
Mobile and Wireless Security INF245 Guest lecture 17.10.2007 by Bjorn Jager

Molde University College. Mobile and Wireless Security INF245 Guest lecture 17.10.2007 by Bjorn Jager. Overview of lecture. Literature: Wireless and Mobile Security (Ch 6 Mallic) VPN portals http://forskningsnett.uninett.no/wlan/vpn.html


Presentation Transcript


  1. Molde University College: Mobile and Wireless Security INF245. Guest lecture 17.10.2007 by Bjorn Jager

  2. Overview of lecture
     Literature:
     • Wireless and Mobile Security (Ch 6 Mallic)
     • VPN portals http://forskningsnett.uninett.no/wlan/vpn.html
     • Background – for further study: See on-line references for info on 802.11 security: http://www.drizzle.com/~aboba/IEEE/

  3. Overview of lecture
     • What are you afraid of?
     • Security is:
     • Security Threats:
     • Security Technologies
     • Products and Standards

  4. 1. What are you afraid of?
     Brainstorming session with the students. Relate to data traffic in wireless and mobile environments, and to voice using mobile phones.
     Some examples:
     • In Norwegian, 5.9.07: "Mobilen hører alt" ("The mobile phone hears everything") http://pub.tv2.no/nettavisen/it/article1318955.ece
     • http://www.nrk.no/programmer/tv/schrodingers_katt/1.3340261
     • MMS Flooding (PocketPC can use WAPPush)

  5. 2. Security is:
     • Confidentiality
     • Integrity
     • Authentication
     • Nonrepudiation

  6. 3. Security Threats:
     • Exposure: Sniffing, theft
         • Violates Confidentiality
     • Tampering: change or delete
         • Violates Integrity
     • Spoofing, Exposure
         • Violates Authentication
     • Repudiation
         • Violates Non-Repudiation
     NOTE: Be careful to distinguish between the threat you are afraid of and the reason for the threat! E.g. you may fear exposure of sensitive information; the reason can be too weak authentication, a virus or other malware that causes exposure, etc.

  7. 4. Security Technologies
     • Cryptology
     • Cryptology
     • Cryptology
     • Cryptology
     All security issues (Confidentiality, Integrity, Authentication, and Nonrepudiation) are solved using Cryptology!

  8. 5. Products and Standards
     • PKI
     • IPSec
     • VPN
     • SSL, TLS
     • HTTPS
     • Firewalls
     • WEP, WPA
     • Voice Encryption
     • Security Development Tools and Kits

  9. Cryptology basics
     We look at major principles for:
     • Symmetric encryption schemes
     • Asymmetric encryption schemes
     • Hybrid encryption systems

  10. Code excerpt for synchronous encryption in Java
      • We looked at code from:
          • Beginning J2ME at page 363
      • The remaining parts of the presentation were skipped due to time limits.

  11. Layered Architecture

  12. Encryption can be done at each layer!
      • Layer 1: Physical
      • Layer 2: Link layer: by link protocol (WPA-protocol, Access list at MAC layer)
      • Layer 3: Network layer: by link protocol (IPsec-protocol, VPN)
      • Layer 4: Transport layer (SSL, TLS, HTTPS)
      • Layer 5-7: Up to Application layer: BY YOU! Develop your own solutions using Java framework or other.
      • (See e.g. http://www.opus1.com/www/whitepapers/8021xbindingproblem.pdf)

  13. VPN
      • Threat: eavesdropping at hotspots etc.
      • All through the infrastructure: WLAN, Micro Wave Systems, Internet routers, ...
      • By connecting a mobile device with the home office via VPN, ALL TRAFFIC to the home office AND all traffic to and from the public Internet is sent through the encrypted VPN connection.
      • VPN connects to host
      • The VPN client establishes a connection
      • The mobile user is prompted for proof of identity using a token such as a SecurID password or a digital certificate.
      • A VPN tunnel is established between the mobile phone and the corporate network, and all data traveling to and from the device is encrypted.
      • See: VPN portals http://forskningsnett.uninett.no/wlan/vpn.html
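Slide 13 states that with the VPN up, all traffic goes through the encrypted connection. The following added example (not part of the lecture) checks that claim on a client by reading its routing table. It assumes a Linux client, `ip -4 route show` output and a tunnel interface named `tun0`; the two routing tables are constructed samples and the function names are hypothetical.

```python
import ipaddress

# Constructed `ip -4 route show` output for two hypothetical Linux VPN clients.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Return (network, device) pairs from `ip -4 route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # skip blank lines and routes without an interface
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes

def bypass_prefixes(routes, tunnel_dev):
    """List prefixes whose traffic leaves the host outside the tunnel."""
    # A non-tunnel route is harmless only when more-specific tunnel routes
    # cover it completely: longest-prefix match then always picks the tunnel.
    # Equal-prefix routes (decided by metric) are conservatively reported.
    tunnel_nets = [net for net, dev in routes if dev == tunnel_dev]
    leaks = []
    for net, dev in routes:
        if dev == tunnel_dev:
            continue
        inner = [t for t in tunnel_nets if t != net and t.subnet_of(net)]
        if list(ipaddress.collapse_addresses(inner)) != [net]:
            leaks.append(str(net))
    return leaks

def is_full_tunnel(text, tunnel_dev="tun0"):
    """True when the tunnel is up and the default route cannot bypass it."""
    routes = parse_routes(text)
    tunnel_up = any(dev == tunnel_dev for _, dev in routes)
    return tunnel_up and "0.0.0.0/0" not in bypass_prefixes(routes, tunnel_dev)
```

For the full-tunnel sample the remaining bypass entries are the local WLAN subnet and the host route to the VPN gateway itself, which is the expected residue; anything else in that list is traffic the hotspot can see.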

  14. SSL: Secure Sockets Layer
      • SSL is part of many standard applications, e.g.:
          • Browsers and web servers
          • E-mail clients and servers
          • FTP (file transfer protocol) etc.
      • To use SSL you need a Server ID, i.e. a Digital Certificate for a web server. Web clients (browsers) use this to authenticate a server and encrypt information.
      • SSL is the forerunner of TLS, used by HTTPS

  15. WPA
      • WPA: Wi-Fi Protected Access
      • Industry standard by Wi-Fi Alliance
      • WPA is WEP with fast change of keys
      • WPA consists of:
          • WEP (Wireless Equivalent Privacy)
          • TKIP
          • Checksum that ensures that no single bit is changed (CRC)
      • 802.1x authentication is an option

  16. Bluetooth security issues. See trifinite.stuff at www.trifinite.org
      • BlueSnarf
          • Read SMS, contacts, calendar
      • BlueBug
          • Complete control of mobile
      • HeloMoto
          • Connect to headset/handsfree
      • BlueSmack
          • DoS attack, buffer overflow
      • BlueStab
          • Makes the phone crash
      • BlueSnarf++
          • Read files, full read and write access, access to memory card

  17. Get address book from Sony Ericsson T610
      • You need:
          • Linux distribution with hcitool and obexftp

  18. Get address book from Sony Ericsson T610
      Do:
          # hcitool scan
          Scanning .
          00:0A:D9:15:0B:1C T610-phone
          # obexftp -b 00:0A:D9:15:0B:1C --channel 10 -g telecom/pb.vcf -v
          Browsing 00:0A:D9:15:0B:1C ...
          Channel: 7
          No custom transport
          Connecting...bt: 1
          done
          Receiving telecom/pb.vcf...\
          done
          Disconnecting...
          done

  19. This works on:
      • Nokia
          • 6310
          • 6310i
          • 8910
          • 8910i
      • Sony Ericsson
          • T68
          • T68i
          • R520m
          • T610
          • Z600
