Wireless Trust for Mobile Business ─ WiTness ─
Roger Kilian-Kehr
SAP Corporate Research
WiTness Consortium
Wireless Trust for Mobile Business - WiTness, 05/06/2003, www.wireless-trust.org
Agenda
Enterprise security
Mobile applications infrastructure
Towards application-level security
WiTness project
WiTness federations + demonstration
Enterprise Security: The Model of the Past...
Basic Assumption: Everything Outside is Evil...
Approach to Implementing Security:
1. Security is separated from applications
2. Security technology is deployed at the infrastructure level
Mobile Applications: Backend Perspective
[Architecture diagram. Labels: DMZ; Internet; GSM; GPRS; SGSN; GGSN; HLR; NAT; WAP GW; RAS (ppp Dial-In); NAT/Load Balancer; http-Proxies; Web Server Farm; Workplace; Middleware; Corporate Intranet; Information Provider System; User-centric Integration: Portal (http(s), XML); Process-centric Integration: Exchange (Web Services).]
Enterprises are confronted with a whole zoo of isolated “security islands”: security management is a nightmare
Complex software architectures like Portals, Exchanges, Proxies, … prevent network-level end-to-end security solutions
Security on the network (infrastructure) level alone does not work!
Appl.-centered Security
Proactive Approach:
OS, Appl. Server, Applications provide their own security
Vision: Secure e-business without Firewalls
It matters what you do.
Perimeter Security
Defensive Approach:
Network and Device-oriented
Security and Applications are separated
It matters where you are and how you do it.
[Diagram: Enterprise Security covering Resources, Communication, Applications]
Mobile Security Strategy
[Diagram: matching layer stacks for Server and Clients, with the security mechanism at each layer]
Access Network: WEP, GEA1/2, ...
Communication: IPSEC, ...
Platform (Web Server / Web Browser): HTTPS
Application: App-level Sec.
Focus: Application-level Security
WiTness: Project Overview
IST Project (funded by European Commission)
Duration: 01/2002 – 04/2004
Goals:
• Contribute application-level security to 3G mobile business
• Build upon GSM/UMTS security infrastructures (not networks!)
Approach: Create and Combine Functions of
• Devices (mediators to users)
• Smart Cards / SIMs (security platforms)
• Enterprise Software (application servers)
to Provide Security Services/Interfaces
Vision and Mission in a Nutshell
WiTness' vision is a secure mobile wireless application computing world where business processes are not hindered by firewalls.
WiTness aims at enabling secure mobile applications of third-party application providers in 3G wireless networks by providing technology for application-level security.
WiTness focuses on technology that allows application providers to set up their own security solutions for mobile applications. This will be achieved by defining security platforms and security services in mobile devices and smart cards.
Project Consortium
Lead: SAP Corporate Research (FR/DE)
Team: J. Posegga, J. Haller, Ph. Robinson, L. Gomez, C. Hébert, R. Kilian-Kehr
Partners:
• EZOS (BE)
• Eurécom (FR), Team: R. Molva, Y. Roudier, L. Bussard, S. Crosta
• Giesecke und Devrient (DE)
• Microsoft Research (UK)
• NTT DoCoMo Labs (DE)
• T-Mobile (CZ)
• University of Frankfurt (DE)
Goal: Secure Mobile Business Landscape
[Diagram. Roles: Enterprise; Employee; Application Provider; Mobile Operator. Components: Mobile Application; MSA. Relationship labels: "provides Mobile Application"; "owns SIM; provides Mobile Security Applet"; "manages employee’s device and deploys applications"; "uses".]
WiTness: A Technology Perspective
[Diagram. Labels: Mobile Biz Application; Witness Framework; SIM Access API (JSR 177); Phys. SCard Interface; Mobile Business Security Applet; Server-side Application; Witness Server-side Framework; FEDERATION. Work packages shown: WP1,5; WP2; WP3; WP4; WP6; WP7.]
Federation Concept - B2E scenarios
• Face-to-face liable interactions (e.g. mobile work-flow)
• Ambient services / devices
• Access to group data (i.e. mobile groupware)
• Access to corporate data and processes
WiTness Vision: Secure B2E Federations
Empowerment
• Extend the way workers perform everyday tasks while being mobile
• Environment aware
Security
• Devices or communication channels do not necessarily belong to corporation
• Prevent malicious attacks on corporate data and processes
• Technically ensure that users cannot inadvertently violate security policy
• Protection spectrum: channel security, data access control, user presence verification, transaction liability, network access, etc.
Secure B2E Federation = Corporation Controlled Mobile Workforce Empowerment
Federation = environment made up of mobile and ambient devices spontaneously collaborating in support of applications
Security vs. Flexibility
[Chart. Axes: Security (low to high) and Flexibility, Automation, Usability (low to high). Entries: Mobile access to corporate resources; Federated access to corporate resources; Secure federations; WiTness: flexible secure federations; Ideal goal: self organising secure federation.]
Corporate Security Policy Enforcement
Only trusted devices should process corporate data
• Mandatory and automated enforcement
• Based on encryption by Corporate Access Point
• With support from SIM as a security module (e.g. for key distribution)
[Diagram: an XML document whose <confidential/> part is encrypted as { … }K1 and whose <unclassified/> part is encrypted as { … }K2; key sets EiPAQ{K1,K2} and Edisplay{K2}; databases DB1, DB2, DB3. Labels: Access Control: Request + Authorization; XML: XML-encryption + key distribution; Security Policy; Trust: Federation Credentials; operation request.]
Demonstration 1: Trust Based Data Access
Corporate e-mail carries confidential data
• E.g. contract amounts, names of involved parties, etc.
• Protection of these data may be specified in security policy
• Access will depend on device tamper-resistance, trust, context
An employee accesses his e-mail from:
• a workstation at a partner: confidential data about contracts with that partner can be displayed on the workstation
• a public terminal in an airport: confidential data will be displayed only on a device trusted by his company (e.g. his PDA with SIM module)
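Added example, not part of the original slides or of WiTness project code: a sketch of the policy-based element encryption from the "Corporate Security Policy Enforcement" slide, applied to this demonstration's trusted PDA and untrusted public terminal. The pre-shared per-device keys, the policy table, the sample mail, the function names and the SHA-256 keystream standing in for XML Encryption are all assumptions.

```python
import hashlib, hmac, os
import xml.etree.ElementTree as ET

# Constructed sample mail; tag names follow the slide's <confidential/> and <unclassified/> labels.
MAIL = ("<mail><confidential>Contract amount: 1.2M EUR</confidential>"
        "<unclassified>Meeting moved to 10:00</unclassified></mail>")
# Assumed policy: classification keys each trust level may receive (K1 = confidential, K2 = unclassified).
POLICY = {"trusted": ("confidential", "unclassified"), "untrusted": ("unclassified",)}

def _sub(key, purpose):
    return hashlib.sha256(purpose + key).digest()  # separate subkeys for encryption and MAC

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream); a real CAP would use XML Encryption with AES.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def cap_protect(mail_xml, devices):
    """devices maps name -> (device_key, trust). Returns sealed elements and wrapped keys per device."""
    keys = {label: os.urandom(32) for label in POLICY["trusted"]}
    sealed = []
    for el in ET.fromstring(mail_xml):
        label = el.tag if el.tag in keys else "confidential"  # unknown labels fail closed
        sealed.append((el.tag, label, seal(keys[label], (el.text or "").encode())))
    wrapped = {name: {lbl: seal(dkey, keys[lbl]) for lbl in POLICY[trust]}
               for name, (dkey, trust) in devices.items()}
    return sealed, wrapped

def device_view(device_key, my_wrapped_keys, sealed):
    """What one device can display: plaintext where it holds the key, None elsewhere."""
    keys = {lbl: unseal(device_key, blob) for lbl, blob in my_wrapped_keys.items()}
    return {tag: unseal(keys[lbl], blob).decode() if lbl in keys else None
            for tag, lbl, blob in sealed}
```

Enforcement here rests on which keys the access point wraps for a device, so a terminal that receives the whole encrypted document still cannot display the confidential element.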
Demonstration 1: Trust Based Data Access
[Diagram. Corporate Domain: Backend, CAP. Personal Domain: Device. Terminal. Labels: Item is requested to backend; Access Control; Trust Control; XML; Federate; display delegated.]
Demonstration 1: Trust Based Data Access
[Diagram. Corporate Domain: Backend, CAP. Personal Domain: Device. Terminal. Labels: Item is requested to backend; Access Control; Trust Control; Data encrypted according to policy; XML; Decryption; Secret display.]
HCI and bandwidth limitations: Federations
Building a Federation
Federated device
delegation
Trusted Terminal
Partner terminal available (trusted)
Partner terminal booked (trusted)
Untrusted Terminal
Untrusted (public terminal)
Trusted (corporate PDA)
WiTness
Further information available at http://www.wireless-trust.org
Contact
Dr. Roger Kilian-Kehr
Pervasive Security Group
SAP Corporate [email protected]