Security Issues in Mobile Communications

V.Bharghavan and C.V. Ramamoorthy CS Division, Department of EECS University of California at Berkeley Berkeley, CA - 94720

Abstract
Recent years have witnessed the rapid growth of mobale computing environments. One of the major concerns in such environments is security, specially in the context of wireless communications. In this paper, we describe some of the important issues which need to be addressed in designing a security scheme for mobile communications. These include autonomy of communicating entities, mobility of the users, limitations of the hardware, etc. W e describe a scheme which addresses the above issues, and provides a correct and eficient mechanism to establish secure communications. Our scheme provades authentication of the communicating entities, location privacy, and secure messaging.

2
2.1

Scope and Goals

Development Environment

Introduction

Recent years have witnessed the rapid development of portable computing devices such as notebooks, PDAs, palmtops, etc. In the past, these portable devices were designed to operate as stand-alone entities. However, there is a growing trend towards providing portable computers with wireless networking functionality. This implies that portable computers of the future will have wireless connectivity with the rest of the networked world. The absence of wires facilitates mobility, and the presence of networking access facilitates communication-based applications. In fact, the combination of mobility and networking gives rise to a whole new class of very interesting applications, but also a whole new set of technological problems. One of the more challenging problems introduced by mobile networking is security. This paper addresses the security issues in mobile networking. We describe the problems in secure nomadic movement. We then propose a security scheme which provides authentication, location privacy, and secure messaging. The correctness of the scheme has been shown using the Burrows-Abadi-Needham Logic of Authentication [SI. The rest of the paper is organized as follows. Section 2 describes the development environment and the goals of our security scheme. Section 3 describes the issues that need t o be resolved to achieve our goals. Section 4 proposes a practical security scheme which achieves our goals. Section 5 explores the design space, and Section 6 concludes the paper.

We have adopted the popular Personal Communications Services (PCS) model for our mobile computing environment. We use the term workstations for static computers, and walkstations for mobile computers. There exists a high bandwidth wired backbone network to which workstations are connected. There are some special purpose networking devices which have wired and wireless networking functionality. Such devices are called basestations. Basestations serve as the communication intermediaries between static workstations and mobile walkstations. A basestation services a geographical region around it, called a cell. The environment we envision is one in which basestations are appropriately located to cooperatively service a large geographical region. Mobile walkstations are allowed unconstrained mobility within this region, while retaining their network connectivity. We make no assumptions about the size of the mobile computing environment. Our goal is to design a security scheme which scales from Indoor Wireless LANs to the PCS infrastructure. Each walkstation has a home workstation on the wired backbone network. A home workstation is trusted fully about any information pertaining to its walkstation(s). In our environment, home workstations and basestations are considered to be trusted special machines. The actual networking protocol used for mobile communications is irrelevent. Our implementation uses a TCP/IP/MACAW protocol stack. Our security scheme sits between MACAW and IP. An important point in our implementation is that we use dynamic addressing [5] at the media access layer. It turns out to be an important factor in providing location privacy. We have tried t o make as few assumptions as possible about the development environment in our security scheme. The important assumption is the trustworthiness of basestations and home workstations. Figure 1 shows the development environment. 2.2 Goals The establishment of secure wireless communication channels is one of the major requirements in PCS. While security is not the prime focus of experimental networks and short-range Indoor Wireless LANs, it is a major concern in commercially viable PCS infrastructure. In such environments, authentication and

19
0-8186-7087-8/95 $4.000 1995 IEEE

Figure 1: Mobile Computing Environment

privacy of communication are two major requirements. Our security scheme has four goals.

The walkstation and the basestation must be able to authenticate each other. Authentication protects the basestations (and by extension, the PCS infrastructure) from unauthorized intrusion. It also enables the walkstation to authenticate the basestation. This could be of importance for two reasons: firstly, it prevents a malicious station from pretending to be a basestation; secondly, it permits the walkstation to choose the services of a particular basestation in the presence of colocated networks. the latter feature will enable the walkstation to choose service from one among competing providers. Once authenticated, the walkstation and basestation should be able to communicate securely. Privacy has two dimensions: data privacy, and location privacy. Data privacy is well understood in the context of traditional wired communications. Data privacy protects data transmitted over a communication channel from being either faked or snooped by an unauthorized entity. It therefore prevents both active and passive forms of intrusion. Walkstations should be provided location privacy. Location privacy is of particular importance in mobile computing environments. It prevents a bystander from detecting the identity of the communicating entities. Some applications (specifically military applications) will require location privacy, while others may exploit the knowledge

of location of walkstations, such as Active Badges systems. Our goal is to provide location privacy at the lowest layer. Higher layers may disseminate location information according to the needs of the applications. The security scheme should be efficient, and optional. Many applications may not care about security at all. For example, given a walkstation with limited power, there is a trade-off between increasing bandwidth by data compression, or security. Essentially, the computing power at the walkstation could be a scarce resource, and we need to choose between encryption and compression. Our goal is to provide security as an optional feature, which an application can turn on or off depending on its needs. We want to provide an efficient security scheme.

Important Issues

Security in Mobile environments is governed by three major factors: (a) hardware characteristics, (b) systems characterisiics, and c) applications characteristics. We describe each o these in the following sections.

3.1

Hardware Characteristics

The limiting hardware components in a mobile computing environment are the walkstations and the wireless medium. Walkstations may range from simple PDAs to powerful notebook computers. Typically, the walkstations are low power, and their computing resource is scarce. This was in part the motivation for making security an optional feature.

20

Wireless media are inherently less secure than wire. For example, it is possible to snoop, or even jam radio channels very easily. This motivated moving the security scheme to the lowest communication layer. Our goal is to establish wireless communication channels which are at least as secure as wired communications. Note that we cannot prevent jamming in radio media. Wireless bandwidth is typically, orders of magnitude lesser than wired bandwidth. Our goal is to minimize the overhead of the securit,y scheme, since the wireiess medium is a scarce resource. This translates t o reducing the number of messages in the wireless network. Mobile communications work in the presence of network partitions. In the case of LANs, we assume network partitions to be negligible. However, it is possible for walkstations to operate very far away from their home network. Typically, mobile communications will span a WAN and a wireless MAN. Network partitions in this scenario are not to be neglected. Our goal is to eliminate (in the common case) the across-the-globe messages that are required in traditional and current protocols to authenticate the walkstation and basestation.

is not a valid assumption in the presence of mobility, where a walkstation may travel across multiple time zones without changing its clock. Our goal is to provide an implicit form of timestamping.

3.3

Applications Characteristics

3.2

Systems C Piaract erist ics

There are a number of Infrastructural characteristics in mobile environments. In this paper, we describe three of the most important.

Applications in mobile computing environments typically have certain unique requirements. The three most important being location privacy, mobility, and secure multicast. Location privacy implies that the identity of the communicating entities needs to be protected. We do this by using dynamic addressing, as described in [5]. Mobility implies frequent authentications upon handoffs, as described above. Secure multicast is an indirect consequence of mobility. We anticipate that among the major applications for Indoor Wireless LANs will be classrooms, and meeting. These applications t,ypically involve one transmitter and many listeners. Support for secure multicast is therefore an important aspect of our scheme. In summary, we believz that there are three major reasons why mobility poses a challange in designing an efficient security scheme: (a) autonomy of communicatiiig systems, (b) frequent sticure communicatiow setup, and (c) network partitions. Our solution addresses all the three issues described above. We effectively solve the problem of frequent secure communications, while we work around the problem of network partitions. We assume the presence of a global certifying authority (or set of cooperating authorities), but icvolve its use very rarely.

Autonomy is the critical issue in secure mobile

communications. In LANs, we usually assume that the communicating end-points and the intermediate nodes are all a part of the same organization. Security is thus a relatively simple issue, given that there is an authenticating authority which certifies all the nodes. In WANs, this assumption fails, since frequently, the communicating entities belong to different organizations, which are autonomously governed. It is still possible t o extend the schemes in L4Ns, given a single, or a set of mutually trusting authenticating authorities. In Mobile Environments, there is a new dimension added by mobility. The wired WAN, the basestations, and the walkstations are all governed by different organizations, and it is possible for a walkstation from anywhere in the world to walk into the cell of any basestation. Mobility has another implication on security. Walkstations move between cells, and need to be authenticated upon entering each new cell. Currently, each authentication requires communication with the home workstation, which could be across the globe. In the presence of network partitions, this can be an enormous problem. Our goal is to make handoffs as efficient as possible. Almost all currently available security protocols assume some form of time synchronization. This

Security Scheme

We have proposed a security scheme [2] which provides authentication. location privacy, and secure communications. Briefly, o u r scheme mutually authenticates the basestation and walkstation, and generates a shared key for encryption of messages. In case of multicast, our scheme relies on the traditional public/private key mechanism. The authentication scheme described here is safe against intrusions or replay. Data replay is not a consideration here since replayed data will be rejected at a higher layer (typically, TCP). For the purposes of this paper, we assume that it is possible to communicate securely using a shared key encryption. Various popular schemes, such as DES, IDEA, FEAL-32, etc. achieve this security. 4.1 Definitions We use the following definitions for the rest of the paper.
(x, y, z) authentication denotes the scheme by which two computers x and y authenticate each other via z and then arrive at a shared key. m denotes a walkstation. b and b l denote a basestation. h denotes the home workstation of m. Kxy denotes a shared key between two computers x and y. Kx and Kx denote the public key and private key respectively of a computer x.

21

{p}K denotes a messa e p encrypted with key K. Ix,y,K( denotes that t e computers x and y share a key K. N, N,and N denote a nonce. 4.2 Message Sequence

it

The security scheme involves an indirect handshake between the mobile and its home. All messages are routed through the basestation. In our scheme, m generates the shared key Kmb for m and b. h authenticates m to b, and b to m. A walkstation may first enter a cell by one of three ways - it may be powered-on in a cell, it may enter a cell through handoff from another cell, or it may enter a cell from an unserviced (no basestation s u p port) region. The last case reduces to one of the two previous cases, depending on whether the walkstation remembers its previous basestation or not. We expect that the common case in mobile environments will be handoff across cells. We optimize this case by observin that basestations are trusted and also that handoffimplies that the handing off basestation can act as the certifying authority for the new basestation and the walk station. We now describe the case of power-on. The handoff case is obtained by simply replacing the home h with the handing off basestation. Initially, m sends a message to h encrypted in Kmh. This message contains a nonce, a newly generated shared key Kmb, and a message for b encrypted in Kmb (the messa e from m to h is routed through b - m identifies h to ). h sees the encrypted message, and forwards to b a message encrypted in Kbh. This message contains a nonce, the shared key Kmb, the message from m to b, and a message to m encrypted in Kmh. b forwards the message from h to m encrypted in Kmb. At the end of this exchan e, m, b, and h are all aware that Kmb is the share! key between m and b. Note, that since h is trusted by both b and m, it actually acts as the Controlling Authority in this exchange. The security scheme involves 4 messages since the first message from m to h is routed throu h b. In terms of the idealized protocol, these are the following.

the home at all, only neighbouring basestations. This makes the protocol much more efficient, specially since it is possible for the mobile to be in a different continent from the home. In case of the power-on situation, it is not always true that the home and the basestation have authenticated each other. In that case, the home h and the base b need to authenticate each other through a central authority c. However, the (b, h, c) authentication problem reduces exactly to the (m, b, h) authentication problem, with b taking on the role of m, h taking on the role of b, and c taking on the role of h.

4.3

Security for Multicast packets

Only basestations are allowed to multicast data. Mobile computers are not allowed to communicate with each other directly. Enabling multicast is thus simple. After a basestation b authenticates a walkstation m, b provides m with its public key Kb. b multicasts packets by encrypting them with its private key Kb. Authorized mobiles can decrypt the data using Kb. Note that it is possible for the public key of a basestation to be divulged to unauthorized users (walkstations are not trusted). There does not seem to be any fully secure way to prevent this from happening. In order to reduce the chance of unauthorized users accessing multicast data, basestations frequently reissue public/private keys.

4.4

Proxy Home

When a walkstation moves away from its home network into a new network, it needs to establish a proxyhome for reasons described in 171. The proxy-home and the mobile need to authenticate each other and establish a shared key. For secure inter-network mobility, there has to be some common trusted central authority. Consider a mobile m moving from its home network to a new network. Let h be its home, and h l be the proxy home. When m initiates the authentication protocol with some basestation b in the new network, a flevel authentication scheme is involved -

1. m -+ b: h, {N, Im, b, KmbJ, {N, Im, b, Kmbl}Kmb }Kmh

thentication, (b, h l , c) h , C) authentlcation -

ity in the new network and C is the global central authority.

2. b 4 h: {N, Im, b, Kmbl, {N, Im, b, Kmb(}Kmb }Kmh

3. h + b: {N, Im, b, Kmbl, {N, Kmb(}Kmb, {N , Im, b, Kmbl}Kmh

Design Space
0

The design space is dictated by the characteristics of mobile communications. The limitations of hardware imply that in most cases, either the walkstation or the wireless medium will be the bottleneck. Our solution to this problem has been to push the decision (whether to employ a security scheme or not) u p wards in the communication protocol hierarchy, into the application space. This is because it is the application which can best predict its needs. In terms of the wireless medium, our approach is to reduce the number of messages transmitted over the wireless. We achieve the minimum PO% sible message exchanges (2) over wireless because

4. b 4 m: 6N Im, b, Kmbl, IN, Im, b, Kmb(}Km }dmb

Figure 2 shows the message sequence. At the end of the message exchange, m and b have both obtained the shared key Kmb using which they can communicate securely. Note that our scheme introduces two significant departures from existing schemes. Firstly, the walbtation generates the shared key. Second, in the common case, the authentication process does not involve

22

dobile Computer

Base Station

Home Computc

I
I

Time Axis:

Figure 2: Message Sequence in the Generic Scheme in our security scheme, it is the walkstation which generates the shared key.
0

Our security scheme ensure that communica tion over wireless is secure. Of course, it is still possible for an intruder to snoop or interfere in the wired network. For applications which care, higher level security protocols, such as Kerberos, are available. Our scheme thus makes the overall communication channel at least as secure as the wired part of the channel. Network partitions are not negligible when we consider WAN communication. Thus it is impractical to involve the home workstation in every authentication. Our solution to this problem has been twofold: firstly, we have eliminated communication with the home upon handoff, which we expect to be the common case; secondly, we establish a proxy-home in the network local to the walkstation. Setting up a proxy-home is a onetime cost, and significantly reduces the probability of negation of service to the walkstation due to a network partition between the home and the basest at ion. We still do not have a good solution to resolve the problem induced by autonomy of organizations. We have side-stepped this issue by replacing the home in the common case with a local basestation. However, we still require the presence of a global authority, or a set of cooperating authorities.
0

Since time synchronization is difficult to achieve in our environment, we have replaced it with implicit timestamping. Most protocols generate nonces by advancing including a time field in it. That way, if the nonce is replayed after a while, the replay can be detected. We replace the time field in the nonce by a pair of random numbers, with the second random number of a nonce being repeated as the first number of the subsequent nonce. This scheme works well for a pair of stations, and is described in [2]. Multicast is a very difficult problem in wireless communications. In [3], we describe the problems of multicast access. In some sense, this problem is analogous to the problem of arriving at a secure key for multicast transmission. Our solution has been to use the public/private key scheme, but this does not prevent an unauthorized walkstation from gaining access to the private key of a basestation and snoop on the transmission. We do not yet have a good solution to this problem.

Our implementation of the security scheme demonstrates the feasibility of the scheme, and our proof using the Lo ic of Authentication demonstrates its correctness [2f However, we still need to evaluate our scheme for performance in the presence of large-scale deployment of mobile computers.

Conclusion

One of the major factors in the commercial viability of PCS is security of communication in the PCS

23

environment. In general, designing efficient security schemes for mobile computing environments is a very difficult task. The major requirements are authentication, location privacy, and secure messaging. The major technical challenges arise from the autonomy f the communicating entities, m e of administration o bility of the users, and potential network partitions. f the imporIn this paper, we have described some o tant factors to consider in designing a security scheme for a mobile computing environment. We have also described a securit scheme which we proposed and proved correct in [$ We believe that our scheme successfully addresses many of the issues raised in this paper.

References
[l] A. Aziz and W. Diffie. Privacy and Authentication in Wireless Local Area Networks. IEEE Personal Communications, First Quarter, 1994.

[2]V. Bharghavan. Secure Wireless LANs. Proceedings of the A C M Conference on Computers and Communications Security, 1994.

[3] V. Bharghavan, A. Demers, S. Shenker, and L. Zhang. MACAW: A Media Access Protocol f o r Wireless LANs. Proceedings of the ACM SIGCOMM Conference on Communications Architectures, Protocols, and Applications, 1994.
[4] V. Bharghavan. LCMACA - A Limited Contention Protocol for Wireless LANs: Design Document. In Preparation.

[5] V. Bharghavan. Dynamic Addressing in Wireless LANs. Proceedings of the IEEE Intemational Communications Conference, 1995.

[ S I M. Burrows, M.Abadi, and R.Needham. A Logic

of Authentication. ACM l h n s a c t i o n s on Computer Systems, Vol. 8, No. 1, February 1990.

[7]J. Ioannidis, D. Duchamp, and G.Q. Mapire. IP[8]S.P Miller, C. Neumann, J.I. Schiller, and J.H.

based Protocols for Mobile Internetworkmg. Proceedings of ACM SIGCOMM, 1991. Saltzer. Kerberos authentication and authorization system. Project Athena Technical Plan MIT, July 1987.

24