1

Security Challenges of Location-Aware Mobile Business

Emin Islam Tatlı, Dirk Stegemann

Theoretical Computer Science, University of Mannheim

February 2005

2

Outline

The Mobile Business Research Group

Context- and Location-awareness

Application Logic Framework

Security Challenges

Further Research

3

Mobile Business Research Group

Generic platform for location-based and context-based mobile business applications

Joint project of 7 research groups at the University of Mannheim

Cooperations with SAP AG, Walldorf CAS Software AG, Karlsruhe

Web: http://www.m-business.uni-mannheim.de/

4

Location and Context

Context = any information that can be used to characterize the situation of an entity

Examples: location, time, identity, level of mobility

A Context-based application considers context when providing its service.

5

Examples

Find the nearest haircutter

Display the special offers of nearby shops that sell men’s shirts

Find a pizza delivery service that can deliver my favorite pizza for less than 8 EUR within 15 minutes to my current location

Location-based Post-it

6

Application Logic

CONTEXT AWARE MOBILE BUSINESS SERVICES

RequestDispatcher

ServiceRegistrationService

Repository

MobileUser

ServiceProviderService

ProviderServiceProvider

1 - register2- service query3- service descriptions

4- service request

5- service result

7

Research Areas

Service-oriented software architecturesService discovery and service brokerageWireless networks, localization,content-to-device adaptionData exchange formats, location-based ontologies

User requirements and preferencesMobile solutions in supply chain management

Security

8

Security Challenges

Anonymity

Privacy of personal data

Confidentiality of the communication

Confidentiality of locally stored data

Usability vs. security

9

Anonymity

Mobile users require to hide their real identityAnonymity ensures that a user may use a resource or service without disclosing the user's identity [1]Service providers require a unique representation of users(partial) Solution Pseudonymity

Pseudonyms are faked names (e.g. nicknames)

10

Unlinkability of Pseudonyms

Linkability of pseudonyms may break anonymity„unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system“ [1]Mix-net [2] based solutions not flexibleFuture Research Analyzing existing protocols and enhancing them to

satisfy m-business unlinkability

11

Mix-net

Mix:Computer between sender and receiverDecrypts messages and forwards to receiver

Sender ReceiverMix-net

KM(R1, KR(R0,M), Addr_R) KR(R0,M)

Sender

Sender Receiver

Receiver

12

Privacy of Personal Data

Service providers request different kinds of personal data (even only for profiling of users)

Personal data is private, especially location

Privacy is “the ability and/or right to protect your personal secrets” [4]

Solution Identity Manager [5] P3P [6]

13

Identity Manager

Enables full control of personal data

Presents an interface for creating different virtual IDs binding a subset of personal data to each ID

During communication with a service provider, the user chooses a suitable ID for this particular type of communication

Before any personal data is sent to a service provider, the user is asked to allow this transmission

14

Identity Manager (cont.)

quoted from http://tserv.iig.uni-freiburg.de/telematik/forschung/projekte/kom_technik/atus/idm-demo/

15

Confidentiality of the Communication

Communication messages contain sensitive information e.g. personal data, credit card numbers, location, queries of users results from broker registration data of providers

Any mobile device can receive data transmitted over airConfidentiality ensures that unauthorized disclosure of personal data is not possibleSolution End-to-end security (e.g. SSL-based protocol)

Future research How to avoid SSL-handshake delay

16

Confidentiality of Locally Stored Data

Thefts are very common in the mobile world

User’s local data (e.g. profiles, passwords, private keys, etc.) should be protected from unauthorized disclosure

Solution Two-factor authentication Password-based encryption

17

Usability vs. Security

Trade-off usability and security: users prefer usability weak, easily-guessable passwords digital certificates

Different sensitivity of users for securityEnhance usability and security according to personal needsSolution Dynamically configurable security policy

management system

18

Usability vs. Security (cont.)

Components of a dynamically configurable security policy management system Password Manager Single-Sign-On Security Level Manager Identity Manager

19

Research Focus

Design an open security architecture which can easily be integrated within the m-business application

framework

20

Remarks

Workshop 22.03.2005 - Public Workshop on Mobile Business organized by the

University of Mannheim Mobile Business: Geschäftsfelder und Softwaretechnologien More Information:

http://www.m-business.uni-mannheim.de/workshopMBusiness/mBusinessWorkshop.htm

Hiwi Jobs, Studien-, Bachelor- and Diplomarbeiten: Emin Islam Tatlı

A5,6 B105 – tatli@th.informatik.uni-mannheim.de Dirk Stegemann

A5,6 B125 – stegemann@th.informatik.uni-mannheim.de ... and co-workers in the project

21

References[1] ISO99 ISO IS 15408, 1999, http://www.commoncriteria.org.

[2] D. Chaum. Untraceable Electronic Mail, Return Ad- dresses, and Digital Pseudonyms. Communications of the ACM, 1981.

[3] D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Receipient Untraceability. Journal of Cryptography, 1988.

[4] Anderson R., Security Engineering, Wiley Computer Publishing, 2001.

[5] U. Jendricke , D. Gerd tom Markotten, Usability meets security - the Identity-Manager as your personal security assistant for the Internet, Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), p.344, December 11-15, 2000.

[6] W3C, P3P (Platform for Privacy Preferences Initiative), http://www.w3.org/P3P/.

[7] OpenCA Research \& Development Labs, www.openca.org.

[8] eTrust Pki, http://www3.ca.com/Solutions/Product.asp?ID=2623.

[9] Netscape Certificate Management System, http://enterprise.netscape.com/products/identsvcs/certmgmt.html.

[10] Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland. ``Rogue Access Point Detection using Temporal Traffic Characteristics.'' Appeared in the Proceedings of IEEE GLOBECOM 2004, December 2004.

[11] Preventing Internet Denial-of-Service using Capabilities, Tom Anderson, Timothy Roscoe and David Wetherall. Proceedings of the Second Workshop on Hot Topics in Networking (HotNets-II), Cambridge, MA, USA, November 19-20, 2003.

22

Security Challenges of Location-Aware Mobile Business

Emin Islam Tatlı, Dirk Stegemann

Theoretical Computer Science, University of Mannheim

February 2005

Thank you for your attention !