Security and Ethics in Ubiquitous Computing Environments
Sudantha Gunawardena
Contents
Abstract
1.0 Introduction
2.0 Properties of Security
3.0 Anatomy of a Ubiquitous Environment and Attacks
4.0 Authentication and Recognition
4.1 Spontaneous Interactions
4.2 ‘Shaking’ as an authentication
4.3 Ultrasonic Authentication
4.4 Visible Laser for Authentication
5.0 Security Vulnerabilities
5.1 Physical Security
5.1.1 Replacing or Modifying the Hardware Devices/Software
5.2 Wireless attacks
5.2.1 Denial-of-Service Attacks (DoS attacks)
5.2.2 Network eavesdropping
5.2.3 Man in the Middle attacks
5.3 Attacks on Cryptography Schemes
5.3.1 Brute-force attacks
5.3.2 Rainbow attacks
5.4 Social engineering attacks
5.4.1 Phishing Attacks
6.0 Security Mechanisms
7.0 Ethics
8.0 Conclusion
References
Bibliography
Abstract
Ubiquitous computing is an approach to human-computer interaction built on ambient intelligence, in which users draw on computer intelligence in their day-to-day activities. Many universities and research institutes are working on research projects to make ubiquitous computing a reality.
At present, one of the foremost challenges in information technology is security, ethics and privacy, and ubiquitous computing inherits it as a key challenge. Because ubiquitous computing deals with people's day-to-day activities, much of their sensitive private information can be exposed, and it needs to be secured in ubiquitous environments.
1.0 Introduction
According to Blaauw & Frederick (1997), the first generation of computing was the age of mainframes, in which multiple users shared the same centralized machine. In the late 80’s the personal computer era began, with the slogan of making a computer available to each person individually. Computer enthusiasts like Steve Wozniak pioneered the building of the first personal computer.
According to Stajano (2002, p.2), ubiquitous computing can be defined as an approach of ‘everywhere computing’ and can be regarded as the third generation of computer evolution. Weiss & Craiger (2002, p.1) define ubiquitous computing as embedding computers in our work and personal lives, without demanding the users' attention, to improve the productivity of regular activities.
2.0 Properties of Security
According to Stajano (2002, p.4), each secure entity should have three key properties:
Security
Protect sensitive data from unauthorized attacks or systems.
Integrity
Prevent attackers from accessing or modifying information in a secure system through unauthorized techniques.
Availability
Users are able to access the system at all times, without failures or maintenance interruptions.
Figure 1 - Information Security triangle - Stajano (2002)
A secure system should keep these three properties in equilibrium. Without that equilibrium a secure system cannot be considered a successful one. For example, consider a system with a high level of security relative to its availability: such a system yields no productivity, because users are not motivated to use a system that is not easy to use.
3.0 Anatomy of a Ubiquitous Environment and Attacks
Figure 2 - Anatomy of a Ubiquitous Environment - Kang (2007) (levels: Users, Devices, Wireless Network, Service Framework, Content Providing Services; attacks: Social Engineering Attacks, Physical Attacks, Network eavesdropping, Attacks on Cryptography schemes)
According to Kang (2007), a ubiquitous environment deals with several levels of devices and environments. To compose a secure ubiquitous system, securing the substructures at each level will in turn create a secure ubiquitous scheme. As the figure above shows, the levels run from the user to the content providing services; security vulnerabilities are identified at each level and the necessary solutions presented.
The following table shows the security vulnerabilities at each level.
Level | Security Vulnerabilities
User | Social engineering attacks
Device | Physical attacks
Wireless Network | Network eavesdropping / Man in the middle attacks
Service Framework | Attacks on cryptography schemes
Content Providing Services |
Table 1 – Security Vulnerabilities in each level.
4.0 Authentication and Recognition
Authentication plays a major role in security, but current approaches to authentication such as alphanumeric passwords, biometric recognition and graphical passwords require users to carry out an action in order to be authenticated. That is not appropriate for ubiquitous computing environments, because the foremost rationale of ubiquity is to make computing invisible and present everywhere.
According to Mayrhofer (2009, p.4), a few researchers have designed authentication approaches unique to ubiquitous computing environments. These approaches do not require user involvement to authenticate.
According to Mayrhofer & Welch (2007, p.3), when two devices need to establish secure authentication using a symmetric key technique, the two users must first agree on a shared common key. In a ubiquitous environment this key agreement has to take place over a wireless medium, which can be exposed to various attacks such as phishing attacks and man in the middle attacks.
As Mayrhofer & Welch (2007, p.4) further describe, these attacks can be defeated by allowing only trusted devices to connect to each other; however, the wireless network will still remain insecure.
4.1 Spontaneous Interactions
According to Mayrhofer & Gellersen (2007, p.3), one of the key challenges in designing authentication systems for ubiquitous environments is the following. In present-day computing, when two devices need to be connected they already have some knowledge of each other. A ubiquitous world focused on ‘every day, everywhere computing’ instead has an enormous number of devices with no prior knowledge of one another, communicating without human interaction.
So in ubiquitous computing, devices that have no prior information about each other must authenticate and interact, which Mayrhofer & Gellersen (2007) call spontaneous interactions.
Figure 3 - Spontaneous Interactions (labels: Device 1, Device 2, Device 3; spontaneous interactions and authentication)
The problem is that current authentication schemes are not ‘spontaneous’, so researchers have come up with the following new types of authentication scheme that are.
4.2 ‘Shaking’ as an authentication
‘Shaking’, or moving an object in simple harmonic motion (SHM), can be done easily with most objects. Mayrhofer & Gellersen (2007, p.3) describe an authentication approach for ubiquitous computing in which this simple shaking is used to generate keys and authenticate devices by measuring the acceleration of each device.
Figure 4 - Implementation of the 'Shaking' as an authentication (labels: Device, Accelerometer)
As Mayrhofer & Gellersen (2007, p.8) further describe, this method of authentication can be simple, cheap and power efficient. The technique works as follows.
Mayrhofer & Gellersen (2007, p.147) state that the core concept of the proposed authentication approach is based on evaluating accelerometer readings.
First, three preprocessing tasks sense the accelerometer input: the data is sampled, synchronized and aligned on each of the two devices separately. As a result of these steps, the following graph is generated on both devices that need to authenticate.
Figure 5 - Spectrum of an accelerometer outcomes by 'shaking' the devices - Mayrhofer & Gellersen (2007, p.147)
Finally, in the authentication phase the two spectra are matched and authentication is completed. The main advantage of the method is that two devices can be authenticated spatially; the foremost disadvantage is that the shaking is done by a human, so there is some probability that the two devices do not end up with the same spectrum.
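The sample, synchronize, align and match steps described in this section can be sketched as follows. This is an added illustration, not code from Mayrhofer & Gellersen or from the original paper: it assumes magnitude-squared coherence as the spectrum-matching measure and uses constructed accelerometer traces, and the segment size, frequency bins and threshold are assumed values.

```python
import cmath
import math
import random

SEG = 32             # samples per spectrum segment (assumed)
BINS = range(1, 7)   # low-frequency DFT bins that carry the shaking energy (assumed)
THRESHOLD = 0.5      # assumed acceptance threshold, not a value from the paper


def shake(seed, n=512):
    """Constructed hand motion: white noise smoothed by a 4-tap moving average."""
    rng = random.Random(seed)
    w = [rng.gauss(0, 1) for _ in range(n + 3)]
    return [sum(w[i:i + 4]) / 4 for i in range(n)]


def sensor(motion, seed, delay=0):
    """Constructed accelerometer trace: delayed motion + gravity + sensor noise."""
    rng = random.Random(seed)
    return [9.81 + motion[max(i - delay, 0)] + rng.gauss(0, 0.05)
            for i in range(len(motion))]


def remove_mean(x):
    """Drop the constant gravity component before comparing traces."""
    m = sum(x) / len(x)
    return [v - m for v in x]


def best_lag(a, b, max_lag=8):
    """Synchronise: the lag d that maximises the correlation of a[i] with b[i + d]."""
    def score(d):
        return sum(a[i] * b[i + d] for i in range(max_lag, len(a) - max_lag))
    return max(range(-max_lag, max_lag + 1), key=score)


def align(a, b, d):
    """Trim both traces so that a[i] and b[i] describe the same instant."""
    if d >= 0:
        return a[:len(a) - d], b[d:]
    return a[-d:], b[:len(b) + d]


def dft_bin(seg, k):
    """Single DFT coefficient k of one segment."""
    n = len(seg)
    return sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(seg))


def coherence(a, b):
    """Magnitude-squared coherence of the two spectra, averaged over BINS."""
    segs = min(len(a), len(b)) // SEG
    total = 0.0
    for k in BINS:
        sxy, sxx, syy = 0j, 0.0, 0.0
        for s in range(segs):
            x = dft_bin(a[s * SEG:(s + 1) * SEG], k)
            y = dft_bin(b[s * SEG:(s + 1) * SEG], k)
            sxy += x * y.conjugate()
            sxx += abs(x) ** 2
            syy += abs(y) ** 2
        total += abs(sxy) ** 2 / (sxx * syy)
    return total / len(BINS)


def match(raw_a, raw_b):
    """Return (lag, coherence, accepted) for two raw accelerometer traces."""
    a, b = remove_mean(raw_a), remove_mean(raw_b)
    lag = best_lag(a, b)
    score = coherence(*align(a, b, lag))
    return lag, score, score >= THRESHOLD


# Constructed sample data: devices 1 and 2 are shaken in one hand (the trace of
# device 2 lags by 3 samples); device 3 is shaken separately.
together = shake(seed=1)
device1 = sensor(together, seed=10)
device2 = sensor(together, seed=11, delay=3)
device3 = sensor(shake(seed=2), seed=12)

if __name__ == "__main__":
    print("device1 vs device2:", match(device1, device2))
    print("device1 vs device3:", match(device1, device3))
```

Two devices shaken together produce coherent spectra and are accepted, while a device shaken separately has a similar overall spectrum shape but no consistent phase relation, so its coherence stays low.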
4.3 Ultrasonic Authentication
According to Gellersen & Mayrhofer (2007), ultrasonic waves can be used as an authentication approach between two devices. Because ultrasound travels through the air very slowly, according to Gellersen & Mayrhofer (2007, p.1), ultrasonic beams can be used to calculate the distance, the arrival time and the arrival angle of the signal. Authentication is achieved relative to the position of the devices and the angle of the signal.
Figure 6 - Ultrasonic Authentication (labels: Ultrasonic Device, Ultrasonic beams, Device 1, Device 2, T=t, T=t+1)
As the diagram above shows, an ultrasonic sound wave is transmitted, and at the receiver's end the angle and arrival time of the signal can be calculated. With this data the two devices can be authenticated.
4.4 Visible Laser for Authentication
According to Mayrhofer & Welch (2007, p.6), visible laser light can be generated using a laser diode and used to authenticate devices wirelessly without human interaction. As Mayrhofer & Welch (2007, p.7) define this technique, the devices that need to authenticate must be kept in line of sight.
Figure 7 – Authentication using visible laser light (labels: Device 1, Device 2, Laser Beam, Laser Diode)
However, as Mayrhofer & Welch (2007, p.7) further describe, the visible laser channel cannot be considered authentic and confidential, because it is easily exposed to attackers, who can even modify the channel.
Figure 8 - Attack on visible laser light scheme (labels: Device 1, Device 2, Laser Beam, Laser Diode, Attacker)
Mayrhofer & Welch (2007, p.8) state that with a cryptography scheme such as Diffie-Hellman key exchange, the data on the laser channel can be secured and authenticated.
5.0 Security Vulnerabilities
5.1 Physical Security
According to Mayrhofer (2009, p.8), because a ubiquitous computing environment involves many more interconnected devices than present-day computing, ubiquitous environments can create more scenarios for security threats, especially to the physical security of devices. As Mayrhofer (2009, p.8) notes, an attacker can target ubiquitous devices using the following tactics.
5.1.1 Replacing or Modifying the Hardware Devices/Software
Consider a scenario in which several devices are interconnected to provide a ubiquitous service to a user. An attacker gains access to this ubiquitous system by replacing or modifying one of these devices, without the user being informed.
Not only hardware devices are affected: portions of software applications, or entire applications, in ubiquitous environments can be replaced with malicious applications that break functionality or steal the user’s sensitive data.
5.1.2 Damage or Destroy Hardware Devices/Software
An attacker can also damage or destroy the physical properties of hardware devices. Damage to a physical device can halt a process of a large ubiquitous component or cause the loss of large sets of users' sensitive data and information.
5.2 Wireless attacks
In ubiquitous environments devices and users are interconnected to exchange data and instructions in order to provide services to the user. Ubiquitous devices in particular are connected to each other over wireless networks.
5.2.1 Denial-of-Service Attacks (DoS attacks)
According to Hole (2008), a DoS attack is an attacker's approach to preventing users from accessing a certain service, or to disrupting or reducing the efficiency of a service, by creating an unnecessarily large number of traffic requests. A key symptom of a DoS attack is that, as the large number of unnecessary data packets travels through the network, network consumption increases and the network becomes slow.
Figure 9 – Denial-of-Service Attack (labels: Attacker, User, Request, DoS attack, Network, Target Server)
In a ubiquitous environment especially, unavailability of a service or slow access to it can be catastrophic, because devices depend on each other for information.
5.2.2 Network eavesdropping
Wireless network eavesdropping is also a considerable issue at present. According to Arbaugh (2002), network eavesdropping can be defined as an attacker capturing data packets that are transmitted over wireless or wired networks.
Figure 10 - Network eavesdropping in a network (labels: Sender, Receiver, Attacker capturing data packets)
An attacker can listen to the network and capture data packets, then use this information to mount attacks or steal users' confidential information. Such attackers can even modify the data stream and add malicious code to it.
5.2.3 Man in the Middle attacks
According to Eriksson (n.d, p.7), a common form of network eavesdropping is the ‘man in the middle attack’, in which an attacker positions themselves between the sender and the receiver, captures the traffic transmitted by the sender, modifies the information by adding malicious scripts and forwards it to the original receiver.
Figure 11 - Man in the middle attack (labels: Sender, Receiver, Attacker, Original Connection, Man in the Middle Connection)
In a ubiquitous environment, when two devices need to transmit sensitive user data, an intermediate attacker can capture the data, modify it and pass it on to the original receiver or sender. Man in the middle attacks can be avoided by creating secure channels between the two communicating parties, comparable to SSL or SSH, but this cannot assure entirely secure communication, because even these channels can, rarely, be attacked.
Also, these secure communication channels are not ready to survive in ubiquitous environments, because they are designed for general network communication.
5.3 Attacks on Cryptography Schemes
Most users' sensitive information stored in data repositories is not kept in plain text, because if attackers gained entry to the repository they could easily manipulate the information. Using cryptography schemes, the data can be encrypted and then decrypted and used when required. But with modern computing these cryptography methods cannot be considered a secure approach, because various attacks have been built to break these cryptography algorithms.
5.3.1 Brute-force attacks
According to Jakobsson & Myers (2006), a brute-force attack can be defined as an approach to breaking encrypted data by checking possible encryption keys against the cipher text. Using a brute-force search, the combination can be guessed.
With the encryption key, the attacker can decrypt the data from the data repository and gain access. A brute-force attack takes a large amount of processing time and computation power.
5.3.2 Rainbow attacks
As Norbutaite & Jorgensen (2007) confirm, a rainbow attack can be considered a variation of a brute-force attack. As Jakobsson & Myers (2006) describe, a brute-force attack searches through all possible keys for the cipher text, whereas according to Norbutaite & Jorgensen (2007, p.2) a rainbow attack first generates a table of selected possible key combinations, called a rainbow table, and then carries out the attack.
Relative to a brute-force attack, a rainbow attack requires less computation power and processing time, because only the selected keys are searched.
5.4 Social engineering attacks
5.4.1 Phishing Attacks
According to Jakobsson & Myers (2006), phishing is an attack approach, combined with spoofing, that deceives users in order to steal their sensitive data by faking various services such as emails, web sites and telephone calls.
Phishing attacks can reach users in various forms, but the most common are e-mails and fake web forms. Phishing attacks can also target a specific user group within an organization.
In ubiquitous environments phishing can be a devastating attack type, because attackers can easily create false web pages, e-mails and other approaches to obtain users' authentication details. With the authentication details, the attacker has access to a wide range of the user’s sensitive personal information.
6.0 Security Mechanisms
According to Sastry & Roosta (2008, p.65), security mechanisms are arrangements of methods for securing systems against attackers and protecting sensitive data. Security mechanisms in computing can be divided into three core parts:
1. Prevention
2. Detection
3. Survivability
6.1 Prevention
As described by Sastry & Roosta (2008, p.65), ‘prevention’ is the technique of securing sensitive data by controlling attackers' access to it. Specifically, prevention can be achieved with cryptography schemes, from encryption ciphers to secure communication channels. Enciphering data with a key-based cryptography algorithm prevents its exposure to unauthenticated hands.
6.2 Detection
Detection means gaining knowledge of, and being alerted to, unusual activity before a system breach takes place. As Sastry & Roosta (2008, p.65) note, if an attacker tries to break into a system, the malicious activity can be detected and reported, or can trigger the security systems.
6.3 Survivability
Keeping normal activities running while an attack is already in progress is considered survivability.
Ubiquitous environments require security from all three of these mechanisms. Secure ubiquitous designs should pay particular attention to survivability: because human activities fundamentally depend on these ubiquitous systems, the failure of a system will frustrate people. In some scenarios, data on one device will even depend on the activities of several other devices, so the failure of one device is a failure of a huge ubiquitous ecosystem.
The following table describes the attacks at each level of a ubiquitous environment and the corresponding security mechanisms.
Attacks | Prevention | Detection | Survivability
Physical Security | Implement security locks. | Security alarms or user authentication. | Perform the normal ubiquitous services. (single entry for the whole column)
Denial-of-Service Attacks | Firewalls and block unnecessary inbound traffic to the network. | Activity profiling, change point detection. |
Network eavesdropping | Use encrypted communication channels, SSID hiding. | Using precise timing techniques (synchronization between the sender and receiver – Carl et al. (2006)). |
Man in the Middle attacks | Use of secure communication channels. | |
Rainbow attacks / Brute-force attacks | Use large key size for the encryption process, salting techniques. | Provide certain locking mechanisms and detect invalid attempts. |
Table 2 – Security mechanisms for various attacks
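Table 2 names change point detection as a detection measure for denial-of-service attacks. The following added example (not from the original paper or from Carl et al.) uses a one-sided CUSUM, one common change-point method chosen here as an assumption, over constructed per-second request counts; the slack k, threshold h and training length are assumed values.

```python
import statistics


def cusum_alarm(counts, train=20, k=0.5, h=5.0):
    """One-sided CUSUM over per-second request counts.

    The first `train` samples form the activity profile (mean and standard
    deviation of normal traffic). Afterwards each sample adds its deviation
    above the profile, minus the slack k, to a running sum that is floored
    at zero. Returns the index of the first sample where the sum exceeds h,
    or None if it never does.
    """
    mu = statistics.mean(counts[:train])
    # Guard against a perfectly flat profile, which would give sigma == 0.
    sigma = statistics.pstdev(counts[:train]) or 1.0
    s = 0.0
    for i in range(train, len(counts)):
        z = (counts[i] - mu) / sigma
        s = max(0.0, s + z - k)
        if s > h:
            return i
    return None


def baseline(n):
    """Constructed normal traffic: about 100 requests/s with small jitter."""
    return [100 + (i * 7 % 11) - 5 for i in range(n)]


# Constructed series 1: normal traffic with a single one-second burst.
burst = baseline(40)
burst[32] = 112

# Constructed series 2: from second 30 on, the rate climbs by 3 requests/s
# every second, as at the start of a slowly building flood.
ramp = [c + 3 * max(0, i - 29) for i, c in enumerate(baseline(40))]

if __name__ == "__main__":
    print("burst alarm:", cusum_alarm(burst))
    print("ramp alarm:", cusum_alarm(ramp))
```

The ramp raises the alarm at second 33 although none of its samples up to that point reaches the 112 requests/s of the single burst, which is ignored.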
7.0 Ethics
According to Greenfield (2004), five major ethical guidelines have been introduced to secure well-being in ubiquitous environments. These guiding principles protect the sensitive user information exposed in ubiquitous environments.
The proposed ethical principles are as follows:
1. Default to harmlessness
As Greenfield (2004) defines it, a proposed ubiquitous system should always guarantee the user's physical, physiological and financial safety.
2. Be self-disclosing
The system should always hold information about the ownership of the device, its full capabilities and which information it will transmit to another device. For example, a device capable of tracking the user's geographical location could, if designed unethically, transmit the location details to spy personnel.
3. Be conservative of face
As Greenfield (2004) proposes, a ubiquitous system should respect all its users and not embarrass, humiliate or shame them.
4. Be conservative of time
Some ubiquitous applications may be rooted in critical user activities such as medical activities. These vital activities should not be treated as ordinary operations and should be given full consideration.
5. Be deniable
As Greenfield (2004) clarifies, in a proposed ubiquitous system users have the privilege of not receiving product and service information from service providers' marketing campaigns (opt-out). For example, if a device sends service information while the subscriber sleeps, it will irritate the user.
8.0 Conclusion
Within a few years or a few decades, ubiquitous computing technologies will lead day-to-day human activities, and people will depend on these technological expansions. But without security and ethics ubiquitous computing will not reach its goals.
A ubiquitous environment consists of its main components: devices, the networks that interconnect the devices, and the service providers. By securing each aspect at each level the entire ubiquitous environment can be secured. Attacks and security harms can be prevented using the security mechanisms of prevention, detection and survivability. But the equilibrium in the information security triangle between security, integrity and availability should always be preserved, because without it security entities cannot be considered a successful system.
Also, regarding authentication, ubiquitous environments require spontaneous authentication approaches that go beyond biometric authentication methods.
Finally, a proper format for ethical guidelines has not yet been standardized, but a strong set of guidelines will further strengthen the security of ubiquitous systems.
References
Arbaugh, W. et al. (2002), Your 802.11 wireless network has no clothes, Wireless Communications, IEEE.
Blaauw, G. & Frederick, B. (1997), Computer Architecture: Concepts and Evolution, Boston: Addison-Wesley Longman Publishing Co., Inc.
Carl, G. et al. (2006), Denial-of-Service Attack-Detection Techniques, Pennsylvania, United States: Pennsylvania State University.
Eriksson, M. (n.d.), An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions, Sweden: Simovits Consulting.
Gellersen, H. & Mayrhofer, R., On the Security of Ultrasound as Out-of-band Channel, UK: Computing Department, Lancaster University.
Greenfield, A. (2004), Some ethical guidelines for user experience in ubiquitous-computing, [Online]. Available from: http://www.boxesandarrows.com/view/all_watched_over_by_machines_of_loving_grace_some_ethical_guidelines_for_user_experience_in_ubiquitous_computing_settings_1. [Accessed: 31st of January 2011].
Hole, K. (2008), Denial of Service Attacks, Bergen: Department of Informatics, University of Bergen.
Jakobsson, M. & Myers, S. (2006), Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Canada: Wiley-Interscience.
Jorgensen, K. H. & Norbutaite, R. (2007), Rainbow attack, Ireland: Dublin City University.
Kang, B. (2007), Ubiquitous Computing Environment Threats and Defensive Measures, Tasmania: School of Computing and Information Systems, University of Tasmania.
Mayrhofer, R. & Gellersen, H. (2007), Shake well before use: Authentication based on Accelerometer Data, UK: Lancaster University.
Mayrhofer, R. & Welch, M. (2007), A Human-Verifiable Authentication Protocol Using Visible Laser Light, UK: Computing Department, Lancaster University.
Mayrhofer, R. (2009), Ubiquitous Computing Security: Authenticating Spontaneous Interactions, Habilitation Colloquium.
Roosta, T. & Sastry, S. (2008), Distributed Reputation System for Tracking Applications in Sensor Networks, California: Department of Electrical Engineering & Computer Science, University of Berkeley.
Stajano, F. (2002), Security for Ubiquitous Computing, USA: John Wiley & Sons, Ltd.
Weiss, R. & Craiger, J. (2002), Ubiquitous Computing, Omaha: University of Nebraska.
Bibliography
Lipasti, M. (n.d.), Role of Ethics in Pervasive Computing Security, Otaniementie: Helsinki University of Technology.
Kanai, G. (2004), Ethics for Ubiquitous Computing. [Online]. November 2004. Available from: http://kanai.net/weblog/archive/2004/11/01/11h03m19s. [Accessed: 30th January 2011].