4,213 research outputs found
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and is driven by its particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis. The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.
Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
Seeking the philosopher's stone.
This article describes the unique challenges facing usable security research and design, and introduces three proposals for addressing these. For all intents and purposes, security design is currently a craft, where quality is dependent on individuals and their ability, rather than on principles and engineering. However, the wide variety of different skills necessary to design secure and usable systems is unlikely to be mastered by many individuals, requiring an unlikely combination of insight and education. Psychology, economics and cryptography have very little in common, and yet all have a role to play in the field of usable security. To address these concerns, three proposals are presented here: 1) to adopt a principled design framework for usable security and privacy; 2) to support a research environment where skills and knowledge can be pooled and shared; and 3) to guide and inform the principles that underpin the educational curriculum of future security engineers and researchers
A proof-of-proximity framework for device pairing in ubiquitous computing environments
Ad hoc interactions between devices over wireless networks in ubiquitous
computing environments present a security problem: the generation of shared secrets
to initialize secure communication over a medium that is inherently vulnerable to
various attacks. However, these ad hoc scenarios also offer the potential for physical
security of spaces and the use of protocols in which users must visibly demonstrate
their presence and/or involvement to generate an association. As a consequence,
recently secure device pairing has had significant attention from a wide community of
academic as well as industrial researchers and a plethora of schemes and protocols
have been proposed, which use various forms of out-of-band exchange to form an
association between two unassociated devices. These protocols and schemes have
different strengths and weaknesses - often in hardware requirements, strength against
various attacks or usability in particular scenarios. From an ordinary user's point of
view, the problem then becomes which to choose or which is the best possible scheme
in a particular scenario.
We advocate that in a world of modern heterogeneous devices and
requirements, there is a need for mechanisms that allow automated selection of the
best protocols without requiring the user to have an in-depth knowledge of the
minutiae of the underlying technologies. Towards this, the main argument forming the
basis of this dissertation is that the integration of a discovery mechanism and several
pairing schemes into a single system is more efficient from a usability point of view
as well as security point of view in terms of dynamic choice of pairing schemes. In
pursuit of this, we have proposed a generic system for secure device pairing by
demonstration of physical proximity. Our main contribution is the design and
prototype implementation of Proof-of-Proximity framework along with a novel Co-
Location protocol. Other contributions include a detailed analysis of existing device
pairing schemes, a simple device discovery mechanism, a protocol selection
mechanism that is used to find out the best possible scheme to demonstrate the
physical proximity of the devices according to the scenario, and a usability study of
eight pairing schemes and the proposed system
Security and usability: searching for the philosopher's stone.
This paper describes the unique challenges facing usable security research and design, and introduces three proposals for addressing these. For all intents and purposes security design is currently a craft, where quality is dependent on individuals and their ability, rather than principles and engineering. However, the wide variety of different skills necessary to design secure and usable systems is unlikely to be mastered by many individuals, requiring an unlikely combination of insight and education. Psychology, economics and cryptography have very little in common, and yet all have a role to play in the field of usable security. To address these concerns, three proposals are presented here: to adopt a principled design framework for usable security and privacy, to support a research environment where skills and knowledge can be pooled and shared, and to guide and inform the principles that underpin the educational curriculum of future security engineers and researchers
Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions
As computation spreads from computers to networks of computers, and migrates
into cyberspace, it ceases to be globally programmable, but it remains
programmable indirectly: network computations cannot be controlled, but they
can be steered by local constraints on network nodes. The tasks of
"programming" global behaviors through local constraints belong to the area of
security. The "program particles" that assure that a system of local
interactions leads towards some desired global goals are called security
protocols. As computation spreads beyond cyberspace, into physical and social
spaces, new security tasks and problems arise. As networks are extended by
physical sensors and controllers, including the humans, and interlaced with
social networks, the engineering concepts and techniques of computer security
blend with the social processes of security. These new connectors for
computational and social software require a new "discipline of programming" of
global behaviors through local constraints. Since the new discipline seems to
be emerging from a combination of established models of security protocols with
older methods of procedural programming, we use the name procedures for these
new connectors, that generalize protocols. In the present paper we propose
actor-networks as a formal model of computation in heterogenous networks of
computers, humans and their devices; and we introduce Procedure Derivation
Logic (PDL) as a framework for reasoning about security in actor-networks. On
the way, we survey the guiding ideas of Protocol Derivation Logic (also PDL)
that evolved through our work in security in the last 10 years. Both formalisms are
geared towards graphic reasoning and tool support. We illustrate their workings
by analysing a popular form of two-factor authentication, and a multi-channel
device pairing procedure, devised for this occasion.
Comment: 32 pages, 12 figures, 3 tables; journal submission; extended
references, added discussio