Name: Phillip Hallam-Baker
For VeriSign Inc.
Position paper

One of the biggest challenges in developing a security infrastructure for mobile devices is to develop a means of device authentication that offers both ease of use and ease of administration. Traditionally, mobile devices have been authenticated by symmetric key techniques, usually with minimal thought given to usability. The configuration challenges posed to users by the original 802.11b WEP authentication scheme are a case in point: in one implementation in widespread use, the user is asked to authenticate their machine to the network by typing a 32-digit hexadecimal string into a password entry field, *twice*.

While the authentication mechanism developed for Bluetooth devices is clearly designed to pose a minimal usability challenge, it has become apparent that entry of a four-digit numeric PIN is not minimal enough: new devices almost invariably ship with 0000 as the authentication code, which leaves the PIN with no security value.

Public key credentials, in particular digital certificates, offer one solution to this problem. A digital certificate that ties the public key of a device to its MAC address allows for a highly automated authentication mechanism. MAC addresses are effectively unique to a particular device and are commonly employed as a means of weak network authentication; to support this mode of device management, MAC address assignments are commonly printed on the outside of device packaging in barcode form and on shipping notices. The principal disadvantage of this approach is that a MAC address can be cloned easily. The addition of public key cryptography turns what is currently a weak scheme into a strong means of authentication: the MAC address continues to name the device, but a cloned address is useless without the private key that the certificate binds to it.
Although device certificates are currently deployed in DOCSIS cable modems and will be deployed in WiMAX devices, the principal drawback of this scheme is that it is of limited effectiveness in environments where only some devices have device certificates.

What is proposed is a compromise approach in which public key credentials and symmetric key credentials are used in an asymmetric fashion. In traditional approaches either both parties use symmetric key credentials or both parties use asymmetric credentials in protocol exchanges offering mutual authentication. In the proposed approach the world of devices is divided into 'hub' devices that have public key credentials and 'spoke' devices that effect strong authentication by means of a large, random symmetric key.

Username and password authentication over SSL is another authentication trope that involves this type of asymmetry, but it does not achieve mutual authentication. The authentication of the client to the server is not tied to the authentication of the server to the client: the client proves itself to whichever server terminated the SSL connection, whether or not that is the server it meant to talk to. Two unidirectional authentications do not equal mutual authentication.

Use Scenario

Having won the lottery, Alice retires to her house of the future. Every electrical device in the house is network connected: heating, cooling, every appliance, every light switch. How does Alice live in such a house without spending every waking moment playing system administrator? While peer-to-peer configuration can be effective for small networks, Alice has over a thousand devices (it is a large house), and a peer-to-peer scheme would require over a million pairwise interactions. The scheme simply does not scale. In order to scale, structure is required. Alice does not want to manage a thousand devices; she wants to manage a single network console that in turn manages the actual devices. The network console itself is managed by a pair of hub devices, configured so as to provide fault tolerance.
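The hub/spoke arrangement above, worked through in Go as an added example; this is not code from the paper or from VeriSign. It anticipates the pairing step and the derived-key mechanism the paper describes next: a spoke holds a master secret that never leaves it, derives one symmetric key per hub, and hands that key to the hub wrapped under the hub's public key. The concrete choices are assumptions, not anything the paper specifies: RSA-OAEP for wrapping, HMAC-SHA-256 for derivation and for the proofs, the hub identified by the SHA-256 fingerprint of its DER-encoded public key, fixed direction labels, and a challenge-response in which both nonces and the hub fingerprint enter every proof. That last point is what makes the two directions one mutual authentication rather than two independent one-way ones: a proof a spoke computes for one hub does not verify at another, and the hub's reply is tied to the same nonces.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// hubID: SHA-256 of the hub's DER-encoded public key (assumed identifier).
func hubID(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA key
	sum := sha256.Sum256(der)
	return sum[:]
}

// Spoke is a device whose master secret never leaves it.
type Spoke struct{ master []byte }

// keyFor derives the key bound to one hub; no derived key reveals the master.
func (s *Spoke) keyFor(pub *rsa.PublicKey) []byte {
	m := hmac.New(sha256.New, s.master)
	m.Write([]byte("spoke-auth-key|"))
	m.Write(hubID(pub))
	return m.Sum(nil)
}

// Pair (enrolment): the derived key, RSA-OAEP wrapped so only this hub can open it.
func (s *Spoke) Pair(pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s.keyFor(pub), hubID(pub))
}

// proof is the value sent in each direction. Hub fingerprint and both nonces
// are inputs, so the two directions are tied to one exchange at one hub.
func proof(key []byte, dir string, id, ns, nh []byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range [][]byte{[]byte(dir), id, ns, nh} {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Prove answers the hub's challenge; Check verifies the hub's reply.
func (s *Spoke) Prove(pub *rsa.PublicKey, ns, nh []byte) []byte {
	return proof(s.keyFor(pub), "spoke->hub", hubID(pub), ns, nh)
}
func (s *Spoke) Check(pub *rsa.PublicKey, ns, nh, hubProof []byte) bool {
	return hmac.Equal(proof(s.keyFor(pub), "hub->spoke", hubID(pub), ns, nh), hubProof)
}

// Hub holds a public key credential and the derived keys of enrolled spokes.
type Hub struct {
	priv   *rsa.PrivateKey
	spokes map[string][]byte // spoke name -> derived key
}

func NewHub() (*Hub, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Hub{priv: priv, spokes: map[string][]byte{}}, err
}

// Enroll unwraps a pairing blob; a blob wrapped for another hub fails here.
func (h *Hub) Enroll(name string, blob []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, blob, hubID(&h.priv.PublicKey))
	if err != nil {
		return err
	}
	h.spokes[name] = key
	return nil
}

// Verify checks the spoke's proof and returns the hub's proof over the same nonces.
func (h *Hub) Verify(name string, ns, nh, spokeProof []byte) ([]byte, error) {
	key, ok := h.spokes[name]
	if !ok {
		return nil, errors.New("unknown spoke")
	}
	id := hubID(&h.priv.PublicKey)
	if !hmac.Equal(proof(key, "spoke->hub", id, ns, nh), spokeProof) {
		return nil, errors.New("spoke authentication failed")
	}
	return proof(key, "hub->spoke", id, ns, nh), nil
}

func main() {
	hub, _ := NewHub()
	lamp := &Spoke{master: []byte("constructed master secret, demo only")}
	blob, _ := lamp.Pair(&hub.priv.PublicKey)
	_ = hub.Enroll("lamp-1", blob)
	ns, nh := make([]byte, 16), make([]byte, 16) // fresh challenges; check rand errors in real code
	rand.Read(ns)
	rand.Read(nh)
	hp, err := hub.Verify("lamp-1", ns, nh, lamp.Prove(&hub.priv.PublicKey, ns, nh))
	fmt.Println("hub accepts spoke:", err == nil, "| spoke accepts hub:", lamp.Check(&hub.priv.PublicKey, ns, nh, hp))
}
```

The hub ends up holding only the key derived for it, never the master secret, so a compromised hub yields nothing usable at any other hub; that is the property the Architecture section below relies on.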
Whenever Alice indulges in a gadget buying spree, she brings the loot home, unpacks it and 'pairs' each device to her network. This process can be made as simple as pushing a button on the device and on one of the hub devices at the same time, or it might be somewhat more elaborate, involving some form of authentication code to be entered in addition. But once the pairing relationship is established it is permanent and allows the device to engage in mutual authentication with any hub in the network.

Architecture

The transparent client authentication protocol allows a client to authenticate to a server by means of a symmetric authentication key that is derived from a master secret that is never disclosed outside the device. Only the symmetric authentication key derived from the master secret is ever disclosed, and then only encrypted under the public key of the specific server to which that particular symmetric key is bound. Because each server holds only the key derived for it, compromise of one server discloses neither the master secret nor the keys bound to other servers. The net result is a mechanism that allows for strong client authentication without the certificate and key lifecycle management overhead traditionally associated with client certificates.

Extensions

Exotic cryptography has traditionally involved public key cryptography and advanced mathematics. The blend of symmetric key cryptography with asymmetric offers features that are traditionally associated with exotic cryptography without the 'consumer resistance' that security systems dependent on advanced mathematics are likely to face. In public key algorithms key generation is a lengthy process: RSA requires generation of two large primes, and even Diffie-Hellman requires a modular exponentiation step. In a symmetric key algorithm the only constraint on a key is that it be pseudo-random. This fact allows for some interesting effects.

Consider a situation where Alice and Bob want to arrange a meeting.
Neither wants to reveal their complete calendar to the other, so they select a mutually trusted intermediary agent, Mary, and both grant Mary access to their calendar services (A_C and B_C respectively). In a public key scheme the principal means of achieving this is either to use some exotic Chaumian-style approach with a complicated proof that nobody is likely ever to use, or to spin out a SAML-style assertion that tells Mary exactly what to do, which already gives her rather more information than we might wish.

With the blended symmetric key approach, Alice and Bob might each issue to Mary a symmetric key access credential that is tied directly to the digital 'statement of work' that Mary is to execute. Let W be the statement of work and K_AC be the symmetric secret established between Alice and her calendar service. The secret key Alice issues to Mary to allow access to her calendar is then

S_AM = HMAC(K_AC, H(W))

Any attempt to modify the statement of work invalidates the access credential, since the calendar service recomputes S_AM from the W it is shown.

The point of interest here is that symmetric key cryptography offers a scheme in which we may take an access credential of a particular form (e.g. a 128-bit pseudo-random symmetric key), perform a sequence of complex cryptographic operations on it and arrive at a cryptographic credential of exactly the same form. This is encouraging, as it points to the possibility of establishing a compiler for protocols, or an API for support libraries, that meet complex, possibly unique, confidentiality, privacy or integrity requirements.

For example, consider the case in which Alice and Bob want to delegate the task of arranging the meeting to Mary but not tell Mary who they are, only who their calendar manager is. While public key approaches to achieving this particular requirement certainly exist, their form is best described as 'bespoke'.
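The work-bound credential S_AM = HMAC(K_AC, H(W)) above, written out in Go as an added example; it is not code from the paper or from VeriSign. It covers the integrity side of the argument: the calendar service recomputes the credential from its own copy of K_AC and the statement of work it is shown, so an altered W produces a different key and the request is refused, and the service checks the credential without learning who holds it. It also shows the 'same form' property by letting Mary derive a narrower credential for a sub-task from S_AM by the same rule, which the service verifies by walking the chain of works. The chaining, the service interface, the HMAC-SHA-256 instantiation (a 32-byte K_AC gives 32-byte credentials at every level) and the sample statements of work are assumptions of this example; encrypting Alice's identity from Mary is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential implements S = HMAC(parent, H(work)). parent is either K_AC
// itself or a credential already derived from it, so the output (32 bytes
// with HMAC-SHA-256) has the same form as its input and can be derived again.
func Credential(parent []byte, work string) []byte {
	h := sha256.Sum256([]byte(work))
	m := hmac.New(sha256.New, parent)
	m.Write(h[:])
	return m.Sum(nil)
}

// CalendarService keeps, per owner, the secret shared with that owner (K_AC
// for Alice). It never learns who holds a delegated credential.
type CalendarService struct{ secrets map[string][]byte }

func NewCalendarService() *CalendarService {
	return &CalendarService{secrets: map[string][]byte{}}
}

// Register stores the shared secret established with a calendar owner.
func (c *CalendarService) Register(owner string, k []byte) { c.secrets[owner] = k }

// Authorize recomputes the credential from the owner's secret and the chain
// of statements of work the presenter claims it was derived through. Any
// change to any statement of work produces a different key, so the request
// is refused; the work itself states what the presenter is permitted to do.
func (c *CalendarService) Authorize(owner string, works []string, cred []byte) error {
	k, ok := c.secrets[owner]
	if !ok {
		return errors.New("unknown calendar owner")
	}
	if len(works) == 0 {
		return errors.New("no statement of work presented")
	}
	expect := k
	for _, w := range works {
		expect = Credential(expect, w)
	}
	if !hmac.Equal(expect, cred) {
		return errors.New("credential does not match the statement of work")
	}
	return nil
}

func main() {
	kAC := []byte("constructed 32-byte secret K_AC!") // demo value shared by Alice and her calendar
	svc := NewCalendarService()
	svc.Register("alice", kAC)
	work := "report free/busy for 2-6 Nov, 30-minute granularity, no event details"
	sAM := Credential(kAC, work) // what Alice hands to Mary
	fmt.Println("Mary, unmodified work:", svc.Authorize("alice", []string{work}, sAM))
	fmt.Println("Mary, altered work:   ", svc.Authorize("alice", []string{work + "; include event titles"}, sAM))
	sMN := Credential(sAM, "Tuesday only") // Mary delegates a narrower task onward
	fmt.Println("sub-delegate, chain:  ", svc.Authorize("alice", []string{work, "Tuesday only"}, sMN))
}
```

Note that the presenter must supply the full chain of statements of work: the service cannot verify a sub-delegated credential from the last link alone, and the raw K_AC never passes as a credential because it is not bound to any work.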
Meeting these criteria with the symmetric approach is rather more straightforward: if information is to be kept confidential from certain parties, it is encrypted and we ensure that only the intended counterparties gain access to the decryption key. If we wish to make disclosure of information contingent on some data being passed without modification, we make the calculation of the access credential dependent on that data.

Conclusion

While public key cryptography has traditionally regarded symmetric key approaches as fit only for a 'supporting role', the fusion of symmetric and public key techniques offers much more interesting possibilities that are directly relevant to the workshop in question. In particular, restricting the use of PKI to the purpose of establishing trust relationships, and employing symmetric key cryptography to achieve complex security requirements, offers a practical means of arriving at cryptographic enforcement at the API level.