Docstoc

Broker

Document Sample
Broker Powered By Docstoc
					 Wireless Security
 Effective Security



      Sara Javanmardi

Introduction to Ubiquitous Computing
             Winter 2007
   Securing Wireless Data:
System Architecture Challenges
     Authors: Srivaths Ravi, Anand
     Raghunathan, and Nachiketh
               Potlapally
        Presented by Sara Javanmardi
           Introduction
 •   Wireless security
 •   Computational requirements in architecture design of handsets
 •   Security processing gap
 •   Possible solutions to bridge the gap
      – Theory: Low-Complexity Cryptographic Algorithm
      – Hardware: Security Enhancement to embedded processors
      – Software: Advanced system architecture (new system level
        methodologies)




                                                                     3
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Its Differences with Wired Security

      – Public transmission medium
      – The possibility of being lost or stolen and the
        mobility of the handset
      – Constrained capabilities and energy supplies



         Wireless data requires at least equal and often a
         higher level of security compared to wired data
         transmission.




                                                                     4
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Role of Security Mechanisms
           and Protocols
 • Ensure privacy and integrity of data
 • Authenticity of parties involved in transactions
 • Provide non-repudiation
 • Prevent usage for denial of service attacks,
   filter viruses, malicious code
 • Provide anonymous communication




                                                                     5
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Security Domains
 • Appliance domain security
      – User authentication
 • Network access domain security
      – Device authentication
      – Data privacy and integrity
 • Network domain security
      – Network infrastructure
 • Application domain
      – Authentication of applications on an appliance
      – Security of transactions between applications




                                                                     6
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Background

 • Many protocols address only one network access
   domain security.
 • Studies show security level provided by many
   protocols (802.11b, WLAN, CDPD, Bluetooth) are
   insufficient
 • The move from wired Internet to wireless appliances
   is bringing a push for increased wireless security by
   placing wired protocols on top of “bearer”
   technologies.




                                                                     7
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Security Protocols in a
           Wireless Data Network




                                                                     8
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           GSM




                                                                     9
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           UMTS




                                                                     10
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Challenges

 • Security processing gap
      – Security protocols greatly increase computational
        requirements of appliances
      – Ex: Palm IIIx- 3.4sec for 512bit RSA key
        generation
 • Battery gap
      – Battery growth cannot keep up with processing
        requirements




                                                                     11
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Challenges II

 • Flexibility
      – Need to support a multitude of security protocols
      – Need for upgradability to newer protocols and
        enhancements
 • Tamper-proof implementation
      – Need to prevent malicious users from
        compromising system security




                                                                     12
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Analyzing Computational Requirement

 • Note that security protocols require combined
   usage of a symmetric key encryption
   algorithm and a message authentication
   algorithm during the bulk data transfer phase.




                                                                     13
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Processing Requirements of RSA-based SSL Handshake for
           Different Connection Latencies and Module Sizes




                                                                     14
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           An Processing Requirements of Cryptographic Algorithms at
           Different Data Rates analyzing Computational Requirement




                                                                       15
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           The Wireless Processing Gap




                                                                     16
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Bridge the Wireless Security Gap

 • Low- complexity cryptographic algorithms
 • Security enhancement to embedded
   processors
 • Advanced system architecture for wireless
   handset
      – By new system level design methodologies




                                                                     17
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Low Complexity Security Protocols &
           Cryptographic Algorithms

 • Optional SW implementation of cryptographic
   algorithms
 • Adaptation of cryptography algorithm based
   on the sensitivity of the data (re-configuration)
      – Example: Just some part of video
 • Lightweight cryptographic algorithms
      – ECC or NTRU instead of RSA (in SSL)
      – AES instead of DES




                                                                     18
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Comparison

 • ECC vs RSA
      – ECC offers considerably greater security with the same RSA
         key size
      |E| = 320 probably more secure than |n| = 2048

      – Faster cryptographic operations, running on smaller chips or
        more compact software.
      – Less heat production and less power consumption

      – Some compact hardware implementations available for ECC
        exponentiation operations, offering potential reductions in
        implementation footprint even beyond those due to the
        smaller key length alone.


                                                                       19
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Moses

 • MOSES (MObile SEcurity processing System) is a
   programmable security processor platform being
   developed at NEC to enable secure data and multi-
   media communications in next-generation wireless
   handsets.

 • Objective: To tackle the wireless security processing
   gap




                                                                     20
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Moses Architecture




                                                                     21
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Estimated Speed Up for SSL




                                                                     22
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Conclusion
 • Although battery limitation poses some challenges in design and
   development of wireless protocols, such as security protocols,
   there are some other ways that can mitigate the problem.




                                                                     23
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Question?

 ?
                ?
      ?
                           ?
            ?




                                                                     24
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
Security Day-to-Day: User Strategies for Managing
   Security as an Everyday, Practical Problem


                        Authors:
      Paul Dourish, Rebecca E. Grinter, Brind Dalal,
      Jessica Delgado de la Flor and Melissa Joseph

                Presented by Sara Javanmardi
           Effective Security

 • It refers to the degree of security that is practically
   achievable in real settings.




• Effective security solutions depend on:
    • The mathematical and technical properties of
    those solutions
    • On people’s ability to understand them and use
    them as part of their work.



                                                                     26
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           “Security is more pervasive these days”

 • Rapid expansion of the Internet into daily life has made
   security a PRACTICAL day-to-day problem and every one on
   some level should be concerned with the security related facets
   of his/her activities.


      This transition implies a radical change in
       the way that security should be understood
       and studied.




                                                                     27
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Is security considered in the 4 steps?


 Security should be considered in the software
   life cycle:

 •   Requirement
 •   Design
 •   Implementation
 •   Test




                                                                     28
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
            Current Security technology

                                                                      Application
Security                                The                           Developers and
Professionals
Don’t Know The                      Security Gap                      QA Professionals
Applications                                                          Don’t Know
                                                                      Security

“As a Network
Security                                                              “As an
Professional, I don’t                                                 Application
know how my                                                           Developer, I can
company’s web                                                         build great
applications are                                                      features and
supposed to work so                                                   functions while
I deploy a protective                                                 meeting
solution…but don’t                                                    deadlines, but I
know if it’s                                                          don’t know how
protecting what it’s                                                  to build security
supposed to.”                                                         into my web
                                                                      applications.”
                                                                                      29
 Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           When does the problem start from?

 • From the requirement Phase where we ask users what they
   want and we show them the prototypes including user
   interfaces.


                                           Scalability

                                      Non-Functional
        Functional                    Requirements
        Requirements
                                             Security




                                                                     30
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           The correct view:
 •   Non-functional requirements as some properties, in this way we are
     embedding them to the core of the system from the first step.
 •   Interactions between non-functional requirements and functional
     requirements are VISIBLE.               …


               Security                                              Scalability
                                             Functional
                                             Requirements


                                                   …


 Automatically, security will be embedded in our system.

                                                                                   31
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Aspects of security

 • We should distinguish between two aspects
   of security:
      – Theoretical security
      – Effective Security




                                                                     32
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Differences

 • Theoretical security sets an upper bound for effective
   security

 • Result: Both non-technical end users and high-technical
   personnel encounter the disparity between theoretical security
   and effective security.




                                                                     33
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Background

 • Security research has long acknowledged the
   role of

      – Human
      – Social
      – organizational factors in creating effective
        solutions



                                        Usability Analysis

                                                                     34
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Security History: Usability Analysis

 • Whitten and Tygar (1999) presented a usability
   analysis of PGP 5.0, results show:
    – difficulties that users have in completing
         experimental tasks (in their user study, only 3 out of 12 test
         subjects successfully completed a standard set of tasks
         using PGP to encrypt and decrypt email.)




                                                                          35
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           How to Improve Usability

 • To forget about “all or nothing” approach
 • To allow users to manage their security and
   change the degree of desired security
      – e.g. privacy agents




                                                                     36
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Interview Groups & subjects

 • Site A, an academic institution, eleven
   participants
      • administrative staff members of both an academic
        department and a research institute

      • Graduate students in a management program.

      They were interested in these people because of their range of
        institutional affiliations and responsibilities.




                                                                       37
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Interview Groups & subjects

 • Site B, an industrial research lab, nine
   participants
      • Staff in jobs: media relations, human resources, executive
      administration, and legal.

      • People in this group addition to any end-user security problems,
        also had security needs that related to their jobs.




                                                                           38
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Interview Groups & subjects

 • Site C, a law firm, one participant
      • Lower highly sensitized to issues of privacy,
        confidentiality, and trust.




                                                                     39
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Their findings

 1- Scope of security, or the range of concerns that
    manifest themselves when end users think about
    security issues.

 2- The range of attitudes that people display towards
    security problems.

 3- Relevant aspects of the social and organizational
    contexts within which people encounter and solve
    security problems.



                                                                     40
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           1.1 Security as a barrier

 “Security professionals and end users see
   security quite different from each other”

      – People imagine and seek unitary solutions to these

         problems     .
      – People think of security as a barrier, akin to a gate or a
         locked door.




                                                                     41
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           1.1 Observation:


      – Security solution that solves only one problem but not others
        (e.g. a virus scanner) is likely to be seen as inadequate.

      – A technology deployed to solve one problem may be
        mistakenly interpreted as providing protection against the
        others.




                                                                        42
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           1.2 Online and Offline
 • Relation between online and offline security management

      – Offline experiences provide metaphor and analogy for online world


      – Online and offline come together in another way:
        practical management of space and security




                                                                            43
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           1.3 Hackers, Stalkers, Spammers and
           Marketers

 • Four broad classes of threats that people
   brought up in discussion:
      –   Hackers
      –   Stalkers
      –   Spammers
      –   Marketers




                                                                     44
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           2. Attitudes Towards Security


      – Security as an obstacle

      – Pragmatism

      – Futility




                                                                     45
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           3. Social Context

 •   Delegation Security
 •   Socially-Defined Security Needs
 •   Security as a Practice
 •   Managing Identity




                                                                     46
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           3.1 Delegation of Security

 • Most people, in the course of their daily work,
   have neither the time nor inclination to be
   continually vigilant for new threats
 • They delegate responsibility of security to:
      –   delegate to technology
      –   delegate to another individual
      –   delegate to an organization
      –   delegate to institutions




                                                                     47
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           3.2 Socially-Defined Security
           Needs
 • How to define know that if we need security in
   a specific context or not
    – E.g. How to define grant electronic file
      access when there is no guideline such as
      Federal laws




                                                                     48
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           3.3 Security as a Practice

 • People they interviewed had a number of methods for
   managing online security:
    – People use institutional means to secure
      communications.
           • Securing consequences instead of securing the
             communication (e.g. Marked Documents)
      – People use context for security
           • Not explicitly state the subject of email by using the
             shared working context
      – People use of media switching as a security
        measurer
           • Switch from Tel to Email or vice versa.

                                                                      49
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           3.4 Managing Identity

 • Participants see identity as a security
   challenge.
      – The production of identity
      – The interpretation of identity




                                                                     50
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           The production of identity

 • Using virtual IDs
 • Using partial Identities




                                                                     51
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007
           Conclusion

 • Result showed that security is a great concern for
   end users.
 • Security research typically focus on theoretical and
   technical issues rather than social aspects of
   security, hence the usability of the result is under
   question.




                                                                     52
Sara Javanmardi, Introduction to Ubiquitous Computing, Winter 2007

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:4
posted:9/5/2011
language:English
pages:52