IP Security: IPSec

WP2
UPF Contribution to MobiHealth
Security in the MobiHealth BAN
Enschede
2002/09/18-20
© Ramon Martí, DMAG, Universitat Pompeu Fabra

UPF Participation
Workpackages and Tasks
• WP2 - MobiHealth services and BAN integration
  - T2.2 - Development and integration of the BAN platform
  - T2.5 - Security Services for the BAN
• Starting on M3:
  - WP2 - MobiHealth services and BAN integration (M3-M13)
    - T2.2 - Development and integration of the BAN platform (M3-M13)
    - T2.5 - Security services for the BAN (M3-M13)

WP2 Security Timetable
• T2.5 - Security services in the MobiHealth BAN
  - Refinement of requirements: M03-M05 (Aug-Sep)
  - BAN Test Security Platform Set-up: M04-M06 (Sep-Oct)
  - BAN Network Security Tests: M05-M08 (Oct-Dec)
  - BAN Transport Security Tests: M05-M08 (Oct-Dec)
  - BAN Application Security Tests: M05-M08 (Oct-Dec)
  - BAN Security Integration: M08-M10 (Jan-Feb)
  - BAN Final Security Integration: M10-M13 (Mar-May)

General security requirements
• Data protection:
  - Components
    - Storage
    - Access
  - Communications
    - Hop-to-hop
    - End-to-end

Other security services
• Traffic confidentiality (origin, destination, length, time, ... of messages)
• Confidentiality of identity (anonymity, pseudonymity)
• Confidentiality of location
• Availability (counter DoS attacks)
• Accountability
• Reliability

MobiHealth System Architecture

MobiHealth System Components
• Sensor
• Actuator
• Front-End
• MBU (Mobile Base Unit)
• WSB (Wireless Service Broker)
• AppServer
• WorkStation

MobiHealth System Components Security
• Confidentiality / privacy: Data encryption and authentication
  - Data confidentiality
  - No data stored in some components
• Authenticity / integrity
  - User authentication (password, smartcard, ...)
  - Terminal authentication (SIM, ...)
  - Application/server authentication (certificate, ...)

MobiHealth Communications
• Sensor <-> Front-End
• Actuator <-> Front-End
• Front-End <-> PDA
• PDA <-> WSB
• WSB <-> AppServer
• PDA <-> AppServer
• AppServer <-> Workstation

Communications Security
• Security can be added to most communication layers
• Different security features depending on layer:
  - Data link layer: Bluetooth, GPRS/UMTS, ...
  - Network layer: IPsec, ...
  - Transport layer: SSL/TLS, HTTPS, ...
  - Application layer: Data encryption (OpenSSL Libraries, MIME)

Data Link Layer / Network Layer Security
• Data Link Layer Security
  - Hop-to-hop protection (encryption and authentication).
  - No user or application authentication.
  - The security provided by Bluetooth or GPRS/UMTS, in each case, can be used.
• Network Layer Security
  - Host-to-host protection (encryption and authentication)
    - Hop-to-hop protection
    - End-to-end protection
  - No user or application authentication.
  - IPsec can be used.

Transport Layer / Application Layer Security
• Transport Layer Security
  - End-to-end protection (encryption and authentication).
  - Application-to-application protection; optional user authentication.
  - SSL/TLS or HTTPS can be used.
• Application Layer Security
  - Application-to-application and application_user-to-application_user protection, including user authentication.
  - Usually through encryption and/or signature of the data sent through the communications stack.
  - SMIME or OpenSSL libraries could be used to encrypt and sign data.

MobiHealth Security
BAN and Rest of the System
• BAN Security
  - Sensor <-> Front-End
  - Front-End
  - Front-End <-> PDA
  - PDA
  - PDA <-> WSB
  - PDA <-> AppServer
• Rest of MobiHealth Security
  - WSB
  - AppServer
  - Workstation
  - WSB <-> AppServer
  - AppServer <-> Workstation

WP2 Security Timetable
• T2.5 - Security services in the MobiHealth BAN
  - Refinement of requirements: M03-M05 (Aug-Sep)
  - BAN Test Security Platform Set-up: M04-M06 (Sep-Oct)
  - BAN Network Security Tests: M05-M08 (Oct-Dec)
  - BAN Transport Security Tests: M05-M08 (Oct-Dec)
  - BAN Application Security Tests: M05-M08 (Oct-Dec)
  - BAN Security Integration: M08-M10 (Jan-Feb)
  - BAN Final Security Integration: M10-M13 (Mar-May)

Security Possible Setups First Approach
• iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys.
• iPAQ Linux (GPRS) to Linux Gateway using IPsec tunnel with X.509 certificates.
• iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys.
• iPAQ Linux (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with X.509 certificates.
• iPAQ Windows CE (GPRS) to Linux Gateway using IPsec tunnel with pre-shared keys.
• iPAQ Windows CE (GPRS) to Windows 2000/XP Gateway using IPsec tunnel with pre-shared keys.

Setup Requirements
• Common part: certificates creation
  - Set-up a Certificate Authority (CA)
  - Certificates Generation
  - Installation of certificates in Gateway Machines (Linux)
  - Installation of certificates in Linux machines (PPC 2002 & PC)
  - Installation of certificates in Windows 2000/XP machines (PC)
• FreeS/WAN: IPsec for Linux (Linux PPC & PC)
  - Installation and configuration in Linux machines

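The first two certificate steps above (CA set-up and certificate generation), as an added example that is not part of the original slides. It uses the OpenSSL command line; the subject names, file names, key size and validity period are assumptions made for the illustration.

```shell
# Added example: a throwaway test CA that issues one certificate per IPsec
# peer. All subject and file names are constructed for the illustration.
set -eu

# make_pki DIR: create a CA in DIR, then a key and a CA-signed certificate
# for the gateway and for the mobile client.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # Step 1: set up the CA (self-signed root, installed on every peer).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example BAN Test/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Step 2: one key and signing request per host, signed by the CA.
    for host in gateway ipaq; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/O=Example BAN Test/CN=$host.example.test" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$host.csr" -days 365 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$host.pem" 2>/dev/null
    done
    # Private keys stay on their own host and are not world-readable.
    chmod 600 "$dir"/*.key
}

# cert_trusted CA CERT: succeed only if CERT chains to the given CA.
cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a second CA with the same subject name but a different key.
# Its certificates must not be accepted by peers that trust the first CA.
demo() {
    tmp=$(mktemp -d)
    make_pki "$tmp/site"
    make_pki "$tmp/other"
    cert_trusted "$tmp/site/ca.pem" "$tmp/site/gateway.pem" && echo "site gateway: trusted"
    cert_trusted "$tmp/site/ca.pem" "$tmp/other/gateway.pem" || echo "foreign gateway: rejected"
    rm -rf "$tmp"
}
demo
```

Only ca.pem and each host's own key and certificate are copied to a peer; ca.key stays on the CA machine.
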
Test Security Platform Set-up
• Linux PC
• Windows 2000 PC
• iPAQ
  - Just arrived
  - Test iPAQ <-> GPRS connection
    - Serial port
    - Bluetooth
• GPRS Phones
  - Received at the beginning of September from Movilforum
    - 2 Motorola Timeport 260 GPRS
    - 1 Ericsson T32m Bluetooth

Software Requirements and Installation
• Downloaded and installed
  - FreeS/WAN
  - X.509 Patch for FreeS/WAN (version 0.9.12 or better)
  - Patches to add multiple encryption ciphers, etc. (optional)
  - Marcus Müller's Windows 2000 VPN Tool
  - OpenSSL package in Linux
  - AdmitOne(r) VPN Client for Pocket PC
  - Linux on iPAQ

Test Security Platform Set-up
Current Status

Setup                        Install.  Config.  Tests
Linux GW and CA              yes       yes      yes
W2K/XP GW                    yes       yes      yes
Linux PC vs. Linux GW        yes       yes      no
W2K/XP PC vs. Linux GW       yes       yes      yes
W2K/XP PC vs. W2K/XP GW      yes       yes      no
iPAQ WCE vs. Linux GW        no        no       no
iPAQ WCE vs. W2K/XP GW       no        no       no
iPAQ Linux vs. Linux GW      no        no       no
iPAQ Linux vs. W2K/XP GW     no        no       no

Open Security Issues in the BAN (1/4)
• What are the security requirements for the trial scenarios
• Which components are to be protected
  - Internal network: sensors, frontend, MBU
  - External network: GPRS/UMTS, application server
• How to integrate security into the BAN architecture
• Hardware, BAN OS
• What will be there at the server side?
• Where is the “intelligence” of the system to be developed?
• More cooperation required with the other WP2 partners

Open Security Issues in the BAN (2/4)
• Communication Protocols
  - Sensor <-> Front-End
  - Actuator <-> Front-End
  - Front-End <-> PDA
  - PDA <-> WSB
  - [WSB <-> AppServer]
  - PDA <-> AppServer
  - [AppServer <-> Workstation]
• Communication Protocols Security

Open Security Issues in the BAN (3/4)
• MobiHealth System Components Functionality
  - Sensor
  - Actuator
  - Front-End
  - MBU (Mobile Base Unit)
  - [WSB (Wireless Service Broker)]
  - [AppServer]
  - [WorkStation]
• MobiHealth System Components Security
  - Storage
  - Access

Open Security Issues in the BAN (4/4)
• MobiHealth System Components Platform:
  - PDA
    - OS: Windows CE / Linux
  - Application Server
    - Hardware: PC / Workstation
    - OS: Windows 2000 / Linux
  - Workstation
    - Hardware: PC / Workstation
    - OS: Windows 2000 / Linux

BAN Architecture

General Security Threats
• Security threats to electronic data in transmission or storage:
  - Interruption: Data transmission is interrupted, or stored data is deleted.
  - Interception: Data is accessed and read during transmission or storage.
  - Modification: Data is modified during transmission or storage.
  - Fabrication: Data is created by a third party impersonating the data originator.
  - Man in the middle: A third party places itself in the middle of the communication, impersonating the receiver from the sender's point of view and the sender from the receiver's point of view.

General Security Services
• General security services to avoid security threats:
  - Confidentiality: Protects data so that it is (almost) impossible for non-authorised users to interpret, in communication or storage.
  - Integrity: Protects data against unauthorised modification, insertion, reordering or destruction during communication or storage.
  - Authentication: Provides a way to corroborate the identity of the entities involved in data creation or communication.
  - Non Repudiation: Protects against unilateral or mutual data repudiation.
  - Access control: Protects the system and its resources against unauthorised use.

General Security Services and Threats
• Security services that protect against each threat:
  - Interruption: --
  - Interception: Confidentiality
  - Modification: Integrity, Authentication
  - Fabrication: Authentication
  - Man in the middle: Authentication
• Threats addressed by security services:
  - Confidentiality: Interception
  - Integrity: Modification
  - Authentication: Fabrication, Man in the middle
  - Non Repudiation: --
  - Access control: --

General Security Mechanisms
• Symmetrical key encryption: “Low” computing power
• Asymmetrical key encryption: “High” computing power
  - Encryption with public key of receiver
  - Encryption with private key of sender
• Signature: Asymmetrical key encryption of message hash with private key of sender. “Low” computing power
• Combined: For example, asymmetrical key encryption for the interchange of a symmetrical key + symmetrical key encryption for the data interchange.

General Security Services and Mechanisms
• Confidentiality: Encryption. Symmetrical or asymmetrical. Symmetrical usually used.
• Integrity: Signature or Encryption (Symmetrical or asymmetrical). Signature is better.
• Authentication: Signature or Symmetrical Encryption with private sender key. Signature is better.
• Non Repudiation: Signature. Single or mutual.
• Access control: --

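The "Combined" and "Signature" mechanisms from the two slides above, as an added example that is not part of the original presentation. It uses the OpenSSL command line; AES-256-CBC, RSA-OAEP, SHA-256, the function names and all file names are assumptions chosen for the illustration.

```shell
# Added example: symmetric encryption of the data, asymmetric encryption of
# the session secret, and a signature by the sender. Names are constructed.
set -eu

# new_keypair PREFIX: private key in PREFIX.key, public key in PREFIX.pub.
new_keypair() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# seal FILE RECEIVER_PUB SENDER_KEY OUTDIR
seal() {
    out=$4; mkdir -p "$out"
    # Symmetric part: a fresh random session secret encrypts the bulk data.
    openssl rand -hex 32 > "$out/session"
    openssl enc -aes-256-cbc -pbkdf2 -in "$1" -out "$out/data.enc" \
        -pass "file:$out/session"
    # Asymmetric part: only the short secret is encrypted for the receiver.
    openssl pkeyutl -encrypt -pubin -inkey "$2" \
        -pkeyopt rsa_padding_mode:oaep -in "$out/session" -out "$out/key.enc"
    rm -f "$out/session"
    # Signature: hash of wrapped key + ciphertext, signed by the sender.
    cat "$out/key.enc" "$out/data.enc" |
        openssl dgst -sha256 -sign "$3" -out "$out/msg.sig"
}

# unseal DIR RECEIVER_KEY SENDER_PUB OUTFILE: verify first, then decrypt.
unseal() {
    cat "$1/key.enc" "$1/data.enc" |
        openssl dgst -sha256 -verify "$3" -signature "$1/msg.sig" \
        >/dev/null 2>&1 || return 1
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/key.enc" -out "$1/session" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1/data.enc" -out "$4" \
        -pass "file:$1/session" || return 1
    rm -f "$1/session"
}

demo() {
    tmp=$(mktemp -d)
    new_keypair "$tmp/sender"; new_keypair "$tmp/receiver"
    printf 'HR=72;SpO2=98\n' > "$tmp/vitals.txt"   # constructed sample data
    seal "$tmp/vitals.txt" "$tmp/receiver.pub" "$tmp/sender.key" "$tmp/msg"
    unseal "$tmp/msg" "$tmp/receiver.key" "$tmp/sender.pub" "$tmp/out.txt" && cat "$tmp/out.txt"
    rm -rf "$tmp"
}
demo
```
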
Communication layers
• Layer 7: The application layer
• Layer 6: The presentation layer
• Layer 5: The session layer
• Layer 4: The transport layer
• Layer 3: The network layer
• Layer 2: The data-link layer
• Layer 1: The physical layer

Sensor <-> Front-End Security
• In principle, no data encryption is foreseen, except in case Bluetooth is used for wireless.
• Communications:
  - Wired: Maybe security is not really needed.
  - Wireless: Security may be required in the communication.
    - Bluetooth
    - Zigbee
• Data encryption and/or authentication: Only in wireless communication?
  - Bluetooth

Front-End Security
• Front-End stores data received from sensors. This data stored in the Front-End should be protected.
• Data encryption and authentication:
  - SMIME
  - OpenSSL libraries

Front-End <-> PDA Security
• It must be decided if security is really needed.
• Communications:
  - Wired
  - Wireless: security is required.
    - Bluetooth
  - Flash memory
• Data encryption and authentication: Could be required
  - Bluetooth
  - SMIME
  - OpenSSL libraries

PDA Security
• The PDA should act as the communication component in the BAN, getting data from the Front-End and sending it securely through GPRS/UMTS to the AppServer.
• Data encryption and authentication:
  - No data should be stored in the PDA.
• User authentication: May be required for accessing the PDA
  - Password
  - SIM-card
  - X.509 key

PDA <-> WSB Security
• Communications:
  - GPRS/UMTS
  - WAP + WML
  - HTTP / HTTPS + HTML
• User authentication: May be required.
  - SIM-card based?
• Terminal authentication: May be required.
  - SIM-card
  - X.509 key
• Data encryption and authentication:
  - GPRS/UMTS
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

PDA <-> AppServer Security
• Should include some authentication and data encryption.
• Communications:
  - TCP / IP (IPsec)
  - WAP + WML
  - HTTP / HTTPS + HTML
• User Authentication: It should also include some user authentication.
  - SIM-card
  - X.509 key
• Terminal authentication: Some terminal authentication may be required.
  - SIM-card
  - X.509 key
• Data encryption and authentication:
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

WSB Security
• No data should be stored in the WSB.
• Data encryption and authentication:
  - No data should be stored in the PDA.

AppServer Security
• Data stored should be encrypted to avoid interception.
• Data encryption and authentication:
  - SMIME
  - OpenSSL libraries
• User authentication: May be required for accessing the AppServer.
  - Password
  - SIM-card
  - X.509 key

Workstation Security
• Data Storage:
  - No data should be stored in the Workstation.
• User authentication: Some user authentication may be required for accessing the Workstation.
  - Password
  - SIM-card
  - X.509 key

WSB <-> AppServer Security
• Communications:
  - TCP / IP (IPsec)
  - WAP + WML
  - HTTP / HTTPS + HTML
• Data encryption and authentication:
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

AppServer <-> Workstation Security
• Internal communication inside hospital or health centre.
• Communications:
  - TCP / IP (IPsec)
  - WAP + WML
  - HTTP / HTTPS + HTML
• Data encryption and authentication:
  - Network layer security (e.g. IPsec) may be required.
  - Transport layer security (SSL/TLS, HTTPS) may be required.
  - Application layer security (data encryption) (SMIME, OpenSSL libraries) may be required.

Communications security
• Communication layers:
  - Data link layer (Bluetooth, GPRS, ...)
  - Network layer (IPsec, ...)
  - Application layer (SSL/TLS, ...)
• Data link layer security for hop-to-hop protection
• Application layer security for end-to-end protection

MobiHealth Communication
• Sensor <-> Front-End: Wired / Bluetooth / Zigbee
• Actuator <-> Front-End: Wired / Bluetooth / Zigbee
• Front-End <-> PDA: Bluetooth
• PDA <-> WSB: GPRS / UMTS + [WAP + WML | HTTP / HTTPS + HTML]
• WSB <-> AppServer: HTTP / HTTPS + HTML | WAP + WML
• PDA <-> AppServer: HTTP / HTTPS + HTML | WAP + WML
• AppServer <-> Workstation: HTML

Security services
• Confidentiality / privacy
  - Data confidentiality
• Authenticity / integrity
  - User authentication (password, smartcard, ...)
  - Terminal authentication (SIM, ...)
  - Application/server authentication (certificate, ...)