Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group."— Presentation transcript:

1 Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group School of Engineering and Mathematical Sciences City University London.

2 Outline of the Presentation Motivation factor Our approach to authentication Mobile Service Environment Technology Security Capsule Possible security attacks Conclusion

3 Use of mobile devices Study in 2006 December  2.7 billion mobile users worldwide  1.1 billion Internet users worldwide  India is in world’s No. 3 in mobile phone users Prediction for 2011  3.96 billion mobile users worldwide  2 billion Internet users worldwide Rapid growth in 3G network  More services over the phone rather than voice communication  By 2011 there will be 1.06 billion 3G users in Western Europe and US

4 Services available in your mobile Daily activities over the Internet  Banking  Pay utility bills; Shop online Mobile phone has the same capabilities Extra services to mobile devices  Location based services (e.g. find the nearest parking)  Services while mobility (e.g. Healthcare) Authentication and Payments over the mobile devices  Authenticate your self ???  Pay by credit card ???

5 Emerging Services in a mobile

6 Our approach to authentication Introduce a Single-Sign-On server Mobile user authenticate with the mobile operator Confirmation of mobile operator authentication will be used in the Single-Sign-On sever Single-Sign-On server acts as an identity provider Mobile user authenticates to these services based on the authentication with the Single- Sign-On server

7 Mobile Service Environment Mobile Operator Mobile Device Identity Provider (SSO) Vendor Secure Connectivity Existing Relation Payment Service Secure link Authentication Service

8 8 Core Technology: GAA Mobile operators to enable 3G authentication as a service: 3GPP This framework is know as Generic Access Authentication (GAA) USIM Identity  IMPI - IP Multimedia Private Identity  Session key generation for secure communication GAA reference model:  NAF in different network from BSF  Secure communication between NAF and BSF  BSF generates session keys for the communication between UE and NAF Bootstrapping Server Function (BSF) Home subscriber System (HSS) Network Application Function (NAF)

9 Security and Privacy protection for the mobile users Data communications are secured  Mobile and the SSO is secured with session key  Mobile and the vendor is secured with derived session or PKI keys  XML Security methods are applied in the messages Communication between the Mobile and the Vendor is not visible to the SSO server.  Separate key generation Anonymous authentication for mobile users  Real identity of the user is protected at the SSO  SSO generates a temporary identity for the communcation  e.g. Healthcare: record linkage, drug store

10 Operations inside the mobile Security capsule is the application that connects the mobile device with SSO and vendors Encrypted content from the vendor to the mobile Decryption key can only be generated inside the mobile with the combination of,  IMPI – From mobile operator  IMEI – From mobile device  PIN validation – From user  Session Key – From vendor Content can’t be transmitted to other mobile devices or can’t be stolen by someone else

11 Operations inside the mobile (Contd.) IMPI IMEI User PIN Vendor Key Key Generation (SHA 1) 192 bit key Encrypted Data Decryption (Triple DES) Decrypted Data Data Utilization Locate the RAM address Shuffle data in the RAM address

12 Threats to the mobile services Mobile operator impersonate Identity provider impersonate Mobile user impersonate SIM card cloning Man-in-the middle attacks  Message monitoring  Message altering Phone lost or stolen

13 Threats to mobile devices Any message sent to the network is assumed to be received by a malicious user Any message received from the network is assumed to be from the malicious user

14 Dolev-Yao threat scenario

15 Dolev-Yao threat model Assuming that Malice can do a lot, Dolev-Yao threat model proves that Malice cannot do the following:  Malice cannot guess a random number which is chosen from a sufficiently large space.  Without the correct secret (or private) key, Malice cannot retrieve plain-text from given cipher-text, and cannot create valid cipher-text from given plaintext, with respect to the perfect encryption algorithm.  Malice cannot find the private component, i.e., the private key, matching a given public key.

16 Our system We prove the Dolev- Yao threat model for our system knowing that Malice cannot retreive information as Malice will never have Retailer Session key and user PIN, so he will not be able to generate the key to decrypt the message

17 Mobile Phone Compromised There are 3 scenarios for a phone to be compromised  Attacks from the Internet  Infection from compromised PC during data synchronize  Peer smart-phone attack or infection

18 Mobile Phone Attacks Base Station DoS DDoS to call centers Spamming Identity theft and spoofing Wiretapping

19 Defence Phone hardening  OS hardening  Hardware hardening Internet side protection Telecom side protection

20 Conclusion USIM based approach for mobile user authentication Single-Sign-On methodology Security Capsule based data security Possible security attacks on our model Counter measures

21 Q & A

Download ppt "Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group."

Similar presentations

1 Design of Key-Sharing System Based on a Unique Device Kenji Imamoto (Kyushu Univ.) Hiromi Fukaya (Pastel) Kouichi Sakurai (Kyushu Univ.)

1 Design of Key-Sharing System Based on a Unique Device Kenji Imamoto (Kyushu Univ.) Hiromi Fukaya (Pastel) Kouichi Sakurai (Kyushu Univ.)
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
Patient’s privacy protection with anonymous access to medical services Dasun Weerasinghe, Kalid Elmufti, M Rajarajan, Veselin Rakocevic Mobile Networks.

Patient’s privacy protection with anonymous access to medical services Dasun Weerasinghe, Kalid Elmufti, M Rajarajan, Veselin Rakocevic Mobile Networks.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.

G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Business Data Communications, Fourth Edition Chapter 10: Network Security.

Business Data Communications, Fourth Edition Chapter 10: Network Security.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Database Key Management CSCI 5857: Encoding and Encryption.

Database Key Management CSCI 5857: Encoding and Encryption.

Similar presentations

Ads by Google