论文读后感
我读的论文题目是《Progreive authentication: deciding when to authenticate on mobile phones》,这是一篇由中国计算机学会推荐的国际学术会议和期刊论文,发表在USENIX会议上。
该篇论文综合论述了近年来手机验证领域的一些新发展,并对当前手机认证方法的安全性和方便性问题提出了自己的看法和观点。论文中指出传统的验证方法并不符合大部分手机用户的需要,只用更加智能化的手段才是未来手机行业的发展趋势。该论文观点鲜明,论证清晰有力,论据充分可靠,数据准确,资料详实,文献综述丰富而规范,其中论文关于手机安全验证的方方面面都具有相当高的新的见解。下面简单介绍如下:
一、安全性和可用性
论文对当前使用手机人群的满意度进行了详细的调查分析,发现有超过60%的手机用户不会再手机上使用PIN。这种现象一方面是由于用户觉得该验证方法过于麻烦,另一方面也说明用户对自身手机的安全性缺乏正确的认识。文中提到“All-or-nothing”的验证方式,即或者全部验证,或者全部不验证,这也正是当前大多数手机的验证方法,该方式也不能满足人们对安全性和可用性的需求。
本文提到的验证技术对手机行业来说并不是一种新的验证方法,而是综合分析当前所有的验证方式后得到的一个结论:何时验证以及对何种应用进行验证。这正是该篇论文的意义所在,希望可以对手机验证技术有一个很好的指导作用。在保证安全性的基础上,尽可能的使用户方便使用,这不仅是手机行业未来的发展方向,也应该是所有其他行业的发展趋势,因此也可以相应的借鉴该论文中的观点和理论。
二、多层验证
在文中,提到了多层验证的概念,即对于不同的手机应用,提供不同的验证级别。例如:对于游戏、天气等应用来说,可以对所有人进行开放,只要拿到手机就可以打开这些应用,也不会对手机所有者造成经济损失;对于短信、电话、邮件等这些涉及个人隐私的应用,则应该设为私有的,当需要使用时,需要进行一部分的验证;而对于银行账户等涉及安全和财产方面的应用时,则应该给予最大的保密权限。
对于不同的验证级别,每一个使用该手机的用户的权限都是不太相同的。手机所有者在被系统识别为可信之后,可以方便的使用系统中所有或者大部分的手机应用,而无需进行验证。对于那些初次使用手机的人来说,系统并不能识别他们的可信度,因此只能使用公开的手机应用,如果想要打开私有的或保密的应用,则需要其他的验证方法。 该方案的提出在满足安全性的基础上,可以大幅度方便用户的操作,已经超越了原有的“All-or-nothing”验证方式。
三、实验结果
论文对提出的理论进行了相应的实验。该实验的基本原理是在手机上安装多种类型的传感器,用于采集可信用户的各种数据。例如:温度传感器可以采集用户的体温;声音传感器可以再用户打电话时逐步采集用户的声音特征;视频传感器可以采集到用户的生理特征等等。另外,文中还提到了一种新型的验证方式,即设备间的验证。在用户的多个电子设备(如PC、Pad和手机)中通过蓝牙建立连接,当手机在使用时,可以自动的检测周围是否存在这些已经连接的设备。如果系统发现无法连接到其他设备时,将会提高手机的安全级别,用户需要使用涉及隐私的手机应用时,将会需要更多的身份验证。
实验的目标有以下四点:
1、减少验证开销
2、寻找安全性和便利性的折中
3、对模型的安全性进行高低不同的推理逻辑
4、很少的能量消耗。在安全性和便利性方面,文中提到了FR(False Rejection)和FA(False Authentication)两个概念,即概率统计中“弃真”和“纳假”。FR表示一个合法的用户被不正确的要求身份验证的概率,而FA表示一个不合法的用户没有被验证的概率。在实验中,作者自定义了一个变量R,当R越高时,表明用户需要更高的便利性,这也会导致更多的FA;当R越低时,表明用户需要更高的安全性,这也会导致更多的FR。
论文通过实验最终证明该验证技术可以满足用户安全性和便利性的需求。对于银行账户等安全性级别要求高的应用来说,FA的比率一直为0,即绝不会出现非法用户不经过验证即使用这些应用的情况;而FR的比率一直在96%以上,即对于一个合法用户,随着R的升高,被错误的要求验证的概率并没有明显的降低。
在论文最后,用实际的数据表明该技术消耗的能量很低,在可以接受的范围之内,这也为该技术的可行性研究提供了良好的基础。
读过该论文后,使我不仅了解了手机验证领域的一些知识,而且也学习到了一篇经典论文的脉络结构应该如何组织。这两篇论文的结构严谨,层次分明,采用了递进式的分析结构,逻辑性强,文笔流畅,表达清晰,重点突出。文章格式相当的符合学术规范,反映了作者很强的科研能力。
另外,通过读这篇论文,也使我认识和体会到了以下几点:
1、一切事物的发展都是循序渐进的,手机行业发展到今天已经相当的辉煌。但是伴随着事物的发展也会相应的提出一系列新的问题,我们要在遵循客观规律的基础上突出人的主观能动性,而不要想着一蹴而就。
2、科研的道路是曲折的,但前途是光明的。
3、任何技术都有其优点和缺点。在论文中提到了很多新兴的手机验证技术,这些技术都各有所长,但却都不是完美的。我们只有正视这些缺点,取长补短,才能促进手机验证领域的更好更快发展。
4、手机验证行业的价值。手机产业的高速发展,带来了验证技术的空前繁荣,但危害手机安全性的事件也在不断发送,手机安全验证的形势是严峻的。我们应该从人的角度出发,以人为本,只有如此才能设计出更好的产品供用户使用。
总之,正如一句名言所说:读一本好书就像和一个高尚的人说话。我相信站在巨人的肩膀上才能有更高的成就,我以后要多读书,读好书,不断提高科研水平和自身修养,尽量为中国的科研事业做出自己力所能及的贡献。
The book I read the title of the paper is the progreive authentication: deciding when to authenticate on mobile phones \", this is a recommended by the China Computer Federation International Academic Conference and journal papers, published in the USENIX conference.This paper comprehensively discues some new developments in the field of mobile phone authentication in recent years, and puts forward its own views and perspectives on the security and convenience of the current mobile phone authentication methods.The paper points out that the traditional verification methods are not in line with the needs of most mobile phone users, only a more intelligent means is the future development trend of the mobile phone industry.The viewpoint is bright, argument is clear and strong, argument is sufficient and reliable, data is accurate, detailed information, literature review rich and normative, which the party about cell phone safety verification has quite high new insights.The following brief introduction is as follows: First, security and availability In this paper, the current use of mobile phone population satisfaction conducted a detailed investigation and analysis, found that more than 60% of the mobile phone users will not use PIN.One aspect of this phenomenon is that users feel that the verification method is too cumbersome, on the other hand also shows that users of their mobile phone security is the lack of correct understanding.This paper referred to the \"All-or-nothing\" verification, namely all validation, or are not verified, this also is is most of the current mobile phone verification method and the way it does not meet the people\'s demand on security and usability.Verification techniques mentioned in this article for the mobile phone industry and not a new verification method, but a comprehensive analysis of all current methods of verification of a conclusion: when the validation and on which application for verification.This is the significance of this paper, I hope you can have a good guide for mobile phone authentication technology.In order to ensure the safety based on, as far as poible to make it easier for users to use.This is not only mobile phone industry in the future direction of development, should also be the development trend of all other industries, could therefore be the corresponding reference to the ideas and theories.Two, multilayer verification In this paper, the concept of multi tier verification is mentioned, that is, to provide different authentication level for different mobile applications.For example: for applications such as games and weather can be open to everyone, as long as you get the phone can open these applications, not on the phone owner caused economic loes; for text meages, phone, mail, etc.These involves the application of personal privacy, should be set as part of the validation for private, when need to use and need, and for bank accounts and relates to the application of security and property, should give the utmost confidentiality permiions.For different authentication levels, each user\'s permiion to use the phone is not the same.When the mobile phone owner is trusted by the system, it is easy to use all or most of the mobile phone applications in the system.For the first time using a cell phone, the system can not identify their credibility, so only use public mobile application, if you want to open a private or confidential application, you need to other verification methods.On the basis of the security of the proposed scheme, it can greatly facilitate the user\'s operation, has gone beyond the original \"All-or-nothing\" verification method.Three, the results of the experiment In this paper, the corresponding experiments are carried out.The basic principle of the experiment is to install a variety of types of sensors on the phone, used to collect a variety of data trusted users.For example: the temperature sensor can collect the user\'s temperature; the sound sensor can be used to collect the user\'s voice gradually when the user calls, the video sensor can collect the user\'s physiological characteristics and so on.In addition, the paper also mentions a new type of verification, which is the verification of equipment.In the user\'s multiple electronic devices (such as PC, Pad and mobile phones) in the establishment of a Bluetooth connection, when the phone is in use, you can automatically detect the presence of these are connected to the surrounding equipment.If the system finds that it is unable to connect to other devices, it will improve the security level of the phone, users need to use mobile applications involving privacy, you will need more authentication.The goal of the experiment is the following four points: 1, reduce the verification cost 2, find the security and convenience of the compromise 3, the security of the model to the level of different reasoning logic 4, little energy consumption.In terms of safety and convenience, the article referred to the FR (Rejection False) and FA (Authentication False) two concepts, that is, the probability of Statistics \"abandon true\" and \"false\"\".FR indicates that a legitimate user is not required to verify the identity of the probability, while FA indicates that an illegal user does not have the probability of being verified.In the experiment, the author defines a variable R, when R is higher, indicating that the user needs more high convenience, this will also lead to more FA; when R is low, indicating that users need higher security, which will lead to more fr.The experiment proves that the verification technology can meet the needs of users\' safety and convenience.For the high level of bank accounts and security requirements of application, ratio of FA always 0 that will never come illegal users not validated using these applications; and fr ratio has been in more than 96%, namely for a legitimate user, with the increase of R, the wrong of the requirements validation probability did not significantly reduced.
