1 Security infrastructures for CNs Dr. István MEZGÁR Hungarian Academy of Sciences [email protected]

Post on 18-Dec-2015

2

Structure of the lecture

• Introduction,
• Definitions and connections,
• Demands of security in a CN,
• Fields and elements/components of security,
• Security components and technologies for CNs,
• Wireless technologies and their security,
• Trends in security,
• Conclusions.

3

Goal of the lecture

The goal is to give an overview of the security HW & SW elements and technologies that can be applied in collaborative networks. This overview does not intend to go into details (because of the strongly limited time-frame of the lecture), but rather to give the audience possible starting points for finding the direction of solutions to security problems in a CN.

4

Definitions and relations

5

What is security?

• Security can be defined as the state of certainty that computerized data and program files cannot be accessed, obtained, or modified by unauthorized personnel.

• Security is conscious risk-taking, a practice of risk management, so the proper security level must be applied in every phase of a computer system’s life cycle. Security must be strong enough that attacking the system is not worthwhile, because the investment required for an attack would be higher than the expected benefits.

6

Security in practice

• There is no open system that is completely secure (NO 100 % security!).
• Increases in system security typically decrease system performance and usefulness.
• At different system levels different security solutions have to be applied, and these separate parts have to cover the entire system consistently.
• Important role of human beings/users!

7

Security Infrastructure

• Infrastructure is the set of interconnected physical and immaterial components that provide the framework required for a particular system to function properly.

• In case of Security Infrastructure this means computer and network security HW and SW components, security organization & technologies, and organized staff training.

8

Connection between trust and security

• When do people feel safe and secure in a system/network, and what causes these feelings?

• "The feeling of security experienced by a user of an interactive system is determined by the user's feeling of control of the interactive system". The more a user feels in control of an interactive program, the more the user will trust the site, the program and the service represented by the site.

(D’Hertefelt, 2000)

9

Definition of trust

Trust can be defined as a psychological condition comprising the trustor’s intention to accept vulnerability based upon positive expectations of the trustee’s intentions or behaviour (Rousseau et al. 1998). Those positive expectations are based upon the trustor’s cognitive and affective evaluations of the trustee and the system/world as well as of the disposition of the trustor to trust.

10

Types of trust

• Intrapersonal trust - trust in one’s own abilities;
• Interpersonal trust - expectation based on cognitive and affective evaluation of the partners;
• System trust - trust in depersonalised systems (e.g. legal system, technology);
• Object trust - trust in non-social objects; trust in its correct functioning (e.g. in an electronic device).

(Luhman 1979).

11

Trust building

Psychology (human-human)
– Face-to-face (direct contact)
– Without contact (virtual teams)

Technical (human-system)
– Interfaces (menu structure, graphical, control)
– Security services (confidentiality, integrity, authentication, access control, non-repudiation)

12

Role of interfaces

• The interface is the connection between humans/computers,
• Information Society - everybody is a user,
• Mobility is a demand,
• Multimodal & “All Senses” interfaces,
• “For All or Abled Bodied Only”.

13

Security and Collaborative Networks

14

CN and security

• During communication in a CN, a huge amount of extremely valuable technical data and information (development, product and process data besides business information) is moving through the network, making security a vital concern.

• The management of collaborative networks will also be controlled from mobile devices in the near future, so the security problems of mobile communication are of vital importance.

15

Specialties of CN

• Very frequent communication on different channels,
• Type of communication - different mobile, wireless, wired,
• Availability at any time at any place – wireless mobile,
• Data validity became shorter,
• Content of communication can be voice, data, multimedia, …
• Not formal - many human-to-human connections.

16

CN security requirements

• Same level protection of all types of enterprise data (for all companies forming the CN),
• Privacy and integrity of all types of documents during all phases of storage and communication (Data and communication security – Certification, Encryption),
• To enable companies confidential access control,
• Authorization and authentication of services (digital signature).

17

Life cycle phases of CN and the needed trust-types and the realization mechanisms

| Life cycle phases of networked production system | Types of trust needed | Security services to be applied | Security mechanisms |
|---|---|---|---|
| Forming NO | Intrapersonal, Interpersonal, System | Authentication, Confidentiality | Encryption |
| Start-up operation | Interpersonal, System, Object | Authentication, Confidentiality, Integrity, Non-repudiation | Encryption, Checksums/hash algorithms |
| Operation | System, Object | Access control, Authentication, Confidentiality, Integrity, Non-repudiation | Encryption, Digital signatures |
| Closing operation | Interpersonal, System, Object | Access control, Authentication, Confidentiality, Integrity, Non-repudiation | Encryption, Digital signatures |
| Break-up NO | Interpersonal, System | Access control, Authentication, Confidentiality, Integrity, Non-repudiation | Encryption, Digital signatures |

18

Fields, elements and technologies of security

19

Fields of computer security

| | Organization security | Personal security | Network (channel) security | Computer (end point) security |
|---|---|---|---|---|
| SW security | Definition of security policy (e.g. access rights) | Employment of trained and reliable staff | Using tested network SW tools, continuously checked communication channels and well configured network elements | Using tested application SW tools, a continuously checked operation system, and properly configured HW systems |
| HW security | Placing the computers in a secure location of the building and offices | Physical identification technologies (fingerprints, etc.) | Prevent direct or close access to network cables, or application of special technologies | Prevent direct physical access to computers by unauthorized persons, or close access in an electromagnetic way |

20

Computer & environment security

| Levels | Function of the level | Example | Security method, technology, tool, etc. | What type of security activities are done on the level |
|---|---|---|---|---|
| User interfaces | To help the user to use the computer HW and SW possibilities (USEABILITY) | Xwindow, pop-up menus, sensitive surfaces (e.g. HTML, Windows help) | Password protected screen saver | Secure access to the information displayed on the screen; filtered access to sensitive data (Excel cell hiding) |
| Applications | To help the user in solving the given tasks through different program packages (FUNCTIONALITY) | Word processors, image editors, Excel, MatLab, etc. | Cryptography SW, password protected appearance of programs or information | Secure use of applications and applications related files |
| Basic SW and communication | To manage data, applications and communication tasks. | Networking SW, WWW browsers, file managers, archivation programs | Password protected archives and file systems | Secure use of SW and the SW related files |
| Operation system | To solve OS dependent tasks by a specific HW based, more specific SW. | DOS, Windows versions, UNIX versions, VMS, Mainframe, Macintosh | User authorization file (SYS$UAF.DAT on VMS, /etc/passwd on UNIX - /etc/shadow on secure UNIX…) and ACL files (Access Control List) and different rights for different groups/entities. | Secure use of OS and OS related programs, and files. |
| Hardware | To help in extending the computer’s capabilities: printing, scanning, presenting on monitor or by a miller machine in different materials, store data, etc. | Printer, monitor, mouse, scanner, plotter | Physical security, tokens, smart cards, HW locks | To guarantee the secure physical access to the computer itself. |
| Environment | To extend the computer’s capacity in connection with the outside world: phone-modem, ATM-line, ISDN-line, Internet, telescope or other tool’s control, etc. | Ethernet card, modem, camera, fax, microphone, head-set | Security policy, environment security, security and disaster plan, education… | To guarantee the secure physical access to the computer environment |

21

Network security

| Layer number | Layers of the OSI reference model | TCP/IP protocols | Security protocols | Security method, technology, tool, etc. | What type of security activities are done on the level |
|---|---|---|---|---|---|
| 7. | Application | FTP, SMTP, TELNET, SNMP, NFS, Xwindows, NNTP, IRC, HTTP, WAP | S/MIME, PEM, PGP, MOSS; S-HTTP, SET; SMTP | Firewall (typical) - application level to check digital signatures; authentication protocols; encryption protocols; virus scanner (memory resident) | Identification of the user; authenticate messages; encryption of messages; virus scanning in active mode. |
| 6. | Presentation | ASCII, EBCDIC, ASN1, XDR | | Firewall - max. filter of images, like Netscape “show images” checkbox filtered by the HTTP server! | Filter, or hide of information (e.g. at password typing) |
| 5. | Session | RPC | SSL, SSH | Firewall - filtering the query/request | Filter of disallowed requests/services |
| 4. | Transport | TCP, UDP | TLS (Transport Layer Security Protocol), WAP/WTLS | Firewall - coded/encrypted transportation; screening router (filtering) | Digitally coded/encrypted transport after authentication of the next transmission party |
| 3. | Network | IP | IPv6 | Screening router (filtering) - Firewall - NW level, mainly in router to filter false/untrusted/not authentic IP addresses | Encryption and DNS filter |
| 2. | Data link | X.25, SLIP, PPP, Frame Relay | | Screening router (filtering) | Link encryption |
| 1. | Physical | LAN, ARPANET | Electromagnetic Emission standard (89/336/EEC - European Economical Community guideline) | Screening router (filtering), e.g. without valid Ethernet card address declined access, or by an address in a specified domain: limited access | Physical security methods and tools, mainly not information techniques! |

22

Security hierarchy

• Security policy,

• Security services,

• Security mechanisms,

• Mechanisms are implemented through algorithms.

23

Security policy

• A security policy identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources. Furthermore, it puts into writing an organization’s security posture, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

24

Types of computer security policy

• Program-level policy is used to create an organisation’s computer security program.

• Program-framework policy establishes the organisation’s overall approach to computer security (i.e., its computer security framework).

• Issue-specific policies address specific issues of concern to the organisation.

• System-specific policies focus on policy issues which management has decided for a specific system.

25

Security services

Confidentiality - Protects against disclosure to unauthorised identities.

Integrity - Protects from unauthorised data alteration.

Authentication - Provides assurance of someone's identity.

Access control - Protects against unauthorised use.

Non-repudiation - Protects against originator of communications later denying it.

26

Confidentiality

• Confidentiality can be achieved by technologies that convert/hide the data, text into a form that cannot be interpreted by unauthorized persons. Encryption is the major technique in generating confidentiality.

27

Integrity

• A message integrity check ensures that information has not been altered in transit by unauthorized persons in a way that is not detectable by authorized users. In combination with a key, a message integrity check (or checksum, or keyed hash) ensures that only the holders of the proper key are able to modify a message in transit without detection.
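The difference between a plain checksum and a keyed hash, as an added example that is not part of the original lecture: it uses Python's standard `hashlib` and `hmac` modules, and the key, the order messages and all function names are constructed for illustration. It goes one step beyond the slide by also showing why a shared-key check gives authentication between the two partners but not non-repudiation.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data (assumptions, not from the lecture): a key shared by
# two CN partners and an order message sent from one to the other.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
ORDER = b"order=4711;part=gear-housing;qty=100"
ALTERED = b"order=4711;part=gear-housing;qty=900"


def checksum(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone who sees the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_hash(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only holders of `key` can compute a matching value."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_checksum(message: bytes, value: str) -> bool:
    return hmac.compare_digest(checksum(message), value)


def verify_keyed_hash(key: bytes, message: bytes, value: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not reveal
    # how many leading characters of the expected value were correct.
    return hmac.compare_digest(keyed_hash(key, message), value)


def alter_without_key(new_message: bytes) -> tuple[bytes, str]:
    """Model of a modification in transit by a party that lacks the key:
    the message is replaced and the only computable value, the plain
    digest, is recalculated to match it."""
    return new_message, checksum(new_message)


def run_checks() -> dict[str, bool]:
    results: dict[str, bool] = {}

    # 1. Unmodified message: both kinds of check accept it.
    results["checksum_accepts_original"] = verify_checksum(ORDER, checksum(ORDER))
    results["keyed_accepts_original"] = verify_keyed_hash(
        SHARED_KEY, ORDER, keyed_hash(SHARED_KEY, ORDER))

    # 2. Message altered in transit, integrity value recomputed without the key.
    #    The plain checksum still verifies, so the change goes unnoticed;
    #    the keyed hash does not verify.
    message, value = alter_without_key(ALTERED)
    results["checksum_detects_alteration"] = not verify_checksum(message, value)
    results["keyed_detects_alteration"] = not verify_keyed_hash(
        SHARED_KEY, message, value)

    # 3. Altered message sent with the tag of the original message.
    results["keyed_detects_stale_tag"] = not verify_keyed_hash(
        SHARED_KEY, ALTERED, keyed_hash(SHARED_KEY, ORDER))

    # 4. The receiver holds the same key and can therefore produce a valid tag
    #    for any message. A third party cannot tell which partner created it:
    #    integrity and authentication, but no non-repudiation.
    results["receiver_can_produce_valid_tag"] = verify_keyed_hash(
        SHARED_KEY, ALTERED, keyed_hash(SHARED_KEY, ALTERED))
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

Case 4 is the reason the lecture assigns non-repudiation to digital signatures, where only the signer holds the private key.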

28

Authentication

• Authentication is the process of identifying an individual. The typical computer based methods involve user ID/password, biometric templates or digitally signing a set of bytes using a keyed hash. Authentication usually relies on either direct knowledge of the other entity (shared symmetric key or possession of the other person's public key), or third party schemes.

29

Access control

• Access control is the process of giving a user permission to access network resources after the user has been authenticated through e.g. username and password. The type of information and services the user can access depends on the user's authorization level.

30

Non-repudiation

• Non-repudiation provides a method to guarantee that a party to a transaction cannot falsely claim that they did not participate in that transaction. In the real world, hand-written signatures are used to ensure this.

31

Security mechanisms

• Encryption is used to provide confidentiality, and can also provide authentication and integrity protection.
• Digital signatures are used to provide authentication, integrity protection, and non-repudiation.
• Checksums/hash algorithms are used to provide integrity protection, and can also provide authentication.

One or more security mechanisms are combined to provide a security service.

32

Security mechanisms and services

Encrypt. Hash funct. Dig.sign.

Privacy or confidentiality X

Integrity X X X

Authentication X X X

Access control X

Non-repudiation X X

33

Basic steps of a security system design process

• Definition of threats and their attack types from which the system has to be protected.
• The degree of protection that should be applied.
• The place and mode of the protection that should be applied.
• Selection of security mechanisms and services.
• Selection of HW and SW solutions.

34

Most frequent types of attacks in US

The 2005 CSI/FBI Computer Crime and Security Survey

| Type of attack | About, in % |
|---|---|
| Virus | 75 |
| Insider abuse of net access | 50 |
| Laptop/mobile theft | 50 |
| Unauthorised access | 33 |
| Denial of service | 33 |
| Abuse of wireless network | 18 |
| System penetration | 16 |
| Telecom fraud | 10 |
| Theft of proprietary information | 8 |
| Financial fraud | 7 |
| Misuse of public WEB application | 5 |
| Sabotage | 2 |

35

Security technologies used in the US

| Security technologies | About, in % |
|---|---|
| Firewalls | 97 |
| Anti-virus SW | 96 |
| Intrusion detection system | 72 |
| Server-based access control | 70 |
| Encryption for data transmission | 68 |
| Reusable account/login password | 52 |
| Encrypted files | 46 |
| One-time password token (smart card) | 42 |
| Public Key Infrastructure | 35 |
| Intrusion prevention system | 35 |
| Biometrics | 15 |

36

Tools, methods and techniques for security

• Security Architectures

• Firewalls

• Virus defense

• Encryption

• Identification of persons (not the equipment) - biometry

• Smart cards

37

Security architectures

• The security architectures represent a structured set of security functions (and the needed hardware and software methods, technologies, tools, etc.) that can serve the security goals of the distributed system. In addition to the security and distributed enterprise functionality, the issue of security is as much (or more) a deployment and user-ergonomics issue as technology issue.

38

Security solutions for VE

Complex solutions in reference architectures

In NIIIP (National Industrial Information Infrastructure Protocols), secure communication can be implemented at three levels:
– IP level - protocol security,
– OMG level,
– NIIIP level - data encryption.

In PRODNET (EU project) Communication Infrastructure:
– privacy,
– authentication,
– integrity,
– logging information is stored.

39

Client security in NIIIP

40

The Architecture of PRODNET Communication Infrastructure (PCI)

[Figure: block diagram with the components SECURITY, PICM (PRODNET Intelligent Communication Manager), MCI (Message Class Identifier), Multi Protocol Access Control, SMTP/POP3, Web Proxy, CGI, TCP/IP, ..., API (RPC and DLL)]

41

Firewall

   

A network firewall protects a computer network from unauthorized access. Network firewalls may be hardware devices, software programs, or a combination of the two. Network firewalls guard an internal computer network (home, school, business intranet) against malicious access from the outside. Network firewalls may also be configured to limit access to the outside from internal users.

42

Why HW firewall

• A typical unprotected PC will come under attack within several minutes of being connected to the Internet.

• HW firewalls are simpler to use than software firewalls, and they don't have any [performance] impact on the computer,

• A HW firewall doesn’t cause problems when installing new SW on the system, and the firewall cannot be taken out.

43

Virus defence

• Viruses and other malicious code (worms and Trojans) can be extremely destructive to vital information and to the computing systems of both individuals and businesses. There are big advances in anti-virus technology, but malicious code remains a permanent threat. The reason is that even the highest-level security technology can only be as effective as the users who operate it. In the chain of computer security, human beings seem to be the weakest point, so there is no absolute security in virus defence.

44

Encryption

Encryption is a process of translating a message, called the Plaintext, into an encoded message, called the Ciphertext. This is usually accomplished using a secret key and a cryptographic Cipher.

• Symmetric Encryption, where a single secret key is used for both encryption and decryption.

• Asymmetric Encryption, where a pair of keys is used -- one for Encryption and the other for Decryption.

Problems of strong Encryption - algorithms are freely available everywhere on the Internet – some states prohibit their use.

45

Encryption Algorithms

• RSA – 1977, Ron Rivest, Adi Shamir and Len Adleman; the most popular method for public key encryption and digital signatures.

• DES - symmetric block cipher with 64-bit block size using 56-bit keys. Not secure against attacks! 3DES has a cumulative key size of 112-168 bits.

• BLOWFISH - Bruce Schneier 1993. Variable-length key, from 32 to 448 bits. Strong encryption algorithm.

• International Data Encryption Algorithm (IDEA) - Dr. X. Lai and Prof. J. Massey early 1990. 128 bit key, fast algorithm implemented in hardware chipsets.

• Advanced Encryption Standard (AES) - Rijndael algorithm. US Government standard, May 26, 2002.

46

Public key infrastructure

Public key infrastructure (PKI) is the most widely applied technology on public networks such as the Internet. PKI is a framework encompassing the laws, policies, standards, hardware, and software to provide and manage the use of public key cryptography. This is a method of encryption that uses a pair of mathematically related keys: a public key and a corresponding private key. Either key can be used to encrypt data, but the corresponding key must be used to decrypt it. This method is also called asymmetric encryption.

47

Digital signature

A digital signature is data that binds a sender's identity to the information being sent. A digital signature may be attached to any message, file, or other digitally encoded information, or transmitted separately. Digital signatures are used in public key environments and provide non-repudiation and integrity services.

48

Biometry

Generally, biometrics refers to the study of measurable biological characteristics. In computer security, biometric technologies are defined as automated methods of identifying or authenticating the identity of a living person based on his/her physiological (e.g. fingerprint, hand, ear, face, eye – iris/retina) or behavioural (e.g. signature, voice, keystroke) characteristics. This method of identification is preferred over current methods involving passwords and PIN numbers because the person to be identified is required to be physically present at the point of identification, so the person (the user) is identified, not the device as in the case of PIN and password.

49

Biometry approaches

| Method | Individuality | Invariability | Falsification | Deceive | Forcing | Twins | Realisation |
|---|---|---|---|---|---|---|---|
| DNA | perfect | OK | From a hair | copy | Not avoidable | [?] | Complex, costly |
| Fingerprint | Close perfect | Accident, oper. | OK | Mission Impossible | Another finger | 92% | works |
| Palm | OK | Accident, oper. | OK | OK | undetectable | [?] | works |
| Iris | perfect | OK | OK | OK | Only eye can be seen | [?] | works |
| Retina | perfect | OK | OK | OK | Only eye can be seen | [?] | dangerous |
| Handwriting | OK | Some time after | Dynamics imposs. | Not possible | probably [?] | Can be distinguished | Needs developm. |
| Voice | OK | Flu enough | OK | Tape recorder | Only listening/voice analysis | Can be heard | Works, complex |
| Visual | OK | OK | OK | OK | Can be seen the number | Pretty similar | Too complex |
| Smelling | [?] | Alters quickly | [?] | Theft of cloth | [?] | [?] | [?] |

© By Bernát Balázs, Jakabfy Tamás - Eötvös Loránd Tudományegyetem, Budapest

50

Smart Card (ISO 7816)

51

Inside smart card

Present

CPU - 8..64 bit

RAM - 256..4KB

ROM- 32 ..128 KB

EEPROM, NV RAM, Flash, - KB…..MB

Future

FRAM - 64KB

ROM- 128 MB

52

Applications

53

Wireless technologies and their security

54

Wired security

At the beginning of networking the main need was reliable operation, but secure and authentic communication has become a key factor today. According to Internet users, security and privacy are the most important functions to be ensured, and according to different surveys the number of Internet users could double or triple if security were increased. The main reason for the increased demand is the spread of electronic commerce through the Internet, where money transactions amounting to millions of dollars are made every day.

55

TCP/IP and security protocols in the network

| Layer number | Layers of the OSI reference model | TCP/IP protocols | Security protocols |
|---|---|---|---|
| 7. | Application | FTP, SMTP, TELNET, SNMP, NFS, Xwindows, NNTP, IRC, HTTP, WAP | S/MIME, PEM, PGP, MOSS; S-HTTP, SET; SMTP |
| 6. | Presentation | ASCII, EBCDIC, ASN1, XDR | |
| 5. | Session | RPC | SSL, SSH |
| 4. | Transport | TCP, UDP | TLS (Transport Layer Security Protocol), WAP/WTLS |
| 3. | Network | IP | IPv6 |
| 2. | Data link | X.25, SLIP, PPP, Frame Relay | |
| | | | Electromagnetic Emission standard (89/336/EEC - European Economical Community guideline) |

56

Trends of wireless applications

According to market researcher Gartner

• 45 percent of the American workforce is using mobile technology of some kind, including laptops, PDAs, and new sensor networks.

• By 2007 more than 50 percent of enterprises with more than 1,000 employees will make use of at least five wireless networking technologies.

57

Enterprises and wireless technology

Possibilities/demands

• enterprises need new business-communication strategies,

• possibilities for new resources,

• new information/security infrastructures.

58

Types of Wireless Networks

Based on their coverage range WNs can be categorized into five groups:
• Satellite communication (SC),
• Wireless Wide Area Networks (WWAN),
• Wireless Metropolitan Area Network (WMAN),
• Wireless Local Area Networks (WLAN) and
• Wireless Personal Area (or Pico) Network (WPAN).

59

| Wireless network type | Operation frequency | Data rate | Operation range | Characteristics |
|---|---|---|---|---|
| Satellite | 2170–2200 MHz | Different (9.6 kbps - 2 Mbps) | Satellite coverage | Relative high cost, availability |
| WWAN | | | | |
| GSM (2-2.5 G) | 824-1880 MHz | 9.6 - 384 kbps (EDGE) | Cellular coverage | Reach, quality, low cost |
| 3G/UMTS | 1755-2200 MHz | 2.4 Mbps | Cellular coverage | Speed, big attachments |
| iMode (3G/FOMA) | 800 MHz | 64 - 384 kbps (W-CDMA) | Cellular coverage | Always on, easy to use |
| FLASH-OFDM | 450 MHz | Max. 3 Mbps | Cellular coverage | High speed, respond time less than 50 milliseconds |
| WMAN | | | | |
| IEEE 802.16 | 2-11 GHz | Max. 70 Mbps | 3-10 (max. 45) km | Speed, high operation range |
| WLAN | | | | |
| IEEE 802.11a | 5 GHz | 54 Mbps | 30 m | Speed, limited range |
| IEEE 802.11b | 2.4 GHz | 11 Mbps | 100 m | Medium data rate |
| IEEE 802.11g | 2.4 GHz | 54 Mbps | 100-150 m | Speed, flexibility |
| WPAN | | | | |
| Bluetooth | 2.4 GHz | 720 kbps | 10 m | Cost, convenience |
| UWB | 1.5 – 4 GHz | 50-100 Mbps | 100-150 m | Low cost, low power |
| ZigBee | 2.4 GHz, 915 - 868 MHz | 250 Kbps | 1-75 m | Reliable, low power, cost effective |
| Infrared | 300 GHz | 9.6 kbps - 4 Mbps | 0.2-2 m | Non interfere, low cost |
| RFID | 30-500 KHz, 850-950 MHz, 2.4-2.5 GHz | linked to bandwidth, max. 2 Mbps | 0.02–30 m | High reading speeds, responding in less than 100 milliseconds |

60

Security Technologies for Wireless communication

Secure communication is a key point of every type of wireless communication

• In enterprises/organizations a big amount of extremely valuable technical data and information (development, product, process data beside business information) are moving through the network, making security a vital concern.

• Wireless technologies are more sensitive for attacks (e.g. sniffing of Wi-Fi).

61

Complexity of wireless apps.

62

Wireless security

There are a variety of simple security procedures to protect the Wi-Fi connection. These include enabling 64-bit or 128-bit Wi-Fi encryption (Wired Equivalent Privacy - WEP), changing the password or network name and closing the network.

WEP and other wireless encryption methods operate strictly between the Wi-Fi computer and the Wi-Fi access point or gateway. When data reaches the access point or gateway, it is unencrypted and unprotected while it is being transmitted out on the public Internet to its destination — unless it is also encrypted at the source with SSL or when using a VPN (Virtual Private Network). WEP protects the user from most external intruders, but WEP also has known security holes.

63

VPN (Virtual Private Network)

VPN works by creating a secure virtual "tunnel" from the end-user's computer through the end-user's access point or gateway, through the Internet, all the way to the corporation's servers and systems. It also works for wireless networks and can effectively protect transmissions from Wi-Fi equipped computers to corporate servers and systems.

The special VPN software on the remote computer or laptop uses the same encryption scheme, enabling the data to be safely transferred back and forth with no chance of interception.

64

VPN components

• The best processors are designed for advanced networking applications like virtual private networking (VPN) broadband routers, wireless access points, VPN edge router/gateways, firewall/VPN appliances, and other network and customer premise equipment. Some of them can handle a variety of IPsec and SSL/TLS protocols including DES, 3 DES, AES and public key. In addition to IPsec and SSL protocols, the temporal key integrity protocol (TKIP) and AES counter mode encryption can be also supported.

65

VoIP application

• Voice over Internet Protocol (VoIP), is a technology that allows people to make telephone calls using a broadband Internet connection instead of a regular (or analog) phone line. VoIP technologies convert digitized voice into data packets that are encapsulated in Internet protocol.

• Security – can be a hole in the enterprise system - prohibited applications

66

RFID applications

• The main purpose of the RFID (Radio Frequency Identification) technology is the automated identification of objects with electromagnetic fields. RFID systems have three basic components: transponders (tags), interrogators (readers or scanners) and middleware (application systems) for further processing of the acquired data.

• Problems with security – memory capacity, air interface.

67

Mobile security

Mobile security is inherently different from LAN-based security. The basic demands for privacy (confidentiality), integrity, authenticity and non-repudiation are even harder to meet, as the range of users is broader than in traditional networks. As security in the mobile world is more complex and different, it needs more advanced network security models; it can be stated that mobile communication is one of the biggest changes in the security market. Mobile security measures depend on the types of data and applications being mobilized. The more sensitive the data, the more effective the security measures that must be introduced.

68

Special considerations for mobile security

• “Two Factor Authentication” had to be introduced. This technology is used to verify both the device and the identity of the end-user during a secure transaction.

• Minimize end user requirements - user participation, involvement should be restricted to quick, easy and mandatory tasks.

• Implement WPKI authentication technology - WAP PKI (used by VeriSign) to maintain security. PKI, or Public Key Infrastructure, is a protocol enabling digital certificates on wired devices. WPKI is an adaptation of PKI for mobile devices that meets m-commerce security requirements.

69

WAP security model

There are three steps of the WAP security model:

- WAP gateway simply uses SSL to communicate securely with a Web server, ensuring privacy, integrity and server authenticity.

- WAP gateway takes SSL-encrypted messages from the Web and translates them for transmission over wireless networks using WAP’s WTLS security protocol.

- Messages from the mobile device to the Web server are likewise converted from WTLS to SSL. In essence, the WAP gateway is a bridge between the WTLS and SSL security protocols.

70

The WAP Security Model

71

Standards

• “Orange book” (Orange book, 1996) - an evaluation system to classify the reliability and security level of computer systems,

• The ISO/IEC 10181- (ISO, 1996) multi-part (1-8) “International Standard on Security Frameworks for Open Systems” addresses the application of security services in an “Open Systems” environment,

• The ISO/IEC 15408 standard (ISO, 1999) consists of three parts, under the general title “Evaluation Criteria for Information Technology Security”. It originates from the “Common Criteria” (CC).

72

Technical vision

• Complex networked ICT systems cover the whole globe - ubiquitous/ambient/etc. systems,
• Everybody intends/has to use the different systems (X billion users with very different user profiles – disabled, illiterate, criminals, researchers, etc.),
• New, extended, integrated applications – e.g. integrated mobile/wireless systems – Six-level MultiSphere Reference Model - PAN/BAN -> Cyber World,
• Mixed business and private applications,
• Communications among objects, humans and cymans (the synthetic counterparts of users in the virtual cyber-world – kind of autonomous avatars),
• Cyber World will be truly user centred.

73

Trends in security

• Agent-based technologies,

• Application of smart cards,

• General security architectures,

• Importance of standardization,

• Bio-inspired security,

• Quantum Cryptography,

• Nano-scale security mechanisms.

74

Conclusions

• Novel networking technologies are basic components in the communication of collaborative networks.

• Wireless technologies cause remarkable modifications in the structure, in the operation, in the collaboration techniques, in the cost structure and in business processes of networked organizations.

• Information systems of networked organizations will be always a security risk originating from their openness and flexibility.

• Complex, flexible security systems are needed that are user friendly and platform independent at the same time.

• New generations of networking technologies make significant changes in the cultural and social environments as well.

75

Useful URLs

• Internet Security Threat Reports - http://www.symantec.com/enterprise/threatreport/index.jsp
• Bruce Schneier weblog - http://www.schneier.com/
• About Viruses - http://www.mcafee.com/uk/
• NIST CSRC publications - http://csrc.nist.gov/publications/nistpubs/
• Guide to Information Technology Security Services – NIST, 2003 - http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf#search=%22computer%20security%20services%22
• MultiSphere Reference Model - www.wireless-world-research.org

76

Thanks for your attention