NFC and authentication in pervasive and social computation · 2008-02-14 · authentication Social...

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC and authenticationin pervasive and social computation

Dusko Pavlovic

Kestrel Instituteand

Oxford University

January 2008

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive securityNear Field CommunicationProblems of pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Near Field Communication (NFC)

Phone with a contactless smart card:

Secure Element (SE) is a miniSD flash memory, or a USIM card, or a separate microcontroller.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC modes of operation: standards

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC stakeholders

I mobile operators:pro: revenue from card issuers, targeted

advertising, social networkingcon: no revenue from P2P transactions1

I card issuers:pro: increased availability and overall

transaction value,con: dependency on mobile operators

I banks:pro: increased availability and overall

transaction valuecon: lost revenue to P2P digital cash

transactions

1cf. Bluetooth disabling

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC deployment

Australia: Telstra, National Australia Bank

China: China Mobile, Philips, Nokia, Xiamen e-Tongcard

France: CIC, Credit Mutuel, Gemalto, LaSer, Pegasus(multi-operator, multi-bank, multi-card), RATP,SFR

Germany: Deutsche Bahn, Rhein-Main Vb (Frankfurt),Nokia, Philips, Vodafone

India: Delta Technologies

Japan: DoCoMo

UK: Barklays, Orange, O2, TfL Oyster, WirelessFest in Hyde Park

USA: Cingular, Discover, Inside Contactless, Nokia,NXP, NY subway, Venyon ZTar,

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsContactless payment and exchange

I card mode (← Chip & Pin, EMV)2008 transaction value: $ 2.4 billion (Juniper)

2011 transaction value: $ 24-36 billion (Juniper, Strategy Analytics)

I RW mode:I electronic tickets, transportation systemsI off-line micropayments (← Chip-Knip)

I P2P mode:I digital cash transactionsI electronic barterI street markets and transient merchantsI vending

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity commercial networking

I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing

I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help

I general shopping assistance

I RW mode: bootstrap other networksI distribute relevant URLsI establish Bluetooth, WLAN connections to local

resources

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity commercial networking

I RW mode: RFID-based shoppingI discount coupons, mobile rewards distributionI warehouse navigationI dynamic pricing

I shop auctionI shopping derivatives: futures, calls, boolean betting. . .I discount for social hubs, celebritiesI discount for viral marketing, C2C assistance, shop help

I general shopping assistanceI RW mode: bootstrap other networks

I distribute relevant URLsI establish Bluetooth, WLAN connections to local

resources

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Beyond address book:

I P2P mode: support local networksI exchange public keys, personal (business) cards

I RW mode: generate local networksI check in selected personal data2 at a smart place

I club, school, shopping mall. . .I local recommender system forms clusters

I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .

I receive other relevant informationI recommendation driven advertising in physical space

I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)

2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Beyond address book:

I P2P mode: support local networksI exchange public keys, personal (business) cards

I RW mode: generate local networksI check in selected personal data2 at a smart place

I club, school, shopping mall. . .I local recommender system forms clusters

I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .

I receive other relevant informationI recommendation driven advertising in physical space

I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)

2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Beyond address book:

I P2P mode: support local networksI exchange public keys, personal (business) cards

I RW mode: generate local networksI check in selected personal data2 at a smart place

I club, school, shopping mall. . .I local recommender system forms clusters

I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .

I receive other relevant informationI recommendation driven advertising in physical space

I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)

2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Beyond address book:

I P2P mode: support local networksI exchange public keys, personal (business) cards

I RW mode: generate local networksI check in selected personal data2 at a smart place

I club, school, shopping mall. . .I local recommender system forms clusters

I sport partners, homework help, one-night stands. . .I queryless social searchI social navigation assistance: friends, foes, fashion. . .

I receive other relevant informationI recommendation driven advertising in physical space

I point-and-clickI drag one proximity link to another: introduce friendsI bootstrap Bluetooth, WLAN networks: "silent concert"I . . . (mouse in space)

2e.g., a fragment of a personal page, reputation certificate, "electronic pheromone"

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Security problems

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Task.Study authentication methods forI proximity social networking, in particular, and

I pervasive computation in general

Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general

Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

NFC applicationsProximity social networking

Task.Study authentication methods forI proximity social networking, in particular, andI pervasive computation in general

Method.Derivational approach:I taxonomy of channels and of their applicationsI incremental analysis of channel interactionsI protocol patternsI tool support

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.

Why?

Exchange is like a race where the winning horse is the last to finish.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.

Why?

Exchange is like a race where the winning horse is the last to finish.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Theorem (Even-Yacobi, 1980)Every deterministic fair exchange protocol must involve atrusted third party: it is always an escrow protocol.

Why?

Exchange is like a race where the winning horse is the last to finish.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Pervasive solution

Swap the horses!

. . . i.e. swap the devices, or the send buttons.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Pervasive solutionSwap the horses!

. . . i.e. swap the devices, or the send buttons.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 1: Fair exchange (contract signing)

Pervasive solutionSwap the horses!

. . . i.e. swap the devices, or the send buttons.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 2: Smart card relay attacks

This becomes much easier with NFC phones!

Solution: distance bounding,social authentication (sign receipt)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 2: Smart card relay attacks

This becomes much easier with NFC phones!

Solution: distance bounding,social authentication (sign receipt)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFCNFC perspective

Pervasive securityproblems

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

New security landscapeExample 2: Smart card relay attacks

This becomes much easier with NFC phones!

Solution: distance bounding,social authentication (sign receipt)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonationBasic ideasDeriving challenge-responseReal example: GDOI

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Basics of information flow security

Secrecy: bad information flows do not happen

Authenticity: good information flows do happen

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Basics of program dependability

Safety: bad things do not happen

Liveness: good things do happen

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Basics of information flow security

Secrets must be authenticated

Authentications are based on secrets

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication by challenge-response (CR)

A B◦

νx��◦

cAB x // ◦

��◦ ◦

rAB xoo

A : (νx)A

(〈〈cABx〉〉A . ((rABx))A

=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A

)(cr)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication by challenge-response (CR)

A B◦

νx��◦

cAB x // ◦

��◦ ◦

rAB xoo

A : (νx)A

(〈〈cABx〉〉A . ((rABx))A

=⇒ 〈〈cABx〉〉A . ((cABx))B . 〈〈rABx〉〉B. . ((rABx))A

)(cr)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Signature-based challenge-response (CRS)

A B◦

νx��◦

cAB x:=x // ◦

��◦ ◦

rAB x:=SB xoo

SB t = SBu =⇒ t = u (sig1)

VB(y, t) ⇐⇒ y = SB t (sig2)

〈〈SB t〉〉X. =⇒ X = B (sig3)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Signature-based challenge-response (CRS)

A B◦

νx��◦

x // ◦

��◦ ◦

SB xoo

(sig1-3) ∧ (B honest) ` (cr)[cAB x:=x, rAB x:=SB x]

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Intruder-in-the-Middle attack on CRS

A I B◦

νx��◦

A to B:x // ◦I to B:x // ◦

��◦ ◦

B to A :SB xoo ◦B to I:SB xoo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Signature-based challenge-response (CRS)

A B◦

νx��◦

x // ◦

��◦ ◦

SB xoo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Signature-based nested challenge-response (CRSN)

A B◦

νy��

◦

νx��

◦yoo

◦x // ◦

��◦

��

◦SB xoo

◦SA y // ◦

assumptions: (sig1-3), (A honest), (B honest)

guarantee: using (cr) A and B derive matching views

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Signature-based nested challenge-response (CRSN)

A B◦

νy��

◦

νx��

◦yoo

◦x // ◦

��◦

��

◦SB xoo

◦SA y // ◦

assumptions: (sig1-3), (A honest), (B honest)

guarantee: using (cr) A and B derive matching views

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Intruder-in-the-Middle attack on CRSN

A I B◦

νy��

◦

νx��

◦B to A :yoo ◦

B to I:yoo

◦A to B:x // ◦

I to B:x // ◦

��◦

��

◦B to A :SB xoo ◦

B to I:SB xoo

◦A to B:SA y // ◦

I to B:SA y // ◦

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

IPSec GDOI protocol

A B

◦

νx��◦

A to B:x,HAB x // ◦

νy��

◦ ◦B to A : y,HBA (x,y)oo

◦A ,A ′ to B: CA′ , ΣA′ ,

HAB (y,CA′ , ΣA′ )

// ◦

νk��

◦ ◦B ,B′ to A ,A ′: k ,ΣB′ ,

HBA (x,k ,ΣB′ )

oo

ΣX = SX (x, y)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

DerivingauthenticationBasics

Challenge-response

Real example: GDOI

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Intruder-in-the-middle attack on GDOI

A I B

◦

νx��◦

A to I:x,HAIx // ◦I to B: x,HIB x // ◦

νy��

◦ ◦I to A : y,HIA (x,y)oo ◦

B to I: y,HBI(x,y)oo

◦A ,A ′ to I: CA′ , ΣA′ ,

HAI(y,CA′ , ΣA′ )

// ◦I,A ′ to B: CA′ , ΣA′ ,

HIB (y,CA′ , ΣA′ )

// ◦

νk��

◦ ◦B ,B′ to I,A ′: k ,ΣB′ ,

HBI(x,k ,ΣB′ )

oo

ΣX = SX (x, y)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocolsTimed challenge-responseBinding timed response and crypto responseBinding timed response and crypto challengeMixing timed channels

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Timed challenge-response

V X◦

νx��•

xτ0

+3________ ________ •

��• •

f(x)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

supports the axiom

V : (νx)V

(τ0〈x〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ τ1 − τ0

)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Combining timed response and cryptographic response

V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦f(x)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

rVPxoo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic response

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

rVP (x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 1

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,y)oo

I V : P honest =⇒ d(V ,P) < τ1 − τ0

I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 1

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,y)oo

I V : P honest =⇒ d(V ,P) < τ1 − τ0

I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseDischarge the honesty assumption?

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseP can still cheat

V P◦

νx��

◦

νz��

•xτ0

+3________ ________ ◦

��•

��

◦zτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x,x⊕z)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 2

V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 2

V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheat

I Ivan can impersonate her, and relay SP(x)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 2

V P◦

νx��•

xτ0

+3________ ________ ◦

��•

��

◦x⊕mτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

SP (x)oo

I Peggy cannot cheatI Ivan can impersonate her, and relay SP(x)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic response— with commitment

V P◦

νy��

◦

νx��

◦ct(y)oo

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

dt(y), rVP (x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Digression: Symbolic commitment

Definition

A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,

such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.

E.g.,

ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)

dt(x) = x dt(x) = H1(x)::x dt(x) = x0

ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Digression: Symbolic commitment

Definition

A commitment schema consists of three publicly knownfunctions over the space of messages T ,I commitment ct : T −→ T ,I decommitment dt : T −→ T , andI open commitment ot : T × T −→ T ,

such thatI ct is a one-way collision-free function,I ot (ct(x), dt(x)) = x.

E.g.,

ct(x) = H(x) ct(x) = H0(x) ct(x) = E(x0, x1)

dt(x) = x dt(x) = H1(x)::x dt(x) = x0

ot(y, z) = z ot(y, z) = z1 ot(y, z) = D(z, y)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic response— with commitment

V P◦

νy��

◦

νx��

◦ct(y)oo

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

dt(y), rVP (x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseBrands-Chaum 3

V P◦

νy��

◦

νx��

◦H0yoo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1y,y,SP (x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseCapkun-Hubaux

V P◦

νy��

◦

νx��

◦H0yoo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1y,y,x,H(kVP ,x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseMeadows-Syverson

V P◦

νy��

◦

νx��

◦H0(y,P)oo

•xτ0

+3________ ________ ◦

��•

��

◦x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

H1(y,P),y,x,H(kVP ,x,y)oo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseMeadows-P-Syverson

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseMeadows-P-Syverson

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ P

I V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic responseMeadows-P-Syverson

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦x⊕H(y,P)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,H(kVP ,x,y)oo

I V : ∃X . d(V ,X) < τ1 − τ0 ∧ X ∼ PI V : ∀X . X responds =⇒ d(V ,X) + d(X ,P) < τ1 − τ0

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic response. . . and in general

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,rVP (x,y)oo

I f(x, y) one-way function in yI only P could generate rVP(x, y).

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic response. . . and in general

V P◦

νx��

◦

νy��

•xτ0

+3________ ________ ◦

��•

��

◦f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��◦ ◦

y,x,rVP (x,y)oo

I f(x, y) one-way function in yI only P could generate rVP(x, y).

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response and cryptographic challenge

V P◦

νy��◦

cVP y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

(more convenient when P is a smart card)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response and cryptographic challenge

V P◦

νy��◦

cVP y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

f(x,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

(more convenient when P is a smart card)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response and cryptographic challenge

V P◦

νy��◦

EP y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

x⊕yτ1

ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

(if P has a public key)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Binding timed response to cryptographic challengeHancke-Kuhn

V P◦

νy��◦

y //

νx��

◦

��•

xτ0

+3________ ________ ◦

��• ◦

x�H(k ,y)

τ1ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

x � z = [z(xi)i ] where z = z(0)::z(1)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner

V X◦

νx��•

xτ0

+3______ ______ ◦

��• ◦

xτ1

_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _

V : (νx)V

(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)

c + scs

)I where c is the speed of light and s the speed of sound

I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1

I pro: measuring longer response times requires less precision

I con: s less robust, due to the influences of the environment

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner

V X◦

νx��•

xτ0

+3______ ______ ◦

��• ◦

xτ1

_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _

V : (νx)V

(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)

c + scs

)I where c is the speed of light and s the speed of sound

I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1

I pro: measuring longer response times requires less precision

I con: s less robust, due to the influences of the environment

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner

V X◦

νx��•

xτ0

+3______ ______ ◦

��• ◦

xτ1

_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _

V : (νx)V

(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)

c + scs

)I where c is the speed of light and s the speed of sound

I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1

I pro: measuring longer response times requires less precision

I con: s less robust, due to the influences of the environment

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

TimedauthenticationTimed challenge-response

Timed/crypto response

Timed/crypto challenge

Mixing timed

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mixing different kinds of timed channelsECHO: Sastry-Sankar-Wagner

V X◦

νx��•

xτ0

+3______ ______ ◦

��• ◦

xτ1

_jt _ _ _ _ _ __ _ _ _ _ __ _ _ _ _ _

V : (νx)V

(τ0〈〈x〉〉V . τ1((x))V =⇒ ∃X . d(V ,X) ≤ (τ1 − τ0)

c + scs

)I where c is the speed of light and s the speed of sound

I the reasoning boils down to (crt)), because s � c =⇒ c+scs ≈ 1

I pro: measuring longer response times requires less precision

I con: s less robust, due to the influences of the environment

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocolsSocial channel and its useSocial commitmentAuthentication before decommitmentAuthentication after decommitmentSocially authenticated key exchangeSecurity homology

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Preliminary example: a timed social protocol

A B•

mτ0

+3______ ______ ◦

��� (m)τ1

oo o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social channel bandwidth

I σ : T −→ T : a short digest (hash) function

such that

I σσt = σtI "The digest does not change short terms."

I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t

with the same digest."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social channel bandwidth

I σ : T −→ T : a short digest (hash) function

such that

I σσt = σtI "The digest does not change short terms."

I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t

with the same digest."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social channel bandwidth

I σ : T −→ T : a short digest (hash) function

such that

I σσt = σtI "The digest does not change short terms."

I ∀s ∃t . s , t ∧ σs = σt ∧ s ` tI "For every term s, it is feasible to find a different term t

with the same digest."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : βm— B shows an action β to A

axiomatized as follows:

I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has

performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC

I "If A sees βB before γC , then she knows that βB

occurred before γC ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : βm— B shows an action β to A

axiomatized as follows:

I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has

performed β."

I lB to A : β m . l C to A : γm =⇒ A : βB . γCI "If A sees βB before γC , then she knows that βB

occurred before γC ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : βm— B shows an action β to A

axiomatized as follows:

I lB to A : βm =⇒ A : βBI "If A sees B perform β, then A knows that B has

performed β."I lB to A : β m . l C to A : γm =⇒ A : βB . γC

I "If A sees βB before γC , then she knows that βB

occurred before γC ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : tm— B shows a term t to A

axiomatized as follows:

I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."

I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown

her some term with the digest σt ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : tm— B shows a term t to A

axiomatized as follows:

I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."

I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown

her some term with the digest σt ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actions

I lB to A : tm— B shows a term t to A

axiomatized as follows:

I lB to A : tm =⇒ σt ∈ ΓAI "If B shows A a term t , then A sees the digest σt ."

I lB to A : tm =⇒ A : ∃u. σu = σt ∧ lA to B : umBI "If B shows A a term t , then A knows that B has shown

her some term with the digest σt ."

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social actionsGraphic notation

I βB ///o/o �A represents lβmB to A

I ◦Bσt ///o/o �A represents ltmB to A

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Socially authenticated key distributionBob announces his public key

A B

�

��

◦σeoo o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

eoo

A B

◦

��

◦eoo

��� ◦

σeoo o/ o/ o/ o/ o/ o/ o/ o/

I e, σe ∈ ΓA

I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Socially authenticated key distributionBob announces his public key

A B

�

��

◦σeoo o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

eoo

A B

◦

��

◦eoo

��� ◦

σeoo o/ o/ o/ o/ o/ o/ o/ o/

I e, σe ∈ ΓA

I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Socially authenticated key distribution. . . byt Ivan may have replaced it

A I B

�

��

◦σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

eoo ◦uoo

A I B

◦

��

◦eoo ◦

uoo

��� ◦

σe=σuoo o/ o/ o/ o/ o/ o/ o/ o/ o/

I e, σe ∈ ΓA

I A : B honest =⇒ ∃u. σu = σe ∧ 〈B to A : u〉B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Social commitment

A B◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

A B◦

νy

��◦

��

◦e, ct(e,y)oo

��◦

��

◦dt(e,y)oo

��� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : ∃y. σy = s ∧ lB to A : ymB

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃y. l B to A : σymB

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃u∃y.⟨u, ct(u, y)

⟩B D lσymB

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : B honest =⇒ ∃u. (νy)B D⟨u, ct(u, y)

⟩B D lσymB

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : B honest =⇒ (νy)B D⟨e, ct(e, y)

⟩B D lσymB D

⟨dt(e, y)

⟩B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitmentWong-Stajano template

A B

◦

νs

��◦

��

◦e, H(k ,e,s)oo

���

��

◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitmentWong-Stajano- 1

2

A B

◦

νs

��◦

��

◦gb , H(k ,gb ,s)oo

���

��

◦s=σsoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitmentWong-Stajano

A B

◦

νsa

��

◦

νsb

��◦

ga , H(ka ,ga ,sa)

33

��

◦

gb , H(kb ,gb ,sb )ss

��� oo sb

sa///o/o/o/o/o/o/o/o/o

��

�

��◦

ka

33 ◦kb

ss

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitmentWong-Stajano 3

A B

◦ga

// ◦

νsb

��◦

��

◦gb , H(k ,ga ,gb ,sb )oo

◦1 ///o/o/o/o/o/o/o/o/o �

���

��

◦sboo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

koo

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitment

A B

◦

νy

��◦

��

◦e, ct(e,y)oo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

dt(e,y)oo

I A : B honest =⇒ (νy)B D⟨e, ct(e, y)

⟩B D lσymB D

⟨dt(e, y)

⟩B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication before decommitmentHoepman- 1

2

A B

◦

νxe=y=gx

��◦

��

◦Hyoo

���

��

◦σyoo o/ o/ o/ o/ o/ o/ o/ o/ o/

��◦ ◦

yoo

I A : B honest =⇒ (νx)B D⟨H(gx)

⟩B D lσ(gx)mB D 〈gx〉B

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitment

A B◦

νy��

◦ ◦e, ct(e,y)oo

?

��

?

��◦

��

◦dt(e,y)oo

��� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitment

A B◦

νy��

◦ ◦e, ct(e,y)oo

?

��

// ?

��◦

��

◦dt(e,y)oo

��� ◦

σf(e,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitment

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

��� ◦

σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitment

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

��� ◦

σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

A B◦

νy��

◦

νx��

◦e, ct(y)oo

◦x // ◦

��◦

��

◦dt(y)oo

��� ◦

σf(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitmentVaudenay: SAS- 1

2

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

��� ◦

σ(x⊕y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Authentication after decommitmentNguyen-Roscoe: HCBK- 1

2

A B◦

νy��

◦

νx��

◦e, Hyoo

◦x // ◦

��◦

��

◦yoo

��� ◦

σ(e,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)

A B◦

νx��

◦

νy��

◦

��

eA , Hx++ ◦

eB , Hy

kk

��◦

��

x++ ◦

ykk

��� �//

σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Assumption: Initiator establishes the order

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)

A B◦

νx��

◦

νy��

◦

��

eA , Hx++ ◦

eB , Hy

kk

��◦

��

x++ ◦

ykk

��� �//

σ(eA ,eB ,x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

Assumption: Initiator establishes the order

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Mutual authentication after decommitmentNguyen-Roscoe: HCBK (2-party)

((νx)A 〈eA ,Hx〉A (u1, u2)A ⊗

(νy)B 〈eB ,Hy〉B (v1, v2)B

);

(〈x〉A (u3)A (u1, u2/eB ,Hu3)A l σ(eA , eB , x, u3) mA ⊗

〈y〉B (v3)B (v1, v2)/eA ,Hv3)B l σ(eA , eB , v3, y) mB

)

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Multi-party authentication after decommitmentNguyen-Roscoe: HCBK

Assumptions (to be discharged)

I agreed ordering of the principals

I all principals must digest at the same payload

I social protocol to compare the digests

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Multi-party authentication after decommitmentNguyen-Roscoe: HCBK

Assumptions (to be discharged)

I agreed ordering of the principalsI all principals must digest at the same payload

I social protocol to compare the digests

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Multi-party authentication after decommitmentNguyen-Roscoe: HCBK

Assumptions (to be discharged)

I agreed ordering of the principalsI all principals must digest at the same payload

I social protocol to compare the digests

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Structural similarity — conceptual difference

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

��� ◦

σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

V P◦

νy��

◦

νx��

◦ct(y)oo

◦x +3________ ________ ◦

��◦

��

◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��� ◦

dt(y),rVP (x,y)oo

Social authentication is not challenge-response:

x on the left is not a challenge, but a binder, analogous to y.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

SocialauthenticationSocial channel and its use

Social commitment

Auth. then decommit

Decommit then auth.

Social KE

Security homology

Trust & reputation

Locationauthentication

Conclusions andfuture work

Structural similarity — conceptual difference

A B◦

νy��

◦

νx��

◦e, ct(e,y)oo

◦x // ◦

��◦

��

◦dt(e,y)oo

��� ◦

σf(x,y)oo o/ o/ o/ o/ o/ o/ o/ o/ o/

V P◦

νy��

◦

νx��

◦ct(y)oo

◦x +3________ ________ ◦

��◦

��

◦f(x,y)ks _ _ _ _ _ _ _ __ _ _ _ _ _ _ _

��� ◦

dt(y),rVP (x,y)oo

Social authentication is not challenge-response:

x on the left is not a challenge, but a binder, analogous to y.

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Trust and reputation

NOT PRESENTED

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Deriving location authetication: Mobile IP

NOT PRESENTED

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Outline

Introduction: NFC and pervasive security

Derivational approach to authentication and impersonation

Deriving distance bounding authentication protocols

Deriving social authentication protocols

Trust & reputation

Deriving location authentication protocols

Conclusions and future work

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not suffice

I bootstrap distance, proximity, routing. . .I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not sufficeI bootstrap distance, proximity, routing. . .

I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not sufficeI bootstrap distance, proximity, routing. . .

I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones

Pervasiveauthentication

protocols

Dusko Pavlovic

Introduction: NFC

Derivingauthentication

Timedauthentication

Socialauthentication

Trust & reputation

Locationauthentication

Conclusions andfuture work

Summary

ConclusionsI space security for pervasive and social computation

I E2E model does not sufficeI bootstrap distance, proximity, routing. . .

I derivational approach sine qua non

Future workI embed Social Web 2.0 in physical space

I enable the export of authenticated social linksI make the Web into a social channel

I electronic pheromones