Security Protocols XX

Frontmatter

Introduction: Bringing Protocols to Life (Transcript of Discussion)

Abstract

Our theme this year (which it’s customary to mention once on the morning of the first day) is ”Bringing Protocols to Life”.

We’ve gotten a lot better at specifying protocols in increasing degrees of formality, but it’s not clear that this is actually making it easier to implement them, nor that it’s improving the quality of the finished products to the extent that is often claimed.

Bruce Christianson

Secure Internet Voting Protocol for Overseas Military Voters

Abstract

Overseas military members are known to be disenfranchised at a far higher rate than traditional voters. This fact stems from problems associated with the traditional vote-by-mail absentee process, which does not mesh well to the military member’s frequent address changes, mail delivery in combat environments, and the simple delay in the two way mail system. Initiatives by the Federal Voting Assistance Program aim to improve voting capabilities for U.S. military members. Among these initiatives are the efforts to provide a complete system allowing the military voter the ability to receive and cast voted ballots directly over the Internet. This paper proposes a communication protocol to securely provide this voting option to our military voters while maintaining integrity in the U.S. election process.

Todd R. Andel, Alec Yasinsac

Secure Internet Voting Protocol for Overseas Military Voters (Transcript of Discussion)

Abstract

Our intent is to develop a system to allow deployed military voters to vote via the Internet. The system is to be equivalent to the absentee vote by mail system, without the problems that arise with physical mail. Therefore, the security of our system needs to be evaluated against the absentee process to ensure we meet current absentee security.

Todd R. Andel

Self-enforcing Electronic Voting

Abstract

Verifiable electronic voting has been extensively researched for over twenty years, but few protocols have achieved real-life deployment. A key impediment, we argue, is caused by the existing protocols’ universal reliance on the probity of the tallying authorities. This might seem surprising to many people as dependence on tallying authorities has been a de facto standard in the field. However, this dependence is actually a legacy inherited from traditional physical voting, one that has proved problematic in the electronic context. In this paper, we propose a radically new concept called “self-enforcing electronic voting”, which refers to voting systems that are free from reliance on any tallying authority. This proposal goes significantly further than all existing or proposed e-voting systems. We explain the feasibility of this new approach, with a theoretical definition of the system properties, a concrete engineering design, a practical implementation, and real-world trial experiments. We also highlight some open issues for further research.

Feng Hao, Brian Randell, Dylan Clarke

Self-enforcing Electronic Voting (Transcript of Discussion)

Abstract

Good morning everyone. In the past six months I have been doing some preliminary investigation on what the future e-voting will look like. We have made some progress and I would like to share with you our findings, and also highlight some open problems. I would appreciate your comments and critics. For this presentation I have prepared an election. All you need to do is take one pass code. You will need a laptop with Internet access to vote. I will just pass around the pass codes now. Voting is anonymous, and feel free to take one pass code. Of course you may ask, what is this election about? I’m not going to tell you yet (laughter from the audience) but near the end of my talk I will reveal the results of the election.

Feng Hao

Approaches to Modelling Security Scenarios with Domain-Specific Languages

Abstract

Many security scenarios involve both network and cryptographic protocols and the interactions of different human participants in a real-world environment. Modelling these scenarios is complex, in part due to the imprecision and under-specification of the tasks and properties involved. We present work-in-progress on a domain-specific modelling approach for such scenarios; the approach is intended to support coarse-grained state exploration, and incorporates a classification of elements complementary to computer protocols, such as the creation, personalisation, modification and transport of identity tokens. We propose the construction of a domain-specific language for capturing these elements, which will in turn support domain-specific analyses related to the reliability and modifiability of said scenarios.

Phillip J. Brooke, Richard F. Paige, Christopher Power

Approaches to Modelling Security Scenarios with Domain-Specific Languages(Transcript of Discussion)

Abstract

Good morning, I’m Phil Brooke. My co-authors hail from York, and I’m based at Teesside. For a couple of years we’ve been looking at how people interact with protocols, and the implicit protocols in how people carry out transactions. What we want to do is get some answers in terms of: if I change a process for how I run a particular transaction, do I get a benefit from it? The motivation for this came originally from the Identity Card Act, which has since been repealed in the UK. So our scenarios involve somebody trying to buy some age restricted goods. Rather than just eyeballing the person and saying, ”I think you’re over 18”, or asking for some other identification which may or may not be easily forged, you would have this gold standard ID card, and they’d be able to look at it and say, ”yes, of course you are old enough,” and on we go. Our question wasn’t so much are these good or bad things, but how much difference would it make to us and can I measure that? Can I model it?

Phillip J. Brooke

The Casino and the OODA Loop

Why Our Protocols Always Eventually Fail

Abstract

Security protocols are almost always part of an iterated game, but existing abstractions don’t model this behavior. Models for such systems have been developed in other contexts, and we propose the use of one, John Boyd’s Observe-Orient-Decide-Act (OODA) Loop, as appropriate for the security context.

Sandy Clark, Matt Blaze, Jonathan M. Smith

The Casino and the OODA Loop: Why Our Protocols Always Eventually Fail (Transcript of Discussion)

Abstract

This is joint work with Sandy, who is here, and Jonathan Smith, who’s not. The title of my talk, which is a moving target, is the Casino and OODA loop, and why we are converging on failure. I want to start with a disclaimer that this talk is going to be all questions and no answers or new protocols, so I apologize for that. But I’m going to add a claimer which is that at least this year we are on the theme I think maybe more than anyone else here is, so that’s enough for me.

Matt Blaze

Statistical Metrics for Individual Password Strength

Abstract

We propose several possible metrics for measuring the strength of an individual password or any other secret drawn from a known, skewed distribution. In contrast to previous ad hoc approaches which rely on textual properties of passwords, we consider the problem without any knowledge of password structure. This enables rating the strength of a password given a large sample distribution without assuming anything about password semantics. We compare the results of our generic metrics against those of the NIST metrics and other previous “entropy-based” metrics for a large password dataset, which suggest over-fitting in previous metrics.

Joseph Bonneau

Statistical Metrics for Individual Password Strength (Transcript of Discussion)

Abstract

I’m not proposing any protocols here, I’m talking about passwords, which is what I’ve spent the last year or so doing now. An interesting problem, which came up in my thesis, is how to tell how strong an individual password is. There’s a growing body of publications on how to assess the strength of a big pile of passwords. So if a bunch of passwords leak from a new website there are some measures that I’ve developed, and some things other people have worked on, to try and compare this new body of passwords to all of the passwords at a different website. But the world of analysing a single password is still in the dark ages I would say. Obviously the difference is that with a group of passwords you can start to do statistics, and you can look at how many passwords are repeated within that set, whereas if you just have one password you have to reason about what set it came from.

Joseph Bonneau

Street-Level Trust Semantics for Attribute Authentication

Abstract

The problem of determining whether a receiver may safely accept attributes (e.g., identity, credentials, location) of unknown senders in various online social protocols is a special instance of a more general problem of establishing trust in interactive protocols. We introduce the notion of interactive trust protocols to illustrate the usefulness of social collateral in reducing the inherent trust asymmetry in large classes of online user interactions. We define a social collateral model that allows receivers to accept attributes from unknown senders based on explicit recommendations received from social relations. We use social collateral as a measure of both social relations and “tie strength” among individuals to provide different degrees of accountability when accepting attribute information from unknown senders. Our model is robust in the face of several specific attacks, such as impersonation and tie-strength-amplification attacks. Preliminary experiments with visualization of measured tie strength among users of a social network indicate that the model is usable by ordinary protocol participants.

Tiffany Hyun-Jin Kim, Virgil Gligor, Adrian Perrig

Street-Level Trust Semantics for Attribute Authentication (Transcript of Discussion)

Abstract

In keeping up with the idea of bringing security protocols to life, I’m going to talk about the act of trusting in interactive send-receive protocols. This class of protocols is similar to the “trust game” I presented last year, except that it does not require the existence of a dealer. Specifically, I am going to ask the question of whether it is ever safe to trust input received from an unknown sender.

Virgil Gligor

Analysis of Issues and Challenges of E-Voting in the UK

Abstract

Official trials were conducted of a number of e-voting systems in the UK in 2002/3 and 2007 during local government elections, yet none of these test systems were subsequently used in any further elections, and all trials were suspended in 2008. We describe these trials, concentrating on the second more extensive 2007 trial, and how their results were received. Based on these events, we consider the key challenges involved in introducing current e-voting systems into the present system of UK national and local elections, and what general implications this may have for achieving practical take-up of e-voting within the UK.

Dylan Clarke, Feng Hao, Brian Randell

Analysis of Issues and Challenges of E-Voting in the UK (Transcript of Discussion)

Abstract

My name is Dylan Clarke and I’m from Newcastle University. I’ve been working with Feng Hao on the self-enforcing e-voting system that you saw earlier, and this is another piece of work that is connected to that project. When we started off, we weren’t just looking at what desirable properties can that system provide, and what can it do for elections.We also started looking at the fact that we don’t have e-voting in the UK, despite it having been trialled before, and we wanted to investigate why don’t we have it, and what’s stopped us from having it.

Dylan Clarke

Protocol Governance: The Elite, or the Mob?

Abstract

My talk will be about the life that protocols acquire once they start evolving in a competitive environment. Why is the CA infrastructure so totally broken? Why are the APIs of hardware security modules almost unfixable? The answer, I will argue, is that the interface between the crypto layer and the comsec layer is becoming unmanageable because of conflicts of interest, governance failures at scale, asymmetric information and assorted externalities — in other words, a bundle of security-economics issues.

Ross Anderson

Protocol Governance: The Elite, or the Mob? (Transcript of Discussion)

Abstract

The topic that I suggested when we were asked for abstracts and talk titles back in January was “Protocol governance: the elite, or the mob?”. And sustainability is very fashionable these days so let’s ask ourselves whether protocols are sustainable. We’ve had one or two comments from previous speakers that all protocols tend towards failure because of environmental changes. I agree with that entirely. We’ve been discussing for over a year now in various fora why the CA infrastructure is so broken; there was a wonderful panel at financial crypto last year with a chap from Mozilla having to defend himself against a room full of annoyed people. Why is it that security APIs are almost unfixable? Some of us have looked at that a lot at Cambridge.

Ross Anderson

Usability Issues in Security

Abstract

Usability issues in security have been discussed such that users could use the security tools easier. On contrary we presume another aspect of usability issues in security; an interface which causes a slight disturbance and discomfort so that a user would be aware of security threats and risks. The idea is that we should not feel Anshin to be secure. Anshin is a Japanese indicating the sense of security. We need a risk-aware interface to notice an insecure situation so that we would install security countermeasures. It is a warning interface for the insecure situations. We show how we could implement such an interface in a mail system to prevent users from sending email messages to incorrect destination addresses.

Yuko Murayama, Yasuhiro Fujihara, Yoshia Saito, Dai Nishioka

Usability Issues in Security (Transcript of Discussion)

Abstract

Good morning. Last year I was supposed to attend the workshop, but I’m from North Japan and due to the disaster I couldn’t make it, so this year I’m very happy to be here. I will talk a little bit about our work on Anshin trust, and then I will introduce our research on a warning interface causing discomfort for risk awareness.

Yuko Murayama

Usable Privacy by Visual and Interactive Control of Information Flow

Abstract

With over 2 billion people using the Internet and over 800 million people registered on the popular social networking website Facebook, one problem that is widely discussed in the media and extensively researched in academic circles is that of ensuring privacy of the users. Privacy has been defined as the “individuals right to control information about themselves”, but this right is hard to enforce if one does not understand the flow of information. In this paper, we suggest that in order to bring privacy enhancing protocols into life, for the user, we need to visualise the information flow from the user to the Internet and vice versa. This would help users better understand what information they are sharing with whom and disable any undesired flows, with a mouse-click or a finger-tap, before it is too late.

Shah Mahmood, Yvo Desmedt

Usable Privacy by Visual and Interactive Control of Information Flow (Transcript of Discussion)

Abstract

I’m here to discuss our work about usable privacy through visual and interactive control of information flow. I have done this work in collaboration with Professor Yvo Desmedt at UCL. We will first talk about the importance of users’ privacy, then discuss the reasons that current privacy mechanisms are failing and following that we will discuss our new proposal for a visual and interactive control of information flow.

Shah Mahmood

Sense-And-Trace: A Privacy Preserving Distributed Geolocation Tracking System

Abstract

The capabilities of modern smartphones pave the way for a new collaborative usage of this technology. Several researchers already envisaged to use this technology for distributed sensing purposes. In particular, one of these purposes focuses on tracing devices (people) movement. Current solutions for distributed tracing (either based on information provided by the mobile nodes, or collected by the surrounding network) have some limitations: e.g. accuracy, privacy, cost of deployment, and cost of operation.

The aim of this paper is to highlight the open problems of distributed geolocation tracing and to propose a solution for some of the current problems. In particular, we propose Sense-And-Trace (SAT), which is a system that makes use of collaborative sensing to collect information about other mobile nodes with the final aim of tracking potential target nodes. In SAT, information is collected in a way such that the privacy of nodes that voluntarily collaborate is preserved, and the information of the mobility of a node is disclosed only to the authorized entity (e.g. a law enforcement agency with the appropriate permission). Our solution can be seen as an enhancement of the classical “neighborhood watching” concept, with fine-grained mobility information automatically-collected through the devices carried by humans.

Eyüp S. Canlar, Mauro Conti, Bruno Crispo, Roberto Di Pietro

Sense-And-Trace: A Privacy Preserving Distributed Geolocation Tracking System (Transcript of Discussion)

Abstract

This is joint work with Eyüp Canlar, my PhD-Student, who is also in the room, and whom I thank for preparing the slides. Bruno Crispo and Roberto Di Pietro also contributed to this work.

Mauro Conti

Am I in Good Company? A Privacy-Protecting Protocol for Cooperating Ubiquitous Computing Devices

Abstract

A portable device carries important secrets in encrypted form; to unlock it, a threshold secret sharing scheme is used, requiring the presence of several other devices. We explore the design space for the protocol through which these devices communicate wirelessly, under the additional constraint that eavesdroppers should not be able to recognize and track the user carrying these devices.

Oliver Stannard, Frank Stajano

Am I in Good Company? A Privacy-Protecting Protocol for Cooperating Ubiquitous Computing Devices (Transcript of Discussion)

Abstract

My name is Frank Stajano and this is work done with my brilliant undergraduate student Oliver Stannard. I am very proud of his work. He is doing his final project on an aspect of what I presented last year, namely Pico.

Frank Stajano

Stayin’ Alive: Aliveness as an Alternative to Authentication

Abstract

Authentication protocols attempt to discern whether or not a user is who she says she is based on what she has, is or knows. In many situtations, however, such as protecting Wikis from robots and Distributed Hash Tables from sybils, identity is less important than liveness: it’s not who you are that matters, it’s whether or not you are alive. We propose extensions to the Kerberos authentication which allow systems to test whether or not they are interacting with a real person, optionally disregarding their identity. We demonstrate how such extensions could be used to support realistic user interactions with requiring shared definitions of global identity.

Jonathan Anderson, Robert N. M. Watson

Stayin’ Alive: Aliveness as an Alternative to Authentication (Transcript of Discussion)

Abstract

I’ll start as I often do with an obligatory handwave towards the theme of the workshop. This isn’t so much about bringing protocols to life as a protocol that says whether or not you are currently alive, and this is based on some thinking I’ve been doing with Robert Watson. The title is “Stayin’ Alive: Aliveness as an alternative to authentication”, because sometimes authentication is not the property that you actually want.

Jonathan Anderson

Paul Revere Protocols

Abstract

At the start of the American Revolution, Paul Revere designed one of the most famous covert signaling protocols in history. Though incredibly simple, it has interesting features that we explore in this paper. We also consider the use of Paul Revere protocols in covert computer communication. The Sleeping Beauty problem is a heavily researched puzzle in the theory of probability that previously only had counterintuitive descriptions and complex analyses. Representing it using Paul Revere protocols in covert computer communication provides a clear, natural explanation and simple resolution of this problem.

Paul Syverson

Paul Revere Protocols (Transcript of Discussion)

Abstract

All right, saving the worst for last. I guess, keeping with the theme, this is not (well in a sense it is) about bringing protocols to life: in this case it’s more bringing history to life. I’m going to be describing an actual protocol that was quite significant in history. Some people may know about it. This is a poem that describes the events. This is something that American schoolchildren for many generations, or decades, were forced to memorize after it came out. I was actually, I think, after that period: I don’t remember ever having to memorize this (and my school did keep things around for a long time: we were still having air-raid drills when I was a senior in high school in 1976). But in any case I didn’t have to memorize this.

Paul Syverson

Backmatter