Summer School of Telecommunications Report

Report on the presentations at the 17th International Summer School on Telecommunications, held August 19-22, 2008 in Lappeenranta, for the course CT10A9700 - SUMMER SCHOOL ON COMMUNICATIONS ENGINEERING

003507 Petri Heinilä

Security in wireless communications

Mario Hoffmann, Fraunhofer SIT, Germany

Mobile system applications are developed for deployments ranging from very near-area PANs to global cyber-worlds. The applications cover communication solutions such as voice or video, personal information management, transaction services such as billing, and man-machine interaction solutions to control ambient devices. The mobile context creates challenges for security implementations, because conventional security designs no longer apply; for example, it is not possible to build an organizational firewall around wireless and mobile devices.

The security development process for mobile systems can be structured into four building blocks: Context, Application, Device and Transmission.

Context. Mobile devices live in different contexts. Security design should consider the context, managing both logical and physical mobility. This management could be implemented, for example, with profiles: a profile for home usage, where passwords or PINs are not required, and a profile for travel usage that requires more user authorization.

Application. Application architectures and implementations should fit the general security considerations of the mobile environment. The application type should be considered: information, transaction or interaction application. What security parameters do the applications have? How do the applications use the provided security mechanisms? In application development, security concepts should be addressed first and functionality after that.

Device. The user's mobile device has its own environment, with an operating system and its components. The questions are how much control the user has over the device, how access control is done, how data is protected inside the device (for example if the device is stolen), how the device is protected against malware, and how the device and its software components are managed.

Transmission. Communication in mobile devices can be implemented in various ways, which also creates various possibilities for attacks against the devices. The first general question is whether we can rely on the security provided by a given communication network. Several aspects affect this: the security architecture laid down in the communication network's specifications; whether devices and software components can be configured to establish a suitable security level; faults in mobile device hardware or software; support for the security mechanisms in the counterpart devices; and the practical use of the security systems, that is, whether users bypass a mechanism if it is too hard to use.

Take transmission security in Bluetooth as an example. At the architecture specification level, flaws have appeared: the specified security algorithms have not been strong enough, using security is not mandatory, and there is no protection against denial-of-service attacks and no consideration of over-the-air traffic analysis. In configuration, no minimum level of security measures is set by either the vendor or the user. Bluetooth stacks have had security-related faults or missing implementations. The status of the communication counterpart is not clear: the counterpart could alter the security level, or access granted to some services could also allow access to critical services. Security usage varies: short PIN identifiers, pairing practices, or trusting the counterpart device. A solution here could be to form an ad hoc trust mechanism, for example using fractal images to implement trusted pairing.

The security development process could be divided into four iterative phases:

  1. System requirements and environment definition.
  2. Threat identification, protection goals and security requirements.
  3. Technology selection and implementation.
  4. Evaluation and testing.

Privacy issues in network environment

Prof. Josef Noll, University Graduate Center, Norway

A networked environment is about sharing, distributing and delivering information to every entity in the network. This information also includes private information. What is private information? It is not clearly defined and depends on different factors, but the common factor is that someone wants the usage of the information to be controlled. Private information could be physical information, for example personal possessions. Cultural factors may affect physical information. Privacy might be organizational, for example the use of products and trademarks at certain times and locations. Privacy might also concern a set of information entities related to some person or organization.

When a person, organization or other entity acts in a networked environment, it starts to build an identity in the network, starting, for example, from its IP address. Identity separates an entity from others. Attached to the identity is also information that defines what the entity is. This information is usually counted as private information.

When working with others in a (networked) environment, the identified entity builds a reputation among the others. Reputation is a social evaluation between entities that creates a classification of social status and gives a mechanism for social control.

Trust is credit given to an entity based on its reputation. Reputation is knowledge of the past behaviour of an entity. Trust is a prediction that the entity will behave in the manner its reputation has shown.

To protect users' private information and identity, secure privacy requirements should be built. What information is really necessary for the application's functionality? What data needs to be known only in some situations? What information is merely nice to have, and should it be given at all? Should services be personalized for users, and how much private data is enough for a personalized identity in an application?

Trust4All

M.Sc. Sami Lehtonen, Technical Research Center of Finland

The Trust4All project, partially developed at VTT, aims to create a middleware software architecture for embedded systems in which security is managed by a trust-based approach. The application domain of the project covers home medicare or home security. Embedded systems are dynamic in nature, so conventional static security implementations are not feasible. The goal of the project is to create a trust model that can be applied to the application domains. The model will create a framework for applying a certain level of trust in embedded software. The deployment of the composed software could be validated against the model. The resulting architecture will be published as a set of open interfaces.

The project models trust with the following concepts:

  • Trust is directed.
  • Trust is subjective.
  • Trust is context-dependent.
  • Trust is measurable.
  • Trust depends on history.
  • Trust is dynamic.
  • Trust is conditionally transferable.
  • Trust can be a composite property.

The trustworthiness management framework will model dependability situations with different modes in which the trustor and trustee counterparts act. Usually, on the system side, the framework first limits system privileges to the needed degree. With interaction counterparts, the trustworthiness level is then calculated and selected according to a given threshold value. The input parameters for the calculation are taken from the trustworthiness profile, from quality attributes and from the current context.
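
The threshold decision described above can be sketched as follows. This is an added example, not Trust4All code: the decay factor, the 0.7/0.3 weights, the scoring formula and all names are assumptions chosen for illustration. Trust is stored per directed (trustor, trustee, context) relation, updated from interaction history, and combined with a profile prior and a quality attribute before being compared with the threshold.

```python
# Illustrative trust calculation; formulas and weights are assumptions, not Trust4All's.

class TrustManager:
    def __init__(self, decay=0.8):
        self.decay = decay   # older evidence fades: trust is dynamic
        self.history = {}    # (trustor, trustee, context) -> (positive, total)

    def record(self, trustor, trustee, context, success):
        """Store the outcome of one interaction for a directed, per-context relation."""
        pos, total = self.history.get((trustor, trustee, context), (0.0, 0.0))
        pos = pos * self.decay + (1.0 if success else 0.0)
        total = total * self.decay + 1.0
        self.history[(trustor, trustee, context)] = (pos, total)

    def score(self, trustor, trustee, context, profile_prior, quality):
        """Trustworthiness in 0..1 from history, profile prior and quality attribute."""
        pos, total = self.history.get((trustor, trustee, context), (0.0, 0.0))
        # The profile prior counts as one pseudo-observation, so a relation
        # without history falls back to the prior instead of dividing by zero.
        experience = (pos + profile_prior) / (total + 1.0)
        return 0.7 * experience + 0.3 * quality

    def decide(self, trustor, trustee, context, profile_prior, quality, threshold):
        """Allow the interaction only if the score reaches the threshold."""
        return self.score(trustor, trustee, context, profile_prior, quality) >= threshold


def demo():
    """Constructed scenario: a home hub and a door sensor."""
    tm = TrustManager()
    for _ in range(3):
        tm.record("hub", "sensor", "home-security", True)
    args = dict(profile_prior=0.5, quality=0.9, threshold=0.8)
    results = {
        "after_successes": tm.decide("hub", "sensor", "home-security", **args),
        "reverse_direction": tm.decide("sensor", "hub", "home-security", **args),
        "other_context": tm.decide("hub", "sensor", "home-medicare", **args),
    }
    for _ in range(2):
        tm.record("hub", "sensor", "home-security", False)
    results["after_failures"] = tm.decide("hub", "sensor", "home-security", **args)
    return results


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the same trustee passes the threshold only for the relation and context in which it has a good history, and loses that status again after repeated failures.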

P2P on Handhelds

Dr. Jukka K. Nurminen, Nokia Research Center

Peer-to-peer is a concept for forming communication networks where the focus is on individual computers, utilizing local processing power and local network bandwidth. The nodes in the network are considered equal, meaning that each combines the communication-initiating (client) part and the responding (server) part. The driving force behind P2P usage is the development of local computer capabilities in processing and communication. This development also applies to small-scale mobile devices.

Peer-to-peer systems can be divided into:

  • Unstructured
    • Centralized P2P
    • Pure P2P
    • Hybrid P2P
  • Structured
    • DHT-Based P2P (Distributed Hash Table)

P2P systems are mostly made for content distribution. Usually files are transferred: a file is split into smaller pieces, which are then distributed among peers. A downloading peer then collects the pieces, preferably from local peers. Distribution could also be extended to data streams, where peers forward the incoming stream to others.

P2P on handheld devices is currently at an experimental stage. There are challenges such as firewall traversal, operator co-operation, high churn, battery consumption, billing possibilities and limited device resources. What is the best P2P technology in a mobile environment? How can device resources be used efficiently? What new possibilities could the aspects of mobile devices bring?

PAMP? PAMP is a project to create local web applications on a mobile device. Its relation to distributed P2P systems was left unclear.

Code Camp

At the code camp our group developed SuperStalker3000. Stalker tracks user routes (from GPS information) and is then able to send the route data to a Google application. The Google application attaches the route information to a map. The routes on the map could then be studied by other people.

The software was implemented in the Python language, both on the local side and on the Google application side. The environment was the Nokia Internet Tablet (N810). The biggest practical problem in the work was that the N810 GPS implementation was not mature, and there were problems getting a good GPS signal and data.