Secuirty Issue in Mobile Communication(1)

8/13/2019 Secuirty Issue in Mobile Communication(1)

1/6

Security Issues in Mobile CommunicationsV.Bharghavan and C.V. RamamoorthyCS Division, Department of EECSUniversity of California at BerkeleyBerkeley, CA - 94720

AbstractRecent years have witnessed the rapid growth of mo-bale computing environments. One of the major con-cerns in such env ironm ents is secu rity specially in thecontext of wireless commun icat ions. In this paper wedescribe some of the important issues which need tobe addressed in designing a security schem e for mobilecommunicat ions. These include autonomy of commu-nicating entities mobility of the users l imitat ions ofthe hardw are etc.W e describe a schem e which add resses the above is

sues and provides a correct and eficient mechanismto establish secure comm unicat ions. Our scheme pro-vades authentication of the communicating entities lo-cat ion priva cy and secure messaging.1 Introduction

Recent years have witnessed the rapid developmentof portable computing devices such as notebooks,PDAs, palmtops, etc. In the past , these portable de-vices were designed to operate as stand-alone entities.However, there is a growing trend towards providingportable computers with wireless networking function-ality. This implies that portable computers of the fu-ture will have wireless connectivity with the rest ofthe networked world. The absence of wires facilitatesmobility, and the presence of networking access facil-itates communication-based applications. In fact, thecombination of mobility and networking gives rise toa whole new class of very interesting applications, butalso a whole new set of technological problems. Oneof the more challenging problems introduced by mo-bile networking is security. This paper addresses thesecurity issues in mobile networking.

We describe the problems in secure nomadic move-ment. We then propose a security scheme which pro-vides authentica tion, location privacy, and secure mes-saging. The correctness of the scheme has been shownusing the Burrows-Abadi-Needham Logic of Authen-tication [SI.The rest of the paper is organized as follows. Sec-tion 2 describes the development environment and thegoals of our security scheme. Section 3 describes theissues that need to be resolved to achieve our goals.

Section 4 proposes a practical security scheme whichachieves our goals. Section 5 explores the design space,and Section 6 concludes the paper.

2 Scope and Goals2.1 Development Environment

We have adopted the popular Personal Communi-cations Services (PCS) model for our mobile comput-ing environment. We use the term workstat ions forstatic computers, and walkstat ions for mobile com-puters. There exists a high bandwidth wired back-bone network to which workstations are connected.There are some special purpose networking deviceswhich have wired and wireless networking function-ality. Such devices are called basestations. Basesta-tions serve as the communication intermediaries be-tween sta tic workstations and mobile walkstations. Abasestation services a geographical region around it,called a cell. The environment we envision is one inwhich basestations are appropriately located to co-operatively service a large geographical region. Mo-bile walkstations are allowed unconstrained mobilitywithin this region, while retaining their network con-nectivity. We make no assumptions about the sizeof the mobile computing environment. Our goal isto design a security scheme which scales from IndoorWireless LANs to the PCS infrastructure.Each walkstation has a home workstation on thewired backbone network. A home workstation istrusted fully about any information pertaining to itswalkstation(s). In our environment, home worksta-tions and b asestations are considered to be trusted spe-cial machines.The actual networking protocol used for mobilecommunications is irrelevent. Our implementationuses a TCP/IP/MACAW protocol stack. Our securityscheme sits between MACAW and IP. An importantpoint in our implementation is that we use dynamicaddressing [5] at the media access layer. It turns out tobe an important factor in providing location privacy.We have tried t o make as few assumptions as possi-ble about the development environment in our securityscheme. The important assumption is the trustworthi-ness of basestations and home workstations.Figure 1 shows the development environment.2 2 Goals

The establishment of secure wireless communica-tion channels is one of the major requirements in PCSWhile security is not the prime focus of experimentalnetworks and short-range Indoor Wireless LANs, it isa major concern in commercially viable PCS infras-tructure. In such environments, authenticat ion and

0 8186 7087 8/954.00 1995 EEE 19


2/6

Figure 1: Mobile Computing Environmentprivacy of communica t ion are two major requirements.Our security scheme has four goals.

The walkstation and the basestation must be ableto authenticate each other. Authentication pro-tects the basestations (and by extension, the PCSinfrastructure) from unauthorized intrusion. Italso enables the walkstation to authenticate thebasestation. This could be of importance for tworeasons: firstly, it prevents a malicious stationfrom pretending to be a basestation; secondly,it permits the walkstation to choose the servicesof a part icular basestation in the presence of co-located networks. the latter feature will enablethe walkstation to choose service from one amongcompeting providers.Once authenticated, the walkstation and bases-tation should be able to communicate securely.Privacy has two dimensions: da ta privacy, andlocation privacy. Data privacy is well understoodin the context of traditional wired communica-tions. Data privacy protects data transmittedover a communication channel from being eitherfaked or snooped by an unauthorized entity. Ittherefore prevents both active and passive formsof intrusion.Walkstations should be provided location privacy.Location privacy is of particular importance inmobile computing environments. It prevents abystander from detecting the identity of the com-municating entities. Some applications (specifi-cally military applications) will require locationprivacy, while others may exploit the knowledge

of location of walkstations, such as Active Badgessystems. Our goal is to provide location privacyat the lowest layer. Higher layers may dissemi-nate location information according to the needsof the applications.The security scheme should be efficient, and op-tional. Many applications may not care aboutsecurity at all. For example, given a walkstationwith limited power, there is a trade-off betweenincreasing bandwidth by dat a compression,or security. Essentially, the computing power a t thewalkstation could be a scarce resource, and weneed to choose between encryption and compres-sion. Our goal is to provide security as an op-tional feature, which an application can turn onor off epending on its needs. We want to providean efficient security scheme.

3 Important IssuesSecurity in Mobile environments is governed bythree major factors: (a) hardware characteristics (b)sys tems character is i ics and ) applications charac-ter is t ics . We describe each o these in the followingsections.3.1 Hardware CharacteristicsThe limiting hardware components in a mobilecomputing environment are the walkstations and thewireless medium.Walkstations may range from simple PDAs topowerful notebook computers. Typically, thewalkstations are low power, and their computingresource is scarce. This was in part the motiva-tion for making security an optional feature.

20


3/6

Wireless media are inherently less secure thanwire. For example, it is possible to snoop, or evenjam radio channels very easily. This motivatedmoving the security scheme to the lowest com-munication layer. Our goal is to establish wire-less communication channels which are at leastas secure as wired communications. Note that wecannot prevent jamming in radio media.Wireless bandwidth is typically, orders of magni-tude lesser than wired bandwidth. Our goal isto minimize the overhead of the securit,y scheme,since the wireiess medium is a scarce resource.This translates to reducing the number of mes-sages in the wireless network.Mobile communications work in the presence ofnetwork partitions. In the case of LANs, we assume network parti tions to be negligible. How-ever, i t is possible for walkstations to operate veryfar away from their home network. Typically, mo-bile communications will span a WAN and a wire-less MAN. Network partitions in this scenario arenot to be neglected. Our goal is to eliminate (inthe common case) the across-the-globe messagesthat are required in traditional and current pro-tocols to authenticate the walkstation and bases-tation.

3.2 Systems C Piaract er s t icsThere are a number of Infrastructural charac-teristics in mobile environments. In this paper, wedescribe three of the most important.Autonomy is the critical issue in secure mobilecommunications. In LANs, we usually assumethat the communicating end-points and the in-termediate nodes are all a part of the same or-ganization. Security is thus a relatively simpleissue, given that there is an authenticating au-thority which certifies all the nodes. In WANs,this assumption fails, since frequently, the com-municating entities belong to different organiza-tions, which are autonomously governed. I t is stillpossible to extend the schemes in L 4 N s given asingle, or a set of mutually trusting authenticat-ing authorities. In Mobile Environments, there isa new dimension added by mobility. The wiredWAN, the basestations, and the walkstations areall governed by different organizations, and it ispossible for a walkstation from anywhere in theworld to walk into the cell of any basestation.Mobility has another implication on security.Walkstations move between cells, and need to beauthenticated upon entering each new cell. Cur-rently, each authentication requires communica-tion with the home workstation, which could beacross the globe. In the presence of network par-titions, this can be an enormous problem. Ourgoal is to make handoffs as efficient as possible.Almost all currently available security protocolsassume some form of time synchronization. This

is not a valid assumption in the presence of mo-bility, where a walkstation may travel across mul-tiple time zones without changing its clock. Ourgoal is to provide an implicit form of timestamp-ing.3.3 Applications CharacteristicsApplications in mobile computing environmentstypically have certain unique requirements. The threemost important being location privacy, mobility, andsecure multicast. Location privacy implies that theidentity of the communicating entities needs to be pro-tected. We do this by using dynamic addressing, asdescribed in [5]. Mobility implies frequent authen-tications upon handoffs, as described above. Securemult icast is an indirect consequence of mobility. Weanticipate that among the major applications for In-door Wireless LANs will be classrooms, and meeting.These applications t,ypically involve one transmitterand many listeners. Support for secure multicast istherefore an important aspect of our scheme.In summary, we believz that there are three majorreasons why mobility poses a challange in designingan efficient security scheme: (a) autonomy of commu-nicatiiig systems, (b) frequent sticure communicatiowsetup, and (c) network partitions.

O ur solution addresses all the three issues describedabove. We effectively solve the problem of frequent se-cure communications, while we work around the prob-lem of network partitions. We assume the presence ofa global certifying authority (or set of cooperating au-thorities), but icvolve its use very rarely.4 Security SchemeWe have proposed a security scheme [2] whichprovides authentication. location privacy, and securecommunications. Briefly, o u r scheme mutually au-thenticates the basestation and walkstation, and gen-erates a shared key for encryption of messages. Incase of multicast, our scheme relies on the traditionalpublic/private key mechanism. The authenticationscheme described here is safe against intrusions or re-play. Dat a replay is not a consideration here sincereplayed data will be rejected at a higher layer (typi-cally, TCP).For the purposes of this paper, we assume that it ispossible to communicate securely using a shared keyencryption. Various popular schemes, such as DES,IDEA, FEAL-32, etc. achieve this security.4.1 Definitionsthe paper.x, y, z authentication denotes the scheme bywhich two computers x and y authenticate each othervia z and then arrive at a shared key.m denotes a walkstation.b and b l denote a basestation.h denotes the home workstation of m .Kxy denotes a shared key between two computers xand y.Kx and Kx denote the public key and private keyrespectively of a computer x .

We use the following definitions for the rest of

21


4/6

{p}K denotes a messa e encrypted with key K.key K .N, N nd N denote a nonce.4.2 Message SequenceThe security scheme involves an indirect handshakebetween the mobile and its home. All messages arerouted through the basestation. In our scheme, mgenerates the shared key Kmb for m and b. h au-thenticates m to b, and b to m.A walkstation may first enter a cell by one of threeways - it may be powered-on in a cell, it may entera cell through handoff from another cell, or it mayenter a cell from an unserviced (no basestation s u pport) region. The last case reduces to one of the twoprevious cases, depending on whether the walkstationremembers its previous basestation or not.We expect that the common case in mobile environ-ments will be handoff across cells. We optimize thiscase by observin that basestations are trusted andalso that handoffimplies that the handing off bases-tation can act as the certifying authority for the newbasestation and the walk station.We now describe the case of power-on. The handoffcase is obtained by simply replacing the home h withthe handing off basestation.Initially, m sends a message to h encrypted inKmh. This message contains a nonce, a newly gener-ated shared key Kmb, and a message for b encryptedin Kmb (the messa e from m to h is routed throughand forwards to b a message encrypted in Kbh. Thismessage contains a nonce, the shared key Kmb, themessage from m to b, and a message to m encryptedin Kmh. b forwards the message from h to m en-crypted in Kmb. At the end of this exchan e, m, b,and h are all aware that Kmb is the share key be-tween m and b. Note, that since h is trusted by bothb and m, it actually acts as he Controlling Authorityin this exchange.The security scheme involves 4 messages since thefirst message from m to h is routed throu h b. Interms of the idealized protocol, these are the following.

1. m - b: h, {N, Im, b, KmbJ, {N, Im, b,2. b : {N, Im, b, Kmbl, {N, Im, b,3. h b:4. b m: 6N Im, b, Kmbl, IN m, b,

Ix,y,K denotes that t te computers x and y share a

- m identifies h to ). h sees the encrypted message,

Kmbl}Kmb }KmhKmb }Kmb }KmhKmb }Kmb,{N Im, b, Kmbl}Kmh{N m, b, Kmbl, {N,

Kmb }Km }dmbFigure 2 shows the message sequence.At the end of the message exchange, m and b haveboth obtained the shared key Kmb using which theycan communicate securely.Note that our scheme introduces two significant de-

partures from existing schemes. Firstly, the w alb ta -t ion generates the shared key. Second, in the com-mon case, the authentication process does not involve

the home at all, only neighbouring basestations. Thismakes the protocol much more efficient, specially sinceit is possible for the mobile to be in a different conti-nent from the home.In case of the power-on situation, it is not alwaystrue that the home and the basestation have authen-ticated each other. In that case, the home h and thebase need to authenticate each other through a cen-tral authority c. However, the b, h, c) authen-tication problem reduces exactly to the m, b, h)authentication problem, with b taking on the roleof m, h taking on the role of b, and c taking on therole of h.4.3 Security for Multicast packetsOnly basestations are allowed to multicast data.Mobile computers are not allowed to communicatewith each other directly. Enabling multicast is thussimple. After a basestation b authenticates a walk-station m, b provides m with its public key Kb. bmulticasts packets by encrypting them with its privatekey Kb. Authorized mobiles can decrypt the datausing Kb.Note tha t it is possible for the public key of a bases-tation to be divulged to unauthorized users (walksta-tions are not trusted). There does not seem to be anyfully secure way to prevent this from happening. Inorder to reduce the chance of unauthorized users accessing multicast data , basestations frequently reissuepublic/private keys.4.4 Proxy HomeWhen a walkstation moves away from i ts home net-work into a new network, it needs to establish a proxy-home for reasons described in 171. The proxy-homeand the mobile need to authenticate each other andestablish a shared key.For secure inter-network mobility, there has to besome common trusted central authority. Consider amobile m moving from its home network to a newnetwork. Let h be its home, and h l be the proxyhome. When m initiates the authentication protocolwith some basestation b in the new network, a flevelauthentication scheme is involved -ity in the new network and C s the global centralauthority.thentication, b, h l , c)h C) authentlcation -

Design Spaceof mobile communications.The design space is dictated by the characteristics

The limitations of hardware imply that in mostcases, either the walkstation or the wirelessmedium will be the bottleneck. Our solutionto this problem has been to push the decision(whether to employ a security scheme or not) u pwards in the communication protocol hierarchy,into the application space. This is because it isthe application which can best predict its needs.In terms of the wireless medium, our approachis to reduce the number of messages transmittedover the wireless. We achieve the minimum POsible message exchanges (2) over wireless because

22


5/6

dobile Computer Base Station Home Computc

II

Time Axis:Figure 2: Message Sequence in the Generic Scheme

in our security scheme, it is the walkstation whichgenerates the shared key.Our security scheme ensure that communication over wireless is secure. Of course, it is stillpossible for an intruder to snoop or interfere inthe wired network. For applications which care,higher level security protocols, such as Kerberos,are available. Our scheme thus makes the overallcommunication channel at least as secure as thewired part of the channel.Network parti tions are not negligible when weconsider WAN communication. Thus it is im-practical to involve the home workstation in everyauthentication. Our solution to this problem hasbeen twofold: firstly, we have eliminated commu-nication with the home upon handoff, which weexpect to be the common case; secondly, we es-tablish a proxy-home in the network local to thewalkstation. Setting up a proxy-home is a one-time cost, and significantly reduces the probabil-ity of negation of service to the walkstation dueto a network partition between the home and thebasest at on.We still do not have a good solution to resolve theproblem induced by autonomy of organizations.We have side-stepped this issue by replacing thehome in the common case with a local basesta-tion. However, we still require the presence of aglobal authority, or a set of cooperating authori-ties.

Since time synchronization is difficult to achievein our environment, we have replaced it withimplicit timestamping. Most protocols generatenonces by advancing including a time field in it.That way, if the nonce is replayed after a while,the replay can be detected. We replace the timefield in the nonce by a pair of random numbers,with the second random number of a nonce beingrepeated as the first number of the subsequentnonce. This scheme works well for a pair of sta-tions, and is described in [2].Multicast is a very difficult problem in wirelesscommunications. In [3] we describe the problemsof multicast access. In some sense, this problemis analogous to the problem of arriving at a se-cure key for multicast transmission. Our solutionhas been to use the public/private key scheme,but this does not prevent an unauthorized walk-station from gaining access to the private key ofa basestation and snoop on the transmission. Wedo not yet have a good solution to this problem.

Our implementation of the security scheme demon-strates the feasibility of the scheme, and our proof us-ing the Lo ic of Authentication demonstrates its cor-rectness [2f However, we sti ll need to evaluate ourscheme for performance in the presence of large-scaledeployment of mobile computers.6 Conclusion

One of the major factors in the commercial viabil-ity of PCS is security of communication in the PCS

23


6/6

environment. In general, designing efficient securityschemes for mobile computing environments is a verydifficult task. The major requirements are authenti-cation, location privacy, and secure messaging. Themajor technical challenges arise from the autonomyof administration of the communicating entities, m ebility of the users, and potential network partitions.In this paper, we have described some of the impor-tant factors to consider in designing a security schemefor a mobile computing environment. We have alsodescribed a securit scheme which we proposed andproved correct in [ We believe that our scheme suc-cessfully addresses many of the issues raised in thispaper.References[l] A. Aziz and W. Diffie. Privacy and Authenti-cation in Wireless Local Area Networks. I EEEPersonal Communicat ions First Quarter, 1994.[2]V.Bharghavan. Secure Wireless LANs. Proceed-ings of the ACM Conference on Computers andCommunicat ions Secur it y 1994.[3] V. Bharghavan, A. Demers, S.Shenker, and L.Zhang. MACAW: A Media Access Protocol for

Wireless LANs. Proceedings of t he ACM SIG-OMM Conference on Com munica t ions Archi-tectures Protocols and Applicat ions 1994.LCMACA - A Limited Con-tention Protocol for Wireless LANs: Design Doc-ument. In Preparation.

[5]V. Bharghavan. Dynamic Addressing in Wire-less LANs. Proceedings of the IEEE Intemat ionalCommunicat ions Conference 1995.[SI M. Burrows,M. badi, and R.Needham. A Logicof Authentication. A C M l h n s a c t i o n s o n C o m -puter Sys tems Vol. 8 No. 1 February 1990.[7] Ioannidis, D. Duchamp, and G.Q. Mapire. IP-based Protocols for Mobile Internetworkmg. Proceedings of ACM SIGC OM M 1991.[8]S.P Miller, C. Neumann, J.I. Schiller, and J.H.Saltzer. Kerberos authentication and authoriza-tion system. Project Athen a Technical Plan MIT,July 1987.

[4] V. Bharghavan.

24

Documents

Secuirty Issue in Mobile Communication(1)