Research Ideas

Wireless Authorization


Or, who's the Dick on your wifi? =) must see presentation! (single signon to blog ‘sphere’)

  1. Unofficial 802.11 Security Website with plenty of IEEE papers and proposals
  1. Connection access != “authorized”
    1. businesses, schools, govt, etc
  1. Community wifi?
    1. any ‘secure’ and ‘free’ wifi service
    2. how can i help others w/o making self vulnerable?
    3. default bcast ssid, no encryption
    4. best practices available?
      1. many software ‘out of the box’ apps available
  1. Complicated Security
    1. ‘hotspot’ systems often
      1. proprietary
      2. limited
      3. no single ‘payment’ plan, reusable
      4. mobility and roaming, different cities?
  1. protocols, requirement for user
    1. “i just want to connect and check email”
    2. wireless card stardards, chipsets
    3. EAP, RADIUS, infrastructure requirements
  1. Dynamic Authorization
    1. temporal access time
    2. security posture of network changes, revoke access
    3. mission systems needed, allow access
    4. varying degress / rings of trust, allowed access
    5. requires some 802.1x and/or firewall filtering
  1. Authentication mechanisms
    1. secret: password, pki, ssl
    2. transmit: email, sms
    3. identity: MAC address, pki, ipsec
    4. how many ways can I authenticate?
    5. what devices supported?
    6. how extensible is it to other user reqs?
  1. Enable privacy as well?
    1. great anonymous mobility - but location tied to AP
    2. often unencrypted, anyone can read the traffic
      1. dns, http images, text
    3. local hijacking attacks
    4. IPv6 support any of this? (anonymous IPs)

Password Management

  • always access online, but secure for the users?
  • usb drive, where to store the keys?
  • Trust Management in Distributed and Dynamic Environments
    • that’s the main idea possibly

Personal Info Mgmt

  • Problem: Managing 1,000 submissions of my Personal Information
    • Almost like a single sign-on, at least some way to manage “who” gets access to “what” updated contact information and “when”
    • Maybe need a personal server
    • Many websites/etc require you to keep them updated with your contact info as part of registration
11: Civil Penalties for Noncompliance with the Privacy Act 
The Privacy Act also imposes civil penalties on violators who: 
Unlawfully refuse to amend a record 
Unlawfully refuse to grant access to records 
Fail to maintain accurate, relevant, timely and complete data 
Fail to comply with any Privacy Act provision or agency rule that results in an adverse effect. 

ID & Auth

  • Managing Digital Identity
    • Look at web2.0 single-sign-on architectures, question applicability to Internet apps and DoD?
  • Managing Trust in Distributed & Dynamic Environments
    • social networks concept, peers
  • resilient/distributed integrity models? each peer stores a hash of your file for you?
  • trust the ‘sphere collective’ for redundancy
  • Possibly “out of band channels
    • P2P network, distributed hash table of stored values
      • need several nodes to recover the key, the data is partitioned among many nodes
    • Some Zero-knowledge based proof, based on assumptions in local environment
      • or Covert Channels ~ Out of Band... used for verification of a passed key?
    • RF imperfections from wireless cards, signatures
      • To ID ‘who to attack’ and to ID ‘who is under attack’ by MAC spoofing?
      • __If I have 2 requests coming from “MAC A”, which is the real one?
    • Embedded “stenagraphy” or “port knocking” and “timing” based signatures
    • Device Driver Fingerprinting (packet formats, timing of algorithms)
    • Jon Ellisch’s work here in 802.11
    • Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

Other Ideas

  • Pervasive Signed Email - Simson Garfinkel
    • - as well as the networking
    • Pervasive Signed Email. Now that roughly 90% of all Internet users have S/MIME-compliant mail programs, it’s time for companies like PayPal and Amazon to be sending out digitally signed mail as a matter of course. It would help in the fight against both spam and phishing. How can we get them to do it?

Security & Privacy

From the IEEE Security CFP

  • Access Control and Audit
  • Anonymity and Pseudonymity
  • Authentication, including Phishing
  • Automated and Large-Scale Attacks
  • Biometrics
  • Commercial and Industrial Security
  • Data Integrity
  • Database Security
  • Denial of Service
  • Distributed Systems Security
  • Electronic Privacy
  • Information Flow
  • Intrusion Detection
  • Language-Based Security
  • Malicious Code
  • Mobile Code and Agent Security
  • Network Security
  • Peer-to-Peer Security
  • Secure Hardware and Smartcards
  • Security Protocols
  • Security Verification
  • Security of Mobile Ad-Hoc Networks
academics/researchideas.txt · Last modified: 2006/06/16 16:42 by
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki