7/27/2019 Riguidel security

Slide 1: Security Issues & Paradigms in Mobile Computing Science & Networking
Michel Riguidel
Tel: +33 1 45 81 73 02
mailto:[email protected]
Slide 2: Requirements for QoS, mobility and configurability
Slide 3: Information Technology evolution

- Before 80: Middle Age, Computing Science belongs to fiefs (IBM, ...), no network. All proprietary, no flow: all is parchment or proprietary spreadsheet.
- 80s: All is transparent for a computer scientist. All is file: UNIX (/dev/null, /dev/lpr, ...); a file is a set of characters which can be manipulated by the C language.
- 85s: All is readable on a desk (or a PC) by anybody. All is document (no more interoperability & transparency).
- 95s: All is an available object on the network for communication. All is document, readable everywhere (HTML page) or executable everywhere (Java). Privilege to information access: kiosk, server.
- 00s: All is a digital, fluid & live stream distributed over networks. Nomadic user, virtual presence (user or software/content moves), Virtual Machine & JavaBeans. Ubiquitous IT (networked planet grid) & mobile computing infrastructure (Xeo satellites).
- 05s: All is program, alive on ad hoc networks. An entity on the network is a Java program (Jini concept). Intentional architecture.
Slide 4: The new Paradigm of IT

Communicating, autonomous, configurable, mobile, automatically plugged ENTITIES onto an interoperable, secured, Plug & Play, dynamically scalable INFRASTRUCTURE, all being managed in a distributed way by various actors, according to several points of view.

Towards a convergence Telecom - Multimedia - IT: for a seamless IT with mobility and configurability in zero administration within a heterogeneous world.

[Figure: distributed multimedia data, individuals, software, hardware and content. Entities: end-user profile, smart card; software object, agent; application, service; telephone, set-top box, PDA; PC, server, printer; trusted third party; router, switch. Infrastructure: home network, local network; virtual private network for businesses, Internet; middleware infrastructure of dynamically configurable distributed IT.]
Slide 5: Infrastructure of an IS: Urbanization of an Information System

[Figure: distributed multimedia data and multimedia hyperdocuments over an infrastructure with QoS, mobility & security; mobile/fixed, wired/wireless; extra/inter/intranet.]

- New services & usage: biometric authentication; adaptive & multi-modal human interface; speech recognition; adaptability & customization of applications according to terminal configuration & end-user services; mobile terminals, network computers.
- New services: intelligent routers & switches; configurability; active & ad hoc networks; interface: XML; protocol: IP.
- New services: indexation by content; protection of digital objects; navigation, search engine, information filtering; Java applets.
Slide 6: Software Intensive System: Architecture is a key issue

- Distribution & services: M2M, P2P; middleware, XML, CORBA & mobile code.
- Communication: convergence of IP & ATM.
- Applications: configurable, downloadable.
- Usage, cooperation: teleworking, videoconference, real-time negotiation.
- Transmission: wired & wireless.
- Properties: performance, QoS, interoperability, security, mobility, heterogeneity, distribution, dependability, maintainability.
- Information & documents: multimedia; cross media, video, image, mobile code, hyperdocument.
- Broadcast & access system architecture; new OSI layers.

[Figure axes: Content, Communication, Properties.]
Slide 7: Urbanization: Versatility in Access Networks

Heterogeneity, global roaming, QoS, value-added services.

[Figure: core network; access / intermediation layer with UMTS, ad hoc, Bluetooth, IEEE 802.11, IPv6.]
Slide 8: Global Interconnection: seamless Heterogeneity, Multimedia, macro-Mobility

[Figure: enterprise, private and mobile networks interconnected through telecom operators & Internet; cooperation.]

Common challenges to be solved:
- Plug & play
- Configurability
- Management
- Quality of Service
- Upgradeability
- Adaptability
- Security, privacy
- Stability, safety
- Costs

More heterogeneity:
- Interoperability through different networks
- No Esperanto: W-CORBA, Java RMI, J2EE, agents do not fit
- M2M (middleware to middleware)
- Selectivity, resource management, global roaming
Slide 9: Dynamic Links: heterogeneity & mobility

[Figure: telecom operators & Internet; GSM, WAP; global handover.]

More dynamicity: changes depending upon policy, traffic, opportunities, locations, context, resources.
Slide 10: New Services, Contents, Middleware, Network Service Providers

- Client-server => intermediation architecture: multimedia content-based search engine, agent platform, etc.
- More content: rich content & cross-content; VoIP, "QoS" real time, critical flows, audio-video streaming; content processing (searching, watermarking, ...), QoS.

[Figure: content provider, personal area network; actors Achilles and Barbara.]
Slide 11: The digital World: Architecture & Urbanization

- Ubiquity of computing & storage resources: communication anytime, anywhere, anyhow; concept of data grid (metacomputing).
- Externalization of general resources: MIPS, storage, trust content (secret keys available everywhere).
- Communicating objects & subjects: objects are dynamically connected; devices are permanently connected (IPv6); subjects have representations over the network (avatars); customization of one's own Virtual Private Network & community.
- Key technology: cellular mobile telecommunications, mobility, roaming; Internet, data grid, cache architecture; satellite, broadcast.
Slide 12: The digital World: Architecture & Urbanization (continued)

- Customization of one's own Virtual Private Network & community; subjects have representations over the network (avatars); devices are permanently connected (IPv6).
- Layer 2: data link. Communicating objects & subjects; objects are dynamically connected; communication anytime, anywhere, anyhow; versatile medium access.
- Layer 7: bottom of the application layer. Ubiquity of computing & storage resources; concept of data grid (metacomputing); externalization of general resources: MIPS, storage, trust content (secret keys available everywhere); semantic socket, pluget.
- Quality of communication (QoS, security); nature of content; negotiated resources.
Slide 13: The past & emergence of new context

Information in the 80s & 90s:
- Simple and it works; not enough MIPS
- Proprietary
- Dedicated entities with specific intelligence & engine
- Catalogues of fixed applications
- Dedicated infrastructure
- Hertzian spectrum: static allocation by ranges

Assumptions which are no longer verified in the 00s:
- Bill Gates' concept is obsolete
- Need for global interoperability & roaming
- For "Beyond 3G networks", routes do not exist any more; the OSI model is no longer "the" reference
- Spectrum must be shared differently (new rules, UWB, ...)
Slide 14: The Future: Open, Smart & Configurable Networks

Non-functional properties are essential:
- Policy-aware networks
- Mobility, QoS, interoperability, security
- Configurability: changes versus time & space
- Management issues, proactive & reactive management

Potential solution:
- Virtualization, openness
- Hardware trivial (not simple!) & software virtual
- More intelligence in the network

Pros & cons:
- Performance
- Business models
- Technological issues
- Complexity reduction
- Software engineering does not follow
Slide 15: Long Term Vision

Vision:
- Hardware & software separation and independence
- Smart intelligence within the open network: radio block (general management of the radio resource); lower layers (UMTS MAC layer); upper layers & downloadable applications
- Relationship between the layers; articulation between the architecture styles; implementations of these architectures are different
- Management: subsidiarity

Orientation:
- Open network (next seism in computing & networking)
- Software radio, software terminal, "software network": ad hoc & active networks
- New architectures: P2P, M2M, ...
Slide 16: Convergence: Virtualization & Externalization

- Wireless: mobility & autonomy; adaptation, configurability depending on the context; ambient networks
- Embedded Internet, disaggregating terminals; disappearing computing, pervasive computing: ubiquity of access; communicating objects and devices; remote work (medicine, surgery); augmented reality
- Data grid & metacomputing: global computation (genomes, cryptography, astrophysics, ...)
- Managing & securing the value chain
Slide 17: Conclusions

Convergence / divergence dialectic:
- Merging wired & wireless: high data rate core networks; diversity of access to the network
- New content: multimedia, art creation, exploration of the content cosmos
- Different scales & heterogeneity: Bluetooth, WLAN (802.xx), UMTS, Internet
- Decentralization

Not a revolution but smooth & permanent changes:
- Migration of standards: IPv4 versus IPv6
- De facto: Windows towards Linux (open software)
- GSM to GPRS
- Etc.
Slide 18: Computing &/or Networking

Computer                         | Network
---------------------------------|--------------------------------------------
Management of time/space & I/O   | Management of space & I/O
Semantic: Turing machine         | Semantic: store & forward
PC & server                      | Router & switch
MIPS & gigabytes                 | Bandwidth, Erlang, data rate, QoS
Bottleneck: I/O                  | Bottleneck: the last mile, ..., centimeter
                                 | Space: not x, y, z but structured addresses
Slide 19: Gilder's versus Moore's law

[Figure: log-scale plot from 1997 to 2007 (100, 10,000, 1M): Gilder's law (2x every 3-6 months) versus Moore's law (2x every 18 months), a 1000x gap. Source: Greg Papadopoulos, Sun Microsystems.]
Slide 20: Mobile Context & Digital World

More mobility:
- Nomadic people (with terminals)
- Mobile services, content (caches), infrastructure (satellite constellation)
- Downloading applications, agent framework, liquid software, VHE, ...
- Personalization, localization, mobility, ambience
- Contextualization: communication infrastructure, equipment, environment
Slide 21: Evolution of mobile networks: from vertical to horizontal segmentation

- Today: specific network with a unique service. Old: binding services with communication technology.
- Tomorrow: multi-service / client-server network. New: SP competition over an open infrastructure.

[Figure (from Ericsson): today, vertical stacks of portal servers, clients and circuit access (2G/RTC/ISDN, mobile, access by packets), each carrying its own content; tomorrow, services over a high-rate packet Internet backbone and a common access network, transport & switch network spanning data/IP networks, PLMN, PSTN/ISDN and CATV, with mobile Internet and high-rate packet access.]
Slide 22: Dynamic Provision of Services to Users

[Figure: end user with private devices; communication providers (telecom operator & ISP) offering voice services, calling services, value-added services and directory services; value-added service providers offering shopping, information, banking, culture, entertainment and automation services.]
Slide 23: Quality of Service

QoS as defined by the ITU-T E.800 standard: the degree of satisfaction of the service user, made up of accessibility, security, service logistics, ease of use, continuity and integrity.

[Figure: the user (Audrey) at the centre of these QoS components.]
Slide 24: Information Flows, Streams & Caches

Efficiency of the whole loop: Content Delivery Networks, ...

[Figure: a loop of information, documents and execution streams; data from sensors feed analysis, simulation and decision, whose synthesis drives actuators; management and transmissions close the loop.]

- More irrigation in the IS by differentiated information flows
- More intelligence at the periphery of the IS
- More knowledge and reactivity in the loop
Slide 25: The ecology of networks

- Social networks: who knows who => Virtual Private Communities
- Knowledge networks: who knows what => Knowledge Management
- Information networks: who informs what => the Internet
- Work networks: who works where => groupware
- Competency networks: what is where => knowledge with time and space
- Inter-organizational networks: organizational linkages => semantic interoperability
Slide 26: Mobility & Infospheres: Evolution of Spaces: regular & intelligent

As spaces become intelligent, individuals' infospheres grow, and changes occur in the [...] and [...] in which people are embedded. (From K. M. Carley, CMU.)

[Figure: PAN - Bluetooth - WLAN - UMTS - Internet; infospheres drawn as circles, interaction as bold lines, the knowledge network as a dashed line; permanent links through IPv6.]
Slide 27: The Seven OSI Layers

Layers, top to bottom: Application, Presentation, Session, Transport, Network, Link, Physics.

Annotations on the layers:
- Wireless & optics; turbocodes
- Active networks: computation within nodes
- Ad hoc networks: moving nodes, no fixed routes
- Between TCP & UDP, there are thousands of upper transport protocols
- Browsers & players; multimode; dynamic application
Slide 28: Communication Infrastructure: Client-server is dead => Policy Aware Networks

[Figure: A (client) and B (server) connected across the network infrastructure by secure interoperable protocols Pab & Pba with adaptive QoS; the infrastructure gains more intelligence (memory, visibility, flexibility), towards active & ad hoc networks.]

Horizontal imbalance of the semantic distribution in networks: network entities are efficient lifts for the OSI layered model, with the extremities (client & server) bearing the whole intelligence.
Slide 29: Active Network Model

[Figure: a router built from trivial hardware (physical resource) running an open operating system (NodeOS) that provides resource management, open APIs towards the execution environments and an infrastructure for security functions; above it, the execution environments (execution machines) EE 1 Java (capsule), EE 2 (IPv4), EE 3 (IPv6) and EE 4 Asm Intel; the APIs (application program interfaces) are the interfaces to program the network.]
Slide 30: Active networks: challenges

- Open the network to services (and service providers)
- Dynamic modification of the network's behaviour by users, applications and operators
- Define a programming interface (API) for networks: open the network; virtualize the components; configure dynamically

A programmable network is an open and extensible packet transmission network with an infrastructure dedicated to the integration and rapid deployment of new services. An extensible network offers facilities to change its behaviour dynamically (as perceived by the user). The network becomes a programmable virtual machine.
Slide 31: Active Networks

- To keep the network proprietary! over an open infrastructure
- To distribute intelligence within the network
- DiffServ is a straightforward active network! The "Java packet program" is a constant (the flow header).
- MPLS is an elegant, simple active network! The program is a stack of constants (the shim header) which is run over the entry and exit nodes to create tunnels.
- More to come: filtering, ...

[Figure: OSI layer stack.]
Slide 32: Spontaneous Device Networking: self-organizing, ad hoc

- Wireless: no route
- Access control?
- Net etymology: mesh, graph
- How to find one's own way?

Some issues: service discovery; spectrum coexistence; management; security.
Slide 33: Ad hoc Networks

- Each node can be a router and/or a terminal
- Astrid cannot talk to Charlotte (hidden nodes)
- Basil: potential collisions
- C can reach cell A via B

[Figure: nodes A, B, C, D and their radio ranges.]
Slide 34: Ad hoc Networks

- No more routes
- No more topology
- Blind search
- Search with reminiscence
- Extension to self-organizing networks

[Figure: OSI layer stack with the Network layer singled out.]
Slide 35: Zimmermann's open interconnection model

- From top to bottom and from A to B
- Seven-layer model: isotropic, no time and space
- Homology to win interoperability
- Vertical software engineering
- To shred any content into packets, datagrams, frames, and finally bits
- We ignore content semantics

[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Link, Physics) at A and B; top-down within a stack, end-to-end between them.]
Slide 36: Theory of communication

Shannon & Weaver model (1949):
- Linear & unidirectional model
- Neither the relationship between the actors nor the situation is taken into consideration
- Eliminates semantics
- J. Lacan (seminar II, 1954), R. Barthes (ethos, logos, pathos)

[Figure: emission -> message -> reception. Property of [email protected]]

Shannon formula (1948): C = B log2(1 + q), where C is the channel capacity (bit/s), B the bandwidth (Hz) and q the received signal-to-noise power ratio. The capacity to transmit error-free information is proportional to B, for q = const.

Notes:
- Special coding required, which may not work with interactive communications
- Shannon says nothing about the code
- Isolated system assumed
Slide 37: Security requirements in a mobile universe
Slide 38: Security issues in a mobile world

- Specification of policies compatible with the content and the container
- Set-up of a context-oriented, plural, configurable policy
- Design of new encryption protocols
- Placing cryptology and steganography in perspective
- Introducing security in an open world
Slide 39: Challenges

Year 2001: a prism distorting reality, with the Internet (asynchronous messages & meshes of routers) and GSM (voice content & cellular architecture with base stations).

Security & mobility:
- Use of infrastructures: need for geographical references; need to protect the spatial structure
- Fixed infrastructure: articulation of the mobile part and the fixed part via a cryptographic protocol
- Mobile part (ad hoc networks): search for invariant structures

Use of the history of movements:
- Traceability of moving objects and subjects; building alibis
- Ontologies are moving in these virtual spaces
- Identification, and then confirming their existence in a defined location using alibis
Slide 40: New situation: no more deterrence

Before 11th September:
- Symbolic attack: no more undetectable or discreet attack
- Balance between the investment in protection and the risk of losing assets

After 11th September:
- Whole communities can lose confidence
- Security against cyberwar, at a greater scale, for large infrastructures

Main threat: denial of service for a long time with multiple accidental coincidences.

Basic security: audit, accountability (identification & authentication).
Slide 41: Classical Security solutions

PKIs, certificates (X.509), SSL, IPsec, firewalls.

Classical cryptography security model: Audrey & Basil share a secret, which
- can be used to scramble the message (cryptography);
- can be used to insert a subliminal mark in order to leave a trace (steganography).

Cryptography: trusted third party; point to point.
Slide 42: Security Solutions

IT today: two focal key points, content security and route security, and their articulation: a distributed security infrastructure.

[Figure: standard solutions placed between content security and route security: PGP, S/MIME, SSL/TLS/LIPKEY, WAP security, XML, P3P, FIPA security, security with proxy, IP, IPsec, IKE/ISAKMP, bitstream ciphering, network boundary.]

A lot of standard solutions; their utilization is often complex, and one protocol does not eliminate all the threats.
Slide 43: Digital era: vulnerability & customized security

[Figure: a buyer, a seller and a bank exchanging an order and a payment as bit strings.]

- Vulnerable: only clones
- Intelligent: can be adjusted and personalized
Slide 44: Mobility within a Convergence world

Open or closed? Both: a Möbius ribbon.

Historical world: footprint & witness.
- We must authenticate the scene, the situation
- We must trust a witness located at t = t0 and at x = x0
- Audrey & Basil know each other: local confidence

Mobility introduces new threats:
- A subject S is going to travel: trajectory x(t)
- S is not alone
- S leaves traces, depends upon the ambience
- S wants to trust the object O; S and O are going to create alibis depending upon time and space

Alibis are trusted relationships between the infrastructure, S & O. E.g.: the individual is going to sign with the base station that he/she was present in this cell.
Slide 45: Security policy depending upon space & time

User point of view:
- He/she defines his/her own security policy for comfort: service access if the user is inside a perimeter
- One restricts one's own mobile phone usage inside a given zone for a certain period of time
- One asks for a control from the telecom operator: secret shared with the operator

Service provider point of view:
- Creation of a cryptographic protocol to sign the user ID with the location ID (here the base station name)
- The buyer may be anonymous, but one knows that he was here at t = t0
- It is no more a virtual world
Slide 46: Object traceability

Trust model:
- Content security (end-to-end)
- Container security (depending upon operator, Internet, etc.)

The whole system has a memory:
- Audit function (.log files to record events)
- Historical signature
- Digital signature of the content: integrity
- Digital signature of the traces
- Labeling, watermarking; ephemeral watermarking
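The alibi protocol of the two preceding slides (the base station signs that a subject was present in a cell at t = t0, so that a service provider can verify it later) together with this slide's "digital signature of the traces" can be sketched as follows. This is an added example, not code from the presentation: the per-station keys shared with the operator, the chaining of alibis into a signed trajectory x(t) and the plausibility bound on the time step between cells are all assumptions made here.

```python
import hashlib
import hmac
import json

# Constructed sample keys: one secret per base station, shared with the operator
# (an assumption standing in for the slide's "secret shared with the operator").
STATION_KEYS = {
    "cell-A": b"constructed-key-for-cell-A",
    "cell-B": b"constructed-key-for-cell-B",
}

ZERO = b"\x00" * 32  # chain start marker for the first alibi of a trajectory


def _payload(body):
    # Canonical encoding so that signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_alibi(user_id, cell_id, t, prev_digest=ZERO):
    """Base station side: sign (user, cell, time, previous alibi) with its key.
    Linking each alibi to the digest of the previous one turns the alibis into
    a signed trajectory x(t): dropping or reordering one breaks the chain."""
    body = {"user": user_id, "cell": cell_id, "t": t, "prev": prev_digest.hex()}
    tag = hmac.new(STATION_KEYS[cell_id], _payload(body), hashlib.sha256)
    return {"body": body, "tag": tag.hexdigest()}


def alibi_digest(alibi):
    """Digest of an alibi, used as the 'prev' link of the next one."""
    return hashlib.sha256(bytes.fromhex(alibi["tag"])).digest()


def verify_trajectory(alibis, max_gap_s):
    """Verifier side (operator or service provider): check every tag, the chain
    linkage, strictly increasing time and a plausibility bound on the time step
    between consecutive cells. Returns (ok, reason)."""
    prev, last_t = ZERO, None
    for i, a in enumerate(alibis):
        body = a["body"]
        key = STATION_KEYS.get(body["cell"])
        if key is None:
            return False, f"alibi {i}: unknown cell {body['cell']}"
        expected = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["tag"]):
            return False, f"alibi {i}: bad signature"
        if bytes.fromhex(body["prev"]) != prev:
            return False, f"alibi {i}: chain broken"
        if last_t is not None and not (0 < body["t"] - last_t <= max_gap_s):
            return False, f"alibi {i}: implausible time step"
        prev, last_t = alibi_digest(a), body["t"]
    return True, "ok"


def in_perimeter(alibis, allowed_cells):
    """User-side policy from the slide: grant service access only while the
    most recent alibi places the user inside his or her own perimeter."""
    return bool(alibis) and alibis[-1]["body"]["cell"] in allowed_cells


def demo():
    # Constructed trajectory: Audrey attaches to cell-A, then cell-B a minute later.
    t0 = 1_000_000
    a1 = issue_alibi("audrey", "cell-A", t0)
    a2 = issue_alibi("audrey", "cell-B", t0 + 60, alibi_digest(a1))
    ok, _ = verify_trajectory([a1, a2], max_gap_s=300)
    # A trace whose time was edited after signing: the tag no longer matches.
    forged = {"body": dict(a2["body"], t=t0 + 61), "tag": a2["tag"]}
    bad, reason = verify_trajectory([a1, forged], max_gap_s=300)
    return ok, bad, reason


if __name__ == "__main__":
    print(demo())  # (True, False, 'alibi 1: bad signature')
```

The buyer stays anonymous towards the service provider only if the user identifier is a pseudonym agreed with the operator; the chain then still proves "someone with this pseudonym was in cell-A at t0".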
Slide 47: Security functions in a mobile universe

- Identification: biometry, smart card, trusted entity. Anonymous: need to find a witness for the situation; capture a secret depending upon the situation.
- Authentication of the scene: to exchange a secret with someone that we will see again.
- Audit: history of the objects'/subjects' trajectory; ephemeral watermarking.
- Data protection: both cryptography & steganography.
Slide 48: Architecture: Projection of constraints

- Architecture: expression of constraints
- Design: projection of the specification onto an implementation
- The expression of the constraints (QoS, security, mobility, interoperability) must be incarnated and instantiated through the network architecture, the protocol specification and the applications
- Some expressions will be through markers, in a clear world
Slide 49: Reconstruction of space, time and trust

Network models:
- Anarchical model: Internet, WLAN, WPAN
- Master-slave: WLAN
- Hierarchical: cellular networks; semantics of protocols
- Oligarchic: PKIs

Architectures of applications:
- Client-server architecture model: Audrey & Basil are living in an isotropic world
- Producer & consumer of content

Administration: management, very often a bureaucracy. Others.
Slide 50: The new paradigms: the focal point is not IP

Computation ubiquity (bottom of layer 7):
- Horizontal software engineering (M2M, P2P), agents
- XML metalanguage: to find an Esperanto (interoperability); allows to describe policies, rules, intentions, predicates
- Metacomputation: grid; swarm of computers (10^6) running one single application
- Issue: the semantic socket at the bottom of the application layer

Access ubiquity (layer 2, MAC):
- Vertical software engineering
- High data rate Internet (digital divide)
- Urbanization: construction of a Harlequin mantle (802.11, 802.15, UMTS, ...)
- Dialectic of usages
Slide 51: Remedies to mobility vulnerabilities

Distribution:
- Trusted hierarchy by subsidiarity
- One can distribute secrets which are longer
- Intelligence everywhere, inside the network: networks have a better throughput; capillarity larger & larger

Security hopping (security evasion):
- Classical cryptography: immutable world
- To zap one billion security policy implementations: 1 single security policy but 10^9 implementations
- Each solution is fallible but the whole is highly secure

Secret contents:
- Delivery Content Networks (DCNs), Storage Area Networks
- Flood the network with machines able to compute secrets
- Secret Content Networks: huge repository of keys
Slide 52: Conclusion

The urbanization of communication systems:
- Ubiquity, universality
- Complexity: structure, architecture, urbanism

The new requirements in future networks:
- QoS, mobility, configurability, security
- The complexity threshold of architectures: performance versus intelligence

The points of view:
- Operators, manufacturers, service providers and users
- Complexity projected into urbanism, architecture, protocols, the extremities and subsidiarity (distributed management)

The rhythm of ruptures and evolutions, in the context of convergence and the readjustments of the tectonics of the 3 plates: Telecoms, Computing, Audiovisual.