Monday 27th of June

    9-9:15 Welcome


    9:15-10:30 Invited talk

            A Non-Standard for Trust

  Steve Marsh, Communications Research Centre, Ottawa (Canada)


More and more, our technological use is moving out of the office and classroom and onto the street. Mobile technologies are used for any number of purposes, with and without forethought. This, their vast range of users, and the ubiquity of technology extending to the 'Internet of Things' can be recognised as an area of concern related to topics as diverse as privacy, social mobility, crime, information security, and social disruption.


The main problem related to security (importantly, of device, information, and person) is the inherent situatedness of the device, the fact that unique relationships exist between environment, device, and user, and that new and unforeseen contexts appear every day. More traditional security and trust models are inadequate to handle this plethora of context. Moreover, the imposition of standard models of trust and security on unique individuals is a problem for gaining acceptance (and ironically, trust).


This talk will explore the situatedness of mobile device usage, the uniqueness of individual device-user relationships, and how we can leverage these to create a non-standard, 'trust in the foreground' paradigm to 'advise, encourage, and warn' the humans in the loop of the Internet of Things and People. Relevant current work, such as Device Comfort and trust-enablement, will be examined.

    11:00-12:30. Architectures and Protocols


    A Proof-Carrying File System with Revocable and Use-Once Certificates

    Jamie Morgenstern, Deepak Garg and Frank Pfenning


    Secure architecture for the integration of RFID and sensors in personal area Networks

    Pablo Najera, Rodrigo Roman and Javier Lopez


    The Fairness Requirement for Non-repudiation Protocols

    Wojciech Jamroga, Sjouke Mauw and Matthijs Melissen


    14:00 - 15:30 Integrating Trust


    Location Privacy in Relation with Trusted Peers

    Klaus Rechert and Benjamin Greschbach


    The Role of Data Integrity in EU Digital Signature Legislation - Achieving Statutory Trust for Sanitizable Signature Schemes

    Henrich Christopher Pöhls and Focke Höhne.


    Accepting Information with a Pinch of Salt: Handling Untrusted Information Sources

    Sadie Creese, Michael Goldsmith and Syed Sadiqur Rahman


    16:00 - 17:00 : PhD winner award invited talk
Automorphic Signatures and its Applications
                            Georg Fuchsbauer


    17:00-18:00 STM WG Meeting


    7:30: Gala Dinner


    Tuesday, 28th of June


    9:30 - 10:30 Invited Talk:

Trust Extortion on the Internet

Audun Josang, University of Oslo (Norway)

The Internet is a primary arena for human interaction, e.g. for delivering commercial and civic services and for building social communities. At the same time, the Internet is in many ways a dangerous place because we expose ourselves to risks that are difficult to manage. It is therefore realistic to assume that people could stop doing business on the Internet for a shorter or longer period if they perceive the risk to be too high. From the perspective of the service providers the negative effect could be anything from a reduction in business to large scale defection from online services. Such a change in behaviour does not need to be a rational reaction to real threats or serious security incidents, but could be the result of irrational perceptions and mass psychosis. In order to avoid the latter scenario the public must be induced to have trust in the online platform. In fact it has become a primary concern of online service providers to tightly control the dissemination of information about security incidents and vulnerabilities, precisely because negative publicity of this type undermines people's trust, resulting in a reduction in business. Online service providers clearly see a need to be perceived as having a secure IT infrastructure and Web interface, and this should primarily be achieved by actually focusing on real security. However there is a danger that organisations will implement measures aimed at inducing trust, but that in reality give little or no real added security assurance. This creates a market for "fake security", i.e. with the main purpose of giving the impression of security, and to a lesser extent of providing practical security. The need for being perceived as secure can even be amplified when security technology companies try to expand their market by inducing fear, thereby creating an effect of "trust extortion" in the sense that companies feel obliged to buy security services that induce the impression of being secure.
This talk focuses on certain aspects of the security industry that seem to be more aimed at giving the impression of security than of giving real security.


    11:00 -12:30 Access Control


    Risk-Aware Role-Based Access Control

    Liang Chen and Jason Crampton


    Hiding the Policy in Cryptographic Access Control

    Sascha Müller and Stefan Katzenbeisser


    Automated Analysis of Infinite State Workflows with Access Control Policies

    Alessandro Armando and Silvio Ranise


    14:00-15:30 Authentication and Authorization


    New Modalities for Access Control Logics: Permission, Control and Ratification

    Valerio Genovese and Deepak Garg


    Mutual Remote Attestation: Enabling System Cloning for TPM based Platforms

    Benjamin Justus, Ulrich Greveler and Dennis Löhr


    Security Notions of Biometric Remote Authentication Revisited

    Neyire Deniz Sarier


    16:00 - 17:30 Panel: New Paradigms in Trust

    Audun Josang, Carsten Rudolph, Ketil Stolen, Steve Marsh, Michael Goldsmith