Security researchers leading way in biometrics, insider threats, encryption and virtualization


This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."

Download it now to read this article plus other related content.

Adrian Perrig is a deep thinker posing as a network security expert. He can school most on protocols, authentication, virtualization, key exchange and even share a few thoughts on what it would take to rebuild the Internet from scratch.

He's got the skills, but his greatest gift is context. He adeptly associates problems with solutions, though perhaps to the horror of most security professionals, he experiments with putting security in the hands of the user or within the interaction between users.

"My group in particular is concerned about people who don't have computer science degrees and Ph.D.s in security. Even I have problems using and configuring products," says Perrig, associate professor at CMU and CyLab technical director.

"I approach security by thinking about my family and how they deal with it. I have friends of mine who have Ph.D.s in computer science taking three hours to install their 802.1 access point security. We're just trying to create security that's easy to use."

One such project, developed by Perrig and CMU colleagues Michael K. Reiter (who has since left CMU) and Jonathan M. McCune, is the Seeing is Believing (SiB) protocol, which enables secure communication between mobile devices that have no contextual relationship. The protocol employs two-dimensional

    Requires Free Membership to View

barcodes that serve as the devices' respective public encryption keys. The barcode is photographed by the other SiB-enabled device, which decodes the barcode, then contacts the other device via Bluetooth to obtain another copy of the public key. If the two match, the devices are authenticated and secure communication can happen without the need for a certificate authority.

"Whenever we need to use encrypted email, we need to trust certificates. There are a lot of problems with certificates," Perrig says. "With this system, you get rid of the certificate authority and essentially create your own."

Perrig sees several important business applications of his protocol, most notably in collaborative settings where certificates aren't necessarily well managed (see "Goodbye PKI, Hello AIP," below).

Goodbye PKI, Hello AIP
Accountable Internet Protocol is an ambitious project; its concept of self-verifying transaction statements could snuff out PKI.

PKI, while a solid technology, has never really been executed to a large degree of success. Dave Anderson, an assistant computer science professor at Carnegie Mellon University, may have a way to knock it off the map entirely.

A project called Accountable Internet Protocol aims to replace IP addresses with self-certifying addresses, which are essentially hashes of your public key. If two parties are communicating and know their respective IP addresses, then there is a way to verify each other's public key. A PKI infrastructure becomes moot because the infrastructure would be built into the address resolution infrastructure. Granted, Anderson understands this would take a significant overhaul of the way networking is done today, but this is the mission of CMU and CyLab--to think outside the box.

"You can always have PKI, but our view is that this kind of security should be as intrinsic as you can make it," Anderson says. "You shouldn't have external databases that can be out of date; you shouldn't need to depend on the goodness and happiness of one of 40 root signature issuers, many of which could be convinced to issue a certificate that says you are Microsoft.com."

In essence, self-verifying statements are delivered in a transaction, and don't rely on a third party to verify.

"With AIP, your domain is your autonomous system number; it is a public key," Anderson says. "If I configure a peering session with you, I've said peer with this public key; you don't need a PKI. It's automatic when I do the configuration."


This was first published in November 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: