nfc and authentication in pervasive and social computation · 2008-02-14 · authentication social...

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC and authenticationin pervasive and social computation

Dusko Pavlovic

Kestrel Instituteand

Oxford University

January 2008


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work


protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems


Timedauthentication


Trust & reputation



Outline

Introduction: NFC and pervasive securityNear Field CommunicationProblems of pervasive security




Trust & reputation




protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



Near Field Communication (NFC)

Phone with a contactless smart card:

Secure Element (SE) is a miniSD flash memory, or a USIM card, or a separate microcontroller.


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC modes of operation: standards


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC stakeholders

I mobile operators:pro: revenue from card issuers, targeted

advertising, social networkingcon: no revenue from P2P transactions1

I card issuers:pro: increased availability and overall

transaction value,con: dependency on mobile operators

I banks:pro: increased availability and overall

transaction valuecon: lost revenue to P2P digital cash

transactions

1cf. Bluetooth disabling


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC deployment

Australia: Telstra, National Australia Bank

China: China Mobile, Philips, Nokia, Xiamen e-Tongcard

France: CIC, Credit Mutuel, Gemalto, LaSer, Pegasus(multi-operator, multi-bank, multi-card), RATP,SFR

Germany: Deutsche Bahn, Rhein-Main Vb (Frankfurt),Nokia, Philips, Vodafone

India: Delta Technologies

Japan: DoCoMo

UK: Barklays, Orange, O2, TfL Oyster, WirelessFest in Hyde Park

USA: Cingular, Discover, Inside Contactless, Nokia,NXP, NY subway, Venyon ZTar,


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC applicationsContactless payment and exchange

I card mode (← Chip & Pin, EMV)2008 transaction value: $ 2.4 billion (Juniper)

2011 transaction value: $ 24-36 billion (Juniper, Strategy Analytics)

I RW mode:I electronic tickets, transportation systemsI off-line micropayments (← Chip-Knip)

I P2P mode:I digital cash transactionsI electronic barterI street markets and transient merchantsI vending


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC applicationsProximity commercial networking

I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing

I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help

I general shopping assistance

I RW mode: bootstrap other networksI distribute relevant URLsI establish Bluetooth, WLAN connections to local

resources


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC applicationsProximity commercial networking

I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing

I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help

I general shopping assistanceI RW mode: bootstrap other networks

I distribute relevant URLsI establish Bluetooth, WLAN connections to local

resources


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



NFC applicationsProximity social networking

Beyond address book:

I P2P mode: support local networksI exchange public keys, personal (business) cards

I RW mode: generate local networksI check in selected personal data2 at a smart place

I club, school, shopping mall. . .I local recommender system forms clusters

I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .

I receive other relevant informationI recommendation driven advertising in physical space

I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)

2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation




Security problems


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation




Task.Study authentication methods forI proximity social networking, in particular, and

I pervasive computation in general

Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation




Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general

Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



New security landscapeExample 1: Fair exchange (contract signing)

Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.

Why?

Exchange is like a race where the winning horse is the last to finish.


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation




Pervasive solution

Swap the horses!

. . . i.e. swap the devices, or the send buttons.


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation




Pervasive solutionSwap the horses!

. . . i.e. swap the devices, or the send buttons.


protocols

Dusko Pavlovic




Timedauthentication


Trust & reputation



New security landscapeExample 2: Smart card relay attacks

This becomes much easier with NFC phones!

Solution: distance bounding,social authentication (sign receipt)


protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Outline


Derivational approach to authentication and impersonationBasic ideasDeriving challenge-responseReal example: GDOI



Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Basics of information flow security

Secrecy: bad information flows do not happen

Authenticity: good information flows do happen


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Basics of program dependability

Safety: bad things do not happen

Liveness: good things do happen


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Basics of information flow security

Secrets must be authenticated

Authentications are based on secrets


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Authentication by challenge-response (CR)

A B◦

νx��◦

cAB x // ◦

��◦ ◦

rAB xoo

A : (νx)A

(〈〈cABx〉〉A . ((rABx))A

=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A

)(cr)


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Signature-based challenge-response (CRS)

A B◦

νx��◦

cAB x:=x // ◦

��◦ ◦

rAB x:=SB xoo

SB t = SBu =⇒ t = u (sig1)

VB(y, t) ⇐⇒ y = SB t (sig2)

〈〈SB t〉〉X. =⇒ X = B (sig3)


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation




A B◦

νx��◦

x // ◦

��◦ ◦

SB xoo

(sig1-3) ∧ (B honest) ` (cr)[cAB x:=x, rAB x:=SB x]


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Intruder-in-the-Middle attack on CRS

A I B◦

νx��◦

A to B:x // ◦I to B:x // ◦

��◦ ◦

B to A :SB xoo ◦B to I:SB xoo


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation




A B◦

νx��◦

x // ◦

��◦ ◦

SB xoo


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Signature-based nested challenge-response (CRSN)

A B◦

νy��

◦

νx��

◦yoo

◦x // ◦

��◦

��

◦SB xoo

◦SA y // ◦

assumptions: (sig1-3), (A honest), (B honest)

guarantee: using (cr) A and B derive matching views


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Intruder-in-the-Middle attack on CRSN

A I B◦

νy��

◦

νx��

◦B to A :yoo ◦

B to I:yoo

◦A to B:x // ◦

I to B:x // ◦

��◦

��

◦B to A :SB xoo ◦

B to I:SB xoo

◦A to B:SA y // ◦

I to B:SA y // ◦


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



IPSec GDOI protocol

A B

◦

νx��◦

A to B:x,HAB x // ◦

νy��

◦ ◦B to A : y,HBA (x,y)oo

◦A ,A ′ to B: CA′ , ΣA′ ,

HAB (y,CA′ , ΣA′ )

// ◦

νk��

◦ ◦B ,B′ to A ,A ′: k ,ΣB′ ,

HBA (x,k ,ΣB′ )

oo

ΣX = SX (x, y)


protocols

Dusko Pavlovic

Introduction: NFC


Challenge-response

Real example: GDOI

Timedauthentication


Trust & reputation



Intruder-in-the-middle attack on GDOI

A I B

◦

νx��◦

A to I:x,HAIx // ◦I to B: x,HIB x // ◦

νy��

◦ ◦I to A : y,HIA (x,y)oo ◦

B to I: y,HBI(x,y)oo

◦A ,A ′ to I: CA′ , ΣA′ ,

HAI(y,CA′ , ΣA′ )

// ◦I,A ′ to B: CA′ , ΣA′ ,

HIB (y,CA′ , ΣA′ )

// ◦

νk��

◦ ◦B ,B′ to I,A ′: k ,ΣB′ ,

HBI(x,k ,ΣB′ )

oo

ΣX = SX (x, y)


protocols

Dusko Pavlovic

Introduction: NFC


TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed


Trust & reputation



Outline



Deriving distance bounding authentication protocolsTimed challenge-responseBinding timed response and crypto responseBinding timed response and crypto challengeMixing timed channels


Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Timed challenge-response

V X◦

νx��•

xτ0

+3________ ________ •

��• •

f(x)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

supports the axiom

V : (νx)V

(τ0〈x〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ τ1 − τ0

)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Combining timed response and cryptographic response

V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦f(x)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

rVPxoo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic response

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

rVP (x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseBrands-Chaum 1

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,y)oo

I V : P honest =⇒ d(V ,P) < τ1 − τ0

I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseDischarge the honesty assumption?

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseP can still cheat

V P◦

νx��

◦

νz��

•xτ0

+3________ ________ ◦

��•

��

◦zτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,x⊕z)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheat

I Ivan can impersonate her, and relay SP(x)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic response— with commitment

V P◦

νy��

◦

νx��

◦ct(y)oo

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

dt(y), rVP (x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Digression: Symbolic commitment

Definition

A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,

such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.

E.g.,

ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)

dt(x) = x dt(x) = H1(x)::x dt(x) = x0

ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic response— with commitment

V P◦

νy��

◦

νx��

◦ct(y)oo

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

dt(y), rVP (x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νy��

◦

νx��

◦H0yoo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1y,y,SP (x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseCapkun-Hubaux

V P◦

νy��

◦

νx��

◦H0yoo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1y,y,x,H(kVP ,x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseMeadows-Syverson

V P◦

νy��

◦

νx��

◦H0(y,P)oo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1(y,P),y,x,H(kVP ,x,y)oo


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic responseMeadows-P-Syverson

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ P

I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation




V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic response. . . and in general

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,rVP (x,y)oo

I f(x, y) one-way function in yI only P could generate rVP(x, y).


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response and cryptographic challenge

V P◦

νy��◦

cVP y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

(more convenient when P is a smart card)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response and cryptographic challenge

V P◦

νy��◦

EP y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

(if P has a public key)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Binding timed response to cryptographic challengeHancke-Kuhn

V P◦

νy��◦

y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

x�H(k ,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

x � z = [z(xi)i ] where z = z(0)::z(1)


protocols

Dusko Pavlovic

Introduction: NFC





Mixing timed


Trust & reputation



Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner

V X◦

νx��•

xτ0

+3______ ______ ◦

��• ◦

xτ1

_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _

V : (νx)V

(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)

c + scs

)I where c is the speed of light and s the speed of sound

I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1

I pro: measuring longer response times requires less precision

I con: s less robust, due to the influences of the environment


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Outline




Deriving social authentication protocolsSocial channel and its useSocial commitmentAuthentication before decommitmentAuthentication after decommitmentSocially authenticated key exchangeSecurity homology

Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Preliminary example: a timed social protocol

A B•

mτ0

+3______ ______ ◦

�� (m)τ1

oo o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social channel bandwidth

I σ : T −→ T : a short digest (hash) function

such that

I σσt = σtI "The digest does not change short terms."

I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t

with the same digest."


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social actions

I lB to A : βm— B shows an action β to A

axiomatized as follows:

I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has

performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC

I "If A sees βB before γC , then she knows that βB

occurred before γC ."


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social actions




performed β."

I lB to A : β m . l C to A : γm =⇒ A : βB . γCI "If A sees βB before γC , then she knows that βB



protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social actions




performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC

I "If A sees βB before γC , then she knows that βB



protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social actions

I lB to A : tm— B shows a term t to A


I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."

I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown

her some term with the digest σt ."


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social actionsGraphic notation

I βB ///o/o �A represents lβmB to A

I ◦Bσt ///o/o �A represents ltmB to A


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Socially authenticated key distributionBob announces his public key

A B

�

��

◦σeoo o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

eoo

A B

◦

��

◦eoo

�� ◦

σeoo o/ o/ o/ o/ o/ o/ o/ o/

I e, σe ∈ ΓA

I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Socially authenticated key distribution. . . byt Ivan may have replaced it

A I B

�

��

◦σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

eoo ◦uoo

A I B

◦

��

◦eoo ◦

uoo

�� ◦

σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/

I e, σe ∈ ΓA

I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Social commitment

A B◦

νy

��◦

��

◦e, ct(e,y)oo

��

��

◦σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

A B◦

νy

��◦

��

◦e, ct(e,y)oo

��◦

��

◦dt(e,y)oo

�� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : ∃y. σy = s ∧ lB to A : ymB


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��


��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃y. l B to A : σymB


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��


��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃u∃y.⟨u, ct(u, y)

⟩B D lσymB


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��


��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃u. (νy)B D⟨u, ct(u, y)

⟩B D lσymB


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��


��◦ ◦

dt(e,y)oo

I A : B honest =⇒ (νy)B D⟨e, ct(e, y)

⟩B D lσymB D

⟨dt(e, y)

⟩B


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitmentWong-Stajano template

A B

◦

νs

��◦

��

◦e, H(k ,e,s)oo

��

��

◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitmentWong-Stajano- 1

2

A B

◦

νs

��◦

��

◦gb , H(k ,gb ,s)oo

��

��

◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitmentWong-Stajano

A B

◦

νsa

��

◦

νsb

��◦

ga , H(ka ,ga ,sa)

33

��

◦

gb , H(kb ,gb ,sb )ss

�� oo sb

sa///o/o/o/o/o/o/o/o/o

��

�

��◦

ka

33 ◦kb

ss


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitmentWong-Stajano 3

A B

◦ga

// ◦

νsb

��◦

��

◦gb , H(k ,ga ,gb ,sb )oo

◦1 ///o/o/o/o/o/o/o/o/o �

��

��

◦sboo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B

◦

νy

��◦

��

◦e, ct(e,y)oo

��

��


��◦ ◦

dt(e,y)oo

I A : B honest =⇒ (νy)B D⟨e, ct(e, y)

⟩B D lσymB D

⟨dt(e, y)

⟩B


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication before decommitmentHoepman- 1

2

A B

◦

νxe=y=gx

��◦

��

◦Hyoo

��

��


��◦ ◦

yoo

I A : B honest =⇒ (νx)B D⟨H(gx)

⟩B D lσ(gx)mB D 〈gx〉B


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication after decommitment

A B◦

νy��

◦ ◦e, ct(e,y)oo

?

��

?

��◦

��

◦dt(e,y)oo

�� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B◦

νy��

◦ ◦e, ct(e,y)oo

?

��

// ?

��◦

��

◦dt(e,y)oo

�� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

�� ◦

σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation




A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

�� ◦

σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

A B◦

νy��

◦

νx��

◦e, ct(y)oo

◦x // ◦

��◦

��

◦dt(y)oo

�� ◦

σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication after decommitmentVaudenay: SAS- 1

2

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

�� ◦

σ(x⊕y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Authentication after decommitmentNguyen-Roscoe: HCBK- 1

2

A B◦

νy��

◦

νx��

◦e, Hyoo

◦x // ◦

��◦

��

◦yoo

�� ◦

σ(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)

A B◦

νx��

◦

νy��

◦

��

eA , Hx++ ◦

eB , Hy

kk

��◦

��

x++ ◦

ykk

�� //

σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Assumption: Initiator establishes the order


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)

((νx)A 〈eA ,Hx〉A (u1, u2)A ⊗

(νy)B 〈eB ,Hy〉B (v1, v2)B

);

(〈x〉A (u3)A (u1, u2/eB ,Hu3)A l σ(eA , eB , x, u3) mA ⊗

〈y〉B (v3)B (v1, v2)/eA ,Hv3)B l σ(eA , eB , v3, y) mB

)


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Multi-party authentication after decommitmentNguyen-Roscoe: HCBK

Assumptions (to be discharged)

I agreed ordering of the principals

I all principals must digest at the same payload

I social protocol to compare the digests


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Multi-party authentication after decommitmentNguyen-Roscoe: HCBK

Assumptions (to be discharged)

I agreed ordering of the principalsI all principals must digest at the same payload

I social protocol to compare the digests


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation



Structural similarity — conceptual difference

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

�� ◦

σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

V P◦

νy��

◦

νx��

◦ct(y)oo

◦x +3________ ________ ◦

��◦

��

◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

�� ◦

dt(y),rVP (x,y)oo

Social authentication is not challenge-response:

x on the left is not a challenge, but a binder, analogous to y.


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Outline





Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Trust and reputation

NOT PRESENTED


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Outline





Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Deriving location authetication: Mobile IP

NOT PRESENTED


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Outline





Trust & reputation




protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not suffice

I bootstrap distance, proximity, routing. . .I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones


protocols

Dusko Pavlovic

Introduction: NFC


Timedauthentication


Trust & reputation



Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not sufficeI bootstrap distance, proximity, routing. . .

I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones

nfc and authentication in pervasive and social computation · 2008-02-14 · authentication social...

Documents