
Significant Human Context in Pervasive Environments

Nowadays, pervasive environments are characterised by computer invisibility: people communicate through physically present, visible devices without noticing their existence. It is very clear that the human context is the distinctive property of pervasive environments. Explicitly, it is desirable to recast security techniques in the new human-based philosophy of pervasive environments.

4.2.1 Positive Human Context

Among the more serious threats which make cryptosystems fail in the real world are human implementation errors and management failures [3]. Superficially, limiting human influence on computing systems is usually a basic discipline guiding the design of security protocols, especially authentication protocols in conventional environments. This is considered reasonable because of human unpredictability, including dishonest or incompetent behaviour. Hence, we always worry that involving the human context would dramatically undermine security, as many of the cases in Mitnick's book [87] witness. Humans are invisible in conventional communication contexts such as Internet-based computing. Computer devices follow human instructions, but ignore whether these instructions are appropriate to the task or come from the right human. Thus, strong (ID-based) authentication is always required to ensure that a tracing step can follow if something goes wrong.

Michael Roe, in his Ph.D. thesis [103], shows that what is regarded as a security threat in one context may become a mechanism providing a desired security service in a different context. We have to look at the context to decide whether something is a threat or a security service. Human influences are usually regarded negatively, as threats. Nevertheless, communications in pervasive environments always occur in a highly dynamic and spontaneous way. This makes it infeasible to have proper pre-computed resources configured for a particular interaction. For interactions between human and human, or human and device, only the human has the contextual knowledge about the forthcoming interaction. For instance, in pervasive applications we often have a pre-decision ("This is the one to whom I am willing to talk") and physico-spatial knowledge ("Yes, I can see this is the one I am going to talk to"). Thus, the human context cannot simply be considered a threat, because it is the distinctive property of pervasive environments. I shall attempt to positively re-frame knowledgeable human influence as a desirable security mechanism in the pervasive context. On the one hand, human users will not worry about the details of pervasive interactions. On the other hand, they ought to be encouraged to interact with the devices and environments more positively, in support of the ultimate security goal.

Thus, in a similar manner to Roe’s threat/service duality, I argue that the positive human context is the distinctive security service for pervasive environments. Conversely, failing to recognise the positive human context is a threat in the pervasive context.

4.2.2 Minimise The Reliance Upon Trustworthiness

A maltrust problem arises when humans abuse trust gained from other humans. Most conventional schemes are built upon computed credentials⁴ from computing devices, intending to solve the maltrust problem. A typical real-world example is the current Chip and PIN credit card approach. It intends to shift the final jurisdiction from human verification (signature recognition) to computed authentication (the system verifying that the PIN matches). These schemes, however, have not achieved better security performance, because the essential maltrust problem has not been solved as expected. Instead, it is simply reproduced from the human-human domain in the human-device domain. Consequently, increasing human reliance upon computer devices, with the seamless interactions between humans and devices in pervasive environments, is in fact compounding the problems caused by maltrust.

The principle of my proposal is based on a Need-to-Know policy⁵. This policy is not new: it originated in a military context and is classically applied in access control systems by minimising access rights. Note that in this approach it is critical to relate authentication explicitly to access control, because the primary purpose of authentication in a Need-to-Know context is precisely to determine (minimal) access rights. Here, we transfer this idea to authentication protocols and introduce a minimise-the-reliance-upon-trustworthiness principle to balance trust coming from the human and computer device domains.

For DRDs, it is a high-cost and complicated job to deal with unpredictable confusions by depending only on computational results. Likewise, each DRD cannot simply be assumed honest, competent, and willing to perform expensive tasks strictly. So it is unfair to establish trustworthiness from authorities' assurances (due to an obvious trust transitivity problem), and it is worse to rely entirely on the results of computations performed by computer devices with no human interaction (another expression of trust transitivity). For instance, when customers withdraw money from an ATM, they cannot ensure (or even verify) that the ATM will implement security policy checking correctly (but, interestingly, both banks and customers usually assume ATMs will do so).

⁴ Computed credentials are bit patterns which are calculated solely by a computing algorithm behind the scenes.

⁵ Regardless of how freely we wish to make resources available, it is dangerous (from the integrity and audit dimensions of security) for users to hold capabilities which they do not even intend to use, as explained in the principle of least privilege [40, 105].

As I pointed out above, positive human involvement is necessary to the security of pervasive computing. Introducing human context into security protocols has the potential to guide pervasive computer devices to deal with complex security requirements effectively. I have always been inspired by a comment of Mark Weiser, the father of ubiquitous computing, in his well-known paper [128]:

“There is more information available at our fingertips during a walk in the woods than in any computer system, yet people find a walk among trees relaxing and computers frustrating. Machines that fit the human environment, instead of forcing humans to enter theirs, will make using a computer as refreshing as taking a walk in the woods.”