
◦Hyoo
���
��
◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/
��◦ ◦
yoo
I A : B honest =⇒ (νx)B D⟨H(gx)
⟩B D lσ(gx)mB D 〈gx〉B
![Page 101: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/101.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦ ◦e, ct(e,y)oo
?
��
?
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 102: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/102.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦ ◦e, ct(e,y)oo
?
��
// ?
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 103: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/103.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 104: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/104.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
A B◦
νy��
◦
νx��
◦e, ct(y)oo
◦x // ◦
��◦
��
◦dt(y)oo
��� ◦
σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 105: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/105.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentVaudenay: SAS- 1
2
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σ(x⊕y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 106: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/106.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentNguyen-Roscoe: HCBK- 1
2
A B◦
νy��
◦
νx��
◦e, Hyoo
◦x // ◦
��◦
��
◦yoo
��� ◦
σ(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
![Page 107: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/107.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B◦
νx��
◦
νy��
◦
��
eA , Hx++ ◦
eB , Hy
kk
��◦
��
x++ ◦
ykk
��� �//
σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
![Page 108: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/108.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B◦
νx��
◦
νy��
◦
��
eA , Hx++ ◦
eB , Hy
kk
��◦
��
x++ ◦
ykk
��� �//
σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
![Page 109: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/109.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
((νx)A 〈eA ,Hx〉A (u1, u2)A ⊗
(νy)B 〈eB ,Hy〉B (v1, v2)B
);
(〈x〉A (u3)A (u1, u2/eB ,Hu3)A l σ(eA , eB , x, u3) mA ⊗
〈y〉B (v3)B (v1, v2)/eA ,Hv3)B l σ(eA , eB , v3, y) mB
)
![Page 110: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/110.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principals
I all principals must digest at the same payload
I social protocol to compare the digests
![Page 111: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/111.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
![Page 112: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/112.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
![Page 113: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/113.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
V P◦
νy��
◦
νx��
◦ct(y)oo
◦x +3________ ________ ◦
��◦
��
◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��� ◦
dt(y),rVP (x,y)oo
Social authentication is not challenge-response:
x on the left is not a challenge, but a binder, analogous to y.
![Page 114: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/114.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B◦
νy��
◦
νx��
◦e, ct(e,y)oo
◦x // ◦
��◦
��
◦dt(e,y)oo
��� ◦
σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/
V P◦
νy��
◦
νx��
◦ct(y)oo
◦x +3________ ________ ◦
��◦
��
◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
��� ◦
dt(y),rVP (x,y)oo
Social authentication is not challenge-response:
x on the left is not a challenge, but a binder, analogous to y.
![Page 115: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/115.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 116: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/116.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Trust and reputation
NOT PRESENTED
![Page 117: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/117.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 118: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/118.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Deriving location authetication: Mobile IP
NOT PRESENTED
![Page 119: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/119.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction: NFC and pervasive security
Derivational approach to authentication and impersonation
Deriving distance bounding authentication protocols
Deriving social authentication protocols
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
![Page 120: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/120.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not suffice
I bootstrap distance, proximity, routing. . .I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
![Page 121: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/121.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
![Page 122: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/122.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
![Page 123: NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social authentication Trust & reputation Location authentication Conclusions and future](https://reader033.fdocuments.in/reader033/viewer/2022041908/5e64edd0d18d0c3f42519e18/html5/thumbnails/123.jpg)
Pervasiveauthentication
protocols
Dusko Pavlovic
Introduction: NFC
Derivingauthentication
Timedauthentication
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones