1 / 24

Security and PDAs in Mobile Computing Environments

Security and PDAs in Mobile Computing Environments. By Loo Tang Seet and Camilla Fjortoft. Today we will talk about . PDAs and their characteristics Security requirements Advantages and Limitations Operating Systems Authentication & Authorization (A&A) in Mobile Computing Environments

arleen
Télécharger la présentation

Security and PDAs in Mobile Computing Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and PDAs in Mobile Computing Environments By Loo Tang Seet and Camilla Fjortoft

  2. Today we will talk about • PDAs and their characteristics • Security requirements • Advantages and Limitations • Operating Systems • Authentication & Authorization (A&A) in Mobile Computing Environments • A&A in Mobile Computing environment • Charon Architecture • Tiny SESAME Architecture ISRC Workshop, May 2002

  3. Personal Digital Assistants (PDAs) • Small, smaller, smallest • View, store and transmit data from a handheld device • New applications • FiloFax or Business/Enterprise applications? • Mix of personal and business data • Less personal • Access and store corporate data ISRC Workshop, May 2002

  4. PDAs cont.. • Extremely portable, huge advantage • Can be used as an access control device by a wireless network • The access to the device must be controlled • This control must be greater than that for your PC • Constitute Availability, Confidentiality and Integrity of data ISRC Workshop, May 2002

  5. Threats • Small, easy to run-away-with, forget, lose.. • Removable memory card with data • Wireless communication • IR, • data is being ‘beamed’ to another device via the IR port • Wireless network access points • Virus • Synchronizing with Host PC • Email attachments ISRC Workshop, May 2002

  6. Threats cont.. • Operating System • Four to seven digit PIN for accessing the device • Single user access • Input methods • I.e. by pen, choose simple passwords • Not all OS have support for data to be encrypted, need third party software  power consumption ISRC Workshop, May 2002

  7. Security Requirements • Secure access to device, data and network • Encryption of data • The device,or data, cannot be tampered with • OS integrity and file system security • Protection against virus and malicious code • Sufficient power supply and memory • Security policy involving handheld devices ISRC Workshop, May 2002

  8. Limitations of PDAs • Power • Battery only lasts for couple of hours when connected to wireless network • Reduces the amount of time to run applications • Power is a major limitation • Processing speed • Good enough for cryptographic operations • Memory • Memory no longer a limitation for new PDAs. Can get micro drivers with several GB of capacity ISRC Workshop, May 2002

  9. Operating Systems • Windows CE • 4 to 7 digit PIN, accessible by others • No support for data to be encrypted • Need third party software • Larger power consumption • PalmOS • For devices with restricted resources • Password for accessing the device • Single user OS, no file access based on user identity • Linux • Many different distribution available ISRC Workshop, May 2002

  10. PDA survey ISRC Workshop, May 2002

  11. Authentication & Authorization in Mobile Computing Environments Tiny SESAME Charon

  12. Overview • Authentication & authorization issues in mobile computing environments • Existing authentication and authorization security architectures • Adapting existing security architectures to mobile computing environments • Conclusions ISRC Workshop, May 2002

  13. Authentication & authorization Issues in Mobile Computing Environment • Two constraints presented by mobile computing environment: • Processing resource constraints on the mobile platform • Communication resource constraints in the mobile network • Two approach to providing A&A for mobile computing environment: • adapting existing security architecture or • design a whole new architecture ISRC Workshop, May 2002

  14. Existing A&A Security Architectures • Kerberos • Developed by MIT for Project Athena • Provides end-to-end mutual authentication between client and server with single sign on • Authorization is provided by the host OS • SESAME • An extension to Kerberos with additional services • Provides both authentication and authorization services and delegation of access rights • Supports both password and public key authentication • Supports RBAC ISRC Workshop, May 2002

  15. Charon – Indirect Authentication Using Kerberos IV – by UC at Berkeley • Migrating Kerberos into mobile computing platform • Displacing complexity from client to proxy • Only DES encryption/decryption on the client • Kerberos library shifted to proxy • Rewrites client and libdes library to run on the Sony MagicLink PDA with a total footprint of ~45kB ( 9% of the original size of kinit) • No modification to KDC and server is required ISRC Workshop, May 2002

  16. Kerberos Client AS TGS Phase I: Authentication & obtaining TGT 2 Service 1 Proxy 3 4 Charon Architecture ISRC Workshop, May 2002

  17. Charon Architecture Phase II: Obtaining ticket for proxy Kerberos Client AS 5,9 Proxy 6 8 TGS 7 Service ISRC Workshop, May 2002

  18. Charon Architecture Phase III: Accessing a Service via Proxy Kerberos Client 10,14 AS Proxy 11 13 TGS 12 16 15 Service ISRC Workshop, May 2002

  19. Charon vs Standard Kerberos • Inherits both the strength and shortcomings of Kerberos IV • Charon provides a lightweight client to accommodate the mobile computing devices with limited storage space • Additional protocol exchanges required to establish trust between client and proxy • No network performance advantage using Charon versus the unmodified Kerberos ISRC Workshop, May 2002

  20. Adapting PKINIT - By A. Harbitter & D. Menasce • PKINIT – Public key extension to Kerberos V initial authentication phase • Public key encryption requires more computational resources • General approaches to adapt PK based security systems: • Reduce the number of public/private key operations on the mobile client side • Choose the right public key algorithm that allows faster public/private key operation to be performed on the mobile client side (refer to next slide) • Use proxy to offload some processing from client ISRC Workshop, May 2002

  21. Relative Speeds of Public/Private Key Operations Using DSA and RSA Refer to “Applied Cryptography”, by Bruce Schneier ISRC Workshop, May 2002

  22. TINY SESAME- By UIUC • A lightweight SESAME implemented in Java using component-based architecture • Supports authentication, simple encryption, integrity checks and RBAC • Dynamic component loading ISRC Workshop, May 2002

  23. User Sponsor Client Application User Service Tiny SESAME Architecture Client Side Security Server AS APA Client PAS KDS GSS-API DCL SACM Communication Protocol Security Context Application Server APA-Client: Authentication & Privilege client. AS: Authentication Server. DCL: Dynamic Component Loader. GSS: Generic Security Services. KDS: Key Distribution Center. PAC: Privilege Attribute Certificate. PAS: Privilege Attribute Server. PVF: PAC Validation Facility. SACM: Secure Association Context Manager. DCL SACM GSS-API PVF ISRC Workshop, May 2002

  24. Conclusions • Current A&A security architectures trust the client to protect confidential keying information • PDAs are becoming less personal • PDA are small, portable and easily subverted • Better security is needed for PDA ISRC Workshop, May 2002

More Related