Security usually requires the labor-intensive process of integrating a new device into a public-key infrastructure (PKI), so it can use public-key authentication.
Current and proposed public-key infrastructure such as X.509v3 [Housley] and SPKI [Lampson] focus on achieving high assurance of name-key bindings while accepting moderate administrative costs for activities such as key transport to certificate authorities, and the effort to verify identities. While there will always be scenarios which require these high-assurance PKIs, we believe Smart Spaces can not rely on them because the cost of manually configuring every smart device outweighs the need for high assurance. Furthermore, we believe that productive work among local smart space devices must be possible without a access to certificate hierarchies outside the space. For example, using a PKI that requires Internet or Intranet access to verify a name-key binding is not consistent with our design philosophy.
We believe that a new PKI can be designed that
First, let us look at an example of why increasing assurance will work for Smart Spaces, by investigating what happens when the residents of a neighborhood meet a new neighbor. At first the new neighbor is outwardly accepted at face value, but a resident does not really have any assurance that the new neighbor is trustworthy or even owns the house. Over time, as the putative new neighbor continues to act like the new neighbor, the estimate of assurance goes up.
In neighborhoods, people also talk about each other, and especially about a new neighbor. A new neighbor is likely to be described (and in the digital world, this would include a public key) to other residents who have yet to meet him. Thus, by the time the nthold resident meets the new neighbor, their estimate of assurance of the new person's identity (the public key belonging to the new resident is K) is already fairly high.
While some PKI systems such as PGP [Callas] and X.509 with cross-certification do this with mechanisms likely to involve humans, we describe a mechanism that functions without human intervention, and so makes good sense for Smart Spaces. Our Probabilistic, Opportunistic Key Infrastructure (POKI), defines how nodes go about creating a security infrastructure simply by communicating with one another.
When two devices that speak POKI meet, they both exchange keys, and then gossip. The gossip they exchange is the names of other devices that they know, the keys that they associate with those names, and their estimate of assurance that each key is correct. In addition, they may also choose to gossip about what other nodes' estimates of assurance are in the different keys.
After the two nodes have exchanged all of the information (and performed the transaction the connection was started for), they execute their algorithms for updating their beliefs about names, keys, and probabilities.
With POKI, a large number of small devices can gain a moderate level of assurance about the keys in the Smart Space without pre-configuration. The gossip can occur when devices in the space inquire about each other's capabilities. Assurances that started out a low levels can increase over time without any human intervention.