Download ppt - Security and Privacy 세종대학교 컴퓨터공학부 권 태 경. Contents Introduction Security and privacy? Some related topics Authentication and Access Control Identity

Security and Privacy

세종대학교 컴퓨터공학부권 태 경

Contents

Introduction Security and privacy? Some related topics

Authentication and Access Control Identity Management and HCI

RFID Security Blocker Tag

MANET Security General Concepts

Database Security Search on Encrypted Data

Terms Revisited

Introduction

What is Ubiquitous Computing?

“Wirelessly networked processors embedded in everyday objects”

Smart environments characterized by: Transparent interaction Automated capture Context awareness Proactive and reactive

Example projects AT&T Active bat/badge, HP Cooltown, Microsoft

Aura, Intel Place Lab and PersonalServer EQUATOR

At UC Berkeley

WEBS (http://webs.cs.berkeley.edu)

WEBS(Wireless Embedded Systems)

WEBS(Wireless Embedded Systems)

NEST(Network Embedded System Technology)

NEST(Network Embedded System Technology)

SesnorWebsSesnorWebs Smart DustSmart Dust

Where Do We Currently Stand?

Ubiquitous devices (always “at hand”): Mobile phones, Personal Digital Assistants, Laptops, etc. Computationally bounded Limited battery

Ubiquitous networks (always available): (W)LAN/MAN (Ethernet & IEEE 802.11) GSM/GPRS/3G PANs (Bluetooth, IrDA, AudioNet etc.)

Ubiquitous services Currently mostly “location-based”

Paradigm Shift

From Resource-Centric to User-Centric

Past Super DistributionSuper Distribution

Are the clients satisfied?

Please give me…

Servants for human and society.

Java

I like…

-Logic-aware-Resource centered

-Context-aware-Resource distributed

Resource

So What?

Ubiquitous / pervasive computingAccess to services and information

ANYWHERE and EVERYWHERESecurity and privacy infringement

ANYWHERE and EVERYWHERE

UbiComp Pervasive disclosure of user information

Security and Privacy?


The “Old Model” – a CastleSecurity perimeter, inside and outsideFirewalls for access controlStatic security policyStatic trust modelTendency to focus on network layer

Pre-evaluated, non- or slowly-evolving threat model.


Confidentiality/Secrecy The assets of a computing system are accessible only by

authorized parties Preventing unauthorized disclosure

Secrecy Issue Privacy Issue

Integrity The assets of a computing system can be modified only by

authorized parties or only in authorized ways Preventing unauthorized modification

Availability The assets of a computing system are accessible to authorized

parties Preventing denial of authorized access

Source Destination

Normal Flow

Source Destination

Interruption: Availability

Source Destination

Interception: Confidentiality

Source Destination

Modification: Integrity

Source Destination

Fabrication: Authenticity

UbiComp Characteristics Billions of potential subjects Continual change in network configuration Frequent disconnection An absence of known online servers in many

environments Most likely absence (or unavailability) of administrators Limited capabilities and power of small smart

appliances Privacy concerns, i.e. “big brother” or ubiquitous

surveillance Physical tamper resistance of smart devices

themselves …

Security and Privacy!

The “New Model” which is flexible, adaptable, robust, effective and un-obtrusive


Authenticationsecure transient associationsproximity

Recognition vs. Authenticationactivities/behavioursituation interpretation

(Dynamic) Identity Management (Dynamic) Group Management


Confidentialityeavesdropping on wireless links not a major

issuedevice capabilities (processor, battery etc.)confidentiality of data and meta data on devices

real problem Integrity

again, not messages in transit but devicestamper resistance/evidence


Availability jamming communications channelssleep deprivation

Dynamic Trust Model localized decisionscontext aware

Context-awarenessGeneralised RBACLocation-based access control


Security policiesprevent formation of “evidence”:

forming a link between contexts, objects, users and objectives.

e.g. number, “credit card”, “foo bar”, credit limit

Location information privacyOne of the burning issues

Authentication and Access Control

Authentication

Ambient intelligent environments : roaming digital entities, most likely presence of strangers

Collaboration with most likely unknown entities: enrolment needed for authentication is missing

Identity in absolute terms is less meaningful than recognition of previous interaction to choose whether to collaborate or not

New requirements lead to new schemes, e.g. the Resurrecting Duckling security model [StajanoAnderson1999]

Any identifier can work as long as it allows for referencing the entity involved

Authentication: subset of recognition

recognition

patterns

IP address

authentication

duckling

Kerberos

PKI Windows login

location

Authentication/Recognition comparison

Authentication Process (AP) Entity Recognition (ER)

A.1. Enrolment: generally involves an administrator or human intervention

A.2. Triggering: e.g., someone clicks on a Web link to a resource that requires authentication to be downloaded

E.1. Triggering (passive and active sense): mainly triggering (as in A.2.), with the idea that the recognizing entity can trigger itself

A.3. Detective work: the main task is to verify that the prinicpal’s claimed identity is the peer’s

E.2. Detective work: to recognize the entity to-be recognized using the negotiated and available recognition scheme(s)

E.3. Retention (optional): “preservation of the after effects of experience and learning that makes recall or recognition possible” [MerriamWebster]

A.4. Action: the identification is subsequently used in some ways. Actually, the claim of the identity may be done in steps 2 or 3 depending on the authentication solution (loop to A.2.)

E.4. Action (optional): the outcome of the recognition is subsequently used in some ways (loop to E.1.)

User: Kreutzer, MichaelAccess: 09:20Withdraw: € 500


User: Kreutzer, MichaelAccess: 10:21Using: Bus #10

User: Kreutzer, Michael Access: 09:20Withdraw: € 500

User: Kreutzer, MichaelAccess: 10:21Using: Bus #10

User: Kreutzer, MichaelAccess: 11:42Query: „Privacy+NSA“

Library Client Profile

Bruce Schneier

Date: 24.03.02Time: 11:42Query: Location

TrafficSystem Client Profile

Bruce Schneier

Date: 24.03.02Time: 10:21Using:Bus #10

Exit: Stop#11


Bruce Schneier


Exit: Stop#11


Bruce Schneier


Exit: Stop#11

Bank Client Profile

Bruce Schneier

Date: 24.03.02Time: 09:20Withdraw: 10032

Quit: 09:42

Bank Client Profile

Bruce Schneier


Quit: 09:42


User: Kreutzer MichaelAccess: 10:21Using: Bus #10

User: Kreutzer, MichaelAccess: 11:42Query: „Privacy+NSA“

General Person Profile

Bruce Schneier

Date: 24.03.02Time: 11:42Location:BusExit: Stop#11


Bruce Schneier



Bruce Schneier



Bruce Schneier



Michael Kreutzer

Date: 24.03.02Time: 11:42Location:LibraryQuery:Privacy+ NSA


Michael Kreutzer

Date: 24.03.02Time: 11:42Query:Privacy+

NSA


Michael Kreutzer


Exit: Stop#11

Bank Client Profile

Michael Kreutzer


Quit: 09:42

The Problem: Prevention of User Profiling Conditions:

Ad Hoc => Constantly changing networks/services

Mobile => Constantly changing location

Fully automatic authentication requests from

the environment

Linkability of the device!

Identity Management

Shopping

Willi Webster

Public Authority

Leisure

Anonymous

Name:Willi Weber

Credit Card: VISACard #: 9988 7766 5544Valid until:01.01.2003

Address:Street: Friedrichstr. 50ZIP-Code: 79098City: Freiburg

Birthday: 11.07.1974Place of Birth: Paris

Hobbies:Swimming, Books

Identity

Nickname: WebsterSociety: Friends of Privacy Berlin e.V.

Identity Management

Identity Management

ContextSensors

Servicesand

Applications

Banking

Shopping

HomeAutomation

...

ContextSensing

Choice ofIdentity

Configurationof Services

Rules Identities

Filter

Identity: Anonymous

Name: Michael KreutzerAccount#: 12927382

Identity: Bank Client


Ticket #: 23882

Identity: Bus

Ticket#: 23882Access: 10:21Using: Bus #10

Bus


Identity: Anonymous


Bus

User: AnonymousAccess: 10:21Query: Privacy+NSA



Bus

User: AnonymousAccess: 10:21Query: Privacy+NSA


Bank Client Profile

Bruce Schneier


Quit: 09:42

Bank Client Profile

Bruce Schneier


Quit: 09:42

Bank Client Profile

Michael Kreutzer


Quit: 09:42


Anonymous

Date: 24.03.02Time: 11:42Query: Crypto


Anonymous

Date: 24.03.02Time: 11:42Query:Privacy+ NSA

? TrafficSystem Client Profile

Ticket #23882


Exit: Stop#11

Bus


Ticket #5321


Exit: Stop#123

Bus


Ticket #12321


Exit: Stop#5

Bus

Role Based Access Control ( RBAC ) Rights are associated with pre-defined roles, and

not with users. Roles can change in different environments, while

user remains the same context – dependent semantics !

Rules for assigning roles are the main access control mechanism

Dynamic creation of roles is possible, based on inferences

Drawback : dynamic delegation of rights not possible

Security Aware Computing

Security Aware

SituationAware

“Context awareness”“Smartness”“Automation"

Environment,User,

Device

Privacy,Trust,

Access control

Context Awareness Model

- P r o f ile & c o n tex t- S en s in g- E x c h an g e

- S ec u r ity- Au th en tic ity- Ac c o r d an c e

- C o n tex t- aw ar e ac tio n- I n te r ac tio n- Ad ap ta tio n- C o m m u n ic a tio n

A qu is it io n

1 s t p h as e 3 rd p h as e2 n d p h as e

Ev a lu a t io n Trig g e rin gC o n tex t- aw ar en es sin

p er v as iv ec o m p u tin g

Hu m anp er c ep tio np r o c ed u r e

" S e e M r. J o h n s o n a n dh e a r h is v o ice ."

" I k n o w h e is M r. J o h n s o nfro m h is fa ce a n d v o ice ." " G re e t h im !"

H e llo !

Context Awareness Model

E 1

E 2

E k

Ac q u is it io n( s en s io n g ,

tr an s ac tin g ,e tc . )

T r ig er in g

f 1

f 2

f 3

f 4

d 1

d 2

d 3

d 4

C o n tex t p r o v id erc o n tex t

P r o v id er d ec is io n N etw o r k

( 1 ) ( 2 )

C las s if ie r S e lec to r

C( c o n tex t s e t)

w 1

w 2

w 3

c 1

c 2

c k

...E v alu a tio n

...

( 6 )

C o n tex t ac q u ir e r ev a lu a tio n( 5 )

P r o v id er p o lic yN etw o r k c o n tex t,

d ev ic e c o n tex t ,ac q u ir ed c o n tex t , e tc .

P r o b lem s p ac e

( 3 ) ( 4 )

C o n te x t pro v ide r C o n te x t a cqu ire r

Security vs. HCI

How does Security affect the user-friendliness of UbiComp?

Can security be achieved without explicit interaction?

RFID Security

RFID Tags Everywhere

500 Eurosin wallet

Serial numbers:597387,389473

…

Wigmodel #4456

(cheap polyester)

30 items of lingerie

Das Capital and Communist-

party handbook

Replacement hipmedical part #459382

Simple Approaches to Privacy

Method 1:Place RFID-tagsin protective meshor foil

Problem: makes locomotiondifficult… perhapsuseful for wallets

Simple Approaches to Privacy

Method 2:“Kill” RFID tags

Problem: RFID tags aremuch too useful…

One Example

European Central Bank has announced plans to implant RFID tags in banknotes by 2005

• Uses?– Anti-counterfeiting

– Tracking of illicit monetary flows

Privacy Infringement

More efficient mugging“Just in case you want to know, she’scarrying 700 Euro…”

• Fairly easy tracking of people and transactions by anyone!• Law-enforcement snooping capabilities made freely

available

External re-encryption

To thwart tracking, appearance of ID should change

RFID tags have too little computational power to generate new IDs

Key idea: Periodically change ID by performing public-key cryptographic operations (re-encryption) in external privacy agent

E[ID]E[ID]

Cryptography performed by external privacy agent (e.g., reader)

Some other technical challenges How do we ensure that banknote is

accessed only by valid privacy machine? Require optical scan for changes to banknotes – Writing can be restricted; reading is still easy

How do we ensure that privacy machine did its job properly? Cryptographic tricks: Special composition of

ciphertexts

Pseudonym management

RFID tag contains a number of pseudonyms Every time it is queried, tag releases a

different pseudonym

“74AB8”“9JHHS”“LI7YY”

Pseudonym management

What if attacker makes rapid-fire queries? Tag will run out of pseudonyms!

Therefore: Tag has built-in delay to prevent rapid querying Special key-management techniques to permit

valid reader to refresh pseudonyms Easy compliance with existing standards As an extra benefit, pseudonym

management also strengthens authentication

Blocker Tag

Blocker simulates all (billions of) possible tag serial numbers!!

1,2,3, …, 2023 pairs of sneakers and…(reading fails)…

Blocker Tag

“Tree-walking” protocol for identifying RFID tags

000 001 010 011 100 101 110 111

00 01 10 11

0 1

?

In a nutshell “Tree-walking” protocol for identifying

tags recursively asks questions: “Is there a tag whose next bit is a ‘1’? “Is there a tag whose next bit is a ‘0’?

Blocker tag always says yes to both questions Makes it seem like all tags are present Thus reader cannot figure out which tags are

actually present Number of possible tags is huge (at least a

billion billion), so reader stalls

Two bottlesof Merlot#458790

Blocker tag system should protect privacy but stillavoid blocking unpurchased items

Blocking with privacy zones

000 001 010 011 100 101 110 111

00 01 10 11

0 1

Transfer to privacy zoneon purchase of item

Privacy zone

More about blocker tags

Blocker tag can be cheapEssentially just a “yes” tag and “no” tag

with a little extra logicCan be embedded in shopping bags, etc.

With multiple privacy zones, sophisticated, e.g., graduated policies are possible

MANET Security

Mobile Ad-Hoc Networks

Collection of wireless mobile hosts forming a temporary network

No fixed network infrastructure No (or limited) organization

Military and Emergency Sensor Networks Civilian applications, ubiquitous computing

Dynamic Configuration

When D moves out of A’s radio range, the link is broken. However, the network is still connected, because A can reach D through C, E and F

Trust in MANET

Managed environment A-priori trust Entity authentication ⇒ correct operation But: requirement for authentication infrastructure

Open environment No a-priori trust authentication does not guarantee correct operation

New security paradigm

Node Misbehavior

Selfish Nodes Do not cooperate Priority: battery saving No intentional damage

to other nodes. Exposure:

passive denial of service black hole idle status

Malicious Nodes Goal: damage to

other nodes Battery saving is not

a priority Exposure:

active attacks denial of service traffic subversion attacks exploiting the

security mechanism

MANET Requirements Wireless & Mobile

Limited energy Cooperation enforcement

Lack of physical security

Secure Routing Ad Hoc

No (or limited) Infra (Lack of organization) Key Management

Secure Routing - Objectives

Authentication (Integrity) of routing information

Entity authentication Source Destination Intermediate node

Correct behavior (of algorithm, if any)

Asymmetric vs. Symmetric Crypto Pro-active vs. Reactive routing protocols

Sensor Network?

Sensor An electronic device used to measure a physical quantity

such as temperature, pressure or loudness and convert it into an electronic signal of some kind (e.g a voltage).

A device that produces a measurable response to a change in a physical condition such as temperature or to a chemical condition such as concentration

Sensor Network Technical Challenges Energy constraints Level of dynamics (obstacles, weather, terrain, large number

of nodes, failures, captures.) Scaling challenges

Current Applications

monitor factory instrumentation, pollution levels freeway traffic the structural integrity of buildings Other applications

climate sensing control in office buildings home environmental sensing systems for

temperature, light, moisture, and motion.

Some Sensor Network

Sensor Network Limitations

No PKC! Node capture Lack of a-priori knowledge of post-

deployment configuration (Airplane) Limited memory resources Limited bandwidth and transmission power Over-reliance on base stations exposes

vulnerability

Sensor Nodes Compromise

Why compromise? Each node: a potential point of attack

impractical to monitor and protect each individual sensor Dispersed over a large area Attackers obtain own commodity sensor nodes Attacker can claim multiple identities for an altered node.

Consequence of compromise? falsification of sensor data extraction of private sensed information from sensor network

readings denial of service

Tamper-resistant: too expensive

Eavesdropping

Wireless = insecurity a few wireless receivers outside a house might be able to

monitor light and temperature readings of sensor networks inside the house

Encryption Good! Using which key? Requirement for key management

maintain secrecy even when an adversary compromises a few sensor nodes

Ideally, revocation of known exposed keys and rekey end-to-end encryption impractical

hop-by-hop encryption: each sensor node stores only encryption keys shared with its immediate neighbors.

Privacy

Adversaries can use data to derive sensitive info if they know how to correlate multiple sensor inputs.

More serious problem they make large volumes of information easily available

through remote access. (on purpose also) A Step toward

Ensuring that sensed information stays within the sensor network, accessible only to trusted parties

restrict the network’s ability to gather data at a detail level that could compromise privacy

Database inference problem Privacy preserving data mining

DoS

Defending against DoS is extremely difficult Can occur at the physical layer, via radio jamming. malicious transmissions into the network to interfere with

sensor network protocols Attackers can induce battery exhaustion: by sending a useless

communications that the target will expend energy processing and may also forward to other nodes

create routing loops that will eventually exhaust all nodes Message authentication based on PKC

highly computationally intensive attackers that can induce a large number of these can mount

an effective energy-exhaustion attack.

Database Security

Database Security

Issues Inference

occurs when users are able to piece together information at one security level to determine a fact that should be protected at a higher security level

Access controlEncrypted computation

Searches on Encrypted Data

Examples Mail Server

Fully trusted, i.e. sys admin can read my e-mail Can build secure storage

But need to sacrifice functionality

Moving the computation to the data storage seems to be very difficult

For example, how to search encrypted data?

Notations

Si : i-th stream from stream cipher G, n-m bits

Wi : i-th word, n bits

Ci : i-th cipher text, n bits

: Bitwise exclusive-or

Fk (x): MAC of x using key k, m bits output

Scheme I: Basic scheme

To search W Alice reveals {ki | where W may occur} Bob checks if Wi Ci is of the form <s,FKi(s)> for some s

For unknown ki, Bob knows nothing To search W, either

Alice reveal all ki, or Alice has to know where W may occur

Wi

Si FKi(Si)

F Ki

Plaintext

Stream Cipher

ciphertext

Scheme II: Controlled search .

Replace ki = f k’ (Wi) where k’ is secret, never revealed f is another MAC with output size = | ki |

Reveal only f k’ (W) and W

Bob identifies only location where W occurs

But reveals nothing on the locations i where W != Wi

Still does not support hidden search

Scheme III: Hidden Searches .

Ek”(Wi)

Si FKi(Si)

F Ki

Plaintext

Stream Cipher

ciphertext

Wi

E k”

Scheme III (Cnt’d)

Let Xi := Ek” (Wi)

After the pre-encryption, Alice has X1, … , Xl

Same as before, Ci = Xi Ti where Xi = Ek” (Wi)

Ti = < Si, Fki (Si) >

To search W, Alice queries (X, k) such that X := Ek”(W) and k := fk’(X)

A problem of Scheme III

Scheme III has a problem… Guess what?

If Alice generates ki = fk’(Ek”(Wi)), she cannot recover

the plaintext from the ciphertext. Ci = Xi Ti where Ti = < Si, Fki (Si) >

To compute Xi from Ci, we have to know Ti

Si can be computed easily

How about Fki (Si)?

The problem is ki

To compute this, we have to know all Ek”(Wi) for all i Ups! If you know all of these, why do you need search?

Scheme IV: The Final Scheme .

FixXi = Ek” (Wi) = < Li, Ri > where |Li|=n-m

bitsTi=< Si, Fki (Si) > where ki=f k’(Li) instead

of f k’(Wi)

Scheme IV: The Final Picture

Ek”(Wi)

Si Fki(Si)

F Ki

Plaintext

Stream Cipher

ciphertext

Wi

E k”

Li

f k’k i

Terms Revisited Ubiquity - Who has access to my resources and services? Issues for confidentiality, authorization,

and access control. Augmented Reality – How do we augment our risk management strategies to match augmented

reality? Furthermore, can we exploit augmented reality in risk management? Context Awareness - Who else knows where I am and what’s going on around me? Matters for

privacy and controlled information access including and beyond location. Invisible Computer - Who am I interacting with and when? Defining suitable authentication and trust

frameworks for ubiquitous computing. Smart Items - But they’re so small, can they protect themselves and who owns these things

anyway? Analysis and classification of existing micro crypto-algorithms, as well as issues surrounding ownership, accountability, and non-repudiation.

Mobility and Portability – What happens to “end-to-end” security? Charting of IT landscapes and architectures representative of ubiquitous computing, and specification of goals for security.

Security versus the Disappearing Computer – How do we manage the tradeoffs presented here? How are the novel disappearing computer interaction substrates maintained when security is introduced?

Management of Augmented Environments – Identification of the management issues for ubiquitous systems and proposals for tools and utilities.

Social Awareness, Legislation and Education – Agreement on what message is to be delivered to society regarding security in ubiquitous computing environments, and how.