
Showing papers by "Chris J. Mitchell" published in 2002


Journal ArticleDOI
TL;DR: It is argued that the blocking shown in the present experiments resulted from the operation, not of an error-correction learning rule, nor of a simple contingency detection mechanism, but of a more complex inferential process based on propositional knowledge.
Abstract: Blocking was observed in two human Pavlovian conditioning studies in which colour cues signalled shock. Both forward (Experiment 1) and backward (Experiment 2) blocking was demonstrated, but only when prior verbal and written instructions suggested that if two signals of shock (A+ and B+) were presented together, a double shock would result (AB++). In this case, participants could assume that the outcome magnitude was additive. Participants given non-additivity instructions (A+ and B+ combined would result in the same outcome, a single shock) failed to show blocking. Modifications required for associative models of learning, and normative statistical accounts of causal induction, to account for the impact of additivity instructions on the blocking effect, are discussed. It is argued that the blocking shown in the present experiments resulted from the operation, not of an error-correction learning rule, nor of a simple contingency detection mechanism, but of a more complex inferential process based on prop...

80 citations


Journal ArticleDOI
TL;DR: This paper is concerned with the design of public key based protocols suitable for application in upcoming third-generation mobile systems such as the Universal Mobile Telecommunications Service.
Abstract: The secure provision of mobile computing and telecommunication services is rapidly increasing in importance as both demand and applications for such services continue to grow. This paper is concerned with the design of public key based protocols suitable for application in upcoming third-generation mobile systems such as the Universal Mobile Telecommunications Service. Candidate protocols are considered for the authentication of a mobile user to a value-added service provider with initialization of a mechanism enabling payment for the value-added service. A set of goals for such a protocol are identified, as are a number of generic attacks; these goals and attacks are then used to evaluate the suitability of seven candidate third-generation user-to-network authentication protocols. Many of these candidate protocols are shown to have highly undesirable features.

79 citations


Proceedings ArticleDOI
28 Sep 2002
TL;DR: A payment protocol in which the risk of having debit/credit card details stored at a merchant server is eliminated and user authentication is also provided by utilising the GSM data confidentiality service to encrypt sensitive information.
Abstract: Today, an e-commerce transaction is typically protected using SSL/TLS. However, there remain some risks in such use of SSL/TLS. These include that of information being stored in clear at the end point of the communication link and lack of user authentication. Although SSL/TLS does offer the latter, the security service is optional and usually omitted. This is because of the fact that users typically do not have the necessary asymmetric key pair. Since SSL/TLS protects data only while it is being transmitted, the merchant has access to sensitive information such as the debit/credit card number. The storage of unencrypted debit/credit card information at the merchant server therefore represents a risk that is not currently addressed by the use of SSL/TLS to secure electronic payment transactions. In this paper, we propose a payment protocol in which the risk of having debit/credit card details stored at a merchant server is eliminated. User authentication is also provided. This is achieved by utilising the GSM data confidentiality service to encrypt sensitive information. The GSM security service is also used to provide user identity authentication. The additional security is realised in such a way that no management overhead is imposed on the user.

21 citations


Book ChapterDOI
02 Sep 2002
TL;DR: A way of using EMV IC cards for secure remote payments, such as those made via the Internet, with the goal of providing protection against some of these residual risks is proposed.
Abstract: A growing number of payment transactions are now being made over the Internet. Although transactions are typically made over a secure channel provided using SSL or TLS, there remain some security risks. Meanwhile, EMV-compliant IC cards are being introduced to reduce fraud for conventional debit/credit transactions. In this paper, we propose a way of using EMV IC cards for secure remote payments, such as those made via the Internet, with the goal of providing protection against some of these residual risks. The scheme described in this paper is based on the EMV 2000 Integrated Circuit Card Specification for Payment Systems, which is first outlined. Threats to, and advantages and disadvantages of, the scheme are also examined.

16 citations


Proceedings Article
21 Nov 2002
TL;DR: This paper identifies and classifies possible threats to the communications link between card and card reader during cardholder authentication, and considers five different architectures to indicate the relative security of the various possible architectures.
Abstract: The use of biometrics, and fingerprint recognition in particular, for cardholder authentication in smart-card systems is growing in popularity. In such a biometrics-based cardholder authentication system, sensitive data may be transferred between the smartcard and the card reader. In this paper we identify and classify possible threats to the communications link between card and card reader during cardholder authentication. We also analyse the impact of these threats. We consider five different architectures and use the threat analysis to indicate the relative security of the various possible architectures.

15 citations


Proceedings ArticleDOI
08 May 2002
TL;DR: Research is described intended to help rectify the gap in security in agent-based systems by providing a detailed security architecture, including a security model and a specification of security services provided within the model.
Abstract: Future mobile systems are expected to exploit the flexibility of agent-based software in a variety of ways. This includes agents providing both middleware and application-level functionality. Realising the full benefits of this innovative approach requires that security issues are properly addressed. There are many security issues associated with agent-based systems; some of the most difficult to deal with arise when agents themselves can be mobile. There has been much recent interest in developing cryptographic protocols designed especially for securing mobile agents. However, this work has mainly been ad hoc in nature, i.e., it has not been developed in response to a thorough analysis of the security requirements for a particular agent application. The paper describes research intended to help rectify this gap by providing a detailed security architecture, including a security model and a specification of security services provided within the model.

12 citations


01 Jan 2002
TL;DR: This paper assesses how well SET meets merchant and consumer security requirements and analyses criticisms of SET and considers its future in Internet e-commerce security.
Abstract: According to Hassler (2000), the Secure Electronic Transaction (SET) scheme is one of a small number of industry standard means for securing Internet e-commerce communications. Although SET potentially offers a high level of security protection for e-commerce transactions, there have been a number of criticisms of SET, including of its complexity and cost of implementation. These problems have restricted SET implementation and use. However, SET has been continuously improved since it was first released in 1997, including the development of a number of SET extensions. This paper assesses how well SET meets merchant and consumer security requirements. In addition, this paper also analyses criticisms of SET and considers its future in Internet e-commerce security.

10 citations


Proceedings ArticleDOI
10 Dec 2002
TL;DR: An initialisation process appropriate for use within a PAN is proposed, and a detailed comparison between the ID-based approach and a more conventional PKI (public key infrastructure) approach is given.
Abstract: We consider the applicability of ID-based cryptography to providing security within a personal area network (PAN). An initialisation process appropriate for use within a PAN is proposed, and a detailed comparison between the ID-based approach and a more conventional PKI (public key infrastructure) approach is given.

9 citations


Journal ArticleDOI
TL;DR: A 'pragmatic' alternative to undetachable signatures is proposed, which involves the use of conventional signatures and public key certificates.
Abstract: A 'pragmatic' alternative to undetachable signatures is proposed. Undetachable signatures were introduced by Sander and Tschudin, [4], as a means of giving a mobile agent the means to sign a message on behalf of a user, without endangering the user's private key. The alternative discussed in this paper involves the use of conventional signatures and public key certificates.

8 citations


Journal ArticleDOI
TL;DR: The smartcard as a mobile security device has been used in this article to secure mobile access in future mobile systems, where a public key based network access protocol is used to protect mobile users' privacy and security.
Abstract:
* Part I: Underlying technologies
  * Chapter 1: Cryptography for mobile security
  * Chapter 2: PKI in mobile systems
  * Chapter 3: The personal PKI
  * Chapter 4: The smartcard as a mobile security device
  * Chapter 5: Secure mobile tokens - the future
* Part II: Network security
  * Chapter 6: UMTS security
  * Chapter 7: Securing network access in future mobile systems
  * Chapter 8: Public key based network access
  * Chapter 9: Security in personal area networks
  * Chapter 10: Towards the security of routing in ad hoc networks
  * Chapter 11: Security issues in a MobileIPv6 network
* Part III: Mobile code issues
  * Chapter 12: Security for agent systems and mobile agents
  * Chapter 13: Security issues for downloaded code in mobile phones
* Part IV: Application security
  * Chapter 14: Secure mobile commerce
  * Chapter 15: Securing the delivery of digital content over the Internet
  * Chapter 16: Security for future standardised DRM
* Part V: The future
  * Chapter 17: Pioneering advanced mobile privacy and security

7 citations


Book ChapterDOI
10 Oct 2002
TL;DR: It is observed that the mass media may actually be unduly increasing e-consumer concerns, and thereby adversely affecting the e-commerce marketplace.
Abstract: Security is clearly a very important factor governing the size of the e-commerce market. E-commerce security concerns include payment confidentiality, payment integrity, and payment authorisation for Internet transactions. Currently, many potential e-commerce participants are reluctant to participate in Internet e-commerce because of these concerns, not least because many users perceive Internet shopping as the riskiest shopping method by comparison with other methods of payment. In this paper we consider the influence of the mass media, including television and newspapers, on e-commerce consumer perceptions. Given that cases of security breaches are often sensationalised by these media, we observe that the mass media may actually be unduly increasing e-consumer concerns, and thereby adversely affecting the e-commerce marketplace.

Book ChapterDOI
26 Sep 2002
TL;DR: Certain undesirable features are identified in the ‘Structural proven signer ordering’ multisignature scheme of Kotzanikolaou, Burmester and Chrissikopoulos.
Abstract: Certain undesirable features are identified in the ‘Structural proven signer ordering’ multisignature scheme of Kotzanikolaou, Burmester and Chrissikopoulos. This scheme is a modification of a previous multisignature scheme due to Mitomi and Miyaji.

Patent
01 Nov 2002
TL;DR: In this article, a method of authenticating a remote user, using a remote computer device, to a host computer in a data communication system is presented, where the verification values are stored at the host computer, which are used to authenticate the user upon receipt of data from the remote computer devices.
Abstract: A method of authenticating a remote user, using a remote computer device, to a host computer in a data communication system. Verification values are stored at the host computer, which are used to authenticate a remote user upon receipt of data from the remote computer device. Further data, including a next set of verification values calculated by the remote computer device are also sent to the host computer.

Book ChapterDOI
17 Apr 2002
TL;DR: The findings of this investigation are used as input for the design of authentication protocols suitable for use in future Internet access environments supporting ubiquitous mobility.
Abstract: Conventionally, mutual entity authentication is seen as the necessary precursor to the establishment of a secure connection. However, there exist examples of cases where authentication is not needed. The purpose of this paper is to consider this proposition, illustrated by case studies, and to use the findings of this investigation as input for the design of authentication protocols suitable for use in future Internet access environments supporting ubiquitous mobility.

01 Jan 2002
TL;DR: In this article, the authors analyse the factors associated with consumer risk perceptions for Internet shopping and suggest guidelines for e-commerce merchants, which can be used to address negative consumer perceptions of Internet e-commerce.
Abstract: Jarupunphol and Mitchell (2001) point out that there is a mismatch between the level of actual and perceived risks (the “risk perception gap”) associated with Internet e-commerce. This perception gap appears to be seriously restricting the growth of business-to-consumer (B2C) e-commerce since it deters many potential e-commerce participants. Although the emergence of e-commerce provides many benefits to consumers, e.g. convenience, greater choice, lower prices, and more information, consumers still have serious security concerns. The aim of this paper is to analyse the factors associated with consumer risk perceptions for Internet shopping. In addition, this paper also suggests guidelines for e-commerce merchants, which can be used to address negative consumer perceptions of Internet e-commerce.

01 Jan 2002
TL;DR: This paper presents a comprehensive description of various management system requirements for systems beyond 3G, which have been identified as a result of the Software Based Systems activities within the Mobile VCE Core 2 program.
Abstract: This paper presents a comprehensive description of various management system requirements for systems beyond 3G, which have been identified as a result of the Software Based Systems activities within the Mobile VCE Core 2 program. Specific requirements for systems beyond 3G are discussed and potential technologies to address them proposed. The analysis has been carried out from network, service and security viewpoints.

Book ChapterDOI
07 Oct 2002
TL;DR: The integration of SET with EMV is a possible route for facilitating the wider use of SET in Internet commerce transactions, since it could simplify user registration and also considers the implementation feasibility of SET/EMV.
Abstract: The threat of credit card fraud is arguably one of the most serious issues in e-commerce, since it makes consumers reluctant to engage in this alternative method of shopping. Secure Electronic Transaction (SET) was invented to address this issue, and it provides effective security for the entire Internet e-commerce transaction. However, SET has not really taken off; implementation issues appear to be the main factor restricting its adoption. Given the existing consumer concerns about e-commerce security, SET still appears to be very relevant to the Internet e-commerce transaction environment. The integration of SET with EMV is a possible route for facilitating the wider use of SET in Internet commerce transactions, since it could simplify user registration. The aim of this paper is to evaluate the effectiveness of SET/EMV integration for fraud reduction in e-commerce. In addition, this paper also considers the implementation feasibility of SET/EMV.

Journal ArticleDOI
TL;DR: The purpose of this paper is to present a rather simple alternative to threshold signatures which raises questions about the value of such schemes, at least when applied to the mobile agent scenario.
Abstract: Threshold signature schemes are examples of threshold cryptosystems, as introduced by Desmedt, [4]. The purpose of this paper is to present a rather simple alternative to threshold signatures which raises questions about the value of such schemes, at least when applied to the mobile agent scenario.

Proceedings ArticleDOI
10 Dec 2002
TL;DR: The security mechanisms documented form part of the MVCE reconfiguration management architecture (RMA), and mechanisms to ensure secure reconfigurability procedures are described.
Abstract: Software reconfigurability of air interfaces, the actual reconfiguration processes and the procurement of reconfiguration software are posing substantial threats to the system integrity of wireless communication system. These threats are investigated and reported, and mechanisms to ensure secure reconfiguration procedures are described. The security mechanisms documented form part of the MVCE reconfiguration management architecture (RMA).

01 Jan 2002
TL;DR: The intention of this paper is to consider the true nature of the SET implementation difficulties and how things might be changed to achieve higher levels of adoption.
Abstract: Although e-commerce provides many benefits to consumers, e.g. convenience, greater choice, lower prices, and more information, there are also a number of barriers restricting its growth. Credit card fraud is currently one of the most serious issues in e-commerce, since it makes consumers reluctant to engage in this alternative method of shopping. Secure Electronic Transaction or SET is arguably the most secure method of payment by credit card over the Internet, and it was purposely designed to address all potential threats to Internet e-commerce transactions. However, SET has not really taken off; implementation issues appear to be the main factor restricting its adoption. For example, complexity of end-user initialisation, transaction speed, and cost of investment all appear to be significant issues. The intention of this paper is to consider the true nature of the SET implementation difficulties and how things might be changed to achieve higher levels of adoption.

Book ChapterDOI
01 Jan 2002
TL;DR: In this paper, the authors show that the scheme described in Haber and Stornetta [1994] for extending the validity of a cryptographic timestamp for a Time Stamping Service contains security shortcomings.
Abstract: This paper shows that the scheme described in Haber and Stornetta [Haber and Stornetta Jr., 1994] for extending the validity of a cryptographic timestamp for a Time Stamping Service contains security shortcomings. A modification is proposed to rectify the identified shortcomings.

01 Jan 2002
TL;DR: A new type of attack is introduced which takes advantage of MAC truncation to simplify key recovery attacks based on MAC verifications, and the existence of this attack means that truncation for this MAC scheme should be used with greater care than was previously believed.
Abstract: A new type of attack is introduced which takes advantage of MAC truncation to simplify key recovery attacks based on MAC verifications. One example of the attack is described which, in certain circumstances, enables a more efficient attack than was previously known to be launched against the ANSI retail MAC. The existence of this attack means that truncation for this MAC scheme should be used with greater care than was previously believed, and very short MACs should be avoided altogether.