towards a unified framework for mobile device security
play

Towards a Unified Framework for Mobile Device Security Wayne A. - PowerPoint PPT Presentation

Jun 06, 2023 •272 likes •478 views

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* Inexpensive, ubiquitous, wireless, networked,

  1. Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST

  2. Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* • Inexpensive, ubiquitous, wireless, networked, expandable • Increasingly hold sensitive information or the means to access sensitive information • At the fringe of corporate influence and control • Physical security exposure to theft or loss • Limited computing power, display size, battery life • Intermittent connectivity • Many devices per user • Many operating systems – Palm OS, Pocket PC, Linux • Users unaware of security implications • Lack of adequate security mechanisms *Commercial products and trade names are identified in this presentation to illustrate technical concepts; it does not imply recommendation or Mobile Security Project endorsement by NIST

  3. Security Enhancements User Authentication Framework Components Content Policy Controls Encryption Network Authentication Firewall/IDS Anti-Virus VPN Mobile Security Project

  4. Framew ork Components • Piecemeal add-on security solutions often present problems in software integration, usability, and administration. • As an alternative, we have developed a unified framework that incorporates the following core security components: – User Authentication – Strong user authentication is the first line of defense for an unattended, lost, or stolen device. Multiple modes of authentication increase the work factor for an attacker; however, very few devices support more than one mode, usually password-based authentication – Content Encryption – With sufficient time and effort an authentication mechanism can be compromised. Content encryption is the second line of defense for protecting sensitive information – Policy Controls – When a device is active, various attacks can occur. Policy rules, enforced for all programs regardless of associated privileges, protect critical components from modification and limit access to security-related information Mobile Security Project

  5. Framew ork Schema Multi-mode Content Policy Controls Authentication Encryption • Required Effective Cryptographic • Authentication Policy Repository • Zero or Level 3 Policy C Yes/No More Zero or Policy B Yes/No Level 2 More Zero or Yes/No Policy A Level 1 More M i n None – default at Most Unavailable Level 0 power on and boot Restrictive up Mobile Security Project

  6. Example Configuration Required Effective Cryptographic Authentication Policy Repository All PIMS & wireless Token with socket Available L2 - Medium restrictions All PIMS, but no Password Unavailable L1 - Low communications None – default at Most Unavailable L0 - Locked power on and boot Restrictive up Mobile Security Project

  7. Example Configuration (cont.) Required Effective Cryptographic Authentication Policy Repository All PIMS with no L3 - High Token wireless socket Unavailable restrictions All PIMS & wireless None – user Available L2 - Medium with socket choice restrictions A few basic PIMS, Password, Available L1 - Low IrDA, Bluetooth Biometric None – default at Most Unavailable L0 - Locked power on and boot Restrictive up Mobile Security Project

  8. Conceptual Operation 1 p Delay Auto Auto/Man Fail Tran 1 Tran 3 1A 3 p Auto/Man Delay Pass Tran 3 Fail Fail 1B 3A Power Man Tran 2 Pass Pass On 0 1 p 3 p 1 2 3 Man Tran 1 Auto/Man Tran 2 Man Tran 0 Man Tran 1 Man Tran 0 Conventions: Man Tran 0 # -- echelon level # # p – pre-handler for level # # p – post-handler for level # Mobile Security Project # α – authentication mechanism α at level #

  9. Level Selector • An echelon selector GUI is used to navigate among echelon levels as needed • The buttons at the center are used to change levels • A change in level may trigger the execution of one or more authentication modules • The button for the current echelon level is highlighted • A slider at the left sets the maximum level to which the device can transition automatically • An icon is used to display the current echelon level and launch the Level Selector Mobile Security Project

  10. Authentication Modules • We are developing authentication modules for the framework that include visual authentication and novel forms of smart cards • The traditional means for user authentication is an alphanumeric password, but a number of drawbacks exist for handheld devices, such as the lack of a full keyboard • Moreover, translating existing desktop solutions to handheld devices can be problematic: – Obstacles include computational speed, network connectivity, battery capacity, and supported hardware interfaces – Any inconvenience due to a cumbersome peripheral attachment, lengthy authentication process, or error-prone interaction discourages use – Handheld devices have features (e.g., power-on/off behavior) that need addressing Mobile Security Project

  11. Picture Passw ord • During enrollment, the user selects a sequence of images, which must be entered for any subsequent login attempt • The software supports several different themes and user-defined images/themes • Two selection methods are provided: single (single tap) and paired (tap-and-hold, tap) • The password generated from the image sequence is used to authenticate the user • Reenrolling the same image sequence results in a different password value • Shuffling images between authentications is an option Mobile Security Project

  12. Smart MultiMedia Card • The mechanism relies on a smart card chip packaged in a multimedia card format • The authentication mechanism adjusts the echelon level on insertion or removal of a valid card and entry of its PIN • In addition to its smart card capabilities, the card functions as a memory device • This technology eliminates the need for an expansion sleeve, smart card reader, and full sized smart card that would otherwise be needed Mobile Security Project

  13. Proximity Token • Instead of bringing a token into physical contact with a PDA, LED Indicators use a short distance wireless interface • A challenge-response protocol Power periodically verifies the Switch presence of the device • If verification or communications between the token and the device fail, the PDA shuts down Conceptual Illustration of the • The proximity token has its Solution in a Key Fob own battery and been Form Factor prototyped using both Bluetooth and near-field magnetic communications Mobile Security Project

  14. Bluetooth Smart Card • Rather than bringing a smart LED Indicators card into physical contact with a PDA, use a wireless interface instead LCD • Bluetooth is present on most Screen Power handheld devices – no Switch specialized smart card reader 0 1 2 3 is needed by the PDA or Control 4 5 6 7 another computer Keys • Unlike wireless smart cards, C 8 9 E which draw power directly from the PDA, the Bluetooth smart card token has its own Conceptual Illustration of the battery Solution in a Key Fob Form Factor • The device also houses a smart card and Bluetooth radio – it could be a cell phone Mobile Security Project

  15. Implementation Authentication Level Opie Information Selector Picture UI Plug-in Password Socket Handler 1 Picture Socket Multiplexer Password UI Other Handler 3 Other UI • • • User Space Kernel Space Policy Enforcement Linux Kernel Power on Event Multi-Mode Authentication Secure Repository Mobile Security Project

  16. Policy Expression • Policy is represented by a set of policy entries • The policy language follows a grant-style specification by which all actions are denied unless enabled by a policy entry • Policy entries are a triple of action , source , and target values – Action refers to operations performed at the PDA, such as enabling an interface or accessing a file – Source refers to objects (resources or services) on the PDA, such as interfaces for PC cards, the serial port, or connections via Bluetooth, 802.11, etc. – Target refers to external points of interface or reference needed to complete the semantics of the operation – Web access example: action="socket" source="out:inet:*:129.6.0.0/16:80" target="*" Mobile Security Project

  17. Policy Representation • X.509-formatted certificate: Version Owner Issuer Issuer Signature Signature Algorithm ID Represented Certificate Serial Number In XML Validity Period PDA Policy Attributes Rules Issuer Unique ID Extensions <policyEntry action="socket" source="out:inet:*:129.6.0.0/16:80" target="*" /> Mobile Security Project

  18. Framew ork Recap • Generic multi-policy level framework for centrally assigning and administering security policies on handheld devices – Externally represented security policy, with an extensible policy language and format – Multi-mode authentication and content encryption at any policy level – Policies can be conveyed within certificates and handled as part of a policy management infrastructure – Simple policy perspective for users – Easy to navigate among echelon levels – Several suitable authentication mechanisms including visual login and novel forms of smart cards Mobile Security Project

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
CS 563 Mobile OS &amp; Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS &amp; Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS &amp; Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

807 views • 52 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown &amp; Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management (MDM) An MDM solution control to deploy, monitor, and manage devices Basic F c Fea eatures in ScreenGuide de [Parent] Configure daily Screen Time

144 views • 12 slides
Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape

Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape

Ministry of Science, People First, Performance Now Technology and Innovation Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape Ramaguru Ramasubbu and Rahul Moondra 7 th November 2012 h Ministry of

404 views • 37 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC (August 2006) Srivaths Ravi (Email: sravi@nec- labs. com) NEC Laboratories America Princeton, NJ Security Requirements of Mobile Appliances

159 views • 12 slides
A Unified Framework for the A Unified Framework for the Consumer-Grade Image Pipeline

A Unified Framework for the A Unified Framework for the Consumer-Grade Image Pipeline

Multimedia &amp; Mathematics July 23-28, 2005 Banff, Alberta A Unified Framework for the A Unified Framework for the Consumer-Grade Image Pipeline Consumer-Grade Image Pipeline

672 views • 27 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO

Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO

Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO michael@lacoon.com Daniel Brodie, Sr Security Researcher daniel@lacoon.com About: Daniel Security researcher for nearly a decade From PC to Mobile

693 views • 54 slides
MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered

MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered

MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered with special type of glass on top User interact directly on the glass Interaction through finger or stylus HAPTIC FEEDBACK Touch

294 views • 17 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li,

Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li,

Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li, Ting Li, Xinghua Shi and Yu Wang College of Computing and Informatics University of North Carolina at Charlotte May 17 , 2016 @ The First

566 views • 39 slides
The Windows Hello for Business: Protocol Level Deep Dive Obaid Farooqi Sr. Escalation Engineer

The Windows Hello for Business: Protocol Level Deep Dive Obaid Farooqi Sr. Escalation Engineer

The Windows Hello for Business: Protocol Level Deep Dive Obaid Farooqi Sr. Escalation Engineer Microsoft Introduction } Obaid Farooqi } Microsoft } Sr. Escalation Engineer in Developer Support: Protocols Team } Support Developers implementing

2.45k views • 22 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal

Authentication in Distributed Systems Austen Barker Access Control Operation Object principal Reference monitor Challenges of a distributed system Autonomy : Path from principal to an object may be long and convoluted. Size : Usually much

304 views • 29 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA

HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA

HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA Authentication Authorization Federation GRAPHQL SUMMIT 2020 AUTH AUTHENTICATION AUTHORIZATION YOU ARE WHO YOU SAY YOU ARE YOU CAN DO WHAT YOU WANT

347 views • 23 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut

1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut

1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut Coskun, Koc University, Istanbul, Turkey User Perceptions of Security and Usability of Mobile-based SPA and 2FA 9/26/19 Introduction Two

585 views • 31 slides
Zero-Interaction Authentication Mark Corner, Brian Noble University of Michigan Presented by

Zero-Interaction Authentication Mark Corner, Brian Noble University of Michigan Presented by

Zero-Interaction Authentication Mark Corner, Brian Noble University of Michigan Presented by Martin Meyer Overview Introduction Design of System Encryption Model Authentication Token File Ownership Departure and Return

580 views • 42 slides

More recommend