© Ramon Martí, DMAG, Universitat Pompeu Fabra 1 WP2 UPF Contribution to MobiHealth Security in the MobiHealth BAN Enschede 2002/09/18-20.

Presentation transcript:


Page 2 - UPF Participation: Workpackages and Tasks

WP2 - MobiHealth services and BAN integration
  - T2.2 - Development and integration of the BAN platform
  - T2.5 - Security Services for the BAN

Starting on M3:
  - WP2 - MobiHealth services and BAN integration (M3-M13)
  - T2.2 - Development and integration of the BAN platform (M3-M13)
  - T2.5 - Security services for the BAN (M3-M13)

Page 3 - WP2 Security Timetable

T2.5 - Security services in the MobiHealth BAN
  - Refinement of requirements: M03-M05 (Aug-Sep)
  - BAN Test Security Platform Set-up: M04-M06 (Sep-Oct)
  - BAN Network Security Tests: M05-M08 (Oct-Dec)
  - BAN Transport Security Tests: M05-M08 (Oct-Dec)
  - BAN Application Security Tests: M05-M08 (Oct-Dec)
  - BAN Security Integration: M08-M10 (Jan-Feb)
  - BAN Final Security Integration: M10-M13 (Mar-May)

Page 4 - General security requirements

Data protection:
  - Components
    - Storage
    - Access
  - Communications
    - Hop-to-hop
    - End-to-end

Page 5 - Other security services

  - Traffic confidentiality (origin, destination, length, time, ... of messages)
  - Confidentiality of identity (anonymity, pseudonymity)
  - Confidentiality of location
  - Availability (counter DoS attacks)
  - Accountability
  - Reliability

Page 6 - MobiHealth System Architecture

Page 7 - MobiHealth System Components

  - Sensor
  - Actuator
  - Front-End
  - MBU (Mobile Base Unit)
  - WSB (Wireless Service Broker)
  - AppServer
  - WorkStation

Page 8 - MobiHealth System Components Security

Confidentiality / privacy: Data encryption and authentication
  - Data confidentiality
  - No data stored in some components

Authenticity / integrity
  - User authentication (password, smartcard, ...)
  - Terminal authentication (SIM, ...)
  - Application/server authentication (certificate, ...)

Page 9 - MobiHealth Communications

  - Sensor <-> Front-End
  - Actuator <-> Front-End
  - Front-End <-> PDA
  - PDA <-> WSB
  - WSB <-> AppServer
  - PDA <-> AppServer
  - AppServer <-> Workstation

Page 10 - Communications Security

Security can be added to most communication layers.

Different security features depending on layer:
  - Data link layer: Bluetooth, GPRS/UMTS, ...
  - Network layer: IPsec, ...
  - Transport layer: SSL/TLS, HTTPS, ...
  - Application layer: Data encryption (OpenSSL Libraries, MIME)

Page 11 - Data Link Layer / Network Layer Security

Data Link Layer Security
  - Hop-to-hop protection (encryption and authentication).
  - No user or application authentication.
  - The security provided by Bluetooth or GPRS/UMTS, as applicable, can be used.

Network Layer Security
  - Host-to-host protection (encryption and authentication)
  - Hop-to-hop protection
  - End-to-end protection
  - No user or application authentication.
  - IPsec can be used.

Page 12 - Transport Layer / Application Layer Security

Transport Layer Security
  - End-to-end protection (encryption and authentication).
  - Application-to-application protection; optional user authentication.
  - SSL/TLS or HTTPS can be used.

Application Layer Security
  - Application-to-application and application_user-to-application_user protection, including user authentication.
  - Usually through encryption and/or signature of the data sent through the communications stack.
  - SMIME or OpenSSL libraries could be used to encrypt and sign data.

Page 13 - MobiHealth Security: BAN and Rest of the System

BAN Security
  - Sensor <-> Front-End
  - Front-End
  - Front-End <-> PDA
  - PDA
  - PDA <-> WSB
  - PDA <-> AppServer

Rest of MobiHealth Security
  - WSB
  - AppServer
  - Workstation
  - WSB <-> AppServer
  - AppServer <-> Workstation

Page 14 - WP2 Security Timetable

T2.5 - Security services in the MobiHealth BAN
  - Refinement of requirements: M03-M05 (Aug-Sep)
  - BAN Test Security Platform Set-up: M04-M06 (Sep-Oct)
  - BAN Network Security Tests: M05-M08 (Oct-Dec)
  - BAN Transport Security Tests: M05-M08 (Oct-Dec)
  - BAN Application Security Tests: M05-M08 (Oct-Dec)
  - BAN Security Integration: M08-M10 (Jan-Feb)
  - BAN Final Security Integration: M10-M13 (Mar-May)

Page 15 - Security Possible Setups: First Approach

  - iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys.
  - iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with X.509 certificates.
  - iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys.
  - iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with X.509 certificates.
  - iPAQ Windows CE (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys.
  - iPAQ Windows CE (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys.

Page 16 - Setup Requirements

Common part: certificates creation
  - Set-up a Certificate Authority (CA)
  - Certificates Generation
  - Installation of certificates in Gateway Machines (Linux)
  - Installation of certificates in Linux machines (PPC 2002 & PC)
  - Installation of certificates in Windows 2000/XP machines (PC)

FreeS/WAN: IPsec for Linux (Linux PPC & PC)
  - Installation and configuration in Linux machines
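
One way to carry out the CA set-up and certificate generation listed on Page 16, and to use the resulting certificates for the S/MIME application-layer protection mentioned on Page 12, with the OpenSSL command-line tool. This is an added example, not part of the original presentation; the CA subject, the machine names `pda` and `appserver`, and the sample reading are constructed for illustration.

```bash
#!/bin/sh
# Added example. All names, subjects and the sample reading are constructed.
set -eu
WORK=$(mktemp -d)                 # throwaway directory for test keys
trap 'rm -rf "$WORK"' EXIT

# Set up a Certificate Authority: self-signed root key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Trial/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Certificate generation: key + CSR for one machine, signed by the CA.
issue_cert() {                    # $1 = file prefix, $2 = common name
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Trial/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender: sign with the PDA key (integrity + authentication).
sign_only() {                     # $1 = plaintext, $2 = signed message
  openssl smime -sign -text -in "$1" -out "$2" \
    -signer "$WORK/pda.crt" -inkey "$WORK/pda.key" 2>/dev/null
}

# Sender: sign, then encrypt to the AppServer certificate (confidentiality).
protect() {                       # $1 = plaintext, $2 = protected message
  sign_only "$1" "$WORK/signed.msg"
  openssl smime -encrypt -aes256 -in "$WORK/signed.msg" -out "$2" \
    "$WORK/appserver.crt"
}

# Receiver: check the signature and the signer's chain up to the CA.
verify_signed() {                 # $1 = signed message, $2 = recovered text
  openssl smime -verify -text -in "$1" -CAfile "$WORK/ca.crt" \
    -out "$2" 2>/dev/null
}

# Receiver: decrypt with the AppServer key, then verify.
unprotect() {                     # $1 = protected message, $2 = recovered text
  openssl smime -decrypt -in "$1" -out "$WORK/inner.msg" \
    -recip "$WORK/appserver.crt" -inkey "$WORK/appserver.key" &&
  verify_signed "$WORK/inner.msg" "$2"
}

make_ca
issue_cert pda "pda-01.example.test"
issue_cert appserver "appserver.example.test"
printf 'patient=P-0001 heart_rate=72\n' > "$WORK/reading.txt"

protect "$WORK/reading.txt" "$WORK/reading.p7m"
unprotect "$WORK/reading.p7m" "$WORK/recovered.txt"
echo "recovered: $(tr -d '\r' < "$WORK/recovered.txt")"

# A reading altered after signing must fail verification.
sed 's/heart_rate=72/heart_rate=99/' "$WORK/signed.msg" > "$WORK/tampered.msg"
if verify_signed "$WORK/tampered.msg" "$WORK/tampered.txt"; then
  echo "tampered message accepted" >&2; exit 1
fi
echo "tampered message rejected"
```

The same `ca.crt` and per-machine certificates are what an X.509-based IPsec gateway would be configured with; only the S/MIME steps are specific to application-layer protection.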

Page 17 - Test Security Platform Set-up

  - Linux PC
  - Windows 2000 PC
  - iPAQ
    - Just arrived
    - Test iPAQ GPRS connection
    - Serial port
    - Bluetooth
  - GPRS Phones
    - Received beginning September from Movilforum
    - 2 Motorola Timeport 260 GPRS
    - 1 Ericsson T32m Bluetooth

Page 18 - Software Requirements and Installation

Downloaded and installed
  - FreeS/WAN
  - X.509 Patch for FreeS/WAN (version or better)
  - Patches to add multiple encryption ciphers, etc. (optional)
  - Marcus Müller's Windows 2000 VPN Tool
  - OpenSSL package in Linux
  - AdmitOne(r) VPN Client for Pocket PC
  - Linux on iPAQ

Page 19 - Test Security Platform Set-up: Current Status

Setup                        Install.  Config.  Tests
Linux GW and CA              yes       yes      yes
W2K/XP GW                    yes       yes      yes
Linux PC vs. Linux GW        yes       yes      no
W2K/XP PC vs. Linux GW       yes       yes      yes
W2K/XP PC vs. W2K/XP GW      yes       yes      no
iPAQ WCE vs. Linux GW        no        no       no
iPAQ WCE vs. W2K/XP GW       no        no       no
iPAQ Linux vs. Linux GW      no        no       no
iPAQ Linux vs. W2K/XP GW     no        no       no

Page 20 - Open Security Issues in the BAN (1/4)

  - What are the security requirements for the trial scenarios?
  - Which components are to be protected?
    - Internal network: sensors, front-end, MBU
    - External network: GPRS/UMTS, application server
  - How to integrate security into the BAN architecture
  - Hardware, BAN OS
  - What will be there at the server side?
  - Where is the "intelligence" of the system to be developed?
  - More cooperation required with the other WP2 partners

Page 21 - Open Security Issues in the BAN (2/4)

Communication Protocols
  - Sensor <-> Front-End
  - Actuator <-> Front-End
  - Front-End <-> PDA
  - PDA <-> WSB
  - [WSB <-> AppServer]
  - PDA <-> AppServer
  - [AppServer <-> Workstation]

Communication Protocols Security

Page 22 - Open Security Issues in the BAN (3/4)

MobiHealth System Components Functionality
  - Sensor
  - Actuator
  - Front-End
  - MBU (Mobile Base Unit)
  - [WSB (Wireless Service Broker)]
  - [AppServer]
  - [WorkStation]

MobiHealth System Components Security
  - Storage
  - Access

Page 23 - Open Security Issues in the BAN (4/4)

MobiHealth System Components Platform:
  - PDA
    - OS: Windows CE / Linux
  - Application Server
    - Hardware: PC / Workstation
    - OS: Windows 2000 / Linux
  - Workstation
    - Hardware: PC / Workstation
    - OS: Windows 2000 / Linux


Page 25 - BAN Architecture

Page 26 - General Security Threats

Security threats to electronic data in transmission or storage:
  - Interruption: Data transmission interrupted, or stored data deleted.
  - Interception: Data accessed and read during transmission or storage.
  - Modification: Data modified during transmission or storage.
  - Fabrication: Data created by a third party, supplanting the data originator.
  - Man in the middle: A third party inserted in the middle of the communication, supplanting the receiver from the sender's point of view and the sender from the receiver's point of view.

Page 27 - General Security Services

General security services to avoid security threats:
  - Confidentiality: Protects data so that it is (almost) impossible for a non-authorised user to interpret, in communication or storage.
  - Integrity: Protects data against unauthorised modification, insertion, reordering or destruction during communication or storage.
  - Authentication: Provides a way to corroborate the identity of the entities involved in data creation or communication.
  - Non Repudiation: Protects against unilateral or mutual data repudiation.
  - Access control: Protects system and resources against unauthorised use.

Page 28 - General Security Services and Threats

Security services for security threats protection:
  - Interruption: --
  - Interception: Confidentiality
  - Modification: Integrity, Authentication
  - Fabrication: Authentication
  - Man in the middle: Authentication

Threats addressed by security services:
  - Confidentiality: Interception
  - Integrity: Modification
  - Authentication: Fabrication, Man in the middle
  - Non Repudiation: --
  - Access control: --

Page 29 - General Security Mechanisms

  - Symmetrical key encryption: "Low" computing power
  - Asymmetrical key encryption: "High" computing power
    - Encryption with public key of receiver
    - Encryption with private key of sender
  - Signature: Asymmetrical key encryption of message hash with private key of sender. "Low" computing power
  - Combined: e.g. asymmetrical key encryption for interchange of the symmetrical key + symmetrical key encryption for data interchange.

Page 30 - General Security Services and Mechanisms

  - Confidentiality: Encryption. Symmetrical or asymmetrical. Symmetrical usually used.
  - Integrity: Signature or Encryption (Symmetrical or asymmetrical). Signature is better.
  - Authentication: Signature or Symmetrical Encryption with private sender key. Signature is better.
  - Non Repudiation: Signature. Single or mutual.
  - Access control: --

Page 31 - Communication layers

  - Layer 7: The application layer
  - Layer 6: The presentation layer
  - Layer 5: The session layer
  - Layer 4: The transport layer
  - Layer 3: The network layer
  - Layer 2: The data-link layer
  - Layer 1: The physical layer

Page 32 - Sensor <-> Front-End Security

In principle, no data encryption is foreseen, except in case Bluetooth is used for wireless.

Communications:
  - Wired: Maybe security is not really needed.
  - Wireless: Security may be required in the communication.
    - Bluetooth
    - Zigbee

Data encryption and/or authentication: Only in wireless communication?
  - Bluetooth

Page 33 - Front-End Security

Front-End stores data received from sensors. This data stored in the Front-End should be protected.

Data encryption and authentication:
  - SMIME
  - OpenSSL libraries

Page 34 - Front-End <-> PDA Security

It must be decided if security is really needed.

Communications:
  - Wired
  - Wireless: security is required.
    - Bluetooth
  - Flash memory

Data encryption and authentication: Could be required
  - Bluetooth
  - SMIME
  - OpenSSL libraries

Page 35 - PDA Security

The PDA should act as the communication component in the BAN, getting data from the Front-End and sending it securely through GPRS/UMTS to the AppServer.

Data encryption and authentication:
  - No data should be stored in the PDA.

User authentication: May be required for accessing PDA
  - Password
  - SIM-card
  - X.509 key

Page 36 - PDA <-> WSB Security

  - Communications:
    - GPRS/UMTS
    - WAP + WML
    - HTTP / HTTPS + HTML
  - User authentication: May be required.
    - SIM-card based?
  - Terminal authentication: May be required.
    - SIM-card
    - X.509 key
  - Data encryption and authentication:
    - GPRS/UMTS
    - Network layer security (e.g. IPsec) may be required.
    - Transport layer security (SSL/TLS, HTTPS) may be required.
    - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

Page 37 - PDA <-> AppServer Security

  - Should include some authentication and data encryption.
  - Communications:
    - TCP / IP (IPsec)
    - WAP + WML
    - HTTP / HTTPS + HTML
  - User Authentication: It should also include some user authentication.
    - SIM-card
    - X.509 key
  - Terminal authentication: Some terminal authentication may be required.
    - SIM-card
    - X.509 key
  - Data encryption and authentication:
    - Network layer security (e.g. IPsec) may be required.
    - Transport layer security (SSL/TLS, HTTPS) may be required.
    - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

Page 38 - WSB Security

No data should be stored in the WSB.

Data encryption and authentication:
  - No data should be stored in the PDA.

Page 39 - AppServer Security

Data stored should be encrypted to avoid interception.

Data encryption and authentication:
  - SMIME
  - OpenSSL libraries

User authentication: May be required for accessing the AppServer.
  - Password
  - SIM-card
  - X.509 key

Page 40 - Workstation Security

Data Storage:
  - No data should be stored in the Workstation.

User authentication: Some user authentication may be required for accessing the Workstation.
  - Password
  - SIM-card
  - X.509 key

Page 41 - WSB <-> AppServer Security

Communications:
  - TCP / IP (IPsec)
  - WAP + WML
  - HTTP / HTTPS + HTML

Data encryption and authentication:
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

Page 42 - AppServer <-> Workstation Security

Internal communication inside hospital or health centre.

Communications:
  - TCP / IP (IPsec)
  - WAP + WML
  - HTTP / HTTPS + HTML

Data encryption and authentication:
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

Page 43 - Communications security

Communication layers:
  - Data link layer (Bluetooth, GPRS, ...)
  - Network layer (IPsec, ...)
  - Application layer (SSL/TLS, ...)

Data link layer security for hop-to-hop protection, Application layer security for end-to-end protection.

Page 44 - MobiHealth Communication

  - Sensor <-> Front-End: Wired / Bluetooth / Zigbee
  - Actuator <-> Front-End: Wired / Bluetooth / Zigbee
  - Front-End <-> PDA: Bluetooth
  - PDA <-> WSB: GPRS / UMTS + [WAP + WML | HTTP / HTTPS + HTML]
  - WSB <-> AppServer: HTTP / HTTPS + HTML | WAP + WML
  - PDA <-> AppServer: HTTP / HTTPS + HTML | WAP + WML
  - AppServer <-> Workstation: HTML

Page 45 - Security services

  - Confidentiality / privacy
    - Data confidentiality
  - Authenticity / integrity
    - User authentication (password, smartcard, ...)
    - Terminal authentication (SIM, ...)
    - Application/server authentication (certificate, ...)