This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
DEEP THOUGHTS, PRACTICAL SECURITY
He's got the skills, but his greatest gift is context. He adeptly associates problems with solutions, though perhaps to the horror of most security professionals, he experiments with putting security in the hands of the user or within the interaction between users.
"My group in particular is concerned about people who don't have computer science degrees and Ph.D.s in security. Even I have problems using and configuring products," says Perrig, associate professor at CMU and CyLab technical director.
"I approach security by thinking about my family and how they deal with it. I have friends of mine who have Ph.D.s in computer science taking three hours to install their 802.1 access point security. We're just trying to create security that's easy to use."
One such project, developed by Perrig and CMU colleagues Michael K. Reiter (who has since left CMU) and Jonathan M. McCune, is the Seeing is Believing (SiB) protocol, which enables secure communication between mobile devices that have no contextual relationship. The protocol employs two-dimensional barcodes that serve as the devices' respective public encryption keys. The barcode is photographed by the other SiB-enabled device, which decodes the barcode, then contacts the other device via Bluetooth to obtain another copy of the public key. If the two match, the devices are authenticated and secure communication can happen without the need for a certificate authority.
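The exchange described above, modelled as an added example (not code from the article or from the SiB project): each device shows a barcode over the visual channel, receives the peer's key over the wireless channel, and accepts the key only if the two agree. Assumptions: the barcode carries a SHA-256 fingerprint of the key rather than the full key (a capacity choice made here), the keys are constructed byte strings standing in for real public keys, and `wireless` is a hook that models the Bluetooth channel so a substituted key can be shown to fail the check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    # Commitment small enough for a 2D barcode (assumption: SHA-256 of the key bytes).
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Device:
    name: str
    public_key: bytes                                  # constructed stand-in for a real key
    trusted: dict = field(default_factory=dict)        # peer name -> verified public key

    def barcode(self) -> str:
        # Visual channel: displayed on screen and photographed by the peer.
        return fingerprint(self.public_key)

    def send_key_over_bluetooth(self) -> bytes:
        # Wireless channel: the full key, which an attacker could try to replace.
        return self.public_key

    def verify_peer(self, peer_name: str, photographed: str, received_key: bytes) -> bool:
        # The key is trusted only if what arrived over Bluetooth matches the barcode.
        ok = hmac.compare_digest(fingerprint(received_key), photographed)
        if ok:
            self.trusted[peer_name] = received_key
        return ok


def sib_pairing(a: Device, b: Device, wireless=lambda key: key) -> bool:
    # Run the check in both directions; `wireless` is identity for an honest channel,
    # or a substituting function to model a man-in-the-middle on Bluetooth.
    a_ok = a.verify_peer(b.name, b.barcode(), wireless(b.send_key_over_bluetooth()))
    b_ok = b.verify_peer(a.name, a.barcode(), wireless(a.send_key_over_bluetooth()))
    return a_ok and b_ok


if __name__ == "__main__":
    alice = Device("alice", b"constructed-public-key-A")
    bob = Device("bob", b"constructed-public-key-B")
    print("honest channel:", sib_pairing(alice, bob))                          # True
    print("substituted key:", sib_pairing(Device("a", b"A"), Device("b", b"B"),
                                          wireless=lambda k: b"attacker-key")) # False
```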
"Whenever we need to use encrypted email, we need to trust certificates. There are a lot of problems with certificates," Perrig says. "With this system, you get rid of the certificate authority and essentially create your own."
Perrig sees several important business applications of his protocol, most notably in collaborative settings where certificates aren't necessarily well managed (see "Goodbye PKI, Hello AIP," below).
This was first published in November 2008