ABSTRACT
How does a machine know who is using it? Currently, systems assume that the user typing now is the same person who supplied a password days ago. Such persistent authentication is inappropriate for mobile and ubiquitous systems, because associations between people and devices are fleeting. To address this, we propose transient authentication. In this model, a user wears a small hardware token that authenticates the user to other devices over a short-range, wireless link. This paper presents the four principles of transient authentication, our experience applying the model to a cryptographic file system, and our plans for extending the model to other services and applications.