University of Hertfordshire

Pico without public keys

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Standard

Pico without public keys. / Christianson, B.; Stajano, Frank; Lomas, Mark; Jenkinson, Graeme; Jeunese, Payne; Stafford-Fraser, Quentin; Spencer, Max.

Security Protocols XXIII. Springer-Verlag, (Berlin-Heidelberg), 2015. p. 195-211 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

Harvard

Christianson, B, Stajano, F, Lomas, M, Jenkinson, G, Jeunese, P, Stafford-Fraser, Q & Spencer, M 2015, Pico without public keys. in Security Protocols XXIII. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer-Verlag, (Berlin-Heidelberg), pp. 195-211, Security Protocols XXIII 23rd International Workshop, Cambridge, United Kingdom, 31/03/15. https://doi.org/10.1007/978-3-319-26096-9_21

APA

Christianson, B., Stajano, F., Lomas, M., Jenkinson, G., Jeunese, P., Stafford-Fraser, Q., & Spencer, M. (2015). Pico without public keys. In Security Protocols XXIII (pp. 195-211). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). Springer-Verlag, (Berlin-Heidelberg). https://doi.org/10.1007/978-3-319-26096-9_21

Vancouver

Christianson B, Stajano F, Lomas M, Jenkinson G, Jeunese P, Stafford-Fraser Q et al. Pico without public keys. In Security Protocols XXIII. Springer-Verlag, (Berlin-Heidelberg). 2015. p. 195-211. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-26096-9_21

Author

Christianson, B. ; Stajano, Frank ; Lomas, Mark ; Jenkinson, Graeme ; Jeunese, Payne ; Stafford-Fraser, Quentin ; Spencer, Max. / Pico without public keys. Security Protocols XXIII. Springer-Verlag, (Berlin-Heidelberg), 2015. pp. 195-211 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

Bibtex

@inproceedings{a1d077ea5a974adea189010544233290,
title = "Pico without public keys",
abstract = "Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user{\textquoteright}s credentials and that is unlocked by a “personal aura” generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS? Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn{\textquoteright}t work. We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamper-evident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other. We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn{\textquoteright}t actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security.",
author = "B. Christianson and Frank Stajano and Mark Lomas and Graeme Jenkinson and Payne Jeunese and Quentin Stafford-Fraser and Max Spencer",
note = "This document is the Accepted Manuscript version of the following paper: Frank Stajano, Bruce Christianson, Mark Lomas, Graeme Jenkinson, Jeunese Payne, Max Spencer, and Quentin Stafford Fraser, 'Pico without Public Keys', Security Protocols XXIII, 23rd International Workshop Cambridge, March 31- April 2, 2015, Revised Selected Papers, pp. 195-211, part of the Lecture Notes in Computer Science book series (LNCS, Vol. 9379), first online 25 November 2015, ISBN: 978-3-319-26095-2. The final publication is available at Springer via: https://link.springer.com/chapter/10.1007%2F978-3-319-26096-9_21v. ; Security Protocols XXIII 23rd International Workshop ; Conference date: 31-03-2015 Through 02-04-2015",
year = "2015",
month = nov,
day = "25",
doi = "10.1007/978-3-319-26096-9_21",
language = "English",
isbn = "978-3-319-26095-2",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag, (Berlin-Heidelberg)",
pages = "195--211",
booktitle = "Security Protocols XXIII",
}

RIS

TY - GEN

T1 - Pico without public keys

AU - Christianson, B.

AU - Stajano, Frank

AU - Lomas, Mark

AU - Jenkinson, Graeme

AU - Jeunese, Payne

AU - Stafford-Fraser, Quentin

AU - Spencer, Max

N1 - This document is the Accepted Manuscript version of the following paper: Frank Stajano, Bruce Christianson, Mark Lomas, Graeme Jenkinson, Jeunese Payne, Max Spencer, and Quentin Stafford Fraser, 'Pico without Public Keys', Security Protocols XXIII, 23rd International Workshop Cambridge, March 31- April 2, 2015, Revised Selected Papers, pp. 195-211, part of the Lecture Notes in Computer Science book series (LNCS, Vol. 9379), first online 25 November 2015, ISBN: 978-3-319-26095-2. The final publication is available at Springer via: https://link.springer.com/chapter/10.1007%2F978-3-319-26096-9_21v.

PY - 2015/11/25

Y1 - 2015/11/25

N2 - Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user’s credentials and that is unlocked by a “personal aura” generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS? Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn’t work. We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamper-evident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other. We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn’t actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security.

AB - Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user’s credentials and that is unlocked by a “personal aura” generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS? Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn’t work. We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamper-evident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other. We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn’t actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security.

U2 - 10.1007/978-3-319-26096-9_21

DO - 10.1007/978-3-319-26096-9_21

M3 - Conference contribution

SN - 978-3-319-26095-2

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 195

EP - 211

BT - Security Protocols XXIII

PB - Springer-Verlag, (Berlin-Heidelberg)

T2 - Security Protocols XXIII 23rd International Workshop

Y2 - 31 March 2015 through 2 April 2015

ER -