Security Challenges of Location-Aware Mobile Business

1
Security Challenges of Location-Aware Mobile
Business

• Emin Islam Tatli, Dirk Stegemann
• Theoretical Computer Science, University of
  Mannheim
• February 2005

2
Outline

• The Mobile Business Research Group
• Context- and Location-awareness
• Application Logic Framework
• Security Challenges
• Further Research

3
Mobile Business Research Group

• Generic platform for location-based and
  context-based mobile business applications
• Joint project of 7 research groups at the
  University of Mannheim
• Cooperations with
• SAP AG, Walldorf
• CAS Software AG, Karlsruhe
• Web http//www.m-business.uni-mannheim.de/

4
Location and Context

• Context any information that can be used to
  characterize the situation of an entity
• Examples location, time, identity, level of
  mobility
• A Context-based application considers context
  when providing its service.

5
Examples

• Find the nearest haircutter
• Display the special offers of nearby shops that
  sell mens shirts
• Find a pizza delivery service that can deliver my
  favorite pizza for less than 8 EUR within 15
  minutes to my current location
• Location-based Post-it

6
Application Logic
Service Provider
Mobile User
Service Provider
Service Provider
7
Research Areas

• Service-oriented software architectures
• Service discovery and service brokerage
• Wireless networks, localization,content-to-device
  adaption
• Data exchange formats, location-based ontologies
• User requirements and preferences
• Mobile solutions in supply chain management
• Security

8
Security Challenges

• Anonymity
• Privacy of personal data
• Confidentiality of the communication
• Confidentiality of locally stored data
• Usability vs. security

9
Anonymity

• Mobile users require to hide their real identity
• Anonymity ensures that a user may use a resource
  or service without disclosing the user's identity
  1
• Service providers require a unique representation
  of users
• (partial) Solution
• Pseudonymity
• Pseudonyms are faked names (e.g. nicknames)

10
Unlinkability of Pseudonyms

• Linkability of pseudonyms may break anonymity
• unlinkability requires that users and/or
  subjects are unable to determine whether the same
  user caused certain specific operations in the
  system 1
• Mix-net 2 based solutions not flexible
• Future Research
• Analyzing existing protocols and enhancing them
  to satisfy m-business unlinkability

11
Mix-net

• Mix
• Computer between sender and receiver
• Decrypts messages and forwards to receiver

Sender
Receiver
Mix-net
KM(R1, KR(R0,M), Addr_R)
KR(R0,M)
12
Privacy of Personal Data

• Service providers request different kinds of
  personal data (even only for profiling of users)
• Personal data is private, especially location
• Privacy is the ability and/or right to protect
  your personal secrets 4
• Solution
• Identity Manager 5
• P3P 6

13
Identity Manager

• Enables full control of personal data
• Presents an interface for
• creating different virtual IDs
• binding a subset of personal data to each ID
• During communication with a service provider, the
  user chooses a suitable ID for this particular
  type of communication
• Before any personal data is sent to a service
  provider, the user is asked to allow this
  transmission

14
Identity Manager (cont.)
quoted from http//tserv.iig.uni-freiburg.de/telem
atik/forschung/projekte/kom_technik/atus/idm-demo/
15
Confidentiality of the Communication

• Communication messages contain sensitive
  information e.g.
• personal data, credit card numbers, location,
  queries of users
• results from broker
• registration data of providers
• Any mobile device can receive data transmitted
  over air
• Confidentiality ensures that unauthorized
  disclosure of personal data is not possible
• Solution
• End-to-end security (e.g. SSL-based protocol)
• Future research
• How to avoid SSL-handshake delay

16
Confidentiality of Locally Stored Data

• Thefts are very common in the mobile world
• Users local data (e.g. profiles, passwords,
  private keys, etc.) should be protected from
  unauthorized disclosure
• Solution
• Two-factor authentication
• Password-based encryption

17
Usability vs. Security

• Trade-off usability and security users prefer
  usability
• weak, easily-guessable passwords
• digital certificates
• Different sensitivity of users for security
• Enhance usability and security according to
  personal needs
• Solution
• Dynamically configurable security policy
  management system

18
Usability vs. Security (cont.)

• Components of a dynamically configurable security
  policy management system
• Password Manager
• Single-Sign-On
• Security Level Manager
• Identity Manager

19
Research Focus

• Design an open security architecture which can
  easily be integrated within the m-business
  application framework

20
Remarks

• Workshop
• 22.03.2005 - Public Workshop on Mobile Business
  organized by the University of Mannheim
• Mobile Business Geschäftsfelder und
  Softwaretechnologien
• More Information
• http//www.m-business.uni-mannheim.de/workshopMBus
  iness/mBusinessWorkshop.htm
• Hiwi Jobs, Studien-, Bachelor- and
  Diplomarbeiten
• Emin Islam Tatli
• A5,6 B105 tatli_at_th.informatik.uni-mannheim.de
• Dirk Stegemann
• A5,6 B125 stegemann_at_th.informatik.uni-mannheim.d
  e
• ... and co-workers in the project

21
References
1 ISO99 ISO IS 15408, 1999, http//www.commoncriteria.org.
2 D. Chaum. Untraceable Electronic Mail, Return Ad- dresses, and Digital Pseudonyms. Communications of the ACM, 1981.
3 D. Chaum. The Dining Cryptographers Problem Unconditional Sender and Receipient Untraceability. Journal of Cryptography, 1988.
4 Anderson R., Security Engineering, Wiley Computer Publishing, 2001.
5 U. Jendricke , D. Gerd tom Markotten, Usability meets security - the Identity-Manager as your personal security assistant for the Internet, Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), p.344, December 11-15, 2000.
6 W3C, P3P (Platform for Privacy Preferences Initiative), http//www.w3.org/P3P/.
7 OpenCA Research \ Development Labs, www.openca.org.
8 eTrust Pki, http//www3.ca.com/Solutions/Product.asp?ID2623.
9 Netscape Certificate Management System, http//enterprise.netscape.com/products/identsvcs/certmgmt.html.
10 Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland. Rogue Access Point Detection using Temporal Traffic Characteristics.'' Appeared in the Proceedings of IEEE GLOBECOM 2004, December 2004.
11 Preventing Internet Denial-of-Service using Capabilities, Tom Anderson, Timothy Roscoe and David Wetherall. Proceedings of the Second Workshop on Hot Topics in Networking (HotNets-II), Cambridge, MA, USA, November 19-20, 2003.
22
Security Challenges of Location-Aware Mobile
Business
Thank you for your attention !

• Emin Islam Tatli, Dirk Stegemann
• Theoretical Computer Science, University of
  Mannheim
• February 2005