SECURITY IN MOBILE NETWORKS
BY BHONGIRI ANAND RAJ
VENKAT PAVAN RAVILISETTY
NAGA MOHAN MADINENI
Introduction
Mobile communication provides wide wireless connectivity in today's world, enabling mobility and computing across different communication environments.
In traditional e-commerce, fraud caused by a lack of security is seen as the major obstacle for users.
Web browsers and servers are able to use public key infrastructures for cryptographic key distribution and to use protocols such as SSL.
Need to ensure that neither the client side nor the server side is neglected.
By installing firewalls and intrusion detection systems, activity on the systems can be traced.
Flexibility and functionality are key factors for creating successful e-commerce applications.
Some of the mechanisms in communication security are:
Confidentiality
Integrity
Authentication
Non-repudiation
Location of the communication
The location of the communication, and even whether communication is taking place at all, are among the things that may need to be kept private.
Confidentiality of traffic, location and addresses in a mobile network will depend on the technology used.
Depending on the protocols used, the types of authentication vary.
For example, SSL has four different types of authentication:
Server authentication
Client authentication
Both client and server authentication
No authentication, providing only confidentiality.
Different groups attach different importance to authentication. For example:
Network operators are interested in authenticating users for billing purposes.
Content service providers and users will be interested in authenticating themselves to each other and to the network service providers.
All of these authentications depend on the business model and the technology used.
Public key cryptography is an essential element of SSL, used for securing web communications.
Public key certificate: the CA's (certification authority's) digital signature on a public key, together with some attributes.
A CA (certificate authority) is a trusted third party (TTP) that verifies and certifies the identity of the public key owner before issuing a certificate.
Security in heterogeneous networks: architectures depend on protocol layers, which represent the way of modeling and implementing data transmission between the communicating parties.
Figure: communication protocol layers
Mobile applications such as radio networks span different networks, which complicates the security implementation and makes end-to-end security difficult to obtain.
There will be a difference between the desired security service and the protocol layer.
For example,
Figure: security architecture using WTLS
Usage of security
Common design makes security services as transparent as possible, but this leaves the user with less security information.
Figure: semantic protocol layer between human user and organizations
A good user interface indicates the combination of multimedia and optimal terminal design.
Security of active content
Active content
allows sound and image animation
provides the user with the ability to interact with the server side during a session
ActiveX and Java applets are some examples
Sandboxing and certification are used to counter threats from active content
Sandboxing
The active content is restricted in what resources it can access on the host system
Adv: always active and transparent to the user
Disadv: limits the capabilities of active content
Certification
A trusted party has validated and digitally signed the active content
Adv: can access all system resources
Disadv: certification is not equivalent to trustworthiness
Security level of mobile communication
Level 1 security:
Implemented using passcode identification
The user sends the passcode to the mobile network, where it is compared with the one in the database
Level 2 security:
Implemented using symmetric key schemes
Main feature: the client is able to authenticate its identity to the gateway
Level 3 security:
Implemented using asymmetric key schemes
The client is able to authenticate the gateway's identity
Figure: Generic model of level 3 secure mobile communication
Implementing the security levels in mobile communication
Mobile devices and networks need to support the relevant technologies and standards
Different models have been proposed, but communication between the mobile device and the trusted server is not secure.
Clients are classified into the following categories:
No private key
One private key used for authentication or signing
Two or more private keys, of which one is used for authentication and the other for signing
Implementation of security level 1
The client sends the passcode by SMS or WAP
When verified, the user is granted access to information
Implementation of security level 2
Depends on the capability of storing private keys
If not capable, the private key must be stored either in the mobile device or entered by the user
Implementation of security level 3
Depends on the capability of the client to store private keys and generate the digital signature
If the client is not able to generate digital signatures, delegated PKI (public key infrastructure) signing is used (meaning the security server signs on behalf of the mobile device)
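The three security levels above, worked through as a challenge-response exchange between a client and a gateway. This is an added example and not code from the presentation or from any system it cites; the salted-hash passcode store for level 1, the HMAC-SHA-256 challenge-response for level 2, the ECDSA P-256 signature for level 3 and every function name are assumptions chosen for illustration, and the passcode, shared key and challenges are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// ---- Level 1: passcode identification ----------------------------------
// The deck only says the passcode is compared with the one in the database.
// Assumption for this example: the database holds a salted SHA-256 hash of
// the passcode rather than the passcode itself.

type passcodeRecord struct {
	salt string
	hash [32]byte
}

type passcodeDB map[string]passcodeRecord

func hashPasscode(salt, passcode string) [32]byte {
	return sha256.Sum256([]byte(salt + ":" + passcode))
}

// Level1Verify is the network side's check of a passcode received by SMS or
// WAP. The comparison is constant-time so timing does not reveal how much of
// the hash matched.
func Level1Verify(db passcodeDB, user, passcode string) bool {
	rec, ok := db[user]
	if !ok {
		return false
	}
	got := hashPasscode(rec.salt, passcode)
	return subtle.ConstantTimeCompare(rec.hash[:], got[:]) == 1
}

// ---- Level 2: symmetric key scheme -------------------------------------
// The gateway issues a fresh random challenge; the client proves it holds the
// shared key by returning HMAC-SHA256(key, challenge). Only the gateway learns
// anything, matching "the client authenticates its identity to the gateway".

func NewChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func Level2ClientRespond(sharedKey, challenge []byte) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(challenge)
	return mac.Sum(nil)
}

func Level2GatewayVerify(sharedKey, challenge, response []byte) bool {
	return hmac.Equal(Level2ClientRespond(sharedKey, challenge), response)
}

// ---- Level 3: asymmetric key scheme ------------------------------------
// The client issues the challenge; the gateway signs it with its private key;
// the client verifies with the gateway's public key, so the client now
// authenticates the gateway. In deployment the public key would arrive in a
// CA-issued certificate; here it is handed over directly.

func NewGatewayKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func Level3GatewaySign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func Level3ClientVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample data for a stand-alone run.
	db := passcodeDB{"alice": {salt: "s9f3", hash: hashPasscode("s9f3", "4711")}}
	fmt.Println("level 1, correct passcode:", Level1Verify(db, "alice", "4711"))
	fmt.Println("level 1, wrong passcode:  ", Level1Verify(db, "alice", "4712"))

	key := []byte("shared-secret-provisioned-on-SIM") // constructed
	ch := NewChallenge()
	fmt.Println("level 2, gateway verifies client:", Level2GatewayVerify(key, ch, Level2ClientRespond(key, ch)))

	priv, err := NewGatewayKey()
	if err != nil {
		panic(err)
	}
	ch = NewChallenge()
	sig, _ := Level3GatewaySign(priv, ch)
	fmt.Println("level 3, client verifies gateway:", Level3ClientVerify(&priv.PublicKey, ch, sig))
	fmt.Println("level 3, old signature on new challenge:", Level3ClientVerify(&priv.PublicKey, NewChallenge(), sig))
}
```

The fresh challenge in levels 2 and 3 is what stops a captured response or signature from being replayed later; the last line of main shows a level 3 signature failing against a new challenge. Level 2 convinces only the gateway, level 3 only the client; a deployment wanting both would run both directions.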
Some of the physical constraints of mobile communication systems are:
Broadcast medium:
The wireless medium is a broadcast medium
Extremely exposed to eavesdropping (spying)
Disconnections
Connections frequently drop due to a high degree of noise and interference
Heterogeneity
Moving from one domain to another, the host encounters different levels of security and management policies
Highly distributed environment
Some of the security threats are:
Device vulnerability:
Many mobile devices are small and lightweight, which leads to devices being misplaced or lost
This raises a security concern, as a thief has the chance to view secret information
Domain crossing:
Happens when a user's mobile enters a new location belonging to a domain other than the one where it was registered
This raises several security matters
When entering a new domain, it is important for both the user and the foreign domain to trust one another
Anonymity:
The mobile user wants to be anonymous to outside domains
Authentication:
A mobile user crossing domain boundaries must be authenticated
This should not interfere with the user's task, which requires the authentication to be transparent to the user
Some examples of mobile communication are:
Global System for Mobile communication (GSM)
Cellular Digital Packet Data (CDPD)
Mobile IP
Conclusion
Mobile networks have a positive side and a negative side.
Mobile network operators are well placed to become trusted third parties and to support security applications.
In the development of e-commerce technology, functionality and flexibility get the highest priority, as they form the basis for new business models.
The only hope is that in future, mobile networks will be more secure.
1. What are the different encryption types and tools available in network security?
There are three types:
Manual encryption:
Completely controlled by the user
The user has to manually select the objects for encryption, such as files or folders, and run some command to encrypt or decrypt these objects
Transparent encryption:
Here the encryption/decryption is performed at a low level during all read/write operations
From the point of view of general security principles, complete low-level transparent encryption is the most secure type imaginable, the easiest, and imperceptible for the user to manage
Semi-transparent encryption:
This operates not permanently, but before or after access is made to confidential objects, or during some read or write operations
2. How do you do authentication with a message digest (MD5) in a network?
MD5 is a cryptographic hash function with a 128-bit hash value as output.
Used to check the integrity of files or inputs.
An MD5 hash is expressed as a 32-character hex number. It takes a variable-length input and converts it into a fixed-length output of 128 bits called the MD5 hash.
It is a one-way hash function.
Any change in the message results in a completely different hash.
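The digest properties listed above, worked in Go: a 32-character hex digest, the change in output from a one-character change in input, an integrity check against a published checksum, and the keyed form (HMAC-MD5) that turns a digest into an authentication check, since a bare digest can be recomputed by whoever altered the message. This is an added example, not code from the presentation; the function names are assumptions, the message and key are constructed. MD5 is no longer collision-resistant, so a new design would use the same construction with SHA-256.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// MD5Hex returns the 128-bit MD5 digest of data as a 32-character hex string.
func MD5Hex(data []byte) string {
	sum := md5.Sum(data) // [16]byte, i.e. 128 bits
	return hex.EncodeToString(sum[:])
}

// VerifyIntegrity recomputes the digest of data and checks it against a
// published checksum. This catches accidental corruption, but not a deliberate
// change by someone who can also replace the published digest.
func VerifyIntegrity(data []byte, expectedHex string) bool {
	return hmac.Equal([]byte(MD5Hex(data)), []byte(expectedHex))
}

// AuthTag keys the digest: HMAC-MD5(key, msg). Without the shared key, a party
// who alters the message cannot produce a matching tag.
func AuthTag(key, msg []byte) string {
	m := hmac.New(md5.New, key)
	m.Write(msg)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyAuthTag is the receiver's side: recompute the tag with the shared key
// and compare in constant time.
func VerifyAuthTag(key, msg []byte, tagHex string) bool {
	tag, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	m := hmac.New(md5.New, key)
	m.Write(msg)
	return hmac.Equal(m.Sum(nil), tag)
}

func main() {
	msg := []byte("transfer 100 to account 42")     // constructed sample message
	altered := []byte("transfer 900 to account 42") // one character changed
	fmt.Println("md5(msg)     :", MD5Hex(msg), "hex length", len(MD5Hex(msg)))
	fmt.Println("md5(altered) :", MD5Hex(altered))

	key := []byte("shared-key-between-client-and-server") // constructed
	tag := AuthTag(key, msg)
	fmt.Println("tag verifies on original:", VerifyAuthTag(key, msg, tag))
	fmt.Println("tag verifies on altered :", VerifyAuthTag(key, altered, tag))
}
```

The difference between the two checks is who can recompute them: anyone can recompute MD5Hex, so VerifyIntegrity only detects changes when the expected digest was obtained through a separate trusted channel, whereas AuthTag requires the key, which is what makes it an authentication mechanism rather than a checksum.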
3. What is a routing protocol and a routed protocol?
Routed protocol
Any protocol that provides enough information in its network layer address to allow a packet to be forwarded from host to host based on the addressing scheme.
Routed protocols define the format and use of the fields within a packet.
Internet Protocol (IP) is an example of a routed protocol.
Routing protocol
Supports a routed protocol by providing mechanisms for sharing routing information.
Routing protocol messages move between routers.
The routing protocol allows routers to communicate with other routers to update and maintain routing tables.
4. What are the different types of network security?
There are two types of network security:
Physical security
It is important to physically secure your computer and its components so that unauthorized people cannot touch your computers and gain access to your network.
Software security:
Along with securing your hardware, it is necessary to protect your network from hackers and outside attackers:
Keeping a firewall on the system to block unwanted data
Having maximum protection against viruses
Using spam filter software
There are many more things to do to ensure complete network security.