Security in Mobile Networks
By Bhongiri Anand Raj, Venkat Pavan Ravilisetty, Naga Mohan Madineni

Post on 20-Dec-2015


Introduction

Mobile communication provides broad wireless connectivity in today's world, enabling mobility and computing in different communication environments.

In traditional e-commerce, due to a lack of security, fraud is seen as the major obstacle for people.

Web browsers and servers are enabled to use public key infrastructures for cryptographic key distribution and use protocols such as SSL.

Need to ensure that the client and server sides are not ignored.

By installing firewalls and intrusion detection systems, activity on the systems can be traced.

Flexibility and functionality are key factors for creating successful e-commerce applications.

Some of the mechanisms in communication security are:

- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Location of the communication

The location of the communication, and whether communication is taking place at all, are among the things that may need to be kept private. Confidentiality of traffic, location and addresses in a mobile network will depend on the technology used.

Depending on the protocols used, the types of authentication vary.

For example, SSL has four different types of authentication:

- Server authentication
- Client authentication
- Both client and server authentication
- No authentication, providing only confidentiality

Different groups attach different importance to authentication. For example:

- Network operators are interested in authenticating the users for billing purposes.
- Content service providers and users will be interested in authenticating themselves to each other and to the network service providers.

All of these authentications depend on the business model and the technology used.

Public key cryptography is an essential element of SSL, used for securing web communications.

A public key certificate consists of:

- the public key
- the CA's (certification authority's) digital signature on the public key
- some attributes

A CA (certificate authority) is a trusted third party (TTP) used to verify and certify the identity of the public key owner before issuing a certificate.

Security in heterogeneous networks: architectures depend on protocol layers, which represent the way of modeling and implementing data transmission between the communicating parties.

Figure: communication protocol layers

Mobile applications like radio networks span different networks, which complicates the security implementation and makes end-to-end security difficult to obtain.

There will be a difference between the desired security service and the protocol layer at which it is provided.

For example:

Figure: security architecture using WTLS

Usage of security

Common design makes security services as transparent as possible, but this leaves the user with less security information.

Figure: semantic protocol layer between human user and organizations

A good user interface indicates the combination of multimedia and optimal terminal design.

Security of active content

Active content:

- allows sound and image animation
- provides the user with the ability to interact with the server side during a session
- ActiveX and Java applets are some examples

Sandboxing and certification are used to counter threats from active content.

Sandboxing: the active content is restricted in what resources it can access on the host system.
Adv: always active and transparent to the user.
Disadv: limits the capabilities of active content.

Certification: a trusted party has validated and digitally signed the active content.
Adv: can access all system resources.
Disadv: certification is not equivalent to trustworthiness.

Security levels of mobile communication

Level 1 security:

Implemented using passcode identification.

The user sends the passcode to the mobile network, and it is compared with the one in the database.

Level 2 security: implemented using symmetric key schemes.

Main feature: the client is able to authenticate its identity with the gateway.

Figure: Generic model of level 2 secure mobile communication

Level 3 security: implemented using asymmetric key schemes.

The client is able to authenticate the gateway's identity.

Figure: Generic model of level 3 secure mobile communication

Implementing the security levels in mobile communication

Mobile devices and networks need to support the relevant technologies and standards. Different models were proposed, but communication between the mobile device and the trusted server is not secure.

Clients are classified into the following categories:

- No private key
- One private key used for authentication or signing
- Two or more private keys, of which one is used for authentication and another for signing

Implementation of security level 1:
The client sends the passcode by SMS or WAP. When verified, the user is granted access to information.

Implementation of security level 2:
Depends on the capability of storing private keys. If the client is not capable, the private key must be stored in the mobile device or must be entered by the user.

Implementation of security level 3:
Depends on the capability of the client to store private keys and generate the digital signature. If the client is not able to generate digital signatures, delegated PKI (public key infrastructure) signing is used (meaning the security server signs on behalf of the mobile device).

Implementing security level 3 of mobile communications
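The three security levels above, modelled as small challenge/response exchanges, as an added example (not code from the slides or their authors): level 1 compares a passcode against a stored value, level 2 lets the client prove its identity to the gateway with a shared symmetric key, and level 3 lets the client verify the gateway's identity from a signature made with the gateway's private key. The stored-hash form of the level 1 database, the HMAC construction for level 2, the toy RSA parameters for level 3, and all keys, identifiers and nonces are assumptions constructed for illustration.

```python
"""Added example (not from the slides): the deck's three security levels as
challenge/response exchanges. Keys, identifiers and the toy RSA parameters
below are constructed for illustration."""
import hashlib
import hmac
import os

# ---- Level 1: passcode identification -------------------------------------
# Assumption: the network stores a salted hash of the passcode rather than the
# passcode itself, and compares in constant time (the deck only says the
# passcode is compared with the one in the database).
def store_passcode(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

def level1_verify(db_entry: tuple, passcode: str) -> bool:
    salt, stored = db_entry
    return hmac.compare_digest(store_passcode(passcode, salt), stored)

# ---- Level 2: symmetric key, client authenticates itself to the gateway ---
# The gateway issues a fresh nonce; the client answers with an HMAC over
# (client_id, nonce) keyed with the shared secret. A replayed answer fails
# because the nonce changes on every exchange.
def level2_client_response(shared_key: bytes, client_id: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_key, client_id + nonce, hashlib.sha256).digest()

def level2_gateway_verify(shared_key: bytes, client_id: bytes,
                          nonce: bytes, response: bytes) -> bool:
    expected = level2_client_response(shared_key, client_id, nonce)
    return hmac.compare_digest(expected, response)

# ---- Level 3: asymmetric key, client authenticates the gateway ------------
# Textbook RSA over two Mersenne primes with no padding: enough to show the
# protocol shape, not a production signature scheme.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gateway's private exponent

def _digest_int(data: bytes) -> int:
    # SHA-256 of the challenge, reduced to fit below the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def level3_gateway_sign(nonce: bytes, private_d: int = D) -> int:
    """Gateway signs the client's nonce with its private key."""
    return pow(_digest_int(nonce), private_d, N)

def level3_client_verify(nonce: bytes, signature: int, public_e: int = E) -> bool:
    """Client checks the signature with the gateway's public key."""
    return pow(signature, public_e, N) == _digest_int(nonce)

def run_all_levels() -> dict:
    """Run one honest exchange at each level and report the outcome."""
    salt = os.urandom(16)
    db_entry = (salt, store_passcode("4711", salt))          # constructed passcode
    shared_key = os.urandom(32)                               # constructed shared secret
    gw_nonce = os.urandom(16)
    resp = level2_client_response(shared_key, b"client-01", gw_nonce)
    client_nonce = os.urandom(16)
    sig = level3_gateway_sign(client_nonce)
    return {
        "level1": level1_verify(db_entry, "4711"),
        "level2": level2_gateway_verify(shared_key, b"client-01", gw_nonce, resp),
        "level3": level3_client_verify(client_nonce, sig),
    }

if __name__ == "__main__":
    print(run_all_levels())
```

The direction of trust is the point: at level 2 only the gateway learns anything (the client proves it holds the shared key), while at level 3 the client can reject a gateway that cannot produce a valid signature over a nonce the client chose.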

Some of the physical constraints of mobile communication systems are:

Broad-based medium:
The wireless medium is a broadcast medium, extremely exposed to eavesdropping (spying).

Disconnections:
Connections are frequently lost due to a high degree of noise and interference.

Heterogeneity:
Moving from one domain to another, a host encounters different levels of security and management policies.

Highly distributed environment.

Some of the security threats are:

Device vulnerability:
Many mobile devices are small and lightweight, which leads to devices being misplaced or lost.
This raises a security concern, as a thief has the chance to view some secret information.

Domain crossing:
Happens when a user's mobile device moves into a new location belonging to a domain other than the one where it was registered.
This raises some security matters.
When entering a new domain, it is important for both the user and the foreign domain to trust one another.

Anonymity:
The mobile user wants to be anonymous to the outside domains.

Authentication:
A mobile user crossing domain boundaries must be authenticated.
This should not interfere with the user's task, which requires the authentication to be transparent to the user.

Some examples of mobile communication systems are:

- Global System for Mobile communication (GSM)
- Cellular Digital Packet Data (CDPD)
- Mobile IP

Conclusion

Mobile networks have a positive side and a negative side.
The mobile network operators are well placed to become trusted third parties and able to support the security applications.
In the development of e-commerce technology, functionality and flexibility get the highest priority, as they form the basis for new business models.
The only hope is that in the future, mobile networks will be more secure.

1. What are the different encryption types and tools available in network security?

There are three types:

Manual encryption:
Completely provided by the user. The user has to manually select the objects for encryption, such as files or folders, and run some command to encrypt or decrypt these objects.

Transparent encryption:
Here the encryption/decryption is performed at a low level during all read/write operations. From the point of view of general security principles, complete low-level transparent encryption is the most secure type imaginable, and the easiest and least perceptible for the user to manage.

Semi-transparent encryption:
This operates not permanently, but before or after access is made to confidential objects, or during some read or write operations.

2. How do you do authentication with a message digest (MD5) in a network?

MD5 is a cryptographic hash function with a 128-bit hash value output.

It is used to check the integrity of files or inputs.

An MD5 hash is expressed as a 32-character hex number. It takes a variable-length input and converts it into a fixed-length output of 128 bits, called the MD5 hash.

It is a one-way hash function.

Any change in the message results in a completely different hash.
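The integrity check described in this answer, as an added example (not code from the slides or their authors): compute the 128-bit digest, render it as 32 hex characters, and compare the digest of what was received with the digest that was sent, so that a single changed character in transit is detected. The messages and the key are constructed for illustration; the keyed variant at the end is an addition of this example, not something the answer above describes.

```python
"""Added example (not from the slides): MD5 digests for integrity checking.
Messages and the key are constructed for illustration."""
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    """Fixed 128-bit digest of variable-length input, as 32 hex characters."""
    return hashlib.md5(data).hexdigest()

def check_integrity(data: bytes, expected_hex: str) -> bool:
    """True if the received data still matches the digest that was sent with it."""
    return hmac.compare_digest(md5_hex(data), expected_hex)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of the 128 digest bits that differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-MD5: a digest only the holder of the key can produce, so a party
    who alters the message cannot simply recompute the digest to match.
    This keyed form is an addition of this example, not part of the answer."""
    return hmac.new(key, data, hashlib.md5).hexdigest()

def demo() -> dict:
    original = b"Transfer 100 to account 42"   # constructed message
    tampered = b"Transfer 900 to account 42"   # one character changed in transit
    sent_digest = md5_hex(original)
    return {
        "digest_length": len(sent_digest),
        "original_ok": check_integrity(original, sent_digest),
        "tampered_ok": check_integrity(tampered, sent_digest),
        "bits_changed": differing_bits(sent_digest, md5_hex(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

A bare digest sent alongside the message only catches accidental corruption: whoever can change the message in transit can recompute the MD5 of the new content too, which is why authentication of a message needs a key (HMAC) or a signature rather than the digest alone. MD5 collisions are also practical today, so for new designs a SHA-2 family hash is the usual choice; the digest-and-compare pattern itself is the same.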

3. What is a routing protocol and a routed protocol?

Routed protocol:
Any protocol that provides enough information in its network layer address to allow a packet to be forwarded from host to host based on the addressing scheme. Routed protocols define the format and use of the fields within a packet. The Internet Protocol (IP) is an example of a routed protocol.

Routing protocol:
Supports a routed protocol by providing mechanisms for sharing routing information.
Routing protocol messages move between routers.
The routing protocol allows routers to communicate with other routers to update and maintain their tables.

4. What are the different types of network security?

There are two types of network security:

Physical security:
It is important to physically secure your computer and its components so that unauthorized people cannot touch your computers and gain access to your network.

Software security:
Along with securing your hardware, it is necessary to protect your network from hackers and outside attackers:

- Keeping a firewall on the system to block unwanted data
- Having maximum protection against viruses
- Using spam filter software

There are many more things to do to ensure complete network security.
