security and ethics in ubiquitous computing environments

Security and Ethics in Ubiquitous Computing Environments Sudantha Gunawardena

Upload: sudantha-sulochana

Post on 15-Sep-2014



Contents

Abstract
1.0 Introduction
2.0 Properties of Security
3.0 Anatomy of a Ubiquitous Environment and Attacks
4.0 Authentication and Recognition
4.1 Spontaneous Interactions
4.2 ‘Shaking’ as an authentication
4.3 Ultrasonic Authentication
4.4 Visible Laser for Authentication
5.0 Security Vulnerabilities
5.1 Physical Security
5.1.1 Replacing or Modifying Hardware Devices/Software
5.2 Wireless attacks
5.2.1 Denial-of-Service Attacks (DoS attacks)
5.2.2 Network eavesdropping
5.2.3 Man in the Middle attacks
5.3 Attacks on Cryptography Schemes
5.3.1 Brute-force attacks
5.3.2 Rainbow attacks
5.4 Social engineering attacks
5.4.1 Phishing Attacks
6.0 Security Mechanisms
7.0 Ethics
8.0 Conclusion
References
Bibliography


Abstract

Ubiquitous computing is an approach to human-computer interaction built on ambient intelligence, in which users draw on computer intelligence in their day-to-day activities. Many universities and research institutes are working on research projects to make ubiquitous computing a reality.

At present, one of the foremost challenges in information technology is security, ethics and privacy, and it carries over to ubiquitous computing as a key challenge. Because ubiquitous computing deals with people's day-to-day activities, much of their sensitive private information can be exposed, and it needs to be secured in ubiquitous environments.

1.0 Introduction

As Blaauw & Frederick (1997) describe, the first generation of computing was the age of mainframes, in which multiple users shared the same centralized machine. In the late 80’s the personal computer era began, with the slogan of making computers available to each person individually. Computer enthusiasts like Steve Wozniak pioneered the fabrication of the first personal computer.

According to Stajano (2002, p.2), ubiquitous computing can be defined as an approach of ‘everywhere computing’ and can be regarded as the third generation of computer evolution. As Weiss & Craiger (2002, p.1) put it, ubiquitous computing can be defined as embedding computers in our work and personal lives, without demanding the user's attention, to improve the productivity of regular activities.


2.0 Properties of Security

According to Stajano (2002, p.4), each secure entity should have three key properties:

Security
Protect sensitive data from unauthorized attacks or systems.

Integrity
Prevent attackers from accessing or modifying information in a secure system by unauthorized means.

Availability
Users will be able to access the system at all times, without failures or maintenance interruptions.

Figure 1 - Information Security triangle - Stajano (2002)

A secure system should keep these three properties in equilibrium. Without that equilibrium, a secure system cannot be considered a successful one. For example, consider a system with a high level of security relative to its availability: it delivers no productivity, because users are not motivated to use a system that is not easy to use.


3.0 Anatomy of a Ubiquitous Environment and Attacks

[Figure: layers of a ubiquitous environment (Users, Devices, Wireless Network, Service Framework, Content Providing Services) with the attacks on them (social engineering attacks, physical attacks, network eavesdropping, attacks on cryptography schemes)]

Figure 2 - Anatomy of a Ubiquitous Environment - Kang (2007)

As Kang (2007) describes, a ubiquitous environment deals with several levels of devices and environments. To compose a secure ubiquitous system, securing the substructures at each level will in turn create a secure ubiquitous scheme. The figure above shows these levels, from the user to the content providing services. The approach is to identify the security vulnerabilities at each level and present the necessary solution.

The following table shows the security vulnerabilities at each level:

Level | Security Vulnerabilities
--- | ---
User | Social engineering attacks
Device | Physical attacks
Wireless Network | Network eavesdropping / Man in the middle attacks
Service Framework | Attacks on cryptography schemes
Content Providing Services |

Table 1 – Security Vulnerabilities in each level.


4.0 Authentication and Recognition

Authentication plays a major role in security, but current approaches to authentication, such as alphanumeric passwords, biometric recognition and graphical passwords, require users to carry out an action to be authenticated. This is not appropriate for ubiquitous computing environments, because the foremost rationale of ubiquity is to make computing invisible and found everywhere.

According to Mayrhofer (2009, p.4), a few researchers have designed authentication approaches specifically for ubiquitous computing environments. These approaches do not require user involvement to authenticate.

According to Mayrhofer & Welch (2007, p.3), when two devices need to establish secure authentication using a symmetric key technique, the two users must first agree on a shared common key. In a ubiquitous environment this key agreement has to take place over a wireless medium, which can be exposed to various attacks such as phishing attacks and man-in-the-middle attacks.

As Mayrhofer & Welch (2007, p.4) further describe, to defeat these attacks only trusted devices can be connected to each other; however, the wireless network will still remain insecure.


4.1 Spontaneous Interactions

According to Mayrhofer & Gellersen (2007, p.3), one of the key challenges in designing authentication systems for ubiquitous environments is this: in present-day computing, when two devices need to be connected, they already have some knowledge about each other. A ubiquitous world, by contrast, focuses on ‘every day, everywhere computing’, where an enormous number of devices with no prior knowledge of each other communicate without human interaction.

So in ubiquitous computing, devices that have no prior information about each other must authenticate and interact, which Mayrhofer & Gellersen (2007) call spontaneous interactions.

[Figure: Device 1, Device 2 and Device 3, linked by spontaneous interactions and authentication]

Figure 3 - Spontaneous Interactions

The problem is that current authentication schemes are not ‘spontaneous’, so researchers have come up with the following new types of authentication scheme, which are ‘spontaneous’.


4.2 ‘Shaking’ as an authentication

‘Shaking’, or moving an object in simple harmonic motion (SHM), is something that can easily be done with most objects. Mayrhofer & Gellersen (2007, p.3) describe an authentication approach for ubiquitous computing in which this simple shaking is used to generate keys and authenticate devices by measuring the acceleration of each device.

[Figure: a device with an accelerometer]

Figure 4 - Implementation of the 'Shaking' as an authentication

As Mayrhofer & Gellersen (2007, p.8) further describe, this method of authentication can be simple, cheap and power efficient. The anatomy of the technique is as follows.

Mayrhofer & Gellersen (2007, p.147) state that the core concept of the proposed authentication approach is based on evaluating accelerometer readings.

First, three preprocessing tasks are carried out to sense and capture the accelerometer input: the data is sampled, synchronized and aligned, separately on each of the two devices. As a result of these steps, the following graph is generated for both of the devices that need to authenticate.


Figure 5 - Spectrum of an accelerometer outcomes by 'shaking' the devices - Mayrhofer & Gellersen (2007, p.147)

Finally, in the authentication phase the two spectra are matched and authentication is completed. The main advantage of the method is that two devices can be authenticated spatially. The foremost disadvantage is that the shaking is done by a human, so there is some probability that the two devices will not end up with the same spectrum.
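The spectrum-matching step described above can be sketched as follows. This is an added example, not code from the original paper or from Mayrhofer & Gellersen: it assumes a 64 Hz sampling rate, a 128-sample window and a cosine-similarity threshold of 0.8, and it uses constructed sinusoid-plus-noise signals in place of real accelerometer captures.

```python
import cmath
import math
import random

WINDOW = 128            # samples per comparison window (assumed: 2 s at 64 Hz)
SAMPLE_RATE_HZ = 64     # assumed accelerometer sampling rate
MATCH_THRESHOLD = 0.8   # assumed acceptance threshold, not taken from the paper


def magnitude_spectrum(samples):
    """|DFT| for bins 1..N/2-1, after removing the mean (gravity / DC offset)."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    spectrum = []
    for k in range(1, n // 2):
        acc = sum(x * cmath.exp(-2j * math.pi * k * t / n)
                  for t, x in enumerate(centred))
        spectrum.append(abs(acc))
    return spectrum


def spectral_similarity(a, b):
    """Cosine similarity of two magnitude spectra; 1.0 means identical shape."""
    sa, sb = magnitude_spectrum(a), magnitude_spectrum(b)
    dot = sum(x * y for x, y in zip(sa, sb))
    norm = math.sqrt(sum(x * x for x in sa) * sum(y * y for y in sb))
    return dot / norm if norm else 0.0


def shaken_together(a, b, threshold=MATCH_THRESHOLD):
    """Accept the pairing only if both windows are complete and spectra match."""
    if len(a) != len(b) or len(a) < WINDOW:
        return False          # unaligned or truncated capture: fail closed
    return spectral_similarity(a, b) >= threshold


def simulate_shake(components, rng, noise_sigma=0.15, n=WINDOW):
    """Constructed signal: sum of (frequency_hz, amplitude) sinusoids plus
    independent Gaussian sensor noise, sampled at SAMPLE_RATE_HZ."""
    return [
        sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE_HZ)
            for f, amp in components) + rng.gauss(0.0, noise_sigma)
        for t in range(n)
    ]


def demo():
    rng = random.Random(2007)                 # fixed seed: repeatable sample data
    hand_motion = [(3.0, 1.0), (5.5, 0.6)]    # both devices held in one hand
    other_motion = [(2.0, 1.0), (7.0, 0.6)]   # a device shaken by someone else
    dev_a = simulate_shake(hand_motion, rng)
    dev_b = simulate_shake(hand_motion, rng)  # same motion, different noise
    dev_c = simulate_shake(other_motion, rng)
    return {
        "a_b_match": shaken_together(dev_a, dev_b),
        "a_c_match": shaken_together(dev_a, dev_c),
        "truncated": shaken_together(dev_a[:64], dev_b[:64]),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold trades the two failure modes against each other: set too high, a genuine joint shake is rejected (the disadvantage noted above); set too low, unrelated motion is accepted.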


4.3 Ultrasonic Authentication

According to Gellersen & Mayrhofer (2007), ultrasonic waves can be used as an authentication approach between two devices. Because ultrasound travels through the air quite slowly, according to Gellersen & Mayrhofer (2007, p.1), ultrasonic beams can be used to calculate the distance, the arrival time of the signal and the arrival angle of the signal. Authentication can be achieved relative to the position of the devices and the angle of the signal.

[Figure: Ultrasonic Device, ultrasonic beams, Device 1, Device 2; arrival times T=t and T=t+1]

Figure 6 - Ultrasonic Authentication

As the diagram above shows, an ultrasonic sound wave is transmitted, and at the receiver's end the angle and arrival time of the signal can be calculated. With this data the two devices can be authenticated.


4.4 Visible Laser for Authentication

According to Mayrhofer & Welch (2007, p.6), visible laser light can be generated using a laser diode and used to authenticate devices wirelessly, without human interaction. As Mayrhofer & Welch (2007, p.7) define this technique, the devices that need to authenticate must be kept in line of sight.

[Figure: Device 1, Device 2, laser diode, laser beam]

Figure 7 – Authentication using visible laser light

But as Mayrhofer & Welch (2007, p.7) further describe, the visible laser channel cannot be considered authentic or confidential, because it is easily exposed to attackers, who can even modify the channel.

[Figure: Device 1, Device 2, laser diode, laser beam, attacker]

Figure 8 - Attack on visible laser light scheme

Mayrhofer & Welch (2007, p.8) state that with a cryptographic scheme such as Diffie-Hellman key exchange, the data on the laser channel can be secured and authenticated.


5.0 Security Vulnerabilities

5.1 Physical Security

According to Mayrhofer (2009, p.8), because a ubiquitous computing environment involves many more interconnected devices than present-day computing, it can create more security threat scenarios, especially for the physical security of devices. As Mayrhofer (2009, p.8) describes, an intruder can plan an attack on ubiquitous devices using the following tactics.

5.1.1 Replacing or Modifying Hardware Devices/Software

Consider a scenario in which several devices are interconnected to provide a ubiquitous service to a user. An attacker gains access to this ubiquitous system by replacing or modifying one of these devices without the user being informed.

It is not only hardware devices: portions of software applications, or whole applications, in ubiquitous environments can be replaced with malicious applications that break functionality or steal the user's sensitive data.

5.1.2 Damage or Destroy Hardware Devices/Software

An attacker can even damage or destroy the physical properties of hardware devices. Damage to a physical device can halt a process in a large ubiquitous component or cause the loss of large sets of users' sensitive data and information.


5.2 Wireless attacks

In ubiquitous environments, devices and users are interconnected to exchange data and instructions in order to provide services to the user. In particular, ubiquitous devices will be connected to each other using wireless networks.

5.2.1 Denial-of-Service Attacks (DoS attacks)

According to Hole (2008), a DoS attack is an attacker's approach to preventing users from accessing a certain service, or to disrupting or reducing the efficiency of a service, by creating a large volume of unnecessary traffic requests. A key symptom of a DoS attack is that, as the large number of unnecessary data packets travels through the network, network consumption increases and the network becomes slow.

[Figure: Attackers (DoS attack), User (Request), Network, Target Server]

Figure 9 – Denial-of-Service Attack

Especially in a ubiquitous environment, the unavailability of a service or slow access to it will be catastrophic, because devices depend on each other for information.


5.2.2 Network eavesdropping

Wireless network eavesdropping is currently a considerable issue as well. According to Arbaugh (2002), network eavesdropping can be defined as an attacker capturing data packets that are transmitted over wireless or wired networks.

[Figure: Sender, Receiver, Attacker capturing data packets]

Figure 10 - Network eavesdropping in a network

An attacker can listen to the network and capture data packets, and can use this information to mount attacks or steal confidential user information. These attackers can even modify the data stream and add malicious code to it.


5.2.3 Man in the Middle attacks

According to Eriksson (n.d., p.7), a common form of network eavesdropping is the ‘man in the middle attack’, in which an attacker positions themselves between the sender and the receiver, captures the traffic transmitted by the sender, modifies the information by adding malicious scripts, and sends it on to the original receiver.

[Figure: Sender, Receiver, Attacker; original connection and man-in-the-middle connection]

Figure 11 - Man in the middle attack

In a ubiquitous environment, when two devices need to transmit sensitive user data, an intermediate attacker can capture the data, modify it and pass it on to the original receiver or the sender. Man-in-the-middle attacks can be avoided by creating secure channels between the two communicating parties, comparable to SSL or SSH, but such a channel cannot guarantee entirely secure communication, because even these channels can, rarely, be attacked.

These secure communication channels are also not ready to survive in ubiquitous environments, because they were designed for general network communication.


5.3 Attacks on Cryptography Schemes

Most users' sensitive information stored in data repositories is not kept in plain text, because attackers who gain entry to the repository could then easily manipulate it. With cryptography schemes, the data can be encrypted and then decrypted when it needs to be used. But with modern computing these cryptography methods cannot be considered a secure approach, because various attacks have been built to break these cryptographic algorithms.

5.3.1 Brute-force attacks

According to Jakobsson & Myers (2006), a brute-force attack can be defined as an approach to breaking encrypted data by checking possible encryption keys against the cipher text. A brute-force search lets the key combination be guessed.

With the encryption key, the attacker can decrypt the data from the data repository and gain access. A brute-force attack takes a large amount of processing time and computation power.

5.3.2 Rainbow attacks

As Norbutaite & Jorgensen (2007) confirm, a rainbow attack can be considered a variation of a brute-force attack. As Jakobsson & Myers (2006) describe, a brute-force attack searches through all possible keys for the cipher text, whereas Norbutaite & Jorgensen (2007, p.2) state that a rainbow attack first generates a table of selected possible key combinations, called a rainbow table, and then mounts the attack.

Relative to a brute-force attack, a rainbow attack requires less computation power and processing time, because only the selected keys are tried in the search.
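Table 2 lists salting and locking after invalid attempts as the countermeasures to rainbow and brute-force attacks. The added example below (not from the original paper) applies them to stored passwords, a common target of precomputed tables: a plain digest lookup stands in for a rainbow table, and the word list, iteration count and lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it as hardware allows
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold


def unsalted_digest(password):
    """Weak storage: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(candidates):
    """Simplified stand-in for a rainbow table: a digest -> password lookup
    built once, ahead of time, and reusable against every unsalted store."""
    return {unsalted_digest(p): p for p in candidates}


def make_record(password):
    """Hardened storage: random per-user salt plus a slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failed": 0}


def verify(record, candidate):
    """Return 'ok', 'denied' or 'locked', counting invalid attempts."""
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        return "locked"       # detection hook: alert here, do not only refuse
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"],
                                 PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failed"] = 0
        return "ok"
    record["failed"] += 1
    return "denied"


def demo():
    words = ["letmein", "sunshine", "dragon"]   # constructed sample list
    table = precomputed_table(words)
    weak_store = {"alice": unsalted_digest("sunshine"),
                  "bob": unsalted_digest("sunshine")}
    strong_store = {"alice": make_record("sunshine"),
                    "bob": make_record("sunshine")}
    return {
        # Unsalted: one lookup recovers the password, and equal passwords
        # are visible as equal digests.
        "weak_recovered": table.get(weak_store["alice"]),
        "weak_equal": weak_store["alice"] == weak_store["bob"],
        # Salted: the precomputed digest is useless and equal passwords
        # no longer collide.
        "strong_recovered": table.get(strong_store["alice"]["digest"].hex()),
        "strong_equal": (strong_store["alice"]["digest"]
                         == strong_store["bob"]["digest"]),
    }


if __name__ == "__main__":
    print(demo())
```

A hard lockout trades against availability, since anyone can lock a known account by guessing; rate limiting or a timed unlock keeps the detection signal without that side effect.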


5.4 Social engineering attacks

5.4.1 Phishing Attacks

According to Jakobsson & Myers (2006), phishing is an attack approach combined with spoofing that deceives users in order to steal their sensitive data by faking various services such as emails, web sites and telephone calls.

Phishing attacks can reach users in various forms, but the most common is through e-mails or fake web forms. Phishing attacks can also target a specific user group within an organization.

In ubiquitous environments phishing can be a devastating type of attack, because attackers can easily create false web pages, e-mails and other lures and obtain a user's authentication details. With the authentication details, the attacker has access to a wide range of records of the user's sensitive personal information.


6.0 Security Mechanisms

According to Sastry & Roosta (2008, p.65), security mechanisms are arrangements of methods for securing systems against attackers and protecting sensitive data. Security mechanisms in computing can be divided into three core parts:

1. Prevention

2. Detection

3. Survivability

6.1 Prevention

As described by Sastry & Roosta (2008, p.65), ‘prevention’ is the technique of securing sensitive data by controlling attackers' access to it. Specifically, prevention can be achieved with cryptography schemes, from encryption ciphers to secure communication channels. Enciphering data with a key-based cryptographic algorithm prevents the data from being exposed to unauthenticated hands.

6.2 Detection

Detection means gaining knowledge of, and raising alerts about, unusual activities before a system breach takes place. As Sastry & Roosta (2008, p.65) describe, if an attacker is trying to break into a system, the malicious activity can be detected and reported, or can trigger the security systems.

6.3 Survivability

Keeping normal activities running while an attack is already under way can be considered survivability.

Ubiquitous environments require security from all three of the mechanisms above. Secure ubiquitous designs should pay particular attention to survivability: because human activities depend fundamentally on these ubiquitous systems, the failure of a system will frustrate people. In some scenarios the data on one device even depends on the activities of several other devices, so a failure in one device becomes a failure of a huge ubiquitous ecosystem.

The following table describes the attacks at each level of a ubiquitous environment and the corresponding security mechanisms.

Attacks | Prevention | Detection | Survivability
--- | --- | --- | ---
Physical Security | Implement security locks. | Security alarms or user authentication. | Perform the normal ubiquitous services.
Denial-of-Service Attacks | Firewalls and block unnecessary inbound traffic to the network. | Activity profiling, change point detection. | Perform the normal ubiquitous services.
Network eavesdropping | Use encrypted communication channels, SSID hiding. | Using precise timing techniques. (Synchronization between the sender and receiver – Carl et al. (2006)) | Perform the normal ubiquitous services.
Man in the Middle attacks | Use of secure communication channels. | | Perform the normal ubiquitous services.
Rainbow attacks / Brute-force attacks | Use large key size for the encryption process, salting techniques. | Provide certain locking mechanisms and detect invalid attempts. | Perform the normal ubiquitous services.

Table 2 – Security mechanisms for various attacks
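The ‘activity profiling’ and ‘change point detection’ entries in Table 2 can be illustrated with a CUSUM detector over per-interval packet rates. This is an added example, not taken from the paper or from Carl et al.; the traffic series is constructed, and the slack and threshold values (1 and 8 standard deviations) are assumptions.

```python
import math

# Constructed sample data: packets per second seen at a service, one value
# per measurement interval.
BASELINE = [100, 104, 98, 102, 96] * 4      # indices 0-19: profiling period
NORMAL = [100, 104, 98, 102, 96] * 2        # indices 20-29: ordinary traffic
SPIKE = [115]                               # index 30: one benign burst
RECOVERY = [100, 104, 98, 102, 96]          # indices 31-35
SUSTAINED = [112] * 6                       # indices 36-41: persistent rise
RATES = BASELINE + NORMAL + SPIKE + RECOVERY + SUSTAINED


def profile(rates, baseline_n=20):
    """Activity profile: mean and standard deviation of the baseline."""
    base = rates[:baseline_n]
    if len(base) < 2:
        raise ValueError("need at least two baseline samples")
    mean = sum(base) / len(base)
    var = sum((x - mean) ** 2 for x in base) / len(base)
    return mean, max(math.sqrt(var), 1.0)   # floor avoids a zero-width profile


def naive_alarms(rates, baseline_n=20, sigmas=5.0):
    """Per-sample threshold: every index whose rate exceeds mean + 5 sigma."""
    mean, sigma = profile(rates, baseline_n)
    return [i for i in range(baseline_n, len(rates))
            if rates[i] > mean + sigmas * sigma]


def cusum_alarm(rates, baseline_n=20, slack_sigmas=1.0, threshold_sigmas=8.0):
    """One-sided CUSUM: index of the first sample where the accumulated
    excess over (mean + slack) crosses the threshold, else None."""
    mean, sigma = profile(rates, baseline_n)
    slack = slack_sigmas * sigma
    threshold = threshold_sigmas * sigma
    score = 0.0
    for i in range(baseline_n, len(rates)):
        # Excess traffic accumulates; quiet intervals drain the score to zero.
        score = max(0.0, score + rates[i] - mean - slack)
        if score > threshold:
            return i
    return None


if __name__ == "__main__":
    print("per-sample threshold alarms:", naive_alarms(RATES))
    print("CUSUM change point at index:", cusum_alarm(RATES))
```

On this series the per-sample threshold fires only on the single benign burst and never on the sustained rise, while CUSUM ignores the burst and flags the rise on its third interval.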


7.0 Ethics

According to Greenfield (2004), five major ethical guidelines have been introduced to safeguard well-being in ubiquitous environments. These guiding principles will protect the sensitive user information that is laid out in ubiquitous environments.

The proposed ethical principles are as follows:

1. Default to harmlessness

As Greenfield (2004) defines it, a proposed ubiquitous system should always guarantee the user's physical, physiological and financial safety.

2. Be self-disclosing

The system should always hold information about the ownership of the device, its full capabilities and which information it will transmit to another device. For example, a device capable of tracking the user's geographical location could, if designed unethically, transmit the location details to spy personnel.

3. Be conservative of face

As Greenfield (2004) proposes, a ubiquitous system should respect all users and not embarrass, humiliate or shame them.

4. Be conservative of time

Some ubiquitous applications may be rooted in critical user activities such as medical activities. These vital activities should not be treated as ordinary operations and should be given full attention.

5. Be deniable

As Greenfield (2004) clarifies, in a proposed ubiquitous system users have the privilege of not receiving product and service information from service providers' marketing campaigns (opt-out). For example, if a device sends service information while the subscriber sleeps, it will be irritating to the user.


8.0 Conclusion

Within a few years or a few decades, ubiquitous computing technologies will lead day-to-day human activities, and people will depend on this technological expansion. But without security and ethics, ubiquitous computing will not reach its goals.

A ubiquitous environment consists of its main components: devices, the networks that interconnect the devices, and the service providers. By securing each aspect at each level, the entire ubiquitous environment can be secured. Attacks and security harms can be prevented using the security mechanisms of prevention, detection and survivability. But the equilibrium in the information security triangle between security, integrity and availability should always be preserved, because without this equilibrium a secure entity cannot be considered a successful system.

Concerning authentication, ubiquitous environments also require spontaneous authentication approaches, which go beyond biometric authentication methods.

Finally, a proper set of ethical guidelines has not yet been standardized, but a strong set of guidelines will further strengthen the security of ubiquitous systems.


References

Arbaugh, W. et al. (2002). Your 802.11 wireless network has no clothes. Wireless Communications, IEEE.

Blaauw, G. & Frederick, B. (1997). Computer Architecture: Concepts and Evolution. Boston: Addison-Wesley Longman Publishing Co., Inc.

Carl, G. et al. (2006). Denial-of-Service Attack-Detection Techniques. Pennsylvania, United States: Pennsylvania State University.

Eriksson, M. (n.d.). An Example of a Man-in-the-middle Attack Against Server Authenticated SSL-sessions. Sweden: Simovits Consulting.

Gellersen, H. & Mayrhofer, R. (2007). On the Security of Ultrasound as Out-of-band Channel. UK: Computing Department, Lancaster University.

Greenfield, A. (2004). Some ethical guidelines for user experience in ubiquitous-computing. [Online]. Available from: http://www.boxesandarrows.com/view/all_watched_over_by_machines_of_loving_grace_some_ethical_guidelines_for_user_experience_in_ubiquitous_computing_settings_1. [Accessed: 31st of January 2011].

Hole, K. (2008). Denial of Service Attacks. Bergen: Department of Informatics, University of Bergen.

Jakobsson, M. & Myers, S. (2006). Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Canada: Wiley-Interscience.

Jorgensen, K. H. & Norbutaite, R. (2007). Rainbow attack. Ireland: Dublin City University.

Kang, B. (2007). Ubiquitous Computing Environment Threats and Defensive Measures. Tasmania: School of Computing and Information Systems, University of Tasmania.

Mayrhofer, R. & Gellersen, H. (2007). Shake well before use: Authentication based on Accelerometer Data. UK: Lancaster University.

Mayrhofer, R. & Welch, M. (2007). A Human-Verifiable Authentication Protocol Using Visible Laser Light. UK: Computing Department, Lancaster University.

Mayrhofer, R. (2009). Ubiquitous Computing Security: Authenticating Spontaneous Interactions. Habilitation Colloquium.

Roosta, T. & Sastry, S. (2008). Distributed Reputation System for Tracking Applications in Sensor Networks. California: Department of Electrical Engineering & Computer Science, University of Berkeley.

Stajano, F. (2002). Security for Ubiquitous Computing. USA: John Wiley & Sons, Ltd.

Weiss, R. & Craiger, J. (2002). Ubiquitous Computing. Omaha: University of Nebraska.
