Where have all the protocols gone?

Abstract

There was a time when security protocols lived mainly in the network and transport layers. Where are they now? Some have moved downstairs, towards the physical layer. What used to be a wide-area authentication or session establishment protocol is now a very local interaction with a trusted device, such as a tamper-evident smartcard, or a biometric token. Indeed, in some cases a piece of mobile hardware has actually replaced altogether the security protocol that we used to find. Now in the strict sense, there is still a security protocol here: we use a set of rules to construct an artefact which will then be moved into a different context and interpreted in accordance with a shared set of conventions. But the individual protocol run no longer involves the same kind of electronic message-passing that we used to see or rather, as Marshall McLuhan would have said, the medium is now the message.