9-9:15 Welcome
9:15-10:30 Invited talk
A Non-Standard for Trust
Steve Marsh, Communications Research Centre, Ottawa (Canada)
Abstract
More and more, our technological use is moving out of the office and classroom and onto the street. Mobile technologies are used for any number of purposes, with and without forethought. This, their vast range of users, and the ubiquity of technology extending to the 'Internet of Things' can be recognised as an area of concern related to topics as diverse as privacy, social mobility, crime, information security, and social disruption.
The main problem related to security (importantly, of device, information, and person) is the inherent situatedness of the device, the fact that unique relationships exist between environment, device, and user, and that new and unforeseen contexts appear every day. More traditional security and trust models are inadequate to handle this plethora of context. Moreover, the imposition of standard models of trust and security on unique individuals is a problem for gaining acceptance (and ironically, trust).
This talk will explore the situatedness of mobile device usage, the uniqueness of individual device-user relationships, and how we can leverage these to create a non-standard, 'trust in the foreground' paradigm to 'advise, encourage, and warn' the humans in the loop of the Internet of Things and People. Relevant current work, such as Device Comfort and trust-enablement, will be examined.
11:00-12:30 Architectures and Protocols
A Proof-Carrying File System with Revocable and Use-Once Certificates
Jamie Morgenstern, Deepak Garg and Frank Pfenning
Secure architecture for the integration of RFID and sensors in personal area Networks
Pablo Najera, Rodrigo Roman and Javier Lopez
The Fairness Requirement for Non-repudiation Protocols
Wojciech Jamroga, Sjouke Mauw and Matthijs Melissen
14:00 - 15:30 Integrating Trust
Location Privacy in Relation with Trusted Peers
Klaus Rechert and Benjamin Greschbach
The Role of Data Integrity in EU Digital Signature Legislation - Achieving Statutory Trust for Sanitizable Signature Schemes
Henrich Christopher Pöhls and Focke Höhne
Accepting Information with a Pinch of Salt: Handling Untrusted Information Sources
Sadie Creese, Michael Goldsmith and Syed Sadiqur Rahman
16:00-17:00 PhD winner award invited talk
Automorphic Signatures and its Applications
Georg Fuchsbauer
17:00-18:00 STM WG Meeting
7:30: Gala Dinner
Tuesday, 28th of June
9:30 - 10:30 Invited Talk:
Trust Extortion on the Internet
Audun Josang, University of Oslo (Norway)
Abstract
The Internet is a primary arena for human interaction, e.g. for delivering commercial and civic services and for building social communities. At the same time, the Internet is in many ways a dangerous place because we expose ourselves to risks that are difficult to manage. It is therefore realistic to assume that people could stop doing business on the Internet for a shorter or longer period if they perceive the risk to be too high. From the perspective of the service providers the negative effect could be anything from a reduction in business to large scale defection from online services. Such a change in behaviour does not need to be a rational reaction to real threats or serious security incidents, but could be the result of irrational perceptions and mass psychosis. In order to avoid the latter scenario the public must be induced to have trust in the online platform. In fact it has become a primary concern of online service providers to tightly control the dissemination of information about security incidents and vulnerabilities, precisely because negative publicity of this type undermines people's trust, resulting in a reduction in business. Online service providers clearly see a need to be perceived as having a secure IT infrastructure and Web interface, and this should primarily be achieved by actually focusing on real security. However there is a danger that organisations will implement measures aimed at inducing trust, but that in reality give little or no real added security assurance. This creates a market for "fake security", i.e. with the main purpose of giving the impression of security, and to a lesser extent of providing practical security. The need for being perceived as secure can even be amplified when security technology companies try to expand their market by inducing fear, thereby creating an effect of "trust extortion" in the sense that companies feel obliged to buy security services that induce the impression of being secure.
This talk focuses on certain aspects of the security industry that seem to be more aimed at giving the impression of security than of giving real security.
11:00 - 12:30 Access Control
Risk-Aware Role-Based Access Control
Liang Chen and Jason Crampton
Hiding the Policy in Cryptographic Access Control
Sascha Müller and Stefan Katzenbeisser
Automated Analysis of Infinite State Workflows with Access Control Policies
Alessandro Armando and Silvio Ranise
14:00-15:30 Authentication and Authorization
New Modalities for Access Control Logics: Permission, Control and Ratification
Valerio Genovese and Deepak Garg
Mutual Remote Attestation: Enabling System Cloning for TPM based Platforms
Benjamin Justus, Ulrich Greveler and Dennis Löhr
Security Notions of Biometric Remote Authentication Revisited
Neyire Deniz Sarier
16:00 - 17:30 Panel: New Paradigms in Trust
Audun Josang, Carsten Rudolph, Ketil Stolen, Steve Marsh, Michael Goldsmith