Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 WP2 UPF Contribution to MobiHealth Security in the MobiHealth BAN Enschede 2002/09/18-20.

Published byJacob McKenzie Modified over 9 years ago

Similar presentations

Presentation on theme: "© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 WP2 UPF Contribution to MobiHealth Security in the MobiHealth BAN Enschede 2002/09/18-20."— Presentation transcript:

1 © Ramon Martí, DMAG, Universitat Pompeu Fabra 1 WP2 UPF Contribution to MobiHealth Security in the MobiHealth BAN Enschede 2002/09/18-20

2 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 2 UPF Participation Workpackages and Tasks WP2 - MobiHealth services and BAN integration  T2.2 - Development and integration of the BAN platform  T2.5 - Security Services for the BAN Starting on M3:  WP2 - MobiHealth services and BAN integration (M3-M13)  T2.2 - Development and integration of the BAN platform (M3- M13)  T2.5 - Security services for the BAN (M3-M13)

3 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 3 WP2 Security Timetable T2.5 - Security services in the MobiHealth BAN  Refinement of requirementsM03-M05(Aug-Sep)  BAN Test Security Platform Set-upM04-M06(Sep-Oct)  BAN Network Security TestsM05-M08(Oct-Dec)  BAN Transport Security TestsM05-M08(Oct-Dec)  BAN Application Security TestsM05-M08(Oct-Dec)  BAN Security IntegrationM08-M10(Jan-Feb)  BAN Final Security IntegrationM10-M13(Mar-May)

4 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 4 General security requirements Data protection:  Components  Storage  Access  Communications  Hop­to­hop  End­to­end

5 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 5 Other security services Traffic confidentiality (origin, destination, length, time,... of messages) Confidentiality of identity (anonymity, pseudonymity) Confidentiality of location Availability (counter DoS attacks) Accountability Reliability

6 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 6 MobiHealth System Architecture

7 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 7 MobiHealth System Components Sensor Actuator Front-End MBU (Mobile Base Unit) WSB (Wireless Service Broker) AppServer WorkStation

8 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 8 MobiHealth System Components Security Confidentiality / privacy: Data encryption and authentication  Data confidentiality  No data stored in some components Authenticity / integrity  User authentication (password, smartcard,... )  Terminal authentication (SIM,... )  Application/server authentication (certificate,... )

9 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 9 MobiHealth Communications Sensor Front-End Actuator Front-End Front-End PDA PDA WSB WSB AppServer PDA AppServer AppServer Workstation

10 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 10 Communications Security Security can be added to most communication layers Different security features depending on layer:  Data link layer: Bluetooth, GPRS/UMTS,...  Network layer: IPsec,...  Transport layer: SSL/TLS, HTTPS,...  Application layer: Data encryption (OpenSSL Libraries, MIME)

11 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 11 Data Link Layer / Network Layer Security Data Link Layer Security  Hop-to-hop protection (encryption and authentication).  No user or application authentication.  Security provided by Bluetooth or GPRS/UMTS, in each case, can be used. Network Layer Security  Host-to-host protection (encryption and authentication)  Hop-to-hop protection  End-to-end protection  No user or application authentication.  IPsec can be used.

12 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 12 Transport Layer / Application Layer Security Transport Layer Security  End-to-end protection (encryption and authentication).  Application-to-application protection; opt. user authentication  SSL/TLS or HTTPS can be used. Application Layer Security  Application-to-application and application_user-to- application_user protection, including user authentication.  Usually through encryption or/and signature of data sent through the communications stack.  SMIME or OpenSSL libraries could be used to encrypt and sign data.

13 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 13 MobiHealth Security BAN and Rest of the System BAN Security  Sensor Front-End  Front-End  Front-End PDA  PDA  PDA WSB  PDA AppServer Rest of MobiHealth Security  WSB  AppServer  Workstation  WSB AppServer  AppServer Workstation

14 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 14 WP2 Security Timetable T2.5 - Security services in the MobiHealth BAN  Refinement of requirementsM03-M05(Aug-Sep)  BAN Test Security Platform Set-upM04-M06(Sep-Oct)  BAN Network Security TestsM05-M08(Oct-Dec)  BAN Transport Security TestsM05-M08(Oct-Dec)  BAN Application Security TestsM05-M08(Oct-Dec)  BAN Security IntegrationM08-M10(Jan-Feb)  BAN Final Security IntegrationM10-M13(Mar-May)

15 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 15 Security Possible Setups First Approach iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys. iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with x.509 certificates. iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys. iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with x.509 certificates. iPAQ Windows CE (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys. iPAQ Windows CE (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys.

16 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 16 Setup Requirements Common part: certificates creation  Set-up a Certificate Authority (CA)  Certificates Generation  Installation of certificates in Gateway Machines (Linux)  Installation of certificates in Linux machines (PPC 2002 & PC)  Installation of certificates in Windows 2000/XP machines (PC) FreeS/WAN: IPsec for Linux (Linux PPC & PC)  Installation and configuration in Linux machines

17 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 17 Test Security Platform Set-up Linux PC Windows 2000 PC iPAQ  Just arrived  Test iPAQ GPRS connection  Serial port  Bluetooth GPRS Phones  Received beginning September from Movilforum  2 Motorola Timeport 260 GPRS  1 Ericsson T32m Bluetooth

18 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 18 Software Requirements and Installation Downloaded and installed  FreeS/WAN  X.509 Patch for FreeS/WAN (version 0.9.12 or better)  Patches to add multiple encryption ciphers, etc. (optional)  Marcus Müller's Windows 2000 VPN Tool  OpenSSL package in Linux  AdmitOne(r) VPN Client for Pocket PC  Linux on iPAQ

19 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 19 Test Security Platform Set-up Current Status Install.Config.Tests Linux GW and CAyesyesyes W2K/XP GWyesyesyes Linux PC vs. Linux GWyesyesno W2K/XP PC vs. Linux GWyesyesyes W2K/XP PC vs. W2K/XP GWyesyesno iPAQ WCE vs. Linux GWnonono iPAQ WCE vs. W2K/XP GWnonono iPAQ Linux vs. Linux GWnonono iPAQ Linux vs. W2K/XP GWnonono

20 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 20 Open Security Issues in the BAN (1/4) What are the security requirements for the trial scenarios Which components are to be protected  Internal network: sensors, front­end, MBU  External network: GPRS/UMTS, application server How to integrate security into the BAN architecture Hardware, BAN OS What will be there at the server side? Where is the “intelligence” of the system to be developed? More cooperation required with the other WP2 partners

21 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 21 Open Security Issues in the BAN (2/4) Communication Protocols  Sensor Front-End  Actuator Front-End  Front-End PDA  PDA WSB  [WSB AppServer]  PDA AppServer  [AppServer Workstation] Communication Protocols Security

22 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 22 Open Security Issues in the BAN (3/4) MobiHealth System Components Functionality  Sensor  Actuator  Front-End  MBU (Mobile Base Unit)  [WSB (Wireless Service Broker)]  [AppServer]  [WorkStation] MobiHealth System Components Security  Storage  Access

23 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 23 Open Security Issues in the BAN (4/4) MobiHealth System Components Platform:  PDA  OS: Windows CE / Linux  Application Server  Hardware: PC / Workstation  OS: Windows 2000 / Linux  Workstation  Hardware: PC / Workstation  OS: Windows 2000 / Linux

24 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 24

25 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 25 BAN Architecture

26 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 26 General Security Threats Transmission or storage electronic data security threats  Interruption: Data transmission interrupted, or stored data deleted.  Interception: Data accessed and read during transmission or storage.  Modification: Data modified during transmission or storage.  Fabrication: Data created by a third party, supplanting the data originator.  Man in the middle: Third party introduced in the middle of communication, supplanting receiver from sender point of view, and supplanting sender from receiver point of view.

27 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 27 General Security Services General security services to avoid security threats:  Confidentiality: Protect data to be (almost) impossible to interpret for non authorised user in communication or storage.  Integrity: Protect data against non allowed modification, insertion, reordering or destruction during communication or storage.  Authentication: Allows the way to corroborate identity of the entities implied in the data creation or communication.  Non Repudiation: Protects against unilateral or mutual data repudiation.  Access control: Protects system and resources against not authorised use.

28 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 28 General Security Services and Threads Security services for security threats protection:  Interruption: --  Interception: Confidentiality  Modification: Integrity, Authentication  Fabrication: Authentication  Man in the middle: Authentication Threats addressed by security services:  Confidentiality: Interception  Integrity: Modification  Authentication: Fabrication, Man in the middle  Non Repudiation: --  Access control: --

29 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 29 General Security Mechanisms Symmetrical key encryption: “Low” computing power Asymmetrical key encryption: “High” computing power  Encryption with public key of receiver  Encryption with private key of sender Signature: Asymmetrical key encryption of message hash with private key of sender. “Low” computing power Combined: F.e. Asymmetrical key encryption for interchange of symmetrical key + Symmetrical key encryption for data interchange.

30 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 30 General Security Services and Mechanisms Confidentiality: Encryption. Symmetrical or asymmetrical. Symmetrical usually used. Integrity: Signature or Encryption (Symmetrical or asymmetrical). Signature is better. Authentication: Signature or Symmetrical Encryption with private sender key. Signature is better. Non Repudiation: Signature. Single or mutual. Access control: --

31 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 31 Communication layers Layer 7: The application layer Layer 6: The presentation layer Layer 5: The session layer Layer 4: The transport layer Layer 3: The network layer Layer 2: The data-link layer Layer 1: The physical layer

32 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 32 Sensor Front-End Security In principle, no data encryption is foreseen, except in case Bluetooth is used for wireless. Communications:  Wired: Maybe security is not really needed.  Wireless: Security may be required in the communication.  Bluetooth  Zigbee Data encryption and/or authentication: Only in wireless communication?  Bluetooth

33 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 33 Front-End Security Front-End stores data received from sensors. This data stored in the Front-End should be protected. Data encryption and authentication:  SMIME  OpenSSL libraries

34 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 34 Front-End PDA Security It must be decided if security is really needed. Communications:  Wired  Wireless: security is required.  Bluetooth  Flash memory Data encryption and authentication: Could be required  Bluetooth  SMIME  OpenSSL libraries

35 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 35 PDA Security PDA should act as communication component in BAN to get data from Front-end and send it secure through GPRS/UMTS to AppServer. Data encryption and authentication:  No data should be stored in the PDA. User authentication: May be required for accessing PDA  Password  SIM-card  X.509 key

36 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 36 PDA WSB Security  Communications:  GPRS/UMTS  WAP + WML  HTTP / HTTPS + HTML  User authentication: May be required.  SIM-card based?  Terminal authentication: May be required.  SIM-card  X.509 key  Data encryption and authentication:  GPRS/UMTS  Network layer security (f.e. IPsec) may be required.  Transport layer security (SSL/TLS, HTTPS) may be required  Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

37 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 37 PDA AppServer Security  Should include some authentication and data encryption.  Communications:  TCP / IP (IPsec)  WAP + WML  HTTP / HTTPS + HTML  User Authentication: It should also include some user authentication.  SIM-card  X.509 key  Terminal authentication: Some terminal authentication may be required.  SIM-card  X.509 key  Data encryption and authentication:  Network layer security (f.e. IPsec) may be required.  Transport layer security (SSL/TLS, HTTPS) may be required  Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

38 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 38 WSB Security No data should be stored in the WSB. Data encryption and authentication:  No data should be stored in the PDA.

39 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 39 AppServer Security Data stored should be encrypted to avoid interception. Data encryption and authentication:  SMIME  OpenSSL libraries User authentication: May be required for accessing the AppServer.  Password  SIM-card  X.509 key

40 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 40 Workstation Security Data Storage:  No data should be stored in the Workstation. User authentication: Some user authentication may be required for accessing the Workstation.  Password  SIM-card  X.509 key

41 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 41 WSB AppServer Security Communications:  TCP / IP (IPsec)  WAP + WML  HTTP / HTTPS + HTML Data encryption and authentication:  Network layer security (f.e. IPsec) may be required.  Transport layer security (SSL/TLS, HTTPS) may be required  Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

42 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 42 AppServer Workstation Security Internal communication inside hospital or health centre. Communications:  TCP / IP (IPsec)  WAP + WML  HTTP / HTTPS + HTML Data encryption and authentication:  Network layer security (f.e. IPsec) may be required.  Transport layer security (SSL/TLS, HTTPS) may be required  Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

43 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 43 Communications security Communication layers:  Data link layer (Bluetooth, GPRS,... )  Network layer (IPsec,... )  Application layer (SSL/TLS,... ) Data link layer security for hop­to­hop protection, Application layer security for end­to­end protection

44 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 44 MobiHealth Communication Sensor Front-End: Wired / Bluetooth / Zigbee Actuator Front-End: Wired / Bluetooth / Zigbee Front-End PDA: Bluetooth PDA WSB: GPRS / UMTS + [WAP + WML | HTTP / HTTPS + HTML] WSB AppServer: HTTP / HTTPS + HTML | WAP + WML PDA AppServer: HTTP / HTTPS + HTML | WAP + WML AppServer Workstation: HTML

45 © Ramon Martí, DMAG, Universitat Pompeu Fabra Page 45 Security services  Confidentiality / privacy  Data confidentiality  Authenticity / integrity  User authentication (password, smartcard,... )  Terminal authentication (SIM,... )  Application/server authentication (certificate,... )

Download ppt "© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 WP2 UPF Contribution to MobiHealth Security in the MobiHealth BAN Enschede 2002/09/18-20."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Telefónica Móviles España WP3 meeting 2.5 - 3G Communication Infrastructure.

Telefónica Móviles España WP3 meeting G Communication Infrastructure.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security

Cryptography and Network Security
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 BAN Security Services MobiHealth Plenary Session Santorini 2003/05/26-27.

© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 BAN Security Services MobiHealth Plenary Session Santorini 2003/05/26-27.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.

Similar presentations

Ads by Google