1. 1 Security Challenges of Location-Aware Mobile Business Emin Islam Tatlı, Dirk Stegemann Theoretical Computer Science, University of Mannheim February 2005

2. 2 Outline The Mobile Business Research Group Context- and Location-awareness Application Logic Framework Security Challenges Further Research

3. 3 Mobile Business Research Group Generic platform for location-based and context-based mobile business applications Joint project of 7 research groups at the University of Mannheim Cooperations with SAP AG, Walldorf CAS Software AG, Karlsruhe Web: http://www.m-business.uni-mannheim.de/http://www.m-business.uni-mannheim.de/

4. 4 Location and Context Context = any information that can be used to characterize the situation of an entity Examples: location, time, identity, level of mobility A Context-based application considers context when providing its service.

5. 5 Examples Find the nearest haircutter Display the special offers of nearby shops that sell men’s shirts Find a pizza delivery service that can deliver my favorite pizza for less than 8 EUR within 15 minutes to my current location Location-based Post-it

6. 6 Application Logic CONTEXT AWARE MOBILE BUSINESS SERVICES Request Dispatcher Service Registration Service Repository Mobile User Service Provider Service Provider Service Provider 1 - register 2- service query 3- service descriptions 4- service request 5- service result

7. 7 Research Areas Service-oriented software architectures Service discovery and service brokerage Wireless networks, localization, content-to-device adaption Data exchange formats, location-based ontologies User requirements and preferences Mobile solutions in supply chain management Security

8. 8 Security Challenges Anonymity Privacy of personal data Confidentiality of the communication Confidentiality of locally stored data Usability vs. security

9. 9 Anonymity Mobile users require to hide their real identity Anonymity ensures that a user may use a resource or service without disclosing the user's identity [1] Service providers require a unique representation of users (partial) Solution Pseudonymity Pseudonyms are faked names (e.g. nicknames)

10. 10 Unlinkability of Pseudonyms Linkability of pseudonyms may break anonymity „unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system“ [1] Mix-net [2] based solutions not flexible Future Research Analyzing existing protocols and enhancing them to satisfy m-business unlinkability

11. 11 Mix-net Mix: Computer between sender and receiver Decrypts messages and forwards to receiver SenderReceiverMix-net K M (R 1, K R (R 0,M), Addr_R) K R (R 0,M) Sender Receiver

12. 12 Privacy of Personal Data Service providers request different kinds of personal data (even only for profiling of users) Personal data is private, especially location Privacy is “the ability and/or right to protect your personal secrets” [4] Solution Identity Manager [5] P3P [6]

13. 13 Identity Manager Enables full control of personal data Presents an interface for creating different virtual IDs binding a subset of personal data to each ID During communication with a service provider, the user chooses a suitable ID for this particular type of communication Before any personal data is sent to a service provider, the user is asked to allow this transmission

14. 14 Identity Manager (cont.) quoted from http://tserv.iig.uni-freiburg.de/telematik/forschung/projekte/kom_technik/atus/idm-demo/

15. 15 Confidentiality of the Communication Communication messages contain sensitive information e.g. personal data, credit card numbers, location, queries of users results from broker registration data of providers Any mobile device can receive data transmitted over air Confidentiality ensures that unauthorized disclosure of personal data is not possible Solution End-to-end security (e.g. SSL-based protocol) Future research How to avoid SSL-handshake delay

16. 16 Confidentiality of Locally Stored Data Thefts are very common in the mobile world User’s local data (e.g. profiles, passwords, private keys, etc.) should be protected from unauthorized disclosure Solution Two-factor authentication Password-based encryption

17. 17 Usability vs. Security Trade-off usability and security: users prefer usability weak, easily-guessable passwords digital certificates Different sensitivity of users for security Enhance usability and security according to personal needs Solution Dynamically configurable security policy management system

18. 18 Usability vs. Security (cont.) Components of a dynamically configurable security policy management system Password Manager Single-Sign-On Security Level Manager Identity Manager

19. 19 Research Focus Design an open security architecture which can easily be integrated within the m-business application framework

20. 20 Remarks Workshop 22.03.2005 - Public Workshop on Mobile Business organized by the University of MannheimWorkshop on Mobile Business Mobile Business: Geschäftsfelder und Softwaretechnologien More Information: http://www.m-business.uni- mannheim.de/workshopMBusiness/mBusinessWorkshop.htm http://www.m-business.uni- mannheim.de/workshopMBusiness/mBusinessWorkshop.htm Hiwi Jobs, Studien-, Bachelor- and Diplomarbeiten: Emin Islam Tatlı A5,6 B105 – tatli@th.informatik.uni-mannheim.detatli@th.informatik.uni-mannheim.de Dirk Stegemann A5,6 B125 – stegemann@th.informatik.uni-mannheim.destegemann@th.informatik.uni-mannheim.de... and co-workers in the project

21. 21 References [1]ISO99 ISO IS 15408, 1999, http://www.commoncriteria.org. [2]D. Chaum. Untraceable Electronic Mail, Return Ad- dresses, and Digital Pseudonyms. Communications of the ACM, 1981. [3]D. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Receipient Untraceability. Journal of Cryptography, 1988. [4]Anderson R., Security Engineering, Wiley Computer Publishing, 2001. [5]U. Jendricke, D. Gerd tom Markotten, Usability meets security - the Identity-Manager as your personal security assistant for the Internet, Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), p.344, December 11-15, 2000. [6]W3C, P3P (Platform for Privacy Preferences Initiative), http://www.w3.org/P3P/. [7]OpenCA Research \& Development Labs, www.openca.org. [8]eTrust Pki, http://www3.ca.com/Solutions/Product.asp?ID=2623. [9]Netscape Certificate Management System, http://enterprise.netscape.com/products/identsvcs/certmgmt.html. [10]Raheem Beyah, Shantanu Kangude, George Yu, Brian Strickland, and John Copeland. ``Rogue Access Point Detection using Temporal Traffic Characteristics.'' Appeared in the Proceedings of IEEE GLOBECOM 2004, December 2004. [11]Preventing Internet Denial-of-Service using Capabilities, Tom Anderson, Timothy Roscoe and David Wetherall. Proceedings of the Second Workshop on Hot Topics in Networking (HotNets-II), Cambridge, MA, USA, November 19-20, 2003.

22. 22 Security Challenges of Location-Aware Mobile Business Emin Islam Tatlı, Dirk Stegemann Theoretical Computer Science, University of Mannheim February 2005 Thank you for your attention !