[FoRK] moar change we can believe in!

Lucas Gonze lucas.gonze at gmail.com
Wed Sep 16 14:41:16 PDT 2009


On Mon, Sep 14, 2009 at 4:58 PM, Koen Holtman <k.holtman at chello.nl> wrote:
> The actually existing scary pervasive network-connected sensor device is
> otherwise known as the internet enabled mobile phone.

Any thoughts on verifying somebody's location?

Let's say that there is access control tied to physical location.  How
could that be verified?

One possibility is that the verifier and the person signing in both
need to have sensors at the location.  Authentication uses sensor
readings like temperature, barometer, wind, chemicals in the air, and
light intensity as shared secrets.  If the sensor readings being
compared were a rich enough dataset, it would be impossible to predict
them with any reliability.

Except that an attacker can control the environment at the location,
for example by enclosing it in a box, sucking the air out, setting the
temperature, setting the light intensity.  The attacker might also
find a way to observe the verifier's sensor readings.

A defense against these is for the verifier to emit a random signal
within a limited distance.  The authenticating party would have to
detect and acknowledge that signal.  If the allowable time for the
response was short enough, a remote attacker would have to exceed the
speed of light.

So, thinking out loud in a clumsy way about an idea which is new to me
if not to other people...  I realize it must have been studied for
real for many years!
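
The timed challenge-response check described in the message above, as an added example that is not part of the original post. It assumes a radio-speed signal, a shared key, an HMAC-based acknowledgement and a known fixed processing delay at the responder; all function names are hypothetical.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in vacuum, m/s: no signal travels faster

def time_budget_s(radius_m, processing_s=0.0):
    """Longest round trip a responder inside radius_m can legitimately need."""
    return 2 * radius_m / C + processing_s

def max_distance_m(rtt_s, processing_s=0.0):
    """Upper bound on the responder's distance implied by a measured round trip."""
    return max(rtt_s - processing_s, 0.0) * C / 2

def acknowledge(key, nonce):
    """Responder side: bind the acknowledgement to the verifier's random signal."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def verify(key, nonce, response, rtt_s, radius_m, processing_s=0.0):
    """Accept only a correct acknowledgement of THIS nonce that arrived in time."""
    if not hmac.compare_digest(response, acknowledge(key, nonce)):
        return False  # stale or guessed answer: not tied to the fresh signal
    return max_distance_m(rtt_s, processing_s) <= radius_m

def simulate(distance_m, radius_m, processing_s=0.0, replay=False):
    """Constructed scenario: a responder at distance_m answers a fresh challenge."""
    key = b"constructed-demo-key"   # assumption: provisioned out of band
    nonce = os.urandom(16)          # the verifier's unpredictable signal
    # A replayed answer was computed for some earlier nonce, not this one.
    answered = os.urandom(16) if replay else nonce
    response = acknowledge(key, answered)
    # Best case for the responder: signal moves at c in both directions.
    rtt_s = 2 * distance_m / C + processing_s
    return verify(key, nonce, response, rtt_s, radius_m, processing_s)

if __name__ == "__main__":
    print("budget for 50 m radius: %.1f ns" % (time_budget_s(50) * 1e9))
    print("local responder, 10 m:   ", simulate(10, 50))
    print("remote responder, 300 km:", simulate(300_000, 50))
    print("local replayed answer:   ", simulate(10, 50, replay=True))
```

Every nanosecond of unaccounted processing or clock error widens the distance bound by about 15 cm, so the radius that can be enforced is set by the verifier's timing precision.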

