A Mobile Companion (MobCom)

There is undoubtedly an increasing trend towards mobile communications and mobile applications. It is to be expected that mobile devices will become the main guardians and managers of our multiple electronic identities for a broad range of applications and services which include payments, e-health, e-government, etc.

The mobile companion will become the natural user interface in a ubiquitous computing environment, through which users will access services and perform their daily transactions. Most communication will be wireless and other parties can be malicious. The companion should protect the interests of all the stakeholders: (1) the user who wants to protect his privacy and prevent identity fraud or theft, but also wants to be able to use his rights to access preferably highly customized services; (2) the service provider that needs to verify the user's rights to access services, and should be able to get access to profiling information in order to customize the offered services; moreover, in case of abuse, it needs appropriate evidence to be able to hold the abuser accountable; (3) the authorities that wish to punish unethical behaviour such as money laundering, computer crime, etc.

The mobile companion should only require user intervention occasionally. Policies shift most of the burden of operational decision making from people to the technology. In this project, we will focus on privacy policies (which restrict the disclosure of personal information), context-dependent policies (which regulate the use of the mobile device in a particular context) and attestation policies (which control the use of biometrics in entity authentication).

Advanced cryptographic protocols are necessary to minimize the disclosure of the user's attributes (including personal identifiers, location and previous interactions) while limiting the trust in any other party as much as possible. On the other hand, these protocols need to be robust in case of failures and should allow for audits and identification of abusers. This project will focus on efficient protocols for showing credentials, determining the distance of an entity to a specific node and for payments and refunds. Location privacy is also a research challenge.

The project will research how a TPM can be used to create a secure virtual environment on a mobile device, and new primitives (device attestation) will be developed to assess the trustworthiness of the device. Also, user attestation protocols need to be designed that allow for binding a user to a device and for generating a proof that a certain device is registered to a user or to his delegate (which may require verification of biometric data).

One of the objectives of the MobCom project is the development of a reusable security and software architecture that enables the development of applications that require mobile user identities and profiles. It is based on the ADAPID framework. Appropriate tools and a methodology will assist the application developer. A simulation environment will allow for rapid prototyping.

Personalization and customization are also very important aspects. Instead of the current practice, where a service provider (SP) maintains a profile for every user, the mobile companion will manage these profiles and provide limited access to the SPs. Such profiles are more useful since they span different SPs, while remaining under full control of the user. In this project, a general framework will be designed to accomplish this task.

This project provides the opportunity for an in-depth study of these issues and will integrate the research results into a reusable security and software architecture. Throughout the research, a continuous validation in a real-world setting will provide suitable feedback to ensure the usability of the architecture and hence, its valorization potential.

 

More information about the project can be found at https://www.msec.be/mobcom/

Project fiche