
Ubiquitous Computing

Max Mühlhäuser, Iryna Gurevych (Editors)

Part IV: Liability

Chapter 15: Security for Ubiquitous Computing

Tobias Straub, Andreas Heinemann


Security for UC:

Introduction & Motivation

• UC features (not meant to be complete)

– large number of peers
– spontaneous and autonomous interaction
– a priori unknown communication partners
– no or just limited established security infrastructure (e.g., PKI)
– rich diversity of UC settings and applications

• Virgil Gligor, 2005: From the Internet where processing is free and physically protected, but communication is not, to UC where neither processing nor communication is free and physically protected


UbiComp changes our world

[Figure: comparison of "today" and "tomorrow". Labels: ME; Computer, PC, Laptop, PDA, mobile phone, Printer, Printer1; known, trusted device; common approaches; attacker; various infrastructures & services, unknown networks, etc.; different levels of trust; "virtual printer": part of infrastructure (Printing, Billing, Virus-Scanner, Layout); new, distributed attacks; various/new monitoring capabilities, privacy at risk.]


FOUR UC SETTINGS


UC setting 1: Mobile Computing

Mobile Computing

• supports mobile users with connectivity and access to services and backend systems while being on the move (aka nomadic computing)

• relies on a given infrastructure (802.11 WiFi, GSM, UMTS, etc.)
– user needs to register with a provider
– access is controlled by provider
– closed group of users
– no user anonymity

• physical threat if device is mobile.
– 4.973 laptops, 5.939 Pocket PCs, and 63.135 mobile phones lost or forgotten in taxis in London within 6 months, see http://www.laptopical.com/laptops-lost-in-taxi.html
– danger of device owner impersonation
– private & business data lost


Mobile Computing Scenario

Scenario: The Mobile Salesman

While on the road, a salesman needs to regularly download up-to-date client reports from his company’s databases. His laptop is equipped with several wireless communication interfaces which can be used to connect via different service providers depending on what kind of service/infrastructure is available.

At the client’s office, there is a WiFi network the salesman can access. There are also some networked printers available for guests. However, it is unclear to what extent the infrastructure can be trusted.

Challenges

• secure communication to backend via insecure communication links

• secure storage of internal data on a mobile device

• secure device association
– Is there a way to securely send a confidential document over the air to a printer located in the office?
– Does it help if the salesman selects a printer close to him equipped with a secondary communication interface?


UC setting 2: Ad Hoc Interaction

Ad Hoc Interaction

• no given infrastructure

• UC devices build the infrastructure on their own by establishing temporary, wireless, and ad hoc communication links between them

• On application layer: spontaneous interaction without any central authority that restricts interaction/participation, no managed groups

• user & device anonymity

• again: physical device exposure


Ad Hoc Interaction Scenario

Scenario: Passive Collaboration in Opportunistic Networks

In an Opportunistic Network, passers-by exchange information, for example digital advertisements (Straub & Heinemann, 2004), while being co-located. After an initial configuration, devices interact autonomously and without users’ attention. Information dissemination is controlled by profiles stored on the users’ devices. Such a profile expresses a user’s interest in and knowledge about some pieces of information to share.

Challenges

• devices that are a priori unknown to each other communicate: whom to trust? (see Chapter 16 – Trust II)

• personal data stored on the device and exchanged with strangers: user privacy is at risk


UC setting 3: Smart Spaces

Smart Spaces

• focus on user friendliness & user empowerment

• unobtrusive interaction

• use of contextual information

• optional: digital IDs in use

• often based on sensing and tracking capabilities integrated into the environment

location privacy issues?


Smart Spaces Scenario

Scenario: Patient Monitoring

In a hospital, all records of patients are digitally stored and maintained in a central database. Records are updated with the results of physical examinations or continuous monitoring. Husemann and Nidd (2005) describe a middleware capable of integrating a wide range of medical analyzers that have a common wireless interface. Consider a battery-driven heartbeat monitor which is attached to the body and sends measurements to the database. The data can also be used for a patient surveillance system that triggers an alarm in case of an anomaly.

Challenges

• for new patients, how to unambiguously associate the heartbeat monitor with a record?

• how to secure a communication link?

• how to detach a heartbeat monitor from a patient's record, after a patient leaves the hospital?


UC setting 4: Real-Time Enterprises

Real-Time Enterprises

• effort to leverage UC technology and methods within enterprises

• goal: have immediate access to comprehensive and up-to-date information about processes and procedures within an enterprise

• goal: close information/media gap


Real-Time Enterprise Scenario

Scenario: RFID-based Warehouse Management

Radio frequency identification (RFID) offers a variety of opportunities in tracking goods (see e.g. Fleisch & Mattern (2005)). Suppose all goods stocked at a warehouse are tagged with an RFID transponder. With the corresponding readers integrated into storage racks, the process of stocktaking can be completely automated and inventory information is available in real-time.

Challenges

• how to prevent industrial espionage by unauthorized RFID tag readout?

• how to prevent surveillance and tracking of humans by unauthorized RFID tag readout?


A TAXONOMY OF UC SECURITY


Basic Terminology and Objectives of IT Security

ASSETS (data, HW) to protect in the four scenarios

• confidential documents (Scenario 1)
• an individual’s habits and preferences (Scenario 2)
• medical information (Scenario 3)
• the stock list at a warehouse (Scenario 4)

Protection Objectives (CIAA)

• Confidentiality (C) refers to the aim of keeping pieces of information secret from unauthorized access.
• Integrity (I) is the requirement that data is safe from changes, be they accidental or deliberate.
• Authenticity (A) concerns itself with the genuineness of messages or the identity of entities in a networked system.
• Availability (A) means the provisioning of a system’s services to its users in a reliable way.


UC Characteristics and Associated Risks

Characteristics and their risks

• communication
– wireless: eavesdropping, …
– ad hoc: impersonation
– multi-hop: man-in-the-middle attacks, …

• pervasive nature
– physical exposure: device/data theft, manipulation
– limited power supply: sleep deprivation torture
– traceability: privacy violation


UC Limitations and Associated Challenges

Limitations and their challenges

• resource, infrastructure limitations
– lack of centralized authority: entity authentication, policy decision
– limited CPU power, little/no memory, limited power supply: algorithm implementation, protocol design

• user interface limitations: trusted path establishment


OVERVIEW OF CRYPTOGRAPHIC TOOLS


Symmetric Cryptosystems

• A plaintext is transformed into a ciphertext in order to ensure confidentiality between a sender (Alice) and a receiver (Bob)

• Alice and Bob need to agree on a shared key and an algorithm (3DES, AES, …)

• Symmetric: Alice and Bob use the same key for encryption and decryption

• Kerckhoffs (19th century): A cryptosystem’s strength should not be based on the assumption that its algorithm is kept secret, but only on the attacker’s uncertainty regarding the key.

• visit http://www.keylength.com for appropriate key lengths

• secure key distribution?


Asymmetric Cryptosystems and PKI

• avoids key distribution problem

• makes use of different keys for encryption and decryption (public and private key)

• Alice encrypts a message for Bob with Bob's public key. Bob uses his corresponding private key to decrypt the message

• Examples: RSA, ElGamal, Elliptic curves

• new problem: public key authentication. How does Alice know that a public key $P^{+}_{Bob}$ is genuine? Solution: digital certificates managed by PKIs


Hash Functions & Digital Signatures

• Modification detection code (MDC)
– ensures data integrity
– hash function h: a function that compresses bitstrings of arbitrary finite length to bitstrings of fixed length, commonly 160 bit
– Examples: RIPEMD-160, SHA-1
– has to be 2nd preimage resistant: Given an input x that hashes to h(x), an attacker must not be able to find a value $y \neq x$ such that $h(y) = h(x)$.

• Message authentication code (MAC)
– hash function + secret key shared between sender and receiver
– On receipt, Bob knows: the message is intact and was sent by Alice
– Each MDC h can be extended to a MAC in the following way: On input x, compute $h\big((k \oplus p_1) \,\|\, h((k \oplus p_2) \,\|\, x)\big)$, where k is the key, $p_1$, $p_2$ are constant padding strings, $\oplus$ is the XOR operation, and $\|$ denotes concatenation.

• Digital Signatures
– used for proof of authorship (different from MAC, where both Alice and Bob know a shared key)
– often implemented with public key cryptography, see RSA signature scheme.
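Added example (not from the slides): the MDC-to-MAC construction above written out in Python and checked against the standard library's HMAC, next to a bare MDC that a modifier can simply recompute. The padding bytes 0x5C and 0x36 are the HMAC constants, assumed here for p1 and p2; SHA-256 as default hash, the key and the messages are constructed for the example.

```python
import hashlib
import hmac


def nested_mac(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Compute h((k XOR p1) || h((k XOR p2) || x)) for the hash h = hash_name."""
    block = hashlib.new(hash_name).block_size       # 64 bytes for SHA-1 and SHA-256
    if len(key) > block:                            # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")                 # pad k to one hash block
    k_p1 = bytes(b ^ 0x5C for b in key)             # k XOR p1 (outer padding, assumed)
    k_p2 = bytes(b ^ 0x36 for b in key)             # k XOR p2 (inner padding, assumed)
    inner = hashlib.new(hash_name, k_p2 + msg).digest()
    return hashlib.new(hash_name, k_p1 + inner).digest()


def mac_accepts(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(nested_mac(key, msg), tag)


def mdc_accepts(msg: bytes, digest: bytes) -> bool:
    """Receiver side for a bare MDC: the hash is unkeyed, anyone can recompute it."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


# Constructed sample data (not from the slides).
KEY = b"constructed-shared-key-alice-bob"
ORIGINAL = b"reading=72bpm;record=constructed-0001"
TAMPERED = b"reading=20bpm;record=constructed-0001"


def demo() -> dict:
    tag = nested_mac(KEY, ORIGINAL)
    return {
        # With these pads the nested construction is exactly HMAC.
        "matches_stdlib_sha256":
            tag == hmac.new(KEY, ORIGINAL, hashlib.sha256).digest(),
        "matches_stdlib_sha1":
            nested_mac(KEY, ORIGINAL, "sha1")
            == hmac.new(KEY, ORIGINAL, hashlib.sha1).digest(),
        # Whoever modifies the message can re-hash it, but cannot re-MAC it.
        "mdc_accepts_rehashed_tamper":
            mdc_accepts(TAMPERED, hashlib.sha256(TAMPERED).digest()),
        "mac_accepts_tamper_with_old_tag": mac_accepts(KEY, TAMPERED, tag),
        "mac_accepts_original": mac_accepts(KEY, ORIGINAL, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An MDC therefore only protects integrity when the digest itself travels over a channel the modifier cannot write to; the MAC removes that requirement at the price of the shared key.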


Limitations of Cryptography in UC

• Pocket PC’s battery with a 1500 mAh capacity and a 5V voltage would have lost 20% of its charge after 5000 executions of a DH protocol or 10000 RSA signatures

Lightweight cryptography needed (new designs, but also new risk and threat analysis)

Experiments with a 206 MHz Compaq iPAQ H3670. Potlapally, Ravi, Raghunathan, and Jha (2003)

• Energy consumption is a serious issue in UC


SAMPLE SOLUTIONS


Privacy-Enhancing Technologies (I)

Suitable for one-hop communication in Opportunistic Networks (cf. Scenario 2)

• Blurring data (location based service)

• Avoid static data on all network layers
– Application Layer: self generated key pairs (X+,X-) serve as aliases
– TCP/IP: dynamic IP Addresses
– 802.11 WiFi: dynamic MAC Addresses


Privacy-Enhancing Technologies (II)

Design Principles for UC environments. Langheinrich (2001)

• Notice
– An announcement mechanism that allows users to notice the data collection capabilities in their environments.

• Choice and Consent
– The user has the choice of allowing or denying any kind of data collection (respected by the environment)

• Proximity and Locality
– meta information (locality and proximity) for collected data should be used by the environment to enforce access restriction

• Access and Recourse
– easy user access to collected personal information
– reports about usage of personal data

Implemented in pawS. Langheinrich (2002)


pawS Architecture. Langheinrich (2002)


Fighting DoS Attacks

Proof-of-Work techniques (PoW)

• idea: treat the computational resources of each user of a resource or service as valuable

• in order to prevent arbitrarily high usage of a common resource by a single user, each user has to prove that she has made some effort, i.e., spent computing resources, before she is allowed to use the service

• sender provides answer to a computational challenge together with message. If verification of the answer fails, the message is discarded

• costs of creating such a proof must be some orders of magnitude higher than for system setup and proof verification.
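Added example (not from the slides): one way to realise the scheme above is a hash-based puzzle in which the sender searches for a nonce that gives the digest a required number of leading zero bits, while the service checks it with a single hash. The puzzle type, SHA-256, the 16-byte challenge and the names Service, solve and verify are assumptions made for this sketch.

```python
import hashlib
import os


def zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(challenge: bytes, message: bytes, nonce: int) -> bytes:
    # Fixed-width challenge and nonce keep the encoding unambiguous; the
    # message is part of the input, so a proof cannot be moved to other content.
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big") + message).digest()


def solve(challenge: bytes, message: bytes, difficulty: int) -> int:
    """Sender side: about 2**difficulty hash evaluations on average."""
    nonce = 0
    while zero_bits(_digest(challenge, message, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify(challenge: bytes, message: bytes, nonce: int, difficulty: int) -> bool:
    """Service side: one hash evaluation, whatever the difficulty."""
    if not 0 <= nonce < 2 ** 64:
        return False
    return zero_bits(_digest(challenge, message, nonce)) >= difficulty


class Service:
    """Hypothetical service: issues single-use challenges, discards bad proofs."""

    def __init__(self, difficulty: int):
        self.difficulty = difficulty
        self._open = set()          # challenges issued and not yet redeemed
        self.accepted = []

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self._open.add(challenge)
        return challenge

    def submit(self, challenge: bytes, message: bytes, nonce: int) -> bool:
        if challenge not in self._open:
            return False            # never issued, or proof already used
        if not verify(challenge, message, nonce, self.difficulty):
            return False            # message is discarded
        self._open.remove(challenge)
        self.accepted.append(message)
        return True


if __name__ == "__main__":
    service = Service(difficulty=16)
    challenge = service.issue_challenge()
    message = b"constructed sample message"
    nonce = solve(challenge, message, service.difficulty)
    print("hashes spent by sender:", nonce + 1)
    print("accepted:", service.submit(challenge, message, nonce))
    print("replay accepted:", service.submit(challenge, message, nonce))
```

Each additional bit of difficulty doubles the sender's expected work and leaves verification at one hash, which is the cost gap the last bullet asks for; on battery-powered UC devices the difficulty also has to be weighed against the energy figures discussed earlier.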


Bootstrapping Secure Communication

Secure transient association – The resurrecting duckling security policy

• device authentication in the absence of a central and always available authority

• agreement on a shared key by physical device contact. Simple for a user to understand, and the devices involved are unambiguous

• Two devices involved. Roles
– a slave (or duckling) obeys a master
– a master (or mother duck) controls a slave

• Two states of a slave:


Four formal principles of the resurrecting duckling security policy (Stajano, 2002)

1) Two State principle
• The duckling is either imprintable or imprinted.
• In the imprintable state, anyone can take it over. In the imprinted state, it only obeys its mother duck.

2) Imprinting principle
• The transition from imprintable to imprinted, known as imprinting, happens when the mother duck sends an imprinting key to the duckling. This must be done using a channel whose confidentiality and integrity are adequately protected.
• The mother duck must also create an appropriate backup of the imprinting key.

3) Death principle
• The transition from imprinted to imprintable is known as death. It may occur under a very specific circumstance (particular variant) of the model:
– death by order of the mother duck.
– death by old age after a predefined time interval.
– death on completion of a specific transaction.

4) Assassination principle
• The duckling must be constructed in such a way that it will be uneconomical for an attacker to assassinate it, i.e., to cause the duckling’s death artificially in circumstances other than the one prescribed by the Death principle of the policy.
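Added example (not from the slides or from Stajano's book): a minimal model of the duckling's two states, with imprinting, death by order of the mother duck and death by old age. The class names, the HMAC-SHA-256 order format with a replay counter, and the explicit now argument are assumptions of this sketch; imprint() stands in for the protected contact channel, and death on completion of a transaction is not modelled.

```python
import hashlib
import hmac
import os


def order_tag(key: bytes, counter: int, order: bytes) -> bytes:
    """MAC over a strictly increasing counter plus the order (replay protection)."""
    return hmac.new(key, counter.to_bytes(8, "big") + order, hashlib.sha256).digest()


class Duckling:
    def __init__(self, lifetime=None):
        self._key = None             # None means imprintable
        self._lifetime = lifetime    # seconds until death by old age, or None
        self._imprinted_at = 0.0
        self._last_counter = 0

    @property
    def state(self) -> str:
        return "imprintable" if self._key is None else "imprinted"

    def _die(self):
        self._key = None             # forget the mother duck: back to imprintable

    def _age(self, now: float):
        if self._key is not None and self._lifetime is not None:
            if now - self._imprinted_at >= self._lifetime:
                self._die()          # death by old age

    def imprint(self, key: bytes, now: float) -> bool:
        """Key transfer; assumed to run over the protected channel only."""
        self._age(now)
        if self._key is not None:
            return False             # imprinted: nobody else can take it over
        self._key, self._imprinted_at, self._last_counter = key, now, 0
        return True

    def obey(self, counter: int, order: bytes, tag: bytes, now: float) -> bool:
        self._age(now)
        if self._key is None:
            return False
        if counter <= self._last_counter or counter >= 2 ** 64:
            return False             # replayed or malformed order
        if not hmac.compare_digest(order_tag(self._key, counter, order), tag):
            return False             # not from the mother duck
        self._last_counter = counter
        if order == b"DIE":
            self._die()              # death by order of the mother duck
        return True


class MotherDuck:
    def __init__(self):
        self.key = os.urandom(32)    # imprinting key
        self.backup = bytes(self.key)  # Imprinting principle: keep a backup
        self._counter = 0

    def order(self, order: bytes):
        self._counter += 1
        return self._counter, order, order_tag(self.key, self._counter, order)


if __name__ == "__main__":
    mother, duck = MotherDuck(), Duckling()
    duck.imprint(mother.key, now=0.0)
    print(duck.state, duck.obey(*mother.order(b"DIE"), now=1.0), duck.state)
```

The Assassination principle shows up here only as the MAC check on the DIE order; in a real device it additionally needs tamper resistance so that the key cannot be erased or read out physically.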


Out-of-Band Channels in UC

• UC environments may feature a rich set of out-of-band channels in order to bootstrap communication, e.g.
– Infrared light
– Dynamically generated 2D barcodes
– location limited audio channel
– biometric data
– ultrasonic
– LED and a pushbutton

• Example: Proximity-Based Authentication for Windows Domains (Aitenbichler & Heinemann, 2007)


RFID – Clipped Tag (IBM)

• IBM’s “Clipped Tag” is giving consumers the ability to simply “opt out” and protect their privacy by tearing or scratching off the RFID antennae, eliminating the tag’s ability to communicate with other devices or systems.


Literature

• Gligor (2005). Cryptolite: How Lite Can Secure Crypto Get? Information Security Summer School.

• Straub & Heinemann (2004). An Anonymous Bonus Point System For Mobile Commerce Based On Word-Of-Mouth Recommendation. In Applied Computing 2004. Proceedings of the 2004 ACM Symposium on Applied Computing (pp. 766–773). New York, ACM Press.

• Husemann and Nidd (2005). Pervasive Patient Monitoring – Take Two at Bedtime. ERCIM News, 70–71.

• Fleisch & Mattern (2005). Das Internet der Dinge: Ubiquitous Computing und RFID in der Praxis. Springer.

• Potlapally, Ravi, Raghunathan, and Jha (2003). Analyzing the energy consumption of security protocols. In Proc. ISLPED’03 (pp. 30–35).

• Langheinrich (2001). Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems. In G. D. Abowd, B. Brumitt, & S. A. Shafer (Eds.), Ubicomp (Vol. 2201, p. 273-291). Springer.

• Langheinrich (2002). A Privacy Awareness System for Ubiquitous Computing Environments. In G. Borriello & L. E. Holmquist (Eds.), Ubicomp (Vol. 2498, pp. 237–245). Springer.

• Stajano (2002). Security for Ubiquitous Computing. John Wiley & Sons.

• Aitenbichler & Heinemann (2007). Proximity-Based Authentication for Windows Domains. To be published at UbiComp 07, WS on Security for Spontaneous Interaction.