Sg-whitespace-09/0026r04 Submission January 2009 Slide 1 Security Ad-Hoc Report Draft Date:...
-
Upload
lester-rice -
Category
Documents
-
view
213 -
download
0
Transcript of Sg-whitespace-09/0026r04 Submission January 2009 Slide 1 Security Ad-Hoc Report Draft Date:...
sg-whitespace-09/0026r04
Submission
January 2009
Slide 1
Security Ad-Hoc Report DraftDate: 2009-02-04
Name Affiliations Address Phone email Alex Reznik InterDigital 781, 3rd Ave.
King of Prussia, PA 19406, USA
610-878-5784 [email protected]
Ranga Reddy US Army [email protected]
Michael Williams
Nokia 650-823-0165 [email protected]
Richard Paine Self [email protected]
Authors:
Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• This presentation summarizes the recommendations of the security ad-hoc group.
• Currently a draft. Aimed to become part of a recommendation to the EC as well as provide starting point for the tutorial
• Abstract to be removed/modified as needed.
Abstract
January 2009
Slide 2 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• Within the context of white spaces, security design needs to focus on two goals:
– Primary goal: Protection of incumbents– Secondary goal: Protection of secondary users
• The number of issues and technologies is larger than with protection of incumbents• Requires a comprehensive approach
• General Approach to Security– This bullet is subject to addition of information on the end-to-end slides and
approval by the group– The ad-hoc recommends that an end-to-end security design approach be used
in developing security aspects of white space technologies– Within 802 this means a focus on the following
• The interfaces required for support of higher-level security technologies, such as data/application security, secure identity protocols, device security, etc.
• Support of security technologies as discussed below
Security Goals and General Approach
January 2009
Slide 3 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• Illegal Use of Spectrum– Causing harmful interference to incumbents
• Denial of Service between Secondary Users– Threats to coexistence protocols between secondary devices
• e.g. Stealing/hogging spectrum
• Unauthorized disclosure or modification of “sensitive user/location” information– Disclosure of user location– Modification of database info
• “Sensitive user/location” information is not correct– Registered incumbent or secondary user location– Database info poisoning
• Sensitive user/location information may include– User location information– User identity– Database registration/authentication parameters– Sensor measurements reported to the database by user– Interference report from the database– Etc.
Threat Analysis: High Level Threats
January 2009
Slide 4 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
Threat AnalysisMapping Use Cases to Threats – Master Devices
January 2009
Slide 5
Use Cases/Threats
4W Fixed
4W-4W fed by 100mW
4W-100 mW
100 mW(Registered Master)
100 mW(Un -registered Master)
50 mW (Sensing Only)
≤ 40 mW
Illegal Use of Spectrum X X X X X XDoS between Secondary Users
X X X X X X XDisclosure/Modification of “Relevant“ Info
X X X X X
“Relevant” Info Not correct
X X X
Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
Threat AnalysisMapping Use Cases to Threats – Client Devices
January 2009
Slide 6
Use Cases/Threats
4W Fixed
4W-4W fed by 100mW
4W-100 mW
100 mW(Registered Master)
100 mW(Un -registered Master)
50 mW (Sensing Only)
≤ 40 mW
Illegal Use of Spectrum X X XDoS between Secondary Users
X X X X X X XDisclosure/Modification of “Relevant“ Info
X X X X X
“Relevant” Info Not correct
X X X
Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• For the “50mW (Sensing Only)” and “≤ 40mW” the Disclosure/Modification of Relevant Info & Relevant Info Not Correct threats, are not applicable as those devices will not make use of the database.
• The “≤ 40mW” use case is not affected by the Illegal Use of Spectrum threat due to low power. Devices can operate in adjacent channels.
• Client devices cannot pose the Illegal Use of Spectrum threat in some use cases because the master chooses the spectrum, polls the database, and bears the responsibility for violation. The exception is when the master device is unregistered.– Given that registration for the lower power devices is not required. This also
may be applicable for lower power networks operating in a mesh or peer to peer topology, where every device would be considered a master.
Threat Analysis: CaveatsJanuary 2009
Slide 7 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• Further Work– Present recommendation represents the best that could be accomplished with a limited time-span of this SG– The contributor and other security ad-hoc participant recognize the need for a much more detailed analysis resulting in
• A detailed use-case based threat analysis• Detailed recommendation for addressing identified threats
– 802 should plan to further pursue this topic either in a separate SG or as part of other whitespace activities
• Device Security– Key requirement for protection of incumbents
• Ensures that devices cannot be modified to “break the rules”– Potentially required to pass FCC certification– 802 may need to provide support of proper device security techniques. Some potential example are:
• Measurement and signaling required to verify that the device is operating according to applicable specifications and policies• Ability to affect device operations (e.g. disable transmissions) should device be found to be in violation of such policies • See Slide 9 for further details
• Low-Layer Security– Support of low-layer techniques by 802 is recommended to address the following
• Incumbent classification / identification• identification of malicious and negligent impersonators• Protection of coexistence signaling
– It is recommended that the WGs coordinate their efforts in this area
• Sensor and location measurement security– Support by 802 of techniques that secure and attest sensing and location measurements is recommended
• Protection of database information– Protection of database information on the device and its transmission over the air interface links is recommended and
appropriate techniques should be supported by 802
Ad-Hoc Recommendations
January 2009
Slide 8 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
• Compliance attestation : an important piece in the cognitive radio puzzle
– Provides the most effective mechanism for ensuring that a radio is following the required specifications
– May be required to demonstrate regulatory compliance
– In particular, MAC and PHY (and perhaps even the RF) must be attested to
• The trend, especially in the area of “cognitive radios,” is toward implementations which are highly configurable.
• Code attestation is not sufficient to ensure compliance – Compliance must be attested over all possible
configurations
– The state space may be too large for full code-based attestations
• Limited attestation can address this problem however – May be defined within RF/PHY/MAC or external to it
– Must have the ability to monitor operation of the un-trusted entity for policy compliance
– Must have the ability to limit operation when non-compliance observed
– At a minimum, interfaces that enable monitor/limitation of operation must be defined and supported
Device Security and Configurable Radio
January 2009
Network and above T
CM
Certify Compliance
PHY
MAC
RF
PHY
MAC
RF
Un-trusted Trusted
Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
Slide 9
sg-whitespace-09/0026r04
Submission
• Potential requirements– Support of mechanisms to prevent tracking of changes in location
of a mobile device based on information sent in database queries.
– Support of mechanisms to prevent long term tracking of a mobile device’s location based on it's transmissions.
• Mapping this to existing mechanisms within 802
• Mapping this to recommended additional mechanisms
Location Privacy: a full System-Picture View
January 2009
Slide 10 Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
End-to-End Secure Comm.January 2009
Slide 11
802.1x,etc.
Modem
OSI-Internetworking
Modem
OSI-Internetworking
IPSec, HIP, SMA, etc.
Physical Channel
Media Media
802.1x, etc.
802 Interface to the “outside world”
IETF’s SecureDataStore and Schema (MAP)
IETF’s SecureDataStore and Schema (MAP)
OSI-Session
Application
OSI-Session
ApplicationApplication-Secured Payload
SSL, TLS, etc.
FCC SecureWS DataStore
FCC SecureWS DataStore
TOG’s SMA Secure Datastore and SchemaTOG’s SMA Secure Datastore and Schema
SMA PKI DatastorePeople/Machines
SMA PKI DatastorePeople/Machines
Alex Reznik, InterDigital; Ranga Reddy, US Army;Michael Williams, Nokia, Richard Paine
sg-whitespace-09/0026r04
Submission
Vulnerabilities Associated with Location
January 2009
Slide 12
Modem = 802.xx PHY+MAC
OSI-netwk.: IP+TCP
Physical Channel
Media
802.1x, etc.
OSI-Session: HTTP
Application:Spectrum
Client/Server
FCC SecureWS DataStore
SMA PKI DatastorePeople/Machines
Vulnerabilities: server address spoofing.
Vulnerabilities: tracking of location via IP address tracking
Vulnerabilities: tracking of location via MAC ID
General Comments:• Location privacy can be compromised at every interface• Device/user tracking can be done through tracking of MAC IDs, IP addresses, HTTP sessions, etc.• A comprehensive solution to location privacy and anonymization is requiredAlex Reznik, InterDigital; Ranga Reddy, US Army;
Michael Williams, Nokia, Richard Paine