This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Mobile Device Security Using Transient Authentication
November 2006 (vol. 5 no. 11)
pp. 1489-1502
Mobile devices are vulnerable to theft and loss due to their small size and the characteristics of their common usage environment. Since they allow users to work while away from their desk, they are most useful in public locations and while traveling. Unfortunately, this is also where they are most at risk. Existing schemes for securing data either do not protect the device after it is stolen or require bothersome reauthentication. Transient Authentication lifts the burden of authentication from the user by use of a wearable token that constantly attests to the user's presence. When the user departs, the token and device lose contact and the device secures itself. We show how to leverage this authentication framework to secure all the memory and storage locations on a device into which secrets may creep. Our evaluation shows this is done without inconveniencing the user, while imposing a minimal performance overhead.

[1] A. Adams and M.A. Sasse, “Users Are Not the Enemy: Why Users Compromise Security Mechanisms and How to Take Remedial Measures,” Comm. ACM, vol. 42, no. 12, pp. 40-46, Dec. 1999.
[2] R. Anderson, “Why Cryptosystems Fail,” Comm. ACM, vol. 37, no. 11, pp. 32-40, Nov. 1994.
[3] B.V. Bigelow, “Qualcomm Secrets Vanish with Laptop,” San Diego Union-Tribune, 2000.
[4] M. Blaze, “A Cryptographic File System for UNIX,” Proc. First ACM Conf. Computer and Comm. Security, pp. 9-16, Nov. 1993.
[5] M. Blaze, “Key Management in an Encrypting File System,” Proc. Summer 1994 USENIX Conf., pp. 27-35, June 1994.
[6] S. Brands and D. Chaum, “Distance-Bounding Protocols,” Proc. EUROCRYPT Conf., pp. 344-359, 1993.
[7] M. Burrows, M. Abadi, and R. Needham, “A Logic of Authentication,” ACM Trans. Computer Systems, vol. 8, no. 1, pp. 18-36, Feb. 1990.
[8] S. Carlton, J. Taylor, and J. Wyszynski, “Alternate Authentication Mechanisms,” Proc. 11th Nat'l Computer Security Conf., 1988.
[9] G. Cattaneo, L. Catuogno, A.D. Sorbo, and P. Persiano, “The Design and Implementation of a Transparent Crytographic File System for UNIX,” Proc. Freenix Track: 2001 USENIX Ann. Technical Conf., pp. 199-212, June 2001.
[10] M. Corner and B. Noble, “Zero-Interaction Authentication,” Proc. Eighth Int'l Conf. Mobile Computing and Networking (ACM MobiCom '02), Sept. 2002.
[11] M.D. Corner and B.D. Noble, “Protecting Applications with Transient Authentication,” Proc. First Int'l Conf. Mobile Systems, Applications, and Services (MobiSys '03), May 2003.
[12] G. Di Crescenzo, N. Ferguson, R. Impagliazzo, M. Jakobsson, C. Meinel, and S. Tison, “How to Forget a Secret,” Proc. 16th Ann. Symp. Theoretical Aspects in Computer Science (STACS '99), pp. 500-509, Mar. 1999.
[13] J. Daemen and V. Rijmen, AES Proposal: Rijindael. Advanced Encryption Standard Submission, second ed. Mar. 1999.
[14] D. Davis, “Compliance Defects in Public-Key Cryptography,” Proc. Sixth USENIX Security Symp., pp. 171-178, 1996.
[15] F. Deane, K. Barrelle, R. Henderson, and D. Mahar, “Perceived Acceptability of Biometric Security Systems,” Computers and Security, vol. 14, no. 3, pp. 225-231, 1994.
[16] W. Diffie, P. van Oorschot, and M. Wiener, Design Codes and Cryptography. Kluwer Academic, 1992.
[17] P. Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory,” Proc. Sixth USENIX Security Symp., pp. 77-89, July 1996.
[18] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole Attacks,” Proc. 11th Network and Distributed System Security Symp. (NDSS '04), Feb. 2004.
[19] Y.-C. Hu, A. Perrig, and D.B. Johnson, “Packet Leashes: A Defense Against Wormhole Attacks in Wirless Ad Hoc Networks,” Proc. 22nd Ann. Joint Conf. IEEE Computer and Comm. Soc. (INFOCOM), pp. 1976-1986, Apr. 2003.
[20] J. Howard et al., “Scale and Performance in a Distributed File System,” ACM Trans. Computer Systems, vol. 6, no. 1, pp. 51-81, Feb. 1988.
[21] C. Landwehr, “Protecting Unattended Computers without Software,” Proc. 13th Ann. Computer Security and Applications Conf. (ACSAC), pp. 274-283, 1997.
[22] C. Narayanaswami and M.T. Raghunath, “Application Design for a Smart Watch with a High Resolution Display,” Proc. Fourth Int'l Symp. Wearable Computers, pp. 7-14, Oct. 2000.
[23] M. Negin, Jr., T.A. Chemielewski, M. Salganicoff, T.A. Camus, U.M. Cahnvon Seelen, P.L. Venetianer, and G.G. Zhang, “An Iris Biometric System for Public and Personal Use,” Computer, vol. 33, no. 2, pp. 70-75, Feb. 2000.
[24] P.J. Phillips, A. Martin, C.L. Wilson, and M. Przybocki, “An Introduction to Evaluating Biometric Systems,” Computer, vol. 33, no. 2, pp. 56-63, Feb. 2000.
[25] N. Provos, “Encrypting Virtual Memory,” Proc. Ninth USENIX Security Symp., Aug. 2000.
[26] A.D. Rubin and P. Honeyman, “Long Running Jobs in an Authenticated Environment,” Proc. Fourth USENIX Security Symp., pp. 19-28, Oct. 1993.
[27] A.D. Rubin and P. Honeyman, “Nonmonotonic Cryptographic Protocols,” Proc. Computer Security Foundations Workshop, pp. 100-116, June 1994.
[28] B. Schneier, “Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish),” Proc. Cambridge Security Workshop, pp.191-204, Dec. 1993.
[29] B. Schneier, Applied Cryptography. John Wiley and Sons, 1996.
[30] R.E. Smith, Authentication: From Passwords to Public Keys. Addison-Wesley, 2002.
[31] T. Ylonen et al., “SSH Protocol Architecture,” Internet Draft, Jan. 2001.
[32] D. Verton, “State Department to Punish Six over Missing Laptop,” Computerworld, Dec. 2000.
[33] T. Ylonen, “SSH-Security Login Connections over the Internet,” Proc. Sixth USENIX Security Symp., pp. 37-42, July 1996.
[34] E. Zadok, I. Badulescu, and A. Shender, “CryptFS: A Stackable Vnode Level Encryption File System,” Technical Report CUCS-021-98, Computer Science Dept., Columbia Univ., 1998.
[35] E. Zadok and J. Nieh, “FIST: A Language for Stackable File Systems,” Proc. Ann. USENIX Technical Conf., pp. 55-70, June 2000.

Index Terms:
Transient authentication, human factors, cryptographic controls, security, mobile computing, privacy.
Citation:
Anthony J. Nicholson, Mark D. Corner, Brian D. Noble, "Mobile Device Security Using Transient Authentication," IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-1502, Nov. 2006, doi:10.1109/TMC.2006.169
Usage of this product signifies your acceptance of the Terms of Use.