1 / 26

Secure Identity Solutions

Secure Identity Solutions. Craig Thompson, Dale R. Thompson, Jia Di University of Arkansas, Fayetteville February 21, 2007 {cwt, drt, jdi}@uark.edu Computer Science and Computer Engineering Dept., University of Arkansas 311 Engineering Hall, Fayetteville, Arkansas 72701. Everything is Alive.

chester
Download Presentation

Secure Identity Solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Identity Solutions Craig Thompson, Dale R. Thompson, Jia Di University of Arkansas, Fayetteville February 21, 2007 {cwt, drt, jdi}@uark.edu Computer Science and Computer Engineering Dept., University of Arkansas 311 Engineering Hall, Fayetteville, Arkansas 72701

  2. Everything is Alive Craig W. Thompson University of Arkansas

  3. Craig Thompson’s story • SSN at birth, developed a personality, passport at 10, collected coins, CA DL at 17, TX DL at 21, member of CACM & IEEE, married, got credit cards, TN DL at 27, bought car for daughter, wrote autobiographies for family members • worked on DBMS, middleware & architectures, agents, policy languages, digital rights, RFID, threats, privacy, synthetic data generation, participated in this conference • Records of my life include birth certificates, transcripts, photos, diary, job records, phone bills, … DBMS(me)/mylifebits, … models of myself

  4. orders & subscriptions observations & recommendations Any threats? Need fuel! I see a tank! Everything is Alive a world where everything is alive (EiA) and can sense, act, think, feel, communicate, and maybe even move and reproduce. This might include equipment, vehicles, robots, toys, clothing, pets, and objects such as trees and walls.

  5. Reader1 Reader2 Tag Printer Motion Sensor Camera Device Wrappers XML messages sent between “agents” … DBMS GUI Dashboard TagCentric RFID Middleware Architecture • Developed TagCentric RFID application: • 4 reader types supported: Alien, Symbol, Thingmagic, and “Fake”. • 1 Tag printer supported: Zebra • 5 databases supported: DB2, Derby, MySQL, Oracle, PostgreSQL • Open Source Toolkit available

  6. Smart devices + Supply chains • Humans now manage 10 network devices and will need to manage 100s to 1000s • Many kinds of sensors • Item level RFID • Data synchronization networks • Download plugins from the web • Simple and complex user interfaces • Scheduler • Log History • Natural language I/F and/or GUI • …

  7. Menu Based Natural Language I/F Plugin • Predictive menu to guide user to correct sentence

  8. Many Puzzles Remain • Technical – we don’t yet have all the puzzle pieces • Universal plug and play, composability & MDE • Querying collections of agents & Policy languages & … • Social – extrapolate today’s direction to tomorrow • Humans are increasingly connected – cell phones, instant messaging, chat, blogs, social networks, role playing games, … • 1000 closest friends, borgs, precision communication, Internet people, anonymity • Information aggregation – DBMS[me] • Human augmentation • Better hearing, seeing, memory, … • Transferring your identity to your smart card, memory stick, personal agents, models • Safe information sharing

  9. Publications • C. Thompson, “Everything is Alive,” Architectural Perspective Column, IEEE Internet Computing, Jan-Feb 2004. • C. Thompson, P. Parkerson, “DBMS[me],” Architectural Perspective Column, IEEE Internet Computing, May-June 2004. • C. Thompson, “Smart Devices and Soft Controllers,” Architectural Perspective Column, IEEE Internet Computing, Jan-Feb 2005. • C. Thompson, P. Pazandak, H. Tennant, “Talk to your Semantic Web,” Architectural Perspective Column, IEEE Internet Computing, Nov-Dec 2005. • J. Hoag, C. Thompson, “Architecting RFID Middleware,” Architectural Perspectives column, IEEE Internet Computing, September-October, 2006.

  10. Security and Privacy Threats to Identity Dale R. Thompson University of Arkansas

  11. Security Threats to Identity *M. Howard and D. LeBlanc, Writing Secure Code, 2nd ed., Redmond, Washington: Microsoft Press, 2003.

  12. STRIDE Categories and Mitigation Techniques* *M. Howard and D. LeBlanc, Writing Secure Code, 2nd ed., Redmond, Washington: Microsoft Press, 2003.

  13. What is Privacy? • “The right to be let alone” [1] • “The right of individuals to determine when, how, and how much information about themselves is released to others.” [2] • Privacy includes the right to make decisions about one’s own life, to keep personal secrets, and to keep secrets about where we come and go. [3] • It is the right to make decisions without interference from the government or economic pressures from commercial entities. [3] [1] S. Warren and L. Brandeis, “The Right to Privacy,” Harvard Law Review, vol. 4, pp. 193-220, 1890. [2] A. F. Westin, Privacy and Freedom, Atheneum, NY, 1967. [3] R. E. Smith and M. Zolikoff, “Citizens: Getting at our Real concerns,” in RFID: Applications, Security, and Privacy, S. Garfinkel and B. Rosenberg, Eds. Upper Saddle River, New Jersey: Addison-Wesley, 2006, pp. 413-429.

  14. Fair Information Practices (FIPs) Principles of Information Privacy* • Notice. There must be no personal-data, record-keeping systems whose very existence is a secret. • Access. There must be a way for a person to find out what information about the person is in a record and how it is used. • Choice. There must be a way to prevent personal information that was obtained for one purpose from being used or made available for other purposes without the person’s consent. • Recourse. There must be a way for a person to correct or amend a record of identifiable information about the person. • Security. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data. *The Code of Fair Information Practices, U.S. Department of Health, Education and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, VIII. (1973). [Online]. Available: http://www.epic.org/privacy/consumer/code_fair_info.html

  15. Privacy Threats by National ID • Enables tracking, profiling, and surveillance of individuals on a large scale.

  16. Alan F. Westin’s Privacy Classifications • Privacy Fundamentalist (11%) • Very concerned • Unwilling to provide data • Privacy Unconcerned (13%) • Mild concern • Willing to provide data • Privacy Pragmatists (75%) • Somewhat concerned • Willing to provide data if they are notified and get a benefit

  17. Publications • M. Byers, A. Lofton, A. K. Vangari-Balraj, and D. R. Thompson, “Brute force attack of EPCglobal UHF class-1 generation-2 RFID tag,” in Proc. IEEE Region 5 Technical Conf., Fayetteville, Arkansas, April 20-21, 2007, to appear. • D. R. Thompson, J. Di, H. Sunkara, and C. Thompson, “Categorizing RFID privacy threats with STRIDE,” in Proc. ACM Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, Pennsylvania, July 12-14, 2006. • D. R. Thompson, N. Chaudhry, and C. W. Thompson, “RFID security threat model,” in Proc. Acxiom Laboratory for Applied Research (ALAR) Conf. on Applied Research in Information Technology, Conway, Arkansas, Mar. 3, 2006. • N. Chaudhry, D. R. Thompson, and C. Thompson, RFID Technical Tutorial and Threat Modeling, ver. 1.0, tech. report, Dept. of Computer Science and Computer Engineering, University of Arkansas, Fayetteville, Arkansas, Dec. 8, 2005. Available: http://csce.uark.edu/~drt/rfid

  18. Mitigating Side-Channel Attacks to RFID Hardware Jia Di University of Arkansas

  19. Known Attacks to Integrated Circuits (ICs) • Invasive attacks • De-packaging • Layout reconstruction • Microprobing • Non-invasive attacks • Simple power analysis (SPA) • Differential power analysis (DPA) • High-order differential power analysis (HO-DPA) • Timing analysis (TA) • Fault analysis • Glitch attacks

  20. Power Fluctuation in Synchronous Circuits The power and timing parameters need to be made independent of data pattern

  21. Delay-Insensitive Asynchronous Logic • High energy efficiency • No clock skew • High modularity (plug-n-play) • Stable power dissipation • Average case performance • Robust input timing handling • Low noise and emission • … Data-spacer sequence

  22. Dual-Spacer Dual-Rail Delay-Insensitive Logic (D3L)

  23. On-the-fly Random Spacer Selection

  24. Results Comparison – Multipliers

  25. Publications • J. Di and F. Yang, “D3L – A Framework on Fighting against Non-invasive Attacks to Integrated Circuits for Security Applications,” the IASTED International Conference on Circuits, Signals, and Systems (CSS 2005). • D. R. Thompson, J. Di, H. Sunkara, and C. Thompson, “Categorizing RFID privacy threats with STRIDE,” in Proc. ACM Symposium on Usable Privacy and Security (SOUPS), Carnegie Mellon University, Pittsburgh, Pennsylvania, July 12-14, 2006. • J. Di and S. Smith, “A Hardware Threat Modeling Concept for Trustable Integrated Circuits,” in Proc. IEEE Region 5 Technical Conf., Fayetteville, Arkansas, April 20-21, 2007, to appear. • J. Di and S. Smith, “Detecting Malicious Logic through Structural Checking,” in Proc. IEEE Region 5 Technical Conf., Fayetteville, Arkansas, April 20-21, 2007, to appear.

  26. Building a Secure Federal Real ID System Today at 4:15 p.m.

More Related