Kaj J. Grahn
Arcada University of Applied Sciences
Publication
Featured research published by Kaj J. Grahn.
Issues in Informing Science and Information Technology | 2009
Martin Ehmke; Harri Forsgren; Kaj J. Grahn; Jonny Karlsson; Timo Karvi; Göran Pulkkis
Control signaling messages in Mobile IPv6 are mainly used to inform the home agent (HA) and the correspondent node (CN) about the mobile node’s (MN’s) new address when its network attachment point is changed. In order to prevent various security attacks, these messages must be protected. In the current standard, the control signaling messages between a HA and a MN are authenticated using IPSec, often with IKEv2 and X.509 certificates. Control signaling messages between a MN and a CN are currently protected by an effective but insecure protocol, known as Return Routability. Using IBE (Identity-Based Encryption) for authenticating control signaling messages requires more processing power, but significant security enhancements are achieved. The current protocols for protecting control signaling messages are outlined in this paper. Proposed approaches for implementing IBE authentication between a MN and a HA as well as between a MN and a CN are presented. Environments where the MN and the CN use the same Public Key Generator (PKG) as well as environments where they use different PKGs are taken into account. Finally, the performance of some proposed signaling protocols is estimated. An overview of IBE is given and the elements and operations needed to set up an IBE infrastructure are described in an appendix.
Computer and Information Technology | 2010
Harri Forsgren; Kaj J. Grahn; Timo Karvi; Göran Pulkkis
Host Identity Protocol (HIP) gives cryptographically verifiable identities to hosts. These identities are based on public key cryptography and consist of public and private keys. Public keys can be stored, together with corresponding IP addresses, in DNS servers. When entities are negotiating a HIP connection, messages are signed with private keys and verified with public keys. Even if this system is quite secure, there are some vulnerabilities concerning the authenticity of public keys. We examine various possibilities to derive trust in public parameters. These are DNSSEC, public key certificates (PKI), identity based cryptography (IBE) and certificate-less public key cryptography (CL-PKC). Both IBE and CL-PKC seem to offer better properties than DNSSEC and PKI, but experimental evaluation is needed before we can draw final conclusions.
InSITE 2014: Informing Science + IT Education Conference | 2014
Kaj J. Grahn; Thomas Forss; Göran Pulkkis
There are many kinds of systems developed for anonymous communication on the Internet. We survey a number of systems and evaluate their security. Among these systems we compare functionalities like Onion Routing, anonymous VPN services, probabilistic anonymity, and deterministic anonymity. Other types of anonymous communication such as messaging, peer-to-peer communication, web use, emailing, and use of other Internet applications are also presented. We follow up by presenting different types of attacks with the purpose of identifying anonymously communicating users. These attacks fall into the following categories: internal/external attacks, passive/active attacks, and static/adaptive attacks. We describe the following attacks as well as known protections against them: predecessor attacks, intersection attacks, timing attacks, and Sybil attacks. Lastly we discuss design choices, operation, and security of the current TOR network – The 2G Onion Router. Access control methods to restrict malicious use of TOR are also proposed. In the conclusions, the significance of anonymous communication is outlined.
Archive | 2017
Kaj J. Grahn; Magnus Westerlund; Göran Pulkkis
IT operations produce data such as log files, events, packets, configuration data, etc. Security attacks, for example an intrusion, can be detected and mitigated by analyzing the collected data and finding abnormal patterns in it. Intelligent and effective algorithms are needed for analyzing the massive amount of unstructured data created within computing networks. This has motivated research on and development of information analytics tools, solutions, and services for network security.
Issues in Informing Science and Information Technology | 2007
Laura Bergström; Kaj J. Grahn; Jonny Karlsson; Göran Pulkkis
Introduction

Wireless communication technologies provide significant advantages compared to wired technologies. Wireless networks eliminate the need for network cables since wireless radio interfaces are accessed over the air. Wireless networks also provide support for mobility, which means that a moving device can remain network connected also while the network access point changes and even when the access network type changes. The evolution of wireless technologies and mobility management schemes is currently advancing rapidly. Existing networking services can be offered on mobile communication platforms, and the availability of mobile communication platforms also makes new network service types possible (Pagani, 2005). Wireless and mobile networking is thus an important and highly relevant topic for IT education in universities and polytechnics. Arcada Polytechnic offers IT engineering education on Mobile and Wireless Communication Systems also in an e-learning environment.

Course Content

The course content consists of three structured sections: Generic Wireless Technology, Wireless Technology Types, and Mobility Management. These sections can be found in a navigational menu on the course portal. In the menu there are also links to the course index, all the exercises and the weekly topics.

Generic Wireless Technology Section

The general protocol architecture for mobile networking is outlined. Radio interfaces in wireless networking are described. Quality of Service (QoS) of a network and QoS management are characterized. Modulation and access methods are described.

Wireless Technology Type Section

Wireless communication technologies are described according to the following taxonomy (see Appendix for list of abbreviations):

* Wireless Cellular Network Technologies
  * GSM evolution based technologies
    * 2G (GSM, HSCSD, GPRS, EDGE, EDGE Evolution)
    * 3G (UMTS, HSDPA, HSUPA, HSPA+, SAE/LTE)
    * 4G
  * Other wireless cellular network technologies
    * MBWA
    * Flash OFDM
* Wireless Network Technologies Classified By Coverage Range
  * Wireless PAN Technologies
    * IrDA
    * UWB
    * RFID
    * Bluetooth
    * Wibree
    * Zigbee
  * Wireless LAN Technologies
    * WLAN
  * Wireless MAN Technologies
    * WiMAX
    * Wireless ATM
  * Wireless WAN Technologies
    * Satellite Communication
    * GPS

Each wireless communication technology is described by:

* An Introduction
* Underlying Standards
* System Architecture
* Radio Interface and Modulation
* Protocol Architecture
* Quality of Service (QoS) Issues
* Security

Mobility Management Section

Networking mobility types are terminal mobility, application mobility, and identity mobility. Terminal mobility or node mobility means that a terminal or network node moves to another location or to another network domain with preserved network connectivity. Application mobility means that a software process moves to another host node. Software agent technologies are typical implementations of application mobility. Identity mobility means that an identity defined as a name, a number, or a cryptographic key moves to another location or to another computer (Candolin, 2005). In this section only the case of terminal mobility or node mobility will be considered.

A mobility management scheme for node mobility must solve the following problems:

* the node location problem, to find the current point of network attachment
* data transfer to and from the current node location
* continuation of data transfer after the node or the network has moved
* controlled disconnection of a node from the network
* performance optimization, for example minimization of the network load of a mobility management scheme.

…
Issues in Informing Science and Information Technology | 2006
Laura Bergström; Kaj J. Grahn; Göran Pulkkis
This paper presents a virtual learning environment for Mobile IP (Internet Protocol). The learning environment has been produced in a production circle of Virtual Polytechnic of Finland. Protocols and mechanisms for secure mobility in the Internet are surveyed. A detailed description of the development of the learning environment and the content of the Mobile IP animation is given. The chosen didactical approach and the graphical design of the learning platform are presented and motivated. The IT technology and the IT infrastructure needed to implement and use the learning platform are also described and assessed.
2002 Informing Science + IT Education Conference | 2002
Kaj J. Grahn; Göran Pulkkis; Jean-Sebastien Guillard
This paper gives a topical overview of wireless network security aspects. Security measures taken depend on the different protocols, standards, techniques and systems available. A brief introduction to security protocols, standards and corresponding technologies is given. The essay will concentrate on 2G, 2.5G, 3G and wireless local area networks. Standards, like WAP, IEEE 802.11, HomeRF, HIPERLAN/2, IPSec and Bluetooth, are included. A local area network, MediaPoli, has been implemented to work as a testbed for new innovations, products and services. The development environment is based on this high-capacity wired/wireless broadband network. Key research areas, actual projects and offered services are discussed. All activities aim at the future information society.
Conference on the Future of the Internet | 2009
Göran Pulkkis; Kaj J. Grahn; Mathias Mårtens; Jonny Mattsson
Mobile Virtual Private Networking (VPN) solutions based on the Internet Security Protocol (IPSec), Transport Layer Security/Secure Socket Layer (SSL/TLS), Secure Shell (SSH), 3G/GPRS cellular networks, Mobile IP, and the presently experimental Host Identity Protocol (HIP) are described, compared and evaluated. Mobile VPN solutions based on HIP are recommended for future networking because of superior processing efficiency and network capacity demand features. Mobile VPN implementation issues associated with the IP protocol versions IPv4 and IPv6 are also evaluated. Mobile VPN implementation experiences are presented and discussed.
Issues in Informing Science and Information Technology | 2005
Kaj J. Grahn; Christian Dickert; Frank Schneider; Göran Pulkkis
Introduction

Bluetooth is a low cost, low power and short range radio technology based on open standards. It supports both voice and data services, i.e. a combination of circuit and packet switching is used. Bluetooth is likely to be one of the most popular technologies for wireless personal area networks (PANs) (Bray & Sturman, 2001). A number of vendors supply Bluetooth application development kits. These kits consist of a Bluetooth module connected to a computer, proper software, and monitoring and debugging tools. Application Programming Interfaces (APIs) are used during the development work. APIs provide function calls that allow the application developer to access any protocol layer functionality. The paper describes a Bluetooth project carried out by students in Arcada (Arcada, 2005). The details of Bluetooth application development are described by the design of two Bluetooth applications for measurement data logging.

Application Architecture

The objective is to implement measurement data logging using Bluetooth technology. A user with a notebook PC or a PDA can receive measurement data from a Bluetooth enabled sensor system without any cable connection. Application areas are:

* Industrial applications to record temporary data
* Car industry to monitor wheel pressure
* System engineering to monitor the actual state of an electrical installation
* Technical service to check and program a system

Two applications have been designed, built and tested:

1. An alarm system, i.e. Digital Port Request System, to monitor alarm sensors and warning systems on a mobile device. With appropriate software it is possible to immediately locate an alarming sensor.
2. A temperature and voltage measurement system, which transfers temperature and voltage values.

The architecture of both applications consists of 3 functional blocks (see Figure 1):

* Recording analogue measurement data on a control unit
* Receiving data from the control unit to a Bluetooth enabled system
* Transferring data via a Bluetooth connection from the system to the user equipment

[FIGURE 1 OMITTED]

The functionality of the measurement data logging system is implemented by software modules written in C and C-BASIC code. The data communication of the Bluetooth connection is created by a C programmed client/server socket application.

Technological Design

The following technology is used to realize the Bluetooth data logging architecture:

* Two BlueGiga WRAP 2151 Starter Kits (BlueGiga Technologies, 2003)
* Two C-control Plus Starter Sets (CONRAD, 2004)
* One PC for Bluetooth with Linux operating system
* One Notebook PC to receive and visualize data with Windows XP operating system
* One Bluetooth supported Palm m515 Handheld (Palm, 2004)
* One Bluetooth USB dongle (WIDCOMM, 2004)
* Sensors: AD592 transducer (temperature), C-control + batteries (voltage), C-control + switchboard (alarm system)
* LabView 7.0 software (University of Toronto, 2004)
* Laboratory facilities

A WRAP Starter Kit receives and records the measurement data through the RS-232 interface from the C-control unit. Then asynchronous transmission over the PPP/RFCOMM Bluetooth connection to the user equipment, notebook PC or handheld PDA, occurs. On the notebook PC data is displayed by means of a customized LabView application. Correspondingly, on the handheld PDA data is received and displayed by using a server application.

Development Kit

The WRAP 2151 Starter Kit is a turnkey evaluation and development environment based on BlueGiga's WRAP™ MicroServer Technology (BlueGiga Technologies, 2004). In optimal conditions the working range is 30 m and the ordinary range is 10 m.

The Starter Kit supports:

* Fully embedded Bluetooth protocol stack: Baseband, L2CAP, RFCOMM, SDP, Point-to-point and Point-to-multipoint.

…
International Journal of Dependable and Trustworthy Information Systems | 2011
Amir K.C; Harri Forsgren; Kaj J. Grahn; Timo Karvi; Göran Pulkkis
Host Identity Protocol (HIP) gives cryptographically verifiable identities to hosts. These identities are based on public key cryptography and consist of public and private keys. Public keys can be stored, together with corresponding IP addresses, in DNS servers. When entities are negotiating a HIP connection, messages are signed with private keys and verified with public keys. Even if this system is quite secure, there is some vulnerability concerning the authenticity of public keys. The authors examine some possibilities to derive trust in public parameters. These are DNSSEC and public key certificates (PKI). In particular, the authors examine how to implement certificate handling and what the time complexity of using and verifying certificates in the HIP Base Exchange is. It turned out that certificates delayed the HIP Base Exchange by only some milliseconds compared to the case where certificates are not used. In the latter part of the article the authors analyze four proposed HIP multicast models and how they could use certificates. The models differ in how many times the Base Exchange is performed and to what extent existing HIP specification standards must be modified.
Security and Trust of Public Key Cryptography for HIP and HIP Multicast