370 likes | 503 Views
Urban Sensor Security Challenge. By Cindy Nguyen H. University Central of Florida Class: EEL6788 Date: April 21, 2010. Introduction Case Study Security Issues Conclusion. Outline.
E N D
Urban Sensor Security Challenge By Cindy Nguyen H University Central of Florida Class: EEL6788 Date: April 21, 2010
Introduction Case Study Security Issues Conclusion Outline
Science and technology comes into almost every aspect of our lives, helping us to solve problems and create opportunities. Despite the achievements, we face very real economic and environmental challenges that require a new level of effort and success. While today, much security research is about defending against the attacks on security and privacy, there has been theoretical work in computer security, along with the beginnings of a science base for security. Introduction
Urban sensing wireless network systems that utilize mobile phones which enable individuals and communities to collect and share data with unprecedented speed, accuracy and granularity. In the work place, home or nursing-homes, pervasive networks may assist residents and their caregivers by providing continuous medical monitoring, memory enhancement, control of home appliances, medical data access, and emergency communication. Employing mobile handsets as sensor nodes poses new challenges for privacy, data security, and ethics. Introduction
M-Commerce Health monitoring 2004 Health Care Application Emergency Medical Response 2005 Case Study
Case #1 M-Commerce
M-Commerce The emergence of mobile devices and wireless networks has created a new path in the field of E-commerce: “M-commerce”. Significant research is needed in the field of service discovery to support M-commerce applications.
Wireless Application Protocol (WAP) Created by WAP Forum Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com 500+ member companies Goal: Bring Internet content to wireless devices Wireless Transport Layer Security (WTLS) Control: WAP Gap Data in the clear at gateway while re-encryption takes place Link Layer: LAN: 802.11, Bluetooth, WAN: Analog / AMPS Devices: Cell phone, Palm, WinCE, Blackberry M-Commerce - (WAP)
WTLS SSL Internet WAP Gateway Basic WAP Architecture Web Server SSL: Secure Socket Layer WTLS: Wireless Transport Layer Security
Less processing power on devices Slow Modular exponentiation and Primality Checking (i.e., RSA) Crypto operations drain batteries(CPU intensive!) Less memory (keys, certs, etc. require storage) Few devices have crypto accelerators, or support for biometric authentication No tamper resistance (memory can be tampered with, no secure storage) Primitive operating systems w/ no support for access control (Palm OS) Security Challenges
The intermediate entity can potentially attack communications between two parties. Typically attacks involve altering the content or the order of messages and replaying messages sent earlier. In applications based on cell phones, by definition, the cell phone will know the physical location of client device. This creates privacy risks Privacy and Authenticity
Link Layer Security GSM: A3/A5/A8 (auth, key agree, encrypt) CDMA: spread spectrum + code seq CDPD: RSA + symmetric encryption Application Layer Security WAP: WTLS, WML, WMLScript, & SSL iMode: N/A SMS: N/A Wireless Security Approaches GSM: Global System for Mobile CDMA: Code Division Multiple Access CDPD - Cellular Digital Packet Data SSL: Secure Socket Layer WML: Wireless Markup Language WTLS: Wireless Transport Layer Security
Case #2 Health Monitoring System
Developing network architecture for smart healthcare will provide new opportunities for continuous monitoring for assisted and independent-living. This will preserve resident comfort, security and privacy for individuals while also providing a managing network for medical history records. Integration with existing medical practice and technology, real-time and long term monitoring, wearable sensors and assistance to chronic patients, elders or handicapped people Health Monitoring Application (HMA)
Example: Smart Health Home Current configuration of the medical test-bed Layout of the experimental smart health home
Example: Smart Health Home Portability and unobtrusiveness Ease of deployment and scalability Real-time and always-on Reconfiguration and self-organization This architecture is multi-tiered, with heterogeneous devices ranging from lightweight sensors, to mobile components, and more powerful stationary devices. “MicaZ with MTS310 sensor board”
Experimental Smart Health Home • These system is single hop, as the radio range covers all of the facility. A multi-hop protocol will be necessary for access of multiple floors, or if transmission power is reduced. • Data communication is bi-directional between the motes and the Star gate. Time-stamping is done by the PC when motion events are received.
When the data association mechanisms are not sufficient, or integrity is considered critically important, some functionalities of the system can be disabled. This preserves only the data which can claim a high degree of confidence. In an environment where false alarms cannot be tolerated, there is a tradeoff between accuracy and availability. Data Integrity - HMA
The system is monitoring and collecting patient data that is subject to privacy policies. For example, the patient may decide not to reveal the monitored data of certain sensors until it is vital to determine a diagnosis and therefore, authorized by the patient at the time of a doctor visit. Security and privacy mechanisms must be throughout the system. Security and privacy - HMA
Case #3 Health Care Application
The use of wireless sensor networks (WSN) in healthcare applications is growing at a fast pace. Numerous applications such as: Heart rate monitor, Blood pressure monitor and Endoscopic capsule are already in use. To address the growing use of sensor technology in this area, a new field known as Wireless Body Area Networks (WBAN or simply BAN) has emerged. Health Care Application (HCA)
Architecture in Healthcare Application Architecture of Wireless Sensor Networks in Healthcare Applications
Security Issues - HCA • Many sensor networks applications used in healthcare are heavily relied on technologies that can pose security threats like eavesdropping and denial of services. • There are concerns of health hazards for the implanted sensor devices. The concerns have far reaching social implications. • The social implications and issues that are directly related to the above mentioned application scenarios can be categorized into three major areas security, privacy and legal issues. Besides these, there can be more issues such as economic and political issues.
Case #4 Emergency Medical Response
Emergency Medical Response (EMR) • Systems need to communicate with hospitals from the field and exchange information about: • Patient condition, • Expected time of patient arrival, and • Occasionally inquire about the ability to accept more patients. • An ideal EMS system should provide real-time information and tracking of patients, staff and emergency vehicles.
Architecture Emergency Medical Response A wireless infrastructure for real-time data transport between motes and local PDAs and tablet PCs Patient sensors (a pulse oximetry sensor integrated with a GPS receiver, micro-processor, data storage & transmitter) for patient vital sign and location monitoring A local command site for field coordination Cellular/Satellite wireless links for real time communication between local and remote sites A web services architecture to process, interpret, aggregate and present information A central command site for global resource management
While web services provide powerful and flexible service oriented architectures, they also introduce overheads such as the extraction of the SOAP envelope and parsing of the contained XML information. These are the issues known over a wired internet. It is possible that these problems increase exponentially over a wireless internet, where there are bandwidth and connectivity issues. There are in the process of conducting quantitative empirical studies to test web services over a wireless internet. The latency and through-put will be tested while the vehicle is standing still and at varying speeds. The data types and lengths will also be varied. Security Issues - HCA
It must be possible to erase data stored on a device that is stolen or lost?... If not, that data may fall into the wrong hands. Look for centralized management features that allow administrators to purge data remotely from a missing device. Security Issues - Lost or Stolen Device
Authentication service consists of association processing among nodes. It is an efficient method against impersonation attacks. How effective is the solution’s approach to authenticating individuals using the device and guarding against fraud? Strong password protection, two-factor authentication, and best-practice password policies are all elements of an effective data security plan. Security Issues - Authentication
This security service prevents the attacker from replaying the old frames that it eavesdropped by using nonce or time token. Wireless networking is revolutionizing the way people work and play. By removing physical constraints commonly associated with high-speed networking, individuals are able to use networks in ways never possible in the past. Security Issues - Protection
Wireless Users have many more opportunity in front of them, but those opportunities open up the user to greater risk. The risk model of network security has been firmly entrenched, in the concept that the physical layer is at least somewhat secure. There is no physical security. The radio waves that make wireless networking possible are also what make wireless networking so dangerous. An attacker can be anywhere nearby listening to all the traffic from your network in your yard, in the parking lot across the street, or on the hill outside of town. By properly engineering and using your wireless network, you can keep attackers at bay. Security Issues
One of the biggеѕt threats to security, may be technological progress itself, as organizations embrace new technologies without taking the associated risk into account. To maintain and improve security, you need more than just the right blend of technology, policy and procedure. Distinctions between Speech and action, Traditional concept of property, Definitions of jurisdictional authority, and Enforcement powers are poorly understood in the new-networked world. To the extent that laws are the embodiment of ethical beliefs, the lack of agreement on what is ethical makes developing legal codes extremely difficult. Privacy and Integrity Issues
Conclusion • Industry best practices and regulatory mandates place a high premium on securing electronic data and protecting it against theft or unauthorized viewing. • To be effective, data security needs to be integrated into the solution, becoming an integral part of each communication channel, data storage medium and network link. • To meet privacy and data integrity concerns, security should provide an umbrella of protection that extends end-to-end, from the handheld computing device across the Internet to the back-end data servers.
References [1] A. Perrig, J. Stankovic, and D. Wagner, invited paper, “Security in Wireless Sensor Networks”, Communications of the ACM, Volume 47, Number 6, pages 53-57, June 2004 [2] G. Virone, A. Wood, L. Selavo, Q. Cao, L. Fang, T. Doan, Z. He, R. Stoleru, S. Lin, and J.A. Stankovic, “An Advanced Wireless Sensor Network for Health Monitoring”, Department of Computer Science, University of Virginia, 2005 [3] Katie Shilton, Jeff Burke, Deborah Estrin, Mark Hansen, Mani B. Srivastava, “Achieving Participatory Privacy Regulation”: Guidelines for CENS Urban Sensing, Center for Embedded Networked Sensing, University of California Los Angeles. June 25, 2008 [4] Mani Srivastava, Mark Hansen, Jeff Burke, Andrew Parker, Sasank Reddy, Ganeriwal Saurabh, Mark Allman, Vern Paxson, Deborah Estrin, Wireless “Urban Sensing Systems, Center for Embedded Networked Sensing Systems”, UCLA, April 2006 [5] By Deep a Kundur, Senior Member IEEE, William Luh, Student Member IEEE,- Unoma Ndili Okorafor, Student Member IEEE, and Takis Zourntos, Member IEEE, “Security and Privacy for Distributed Multimedia Sensor Networks” - Vol. 96, No. 1, January 2008 [6] Laurent Eschenauer, Virgil D. Gligor: A “key-management scheme for distributed sensor networks”. ACM Conference on Computer and Communications Security, pages 41-47, November 18-22, 2002
References [7] Shilton Katie, Burke Jeffrey A, Estrin D, Hansen Mark, & Srivastava Mani. “Participatory Privacy in Urban Sensing”, UC Los Angeles: Center for Embedded Network Sensing. 04-21-2008. [8] An Liu, Peng Ning, "TinyECC: “A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks”, in Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN 2008), SPOTS Track, pages 245-256, April 2008. [9] Apu Kapadia, Nikos Triandopoulos, Cory Cornelius, Dan Peebles and David Klotz. AnonySense, “Opportunistic and Privacy-Preserving Context Collection”. In Proceedings of the Sixth International Conference on Pervasive Computing (Pervasive), pages 280-297, May 2008 [10] Baik Hoh, Marco Gruteser, Ryan Herring, Jeff Ban, Dan Work, Juan-Carlos Herrera, Alexandre Bayen, Murali Annavaram, Quinn Jacobson. “Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring”, ACM Mobisys, 2008 [11] Peter Johnson, Apu Kapadia, David Kotz and Nikos Triandopoulos – “People-Centric Urban Sensing: Security Challenges for the New Paradigm” - Institute for Security Technology Studies, Dartmouth College, Dartmouth Computer Science Technical Report TR2007-586, February 2007. [12] Moshaddique Al Ameen, Jingwei Liu and Kyungsup Kwak – “Security and Privacy Issues in Wireless Sensor Networks for Healthcare Applications” - 18 December 2009 / Accepted: 16 February 2010
References [13] John Crum – “Pay for Performance: The Answer to the Human Capital Crisis?” - The Public Manager, Vol. 32, 2003 [14] Prepared Statement on the National Security Personnel System – “U.S. Department of Defense Speeches” - June 4, 2003 [15] Dipanjan Chakraborty, Filip Perich, Sasikanth Avancha, Anupam Joshi – “Semantic Service Discovery for M-Commerce Applications” - University of Maryland, Baltimore County [16] Nada Hashmi, Dan Myung, Mark Gaynor, Steve Moulton – “A Sensor-based,Web Service-enabled, Emergency Medical Response System” - Boston University - 2005 [17] Eun-Kyeong Kwon1, Yong-Gu Cho2, and Ki-Joon Chae – “Security Enhancement on Mobile Commerce” - W. Kim et al. (Eds.): Human.Society@Internet 2001, LNCS 2105, pp. 164-176, 2001. Springer-Verlag Berlin Heidelberg 2001