Information Security Magazine
Security researchers leading way in biometrics, insider threats, encryption and virtualization
by Michael S. Mimoso
Issue: Nov 2008

DEEP THOUGHTS, PRACTICAL SECURITY
Adrian Perrig is a deep thinker posing as a network security expert. He can school most on protocols, authentication, virtualization, key exchange and even share a few thoughts on what it would take to rebuild the Internet from scratch.

He's got the skills, but his greatest gift is context. He adeptly associates problems with solutions, though perhaps to the horror of most security professionals, he experiments with putting security in the hands of the user or within the interaction between users.

"My group in particular is concerned about people who don't have computer science degrees and Ph.D.s in security. Even I have problems using and configuring products," says Perrig, associate professor at CMU and CyLab technical director.

"I approach security by thinking about my family and how they deal with it. I have friends who have Ph.D.s in computer science taking three hours to install their 802.1 access point security. We're just trying to create security that's easy to use."

One such project, developed by Perrig and CMU colleagues Michael K. Reiter (who has since left CMU) and Jonathan M. McCune, is the Seeing is Believing (SiB) protocol, which sets up secure communication between mobile devices that share no prior relationship: no common certificate authority and no pre-shared secret. Each device displays a two-dimensional barcode that commits to its public key (in the published protocol, a cryptographic hash of the key rather than the key itself, which is what fits in a barcode). The other SiB-enabled device photographs the barcode, decodes it, then contacts the first device via Bluetooth to obtain the public key itself. If the key received over Bluetooth matches what the barcode committed to, the receiving device has authenticated the sender's key and encrypted communication can proceed without a certificate authority. The camera is the trusted channel: an attacker on the Bluetooth link can substitute a key, but cannot change what the user photographed, so the substituted key fails the check. Running the exchange in both directions authenticates both devices.

"Whenever we need to use encrypted email, we need to trust certificates. There are a lot of problems with certificates," Perrig says. "With this system, you get rid of the certificate authority and essentially create your own." ...



Perrig sees several important business applications of his protocol, most notably in collaborative settings where certificates aren't necessarily well managed (see "Goodbye PKI, Hello AIP," below).

Goodbye PKI, Hello AIP
Accountable Internet Protocol is an ambitious project; its concept of self-verifying transaction statements could snuff out PKI.

PKI, while a solid technology, has never been deployed with much success. Dave Anderson, an assistant computer science professor at Carnegie Mellon University, may have a way to knock it off the map entirely.

A project called Accountable Internet Protocol (AIP) aims to replace IP addresses with self-certifying addresses: an address is derived from a hash of the holder's public key. Any party that knows a peer's address can therefore check a public key that peer presents simply by hashing it and comparing, with no certificate and no third party involved. A separate PKI becomes moot because the binding between identity and key is the address itself; what the address resolution infrastructure hands out is already the trust anchor, although that address still has to come from a source the verifier trusts, such as its own peering configuration. Granted, Anderson understands this would take a significant overhaul of the way networking is done today, but that is the mission of CMU and CyLab: to think outside the box.

"You can always have PKI, but our view is that this kind of security should be as intrinsic as you can make it," Anderson says. "You shouldn't have external databases that can be out of date; you shouldn't need to depend on the goodness and happiness of one of 40 root signature issuers, many of which could be convinced to issue a certificate that says you are Microsoft.com."

In essence, the statements exchanged in a transaction verify themselves, and no third party is needed to vouch for them.

"With AIP, your domain is your autonomous system number; it is a public key," Anderson says. "If I configure a peering session with you, I've said peer with this public key; you don't need a PKI. It's automatic when I do the configuration."
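Both mechanisms on this page, SiB's barcode and AIP's self-certifying address, rest on the same idea: commit to a public key with a hash that reaches the verifier over a channel it trusts (a photographed barcode, a configured peering address), then check any key that arrives over the untrusted channel against that commitment. The Python below is an added example, not code from CMU or from either project. It uses only the standard library: a Diffie-Hellman key pair in the RFC 3526 group-14 modulus stands in for the devices' real keys, the 20-byte address width is an assumption made for this example (AIP's own encoding is not described on this page), and an in-memory attacker on the Bluetooth link shows the check rejecting a substituted key before any session key is derived.

```python
"""Hash-of-public-key commitments, in the spirit of Seeing is Believing (SiB) and AIP.

Added illustration, not code from CMU or either project. Stdlib only: a
Diffie-Hellman exchange in the RFC 3526 group-14 modulus stands in for the
devices' real key pairs, and the barcode, Bluetooth link and AIP address are
plain Python values.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) modulus and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_BYTES = 256        # serialized size of a group element (fits any value < P)
AIP_ADDR_BYTES = 20    # assumed address width for this example, not AIP's spec


def keygen():
    """Return (private exponent, serialized public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P).to_bytes(PUB_BYTES, "big")


def commitment(pub):
    """What the SiB barcode carries: a hash of the key, which fits in a 2-D
    barcode and is all the verifier needs to recognise the real key later."""
    return hashlib.sha256(pub).digest()


def matches_commitment(commit, pub_received):
    """Constant-time check of a key received over the untrusted link against
    the commitment obtained over the authentic (visual) channel."""
    return hmac.compare_digest(commit, commitment(pub_received))


def session_key(priv, peer_pub):
    """Plain DH agreement hashed down to a 32-byte symmetric key."""
    shared = pow(int.from_bytes(peer_pub, "big"), priv, P)
    return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big")).digest()


def sib_pairing(attacker_on_bluetooth):
    """One SiB run seen from Bob's side. Returns True if Bob accepts Alice's key
    and the two derive the same session key, None if Bob aborts."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    barcode = commitment(alice_pub)          # photographed; not forgeable over the air
    _, mallory_pub = keygen()                # attacker's own key, constructed here
    over_the_air = mallory_pub if attacker_on_bluetooth else alice_pub
    if not matches_commitment(barcode, over_the_air):
        return None                          # abort before deriving anything
    # For mutual authentication Alice would scan Bob's barcode the same way.
    return session_key(bob_priv, over_the_air) == session_key(alice_priv, bob_pub)


# AIP: the same commitment, truncated, becomes the node's address, so whoever
# already holds the address (e.g. from its peering config) can verify a
# presented key with no certificate lookup at all.
def aip_address(pub):
    return commitment(pub)[:AIP_ADDR_BYTES]


def aip_key_is_valid(address, presented_pub):
    return hmac.compare_digest(address, aip_address(presented_pub))


if __name__ == "__main__":
    print("SiB honest run accepted:", sib_pairing(False))
    print("SiB with Bluetooth MITM :", sib_pairing(True))
    _, peer = keygen()
    addr = aip_address(peer)
    _, impostor = keygen()
    print("AIP peer key verifies   :", aip_key_is_valid(addr, peer))
    print("AIP impostor key verifies:", aip_key_is_valid(addr, impostor))
```

The one thing neither check can do is tell you whose key it is: the barcode and the address only prove that the key presented is the key that was committed to, so the security of both schemes reduces to how the commitment reached you, which is why the camera (SiB) and the operator's own peering configuration (AIP) are the trusted inputs.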

--MICHAEL S. MIMOSO




Copyright 2003 - 2009, TechTarget. All Rights Reserved.