ubiquitous computing max mühlhäuser, iryna gurevych (editors) part iv : liability chapter 15:...
TRANSCRIPT
Ubiquitous Computing
Max Mühlhäuser, Iryna Gurevych (Editors)
Part IV : LiabilityChapter 15: Security for Ubiquitous Computing
Tobias Straub, Andreas Heinemann
2
UbiquitousComputing
Security for UC:
Introduction & Motivation
• UC features (not meant to be complete)
– large number of peers– spontaneous and autonomous interaction– a priori unknown communication partners – no or just limited established security infrastructure (e.g., PKI)– rich diversity of UC settings and applications
• Virgil Gligor, 2005From the Internet where processing is free and physically
protected, but communication is not to UC where neither processing nor communication is free
and physically protected
3
UbiquitousComputing
Security for UC:
various infrastructures & services, unknown networks,
etc.
various infrastructures & services, unknown networks,
etc.
UbiComp changes our world
• today:
• tomorrow:
ME
Drucker1
Computer
PDA
Laptop
Handy
PDA
different levels oftrust
„virtual printer“:part of infrastructure
Attacker
PC Printer
Attacker Common approaches
Trusted device
known, trusteddevice
?
new, distributed, attacks
Printing
Billing
Virus-Scanner
Layout
Various/new monitoring Capabilities. Privacy at risk
4
UbiquitousComputing
Security for UC:
FOUR UC SETTINGS
5
UbiquitousComputing
Security for UC:
UC setting 1: Mobile Computing
Mobile Computing• supports mobile users with connectivity and access to services and
backend systems while being on the move (aka nomadic computing)
• relies on a given infrastructure (802.11 WiFi, GSM, UMTS, etc.)– user needs to register with a provider– access is controlled by provider– closed group of users– no user anonymity
• physical threat if device is mobile.– 4.973 laptops, 5.939 Pocket PCs, and a 63.135 mobile phones lost or
forgotten in taxis in London within 6 monthsee http://www.laptopical.com/laptops-lost-in-taxi.html
danger of device owner impersonation private & business data lost
6
UbiquitousComputing
Security for UC:
Mobile Computing Scenario
Challenges• secure communication to backend via insecure communication
links• secure storage of internal data on a mobile device• secure device association
– Is there a way to securely send a confidential document over the air to a printer located in the office?
– Does it help if the salesman selects a printer close to him equipped with a secondary communication interface?
Scenario: The Mobile SalesmanWhile on the road, a salesman needs to regularly download up-to-date client reports fromhis company’s databases. His laptop is equipped with several wireless communicationinterfaces which can be used to connect via different service providers depending onwhat kind of service/infrastructure is available.
At the client’s office, there is a WiFi network the salesman can access. There are alsosome networked printers available for guests. However, it is unclear to what extent theinfrastructure can be trusted.
7
UbiquitousComputing
Security for UC:
UC setting 2: Ad Hoc Interaction
Ad Hoc Interaction• no given infrastructure
• UC devices build the infrastructure on their own by establishing temporary, wireless, and ad hoc communication links between them
• On application layer: spontaneous interaction without any central authority that restricts interaction/participation, no managed groups
• user & device anonymity
• again: physical device exposure
8
UbiquitousComputing
Security for UC:
Ad Hoc Interaction Scenario
Scenario: Passive Collaboration in Opportunistic NetworksIn an Opportunistic Network, passers-by exchange information, for example digitaladvertisements (Straub & Heinemann, 2004), while being co-located. After an initialconfiguration, devices interact autonomously and without users’ attention. Informationdissemination is controlled by profiles stored on the users’ devices. Such a profileexpresses a user’s interest in and knowledge about some pieces of information to share.
Challenges• devices, that are a priori unknown to each other,
communicate.whom to trust? (see Chapter 16 – Trust II)
• personal data stored on the device and exchanged with strangersuser privacy is at risk
9
UbiquitousComputing
Security for UC:
UC setting 3: Smart Spaces
Smart Spaces• focus on user friendliness & user empowerment
• unobtrusive interaction
• use of contextual information
• optional: digital IDs in use
• often based on sensing and tracking capabilities integrated into the environment
location privacy issues?
10
UbiquitousComputing
Security for UC:
Smart Spaces Scenario
Scenario: Patient MonitoringIn a hospital, all records of patients are digitally stored and maintained in a centraldatabase. Records are updated with the results of physical examinations or continuousmonitoring. Husemann and Nidd (2005) describe a middleware capable of integrating awide range of medical analyzers that have a common wireless interface. Consider abattery driven heartbeat monitor which is attached to the body and sends measurementsto the database. The data can be used as well as for a patient surveillance system thattriggers an alarm in case of an anomaly.
Challenges• for new patients, how to unambiguously associate the
heartbeat monitor with a record?
• how to secure a communication link?
• how to detach a heartbeat monitor from a patient's record, after a patient leaves the hospital?
11
UbiquitousComputing
Security for UC:
UC setting 4: Real-Time Enterprises
Real-Time Enterprises• effort to leverage UC technology and methods within enterprises• goal: have immediate access to comprehensive and up-to-date
information about processes and procedures within an enterprise• goal: close information/media gap
12
UbiquitousComputing
Security for UC:
Real-Time Enterprise Scenario
Scenario: RFID-based Warehouse ManagementRadio frequency identification (RFID) offers a variety of opportunities in tracking goods(see e.g. Fleisch & Mattern (2005)). Suppose all goods stocked at a warehouse areequipped tagged with an RFID transponder. With the corresponding readers integratedinto storage racks, the process of stocktaking can be completely automated and inventoryinformation is available in real-time.
Challenges• how to circumvent industrial espionage by unauthorized
RFID tag readout?
• how to circumvent surveillance and tracking of humans by unauthorized RFID tag readout?
13
UbiquitousComputing
Security for UC:
A TAXONOMY OF UC SECURITY
14
UbiquitousComputing
Security for UC:
Basic Terminology and Objectives of IT Security
ASSETS (data, HW) to protect in the four scenarios• confidential documents (Scenario 1)• an individual’s habits and preferences (Scenario 2),• medical information (Scenario 3),• the stock list at a warehouse (Scenario 4).
Protection Objectives (CIAA)• Confidentiality (C) refers to the aim of keeping pieces of
information secret from unauthorized access.• Integrity (I) is the requirement that data is safe from changes, be it
either accidentally or deliberately.• Authenticity (A) concerns itself with the genuineness of messages
or the identity of entities in a networked system.• Availability (A) means the provisioning of a system’s services to its
users in a reliable way.
15
UbiquitousComputing
Security for UC:
UC Characteristics and Associated Risks
characteristics risks
communication
wireless eavesdropping, …
ad hoc impersonation
multi-hop man-in-the-middle attacks, …
pervasive nature
physical exposuredevice/data theft, manipulation
limited power supply
sleep deprivation torture
traceability privacy violation
16
UbiquitousComputing
Security for UC:
UC Limitations and Associated Challenges
Limitations Challenges
resource,infrastructurelimitations
lack of centralized authority
entity authentication
policy decision
limited CPU power, few/no memory, limited power supply
algorithm implementation,protocol design
user interface limitationstrusted path establishment
17
UbiquitousComputing
Security for UC:
OVERVIEW OF CRYPTOGRAPHIC TOOLS
18
UbiquitousComputing
Security for UC:
Symmetric Cryptosystems
• A plaintext is transformed into a ciphertext in order to ensure confidentiality between a sender (Alice) and a receiver (Bob)
• Alice and Bob need to agree on a shared key and an algorithm (3DES, AES, ….)
• Symmetric: Alice and Bob use the same key for en- and decryption
• Kerckhoff (19th century): A cryptosystem’s strength should not be based on the assumption that its algorithm is kept secret, but only on the attacker’s uncertainty regarding the key.
• visit http://www.keylength.com for appropriate key lengths
• secure key distribution?
19
UbiquitousComputing
Security for UC:
Asymmetric Cryptosystems and PKI
• avoids key distribution problem
• makes use of different keys for encryption and decryption (public and private key)
• Alice encrypts a message for Bob with Bob's public key. Bob uses his corresponding private key to decrypt a message
• Examples: RSA, ElGammal, Elliptic curves
• new problem: public key authentication. How does Alice know, that a public key P+
Bob is genuine?solution: digital certificates managed by PKIs
20
UbiquitousComputing
Security for UC:
Hash Functions & Digital Signatures
• Modification detection code (MDC)– ensures data integrity – hash function h: a function that compresses bitstrings of arbitrary finite length
to bitstrings of fixed length, common 160 bit– Examples: RIPEMD-160, SHA-1– has to be 2nd preimage resistant: Given an input x that hashes to h(x), an
attacker must not be able to find a value y x such that h(y) = h(x).
• Message authentication code (MAC)– hash function + secret key shared between sender and receiver– On receipt, Bob knows: Message is integer and was send by Alice– Each MDC h can be extended to a MAC in the following way:
On input x, compute h( (k 7 p1) || h( (k 7 p2) || x) ) where k is the key, p1, p2 are constant padding strings, 7 is the XOR operation, and || denotes concatenation.
• Digital Signatures– used for proof of authorship (different to MAC, where both Alice and Bob know
a shared key)– often implemented with public key cryptography, see RSA signature scheme.
21
UbiquitousComputing
Security for UC:
Limitations of Cryptography in UC
• Pocket PC’s battery with a 1500 mAh capacity and a 5V voltage would have lost 20% of its charge after 5000 executions of a DH protocol or 10000 RSA signatures
Lightweight cryptography needed (new designs, but also new risk and thread analysis)
Exp
erim
en
ts w
ith a
20
6 M
Hz
Co
mp
aq
iPA
Q
H3
67
0.
Po
tlap
ally
, R
avi
, R
ag
hu
na
tha
n,
an
d J
ha
(2
00
3)
• Energy consumption is a serious issue in UC
22
UbiquitousComputing
Security for UC:
SAMPLE SOLUTIONS
23
UbiquitousComputing
Security for UC:
Privacy-Enhancing Technologies (I)
Suitable for one-hop communication in Opportunistic Networks- cf. Scenario 2
• Blurring data (location based service)
Application Layerself generated key pairs (X+,X-) serve as aliases
TCP/IP dynamic IP Addresses
802.11 WIFI dynamic MAC Addresses
• Avoid static data on all network layers
24
UbiquitousComputing
Security for UC:
Privacy-Enhancing Technologies (II)
Design Principles for UC environments. Langheinrich (2001)• Notice
– An announcement mechanism that allows users to notice the dta collectoin capabilities in their environments.
• Choice and Consent– The user has the choice of allowing or denying any kind of data
collection (respected by the environment)
• Proximity and Locality – meta information (locality and proximity) for collected data should
be used by the enviroment to enforce access restriction
• Access and Recourse– easy user access to collected personal information– reports about usage of personal data
Implemented in pawS. Langheinrich (2002)
25
UbiquitousComputing
Security for UC:
pawS Architecture. Langheinrich (2002)
26
UbiquitousComputing
Security for UC:
Fighting DoS Attacks
Proof-of-Work techniques (PoW)• idea: treat the computational resources of each user of a
resource or service as valuable
• in order to prevent arbitrarily high usage of a common resource by a single user, each user has to prove that she has made some effort, i.e., spent computing resources, before she is allowed to use the service
• sender provides answer to a computational challenge together with message. if verification of answer fails, message is discarded
• costs of creating such a proof must be some order of magnitude higher than for system setup and proof verification.
27
UbiquitousComputing
Security for UC:
Bootstrapping Secure Communication
Secure transient association – The resurrecting duckling security policy
• device authentication in the absence of a central and always available authority
• agreement on a shared key by physical device contact. Simple to understand for a user and involved devices are non-ambiguous
• Two devices involved. Roles– a slave (or duckling) obeys a master– a master (or mother duck) controls a slave
• Two states of a slave:
28
UbiquitousComputing
Security for UC:
Four formal principles of theresurrecting duckling security policy - (Stajano, 2002)
1) Two State principle • imprintable or imprinted.• In the imprintable state, anyone can take it over. In the imprinted state,
it only obeys its mother duck.2) Imprinting principle
• The transition from imprintable to imprinted, known as imprinting, happens when the mother duck, sends an imprinting key to the duckling. This must be done using a channel whose confidentiality and integrity are adequately protected.
• The mother duck must also create an appropriate backup of the imprinting key.
3) Death principle • The transition from imprinted to imprintable is known as death. It may
occur under a very specific circumstance (particular variant) of the model• death by order of the mother duck.• death by old age after a predefined time interval.• death on completion of a specific transaction.
4) Assassination principle • The duckling must be constructed in such a way that it will be
uneconomical for an attacker to assassinate it, i.e., to cause the duckling’ s death artificially in circumstances other than the one prescribed by the Death principle of the policy.
29
UbiquitousComputing
Security for UC:
Out-of-Band Channels in UC
• UC environments may feature a rich set of out-of-band channels in order to bootstrap communication, e.g.– Infrared light– Dynamically generated 2D barcodes– location limited audio channel– biometric data– ultrasonic– LED and a pushbutton
• Example: Proximity-Based Authentication for Windows Domains (Aitenbichler & Heinemann, 2007)
30
UbiquitousComputing
Security for UC:
RFID – Clipped Tag (IBM)
• IBM’s “Clipped Tag” is giving consumers the ability to simply “opt out” and protect their privacy by tearing or scratching off the RFID antennae, eliminating the tag’s ability to communicate with other devices or systems.
31
UbiquitousComputing
Security for UC:
Literature
• Virgil Gligor (2005) Cryptolite: How Lite Can Secure Crypto Get? Information Security Summer School.
• Straub & Heinemann (2004). An Anonymous Bonus Point System For Mobile Commerce Based On Word-Of-Mouth Recommendation. In, Applied Computing 2004. Proceedings of the 2004 ACM Symposium on Applied Computing (pp. 766–773). New York, ACM Press.
• Husemann and Nidd (2005). Pervasive Patient Monitoring – Take Two at Bedtime. ERCIM News, 70–71.
• Fleisch & Mattern (2005). Das Internet der Dinge: Ubiquitous Computing und RFID in der Praxis. Springer.
• Potlapally, Ravi, Raghunathan, and Jha (2003). Analyzing the energy consumption of security protocols. In Proc. ISPLED’03 (pp. 30–35).
• Langheinrich (2001). Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems. In G. D. Abowd, B. Brumitt, & S. A. Shafer (Eds.), Ubicomp (Vol. 2201, p. 273-291). Springer.
• Langheinrich (2002). A Privacy Awareness System for Ubiquitous Computing Environments. In G. Borriello & L. E. Holmquist (Eds.), Ubicomp (Vol. 2498, pp. 237–245). Springer.
• Stajano (2002). Security for Ubiquitous Computing. John Wiley & Sons.• Aitenbichler & Heinemann, 2007. Proximity-Based Authentication for
Windows Domains. to be published at UbiComp 07. WS on Security for Spontaneous Interaction