Title: Waseda Univ' Global Information and
Slide 1: Privacy and Security Considerations for Personal Trusted Devices
- Jari Veijalainen, Mohammad A. Haq
- Mitsuji Matsumoto
- Waseda University
- GITI/GITS
Slide 2: The big picture: convergence of Internet and digital telecom networks
[Figure: convergence diagram. Nodes shown: PC, PC, Mobile terminal, TV set, IP Backbone Network, Mobile NW Operator sphere, E-commerce server, CA server, Service provider server (e.g. GIS), Community server]
Slide 3: The big picture: Access Network technologies
Slide 4: Some measures for the big picture
- Global wireless infrastructure based on GSM technology is truly global with its roaming capability and coverage.
- At the end of 2002, there were 454 GSM operators worldwide in 182 countries, and they served over 730 million users.
- In 2002, 75 percent of the new mobile customers started to use GSM terminals and services offered by the GSM networks [Nok2003].
- The number of digital telecom handsets has exceeded 1 billion (in 2002, ca. 400 million handsets were sold) and by 2005 perhaps 2 billion.
Slide 5: Some measures for the big picture
- Of these handsets, hundreds of millions are Internet-enabled (WWW-, WAP- or i-mode-enabled).
- There are over a hundred million servers on the server side (in Internet 1) and many in private networks.
Slide 6: What is a Personal Trusted Device?
- When the wireless terminals in the above big picture are capable of supporting seamless communication, authentication and authorisation of users, various kinds of contents (including text, voice and video streams, geocoded contents, etc.) and practically any conceivable application or service, one can begin to talk about a Personal Trusted Device (PTD).
- This is close already: e.g. M-commerce transactions can be launched, credit card information stored, and access to corporate resources allowed through PTDs now.
Slide 7: Functionality of a PTD
Slide 8: Security and privacy problems of PTDs
- The PTDs are able to host larger and larger amounts of data as memories get bigger.
- This data is a security risk, because the device could be stolen or lost => minimise the amount of critical data kept at the PTD?
- On the other hand, for guarding against privacy violations it might be wise to store large amounts of data at the PTD.
- What is an optimal approach, and on what does the optimality depend?
Slide 9: Security and privacy risks
- Evidently, if there is no risk of losing the device and data, then it makes sense to keep as much data as possible, also critical data, at the device.
- On the contrary, if the risk of losing the device to a thief, or of losing the data because of a device crash or any other technical problem, is high, it is advisable to minimise the amount of critical data kept at the device.
Slide 10: Trade-off between the risk of losing the PTD/the stored data
[Figure: plot with "Amount of data stored at PTD" on the vertical axis and "Risk of losing the data" on the horizontal axis, running from (0,0) to 1, marking possible security/privacy policy settings taking into account risks and usability]
Slide 11: Assets, risks, threats, and countermeasures
- Assets: any data stored at the PTD
- Risks:
  - PTD data lost: the data stored at the PTD is lost for the data owner. There are many threats that result in this, as discussed below.
  - PTD data misused: the data stored at the PTD and subsequently extracted is misused by malicious persons.
Slide 12: Threats
- a) PTD is destroyed (PTDdstrd)
  - In this case no one can use the data any more.
- b) PTD is lost (PTDlost) for the owner
  - In this case the owner does not get the device or data back; he or she is unsure whether the data will be misused or not.
- c) PTD is stolen (PTDstolen) from the owner
  - The owner knows that the device is stolen and certainly all the data is lost, and perhaps some or all of the data is misused.
Slide 13: Threats (cont'd)
- d) PTD data misused unnoticed (PTDmisused_u)
  - In this case the data stored at the PTD is extracted and/or altered in a way that the owner does not notice.
  - The PTD and the data remain at the disposal of the owner (perhaps, however, altered in some way).
  - This case can lead to considerable security threats and damages from the owner's point of view (misuse of cyber-identity, passwords, credit card, access to company infrastructure, etc.).
  - Privacy violation also belongs to this category, if the data provided by or stored at the terminal is misused.
Slide 14: Threats (cont'd)
- e) PTD data misused but detected (PTDmisused_d)
  - This case can result from theft, losing the device and subsequent theft, or disclosure of a misuse attempt from logs or physical traces (cf. Bluetooth/IR connection).
  - In this case the device owner detects the misuse either when it is evident from the context (theft) or sometimes afterwards.
  - The difference to the previous case is that the device owner can take deliberate countermeasures.
Slide 15: Countermeasures against losing data
- l.a) minimizing the amount of critical data stored at the PTD
- l.b) full (or partial) data replication at a safe network component
- l.c) provision of safe backdoors to the data for which the legitimate owner has lost access for some reason (encrypted data, lost access to the entire device or to decryption keys, etc.)
Slide 16: Countermeasures against PTD misuse
- m.a) minimizing the amount of critical data stored at the device
- m.b) as good as possible physical protection of the PTD
- m.c) reliable access control to the PTD and the data stored at it
- m.d) encryption of the data stored at the device
- m.e) partition of the data and storing it at the device and at another safe location (server, memory card, etc.)
Slide 17: Countermeasures against PTD misuse
- m.f) self-destruction of the data if a misuse attempt is detected by the device
- m.g) privacy-related data and algorithms that monitor which combinations of data handed out from the device while using various external services could lead to privacy violations or threats
- m.h) refraining from accessing networked services
- m.i) providing full security for communications over the air interface (end-to-end message encryption, end-to-end authentication, authorization)
Slide 18: Technical support for the countermeasures at the PTD
- Reliable access control and authorization
  - This is a prerequisite for any security and privacy scheme: if a malicious person gets access to the data at the device just by getting hold of it physically, nothing much can be done any more. Physical security of the PTD is thus a key ingredient in the security field.
  - The second security sphere is proper authentication (PIN, biometric authentication, etc.).
  - The third sphere is proper authorization of access to the data stored at the device.
  - The fourth sphere is protecting the device against malicious programs that are run there.
Slide 19: Technical support for the countermeasures
- Categorization of the data
  - Assess the risk level of a particular piece of data and tell this to the system software (e.g. high, medium, low).
- Minimizing the amount of vulnerable data at the PTD
  - This can be semiautomatic, based on the risk level and the above categorisation.
  - If the risk level exceeds a threshold (e.g. due to movement to a high-risk area), the vulnerable data is moved away from the device or encrypted in a suitable way.
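The semiautomatic placement decision described on this slide (and the trade-off curve of slide 10) can be made concrete as a small policy function. The following is an added illustration, not code from the authors or their PTD work: the three-level categorisation comes from the slide, while the exposure formula, the two thresholds (ENCRYPT_AT, OFFLOAD_AT), the area-to-risk table and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class RiskLevel(IntEnum):
    """Risk category of a piece of data, as told to the system software (slide 19)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class DataItem:
    name: str
    risk: RiskLevel


# Assumed policy thresholds on the exposure score (0..1).
ENCRYPT_AT = 0.3   # at or above this, keep the item on the device only in encrypted form
OFFLOAD_AT = 0.6   # at or above this, move the item off the device (to a safe network component)

# Assumed context risk per area, i.e. the probability-like risk of losing the
# device (slide 10's horizontal axis). Constructed values for the example.
AREA_RISK = {
    "home": 0.1,
    "office": 0.2,
    "airport": 0.5,
    "unfamiliar_city_centre": 0.95,
}


def exposure(item: DataItem, context_risk: float) -> float:
    """Exposure of one item = context risk scaled by how critical the item is.

    HIGH items carry the full context risk, MEDIUM two thirds of it, LOW one third.
    """
    if not 0.0 <= context_risk <= 1.0:
        raise ValueError("context_risk must be within [0, 1]")
    return context_risk * (item.risk / RiskLevel.HIGH)


def decide(item: DataItem, context_risk: float) -> str:
    """Map exposure to one of the slide's actions: keep, encrypt, or offload."""
    e = exposure(item, context_risk)
    if e >= OFFLOAD_AT:
        return "offload"
    if e >= ENCRYPT_AT:
        return "encrypt"
    return "keep"


def plan_placement(items: List[DataItem], context_risk: float) -> Dict[str, str]:
    """Decide, for every item of the PTD, where it should live at this context risk."""
    return {item.name: decide(item, context_risk) for item in items}


def plan_for_area(items: List[DataItem], area: str) -> Dict[str, str]:
    """Re-plan when the device moves to a new area (unknown areas are treated as high risk)."""
    return plan_placement(items, AREA_RISK.get(area, 1.0))


# Constructed sample inventory of a PTD.
SAMPLE_ITEMS = [
    DataItem("credit_card", RiskLevel.HIGH),
    DataItem("corporate_vpn_credentials", RiskLevel.HIGH),
    DataItem("address_book", RiskLevel.MEDIUM),
    DataItem("ringtones", RiskLevel.LOW),
]

if __name__ == "__main__":
    for area in AREA_RISK:
        print(f"{area:>24}: {plan_for_area(SAMPLE_ITEMS, area)}")
```

Moving from "office" to "unfamiliar_city_centre" changes the plan from keeping everything in the clear to offloading the high- and medium-risk items and encrypting the rest; this is the automatic relocation the slide describes, with the thresholds as the knob on which the usability/security proportion of slide 24 is set.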
Slide 20: Technical support for the countermeasures
- Data partitioning
  - The idea here is to store only a portion of a particular data item (a half-granule) at the PTD and the other half-granule at a network component or other device, so that both half-granules are useless alone, i.e. cannot be used unless first combined; thus grabbing the device alone, or the other half-granule at the network alone, would not yet grant access.
  - The problem with the scheme is that if there is no network connection, the legal user cannot use the data either, because the half-granules cannot be recombined.
  - Another problem is the need for wireless capacity.
Slide 21: Technical support for the countermeasures
- Data replication
  - This scheme is solely against losing the data for whatever reason (device crash, loss or theft).
  - The data granules stored outside the device (at other devices, network components, etc.) function basically as back-up copies that must be refreshed from time to time.
  - The drawback of the scheme is that it increases the risk of misuse of the data, because the same data is stored in perhaps many places outside the device.
  - Another drawback is storage and wireless network cost.
Slide 22: Technical support for the countermeasures
- Encryption of data
  - Encryption means that even if a malicious person has got hold of the device, he or she would still have to decrypt the data in order to misuse it.
  - This can only be achieved by making authorization a necessary step in accessing the data (PIN, or authorizing the action by other means).
Slide 23: Technical support for the countermeasures
- Destruction of the data
  - This is an ultimate measure that the device should launch automatically, if it detects a rather clear misuse attempt.
  - By destruction the misuse is prevented, but so is the legal use, unless the data is replicated.
  - How the decision can be made automatically is by no means clear at the moment.
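Slides 22 and 23 together describe a store whose decryption key exists only while authorization (here a PIN) succeeds, and which destroys itself on a clear misuse attempt. The block below is an added example illustrating both, not the authors' code: the key is derived from the PIN with PBKDF2, the ciphertext carries an HMAC tag so that a wrong PIN is detected rather than yielding garbage, and a run of MAX_FAILED_ATTEMPTS wrong PINs is taken as the assumed misuse signal that triggers destruction. The keystream is built from HMAC-SHA256 in counter mode so the example needs only the standard library; it stands in for a vetted AEAD (e.g. AES-GCM from a crypto library) that a product would use. Iteration count and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for PIN stretching
MAX_FAILED_ATTEMPTS = 3      # assumed threshold after which the data is destroyed


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte master key; the salt makes per-device keys distinct."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only keystream (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master: bytes):
    """Separate keys for encryption and for the authentication tag."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(pin: str, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt plaintext under a PIN-derived key and attach an integrity tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(pin, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(pin: str, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the plaintext, or None if the PIN is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(derive_key(pin, blob["salt"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], stream))


class ProtectedStore:
    """Critical data that is only readable after PIN authorization and that
    self-destructs after MAX_FAILED_ATTEMPTS consecutive wrong PINs."""

    def __init__(self, pin: str, plaintext: bytes) -> None:
        self._blob: Optional[Dict[str, bytes]] = seal(pin, plaintext)
        self.failed_attempts = 0
        self.destroyed = False

    def open(self, pin: str) -> Optional[bytes]:
        if self.destroyed or self._blob is None:
            return None
        data = unseal(pin, self._blob)
        if data is None:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self._blob = None          # destruction: nothing left to decrypt
                self.destroyed = True
            return None
        self.failed_attempts = 0           # a correct PIN resets the counter
        return data


if __name__ == "__main__":
    # Constructed sample: credit card data guarded by a PIN.
    store = ProtectedStore("4711", b"card=4111-1111-1111-1111")
    print("wrong PIN ->", store.open("0000"))
    print("right PIN ->", store.open("4711"))
    for guess in ("1111", "2222", "3333"):
        store.open(guess)
    print("destroyed:", store.destroyed, "| right PIN now ->", store.open("4711"))
```

Because the tag check fails closed, a wrong PIN never produces a plausible-looking decryption, which is what makes the attempt counter a usable misuse signal; the price, exactly as slide 23 says, is that three mistyped PINs also lock out the legitimate owner unless the data is replicated elsewhere (slide 21).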
Slide 24: Conclusions and further research
- Added security and privacy protection tend to decrease the usability of the device and increase power consumption and network capacity requirements.
- It is therefore vital that the security and privacy protection policies and methods used in PTDs are in the right proportion to the threats.
- Support from the network side is needed in almost all schemes; thus, there must be an integrated overall security and privacy scheme.
Slide 25: Conclusions and further research
- Many problems remain open, such as:
  - the measures for the threat and for the similarity of the copies;
  - a comprehensive analytical model with the help of which one could better assess the impact of the chosen policies and methods on the usability, security and privacy of the PTDs.
- These are for further study.