IEEE Global Communications 2015 Conference
IoTAAL Workshop - Sunday, December 6, 2015
Security for Ambient Assisted Living
Phillip H. Griffin
Griffin Information Security

State of Things
IoT Ambient Assisted Living Landscape
— Assisted home care needs: growing populations of elderly, disabled
— Few AAL research projects consider security and privacy aspects
— Universal Access through user choice of authentication method
— Biometric options can enable access for elderly and disabled users
— Mutual and multifactor authentication using biometrics

Something More
Biometric authentication: Something-You-Are
— Sensor collects sample to enroll user in biometric system
— Data extracted from sample to create biometric reference template
— Uniquely Identifiable template stored for later user matching
Biometric sensor data can also contain Something-You-Know
— Sensor can collect knowledge and biometric data
— Extracted biometric knowledge: a shared “weak secret”
— Secret drives Authenticated Key Exchange (AKE) protocol
Tagged IoT objects can be Something-You-Have
— People can be associated with physical objects
— RFID tags can be bound to biometric reference templates

Something You Know
Biometric-AKE | Password Authenticated Key Exchange
AKE - Strong cryptographic protection of communications
— Mutual authentication using shared knowledge (No PKI overhead)
— Key Establishment, not Key Exchange (Diffie-Hellman key agreement)
— Defeats Man-In-The-Middle, Phishing (Weak secret not revealed)
— Perfect Forward Secrecy (Key compromise contained)

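An added example, not from the talk or from the text of ITU-T X.1035: a simplified password-masked Diffie-Hellman exchange modelled on the PAK message flow, simulating both sides to show mutual authentication from a shared weak secret that is never transmitted. The group (RFC 3526 group 14), the SHAKE-256 instantiation of the hash functions, the names `H`, `mask`, `to_b` and `run_exchange`, and the identities and secret passed in are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# RFC 3526 group 14 (2048-bit MODP prime), generator 2: an assumed group choice.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def H(tag, *parts, size=32):
    """Domain-separated, length-prefixed SHAKE-256; stands in for PAK's H1..H5."""
    h = hashlib.shake_256(tag.encode())
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest(size)

def mask(tag, a, b, pw):
    """Secret-derived group element that blinds a Diffie-Hellman public value."""
    return int.from_bytes(H(tag, a, b, pw, size=320), "big") % P or 1

def to_b(n):
    return n.to_bytes(256, "big")

def run_exchange(a, b, pw_client, pw_server):
    """Simulate both sides; returns (client_key, server_key) or (None, None)."""
    # Client -> server: X = H1(secret) * g^ra. The secret itself is never sent.
    ra = secrets.randbelow(P - 3) + 2
    X = mask("H1", a, b, pw_client) * pow(G, ra, P) % P
    # Server strips its own H1 mask, replies with Y = H2(secret) * g^rb and proof S1.
    rb = secrets.randbelow(P - 3) + 2
    Y = mask("H2", a, b, pw_server) * pow(G, rb, P) % P
    dh_s = pow(X * pow(mask("H1", a, b, pw_server), -1, P) % P, rb, P)
    ctx_s = (a, b, pw_server, to_b(X), to_b(Y), to_b(dh_s))
    S1 = H("H3", *ctx_s)
    # Client strips the H2 mask and checks S1: this authenticates the server.
    dh_c = pow(Y * pow(mask("H2", a, b, pw_client), -1, P) % P, ra, P)
    ctx_c = (a, b, pw_client, to_b(X), to_b(Y), to_b(dh_c))
    if not hmac.compare_digest(S1, H("H3", *ctx_c)):
        return None, None
    # Server checks the client's proof S2: this authenticates the client.
    if not hmac.compare_digest(H("H4", *ctx_c), H("H4", *ctx_s)):
        return None, None
    # Fresh ra, rb per run give each session an independent key.
    return H("H5", *ctx_c), H("H5", *ctx_s)
```

In a networked implementation each side must also reject a received X or Y that is 0 mod P before using it, and should rate-limit failed runs, since each failure is one online guess at the weak secret.
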
Something You Have
A physical object: Something-You-Have authentication factor
— Traditionally, these objects have been issued by an authority: driver's license, payment card, passport, ID badge, ...
— In the Internet of Things (IoT) objects might be a door, car, appliance, …
— An object with an embedded RFID can be uniquely identified
— IoT objects can be ‘possessed’ by more than one person (shared objects)
— Individuals can be associated with physical objects by cryptographically binding object’s tag ID to their biometric template using a digital signature

Deeper Dive
Griffin, P. (2015). Security for Ambient Assisted Living. IEEE Global Communications (GLOBECOM) IoT Ambient Assisted Living (IoTAAL) Workshop. Retrieved November 11, 2015, from
Griffin, P. (2014). Telebiometric authentication objects. Complex Adaptive Systems 2014 Proceedings. Procedia Computer Science, 36, Retrieved November 11, 2015, from
Griffin, P. (2015). Biometric Knowledge Extraction for Multi-Factor Authentication and Key Exchange. Complex Adaptive Systems 2015 Proceedings. Procedia Computer Science, 61, Retrieved November 11, 2015, from
ITU-T X.1035: Password-authenticated key exchange (PAK) protocol (2007). Retrieved November 11, 2015, from
X9.73 Cryptographic Message Syntax – ASN.1 and XML. American National Standards Institute.
X9.84 Biometric Information Management and Security. American National Standards Institute.
ISO/IEC | ITU-T X.cms (Draft)

Questions?
Skype: phil.griffin