Security and Privacy
Sejong University, Department of Computer Engineering, Taekyoung Kwon (권태경)
Contents
Introduction: security and privacy? Some related topics
Authentication and Access Control: identity management and HCI
RFID Security: blocker tag
MANET Security: general concepts
Database Security: search on encrypted data
Terms Revisited
Introduction
What is Ubiquitous Computing?
“Wirelessly networked processors embedded in everyday objects”
Smart environments characterized by: transparent interaction, automated capture, context awareness, proactive and reactive behaviour
Example projects: AT&T Active Bat/Badge, HP Cooltown, Microsoft Aura, Intel Place Lab and PersonalServer, EQUATOR
At UC Berkeley: WEBS (Wireless Embedded Systems, http://webs.cs.berkeley.edu), NEST (Network Embedded System Technology), SensorWebs, Smart Dust
Where Do We Currently Stand?
Ubiquitous devices (always “at hand”): mobile phones, Personal Digital Assistants, laptops, etc.; computationally bounded; limited battery
Ubiquitous networks (always available): (W)LAN/MAN (Ethernet & IEEE 802.11), GSM/GPRS/3G, PANs (Bluetooth, IrDA, AudioNet etc.)
Ubiquitous services: currently mostly “location-based”
Paradigm Shift
From Resource-Centric to User-Centric
Past: Super Distribution
Figure: in the past, logic-aware and resource-centred computing (“Please give me…”, “I like…”, Java); now, context-aware and resource-distributed computing, servants for human and society. Are the clients satisfied?
So What?
Ubiquitous / pervasive computing: access to services and information ANYWHERE and EVERYWHERE
Security and privacy infringement ANYWHERE and EVERYWHERE
UbiComp: pervasive disclosure of user information
Security and Privacy?
The “Old Model” – a Castle: security perimeter, inside and outside; firewalls for access control; static security policy; static trust model; tendency to focus on the network layer
Pre-evaluated, non- or slowly-evolving threat model
Security and Privacy?
Confidentiality/Secrecy: the assets of a computing system are accessible only by authorized parties; preventing unauthorized disclosure (secrecy issue, privacy issue)
Integrity: the assets of a computing system can be modified only by authorized parties or only in authorized ways; preventing unauthorized modification
Availability: the assets of a computing system are accessible to authorized parties; preventing denial of authorized access
Figure: flows from source to destination
Normal flow: source → destination
Interruption (availability): the flow is cut off
Interception (confidentiality): a third party reads the flow
Modification (integrity): a third party alters the flow
Fabrication (authenticity): a third party injects a flow that appears to come from the source
UbiComp characteristics: billions of potential subjects; continual change in network configuration; frequent disconnection; an absence of known online servers in many environments; most likely absence (or unavailability) of administrators; limited capabilities and power of small smart appliances; privacy concerns, i.e. “big brother” or ubiquitous surveillance; physical tamper resistance of smart devices themselves; …
Security and Privacy!
The “New Model” which is flexible, adaptable, robust, effective and un-obtrusive
Security and Privacy!
Authentication: secure transient associations, proximity
Recognition vs. Authentication: activities/behaviour, situation interpretation
(Dynamic) Identity Management, (Dynamic) Group Management
Security and Privacy!
Confidentiality: eavesdropping on wireless links is not a major issue; device capabilities (processor, battery etc.); confidentiality of data and meta data on devices is the real problem
Integrity: again, not messages in transit but devices; tamper resistance/evidence
Security and Privacy!
Availability: jamming communications channels, sleep deprivation
Dynamic Trust Model: localized decisions, context aware
Context-awareness: generalised RBAC, location-based access control
Security and Privacy!
Security policies: prevent formation of “evidence”, i.e. forming a link between contexts, objects, users and objectives, e.g. number, “credit card”, “foo bar”, credit limit
Location information privacy: one of the burning issues
Authentication and Access Control
Authentication
Ambient intelligent environments : roaming digital entities, most likely presence of strangers
Collaboration with most likely unknown entities: enrolment needed for authentication is missing
Identity in absolute terms is less meaningful than recognition of previous interaction to choose whether to collaborate or not
New requirements lead to new schemes, e.g. the Resurrecting Duckling security model [StajanoAnderson1999]
Any identifier can work as long as it allows for referencing the entity involved
Authentication is a subset of recognition
Figure: recognition covers patterns, IP address and location; authentication covers the duckling, Kerberos, PKI and Windows login
Authentication/Recognition comparison
Authentication Process (AP) versus Entity Recognition (ER)
A.1. Enrolment: generally involves an administrator or human intervention
A.2. Triggering: e.g., someone clicks on a Web link to a resource that requires authentication to be downloaded
A.3. Detective work: the main task is to verify that the principal’s claimed identity is the peer’s
A.4. Action: the identification is subsequently used in some ways. Actually, the claim of the identity may be done in steps 2 or 3 depending on the authentication solution (loop to A.2.)
E.1. Triggering (passive and active sense): mainly triggering (as in A.2.), with the idea that the recognizing entity can trigger itself
E.2. Detective work: to recognize the entity to-be-recognized using the negotiated and available recognition scheme(s)
E.3. Retention (optional): “preservation of the after effects of experience and learning that makes recall or recognition possible” [MerriamWebster]
E.4. Action (optional): the outcome of the recognition is subsequently used in some ways (loop to E.1.)
Figure (animation): one user leaves traces at three services during one day (24.03.02), each record carrying the real name.
At the bank: User: Kreutzer, Michael; Access: 09:20; Withdraw: € 500
On the bus: User: Kreutzer, Michael; Access: 10:21; Using: Bus #10
At the library: User: Kreutzer, Michael; Access: 11:42; Query: „Privacy+NSA“
Service-side profiles (alongside other customers’ entries, e.g. Bruce Schneier): Bank client profile for Michael Kreutzer (24.03.02, 09:20, withdraw 500, quit 09:42); TrafficSystem client profile for Michael Kreutzer (24.03.02, 10:21, using bus #10, exit stop #11); Library client profile for Michael Kreutzer (24.03.02, 11:42, query Privacy+NSA)
Because the same name appears in every record, the three client profiles join into a general person profile for Michael Kreutzer: 24.03.02, 09:20 withdraw € 500; 10:21 bus #10, exit stop #11; 11:42 library query Privacy+NSA
The Problem: Prevention of User Profiling
Conditions:
Ad Hoc => constantly changing networks/services
Mobile => constantly changing location
Fully automatic authentication requests from the environment
Linkability of the device!
Identity Management
Figure: one person, several partial identities. Full identity of Willi Weber: name Willi Weber; credit card VISA, card # 9988 7766 5544, valid until 01.01.2003; address Friedrichstr. 50, ZIP code 79098, Freiburg; birthday 11.07.1974, place of birth Paris; hobbies swimming, books. Partial identities shown to different parties: Shopping, Public Authority, Leisure (nickname Webster, society Friends of Privacy Berlin e.V.), Anonymous
Identity Management
Figure: identity management architecture. Context sensors feed context sensing; context sensing drives the choice of identity (rules, identities, filter) and the configuration of services; services and applications include banking, shopping, home automation, ...
Figure: the same day with identity management. Identity “Bank Client” (name Michael Kreutzer, account # 12927382) is used at the bank: User: Kreutzer, Michael; Access: 09:20; Withdraw: € 500. Identity “Bus” (ticket # 23882) is used on the bus: Ticket#: 23882; Access: 10:21; Using: Bus #10. Identity “Anonymous” is used at the library: User: Anonymous; Access: 10:21; Query: Privacy+NSA
Resulting service profiles: Bank client profile for Michael Kreutzer (24.03.02, 09:20, withdraw, quit 09:42) alongside other customers’ entries; Library client profile for Anonymous (24.03.02, 11:42, queries Crypto and Privacy+NSA); TrafficSystem client profiles per ticket (ticket #23882: 10:21, bus #10, exit stop #11; ticket #5321: 14:31, bus #12, exit stop #123; ticket #12321: 10:31, bus #1, exit stop #5). The profiles can no longer be linked to one person (“?”)
Role Based Access Control (RBAC): rights are associated with pre-defined roles, and not with users
Roles can change in different environments, while the user remains the same: context-dependent semantics!
Rules for assigning roles are the main access control mechanism
Dynamic creation of roles is possible, based on inferences
Drawback: dynamic delegation of rights is not possible
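The context-dependent semantics above, as an added example that is not part of the lecture: rules evaluate the current context (user, location, device trust, time of day) to assign roles, and rights hang only on roles, so the same user holds different rights at the office, at a café, and on an untrusted device. The staff directory, role names, contexts and permissions are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample directory for the example
STAFF = {"alice", "bob"}


@dataclass(frozen=True)
class Context:
    user: str
    location: str        # "office", "home", "cafe", ...
    device_trusted: bool
    hour: int            # 0..23, local time


# Rules for assigning roles are the access control mechanism; no rule mentions a permission.
ROLE_RULES = {
    "employee": lambda c: c.user in STAFF,
    "onsite_employee": lambda c: c.user in STAFF and c.location == "office" and 8 <= c.hour < 20,
    "remote_employee": lambda c: c.user in STAFF and c.location != "office" and c.device_trusted,
    "visitor": lambda c: c.user not in STAFF and c.location == "office",
}

# Rights are attached to roles only, never to users.
ROLE_PERMISSIONS = {
    "employee": {"read:calendar"},
    "onsite_employee": {"read:hr-records", "print:confidential"},
    "remote_employee": {"read:hr-records"},
    "visitor": {"use:guest-wifi"},
}


def active_roles(ctx: Context) -> set:
    """Roles inferred from the context right now; they change as the context changes."""
    return {role for role, rule in ROLE_RULES.items() if rule(ctx)}


def permissions(ctx: Context) -> set:
    """Union of the rights of every role active in this context."""
    return set().union(*(ROLE_PERMISSIONS[role] for role in active_roles(ctx)))


def permitted(ctx: Context, permission: str) -> bool:
    """Access decision: the user gets the right only through a role the rules grant right now."""
    return permission in permissions(ctx)


if __name__ == "__main__":
    for ctx in (Context("alice", "office", True, 10),
                Context("alice", "cafe", True, 10),
                Context("alice", "cafe", False, 10),
                Context("eve", "office", True, 10)):
        print(ctx, "->", sorted(active_roles(ctx)), sorted(permissions(ctx)))
```

The drawback stated in the slide shows up as a missing operation: there is no call by which alice hands bob her print:confidential right for an afternoon; rights only move when a rule or a role table is edited.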
Security Aware Computing
Figure: security awareness (privacy, trust, access control) combined with situation awareness (“context awareness”, “smartness”, “automation”) over the environment, the user and the device
Context Awareness Model
Figure: three phases of context-awareness in pervasive computing. 1st phase, Acquisition: profile & context, sensing, exchange. 2nd phase, Evaluation: security, authenticity, accordance. 3rd phase, Triggering: context-aware action, interaction, adaptation, communication
Human perception procedure as analogy: “See Mr. Johnson and hear his voice.” → “I know he is Mr. Johnson from his face and voice.” → “Greet him!” → “Hello!”
Context Awareness Model
Figure: entities E1, E2, …, Ek on the context provider side. (1) Acquisition (sensing, transacting, etc.) and (2) triggering pass features f1…f4 and decisions d1…d4 through the provider decision network. (3) The context provider hands context to (4) the context acquirer, where a classifier and a selector build the context set C from contexts c1…ck with weights w1…w3. (5) Context acquirer evaluation checks the result against the provider policy, network context, device context, acquired context, etc., and (6) evaluation feeds back into the problem space
Security vs. HCI
How does Security affect the user-friendliness of UbiComp?
Can security be achieved without explicit interaction?
RFID Security
RFID Tags Everywhere
Figure: a passer-by’s tagged belongings answer any reader: 500 Euros in wallet (serial numbers: 597387, 389473, …); wig model #4456 (cheap polyester); 30 items of lingerie; Das Kapital and Communist-party handbook; replacement hip, medical part #459382
Simple Approaches to Privacy
Method 1: place RFID tags in protective mesh or foil
Problem: makes locomotion difficult… perhaps useful for wallets
Simple Approaches to Privacy
Method 2: “kill” RFID tags
Problem: RFID tags are much too useful…
One Example
European Central Bank has announced plans to implant RFID tags in banknotes by 2005
Uses? Anti-counterfeiting; tracking of illicit monetary flows
Privacy Infringement
More efficient mugging: “Just in case you want to know, she’s carrying 700 Euro…”
Fairly easy tracking of people and transactions by anyone!
Law-enforcement snooping capabilities made freely available
External re-encryption
To thwart tracking, the appearance of the ID should change
RFID tags have too little computational power to generate new IDs
Key idea: periodically change the ID by performing public-key cryptographic operations (re-encryption) in an external privacy agent
Figure: the tag’s E[ID] is replaced by a fresh E[ID] of the same ID
Cryptography performed by external privacy agent (e.g., reader)
Some other technical challenges
How do we ensure that the banknote is accessed only by a valid privacy machine? Require an optical scan for changes to banknotes; writing can be restricted, reading is still easy
How do we ensure that the privacy machine did its job properly? Cryptographic tricks: special composition of ciphertexts
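The re-encryption idea above, as an added example that is not part of the lecture or of the banknote proposal it summarises: the issuing bank holds an ElGamal private key, the tag stores E[ID] under the public key, and any privacy agent can re-randomise that ciphertext with the public key alone, so a tracker sees unrelated values on successive reads while the bank still decrypts every one of them to the same ID. The group parameters (safe prime p = 1019, q = 509, generator g = 4 of the quadratic-residue subgroup), the ID encoding as a square, and the banknote ID 123 are assumptions made for the example; real deployments use 2048-bit or elliptic-curve groups with the same algebra.

```python
import secrets

# Constructed toy parameters (assumption): safe prime p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def random_exponent() -> int:
    return secrets.randbelow(Q - 1) + 1


def keygen(x=None):
    """Bank key pair: private x, public y = g^x. Only the bank ever holds x."""
    x = random_exponent() if x is None else x
    return x, pow(G, x, P)


def encode_id(tag_id: int) -> int:
    """Map a banknote ID in 1..q to a quadratic residue so it lies inside the subgroup."""
    assert 1 <= tag_id <= Q
    return pow(tag_id, 2, P)


def decode_id(m: int) -> int:
    """Inverse of encode_id: modular square root, valid because p ≡ 3 (mod 4)."""
    r = pow(m, (P + 1) // 4, P)
    return min(r, P - r)


def encrypt(y: int, m: int, r=None):
    """Initial E[ID] written to the tag by the issuer: (g^r, m * y^r)."""
    r = random_exponent() if r is None else r
    return pow(G, r, P), m * pow(y, r, P) % P


def reencrypt(y: int, ct, r=None):
    """Privacy agent step (e.g. a reader): (a, b) -> (a * g^r', b * y^r') using only the public key.
    The encrypted ID is unchanged; the new ciphertext is unlinkable to the old one."""
    r = random_exponent() if r is None else r
    a, b = ct
    return a * pow(G, r, P) % P, b * pow(y, r, P) % P


def decrypt(x: int, ct) -> int:
    """Bank recovers m = b / a^x; a^(q - x) equals a^(-x) because a has order q."""
    a, b = ct
    return b * pow(a, Q - x, P) % P


if __name__ == "__main__":
    x, y = keygen()
    seen = [encrypt(y, encode_id(123))]          # constructed banknote ID 123, as first read
    for _ in range(3):                           # three visits to privacy agents
        seen.append(reencrypt(y, seen[-1]))
    print("ciphertexts a tracker would observe:", seen)
    print("the bank decrypts all of them to:", {decode_id(decrypt(x, c)) for c in seen})
```

Note that reencrypt never touches x: a reader can refresh E[ID] for any note it sees, which is exactly why the slide's remaining challenges (limiting who may write the tag, and checking that the agent really re-encrypted rather than substituting a ciphertext of its own choosing) are not solved by the algebra alone.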
Pseudonym management
RFID tag contains a number of pseudonyms; every time it is queried, the tag releases a different pseudonym
Figure: successive responses “74AB8”, “9JHHS”, “LI7YY”
Pseudonym management
What if an attacker makes rapid-fire queries? The tag will run out of pseudonyms!
Therefore: the tag has a built-in delay to prevent rapid querying; special key-management techniques permit a valid reader to refresh pseudonyms; easy compliance with existing standards
As an extra benefit, pseudonym management also strengthens authentication
Blocker Tag
Blocker simulates all (billions of) possible tag serial numbers!!
1,2,3, …, 2023 pairs of sneakers and…(reading fails)…
Blocker Tag
“Tree-walking” protocol for identifying RFID tags
Figure: binary tree of tag serial numbers, walked from the root one node at a time (“?”)
Level 1: 0, 1
Level 2: 00, 01, 10, 11
Level 3: 000, 001, 010, 011, 100, 101, 110, 111
In a nutshell: the “tree-walking” protocol for identifying tags recursively asks questions: “Is there a tag whose next bit is a ‘1’?” “Is there a tag whose next bit is a ‘0’?”
Blocker tag always says yes to both questions, which makes it seem like all tags are present; thus the reader cannot figure out which tags are actually present
Number of possible tags is huge (at least a billion billion), so the reader stalls
Figure: two bottles of Merlot, #458790, still on the shelf
Blocker tag system should protect privacy but still avoid blocking unpurchased items
Blocking with privacy zones
Figure: the same tree split at the first bit; the subtree under 0 (000, 001, 010, 011) stays readable, the subtree under 1 (100, 101, 110, 111) is the privacy zone
Transfer to privacy zone on purchase of item
More about blocker tags
Blocker tag can be cheap: essentially just a “yes” tag and a “no” tag with a little extra logic
Can be embedded in shopping bags, etc.
With multiple privacy zones, sophisticated, e.g., graduated policies are possible
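The tree-walking protocol, the blocker and the privacy zone from the slides above, as an added simulation that is not part of the lecture or of any blocker-tag product: the reader descends the ID tree by asking the two "next bit" questions, real tags answer for prefixes of their own IDs, and the blocker answers yes for every prefix inside its zone. A full blocker makes the reader exhaust its query budget; a selective blocker over the zone with leading bit 1 leaves the shelf readable for a reader that declines to descend into the privacy zone, while an item moved into that zone at checkout disappears from its reads. The 16-bit IDs, the query budget, and the convention that checkout sets the leading bit are constructed for the example.

```python
ID_BITS = 16   # constructed toy ID length; EPC tags carry far longer IDs


class ReaderStalled(Exception):
    """The reader exhausted its query budget before finishing the walk."""


class BlockerTag:
    """Simulates every ID inside its privacy zone: zone="" blocks the whole ID space,
    zone="1" blocks exactly the IDs whose first bit is 1."""

    def __init__(self, zone: str = ""):
        self.zone = zone

    def answers_yes(self, prefix: str) -> bool:
        # Some simulated ID starts with `prefix` iff prefix and zone agree where both are defined.
        n = min(len(prefix), len(self.zone))
        return prefix[:n] == self.zone[:n]


def tree_walk(tags, blocker=None, skip_zones=(), max_queries=2000):
    """Tree-walking singulation. Returns (IDs the reader believes present, queries used).
    skip_zones lists prefixes a privacy-aware reader refuses to descend into."""
    found, queries = [], 0

    def query(prefix):                     # "Is there a tag whose ID starts with prefix?"
        nonlocal queries
        queries += 1
        if queries > max_queries:
            raise ReaderStalled(f"gave up after {max_queries} queries at prefix {prefix!r}")
        real = any(t.startswith(prefix) for t in tags)
        fake = blocker is not None and blocker.answers_yes(prefix)
        return real or fake                # the reader cannot tell a real answer from the blocker's

    def walk(prefix):
        if prefix in skip_zones:
            return
        if len(prefix) == ID_BITS:
            found.append(prefix)
            return
        for bit in "01":                   # "next bit is 0?" then "next bit is 1?"
            if query(prefix + bit):
                walk(prefix + bit)

    walk("")
    return found, queries


def stalls(tags, **kwargs) -> bool:
    """True if the reader gives up on this shelf under the given blocker, skip list and budget."""
    try:
        tree_walk(tags, **kwargs)
        return False
    except ReaderStalled:
        return True


def move_to_privacy_zone(tag_id: str) -> str:
    """At checkout the leading bit is set to 1, moving the item into the blocked zone (assumed convention)."""
    return "1" + tag_id[1:]


if __name__ == "__main__":
    shelf = ["0000000000000101", "0000000000110000", "1000000000000001"]   # constructed IDs
    print("no blocker:", tree_walk(shelf))
    print("full blocker stalls the reader:", stalls(shelf, blocker=BlockerTag("")))
    print("zone-1 blocker, naive reader stalls:", stalls(shelf, blocker=BlockerTag("1")))
    print("zone-1 blocker, privacy-aware reader sees:",
          tree_walk(shelf, blocker=BlockerTag("1"), skip_zones=("1",))[0])
```

With the budget set to 2000 queries, the full blocker stalls the reader well before it could enumerate the 65536 leaves of this toy tree; the slide's "billion billion" tags is the same effect at real ID lengths. The naive reader also stalls under the selective blocker, because it finishes the 0 subtree and then walks into the blocked one, which is why a reader that honours privacy zones is part of the design rather than an optimisation.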
MANET Security
Mobile Ad-Hoc Networks
Collection of wireless mobile hosts forming a temporary network
No fixed network infrastructure; no (or limited) organization
Military and emergency sensor networks; civilian applications, ubiquitous computing
Dynamic Configuration
When D moves out of A’s radio range, the link is broken. However, the network is still connected, because A can reach D through C, E and F
Trust in MANET
Managed environment: a-priori trust; entity authentication ⇒ correct operation; but: requirement for authentication infrastructure
Open environment: no a-priori trust; authentication does not guarantee correct operation
New security paradigm
Node Misbehavior
Selfish nodes: do not cooperate; priority: battery saving; no intentional damage to other nodes. Exposure: passive denial of service, black hole, idle status
Malicious nodes: goal: damage to other nodes; battery saving is not a priority. Exposure: active attacks, denial of service, traffic subversion, attacks exploiting the security mechanism
MANET Requirements
Figure: wireless & mobile; limited energy → cooperation enforcement; lack of physical security; ad hoc → secure routing; no (or limited) infrastructure (lack of organization) → key management
Secure Routing - Objectives
Authentication (integrity) of routing information
Entity authentication: source, destination, intermediate node
Correct behavior (of the algorithm, if any)
Asymmetric vs. symmetric crypto; pro-active vs. reactive routing protocols
Sensor Network?
Sensor: an electronic device used to measure a physical quantity such as temperature, pressure or loudness and convert it into an electronic signal of some kind (e.g. a voltage)
A device that produces a measurable response to a change in a physical condition such as temperature or to a chemical condition such as concentration
Sensor Network Technical Challenges: energy constraints; level of dynamics (obstacles, weather, terrain, large number of nodes, failures, captures); scaling challenges
Current Applications
Monitor factory instrumentation, pollution levels, freeway traffic, the structural integrity of buildings
Other applications: climate sensing control in office buildings; home environmental sensing systems for temperature, light, moisture, and motion
Some Sensor Network
Sensor Network Limitations
No PKC! Node capture; lack of a-priori knowledge of post-deployment configuration (airplane); limited memory resources; limited bandwidth and transmission power; over-reliance on base stations exposes vulnerability
Sensor Nodes Compromise
Why compromise? Each node is a potential point of attack: impractical to monitor and protect each individual sensor; dispersed over a large area; attackers obtain their own commodity sensor nodes; an attacker can claim multiple identities for an altered node
Consequence of compromise? Falsification of sensor data; extraction of private sensed information from sensor network readings; denial of service
Tamper-resistant: too expensive
Eavesdropping
Wireless = insecurity: a few wireless receivers outside a house might be able to monitor light and temperature readings of sensor networks inside the house
Encryption: good! Using which key? Requirement for key management: maintain secrecy even when an adversary compromises a few sensor nodes
Ideally, revocation of known exposed keys and rekey; end-to-end encryption is impractical
Hop-by-hop encryption: each sensor node stores only encryption keys shared with its immediate neighbors
Privacy
Adversaries can use data to derive sensitive info if they know how to correlate multiple sensor inputs
More serious problem: they make large volumes of information easily available through remote access (on purpose also)
A step toward: ensuring that sensed information stays within the sensor network, accessible only to trusted parties; restrict the network’s ability to gather data at a detail level that could compromise privacy
Database inference problem; privacy preserving data mining
DoS
Defending against DoS is extremely difficult. It can occur at the physical layer, via radio jamming, or via malicious transmissions into the network to interfere with sensor network protocols
Attackers can induce battery exhaustion by sending useless communications that the target will expend energy processing and may also forward to other nodes, or by creating routing loops that will eventually exhaust all nodes
Message authentication based on PKC is highly computationally intensive; attackers that can induce a large number of these can mount an effective energy-exhaustion attack
Database Security
Issues
Inference: occurs when users are able to piece together information at one security level to determine a fact that should be protected at a higher security level
Access control
Encrypted computation
Searches on Encrypted Data
Example: mail server
Fully trusted, i.e. the sys admin can read my e-mail. Can build secure storage, but need to sacrifice functionality
Moving the computation to the data storage seems to be very difficult
For example, how to search encrypted data?
Notations
Si : i-th stream from stream cipher G, n-m bits
Wi : i-th word, n bits
Ci : i-th ciphertext, n bits
⊕ : bitwise exclusive-or
Fk(x) : MAC of x using key k, m bits output
Scheme I: Basic scheme
To search for W, Alice reveals {ki | where W may occur}; Bob checks whether W ⊕ Ci is of the form <s, Fki(s)> for some s
For unknown ki, Bob knows nothing. To search for W, either Alice reveals all ki, or Alice has to know where W may occur
Figure: plaintext Wi ⊕ <Si, Fki(Si)> = ciphertext, with Si from the stream cipher and Fki(Si) from the MAC F under key ki
Scheme II: Controlled search
Replace ki = fk’(Wi), where k’ is secret and never revealed, and f is another MAC with output size = |ki|
Reveal only fk’(W) and W
Bob identifies only the locations where W occurs, but learns nothing about the locations i where W != Wi
Still does not support hidden search
Scheme III: Hidden Searches
Figure: plaintext Wi is pre-encrypted as Ek”(Wi); ciphertext = Ek”(Wi) ⊕ <Si, Fki(Si)>, with Si from the stream cipher and Fki(Si) from the MAC F under key ki
Scheme III (Cnt’d)
Let Xi := Ek”(Wi)
After the pre-encryption, Alice has X1, …, Xl
Same as before, Ci = Xi ⊕ Ti where Xi = Ek”(Wi) and Ti = <Si, Fki(Si)>
To search for W, Alice queries (X, k) such that X := Ek”(W) and k := fk’(X)
A problem of Scheme III
Scheme III has a problem… Guess what?
If Alice generates ki = fk’(Ek”(Wi)), she cannot recover the plaintext from the ciphertext. Ci = Xi ⊕ Ti where Ti = <Si, Fki(Si)>
To compute Xi from Ci, we have to know Ti
Si can be computed easily
How about Fki(Si)? The problem is ki
To compute this, we have to know Ek”(Wi) for all i. Oops! If you know all of these, why do you need search?
Scheme IV: The Final Scheme .
Fix: Xi = Ek”(Wi) = <Li, Ri> where |Li| = n-m bits
Ti = <Si, Fki(Si)> where ki = fk’(Li) instead of fk’(Wi)
Scheme IV: The Final Picture
Figure: plaintext Wi → Ek”(Wi) = <Li, Ri>; ki = fk’(Li); ciphertext = Ek”(Wi) ⊕ <Si, Fki(Si)>, with Si from the stream cipher
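Scheme IV end to end, as an added example that is not part of the lecture: Alice encrypts a list of fixed-size words, hands Bob a trapdoor (X, k) for one word, Bob finds the matching positions without learning the word, and Alice decrypts everything back, which is exactly the step Scheme III could not do because ki was derived from all of Ek”(Wi) rather than from Li alone. The primitives are stand-ins chosen for the example: F, f and the stream cipher G are all truncated HMAC-SHA256 (G in counter mode), Ek” is a small HMAC-based Feistel network in place of a block cipher, n = 128 bits, m = 64 bits, and the words and keys are constructed.

```python
import hashlib
import hmac

N = 16   # n bits, as bytes: word length
M = 8    # m bits, as bytes: MAC length; N - M is the length of Si and of Li


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, data: bytes, out_len: int) -> bytes:
    """Truncated HMAC-SHA256, playing F (the MAC), f (key derivation) and the stream cipher G."""
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]


def stream_block(stream_key: bytes, i: int) -> bytes:
    """Si: i-th (n-m)-bit output of G, modelled as a PRF in counter mode (an assumption)."""
    return prf(stream_key, i.to_bytes(8, "big"), N - M)


def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Ek'' and its inverse: a 4-round Feistel network with HMAC round functions,
    a stand-in for any deterministic block cipher (the scheme does not fix one)."""
    left, right = block[:N // 2], block[N // 2:]
    if decrypt:
        left, right = right, left
    for r in (range(3, -1, -1) if decrypt else range(4)):
        left, right = right, xor(left, prf(key + bytes([r]), right, N // 2))
    if decrypt:
        left, right = right, left
    return left + right


def encrypt_words(words, stream_key, k_prime, k_dprime):
    """Alice: Ci = Xi xor Ti with Xi = Ek''(Wi) = <Li, Ri>, Ti = <Si, F_ki(Si)>, ki = f_k'(Li)."""
    cts = []
    for i, w in enumerate(words):
        x = feistel(k_dprime, w)            # Xi = Ek''(Wi)
        k_i = prf(k_prime, x[:N - M], 16)   # ki = f_k'(Li): depends on Li only (the Scheme IV fix)
        s_i = stream_block(stream_key, i)   # Si
        t_i = s_i + prf(k_i, s_i, M)        # Ti = <Si, F_ki(Si)>
        cts.append(xor(x, t_i))             # Ci = Xi xor Ti
    return cts


def trapdoor(word, k_prime, k_dprime):
    """Alice's query for W: (X, k) with X = Ek''(W) and k = f_k'(L), L the first n-m bits of X."""
    x = feistel(k_dprime, word)
    return x, prf(k_prime, x[:N - M], 16)


def search(cts, x, k):
    """Bob: position i matches iff Ci xor X has the form <s, F_k(s)>; he never sees W."""
    hits = []
    for i, c in enumerate(cts):
        t = xor(c, x)
        s, tag = t[:N - M], t[N - M:]
        if hmac.compare_digest(prf(k, s, M), tag):
            hits.append(i)
    return hits


def decrypt_words(cts, stream_key, k_prime, k_dprime):
    """Alice: Li = Ci[:n-m] xor Si is enough to rebuild ki, hence Ti, hence Xi and Wi."""
    words = []
    for i, c in enumerate(cts):
        s_i = stream_block(stream_key, i)
        l_i = xor(c[:N - M], s_i)
        k_i = prf(k_prime, l_i, 16)
        t_i = s_i + prf(k_i, s_i, M)
        words.append(feistel(k_dprime, xor(c, t_i), decrypt=True))
    return words


if __name__ == "__main__":
    words = [w.ljust(N, b"\0") for w in (b"alice", b"bob", b"alice", b"carol")]   # constructed
    keys = (b"stream-key", b"k-prime", b"k-double-prime")                          # constructed
    cts = encrypt_words(words, *keys)
    x, k = trapdoor(words[0], keys[1], keys[2])
    print("positions of the queried word:", search(cts, x, k))   # [0, 2]
    print("round trip ok:", decrypt_words(cts, *keys) == words)
```

A non-matching position passes Bob's test only if a random 64-bit tag collides, so false positives occur with probability about 2^-m per position; Bob also learns which positions share the queried word across queries, which is the access-pattern leakage the scheme accepts by design.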
Terms Revisited
Ubiquity - Who has access to my resources and services? Issues for confidentiality, authorization, and access control.
Augmented Reality – How do we augment our risk management strategies to match augmented reality? Furthermore, can we exploit augmented reality in risk management?
Context Awareness - Who else knows where I am and what’s going on around me? Matters for privacy and controlled information access including and beyond location.
Invisible Computer - Who am I interacting with and when? Defining suitable authentication and trust frameworks for ubiquitous computing.
Smart Items - But they’re so small, can they protect themselves and who owns these things anyway? Analysis and classification of existing micro crypto-algorithms, as well as issues surrounding ownership, accountability, and non-repudiation.
Mobility and Portability – What happens to “end-to-end” security? Charting of IT landscapes and architectures representative of ubiquitous computing, and specification of goals for security.
Security versus the Disappearing Computer – How do we manage the tradeoffs presented here? How are the novel disappearing computer interaction substrates maintained when security is introduced?
Management of Augmented Environments – Identification of the management issues for ubiquitous systems and proposals for tools and utilities.
Social Awareness, Legislation and Education – Agreement on what message is to be delivered to society regarding security in ubiquitous computing environments, and how.