Outline Authentication in pervasive and social …Social authentication Trust & reputation Location...
Transcript of Outline Authentication in pervasive and social …Social authentication Trust & reputation Location...
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication inpervasive and social computation
Dusko Pavlovic
Kestrel Instituteand
Oxford University
January-May 2008
with thanks to Cathy Meadows, Mike Mislove,John Mitchell, Bill Roscoe
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
IntroductionProblem of security engineeringApproach: Protocol derivationsExample: Deriving CRTask
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Bull’s protocol
I Isabelle: secure for E(k ,m; n)
I Ryan & Schneider: not for E(k ,m; n) = n � Hk (m)
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Bull’s protocol
I Isabelle: secure for E(k ,m; n)
I Ryan & Schneider: not for E(k ,m; n) = n � Hk (m)
IPSec GDoII IETF MSec WG: secure, verifiedI Cathy & Dusko: GDoI_PoP attack
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Bull’s protocol
I Isabelle: secure for E(k ,m; n)
I Ryan & Schneider: not for E(k ,m; n) = n � Hk (m)
IPSec GDoII IETF MSec WG: secure, verifiedI Cathy & Dusko: GDoI_PoP attack
MQV
I NSA: "MQV is critical for national security of US"I Krawczyk: MQV insecure
I Menezes: HMQV insecure
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Bull’s protocol
I Isabelle: secure for E(k ,m; n)
I Ryan & Schneider: not for E(k ,m; n) = n � Hk (m)
IPSec GDoII IETF MSec WG: secure, verifiedI Cathy & Dusko: GDoI_PoP attack
MQV
I NSA: "MQV is critical for national security of US"I Krawczyk: MQV insecure, HMQV proven secure
I Menezes: HMQV insecure
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Verified protocols often fail
Bull’s protocol
I Isabelle: secure for E(k ,m; n)
I Ryan & Schneider: not for E(k ,m; n) = n � Hk (m)
IPSec GDoII IETF MSec WG: secure, verifiedI Cathy & Dusko: GDoI_PoP attack
MQV
I NSA: "MQV is critical for national security of US"I Krawczyk: MQV insecure, HMQV proven secureI Menezes: HMQV insecure
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Thesis: Informal reasoning is error prone.
Antithesis: Formal reasoning hides some attacks
,and becomes error prone as it getscomplicated.
Synthesis: Incremental formalization:Do not try to say all at once.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Thesis: Informal reasoning is error prone.
Antithesis: Formal reasoning hides some attacks
,and becomes error prone as it getscomplicated.
Synthesis: Incremental formalization:Do not try to say all at once.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem of security engineering
Thesis: Informal reasoning is error prone.
Antithesis: Formal reasoning hides some attacks,and becomes error prone as it getscomplicated.
Synthesis: Incremental formalization:Do not try to say all at once.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivational approach
Thesis: Informal reasoning is error prone.
Antithesis: Formal reasoning hides some attacks,and becomes error prone as it getscomplicated.
Synthesis: Incremental formalization:Do not try to say all at once.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivational approach
ProblemIncompleteness is the central concernin security engineering.
SolutionProtocol derivations manage it interactively.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Example: Deriving authentications
A B�
⌫x✏✏� cAB x
// �✏✏� �rAB x
oo
A : (⌫x)A
✓
hhcABxiiA . ((rABx))A
=) hhcABxiiA . ((cABx))B . hhrABxiiB. . ((rABx))A
◆
(cr)
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Example: Deriving authentications
A B�
⌫x✏✏� cAB x
// �✏✏� �rAB x
oo
A : (⌫x)A
✓
hhcABxiiA . ((rABx))A
=) hhcABxiiA . ((cABx))B . hhrABxiiB. . ((rABx))A
◆
(cr)
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B�
⌫x✏✏� cAB x:=x
// �✏✏� �rAB x:=SB x
oo
SBt = SBu =) t = u (sig1)
VB(y, t) () y = SBt (sig2)
hhSBtiiX. =) X = B (sig3)
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B�
⌫x✏✏� x
// �✏✏� �SB x
oo
(sig1-3) ^ (B honest) ` (cr)[cAB x:=x, rAB x:=SB x]
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem
A I B�
⌫x✏✏� A to B:x
// � I to B:x// �
✏✏� �B to A :SB xoo �B to I:SB x
oo
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Signature-based challenge-response (CRS)
A B�
⌫x✏✏� A to B:x
// �✏✏� �B to A :SB(A ,x)
oo
(sig1-3) ^ (B honest) ` (cr)[cAB x:=x, rAB x:=SB(A ,x)]
^ "B to A : SB(A , x)". . .
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem
This becomes much easier with NFC phones!
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Problem
This becomes much easier with NFC phones!
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Near Field Communication (NFC)
Phone with a contactless smart card:
Secure Element (SE) is a miniSD flash memory, or a USIM card, or a separate microcontroller.
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Agreement without proximity
A B C D
m n0 m0 n
�A
// �A
// �A
// �⌫x
✏✏�
✏✏
�D,x
oo �D,x
oo �D,x
oo
�SA (D,x)
// �SA (D,x)
// �SA (D,x)
// �
Pervasiveauthentication
Dusko Pavlovic
IntroductionProblem
Approach
Example
Task
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Task
Study proximity authentication.
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computationProcess modelNetwork model
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Process model
terms (T ,v),
principals (W,6),
actions A generated by:
action constructor form
send W2 ⇥ T hi,! A hA to B : ti
receive Var2W ⇥ VarT
(),! A (Y to Z : x)
match T ⇥ OpT ⇥ VarW(/),! A (t/p(x))
new VarT(⌫),! A (⌫x)
· · · · · · · · ·
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Process model
processes PP
// A ⇥W whereI (P, .) is a well-founded partial orderI PW(p)#PW(q) ) p#q
runs⇣
P,p
: recvs(P) �! sends(P)⌘
, (x) 6 .p(x)
I Pp
= P/ (p(x).(x))
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Network model
A communication network consists of
network graph N = (L�◆%
N), where
I N is the set of nodes,I L =
P
N⇥NNmn is the set of links,I Nmn = h�, %i�1(m, n)
control assignment c� :W �! }N, satisfying
A 6 B =) c�A ✓ c�B
A#B =) c�A \ c�B = ;
channel typing ✓ : L �! C,
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Network model
A communication network consists of
network graph N = (L�◆%
N), where
I N is the set of nodes,I L =
P
N⇥NNmn is the set of links,I Nmn = h�, %i�1(m, n)
control assignment c� :W �! }N, satisfying
A 6 B =) c�A ✓ c�B
A#B =) c�A \ c�B = ;
channel typing ✓ : L �! C,
Pervasiveauthentication
Dusko Pavlovic
Introduction
ModelProcess model
Network model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Network model
A communication network consists of
network graph N = (L�◆%
N), where
I N is the set of nodes,I L =
P
N⇥NNmn is the set of links,I Nmn = h�, %i�1(m, n)
control assignment c� :W �! }N, satisfying
A 6 B =) c�A ✓ c�B
A#B =) c�A \ c�B = ;
channel typing ✓ : L �! C,
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channelsTimed challenge-responseDistance bounding with two responses
Solution 1: CommitmentSolution 2: One-way response
Distance bounding with two challengesSimple distance bounding
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Timed challenge-response
V X
m ________ ________ n
�⌫x
✏✏• x⌧0
+3
________ ________ •
✏✏• •fx⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
V : (⌫x)V
✓
⌧0hxiV . ⌧1(fx)V =) 9X . d(V ,X) c2(⌧1 � ⌧0)
◆
(crt)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Timed challenge-response
V X
m ________ ________ n
�⌫x
✏✏• x⌧0
+3
________ ________ •
✏✏• •fx⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
V : (⌫x)V
✓
⌧0hxiV . ⌧1(fx)V =) 9X . d(V ,X) c2(⌧1 � ⌧0)
◆
(crt)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding protocolsIdeaCombine (cr) and (crt).
Three familiesI with one challenge and two responses:
I rVPx, satisfying (cr)I fVPx, satisfying (crt)
I with two challenges and one response:I cVPy and frVP(x, y), satisfying (cr)I x and frVP(x, y), satisfying (crt)
I with one challenge and one response:I x and frVPx, satisfying
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V (crp)
^ d(V ,P) ⌧1 � ⌧0◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding protocolsIdeaCombine (cr) and (crt).
Three families
I with one challenge and two responses:I rVPx, satisfying (cr)I fVPx, satisfying (crt)
I with two challenges and one response:I cVPy and frVP(x, y), satisfying (cr)I x and frVP(x, y), satisfying (crt)
I with one challenge and one response:I x and frVPx, satisfying
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V (crp)
^ d(V ,P) ⌧1 � ⌧0◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding protocolsIdeaCombine (cr) and (crt).
Three familiesI with one challenge and two responses:
I rVPx, satisfying (cr)I fVPx, satisfying (crt)
I with two challenges and one response:I cVPy and frVP(x, y), satisfying (cr)I x and frVP(x, y), satisfying (crt)
I with one challenge and one response:I x and frVPx, satisfying
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V (crp)
^ d(V ,P) ⌧1 � ⌧0◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding protocolsIdeaCombine (cr) and (crt).
Three familiesI with one challenge and two responses:
I rVPx, satisfying (cr)I fVPx, satisfying (crt)
I with two challenges and one response:I cVPy and frVP(x, y), satisfying (cr)I x and frVP(x, y), satisfying (crt)
I with one challenge and one response:I x and frVPx, satisfying
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V (crp)
^ d(V ,P) ⌧1 � ⌧0◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding protocolsIdeaCombine (cr) and (crt).
Three familiesI with one challenge and two responses:
I rVPx, satisfying (cr)I fVPx, satisfying (crt)
I with two challenges and one response:I cVPy and frVP(x, y), satisfying (cr)I x and frVP(x, y), satisfying (crt)
I with one challenge and one response:I x and frVPx, satisfying
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V (crp)
^ d(V ,P) ⌧1 � ⌧0◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two responsesIdea
V Pm YYZZ[[\\]]^__`aabbccddee n
�
✏✏
�Poo
� V//
⌫x✏✏
�
• x⌧0
+3
________ ________ �
✏✏• �fx⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �rVP xoo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two responsesProblem
V I P
m YYZZ[[\\]]^__`aabbccddeeff XXYYZZ[[\\]]^__`aabbccddee n
�✏✏
�Poo �P
oo
� V//
⌫x✏✏
� V// �
• x⌧0
+3
________ ________ �✏✏• �fx
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏• x+3
________ ________ �✏✏• �fx
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �rVPxoo �rVP x
oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two responsesBasic template
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �rVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 1
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x,y)oo
I V : P honest =) d(V ,P) < ⌧1 � ⌧0I V : 8X . X responds =) d(V ,X) + d(X ,P) < ⌧1 � ⌧0
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 1
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x,y)oo
I V : P honest =) d(V ,P) < ⌧1 � ⌧0I V : 8X . X responds =) d(V ,X) + d(X ,P) < ⌧1 � ⌧0
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Discharge the honesty assumption?
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
P can still cheat
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫z
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�z⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x,x�z)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 2
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�m⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 2
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�m⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x)oo
I Peggy cannot cheat
I Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 2
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�m⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �SP(x)oo
I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Solution 1: Commitment
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏�⌫x
✏✏
�ct(y)oo
• x⌧0
+3
________ ________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �dt(y), rVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T �! T ,I decommitment dt : T �! T , andI open commitment ot : T ⇥ T �! T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = x::H1(x) dt(x) = x0
ot(y, z) = z ot(y, z) = z0 ot(y, z) = D(z, y)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Digression: Symbolic commitment
Definition
A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T �! T ,I decommitment dt : T �! T , andI open commitment ot : T ⇥ T �! T ,
such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.
E.g.,
ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)
dt(x) = x dt(x) = x::H1(x) dt(x) = x0
ot(y, z) = z ot(y, z) = z0 ot(y, z) = D(z, y)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Solution 1: Commitment
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏�⌫x
✏✏
�ct(y)oo
• x⌧0
+3
________ ________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �dt(y), rVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Brands-Chaum 3
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏�⌫x
✏✏
�H0yoo
• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,H1y,SP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Capkun-Hubaux
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏�⌫x
✏✏
�H0yoo
• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,H1y,x,HVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
. . . but Peggy’s identity can be spoofed
V I P
m XXXXYYYYZZZZ[[[[\\\\]]]]^^__``aaaabbbbccccddddeeeeffff` n�
⌫y✏✏�
⌫x✏✏
�H0yoo
• x⌧0
+3
_________________ _________________ �
✏✏•
✏✏
�x�y⌧1
ks _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
✏✏� �y,H1y,x,HVI(x,y)oo �y,x,H1y,HVP(x,y)
oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
. . . and in general
V I P
m XXXXYYYYZZZZ[[[[\\\\]]]]^^__``aaaabbbbccccddddeeeeffff` n�
⌫y✏✏�
⌫x✏✏
�ct(y)oo
• x⌧0
+3
_________________ _________________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
✏✏� �dt(y), rVI(x,y)oo �dt(y), rVP(x,y)
oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
. . . so we need
V Pm [[[[\\\\\\]]]]]]]]^^^^______````aaaaaaaabbbbbbcccc n
�⌫y
✏✏�⌫x
✏✏
�ct(y,P)oo
• x⌧0
+3
_________________ _________________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
✏✏� �dt(y,P), rVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Meadows et al
V P�
⌫y✏✏�
⌫x✏✏
�H0(y,P)oo
• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�y⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,H1(y,P),x,HVP(x,y)oo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Solution 2: One-way response
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�f(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �rVP(x,y)oo
where fVP(x,�) is a one-way function for every x.
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Meadows et bo
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�H(y,P)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,x,HVP(x,y)oo
I V : 9X . d(V ,X) < ⌧1 � ⌧0 ^ X ⇠ PI V : 8X . X responds =) d(V ,X) + d(X ,P) < ⌧1 � ⌧0
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Meadows et bo
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�H(y,P)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,x,HVP(x,y)oo
I V : 9X . d(V ,X) < ⌧1 � ⌧0 ^ X ⇠ P
I V : 8X . X responds =) d(V ,X) + d(X ,P) < ⌧1 � ⌧0
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Meadows et bo
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫x
✏✏
�⌫y
✏✏• x⌧0
+3
________ ________ �
✏✏•
✏✏
�x�H(y,P)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �y,x,HVP(x,y)oo
I V : 9X . d(V ,X) < ⌧1 � ⌧0 ^ X ⇠ PI V : 8X . X responds =) d(V ,X) + d(X ,P) < ⌧1 � ⌧0
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two challengesIdea
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏� cVP y//
⌫x✏✏
�
✏✏• x⌧0
+3
________ ________ �
✏✏• �frVP(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
where
I frVP(x,�) satisfies (cr) for all x
I frVP(�, y) satisfies (crt) for all y
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two challengesIdea
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏� cVP y//
⌫x✏✏
�
✏✏• x⌧0
+3
________ ________ �
✏✏• �frVP(x,y)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
where
I frVP(x,�) satisfies (cr) for all x
I frVP(�, y) satisfies (crt) for all y
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two challengesTry
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏� cVP y//
⌫x✏✏
�
✏✏• x⌧0
+3
________ ________ �
✏✏• �x�rVPy⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two challengesProblem
m YYZZZZ[[[[[[\\\\]]]]]]^^______``aaaaaabbbbccccccddddee________ ________ ` ________ ________ n
�⌫y
✏✏� cVPy//
⌫x
✏✏
�
✏✏
�⌫ex
✏✏•✏✏
ex+3
________ ________ �✏✏•
✏✏
�ex�rVPyks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
•✏✏
x⌧0
+3
________ ________ �✏✏• �x�rVPy
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Distance bounding with two challengesIdea 2: Find �
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏� cVP y//
⌫x✏✏
�
✏✏• x⌧0
+3
________ ________ �
✏✏• �x�rVPy⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
where
I rVP satisfies (cr)
I x � (�) is one-way function for every x
I (�) � y satisfies (crt) for every y
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Hancke-KuhnCandidate
V Pm YYZZ[[\\]]^__`aabbccddee n
�⌫y
✏✏� y//
⌫x✏✏
�
✏✏• x⌧0
+3
________ ________ �
✏✏• �x�HVPy⌧1
ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
x � z = [z(xi)i ] where z = z(0)::z(1)
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Hancke-KuhnProblem
m VVWWWWXXYYYYZZ[[[[\\\\]]^^__``aabbbbccccddeeeeffgggghh________ ________ `
ggeeddccbbaa`__^]]\\[[ZZYY n
�⌫y
✏✏� y//
⌫x
✏✏
�✏✏�
✏✏
0n+3
________ ________ �✏✏�
✏✏
�0n�rVP yks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
�✏✏
V to P:y// �
✏✏�✏✏
1n+3
________ ________ �✏✏�
✏✏
�1n�rVP yks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
•✏✏
x⌧0
+3
________ ________ �✏✏• �x�rVPy
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Hancke-KuhnProblem: a � z, a � z ` (�) � z, for any a
m VVWWWWXXYYYYZZ[[[[\\\\]]^^__``aabbbbccccddeeeeffgggghh________ ________ `
ggeeddccbbaa`__^]]\\[[ZZYY n
�⌫y
✏✏� y//
⌫x
✏✏
�✏✏�
✏✏
0n+3
________ ________ �✏✏�
✏✏
�0n�rVP yks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
�✏✏
V to P:y// �
✏✏�✏✏
1n+3
________ ________ �✏✏�
✏✏
�1n�rVP yks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
•✏✏
x⌧0
+3
________ ________ �✏✏• �x�rVPy
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Simple distance bounding templateIdea 3: Use counters to disable querying of (�) � rVPy
V Pm YY ZZ[[\\]]^__`aabbccddee n76540123u
⌫x✏✏
u,v 76540123v
76540123u+1x⌧0
+3
________ ________ 76540123v+1
✏✏76540123u+2 76540123v+2x�rVP(u,v)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
I rVP satisfies (cr)
I x � (�) is one-way function for every x
I (�) � z satisfies (crt) for every z
I the counters u, v are public, but never reused
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Simple distance bounding templateIdea 3: Use counters to disable querying of (�) � rVPy
V Pm YY ZZ[[\\]]^__`aabbccddee n76540123u
⌫x✏✏
u,v 76540123v
76540123u+1x⌧0
+3
________ ________ 76540123v+1
✏✏76540123u+2 76540123v+2x�rVP(u,v)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
where
I rVP satisfies (cr)
I x � (�) is one-way function for every x
I (�) � z satisfies (crt) for every z
I the counters u, v are public, but never reused
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
TimedauthenticationTimed challenge-response
Two responses
Solution 1: Commitment
Solution 2: One-wayresponse
Two challenges
Simple distance bounding
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Simple distance bounding templateIdea 3: Use counters to disable querying of (�) � rVPy
V Pm YY ZZ[[\\]]^__`aabbccddee n76540123u
⌫x✏✏
u,v 76540123v
76540123u+1x⌧0
+3
________ ________ 76540123v+1
✏✏76540123u+2 76540123v+2x�rVP(u,v)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
where
I rVP satisfies (cr)
I x � (�) is one-way function for every x
I (�) � z satisfies (crt) for every z
I the counters u, v are public, but never reused
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessingAlgebra codingGuessingBase and dimension
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Algebra coding
I T be a term algebra over a clone TI L a language over an alphabet ⌃
DefinitionAn encoding (or implementation) of T in L is a pair of maps
~�� : T ! Lp
: L* T
such thatp~t� = t .
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Algebra coding
I T be a term algebra over a clone TI L a language over an alphabet ⌃
DefinitionAn encoding (or implementation) of T in L is a pair of maps
~�� : T ! Lp
: L* T
such thatp~t� = t .
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Notation and terminology
I ⌃? = ⌃ + {?}, where ? @ s for s 2 S
I L? = {↵ 2 ⌃⇤?| 9⇠ 2 L. ↵ v ⇠}I ↵ v � () |↵| |�| ^ 8i |↵|. ↵i @ �i _ ↵i = �i
I F ✓ [L? ) L?]t" , a submonoid of feasible maps
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Notation and terminology
I ⌃? = ⌃ + {?}, where ? @ s for s 2 SI L? = {↵ 2 ⌃⇤?| 9⇠ 2 L. ↵ v ⇠}
I ↵ v � () |↵| |�| ^ 8i |↵|. ↵i @ �i _ ↵i = �i
I F ✓ [L? ) L?]t" , a submonoid of feasible maps
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Notation and terminology
I ⌃? = ⌃ + {?}, where ? @ s for s 2 SI L? = {↵ 2 ⌃⇤?| 9⇠ 2 L. ↵ v ⇠}I ↵ v � () |↵| |�| ^ 8i |↵|. ↵i @ �i _ ↵i = �i
I F ✓ [L? ) L?]t" , a submonoid of feasible maps
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Notation and terminology
I ⌃? = ⌃ + {?}, where ? @ s for s 2 SI L? = {↵ 2 ⌃⇤?| 9⇠ 2 L. ↵ v ⇠}I ↵ v � () |↵| |�| ^ 8i |↵|. ↵i @ �i _ ↵i = �i
I F ✓ [L? ) L?]t" , a submonoid of feasible maps
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Definition
An algebraic operation ' 2 T is called feasible if the partialmap
~'� : L * L~t� 7! ~'t�
can be extended to a feasible map.
Example
Hohenberger-Rivest: pseudo-free groups
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Feasible algebra
Definition
An algebraic operation ' 2 T is called feasible if the partialmap
~'� : L * L~t� 7! ~'t�
can be extended to a feasible map.
Example
Hohenberger-Rivest: pseudo-free groups
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivability
DefinitionFor ↵1, . . . ,↵n, � 2 L? define the derivability relation
↵1, . . . ,↵n ` � () 9f1, . . . fn 2 F .nG
i=1
fi↵i w �
For a multiset of terms s1, . . . , sn, t 2 T , we abbreviate
s1, . . . , sn ` t () ~s1�, . . . , ~sn� ` ~t�
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivability
DefinitionFor ↵1, . . . ,↵n, � 2 L? define the derivability relation
↵1, . . . ,↵n ` � () 9f1, . . . fn 2 F .nG
i=1
fi↵i w �
For a multiset of terms s1, . . . , sn, t 2 T , we abbreviate
s1, . . . , sn ` t () ~s1�, . . . , ~sn� ` ~t�
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Frequency distribution
AssumptionSuppose that L is given with a probability measure
Prob : M(L) �! [0, 1]
For simplicity, take
I L = {0, 1}⇤I M{0, 1}⇤ =
h
↵" ✓ {0, 1}⇤i
I where ↵" = {⇠ 2 {0, 1}⇤ | ↵ v ⇠}I
Prob(↵") = 2�|↵|
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Frequency distribution
AssumptionSuppose that L is given with a probability measure
Prob : M(L) �! [0, 1]
For simplicity, take
I L = {0, 1}⇤I M{0, 1}⇤ =
h
↵" ✓ {0, 1}⇤i
I where ↵" = {⇠ 2 {0, 1}⇤ | ↵ v ⇠}I
Prob(↵") = 2�|↵|
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivability with guessing
Guessing a term
IProb(t |A) =
Prob(~t�"\A")Prob(A")
IProb(t |↵) =
Prob(~t�"\↵")Prob(↵") =
8
>
>
<
>
>
:
2k↵k�|~t�| if ↵ v ~t�0 otherwise
I where k↵k = |↵�⌃ |
DefinitionFor ↵1, . . . ,↵n, � 2 L? and � � 0 define
↵1, . . . ,↵n `� � ()9f1, . . . fn 2 F . Prob (� | f1↵1, . . . , fn↵n) � �
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivability with guessing
Guessing a term
IProb(t |A) =
Prob(~t�"\A")Prob(A")
IProb(t |↵) =
Prob(~t�"\↵")Prob(↵") =
8
>
>
<
>
>
:
2k↵k�|~t�| if ↵ v ~t�0 otherwise
I where k↵k = |↵�⌃ |
DefinitionFor ↵1, . . . ,↵n, � 2 L? and � � 0 define
↵1, . . . ,↵n `� � ()9f1, . . . fn 2 F . Prob (� | f1↵1, . . . , fn↵n) � �
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Derivability with guessing
Guessing a term
IProb(t |A) =
Prob(~t�"\A")Prob(A")
IProb(t |↵) =
Prob(~t�"\↵")Prob(↵") =
8
>
>
<
>
>
:
2k↵k�|~t�| if ↵ v ~t�0 otherwise
I where k↵k = |↵�⌃ |
DefinitionFor ↵1, . . . ,↵n, � 2 L? and � � 0 define
↵1, . . . ,↵n `� � ()9f1, . . . fn 2 F . Prob (� | f1↵1, . . . , fn↵n) � �
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Base and dimension
Base
Let ' 2 T be an algebraic operation andB = {b1, . . . , bk } ✓ T . DefineI '[B]� =
n
t 2 T | t ,B ,'(B) `� '(t)o
I base�✏(') =n
B 2 }<!T | Prob
⇣
'[B]�⌘
� ✏o
DimensionI dim�✏(') =
V
B2base�✏(')|B |
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Base and dimension
Base
Let ' 2 T be an algebraic operation andB = {b1, . . . , bk } ✓ T . DefineI '[B]� =
n
t 2 T | t ,B ,'(B) `� '(t)o
I base�✏(') =n
B 2 }<!T | Prob
⇣
'[B]�⌘
� ✏o
DimensionI dim�✏(') =
V
B2base�✏(')|B |
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Base and dimension
Base
Let ' 2 T be an algebraic operation andB = {b1, . . . , bk } ✓ T . DefineI '[B]� =
n
t 2 T | t ,B ,'(B) `� '(t)o
I base�✏(') =n
B 2 }<!T | Prob
⇣
'[B]�⌘
� ✏o
DimensionI dim�✏(') =
V
B2base�✏(')|B |
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
ExampleseXclusive OR
Refine b , b � c ` x � c for all b , c, x 2 {0, 1}` to show
I base�✏(� � c) =
8
>
>
<
>
>
:
{0, 1}⇤ if ✏ 2�k ^ � 2`�k
{0, 1}k if ✏ > 2�k ^ � 2`�k
I dim�✏ (� � c) =
8
>
>
<
>
>
:
0 if ✏ 2�k ^ � 2`�k
1 if ✏ > 2�k ^ � 2`�k
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
ExamplesOne-way XOR
For ⌃ = {0, 1, . . . , n � 1} and d = d(0)::d(1):: . . . d(n�1) 2 ⌃n`
define
(�) � d : ⌃` �! ⌃`
z 7!
d(z1)1 , d(z2)
2 , . . . , d(z`)`
�
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
ExamplesOne-way XOR
Refine0`, 1`, . . . , (n � 1)`, 0` � d, . . . , (n � 1)` � d ` x � dto show
dim�✏ (� � d) =
8
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
<
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
:
1 if ✏ 2h
0, 2�nki
2 if ✏ 2⇣
2�nk , 2(1�n)ki
...
i + 1 if ✏ 2⇣
2(i�1�n)k , 2(i�n)ki
...
n if ✏ 2⇣
2�k , 1i
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Upshot
PropositionFor all �, ✏ � 0, and any A ✓ T holds
|A | < dim�✏(') =) Prob
⇣
t 2 T | t ,A ,'(A) `� '(t)⌘
< ✏
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
SymbolicguessingAlgebra coding
Guessing
Base and dimension
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Corollary
m YYZZ[[\\]]^__`aabbccddeeffn76540123u
⌫x✏✏
u,v 76540123v
/.-,()*+u+1x⌧0
+3
________ ________ /.-,()*+v+1
✏✏/.-,()*+u+2 /.-,()*+v+2x�rVP(u,v)
⌧1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
satisfies
V : (⌫x)V
✓
⌧0hxiV . ⌧1(frVPx)V
=) ⌧0hxiV . (x)P . hfrVPxiP. . ⌧1(frVPx)V
^ d(V ,P) ⌧1 � ⌧0◆
with probability 1 � 2�|x |.
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channelsSocial channel and its useSocial commitmentAuthentication before decommitmentAuthentication after decommitmentSocially authenticated key exchangeSecurity homology
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Preliminary example: a timed social protocol
A B• m
⌧0+3
______ ______ �
✏✏
� (m)⌧1oo
o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I � : T �! T : a short digest (hash) function
such thatI ��t = �t
I "The digest does not change short terms."I 8s 9t . s , t ^ �s = �t ^ s ` t
I "For every term s, it is feasible to find a different term twith the same digest."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I � : T �! T : a short digest (hash) function
such thatI ��t = �t
I "The digest does not change short terms."
I 8s 9t . s , t ^ �s = �t ^ s ` tI "For every term s, it is feasible to find a different term t
with the same digest."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social channel bandwidth
I � : T �! T : a short digest (hash) function
such thatI ��t = �t
I "The digest does not change short terms."I 8s 9t . s , t ^ �s = �t ^ s ` t
I "For every term s, it is feasible to find a different term twith the same digest."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : �m— B shows an action � to A
axiomatized as follows:I lB to A : �m =) A : �B
I "If A sees B perform �, then A knows that B hasperformed �."
I lB to A : � m . l C to A : �m =) A : �B . �CI "If A sees �B before �C , then she knows that �B
occurred before �C ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : �m— B shows an action � to A
axiomatized as follows:I lB to A : �m =) A : �B
I "If A sees B perform �, then A knows that B hasperformed �."
I lB to A : � m . l C to A : �m =) A : �B . �CI "If A sees �B before �C , then she knows that �B
occurred before �C ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : �m— B shows an action � to A
axiomatized as follows:I lB to A : �m =) A : �B
I "If A sees B perform �, then A knows that B hasperformed �."
I lB to A : � m . l C to A : �m =) A : �B . �CI "If A sees �B before �C , then she knows that �B
occurred before �C ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:I lB to A : tm =) �t 2 �A
I "If B shows A a term t , then A sees the digest �t ."I lB to A : tm =) A : 9u. �u = �t ^ lA to B : umB
I "If B shows A a term t , then A knows that B has shownher some term with the digest �t ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:I lB to A : tm =) �t 2 �A
I "If B shows A a term t , then A sees the digest �t ."
I lB to A : tm =) A : 9u. �u = �t ^ lA to B : umBI "If B shows A a term t , then A knows that B has shown
her some term with the digest �t ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actions
I lB to A : tm— B shows a term t to A
axiomatized as follows:I lB to A : tm =) �t 2 �A
I "If B shows A a term t , then A sees the digest �t ."I lB to A : tm =) A : 9u. �u = �t ^ lA to B : umB
I "If B shows A a term t , then A knows that B has shownher some term with the digest �t ."
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social actionsGraphic notation
I �B //
/o
/o �A represents lB to A : �m
I �B�t
//
/o
/o �A represents lB to A : tm
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
✏✏
��eoo
o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �eoo
A B
�
✏✏
�eoo
✏✏� ��eoo
o/ o/ o/ o/ o/ o/ o/ o/
I e,�e 2 �A
I A : B honest =) 9u. �u = �e ^ hB to A : uiB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distributionBob announces his public key
A B
�
✏✏
��eoo
o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �eoo
A B
�
✏✏
�eoo
✏✏� ��eoo
o/ o/ o/ o/ o/ o/ o/ o/
I e,�e 2 �A
I A : B honest =) 9u. �u = �e ^ hB to A : uiB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Socially authenticated key distribution. . . but Ivan may have replaced it
A I B
�
✏✏
��e=�uoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �eoo �u
oo
A I B
�
✏✏
�eoo �u
oo
✏✏� ��e=�uoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
I e,�e 2 �A
I A : B honest =) 9u. �u = �e ^ hB to A : uiB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Social commitment
A B�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��f(e,y)oo
o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
A B�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(e,y)oo
o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : 9y. �y = s ^ lB to A : smB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : B honest =) 9y. l B to A : �ymB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : B honest =) 9u9y.⌦
u, ct(u, y)↵
B D l�ymB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : B honest =) 9u. (⌫y)B D⌦
u, ct(u, y)↵
B D l�ymB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : B honest =) (⌫y)B D⌦
e, ct(e, y)↵
B D l�ymB D⌦
dt(e, y)↵
B
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano template
A B
�⌫s
✏✏�
✏✏
�e, H(k ,e,s)oo
✏✏�
✏✏
�s=�soo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �koo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano- 1
2
A B
�⌫s
✏✏�
✏✏
�gb , H(k ,gb ,s)oo
✏✏�
✏✏
�s=�soo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �koo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano
A B
�⌫sa
✏✏
�⌫sb
✏✏�ga , H(ka ,ga ,sa)
33
✏✏
�gb , H(kb ,gb ,sb)
ss
✏✏
� oo
sb
sa//
/o/o/o/o/o/o/o/o/o
✏✏
�
✏✏�ka
33 �kb
ss
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentWong-Stajano 3
A B
� ga// �⌫sb
✏✏�
✏✏
�gb , H(k ,ga ,gb ,sb)oo
� 1//
/o/o/o/o/o/o/o/o/o �
✏✏�
✏✏
�sboo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �koo
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitment
A B
�⌫y
✏✏�
✏✏
�e, ct(e,y)oo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �dt(e,y)oo
I A : B honest =) (⌫y)B D⌦
e, ct(e, y)↵
B D l�ymB D⌦
dt(e, y)↵
B
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication before decommitmentHoepman- 1
2
A B
�⌫xe=y=gx
✏✏�
✏✏
�Hyoo
✏✏�
✏✏
��yoo
o/ o/ o/ o/ o/ o/ o/ o/ o/
✏✏� �yoo
I A : B honest =) (⌫x)B D⌦
H(gx)↵
B D l�(gx)mB D hgxiB
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B�⌫y
✏✏� �e, ct(e,y)oo
?
✏✏
?
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(e,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B�⌫y
✏✏� �e, ct(e,y)oo
?
✏✏
// ?
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(e,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(e,y)oo
� x// �
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(e,x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitment
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(e,y)oo
� x// �
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(y)oo
� x// �
✏✏�
✏✏
�dt(y)oo
✏✏� ��f(e,x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentVaudenay: SAS- 1
2
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(e,y)oo
� x// �
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��(x�y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Authentication after decommitmentNguyen-Roscoe: HCBK- 1
2
A B�⌫y
✏✏�⌫x
✏✏
�e, Hyoo
� x// �
✏✏�
✏✏
�yoo
✏✏� ��(e,x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B�
⌫x✏✏
�⌫y
✏✏�
✏✏
eA , Hx++ �
eB , Hy
kk
✏✏�
✏✏
x++ �
ykk
✏✏
� �//�(eA ,eB ,x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
A B�
⌫x✏✏
�⌫y
✏✏�
✏✏
eA , Hx++ �
eB , Hy
kk
✏✏�
✏✏
x++ �
ykk
✏✏
� �//�(eA ,eB ,x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
Assumption: Initiator establishes the order
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)
✓
(⌫x)A heA ,HxiA (u1, u2)A ⌦
(⌫y)B heB ,HyiB (v1, v2)B
◆
;
✓
hxiA (u3)A (u1, u2/eB ,Hu3)A l �(eA , eB , x, u3) mA ⌦
hyiB (v3)B (v1, v2)/eA ,Hv3)B l �(eA , eB , v3, y) mB
◆
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principals
I all principals must digest at the same payloadI social protocol to compare the digests
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Multi-party authentication after decommitmentNguyen-Roscoe: HCBK
Assumptions (to be discharged)
I agreed ordering of the principalsI all principals must digest at the same payload
I social protocol to compare the digests
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(e,y)oo
� x// �
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
V P�⌫y
✏✏�⌫x
✏✏
�ct(y)oo
� x+3
________ ________ �
✏✏�
✏✏
�f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �dt(y),rVP(x,y)oo
Social authentication is not challenge-response:x on the left is not a challenge, but a binder, analogous to y.
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
SocialauthenticationSocial channel and its use
Social commitment
Auth. then decommit
Decommit then auth.
Social KE
Security homology
Trust & reputation
Locationauthentication
Conclusions andfuture work
Structural similarity — conceptual difference
A B�⌫y
✏✏�⌫x
✏✏
�e, ct(e,y)oo
� x// �
✏✏�
✏✏
�dt(e,y)oo
✏✏� ��f(x,y)oo
o/ o/ o/ o/ o/ o/ o/ o/ o/
V P�⌫y
✏✏�⌫x
✏✏
�ct(y)oo
� x+3
________ ________ �
✏✏�
✏✏
�f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _
✏✏� �dt(y),rVP(x,y)oo
Social authentication is not challenge-response:x on the left is not a challenge, but a binder, analogous to y.
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Trust and reputation
NOT PRESENTED
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Deriving location authetication: Mobile IP
NOT PRESENTED
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Outline
Introduction
Model of network computation
Authentication with timed channels
Symbolic model with partial information and guessing
Authentication with social channels
Trust & reputation
Deriving location authentication protocols
Conclusions and future work
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not suffice
I bootstrap distance, proximity, routing. . .I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones
Pervasiveauthentication
Dusko Pavlovic
Introduction
Model
Timedauthentication
Symbolicguessing
Socialauthentication
Trust & reputation
Locationauthentication
Conclusions andfuture work
Summary
ConclusionsI space security for pervasive and social computation
I E2E model does not sufficeI bootstrap distance, proximity, routing. . .
I derivational approach sine qua non
Future workI embed Social Web 2.0 in physical space
I enable the export of authenticated social linksI make the Web into a social channel
I electronic pheromones