Transcript Davis
Frank Stajano
Presented by
Patrick Davis
Ubiquitous Computing
◦ Exact concept inception date is unknown
◦ Basically background computing in life
Pervasive Computing
Invisible / Disappearing Computing
Sentient Computing
Ambient Intelligence
Calm computing
◦ Different things to different people
Security
◦ A virus broke my toaster and now my freezer won’t work!
Security is Risk Management
Defender thinks about
◦ I have gold in my house - Asset
◦ Someone can steal my gold - Threats
◦ I leave the front door unlocked - Vulnerabilities
◦ A thief can walk into the front door - Attacks
◦ It costs a lot of money to replace the gold - Risks
◦ Get a few dogs - Safeguards
◦ Release the hounds - Countermeasure
Not a complete list but traditionally…
◦ Confidentiality
◦ Integrity
◦ Availability
To mitigate these risks
◦ Authentication
Identification
Verification
◦ Authorization
Mobile Phone
◦ What do you lose if someone steals the device?
Cost of the device
Information on the device
Availability of the device
Your identification (if the phone is used as a credit card)
◦ What if the phone is hacked? (How do you know it isn’t?)
Information on the phone is compromised
Components on the phone are compromised
Microphone
Your current location
Your current surroundings
How important does it seem to be?
How important is it?
Think like the enemy…
What happens when you record every aspect of your life?
◦ What if I wore one?
What kind of things would you be OK with sharing?
How much do you want to protect these?
◦ From your own memory loss
◦ From hackers
How close are we to this already?
Phones are sending location back almost 24 hours a day
One of the ways to maintain privacy is to make each location marker anonymous
Another way is to have the interested parties broadcast their services and the users pick up or disregard those services as needed
The author disregards the situation where the location of any user (anonymous or not) is a security risk
Basically barcodes that can remotely identify themselves
Can be powered by the request to read the tag
Economies of scale should bring down the price of RFIDs
Can be used as machine vision, where the vision is basically viewed as positions of the RFIDs
Are limited in processing ability, meaning cryptography is limited
Some safeguards are
◦ Killing the Tag
◦ Hash-based access control
◦ Randomized Access Control
◦ Silent tree walking
◦ Blocker-tag
◦ Anti-Counterfeiting using PUFs
◦ Distance bounding protocols
◦ Multi-Factor Access Control in e-passports
In UbiComp the server authenticates the client and, if the client is allowed, performs the requested actions.
A couple of principles in authentication
◦ Big Stick
◦ Resurrecting Duckling
◦ Multi-Channel Protocols
The mother duck is the master and the duckling is the slave
Based on a set of four principles
◦ Two State principle
◦ Imprinting Principle
◦ Death Principle
◦ Assassination Principle
Data Origin Authenticity
Diffie-Hellman key exchange
Man-in-the-middle attack
Have two channels
◦ A high-capacity channel for “long” messages
◦ A low-capacity channel for data-origin authentication
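The two-channel idea on this slide, as an added Python sketch that is not from the original slides: Diffie-Hellman public keys travel over the high-capacity channel, and each side then compares a short digest of the keys it saw over the low-capacity, data-origin-authentic channel. The modulus, generator, six-digit string length and all function names are assumptions made for the example.

```python
import hashlib
import secrets

# Toy parameters chosen for this sketch (assumption): a prime modulus and a
# generator, not a vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def short_auth_string(initiator_pub, responder_pub, digits=6):
    """Digest of the public keys as one endpoint saw them, short enough to
    read aloud or compare on a display (the low-capacity channel)."""
    data = initiator_pub.to_bytes(32, "big") + responder_pub.to_bytes(32, "big")
    n = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return f"{n % 10**digits:0{digits}d}"

def run_exchange(mitm=False):
    """Simulate one key exchange over the high-capacity channel.
    With mitm=True a relay swaps in its own public key in both directions."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_bob, seen_by_alice = a_pub, b_pub
    if mitm:
        _, m_pub = keypair()
        seen_by_bob = seen_by_alice = m_pub
    sas_alice = short_auth_string(a_pub, seen_by_alice)
    sas_bob = short_auth_string(seen_by_bob, b_pub)
    keys_match = (session_key(a_priv, seen_by_alice)
                  == session_key(b_priv, seen_by_bob))
    # Low-capacity channel: the two strings are compared out of band and the
    # session is accepted only if they are equal.
    return {"accepted": sas_alice == sas_bob, "keys_match": keys_match,
            "sas": (sas_alice, sas_bob)}

if __name__ == "__main__":
    print("honest run :", run_exchange())
    print("relayed run:", run_exchange(mitm=True))
```

Deployed multi-channel protocols also have the endpoints commit to their keys before revealing them, so a relay cannot search for keys whose short strings collide; that round is left out of this sketch.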
Do you really like entering your password for every site?
Why do we have single sign-on or identity management (Facebook sign-on)?
How do we get around passwords?
◦ Tokens
◦ Biometrics
Security is only to prevent dishonest people from performing bad actions
This often gets in the way of honest users’ activities
Tax on the honest
We must view through someone else's eyes
◦ The attacker
◦ The user
Quote:
◦ Security cannot depend upon the user’s ability to read a message from the computer and act in an informed and sensible manner […] a machine must be secure out of the factory if given to a user who cannot read
◦ Meaning the security glove must fit the user comfortably but still stop the attacker
Systems are sold on the basis of features.
Customers really only care about security in terms of particular scenarios
Security features cost money to implement; clients see security as an extra or just another feature that they never see.
Again how important is privacy…
◦ Client must have a bad experience with security in order to see the importance of good security
QUESTIONS?