A Lightweight Reconfigurable Security Mechanism for 3G/4G Mobile Devices
Jalal Al-Muhtadi, Dennis Mickunas, and Roy Campbell, University of Illinois at Urbana-Champaign
IEEE Wireless Communications, April 2002
Presenter: 曹爾凱, first-year M.S. student, Institute of Communications
2019/7/1, INSA lab, Kai
Introduction
Existing security schemes in 2G and 3G systems are inadequate: there is growing demand for a more flexible, reconfigurable, and scalable security mechanism that can evolve as fast as mobile hosts are evolving into full-fledged IP-enabled devices.
Our approach is to employ a component-based, lightweight, portable security mechanism that we developed based on the SESAME architecture: Tiny SESAME.
SESAME: Secure European System for Applications in a Multi-vendor Environment.
SESAME - Secure European System for Applications in a Multi-vendor Environment
SESAME extends Kerberos by providing additional services, including support for asymmetric cryptography.
Privileged Attribute Certificates (PACs) authenticate principals and identify their privileges, security attributes, and access rights.
Authorization services follow the Role-Based Access Control (RBAC) model.
SESAME adopts the Internet standard Generic Security Services Application Programming Interface (GSS-API), a standard programming interface for generic security services.
SESAME was standardized by ECMA (European Computer Manufacturers Association).
SESAME defines different key management protocols and cryptographic profiles while maintaining backward compatibility with Kerberos.
Tiny SESAME
Tiny SESAME is a component-based subset of UIUC SESAME that supports authentication, protocol negotiation, various levels and strengths of encryption, and access control based on the RBAC model.
UIUC SESAME is a portable version of SESAME implemented completely in Java.
Tiny SESAME Architecture
SESAME consists of at least three major components: the client application (the initiator, which is attempting to securely contact a server or obtain a service), the application server (the service), and the security server, which authenticates users and makes access control decisions.
The client and server use the GSS-API to authenticate and to request security services for the communication channel.
Client Side
Components: user sponsor, GSS-API, Secure Association Context Manager (SACM), Dynamic Component Loader (DCL), Authentication and Privilege Attribute Client (APA-Client).
The user sponsor could be a personal computer, a handheld, a mobile host, or any device capable of running Java.
The GSS-API on top of the SACM provides Java programs with a standard interface to access SACM services.
The SACM provides data integrity and confidentiality services for the communication between the client and the service.
The DCL is responsible for on-demand loading of required components. (Resource demanding: in Tiny SESAME, different protocols, cryptographic profiles, and access control models are implemented as separate software components, which are loaded dynamically on demand. Once )
The APA-Client is responsible for secure connections with the authentication server.
Security Server
Components: Authentication Server (AS) with Kerberos authentication and X.509's strong two-way authentication protocol; Privilege Attribute Server (PAS) issuing Privilege Attribute Certificates (PACs); Key Distribution Server (KDS); Role-Based Access Control (RBAC) security policy.
The Authentication Server (AS) provides a single sign-on point for the distributed environment: Kerberos authentication is based on passwords and symmetric keys, while X.509's protocol uses public key cryptography.
The PAS provides information about the privileges and security attributes of users and user sponsors.
The KDS manages the cryptographic keys that are used for mutual authentication between the client and the remote server.
RBAC makes it easy to define well-structured rules and practices for regulating and managing sensitive data and resources.
The security policy may include restricting access to subscription-based services, reserving certain bandwidth for emergency services, and so on.
Service Side
Components: Policy Cache, PAC Validation Facility (PVF).
The Policy Cache provides caching for security policies relevant to the service.
The PVF is the component responsible for checking the validity of PACs and detecting any tampering.
Component-based Architecture
Tiny SESAME achieves this flexibility by incorporating a component-based design for the client and service sides. In this design, the different security services, protocols, and cryptographic profiles are implemented as separate components that can be loaded, unloaded, or reconfigured on demand.
The DCL is capable of loading other Tiny SESAME components from the device's built-in memory on demand.
Employing Tiny SESAME in 2G/3G - Existing Security
Initially, the mobile host's identification number is transmitted to the base station (BS) unprotected.
The receiving BS identifies the mobile host and contacts the home environment of the subscriber.
A random challenge (RAND) is generated by the subscriber's home location register (HLR) and authentication center (AuC), yielding a triplet in the 2G case, <CHAL2G, RESP2G, SK2G>, or a quintuplet in the 3G case, <CHAL3G, RESP3G, SK3G, IK, AUTN>.
If the mobile station returns the correct response, authentication is complete in 2G systems, and the data transmitted will be encrypted with the session key.
Limitations of Existing System
The subscriber's ID confidentiality is threatened as a result of the initial sending of the mobile host's identification number unprotected.
The key sizes and the encryption and decryption algorithms are fixed.
Using Tiny SESAME for Initial Authentication and Call Setup
3G Compatibility Mode (default authentication mechanism)
This involves the formation of the security quintuplet.
The mobile host's ID is transmitted unprotected.
The network parts of a 3G system do not need any modification.
Using Tiny SESAME for Initial Authentication and Call Setup
Tiny SESAME Authentication
Users are authenticated to the system by the AS component within the security server, using an enhanced version of the Kerberos authentication scheme.
Upon successful authentication, the user sponsor obtains a PAC from the PAS. The PAC contains the user's roles, security attributes, and the basic key.
The mobile host can then use the PAC to authenticate itself to different base stations without waiting for security information to come from the HLR of the subscriber's home environment.
Using Tiny SESAME to Provide Security Services for Multimedia Applications
Tiny SESAME can be used to provide security services for multimedia or IP-based applications.
When the mobile host wishes to use network services, the stored PAC is sent using the SACM to the desired service. The data sent can be transferred over any protocol (radio signals and/or IP, etc.).
If the service employs SESAME as well, it passes the PAC to the PVF, which verifies from the integrity protection that the PAC is genuine, and a secure association is established over which the user can communicate with the remote service.
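As an added example (not code from the paper or these slides), a constructed Python model of the PAC flow on the two preceding slides: the PAS issues a PAC carrying roles, security attributes and a basic key, the service's PVF checks its integrity protection and rejects a tampered or expired PAC, and the SACM derives a per-service association key. Everything here is assumed, since the page does not specify the PAC encoding, the integrity mechanism (HMAC-SHA256 under a PAS/PVF shared key is a stand-in) or the key derivation.

```python
import hashlib, hmac, json, os, time

# Assumption (constructed): secret shared by the PAS and the service's PVF.
PAS_PVF_KEY = b"constructed-shared-secret"

def _canonical(body):
    # Deterministic encoding so issuer and verifier tag the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def pas_issue_pac(principal, roles, attributes, lifetime_s=3600):
    """PAS side: build a PAC carrying roles, security attributes and a fresh
    basic key, then seal it with an integrity tag for the PVF to check."""
    body = {
        "principal": principal,
        "roles": sorted(roles),
        "attributes": attributes,
        "basic_key": os.urandom(16).hex(),
        "expires": int(time.time()) + lifetime_s,
    }
    tag = hmac.new(PAS_PVF_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def pvf_validate(pac, now=None):
    """PVF side: recompute the tag over the body; any edit to the roles,
    attributes or key breaks it. Returns the body, or None if rejected."""
    expected = hmac.new(PAS_PVF_KEY, _canonical(pac["body"]), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), pac["tag"]):
        return None  # tampered or forged PAC
    if pac["body"]["expires"] < (time.time() if now is None else now):
        return None  # stale PAC
    return pac["body"]

def sacm_association_key(pac_body, service_name, nonce):
    """Assumed KDF: a per-service key from the PAC's basic key, so one PAC can
    be presented to many services without reusing a single key."""
    basic = bytes.fromhex(pac_body["basic_key"])
    return hmac.new(basic, service_name.encode() + nonce, hashlib.sha256).digest()

def service_accepts(pac, required_role, service_name, nonce):
    """Service side: validate via the PVF, apply the role check, then set up
    the secure association key; None means access is refused."""
    body = pvf_validate(pac)
    if body is None or required_role not in body["roles"]:
        return None
    return sacm_association_key(body, service_name, nonce)
```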
Tiny SESAME Implementation
HP Jornada 680 (Hitachi 133MHz)
Future Work
Using OPNET Modeler to more accurately simulate 2G and 3G security aspects, measure the impact of employing Tiny SESAME in different scenarios, and compare the results with conventional 2G/3G security.
Porting Tiny SESAME to Java 2 Micro Edition.