• http://www.infosec-research.org/
• http://www.cndrt.org/frontpage.htm
• http://www.node99.org/projects

Authorization

Or, who's the Dick on your wifi? must see presentation! (single signon to blog ‘sphere’)

1. Role of Authorization in Wireless Network Security from DIMACS 2004, powerpoint
2. Delegated Guest Access to Secure Networks (ppt)
3. Dartmouth - PKI Lab Greenpass, pki ecash for wifi Greenpass: Decentralized, PKI-based Authorization for Wireless LANs(pdf), Flexible and Scalable (pdf)
4. NIST MANET Security, A Solution for Wireless Privacy and Payments based on E-cash
5. Unofficial 802.11 Security Website with plenty of IEEE papers and proposals

1. Connection access != “authorized”
   1. businesses, schools, govt, etc

1. Community wifi?
   1. any ‘secure’ and ‘free’ wifi service
   2. how can i help others w/o making self vulnerable?
   3. default bcast ssid, no encryption
   4. best practices available?
      1. many software ‘out of the box’ apps available
      2. http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html

1. Complicated Security
   1. ‘hotspot’ systems often
      1. proprietary
      2. limited
      3. no single ‘payment’ plan, reusable
      4. mobility and roaming, different cities?

1. protocols, requirement for user
   1. “i just want to connect and check email”
   2. wireless card stardards, chipsets
   3. EAP, RADIUS, infrastructure requirements

1. Dynamic Authorization
   1. temporal access time
   2. security posture of network changes, revoke access
   3. mission systems needed, allow access
   4. varying degress / rings of trust, allowed access
   5. requires some 802.1x and/or firewall filtering

1. Authentication mechanisms
   1. secret: password, pki, ssl
   2. transmit: email, sms
   3. identity: MAC address, pki, ipsec
   4. how many ways can I authenticate?
   5. what devices supported?
   6. how extensible is it to other user reqs?

1. Enable privacy as well?
   1. great anonymous mobility - but location tied to AP
   2. often unencrypted, anyone can read the traffic
      1. dns, http images, text
   3. local hijacking attacks
   4. IPv6 support any of this? (anonymous IPs)

• always access online, but secure for the users?
• usb drive, where to store the keys?

• Problem: Managing 1,000 passwords online
  • SXIP, Sxored - homesites/membersites
    • http://identity20.com/media/ETECH_2006/
    • http://brianwiese.net/blog/2006/06/07/sxored/
  • http://identity20.com/
  • http://www.nsf-middleware.org/default.aspx

• Trust Management in Distributed and Dynamic Environments
  • that’s the main idea possibly

• Problem: Managing 1,000 submissions of my Personal Information
  • Almost like a single sign-on, at least some way to manage “who” gets access to “what” updated contact information and “when”
  • Maybe need a personal server
  • Many websites/etc require you to keep them updated with your contact info as part of registration

11: Civil Penalties for Noncompliance with the Privacy Act 
The Privacy Act also imposes civil penalties on violators who: 
Unlawfully refuse to amend a record 
Unlawfully refuse to grant access to records 
Fail to maintain accurate, relevant, timely and complete data 
Fail to comply with any Privacy Act provision or agency rule that results in an adverse effect. 

• Managing Digital Identity
  • Look at web2.0 single-sign-on architectures, question applicability to Internet apps and DoD?

• Managing Trust in Distributed & Dynamic Environments
  • social networks concept, peers

• resilient/distributed integrity models? each peer stores a hash of your file for you?
• trust the ‘sphere collective’ for redundancy

• Identification and Authentication in MANET, P2P and Groups
  • Secure association and transport of keys
  • PGP, PKI/CA based models, SSH-based host keys
    • PKI probs - http://www.schneier.com/paper-pki.html
    • PKI - http://www.cs.dartmouth.edu/~pki02/Ellison/
    • Self Signed - http://iang.org/ssl/dr_self_signed.html
    • SSH keys - http://www.oreillynet.com/pub/a/oreilly/networking/news/silverman_1200.html
    • SSL Harmful? - http://iang.org/ssl/
  • Key continuity management (in ssh host keys? PKI and PGP certs?)
  • Peter Gutmann - http://www.cs.auckland.ac.nz/~pgut001/ on why
    • Internet is not yet Secure Yet - http://www.cs.auckland.ac.nz/~pgut001/pubs/dammit.pdf
  • Secure Information dispersial - anonyminity?
    • Efficient dispersal of information for security, load balancing, and fault tolerance

• Mobile Device ID and Auth
  • The Seeing Is Believing and Loud and Clear paths
    • http://www.ics.uci.edu/~ccsp/lac/
  • Finding a good “out of band” channel to verify key association
    • Zfone just has users ‘speak their signature’ in real time over the channel
    • http://www.philzimmermann.com/EN/zfone/

• Possibly “out of band channels”
  • P2P network, distributed hash table of stored values
    • need several nodes to recover the key, the data is partitioned among many nodes
  • Some Zero-knowledge based proof, based on assumptions in local environment
    • or Covert Channels ~ Out of Band... used for verification of a passed key?
  • RF imperfections from wireless cards, signatures
    • To ID ‘who to attack’ and to ID ‘who is under attack’ by MAC spoofing?
    • __If I have 2 requests coming from “MAC A”, which is the real one?
  • Embedded “stenagraphy” or “port knocking” and “timing” based signatures
  • Device Driver Fingerprinting (packet formats, timing of algorithms)
  • Jon Ellisch’s work here in 802.11
  • http://www.caida.org/publications/papers/2005/fingerprinting/KohnoBroidoClaffy05-devicefingerprinting.pdf
  • Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting
    • http://www.usenix.org/events/sec06/tech/
    • http://p.fscked.org/research/

• Pervasive Signed Email - Simson Garfinkel
  • http://www.simson.net/projects.php - as well as the networking
  • Pervasive Signed Email. Now that roughly 90% of all Internet users have S/MIME-compliant mail programs, it’s time for companies like PayPal and Amazon to be sending out digitally signed mail as a matter of course. It would help in the fight against both spam and phishing. How can we get them to do it?

• Current Security Protocols of Interest
  • http://www.philzimmermann.com/EN/zfone/ - for VoIP
    • Needs to be integrated with Asterisk (Open Source PBX)
    • API available in C for porting other VoIP applications
  • SILC - http://silcnet.org/support/faq/crypto/
    • Sends some “signatures” that can be detected?

• PGP In Constrained Wireless Devices
  • http://www.usenix.org/events/sec2000/full_papers/brown/brown.pdf

• http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

From the IEEE Security CFP

• Access Control and Audit
• Anonymity and Pseudonymity
• Authentication, including Phishing
• Automated and Large-Scale Attacks
• Biometrics
• Commercial and Industrial Security
• Data Integrity
• Database Security
• Denial of Service
• Distributed Systems Security
• Electronic Privacy
• Information Flow
• Intrusion Detection
• Language-Based Security
• Malicious Code
• Mobile Code and Agent Security
• Network Security
• Peer-to-Peer Security
• Secure Hardware and Smartcards
• Security Protocols
• Security Verification
• Security of Mobile Ad-Hoc Networks