SECURITY IN MOBILE NETWORKS BY BHONGIRI ANAND RAJ VENKAT PAVAN RAVILISETTY NAGA MOHAN MADINENI.


Introduction
- Mobile communication provides wide wireless connectivity in today's world, enabling mobility and computing in different communication environments.
- In traditional e-commerce, fraud arising from a lack of security is seen as the major obstacle for people.
- Web browsers and servers are enabled to use public key infrastructures for cryptographic key distribution and to use protocols such as SSL.

- Security on the client and server sides must not be ignored.
- With firewalls and intrusion detection systems installed, systems can be traced.
- Flexibility and functionality are key factors for creating successful e-commerce applications.

Some of the mechanisms in communication security are:
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Location of the communication
The location of the communication, and whether communication is taking place at all, are among the things that need to be kept private. Confidentiality of traffic, location and addresses in a mobile network will depend on the technology used.

Depending on the protocols used, the types of authentication vary. For example, SSL has four different types of authentication:
- Server authentication
- Client authentication
- Both client and server authentication
- No authentication, providing only confidentiality

Different groups attach different importance to authentication. For example:
- Network operators are interested in authenticating users for billing purposes.
- Content service providers and users will be interested in authenticating themselves and with the network service providers.
All of these authentications depend on the business model and technology used.
Public key cryptography is an essential element of SSL and is used for securing web communications.
Public key certificate: the CA's (certification authority's) digital signature on a public key and some attributes.

A CA (certificate authority) is a trusted third party (TTP) that verifies and certifies the identity of the public key owner before issuing a certificate.
Security in heterogeneous networks: architectures depend on protocol layers, which represent the way of modeling and implementing data transmission between the communicating parties.
Figure: communication protocol layers

Mobile applications, like radio networks, span different networks, which complicates the security implementation and makes end-to-end security difficult to obtain. There will be a difference between the desired security service and the protocol layer. For example:
Figure: security architecture using WTLS

Usage of security
- Common design makes security services as transparent as possible, but this gives the user less security information.
- A good user interface indicates the combination of multimedia and optimal terminal design.
Figure: semantic protocol layer between human user and organizations

Security of active content
Active content:
- Allows sound and image animation
- Provides the user with the ability to interact with the server side during a session
- ActiveX and Java applets are some examples
- Sandboxing and certification are used to counter threats from active content
Sandboxing: the active content is restricted in what resources it can access on the host system.
- Advantage: always active and transparent to the user
- Disadvantage: limits the capabilities of active content
Certification: a trusted party has validated and digitally signed the active content.
- Advantage: can access all system resources
- Disadvantage: certification is not equivalent to trustworthiness

Security levels of mobile communication
Level 1 security:
- Implemented using passcode identification
- The user sends the passcode to the mobile network, where it is compared with the one in the database
Level 2 security:
- Implemented using symmetric key schemes
- Main feature is that the client is able to authenticate its identity with the gateway

Figure: Generic model of level 2 secure mobile communication
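An added example (not part of the original slides) of one way a level 2 exchange could work: the gateway sends a fresh nonce and the client proves possession of the shared symmetric key with an HMAC, so the secret itself never crosses the network as the level 1 passcode does. The `Gateway` class, the message layout, the client identifier and the choice of HMAC-SHA256 are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def client_response(key: bytes, client_id: str, nonce: bytes) -> bytes:
    """Client side: MAC the gateway's nonce under the shared key."""
    return hmac.new(key, client_id.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Gateway:
    """Hypothetical gateway holding one pre-shared symmetric key per client."""

    def __init__(self):
        self._keys = {}      # client_id -> shared key
        self._pending = {}   # client_id -> nonce awaiting a response

    def enroll(self, client_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return key           # assumed to reach the client out of band

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def verify(self, client_id: str, response: bytes) -> bool:
        # pop(): a nonce is accepted once, so a captured response cannot be replayed.
        nonce = self._pending.pop(client_id, None)
        key = self._keys.get(client_id)
        if nonce is None or key is None:
            return False
        expected = client_response(key, client_id, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    gw = Gateway()
    cid = "handset-01"                       # constructed client identifier
    key = gw.enroll(cid)
    response = client_response(key, cid, gw.challenge(cid))
    results = {"genuine": gw.verify(cid, response)}
    results["replay_without_challenge"] = gw.verify(cid, response)
    gw.challenge(cid)                        # fresh nonce, old response replayed
    results["replay_after_new_challenge"] = gw.verify(cid, response)
    nonce = gw.challenge(cid)                # response computed with the wrong key
    results["wrong_key"] = gw.verify(cid, client_response(b"\x00" * 32, cid, nonce))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```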

Level 3 security:
- Implemented using asymmetric key schemes
- The client is able to authenticate the gateway's identity
Figure: Generic model of level 3 secure mobile communication

Implementing the security levels in mobile communication
- Mobile devices and networks need to support technologies and standards.
- Different models were proposed, but communication between the mobile device and the trusted server is not secure.
Clients are classified into the following categories:
- No private key
- One private key used for authentication or signing
- Two or more private keys, of which one is used for authentication and the other for signing

Implementation of security level 1
- The client sends the passcode by SMS or WAP
- When verified, the user is granted access to information
Implementation of security level 2
- Depends on the capability of storing private keys
- If not capable, the private key must either be stored in the mobile device or be entered by the user
Implementation of security level 3
- Depends on the capability of the client to store private keys
- Generate the digital signature
- If the client is not able to generate digital signatures, delegated PKI (public key infrastructure) signing is used, meaning the security server signs on behalf of the mobile device

Implementing security level 3 of mobile communications

Some of the physical constraints of mobile communication systems are:
Broad-based medium:
- The wireless medium is a broad-based medium
- Extremely exposed to eavesdropping (spying)
Disconnections:
- Connections are frequently dropped due to a high degree of noise and interference
Heterogeneity:
- Moving from one domain to another, a host encounters different levels of security and management policies
Highly distributed environment

Some of the security threats are:
Device vulnerability:
- Many mobile devices are small and lightweight, which leads to devices being misplaced or lost
- This raises a security concern, as a thief has a chance to view secret information
Domain crossing:
- Happens when the user's mobile enters a new location belonging to another domain and is registered there
- This raises some security matters
- When entering a new domain, it is important for both the user and the foreign domain to trust one another

Anonymity:
- The mobile user wants to be anonymous to outside domains
Authentication:
- A mobile user who crosses domain boundaries must be authenticated
- This should not interfere with the user's task, which requires the authentication to be transparent to the user
Some examples of mobile communication are:
- Global System for Mobile communication (GSM)
- Cellular Digital Packet Data (CDPD)
- Mobile IP

Conclusion
- Mobile networks have a positive side and a negative side.
- Mobile network operators are well placed to become a trusted third party and are able to support security applications.
- In the development of e-commerce technology, functionality and flexibility get the highest priority, as they form the basis for the new business model.
- The only hope is that, in future, mobile networks will be more secure.

1. What are the different encryption types and tools available in network security?
There are three types.
Manual encryption:
- Completely provided by the user
- The user has to manually select the objects for encryption, such as files or folders, and run a command to encrypt or decrypt them
Transparent encryption:
- Encryption/decryption is performed at a low level during all read/write operations
- From the point of view of general security principles, complete low-level transparent encryption is the most secure type imaginable, the easiest, and imperceptible for the user to manage

Semi-transparent encryption:
- This operates not permanently, but before or after access is made to confidential objects, or during some read or write operations

2. How do you do authentication with an MD5 message digest in a network?
- MD5 is a cryptographic hash function with a 128-bit hash value output.
- It is used to check the integrity of files or inputs.
- An MD5 hash is expressed as a 32-character hex number.
- It takes a variable-length input and converts it into a fixed-length 128-bit output, called the MD5 hash.
- It is a one-way hash function.
- Any change in the message results in a completely different hash.
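An added example (not part of the original slides) for question 2: an MD5 digest sent alongside a message detects accidental change, but it authenticates nothing because anyone can recompute it, and MD5 is also no longer collision-resistant. The sketch contrasts it with a keyed HMAC-SHA256 tag; the shared key, the message text and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: pre-shared by both ends


def md5_hex(message: bytes) -> str:
    """Unkeyed MD5 digest: 128 bits, written as 32 hex characters."""
    return hashlib.md5(message).hexdigest()


def mac_hex(key: bytes, message: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only holders of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept_with_digest(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(md5_hex(message), digest)


def accept_with_mac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_hex(key, message), tag)


def demo() -> dict:
    sent = b"PAY 100 TO ACCOUNT 12345"      # constructed sample message
    altered = b"PAY 900 TO ACCOUNT 12345"   # the same message changed in transit
    return {
        "digest_len": len(md5_hex(sent)),
        "digest_changes": md5_hex(sent) != md5_hex(altered),
        # Accidental corruption: message changed, digest unchanged, so it is detected.
        "corruption_detected": not accept_with_digest(altered, md5_hex(sent)),
        # Deliberate change: whoever alters the message can recompute the
        # unkeyed digest, so the receiver's check still passes.
        "digest_accepts_altered": accept_with_digest(altered, md5_hex(altered)),
        # With a MAC the old tag no longer matches, and a new one needs the key.
        "mac_accepts_original": accept_with_mac(SHARED_KEY, sent, mac_hex(SHARED_KEY, sent)),
        "mac_accepts_altered": accept_with_mac(SHARED_KEY, altered, mac_hex(SHARED_KEY, sent)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```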

3. What are a routing protocol and a routed protocol?
Routed protocol:
- Any protocol that provides enough information in its network layer address to allow a packet to be forwarded from host to host based on the addressing scheme
- Routed protocols define the format and use of the fields within a packet
- Internet Protocol (IP) is an example of a routed protocol
Routing protocol:
- Supports a routed protocol by providing mechanisms for sharing routing information

- Routing protocol messages move between routers
- The routing protocol allows routers to communicate with other routers to update and maintain tables

4. What are the different types of network security?
There are two types of network security.
Physical security:
- It is important to physically secure your computer and its components so that unauthorized people cannot touch your computers and gain access to your network

Software security:
- Along with securing your hardware, it is necessary to protect your network from hackers and outside attackers
- Keep a firewall on the system to block unwanted data
- Have maximum protection against viruses
- Use spam filter software
There are many more things to do to ensure complete network security.
