Comments on: Multichannel protocols against relay attacks http://www.lightbluetouchpaper.org/2010/01/26/multichannel-protocols-against-relay-attacks/ Security Research, Computer Laboratory, University of Cambridge Fri, 27 Aug 2010 15:36:41 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Mike Bond http://www.lightbluetouchpaper.org/2010/01/26/multichannel-protocols-against-relay-attacks/comment-page-1/#comment-48103 Mike Bond Fri, 12 Feb 2010 10:40:47 +0000 http://www.lightbluetouchpaper.org/?p=1636#comment-48103 I got thinking about this for some time the other day, after finally finding some time to read the paper properly. I wonder whether a better abstract model for protocol analysis might be do redefine the boundary of the protocol participants. The original, conventional, model was to imagine the network interface of Alice's computer to be the trusted boundary, and that both Alice's computer and Alice were at one, both understanding each other entirely and fully aware of the other, together looking out for Alice, a perfect twinning of man and machine. Now that viruses/trojans have become an inevitable part of PC landscape, and now we understand how little the average user knows about their PC (and the protocols it runs), phrases like "Man in the Browser" and so forth have spawned, to capture the fact that the old trust boundary model is out of date. So Frank, Ford and Bruce have taken the approach of making new abstractions such as the "unrelayable channel". It's not a bad idea, I've made new abstractions myself such as the <a href="http://www.cl.cam.ac.uk/~mkb23/research/Dining-Freemasons.pdf" rel="nofollow">deniable channel</a>. But, I wonder... rather than making yet more specialist abstractions like this, would we be better to stay in the information world, but move the boundary of trust to the perimeter of Alice's brain? We would then say that each brain has five network links (two eyes, two ears, and a spine), and apply a conventional (to terribly abuse this technical term) Dolev-Yao attacker to each of these links. Such a model would for instance, capture the concept that sleight of hand could be used to surreptitiously substitute one accelerometer from another in the "shake together" protocol. This then got me thinking about how security might work in future in a world where proper virtual reality exists. Suppose some geezer hits you on the head, or you get disoriented by a nearby flashbang, and when you wake up, you've been surreptitiously connected to a virtual reality? Assuming sensory quality and physics in this virtual reality is perfect, the only problem is that the VR modellers can't model what they dont know about (inside peoples private houses, inside peoples heads etc). After a few minutes or hours, you will figure out you're not in real life, but can they trick you into performing a relayable authentication in the short duration of time youre in there? Just some musings. Mike I got thinking about this for some time the other day, after finally finding some time to read the paper properly.

I wonder whether a better abstract model for protocol analysis might be do redefine the boundary of the protocol participants. The original, conventional, model was to imagine the network interface of Alice’s computer to be the trusted boundary, and that both Alice’s computer and Alice were at one, both understanding each other entirely and fully aware of the other, together looking out for Alice, a perfect twinning of man and machine.

Now that viruses/trojans have become an inevitable part of PC landscape, and now we understand how little the average user knows about their PC (and the protocols it runs), phrases like “Man in the Browser” and so forth have spawned, to capture the fact that the old trust boundary model is out of date.

So Frank, Ford and Bruce have taken the approach of making new abstractions such as the “unrelayable channel”. It’s not a bad idea, I’ve made new abstractions myself such as the deniable channel.

But, I wonder… rather than making yet more specialist abstractions like this, would we be better to stay in the information world, but move the boundary of trust to the perimeter of Alice’s brain? We would then say that each brain has five network links (two eyes, two ears, and a spine), and apply a conventional (to terribly abuse this technical term) Dolev-Yao attacker to each of these links. Such a model would for instance, capture the concept that sleight of hand could be used to surreptitiously substitute one accelerometer from another in the “shake together” protocol.

This then got me thinking about how security might work in future in a world where proper virtual reality exists. Suppose some geezer hits you on the head, or you get disoriented by a nearby flashbang, and when you wake up, you’ve been surreptitiously connected to a virtual reality? Assuming sensory quality and physics in this virtual reality is perfect, the only problem is that the VR modellers can’t model what they dont know about (inside peoples private houses, inside peoples heads etc). After a few minutes or hours, you will figure out you’re not in real life, but can they trick you into performing a relayable authentication in the short duration of time youre in there?

Just some musings.

Mike

]]> By: P http://www.lightbluetouchpaper.org/2010/01/26/multichannel-protocols-against-relay-attacks/comment-page-1/#comment-46477 P Fri, 29 Jan 2010 22:50:53 +0000 http://www.lightbluetouchpaper.org/?p=1636#comment-46477 Congratulations on getting classified by Websense as a "malicious web site". That will stop those dirty bankers reading your paper at work. This paper is blocked but parts of the site are still reachable. Congratulations on getting classified by Websense as a “malicious web site”. That will stop those dirty bankers reading your paper at work. This paper is blocked but parts of the site are still reachable.

]]>