320 research outputs found

    Research and Technology Policy in the European Union: A Bottom-up Contribution to European Integration

    Presented on April 21, 2009, President’s Suites C & D – Student Success Center. Co-sponsored by the Center for International Strategy, Technology and Policy (CISTP) as part of the Globalization, Innovation and Development Lecture Series. The European Union’s Research Policy, aimed to increase competitiveness of the European productive system, is implemented through strategic actions, the most relevant of which is increased public and private investments in strategic industrial research and innovation, but it includes also investments in education, lifelong learning, and technological infrastructures. We prove that research policy is playing a role over and above the institutional objective of competitiveness. Research and development (R&D) programs led to an upgrade in the scientific, cultural, and technological level of participants and contributed to the path towards political union, to the irradiation of European values within and beyond European boundaries, and to the implementation of other policies. EU research programs generated high return on the investment. It is estimated that current Community contribution of € billion/year might generate a GDP increase of € 200 billion/year in the 2030s. Intangible results are also momentous. In this paper we address the impact of research on other policies: Competition, Consumer Protection, Employment, Energy, Enlargement, Enterprise, Environment, Information Society, Institutional Affairs, Internal Market, Mobility, Public Health, Regional Policy, and Transport. R&D policy was put at the heart of the Lisbon Strategy (LS) to boost employment and growth in Europe.
LS suffered from major weaknesses, described in the paper; it had, however, a role in putting R&D center stage in EU strategic planning for sustainable growth and in creating the conditions for the member states to decide for a major increase of R&D public spending, thus reinforcing the most effective component of the LS, the Framework Program, built on strengths of proved effectiveness: the involvement of all stakeholders in its planning, the feeling of ownership by the scientific/industrial community, focused funding, strict monitoring of execution, and enhanced exploitation plans. Community funding is the incentive to face the intrinsic complexity of international collaborations, an incentive ever so much important in EU27 to overcome the diversity in business culture, business practices, innovation, and workforce qualification across the enlarged Union. Diversity makes integration more complex and introduces additional costs to international cooperation, but it is an asset and a point in favor of the EU within the Triad. It facilitates addressing and understanding competitors in a world where new actors from remote markets and with different cultures take increasingly relevant roles. Changes triggered by research policy are bottom up and affect people in the first place: researchers, industrialists, students. By getting to know their peers in other countries, European participants in the programs learn to respect and appreciate diverse cultures, overcome the barriers that divided Europe, experience the feeling of belonging in a community larger than their own country, and establish networks that are the ground culture for European citizenship. Changes triggered by research policy affect enterprises as well. They broaden their horizon and they experience the advantages of international collaboration, known to universities for centuries.
This bottom-up action complements and is supported by the institutional activities of the EU and builds a community united in diversity capable of facing the challenges of a globalized world

    Pico: No More Passwords!

    Abstract. From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure. We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.
    1 Why users are right to be fed up. Remembering an unguessable and un-brute-force-able password was a manageable task twenty or thirty years ago, when each of us had to use only one or two. Since then, though, two trends in computing have made this endeavour much harder. First, computing power has grown by several orders of magnitude: once upon a time, eight characters were considered safe from brute force; nowadays, passwords that are truly safe from brute force and from advanced guessing attacks typically exceed the ability of ordinary users to remember them. Second, and most important, the number of computer-based services with which

    Relay-proof channels using UWB lasers

    Alice is a hand-held device. Bob is a device providing a service, such as an ATM, an automatic door, or an anti-aircraft gun pointing at the gyro-copter in which Alice is travelling. Bob and Alice have never met, but share a key, which Alice uses to request a service from Bob (dispense cash, open door, don't shoot). Mort pretends to Bob that she is Alice, and her accomplice Cove pretends to Alice that he is Bob. Mort and Cove relay the appropriate challenges and responses to one another over a channel hidden from Alice and Bob. Meanwhile Alice waits impatiently in front of a different ATM, or the wrong door, or another gun. How can such an attack be prevented? Final Accepted Versio

    User Authentication for the Internet of Things

    Having been talked about under a variety of names for two or three decades, the Internet of Things is finally coming to fruition. What is still missing, though, is a proper security architecture for it. That currently deployed IoT devices are insecure is testified by the plethora of vulnerabilities that are discovered and exploited daily: clearly “features” are higher priority than “security” in the eyes of the purchasers—and therefore of the manufacturers. But we are talking here of a more structural problem: not “this device is insecure” but “there is no strategic plan and no accepted blueprint to make IoT devices secure”. We should also bear in mind that if purchasers do not understand security vulnerabilities, or cannot articulate their understanding, then manufacturers are unlikely to address them. In this position paper we do not address IoT security in general: instead we focus specifically on the problem of user authentication, addressing which is a pre-requisite of any security architecture insofar as the three crucial security properties of Confidentiality, Integrity and Availability can only be defined in terms of the distinction between authorized and unauthorized users of the system. However, we should not be misled by the word “authorized”; authorized users may misbehave. ERC 30722

    Passwords and the evolution of imperfect authentication

    Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology. This is the author accepted manuscript. The final version is available from ACM via http://dx.doi.org/10.1145/269939

    Explicit Delegation Using Configurable Cookies

    Password sharing is widely used as a means of delegating access, but it is open to abuse and relies heavily on trust in the person being delegated to. We present a protocol for delegating access to websites as a natural extension to the Pico protocol. Through this we explore the potential characteristics of delegation mechanisms and how they interact. We conclude that security for the delegator against misbehaviour of the delegatee can only be achieved with the cooperation of the entity offering the service being delegated. To achieve this in our protocol we propose configurable cookies that capture delegated permissions. We are grateful to the European Research Council for funding this research through grant StG 307224 (Pico)

    Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come

    User authentication can rely on various factors (e.g., a password, a cryptographic key, biometric data) but should not reveal any secret or private information. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This assumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) protocol and message authentication codes. Comment: International Workshop on Security Protocols (SPW) 201