The cost of authentication

Lately I have focused much of my research efforts on the investigation of incorporating economic considerations into the design of network security technologies, and particularly of authentication mechanisms. As a preliminary result of this work I, along with Robert McAdoo and Professor Donal O’Mahony, have written a paper on comparing the costs of three different public key authentication infrastructures. Our work has been published at the Workshop on the Economics of Securing the Information Infrastructure. The abstract follows (the paper in its entirety is available here):

The holy grail of Internet security still remains a global authentication infrastructure that will be able to provide the basis for secure communications across a wide range of network technologies. The failure of Public Key Infrastructure (PKI) to fulfill this role clearly demonstrates the complexity of the problem and its interdisciplinary nature which transcends technical difficulties and has socioeconomic aspects. In this paper, we focus on the economic dimensions of the problem and perform a comparison of three existing public key authentication infrastructures. Specifically, we present a security assessment of the PKI, Identity-Based Encryption (IBE) and Secure Shell (SSH) authentication systems while modelling the economic value exchanges between the participating actors. Our approach constitutes a step towards the examination of the authentication problem in a wider context than just a technical one. Finally, we show how this study can help in the design of a solution for secure telecommunications.

The feedback from the reviewers was very encouraging and the presentation at the workshop, which was given by Robert since I didn’t manage to renew my visa in time, successful. I plan to pursue this research topic further and ultimately develop a framework that can be used to understand the trade-offs between the violation risks and the (not just monetary) costs related to various security technologies.

If you have any thoughts and/or suggestions on the topic I would be happy to hear them.