Final Activity Report Summary - CAPER (Context-based authentication in pervasive computing)
The objective of this project was to address the problem of peer device authentication in wireless ad hoc networks with context sensing. Research activities were focussed both on development of concrete methods that employ context sensing for verification of device authenticity, and on development of a general understanding of design challenges for context-based authentication. The problem of peer device authentication has been studied specifically for two use cases: secure spontaneous interaction of mobile users via personal mobile devices with infrastructure services (e.g. printer in an unknown environment), and secure pairing of small mobile devices (e.g. mobile phone and Bluetooth headset). An extensive literature survey was conducted to gain insight into principal challenges surrounding secure authentication and spontaneous interaction in pervasive computing, discovering that a key concern not sufficiently addressed to date is the need for methods that involve minimal overhead from a user point of view.
Two concrete methods have been developed and studied in depth. The first one uses "spatial references" for authentication of devices, based on relative position sensing with embedded ultrasonic transceivers (utilising the outcomes of the FET-Open RELATE coordinated at Lancaster University, the host site of this fellowship project). The second is designed specifically for authentication of small handheld devices and uses shared movement patterns that users can generate by shaking devices together. The study of the methods has included analyses of the security of out-of-band channels such as ultrasound, and of different protocol designs, for example comparative analysis of key generation versus key verification on the basis of movement data. Both methods have been subjected to in depth security analyses as well as usability assessments. a) authentication based on relative spatial relationship, called "spatial references"; and b) authentication based on shared movement patterns, called "shake well before use". These methods cover the two studied use cases. Spatial relationships seem appropriate to select and implicitly authenticate stationary devices or services, but can also be used between two mobile devices. This has also involved user studies for data collection and for evaluation of the methods under realistic usage conditions.
In addition to the study of specific approaches, activity has also focussed on development of general contributions including open source development of a toolkit and survey work toward a taxonomy of authentication methods. The research has also been widely disseminated through peer-reviewed publications, as well as presentation and demonstration at international conferences and workshops. Moreover, a dedicated international workshop on the topic of secure spontaneous interaction was organised and moderated by the fellow, fostering the development of a community of researchers active in this distinct research direction. Discussion in this emerging community is facilitated by a public Wiki that has initially been populated with results of the workshop discussions, and first user contributions are starting to appear.
Two concrete methods have been developed and studied in depth. The first one uses "spatial references" for authentication of devices, based on relative position sensing with embedded ultrasonic transceivers (utilising the outcomes of the FET-Open RELATE coordinated at Lancaster University, the host site of this fellowship project). The second is designed specifically for authentication of small handheld devices and uses shared movement patterns that users can generate by shaking devices together. The study of the methods has included analyses of the security of out-of-band channels such as ultrasound, and of different protocol designs, for example comparative analysis of key generation versus key verification on the basis of movement data. Both methods have been subjected to in depth security analyses as well as usability assessments. a) authentication based on relative spatial relationship, called "spatial references"; and b) authentication based on shared movement patterns, called "shake well before use". These methods cover the two studied use cases. Spatial relationships seem appropriate to select and implicitly authenticate stationary devices or services, but can also be used between two mobile devices. This has also involved user studies for data collection and for evaluation of the methods under realistic usage conditions.
In addition to the study of specific approaches, activity has also focussed on development of general contributions including open source development of a toolkit and survey work toward a taxonomy of authentication methods. The research has also been widely disseminated through peer-reviewed publications, as well as presentation and demonstration at international conferences and workshops. Moreover, a dedicated international workshop on the topic of secure spontaneous interaction was organised and moderated by the fellow, fostering the development of a community of researchers active in this distinct research direction. Discussion in this emerging community is facilitated by a public Wiki that has initially been populated with results of the workshop discussions, and first user contributions are starting to appear.