Spontaneous Authentication with Two Channels Protocol

performance compared with the ones which have. Conversely, they can elimi- nate the threats accompanied with unnecessary strong authentication.

4.3.2

Spontaneous Authentication with Two Channels

Protocol

Despite the feasibility of leaving conventional strong authentication behind in pervasive environments, distinguishing legitimate users from unauthorised

6

Another likely concern is how to provide an audit trail without requiring communicating parties’ identities as part of authentication protocols. Although a discussion on audit trails is out of the scope of this dissertation, I also briefly highlight a possible way to support an audit trail in the LoT framework (see the footnote 3 on 107).

users is still an issue. Here, I propose my mechanism Spontaneous Authentica- tion or human thinkable authentication7

. Thinking is a distinctive ability in human behaviours, which is unlikely to be exhibited by any computational de- vice8

. The spontaneous “thinkable” authentication protocols with the human self-determination contrast with the traditional “computable” authentication protocols which involve no distinctively human agency.

In order to achieve this goal, it is expected to impose necessary tolerances to executed protocols. There is no entirely transparent trust in most cases for pervasive applications. Transparent trust in this dissertation means that two entities have established a trust relationship before (e.g. share a secret key) or have been introduced by knowledgeable authorities (e.g. holding correspond- ing certificates). The tolerance property should be understood differently de- pending upon applications. For instance in pervasive environments, the basic wireless RF channel does not have high data origin authenticity. Instead of expending too much cost on making an RF channel with that characteristic, it is desirable to make the protocols tolerant of this limitation. More pre- cisely, another out of band channel is assumed with the required characteristic (high data origin authenticity in this case). Semantically, such an out of band channel is quite similar to a location-limited [13], or empirical [33] channel. It is a relatively low bandwidth channel compared with high bandwidth RF channel. It is subject to passive attack but not to active attack. Therefore, the ad-hoc communication participants can be assured that the data on this channel does really come from their counterparts. It could be realised in many ways between human-human and human-device, for instance, physical contact between the devices, a close range infra-red link, or one device displaying a number on the screen which is typed into another device by the human user,

7

Consider the human thinking ability, this is to put human in the authentication loop. 8

The possibility of devices which can pass the Turing test [125] is beyond the scope of this dissertation, but arguably such devices should be regarded as human users rather than as DRDs from the cyber rights perspective.

and so on. Essentially, the human context (e.g. hearing, monitoring) is re- quired at this level. We call these human contexts human self-determination. Knowledge is said to be human self-determination if the knowledge is acquired via necessary human contexts, such as, hearing a tune or seeing a display.

Thus, two levels of security mechanism are introduced to incorporate hu- man self-determination knowledge into authentication protocols due to the existence of two channels. It allows tradeoff between trustworthiness in both sectors (human-human and human-device).

1. A Plausible (but unreliable) trust (or PT) protocol is used in the high bandwidth channel with the necessary security tolerances. The RF chan- nel is subject to both passive attacks and active attacks. Thus, tolerances here explicitly means that the main purpose of this protocol is to stop passive attacks. Trust gained from the PT protocol run is plausible, but not reliable for active attacks which occur in the high bandwidth RF channel. I will give an example to explain what I mean by this form of trust in 4.4.1 below.

2. A Reliable trust (acquired through human self-determination) (or RT) protocol is called to achieve higher levels of assurance (e.g. high data origin authenticity) with the assistance of the out-of-band channel. This comes with the mandatory interaction of human context, e.g. moni- toring, hearing, recording, etc., depending upon the choice of out-of- band channel. This is expected to gain an equivalent outcome to that which strong authentication schemes achieve in conventional environ- ments. The protocol’s run is completed as success of a human trust-based decision process [77].

These two protocols work together to support the Spontaneous Authentica- tion with two channel protocol argument. Some existing protocols (some of them are listed in section 2) can be substantially adapted to the Spontaneous

Authentication hypothesis, e.g. physical contact authentication in Stajano’s Resurrecting Duckling [120, 121, 13], entity recognition module [112], authen- tication starting from weak secret agreement protocols and applications, and other contextual attributes (i.e. time, temperature, services, locations, specific transactions) stated in [32].

After implementing the PT and RT protocol, eventually, the human users must further be assumed that a fresh session key has been shared between the correct ad-hoc devices. More significantly, no other device or person can know this session key.

4.4

Example Protocols

The Diffie-Hellman (DH) key exchange protocol [41] is the classic solution to the key agreement problem in a decentralised environment. However, the traditional DH key exchange protocol relies upon the assurance of integrity in the high bandwidth message exchange channel. Such an assumption can barely be achieved in the pervasive context when the wireless RF channel is deployed. Correspondingly, a prior context (e.g. a password or a nonce) has been involved in many protocols [8, 9, 28, 50], mainly targeting the man-in-the- middle attack. It is still a problem for most pervasive applications, for instance, the public meeting threat model (in the 4.1.2) which I am investigating in this chapter. The prior context exchanged between Alice and Bob, or their hand- held devices, is vulnerable in an open (even hostile) environment (e.g. the public conference room). Anyone who successfully obtains the prior context can break the entire authentication protocol.

I will give two approaches built upon a basic DH-S3P protocol [28]. They require both significant human context and two channel authentication to address the problem. Consider the public meeting scenario, assume that,

which have monitor screens (e.g. PDA) and sufficient computational resources; a, b: random numbers generated by DRDalice, DRDbob respectively. They

have to be strong enough to be the discrete logarithm (DL) exponent.

Also, we assume generator g, large prime modulus q = 2p + 1 for prime p, and one-way hash function h are publicly known. Random numbers a and b generated by DRDs must be strong (i.e. long enough to be invulnerable to exhaustive search) as well as hard to predict. A full discussion of assumptions as preconditions not specific to the mobile ad-hoc context is given in [28].