Re: None

Monday, 11/07/2005 9:02:35 PM

Post# of 249233
Enhancing mobile security

http://istresults.cordis.lu/index.cfm/section/news/tpl/article/BrowsingType/Features/ID/79247


Security and privacy are increasingly an issue for users of mobile communications. Two European projects assessed ways of improving security and their results have influenced international standards in wireless LAN, Bluetooth and public key infrastructure.
Under the IST project SHAMAN, researchers focused on security infrastructures for two increasingly important aspects of mobile communications. First, the ability of the mobile user to roam globally and to connect to the network and its services, using various access networks including wireless LAN and Bluetooth. Second, the development of mobile terminals featuring wireless components – some of which are worn – made up of dynamically configurable components.

“We looked beyond 3G, as future mobile communications will include a mix of networks, among them 2G, wireless LAN and other radio interfaces into the IP-based core network,” says project coordinator Nigel Jefferies. “Our goal was to secure this more complex network.”

The partners identified gaps in security architectures before developing concrete solutions using existing technology, rather than an end-to-end solution. The main gaps were user authentication and the wireless challenge of securing a device before it gets onto the network.

Authentication via imprinting
“One solution,” says the coordinator, “was a new method to set up a Personal Area Network (PAN), even when the devices involved are simple, such as headphones. Our imprinting method involves authenticating each device through software and user input such as passwords.”

Imprinting allows all necessary public keys to be created in the network and then communicated in the network without further input. Users can then set up a PAN around them and control how it connects to the network.

The project developed several imprinting protocols for components with a variety of different user interfaces, for both secret and public key-based security techniques. Also developed was a personal Public Key Infrastructure (PKI) to support PAN security mechanisms based on the use of certificates issued by a personal Certification Authority. All this work was fed into specifications used by the Bluetooth Group.

For mobile network services, the project explored security architectures for existing and new forms of payment. It developed non-subscription payment methods allowing users to roam between networks without having subscriptions to all of them.

“It’s a sort of automatic pay-as-you-go system via your own provider or by using a credit card or electronic purse,” says Jefferies. The project’s Authentication, Authorisation and Accounting (AAA) research was fed into the Internet Engineering Task Force’s Protocol for Carrying Authentication for Network Access work group.

Several SHAMAN partner companies are currently building on the earlier project's work on mobile security - such as the dynamic roaming system with automatic set-up - under the IST project Ambient Networks.

Nomadic security
Under the IST project UBISEC researchers assessed new business areas and technologies originating from the integration of public wide area networks, such as cellular and Internet, and private corporate and home/small business local area networks.

“SHAMAN looked at seamless mobility security and addressed security at network level. UBISEC focuses on the applications level, which is best suited for securing the nomadic mobility mode,” says UBISEC’s coordinator Dr Heinz-Josef Eikerling.


“Our goal was to enable secured ubiquitous computing – keeping user privacy and protecting such assets as computing devices, their software and data,” he adds. “So a mobile user can roam around and securely and conveniently get access to certain services and applications, as well as background information associated with those applications.”

To achieve the sort of advanced infrastructure envisaged by the project, the partners looked at large-scale mobility and security based on smartcard technologies. “These technologies can identify services available to the user,” says Eikerling. “They then securely authenticate the user to the services, check authorisation to use them and customise services to the user's needs.”

This process requires context information, such as the location of the user. It also needs some information attached to local content based on user profile information, for example on the mobile device or taken from the network infrastructure.

Services also need to be customised. For example, users wanting multimedia applications must choose a screen resolution to be rendered to the mobile device at a bandwidth of 100 Kb per second. But if they are close to a wireless LAN hotspot, they could select two Mb per second for full MPEG2 streaming.

Though it is not technically difficult to do all this, it is hard to get information from different sources. “Part of the profile information is on the local device, so we favour smartcards for identity,” adds the coordinator. “But we may need other (potentially less protected and critical) information residing on a network resource, for example for the specific device's capability in terms of display size and communication features.”

The project-developed architecture allows distribution of profile information. At its core is the profile access manager, which handles requests to retrieve profile information and does authentication and authorisation. Because this is transparent to users, they need not worry about manual configuring.

The three steps involved in the process are service discovery, applying authentication schemes, and customisation. Service discovery is done with software and is protocol independent, thus working with wireless LAN, Bluetooth or cellular protocols. Two of the service discovery protocols can be downloaded as open-source software.

The project architecture’s specifications and design are being validated in home, car and office environments. In Spain, for example, the partners tested a gateway giving access to several networks. Says Eikerling: “Our software runs on top and the mobile device works through this gateway. So one can move around the home or office, or in between the two. The system keeps information about the context of the user. So if they have to leave home while watching a video, the stream is broken and later picked up where it left off, whenever it is possible to access a wireless connection.”

Security was identified as very important, because these issues are blocking wider dissemination of mobile networks and more advanced services running on them. Mobile security is tough to achieve, at least for the application area addressed by the project, because something that is not always connected to a network resource has no trusted third parties, unlike fixed-line networks which rely on the continuous availability of centralised security infrastructure.

Yet Eikerling believes secured ubiquitous computing is feasible, thanks in part to work done under his project. That includes an enhanced PKI, involving key management for certificates localised to mobile devices.

“Our project’s work on mobile security, customisation management, and service discovery paves the way for more efficient mobile service development, a process involving many parties from applications development to billing and charging,” adds Eikerling.


