7/29/2019 Mobile and wireless security
1/47
Introduction
The mobile wireless future is here, but security is not ready for it
Cell phones, laptops, RFID and applications are built around mobility
Unfortunately, existing security is not enough to secure mobile wireless networks
Techniques available: cryptography, VPNs and digital authentication
These are not sufficient to solve the security problem
-
Introduction
The first worm designed to move from desktop machines to cell phones was recently discovered
There have been recent cases in Afghanistan of bazaars selling stolen flash drives filled with classified data
Providing security for mobile wireless is difficult
Mesh networks and MANETs are known to pose challenges to secure operation that we cannot properly address today
The extreme constraints of sensor networks that rely on wireless communication make many security solutions infeasible
The scale and openness of proposed ubiquitous computing environments pose tremendous challenges to security
-
Introduction
The loss of privacy enabled by cell phones, Bluetooth and WiFi laptops, and RFID affects all of us
Simple solutions are required to control anonymity while guaranteeing accountability
Security for this future world cannot depend on manual configuration, deep understanding of security threats, or reactions to ongoing problems by humans working with the system
We must move to a future where devices and networks are secure on their own, without ongoing human supervision
These dangers motivated NSF to fund this study
Based on leading researchers, NSF sponsored WSPWN
-
State of the art
Much of the work has already been done in cryptography
It is useful in the wireless domain
We already know how to maintain the privacy of data sent over wireless networks, how to detect alterations of such data during transmission, and how to determine the authenticity of messages
Many devices in wireless networks are battery powered, so they have limitations such as limited processing capacity, memory and secondary storage
Years of research on cryptography for low-power devices have not succeeded in finding algorithms, and no techniques exist to convert existing algorithms to low-powered variants
-
State of the art
What cryptography offers to mobile devices
Sensitive data on lost laptops and flash drives is kept in encrypted form
Research has been done on ensuring that a mobile device's authorized user can get the data
If keys are stored insecurely, the security offered by cryptography fades away
Loss of key = loss of stored data
-
State of the art
Other security solutions
Firewalls act as a network perimeter
Users send their data through an access point even when the receiver is in direct radio range
The access point is a location to put a perimeter defense
Personal firewalls protect a single computer from threats wherever it is and whatever technology it is using
Methods used to evaluate the security of wired environments can be extended to evaluate the security of wireless ones
Tools that work on a single machine, like virus detection software, will be useful for single machines
However, intelligent application and useful technologies do not cover all security problems, and further research is needed
-
802.11 Wireless Networks (WiFi)
As the available bandwidth and deployment of wireless networks increase, we can expect to see new challenges arise, such as DoS attacks, stealthy spread of worms and clever misuse of wireless networks
Privacy issues: privacy threats inherent in the wired Internet are going to become much worse in the mobile wireless future
It is easy to lose control of data whose confidentiality we wish to protect, because devices are so mobile.
-
802.11 Wireless Networks (WiFi)
Challenges for Standard Wireless Networks
Security Issues
Authentication
Encryption
Data Integrity
Outsider access, which needs strong protection
-
Security Solutions
WPA and WEP
Hacking into a wireless system is easy if encryption is not available
Install a firewall where the wireless and wired networks meet
Little is available to handle DoS attacks: future research
-
802.11 Wireless Networks (WiFi)
Wireless networks are useful but also pose greater challenges
Bandwidth in wireless networks for popular use is a topic for future research
Well-designed solutions for securing, mobilizing and managing wireless LANs should integrate seamlessly into existing enterprise network design and network management principles
-
3G Wireless Networks
Features of 3G
Huge capacity and broadband capabilities to support a greater number of voice and data transfers at a lower cost
Both voice and non-voice data at speeds up to 384 Kbps
Stealing cellular airtime by tampering with cellular NAMs
-
3G Wireless Networks
Ensuring safe and reliable interoperability of 3G and wireless LAN technologies
No well-defined security solutions
Threats to 3G and other wireless network technologies are active attacks on the radio interface between the terminal and the serving network
Attacks: attacks on wireless interfaces, attacks on wired interfaces, and attacks which cannot be attributed to a single interface
-
Challenges for Sensor Networks
Today's sensors are tiny micro-electro-mechanical devices comprising one or more sensing units, a processor, a radio transceiver and an embedded battery
Sensors are organized into a sensor network
Sensors and sensor networks are expected to be self-managing
Applications: military, medicine, environmental monitoring, disaster preparedness, etc.
-
Challenges for Sensor Networks
Because of the limited power of sensor nodes and the need for self-administration, a new class of network protocols and designs has been developed
Security solutions developed for wireless LANs are unusable for sensor networks
Research: use of sensor networks in mission-critical tasks
Security requirements: confidentiality, data integrity, data freshness, data authentication and non-repudiation, controlled access, availability and accountability
-
Challenges for Sensor Networks
Examples:
Cryptography and Key Management
Limited computation, memory and energy resources
Symmetric cryptography algorithms face challenges in key deployment and management
Asymmetric cryptography has higher computational and energy costs, which render it too expensive for many applications
A lower level of protection is acceptable
Research: matching the style and costs of cryptography to the needs of sensor networks
-
Challenges for Sensor Networks
Node integrity: nodes are easy to compromise due to physical access
Compromised nodes may compromise other nodes
Research: designing sensor network protocols that are tolerant to some degree of node compromise
Designing suitable methods for detecting compromised sensor network nodes and securely reconfiguring the network and application
-
Challenges for Sensor Networks
Scalability:
Sensor networks have thousands or more nodes
Security techniques are not designed to operate at the scale of sensor networks
Research: understanding the scaling costs of security algorithms
Designing high-scale security solutions for sensor networks
-
Challenges for Sensor Networks
Because of the limitations of sensor networks, a number of new security mechanisms, schemes and protocols need to be created
Different attacks on sensor networks can occur in different layers
Ex:
Physical layer: jamming the RF, tampering with the nodes
Data link layer: collisions, resource exhaustion and unfairness
Network layer: spoofing, data alteration, replays of routing information, selective forwarding, sinkhole attacks, white hole attacks, Sybil attacks, wormholes, HELLO flood attacks, insulation and corruption attacks, or ack spoofing
Transport layer: flooding and desynchronization
-
Security Approaches in Sensor Network
Cryptography and Key Management
Routing Security
Location Security
Data Fusion Security
Security Maintenance
-
Cryptography
Processing and power costs of performing cryptography, complexity of algorithms, and key distribution
Key distribution drains battery power
-
Routing Protocols
External threat: cryptographic schemes such as encryption and digital signatures
Internal threat: difficult, since detecting malicious information sent by a compromised node is a difficult task
Techniques developed for ad hoc networks rely on sharing information among many nodes over the course of time to detect cheating
The special resource constraints of sensor networks make such techniques unusable
Research: different styles of routing strategies
-
Location Security
Important when the proper behavior of a sensor network depends on knowledge of the physical location of its nodes
Small and accessible
Attackers may gain an advantage by knowing about location
-
Data Fusion
Saves energy in sensor networks
Data fusion: data is combined and forwarded
If any nodes are compromised, they can falsify not only their own data but also the fused data
Alternatives: collective endorsements to filter faults, voting mechanisms
Data aggregation: ciphertext in intermediate nodes
-
Detection of Compromised Nodes
The base station gathers information from sensors and processes it to find compromised nodes
Neighboring nodes cooperate to determine whether nearby nodes are behaving badly
Cooperative approach: statistical methods or voting methods are used to find compromised nodes
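A sketch of the base-station approach and the voting alternative for data fusion described above, written as an added example (not from the original slides): each round's readings are fused with a median after an outlier vote, and a node that is an outlier in most rounds is flagged as possibly compromised. The node ids, readings and thresholds are constructed, the median/MAD test is one common statistical choice assumed here rather than a method the slides name, and the base station is assumed to see raw per-node readings.

```python
from statistics import mean, median

# Constructed sample data: temperature readings (deg C) per reporting round.
# "n4" is the hypothetical compromised node; "n2" has a single honest glitch.
ROUNDS = [
    {"n1": 21.0, "n2": 21.4, "n3": 20.8, "n4": 35.0, "n5": 21.1},
    {"n1": 21.2, "n2": 21.5, "n3": 21.0, "n4": 5.0, "n5": 21.3},
    {"n1": 21.1, "n2": 24.9, "n3": 20.9, "n4": 40.0, "n5": 21.2},
    {"n1": 21.3, "n2": 21.6, "n3": 21.1, "n4": 21.2, "n5": 21.4},
]


def outliers(readings, k=3.0, floor=0.5):
    """Node ids whose reading lies more than k scaled MADs from the median."""
    med = median(readings.values())
    mad = median(abs(v - med) for v in readings.values())
    # 1.4826 scales the MAD to a standard deviation for normal data; the
    # floor keeps the limit sane when honest readings are almost identical.
    limit = k * max(1.4826 * mad, floor)
    return {node for node, v in readings.items() if abs(v - med) > limit}


def naive_fuse(readings):
    """Plain averaging: one falsified reading shifts the fused value."""
    return mean(readings.values())


def robust_fuse(readings):
    """Median of the readings that survive the outlier vote."""
    bad = outliers(readings)
    return median(v for node, v in readings.items() if node not in bad)


def suspected_nodes(rounds, min_fraction=0.5):
    """Nodes that were outliers in more than min_fraction of the rounds."""
    counts = {}
    for readings in rounds:
        for node in outliers(readings):
            counts[node] = counts.get(node, 0) + 1
    return {n for n, c in counts.items() if c / len(rounds) > min_fraction}


if __name__ == "__main__":
    first = ROUNDS[0]
    print("naive fusion :", round(naive_fuse(first), 2))
    print("robust fusion:", round(robust_fuse(first), 2))
    print("suspected    :", sorted(suspected_nodes(ROUNDS)))
```

Requiring a majority of rounds before flagging a node keeps a single glitch (n2 in the third round) from being treated as compromise, while the falsifying node is still caught even though it reports a plausible value in the last round.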
-
RFID Tags
Sensing uses passive or reactive power-free nodes
Readers are needed to power up sensors
Research: security
-
Challenges for Mesh and Adhoc Networks
No fixed infrastructure like wired networks
A group of wireless devices organized in a multihop fashion
Sometimes connects to a traditional network, sometimes standalone
Mesh network: less mobile nodes
Ad hoc network: frequent mobility
Challenges: security and privacy
-
Challenges for Mesh and Adhoc Networks
Cooperation among all nodes is required
No particular reason to trust
All nodes send their own messages, receive messages and forward messages
Routing protocol security based on trust will not work
Mobile nodes run on battery, so there is a chance of attacks on the energy usage of nodes
Location-based attacks
-
Challenges for Mesh and Adhoc Networks
In addition to routing, nodes need to rely on untrusted peers for other network services
Ex: DNS
Research: DNS, QoS and ICMP; designing distributed applications
Ad hoc network scenarios
Military, disaster relief and infrastructure protection
-
Challenges related to Mobility
Many mobile computing scenarios do not involve wireless communications
An office laptop will be connected to the home DSL
Mobile devices are often stolen
Stolen pen drive
Laptop stolen from an airport, coffee shop or bus (the data carried becomes a risk)
Conventional solution: cryptography
Problem: key management
If the key is stored on the machine and readily available, then cryptography is of little value
Usability of encrypted data
-
Challenges related to Mobility
Technology development: increasing disk size (once stored, data remains forever)
Human user remembers to clear private data
If the device is stolen, a vast amount of data will be lost
Can technology offer any solutions?
An automated system could delete, move or encrypt old, unaccessed data on a laptop
If so, how, which and when?
If it is deleted, how can we be certain we have not lost any data?
If it is moved, where to?
If it is encrypted, then with what key? How does the user recover it?
-
Challenges related to Mobility
Mobile computers enter environments that are neither under the control of their owner nor under the control of people the owner trusts
Desktop machines are protected by the company
But laptop computers are protected only up to the door of the company
Why should the user trust a coffee shop or Internet café?
-
Challenges related to Mobility
Features offered by mobile computing
A group of users who congregate in a physical place can use their devices to interact
Share their data
Pool their computing, storage and communications resources
Set up temporary applications related to their joint presence in a particular place for a particular period of time
Learn about each other
Foster social interactions in many ways
-
Challenges related to Mobility
For a security professional, it is a disaster
How can he limit the damage while social interactions take place?
These devices interact with a large number of users they might never have seen before and will never see again
This ubiquitous environment should protect itself against malicious users
How can we figure out who is responsible for bad behavior?
-
Challenges related to Mobility
User control of the flow of data
How to formulate a trust model for a ubiquitous and dynamic environment
Trust formulation
The user trusts the Internet but does not trust the wireless network
If data travels over an untrusted network, is there a special way to control data flow?
Trust formulation must take into account the possible malicious behavior of participating hosts
Location privacy: when analyzing the kinds of risks devices face as they move from place to place in a ubiquitous environment, style and movement have an effect
-
Challenges related to Mobility
Data on real movement of users in wireless
environments is available
But more is needed, both for general mobility
research and for mobile security research.
In addition to raw data, we need realistic, but
usable, models of mobility to drive
simulations and to test new mobile security
technologies
-
Security for new/emerging wireless technologies
New wireless technologies
Underwater sensors
Changes in spectrum allocation that open new bandwidth for public use
Free-space optical networks under development
These networks are different from existing wireless networks
Security challenges are different
NSF should urge researchers in network security
-
General Recommendations for Research
Many papers describe security for ad hoc networks
Little or no experience in countering such attacks
There are no secure wireless ad hoc networks; that is where earlier research failed
All research not based on reality
Research is based on analysis and simulation
Many algorithms are never implemented in real environments
In wireless, the reality observed is often not like the models used in much research
Models of mobility used in research are too simplistic and have no grounding in the actual behavior of users and other entities
-
General Recommendations for Research
Most of the research was done when the mobile and wireless environment really was the future
There were often few or no suitable networks to test
Early researchers relied on simulation and, to a lesser degree, analysis
But that time has passed
There is no great barrier today to creating a wireless network
-
General Recommendations for Research
All laptops come with one or more forms of wireless communications
People have become mobile computer users
Future research should be based on realism
Simulation should be used as one method of evaluating a system, not as the only method
Most attention should be paid by researchers to the realities of what is actually happening every day
Most research should result in working prototypes
Most research should make use of either live tests or modeling based on the observed behavior of real users and systems working in the targeted environment
-
General Recommendations for Research
NSF cannot abandon deep theoretical research
More emphasis should be placed on solving privacy and security problems that we cannot solve in real networks
This is based on pure practical necessity
-
General Recommendations for Research
The mobile and wireless environment is not secure now and will not become more secure unless research is done in suitable ways
Priority must be given to work that will improve security
The recommendation of realism extends further, favoring system development and real-world testing
NSF should encourage research that addresses security problems that are actively exploited today
Tools that help researchers build and test their privacy and security solutions for realistic environments are valuable
-
General Recommendations for Research
This is not intended to shut down theoretical research
There must always be room for a research program that is bold and visionary, but we must also consider that there are dangerous problems with systems that we have literally today
This recommendation must be balanced by industry
Problems that are causing large companies to lose money are to be addressed
Problems whose solutions can lead to profitable products are sources for industry funding
Problems whose solutions are mandated by the laws of the US and influential nations are addressed by industry
-
General Recommendations for Research
Much industry research is private and secret, but there is value in supporting publicly available research
NSF should prioritize research funding for privacy and security in mobile and wireless environments in the following ways:
-
General Recommendations for Research
a) Fund projects that offer good possibilities to solve problems that have been observed in real world situations.
b) Fund projects that propose to build systems that will, at least in a proof-of-concept fashion, demonstrate such problems being directly and successfully addressed.
c) Fund projects that improve our knowledge of how people move and what computing and networking operations they perform when they move, particularly taking privacy and security issues into consideration.
Many privacy and security solutions cannot be realistically tested without such knowledge, and industrial research of this kind is usually not made available to the general research community.
-
General Recommendations for Research
NSF calls attention to certain known problems in the areas of privacy and security for mobile and wireless networks.
Other problems are on the horizon
Those problems are:
a) Protecting a network against malicious software
b) Allowing a mobile user to gain effective control over the privacy of his movements and activities in the various places he visits.
-
General Recommendations for Research
c) Ensuring that a sensor network provides the best possible information for the longest possible period of time in situations where opponents can either disable or compromise some of its nodes.
d) Allowing a ubiquitous environment in a typical home to be sufficiently secure for normal users' purposes without requiring any but the most minimal actions on the part of such users.
e) Designing self-healing mobile and wireless network systems and mechanisms that support self-healing.
f) Finding efficient application level techniques that minimize the cryptographic overhead when the system is not under attack.
-
General Recommendations for Research
g) Protecting sensitive or classified data in mobile wireless networks operating in extreme conditions, such as disaster relief or military situations.
Homeland Security requires such protection because today's terrorist is, unfortunately, a good hacker