1. Rating

Rate the paper in the following categories (for each category, choose one numeric rating).

Technical quality: 4 - Contents are mostly correct. Some improvements suggested below.
Originality: 3 - No significantly new ideas, but good analysis of the current state.
Editorial quality: 5 - Clear, understandable and easy to read.
Overall grade (overall, how do you rate this paper?): 3 - Good.
Confidence (how confident are you about this review?): 3 - I have good or expert level knowledge of this topic.

2. Detailed comments

Provide detailed written comments on the paper. In general, your main aim as a reviewer is to help improve the paper. Be as specific as you can when you point out errors or problems. Suggest concrete improvements whenever possible. Your review should cover the following three aspects. Use the suggested guidelines in composing your review for each aspect.

2a. Technical quality

Give a one-paragraph summary of the paper. Explain what the strengths and weaknesses of the paper are. In the case of weaknesses, suggest how they can be corrected. Point out any errors, and suggest how they can be corrected. Point out any new ideas in the paper that can be improved or further developed. Suggest how. Does the paper provide a good survey of the state of the art? Point out any important missing references.

The paper discusses the problems of creating an authenticated channel between two devices in an ad-hoc wireless network. In addition, the paper provides a method called "Physical Contact" to create an association between the devices. First, the paper gives an introduction to the problem, followed by a discussion of the conditions under which "physical contact" is used. Next, the paper discusses the attack model the proposed method is trying to defend against. The paper also gives examples of how "physical contact" can be implemented and provides extensions to handle "physical contact" under specific conditions.

After reading the paper a couple of times, it was still unclear to me what "Physical Contact" actually means. It is mentioned that "physical contact is a procedure to setup the basic trust and exchange security factors ... where one can sense (e.g. seeing or touching each other". But still, it is not clear to me what it actually means. In addition, the reason for the method remains unclear. OK, we get proximity detection and presence confirmation, but what else? What happens during the physical contact? For example, you could take as an example the DH-SC protocol, where the short authenticated string is computed from the public Diffie-Hellman values, human-readable identities and random nonces in order to prove that both devices share the same data. It might also be good to describe the man-in-the-middle attack and what happens in the pairing procedure when a MITM is present, to justify the methods more clearly. Another good example could be the paper [Balfanz04], where a method using infrared as the location-limited channel is described.

The properties of ad-hoc wireless networks and the attack models are quite well listed in Sections 2 and 3.1. Just a few opinions. First of all, in the attack models, the first two (modifying the data stream and playback of data) are both based on a man-in-the-middle attack. Also, you mention the lack of a user interface and battery consumption as problems, but the protocols described in Chapter 4 need cameras and quite a lot of computing power.

In Section 4.2, authentication based on a visual channel is discussed. It would be good to mention that the protocol given in [5] provides only one-way authentication and needs to be run twice to get mutual authentication, whereas in [6] the protocol provides mutual authentication (if I remember right...).

The need for the extensions provided in Section 5 was also somewhat unclear to me. Take, for example, the printer in an airport. Of course, many people may want to print simultaneously, but if the association is built by the user coming to the printer to take a picture of a barcode or touching the printer with the device, there is no possibility of multiple requests at that time. Thus the properties of the system might actually be enough to handle that circumstance.

2b. Originality

Does the paper claim new ideas? How novel are they? How well does the paper analyze and explain the state of the art?

The paper does not actually propose any new ideas; it just gives a name to the direction of the research. It should still be noted that actually finding new ideas in this field, given the course as resources, is quite impossible. The analysis of the current state of the art gives just two directions of research: numeric comparison of short authenticated strings, and cameras. This analysis could be more thorough, for example by describing the rest of the papers given as pointers on the course homepage. It might also be good to go deeper into the properties and actual functionality of the protocols described.

2c. Editorial quality

Is the paper easy to read and understand? Does the abstract faithfully describe the contents of the paper? Does the Introduction section clearly spell out the problem addressed and the scope? Can you suggest improvements in organization and presentation that would improve readability and understandability?

The paper is easy to read, and the language is (at least to my knowledge) well written. The abstract gives an idea of what the paper discusses. The introduction gives an overall idea of the problem, but it could still use a more concrete way of stating the actual problem and give a hint of how to solve it. In the reference list, all entries except [6] include the first initial and the last name of the author. In [6] there are only initials. This seems quite confusing to me. The paper uses the notation "master-slaver" quite a few times. Should this be "master-slave"?

In the first paragraph of the introduction, the use cases are listed. The readability of this part could be improved. Now there are quite a few sentences starting with the word "or".

References:
-----------
[Balfanz04] D. Balfanz, G. Durfee, R. E. Grinter, D. K. Smetters and P. Stewart: "Network-in-a-Box: How to Set Up a Secure Wireless Network in Under a Minute". http://www2.parc.com/csl/members/smetters/publications/niab-dist.pdf
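As an added illustration of the DH-SC-style pairing sketched in the technical-quality comments above, the following Python simulation is example code written for this review page, not code from the reviewed paper or from [Balfanz04]; the group parameters, device names and SAS length are constructed toy values. It shows why the short authenticated string is computed over the DH values, identities and committed nonces: an attacker relaying the exchange ends up with different strings on the two displays, which is what the user's comparison detects.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small to be secure).
P = 2**61 - 1   # a Mersenne prime
G = 3
SAS_DIGITS = 6  # length of the short string the user compares on the two displays

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def i2b(x: int) -> bytes:
    return x.to_bytes(8, "big")

def sas(id_a: bytes, id_b: bytes, pk_a: int, pk_b: int, n_a: bytes, n_b: bytes) -> str:
    """Short authenticated string over everything both sides must agree on."""
    d = h(id_a, id_b, i2b(pk_a), i2b(pk_b), n_a, n_b)
    return f"{int.from_bytes(d[:8], 'big') % 10**SAS_DIGITS:0{SAS_DIGITS}d}"

class Device:
    def __init__(self, ident: str):
        self.ident = ident.encode()
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)

    def commit(self) -> bytes:
        # Commit to (pub, nonce) before seeing the peer's nonce, so neither side
        # (nor an attacker standing in for it) can steer the SAS afterwards.
        return h(i2b(self.pub), self.nonce)

    def shared_key(self, peer_pub: int) -> bytes:
        return h(i2b(pow(peer_pub, self.priv, P)))

def pair(alice: Device, bob: Device, mitm=None):
    """Simulate DH-SC-style pairing; returns (sas_alice, sas_bob, keys_agree).
    With a MITM, each honest device really talks to the attacker's Device, which
    relays the identities but substitutes its own DH value and nonce."""
    as_alice = mitm or alice   # what Bob receives as "Alice"
    as_bob = mitm or bob       # what Alice receives as "Bob"
    # 1. "Alice" sends a commitment; Bob replies with (pub, nonce); "Alice" opens it.
    c = as_alice.commit()
    if h(i2b(as_alice.pub), as_alice.nonce) != c:
        raise ValueError("commitment does not open")  # Bob aborts the pairing
    # 2. Each side computes the SAS from its own view of the exchange.
    sas_alice = sas(alice.ident, bob.ident, alice.pub, as_bob.pub, alice.nonce, as_bob.nonce)
    sas_bob = sas(alice.ident, bob.ident, as_alice.pub, bob.pub, as_alice.nonce, bob.nonce)
    keys_agree = alice.shared_key(as_bob.pub) == bob.shared_key(as_alice.pub)
    return sas_alice, sas_bob, keys_agree
```

Without an attacker the two strings and the derived keys match; with the relaying device in the middle the keys differ and, since the attacker committed to its nonce before seeing Bob's, the two displayed strings agree only with probability about 10^-6.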