Professional Documents
Culture Documents
Sudantha Gunawardena
Contents
Abstract...................................................................................................................................... 3 1.0 Introduction .......................................................................................................................... 3 2.0 Properties of Security ........................................................................................................... 4 3.0 Anatomy of a Ubiquitous Environment and Attacks .............................................................. 5 4.0 Authentication and Recognition ............................................................................................ 6 4.1 Spontaneous Interactions ................................................................................................. 7 4.2 Shaking as an authentication .......................................................................................... 8 4.3 Ultrasonic Authentication .................................................................................................10 4.4 Visible Laser for Authentication .......................................................................................11 5.0 Security Vulnerabilities ........................................................................................................12 5.1 Physical Security .............................................................................................................12 5.1.1 Replacing or Modify the Hardware Devices/Software ................................................12 5.2 Wireless attacks ..............................................................................................................13 5.2.1 Denial-of-Service Attacks ( DoS attacks) ...................................................................13 5.2.2 Network eavesdropping.............................................................................................14 5.2.3 Man in the Middle attacks ..........................................................................................15 5. 3 Attacks on Cryptography Schemes .................................................................................16 5.3.1 Bruce-force attacks ...................................................................................................16 5.3.2 Rainbow attacks ........................................................................................................16 5.4 Social engineering attacks ...............................................................................................17 5.4.1 Phishing Attacks........................................................................................................17 6.0 Security Mechanisms ..........................................................................................................18 7.0 Ethics ..................................................................................................................................20 8.0 Conclusion ..........................................................................................................................21 References ...............................................................................................................................22 Bibliography ..............................................................................................................................23
Abstract
Ubiquitous computing is the approach of human computer interaction with ambient intelligence where users can use computer intelligence in day to day life activities. Many universities and research institutes are working on research projects to make ubiquitous computing a reality. In present the one of the foremost challenge in information technology is security, ethics and privacy which will be left to ubiquitous computing as a key challenge. With ubiquitous computing deals with day to day life activities of people most of their sensitive private information can be exposed which need to be secure in ubiquitous environments.
1.0 Introduction
As Blaauw & Frederick (1997) the first generation of computing is the age of mainframes which multiple users used the same centralized machine. With the beginning of the late 80s the generation of personal computer era embarked with the slogan of make available computers to each person individually. Computer enthusiastic like Steve Wozniak pioneered to fabricate the first personal computer to the world. According to Stajano (2002, p.2) Ubiquitous Computing can be defined as an approach of Everywhere computing and which can be measured as third generation of computer evolution. As focused by Wiess & Craiger (2002, p.1) Ubiquitous Computing can defined as enclose computers in our work and personal lives without concentration of users to improve productivity of regular activities.
A secure system should have equilibrium among these three specifics to make the final system as a secure system. Deprived of equilibrium in these three properties a secure system cannot consider as a prosperous system, as an example reflect a secure system with a large scale of security comparing the availability but there is no productivity of this system because users are not motivated to use system which is not ease of use.
Physical Attacks
Network eavesdropping
As Kang (2007) ubiquitous environment deal with several levels of devices and environments. To compose a secure ubiquitous system secure the sub structures at the each level will routinely creates a secure ubiquitous scheme. As described by the above figure from the user to content providing services. By identifying security vulnerabilities at the each level and present the necessary solution. The following tables shows security vulnerabilities at the each level, Level User Device Wireless Network Service Framework Content Providing Services Security Vulnerabilities Social engineering attacks Physical attacks Network eavesdropping / Man in the middle attacks Attacks on cryptography schemes
Device 3 Device 1
But the problem is that the current authentication schemes are not spontaneous and researchers have come up with the following types of new authentication schemes which are spontaneous.
Device Accelerometer
Also further described by Mayrhofer & Gellersen (2007, p.8) this methodology of authentication can be simple, cheaper and a power efficient. The anatomy of this technique can be designated as follows, Mayrhofer & Gellersen (2007, p.147) defines that the core concept of proposed authentication approach is based on an appraisal of an accelerometer. Firstly three preprocessing tasks will take out to intellect and perceive the input by the accelerometer and inputted data will be sampled, synchronized and will align the data in the two devices separately. As a result of these steps following graph is generated to the both devices which need to authenticate.
Figure 5 - Spectrum of an accelerometer outcomes by 'shaking' the devices - Mayrhofer & Gellersen (2007, p.147)
Finally in the authentication phase these two spectrums will be matched and authentication will be completed. The main advantage of the method is that two devices can be authenticated spatially and foremost disadvantage can be defined as the shaking is done by the human and there can be probability occurrences which both devices are not in the same spectrum.
Device 1
Ultrasonic Device
T=t+1
Device 2
As the above diagram by transmit an ultrasonic sound wave and at the receivers end the angle of the signal, arrival time can be calculated. With these data two devices can be authenticated.
10
Laser Diode
Device 2
Laser Beam
Device 1
Figure 7 Authentication using visible laser light
But further described by Mayrhofer & Welch (2007, p.7) the visible laser channel cannot be consider as an authentic and confidential because and effortlessly exposed to attackers and even can modify the channel.
Device 2
Device 1
Attacker
Mayrhofer & Welch (2007, p.8) classify that using a cryptography scheme like Diffie Hellman key exchange the data on the laser channel can be secured and authenticate.
11
12
Attacker
Attacker
DoS
atta
ck
Request
k ttac
User
Do
Sa
Network
Target Server
Attacker
Figure 9 Denial-of-Service Attack
Especially in a ubiquitous environment unavailability of a service or a slow access to a service will create large catastrophe because devices will be depended each other for information.
13
Attacker
An attacker can listen to the network and capture the data packets and by using this information can create attacks or steal user confidential information. Even these attackers can modify the data stream and add malicious code into it.
14
Sender
Original Connection
Receiver
Attacker
Figure 11 - Man in the middle attack
In ubiquitous environment when two devices required to transmit sensitive user data an intermediate attacker can capture the data, modify it and communicate back to the original receiver or the sender. Even the man in the middle attacks can be avoided by creating secure channels between the two communication parties comparable to SSL, SSH but this secure communication cannot assure an entirely secure communication because even these channels can be attacked rarely. Also these secure communication channels will be not ready to survive in ubiquitous environments because they are designed for general network communication.
15
16
17
6.1 Prevention
As described by Sastry & Roosta (2008, p.65) prevention is the technique of secure sensitive data by controlling the access to the data to attackers. Specifically prevention can be achieved by cryptography schemes from encryption ciphers to secure communication channels. Enciphering data using key based cryptography algorithm will prevent the expose of data on unauthenticated hands.
6.2 Detection
Detection is acquiring the knowledge and alert about the unusual activities before a system outbreak will take place .As Sastry & Roosta (2008, p.65) if an attacker trying to break into to a system the malicious activity can be perceived and reported or trigger the security systems.
6.3 Survivability
Keep the common activities preformed while an attack is already placed can be considered survivability. Ubiquitous environments require security from these above mentioned three mechanisms. Especially the secure ubiquitous designs should consider about survivability because as human activities fundamentally depends on these ubiquitous systems failure of a system will be produce frustration in people. Even in some
18
scenarios data on a one device will be dependent on activities of other several devices so one failure in a device will be a failure to a huge ubiquitous eco system. The following table will describes attack at each level of a ubiquitous environment and security mechanisms. Attacks Physical Security Prevention Implement security locks. Firewalls and block unnecessary inbound traffic to the network. Use encrypted communication channels, SSID hiding. Use of secure communication channels. Detection Security alarms or user authentication. Activity profiling, detection. Using precise timing techniques.(Synchroni zation between the sender and receiver Carl et al.(2006) Perform the normal ubiquitous services. Change point Survivability
Denial-of-Service Attacks
Network eavesdropping
Rainbow attacks
Use large key size for the encryption process, Salting techniques.
Bruce-force attacks
19
7.0 Ethics
According to Greenfield (2004) to secure the well being in the ubiquitous environments five major ethical guidelines have introduced. These guiding principles will secure the sensitive user information which set out in the ubiquitous environments. The proposed ethical principals as follows: 1. Default to harmlessness As Greenfield (2004) defines a proposed ubiquitous system should always guarantee the users physical, physiological and financial safely. 2. Be self-disclosing Always the system should hold information of the ownership of the device , its full capabilities and which information will transmit to another device .For an example if there is a device capable of tracking the users geographical location if this device is designed unethically it can transmit the location details to spy personals. 3. Be conservative of face As Greenfield (2004) proposed ubiquitous system should respect all the users without embarrass, humiliate or shame them. 4. Be conservative of time Some ubiquitous applications may root with critical activities of users like medical activities. These vital activities should not deem as ordinary operations and concern totally. 5. Be deniable As Greenfield (2004) clarifies that in a proposed ubiquitous system user have privileges not receive product and service information of service provides marketing campaigns (Opt-out).For example if a device will send service information while the subscriber sleeps it will be irritating to the user.
20
8.0 Conclusion
Within few years time or few decades ubiquitous computing technologies will lead the day to day human activities and people will depend on these technological expansion. But without security and ethics ubiquitous computing will not reach its goals. A ubiquitous environment consists of its foremost organisms which are devices, networks which interconnect the devices and the service providers. By securing each aspect at each level the entire ubiquitous environment can be secured. Attacks and security harms can be barred using security mechanisms which are prevention, detection and severability. But always the equilibrium in the information security triangle between security, integrity and availability should be preserved because without this equilibrium security entities cannot be consider as a successful system. Also concerning the authentication ubiquitous environments required spontaneous authentication approaches which are beyond biometric authentication methods. Finally a proper format of ethical guidelines are not yet standardized but a strong set of guidelines will strength the security of ubiquitous systems further.
21
References
Arbaugh, W. (2002) eta al., Your 80211 wireless network has no clothes, Wireless Communications, IEEE. Blaauw, G. & Frederick ,B. (1997),Computer Architecture: Concepts and Evolution,Boston:Addison-Wesley Longman Publishing Co.,Inc. Carl, G et al. (2006), Denial-of-Service Attack-Detection Techniques,Pennsylvania United States: Pennsylvania State University. Eriksson, M (n.d).An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions. Sweden: Simovits Consulting. Gellersen, H. & Mayrhofer, R., On the Security of Ultrasound as Out-of-band Channel ,UK: Computing Department, Lancaster University. Greenfield, A., (2004), Some ethical guidelines for user experience in ubiquitouscomputing,[Online].Available from:http://www.boxesandarrows.com/view/all_watched_over_by_machines_of_loving_ grace_some_ethical_guidelines_for_user_experience_in_ubiquitous_computing_setting s_1.[Acessed: 31st of January 2011]. Hole, K., (2008), Denial of Service Attacks, Bergen: Department of Informatics, University of Bergen. Jakobsson, M. & Myers, S. (2006).Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft,Canada: Wiley-Interscience. Jorgensen, K. H. , Norbutaite, R. (2007).Rainbow attack.Ireland:Dublin City University. Kang, B. , (2007), Ubiquitous Computing Environment Threats and Defensive Measures, Tasmania: School of Computing and Information Systems, University of Tasmania. Mayrhofer, R. & Gellersen, H. (2007).Shake well before use: Authentication based on Accelerometer Data, UK: Lancaster University.
22
Mayrhofer, R., & Welch M. , (2007),A Human-Verifiable Authentication Protocol Using Visible Laser Light, UK: Computing Department, Lancaster University. Mayrhofer, R., (2009), Ubiquitous Computing Security: Authenticating Spontaneous Interactions, Habilitation Colloquium. Roosta , T. & Sastry S. , (2008),Distributed Reputation System for Tracking Applications in Sensor Networks, California :Department of Electrical Engineering & Computer Science, University of Berkeley. Stajano , F.,(2002),Security for Ubiquitous Computing, USA: John Wiley & Sons,Ltd. Weiss, R., & Craiger, J. (2002), Ubiquitous Computing, Omaha: University of Nebraska.
Bibliography
Lipasti , M., (n.d) ,Role of Ethics in Pervasive Computing Security,Otaniementie:Helsinki University of Technology. Kanai, G. (2004), Ethics for Ubiquitous Computing.[Online].November 2004.Available from:http://kanai.net/weblog/archive/2004/11/01/11h03m19s.[Accesssed: 30th January 2011].
23