View
215
Download
0
Tags:
Embed Size (px)
Citation preview
1
Security Challenges of Location-Aware Mobile Business
Emin Islam Tatlı, Dirk Stegemann
Theoretical Computer Science, University of Mannheim
February 2005
2
Outline
The Mobile Business Research Group
Context- and Location-awareness
Application Logic Framework
Security Challenges
Further Research
3
Mobile Business Research Group
Generic platform for location-based and context-based mobile business applications
Joint project of 7 research groups at the University of Mannheim
Cooperations with SAP AG, Walldorf CAS Software AG, Karlsruhe
Web: http://www.m-business.uni-mannheim.de/
4
Location and Context
Context = any information that can be used to characterize the situation of an entity
Examples: location, time, identity, level of mobility
A Context-based application considers context when providing its service.
5
Examples
Find the nearest haircutter
Display the special offers of nearby shops that sell men’s shirts
Find a pizza delivery service that can deliver my favorite pizza for less than 8 EUR within 15 minutes to my current location
Location-based Post-it
6
Application Logic
CONTEXT AWARE MOBILE BUSINESS SERVICES
RequestDispatcher
ServiceRegistrationService
Repository
MobileUser
ServiceProviderService
ProviderServiceProvider
1 - register2- service query3- service descriptions
4- service request
5- service result
7
Research Areas
Service-oriented software architecturesService discovery and service brokerageWireless networks, localization,content-to-device adaptionData exchange formats, location-based ontologies
User requirements and preferencesMobile solutions in supply chain management
Security
8
Security Challenges
Anonymity
Privacy of personal data
Confidentiality of the communication
Confidentiality of locally stored data
Usability vs. security
9
Anonymity
Mobile users require to hide their real identityAnonymity ensures that a user may use a resource or service without disclosing the user's identity [1]Service providers require a unique representation of users(partial) Solution Pseudonymity
Pseudonyms are faked names (e.g. nicknames)
10
Unlinkability of Pseudonyms
Linkability of pseudonyms may break anonymity„unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system“ [1]Mix-net [2] based solutions not flexibleFuture Research Analyzing existing protocols and enhancing them to
satisfy m-business unlinkability
11
Mix-net
Mix:Computer between sender and receiverDecrypts messages and forwards to receiver
Sender ReceiverMix-net
KM(R1, KR(R0,M), Addr_R) KR(R0,M)
Sender
Sender Receiver
Receiver
12
Privacy of Personal Data
Service providers request different kinds of personal data (even only for profiling of users)
Personal data is private, especially location
Privacy is “the ability and/or right to protect your personal secrets” [4]
Solution Identity Manager [5] P3P [6]
13
Identity Manager
Enables full control of personal data
Presents an interface for creating different virtual IDs binding a subset of personal data to each ID
During communication with a service provider, the user chooses a suitable ID for this particular type of communication
Before any personal data is sent to a service provider, the user is asked to allow this transmission
14
Identity Manager (cont.)
quoted from http://tserv.iig.uni-freiburg.de/telematik/forschung/projekte/kom_technik/atus/idm-demo/
15
Confidentiality of the Communication
Communication messages contain sensitive information e.g. personal data, credit card numbers, location, queries of users results from broker registration data of providers
Any mobile device can receive data transmitted over airConfidentiality ensures that unauthorized disclosure of personal data is not possibleSolution End-to-end security (e.g. SSL-based protocol)
Future research How to avoid SSL-handshake delay
16
Confidentiality of Locally Stored Data
Thefts are very common in the mobile world
User’s local data (e.g. profiles, passwords, private keys, etc.) should be protected from unauthorized disclosure
Solution Two-factor authentication Password-based encryption
17
Usability vs. Security
Trade-off usability and security: users prefer usability weak, easily-guessable passwords digital certificates
Different sensitivity of users for securityEnhance usability and security according to personal needsSolution Dynamically configurable security policy
management system
18
Usability vs. Security (cont.)
Components of a dynamically configurable security policy management system Password Manager Single-Sign-On Security Level Manager Identity Manager
19
Research Focus
Design an open security architecture which can easily be integrated within the m-business application
framework
20
Remarks
Workshop 22.03.2005 - Public Workshop on Mobile Business organized by the
University of Mannheim Mobile Business: Geschäftsfelder und Softwaretechnologien More Information:
http://www.m-business.uni-mannheim.de/workshopMBusiness/mBusinessWorkshop.htm
Hiwi Jobs, Studien-, Bachelor- and Diplomarbeiten: Emin Islam Tatlı
A5,6 B105 – [email protected] Dirk Stegemann
A5,6 B125 – [email protected] ... and co-workers in the project
21
References[1] ISO99 ISO IS 15408, 1999, http://www.commoncriteria.org.
[2] D. Chaum. Untraceable Electronic Mail, Return Ad- dresses, and Digital Pseudonyms. Communications of the ACM, 1981.
[3] D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Receipient Untraceability. Journal of Cryptography, 1988.
[4] Anderson R., Security Engineering, Wiley Computer Publishing, 2001.
[5] U. Jendricke , D. Gerd tom Markotten, Usability meets security - the Identity-Manager as your personal security assistant for the Internet, Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), p.344, December 11-15, 2000.
[6] W3C, P3P (Platform for Privacy Preferences Initiative), http://www.w3.org/P3P/.
[7] OpenCA Research \& Development Labs, www.openca.org.
[8] eTrust Pki, http://www3.ca.com/Solutions/Product.asp?ID=2623.
[9] Netscape Certificate Management System, http://enterprise.netscape.com/products/identsvcs/certmgmt.html.
[10] Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland. ``Rogue Access Point Detection using Temporal Traffic Characteristics.'' Appeared in the Proceedings of IEEE GLOBECOM 2004, December 2004.
[11] Preventing Internet Denial-of-Service using Capabilities, Tom Anderson, Timothy Roscoe and David Wetherall. Proceedings of the Second Workshop on Hot Topics in Networking (HotNets-II), Cambridge, MA, USA, November 19-20, 2003.
22
Security Challenges of Location-Aware Mobile Business
Emin Islam Tatlı, Dirk Stegemann
Theoretical Computer Science, University of Mannheim
February 2005
Thank you for your attention !