Usage of thin clients on STB for secure interactive applications

Francesc Pinyol Margalef (1), Marc Rovira Vall (1), Alex Iborra Garcia (1), Gabriel Fernandez Ubiergo (1), Carlos del Ojo Elias (2), David Hernando (3), Toni Felguera (3)

(1) GTM - La Salle – Universitat Ramon Llull, Barcelona, Spain; (2) esCERT-UPC, Barcelona, Spain; (3) Barcelona Digital Centre Tecnològic, Barcelona, Spain

E-mail: {fpinyol,marcr,aiborra,gabrielf}@salle.url.edu, [email protected], {dhernando, afelguera}@bdigital.org

Abstract: Nowadays, interactive TV has become an important distribution channel for service sector companies like banks or sellers. In that direction, the use of cloud computing solutions is today one of the most effective ways to provide new services and features to end users in an elastic and immediate manner. We have developed a solution based on open standards, which uses a cloud computing infrastructure to provide a high level of security, usability and multi-platform capability. The user connects through the VNC protocol to a virtual machine server held by the company, which provides a virtual browser session that is used to connect securely to the company website to perform sensitive operations.

Keywords: Interactive TV, thin client, cloud computing, t-banking

1 INTRODUCTION

“On-line banking” refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer or other devices. On-line banking products and services can include wholesale products for corporate customers as well as retail and fiduciary products for consumers. The products and services obtained through Internet banking may also mirror products and services offered through other bank delivery channels [4]. In addition, many banks are Internet-only ones; unlike their predecessors, these Internet-only banks do not maintain brick-and-mortar bank branches. Instead, they typically differentiate themselves by offering better interest rates and advanced on-line banking features [8]. These solutions have become a de facto standard tool for most of the population, making their banking activity simpler, faster and much more comfortable. This technology allows users to perform usual banking operations from home, or even from a wireless device located anywhere in the world. Going further, as banks reap the benefits of the non-branch service delivery channels that came of age in the recent past, their quest to expand reach via innovative offerings never ceases. Banking services made available via television have been one such innovation; they attracted significant attention a few years ago, but it was a case of early delivery for most countries. T-banking is about exploiting the television's existing reach into households as a viable banking service delivery channel. The commercial applications that can be further built on top of this platform could enable users to perform the same e-banking activities as with other electronic devices [9]. However, those new services bring new security problems to deal with, as the remote handling of such sensitive information (bank accounts, credit card numbers, ...) could be a very risky practice if the correct protective measures are not taken. In parallel, interactive TV (ITV) is changing the way t-commerce used to work, eliminating the need for a telephone as the way the customer communicates with the company. Now, products can be ordered by pressing a single remote control button, and more detailed information can be shown instantly on customer request. As TV's mass distribution makes it a great business opportunity to profit from, banks and commerce companies are putting great effort into the research and development of new solutions that will grant them a new communication channel with end customers, opening a new market sector. All these facts result in a great increase in the profits achieved by the use of ITV applications, but new security problems have to be resolved in order to correctly deploy those new solutions. In the following sections we will describe how security is addressed in interactive TV applications: first we will show the classical approach, followed by our proposed new approach based on thin clients. Although our solution could be implemented in any ITV middleware, DVB-MHP has been chosen, considering that the use of open standards is always recommended. We are conscious that the future of MHP as a common platform for interactive television is uncertain and that it lacks market penetration, but MHP is still the European standard. Another important reason to choose MHP is the similarity of its applications (xlets) with Java applets. As several open source VNC clients are available as applets, like “RealVNC”, “TightVNC” or “UltraVNC”, the conversion to xlets is much simpler.

Corresponding author: Francesc Pinyol Margalef, GTM – Grup de Recerca en Tecnologies Mèdia, La Salle – Universitat Ramon Llull, Quatre Camins 2, 08022 Barcelona, Catalonia, Spain, [email protected]

2 SECURITY ON INTERACTIVE TV APPLICATIONS

2.1 Classical approach

MHP, the Multimedia Home Platform, is the collective name for a compatible set of middleware specifications developed by the DVB Project, based on Java. MHP was designed to work across all DVB transmission technologies. The use of an open standard for interactive TV middleware means that receiver manufacturers can target multiple markets rather than developing products to the specification of a particular broadcaster. Applications based on MHP can be developed by multiple service providers, enabling a horizontal market in that area [2]. DVB-MHP has defined a security model that every secure MHP solution must support. This model guards MHP against several problems without preventing reasonable business models. It is based on two elements: channel encryption and authentication of the parties.

2.1.1 Channel Encryption

In MHP, general-purpose security for the return channel is provided by Transport Layer Security (TLS). MHP implements the cipher algorithms RSA, MD5, SHA-1 and DES. Once the server has been verified, the application can establish a secure connection and use the HTTPS protocol [3]. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol, providing encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate mechanisms are used and that the server certificate is verified and trusted. The inherent trust in HTTPS is based on CA certificates pre-installed in different types of software like browsers [7].

2.1.2 Authentication

The authentication process performed by MHP uses a PKI. Three main types of items are used: hash codes, signatures and certificates. A CA signs the certificate to enable a third-party trust environment. A certificate mechanism is specified to cover key distribution and to ensure that the key used to perform the signature is valid and recognised by a CA. To guarantee the integrity and authenticity of the application, the MHP security framework enables a receiver to authenticate the source of application code, as well as the other files it uses. All the authentication messages are stored as files in specific directories, transferred to the receiver along with the broadcast information.

The MHP security framework also holds tools for server authentication. Before the TLS connection is established, MHP ensures that the certificate list sent by a server contains at least one trusted certificate. In an MHP environment, a downloadable application can establish a TLS session. This can be used for sensitive transactions. In such a scenario, the application knows which server to connect to, and it also knows how to access the trust chain for the validation of certificates. One or several TLS root certificates can optionally be broadcast along with the application. The certificate files shall be authenticated as members of the same authenticated sub-tree as the application. When no TLS certificates are sent with the application, the implementation will allow a connection to be established to any server. The application can then use the JSSE API to retrieve the certificate chain and check that it contains the certificate the application requires. In such a case, both the name and the public key need to be checked by the application if it wants to be sure about the remote server [3]. Finally, the user needs to authenticate when logging in to a system. That can be accomplished in many ways: passwords, one-time passwords, public key cryptography, zero-knowledge proofs, etc. The usability factor cannot be ignored when designing authentication systems. If the authentication methods are not deemed usable by those forced to use them, then they will avoid using the system or persistently try to bypass them. Usability is a key issue for the adoption and maintenance of a security system.
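The post-handshake chain check the passage describes (retrieve the chain via JSSE, then check both the name and the public key of the required certificate), as an added example written against standard JSSE; it is not code from the paper or its prototype, the `expectedSubject` and `expectedSpkiSha256` inputs are hypothetical values the application pins in advance, and the exact API subset available on an MHP receiver is assumed, not verified:

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Application-side check for the case where no TLS root certificates travel
 * with the application: after the handshake the xlet retrieves the peer chain
 * through JSSE and proceeds only if one certificate in it carries BOTH the
 * expected subject name and the expected public key.
 */
public final class PinnedBankServer {

    /**
     * True only if a single certificate in the chain has the expected subject
     * DN (RFC 2253 form, which is what X500Principal.getName() returns) AND a
     * SubjectPublicKeyInfo whose SHA-256 digest equals the pinned value. Both
     * must hold on the same certificate: a name match on one certificate and
     * a key match on another proves nothing about the server.
     */
    static boolean chainContainsRequired(Certificate[] chain, String expectedSubject,
                                         byte[] expectedSpkiSha256)
            throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            boolean nameOk = x.getSubjectX500Principal().getName().equals(expectedSubject);
            byte[] spkiDigest = sha256.digest(x.getPublicKey().getEncoded());
            boolean keyOk = MessageDigest.isEqual(spkiDigest, expectedSpkiSha256);
            if (nameOk && keyOk) {
                return true;
            }
        }
        return false;
    }

    /**
     * Opens the TLS socket, forces the handshake so the default trust manager
     * validates the chain first, then applies the application's own pin. On any
     * failure the socket is closed before the exception propagates, so a caller
     * can never keep using an unverified channel.
     */
    static SSLSocket connectPinned(String host, int port, String expectedSubject,
                                   byte[] expectedSpkiSha256) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            if (!chainContainsRequired(chain, expectedSubject, expectedSpkiSha256)) {
                throw new SSLPeerUnverifiedException(
                        "server chain does not contain the pinned bank certificate");
            }
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        } catch (NoSuchAlgorithmException e) {
            socket.close();
            throw new IOException("SHA-256 is not available on this receiver", e);
        }
    }
}
```

The pin for `expectedSpkiSha256` can be produced from the server certificate with `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`, and `expectedSubject` must be stored in the same RFC 2253 form that `getName()` returns.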

2.2 New approach based on thin clients

Thin clients need a server to provide full functionality, since computation at the client side is minimised and the application is executed on the server. The thin client approach has several interesting features: 1) centralisation of resources, 2) multiple instances in which to log in and run applications, 3) inexpensive remote access, 4) hardware independence, 5) cheaper maintenance and updates, and 6) a limited amount of sensitive information travelling across the network. One of the main advantages of thin clients is the possibility of accessing server-based applications or devices with embedded web server software.

2.2.1 Thin Clients

Despite new and more robust operating systems and better firewalls, information systems still have too many vulnerabilities. In order to minimise them, the original thin client concept has evolved, and it is now combined with cloud computing [1]. Thin client computing combines the mainframe approach with the display of graphical information. Applications run in a more secure environment, which is a key feature in most domains to boost security, but always complemented with a satisfactory user experience, as documented in recent studies [6]. Virtual Network Computing (VNC) [5] is an example of remote desktop software which can be tunnelled over an SSH or VPN connection to provide integrity and confidentiality.

2.2.2 Virtualisation

The main purpose of virtualisation in our approach is to replace the remote system with a virtualised environment; in this manner, the server does not rely on the security of the end user's infrastructure, as for each connection a new browser session is created in a new, clean virtual machine. Furthermore, this type of solution has a lower cost in terms of hardware and systems management, compared to dedicated hardware. Cloud computing is the term used to refer to outsourced virtualisation structures. Its objective is to provide management information systems in a transparent manner through an abstraction layer, so that certain functions such as scaling, management or use of hardware resources are performed in a transparent and more efficient manner than in locally managed systems. Currently, there are several tools dedicated entirely to the management of cloud environments that facilitate the administration of the resources provided by the cloud. One example is Enomalism, a system that enables the management and deployment of virtual platforms quickly and easily through a web environment or a web-service interface based on REST technology. This software is not user-oriented but rather designed for the provider of the cloud environment infrastructure. In addition to a cloud manager, we have implemented a system that centralises all access to the virtual systems by implementing the VNC communication channels.

3 THIN CLIENT IMPLEMENTATION FOR INTERACTIVE TV

3.1.1 Software architecture

As the final user is always the most vulnerable part of the chain, we can assume that the client terminal could be hacked. That is why our application is based on an outsourced virtualisation structure: operations are processed in an outer system, hosted by the company on a secure server. Each user accessing the cloud obtains a personal instance of a virtual machine. This instance is created with a closed configuration specifically for that session, guaranteeing that it is free from malicious software. Hardening of the VM operating system (OS) provides the security improvement. In fact, the only action possible with that OS is to navigate through the company website with a web browser in kiosk mode. That way, we can limit malicious behaviour, as well as reduce complexity of use. As another security measure, the instance is destroyed when the session terminates, and it does not store any data. One of the advantages of this structure is its multi-platform compatibility. Any Java-enabled device can access the same cloud to obtain a browsing session. Computers, cell phones, television sets and other devices can connect to the system with similar steps. This makes it much easier and cheaper to build and maintain a network intended to provide a multi-platform service. The simplicity of the VNC protocol helps in that sense too, because the main processing load is assigned to the server, making it easy to implement different clients for a wide range of interactive devices.

The first risk to care about is the authenticity of the application. The download and use of a fake application by the user could have serious consequences. But as previously described, MHP provides mechanisms to certify the authenticity and integrity of the application through digital signature systems. Source code and application resources must be signed by the issuing entity using a specific private key for signing applications. Prior to connection with the server, this signature must be verified. The client application uses an HTTPS request to ask a connection manager for one of the cloud nodes to connect to; that node instantiates a temporary minimal virtual machine that automatically launches a VNC server and the secured web browser in kiosk mode, these applications being the only ones available (Figure 1).

Figure 1: Connection processes.

Communication between client and server takes place through the secure VNC protocol. This protocol only transmits keyboard and mouse events from client to server, and the server screen buffer in the opposite direction. To prevent interception of the communication channels (man-in-the-middle attacks and other vulnerabilities), all communications are encrypted using the HTTPS/SSL protocol.

3.1.2 How it works

To achieve a better understanding of the application's operation, we will detail the processes performed in the particular case it was intended for: a connection to an e-banking account. However, the same application can be used for other systems, with minor adaptations. In a first step, the user downloads the launcher application. This application is responsible for obtaining the virtual machine instance the VNC client will connect to. When the launcher application is loaded, it asks the user for identification. This identification could be achieved by inserting a smart card with a PKI personal certificate into the ITV receiver's card reader, or even by means of simpler mechanisms like a user identifier and password. Once the user is identified, the launcher connects to a “connection administrator” that orders the new instance of a virtual machine and provides the VNC client for download (possibly through the return channel) with the correct configuration settings. After downloading the client, the application source code is verified using the issuing entity's certificate. In case of failure, the process does not continue. As the client application is downloaded and verified before each connection, the risk of impersonation by a counterfeit client becomes extremely low. Once connected to the server, the application authenticates it using the TLS mechanisms described above. After this, the cloud server uses the Client Provision Interface to redirect the connection to a node of the cloud computing infrastructure. Then the server instantiates a temporary minimal virtual machine on that node. This virtual instance automatically launches a VNC server as well as the secured web browser in kiosk mode. The browser is connected by default to the bank web application. When this process ends, the user is allowed to operate in that outsourced environment. As the configuration of the environment is completely restricted, and the browser works in a closed kiosk mode that does not allow navigating to websites other than the bank's, malicious use of the system becomes a very challenging task, reducing attack risks dramatically. When the user finishes operating, the connection administrator module closes the session and the virtual machine is destroyed without storing any sensitive data.
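The verification step above (client code and resources signed by the issuing entity with its private key, checked against the issuer's certificate before any connection is made), as an added example that is not from the paper or the MHP specification: it uses a simplified single-signature manifest instead of MHP's own hash and signature file layout, a freshly generated RSA key pair stands in for the issuer's signing key and broadcast certificate, and the file names and contents are constructed sample data. `main` signs the package, verifies it, then shows that a rewritten `vnc.cfg` fails verification under the original signature.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import java.util.TreeMap;

/** Signs the downloaded client (code plus resources) as one unit and verifies it before use. */
public final class SignedXletVerifier {

    // The MHP profile cited above lists RSA with SHA-1; SHA-256 is used here and
    // should be preferred wherever the receiver supports it.
    static final String ALGORITHM = "SHA256withRSA";

    // Canonical byte stream over every file: paths sorted, each path and content
    // length-prefixed. Renaming, adding, dropping or editing any file, including
    // the VNC configuration, changes the bytes that were signed.
    static byte[] canonicalBytes(Map<String, byte[]> files) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (Map.Entry<String, byte[]> e : new TreeMap<String, byte[]>(files).entrySet()) {
            byte[] path = e.getKey().getBytes(StandardCharsets.UTF_8);
            out.writeInt(path.length);
            out.write(path);
            out.writeInt(e.getValue().length);
            out.write(e.getValue());
        }
        out.flush();
        return buf.toByteArray();
    }

    /** Issuing entity side: sign the package with its private signing key. */
    static byte[] sign(Map<String, byte[]> files, PrivateKey issuerKey)
            throws GeneralSecurityException, IOException {
        Signature sig = Signature.getInstance(ALGORITHM);
        sig.initSign(issuerKey);
        sig.update(canonicalBytes(files));
        return sig.sign();
    }

    // Receiver side, run before the VNC client is started. The public key comes
    // from the issuing entity's certificate; any exception counts as failure.
    static boolean verify(Map<String, byte[]> files, byte[] signature, PublicKey issuerKey) {
        try {
            Signature sig = Signature.getInstance(ALGORITHM);
            sig.initVerify(issuerKey);
            sig.update(canonicalBytes(files));
            return sig.verify(signature);
        } catch (GeneralSecurityException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair();   // stands in for the issuing entity's key pair
        Map<String, byte[]> app = new TreeMap<String, byte[]>();   // constructed sample package
        app.put("vncclient/VncXlet.class", "<constructed class bytes>".getBytes(StandardCharsets.UTF_8));
        app.put("vncclient/vnc.cfg", "server=node01.example-bank.test\n".getBytes(StandardCharsets.UTF_8));
        byte[] signature = sign(app, issuer.getPrivate());
        System.out.println("genuine package verifies: " + verify(app, signature, issuer.getPublic()));
        // Same signature, but vnc.cfg rewritten to send the client elsewhere: must fail.
        Map<String, byte[]> altered = new TreeMap<String, byte[]>(app);
        altered.put("vncclient/vnc.cfg", "server=node01.not-the-bank.test\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("altered package verifies: " + verify(altered, signature, issuer.getPublic()));
    }
}
```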

4 RESULTS

Following this new approach, we have developed a thin client that connects remotely to a server through the VNC protocol, for use in virtualised systems. The application is based on the open source applet “UltraVNC”. As we mentioned before, this client has been implemented on the DVB-MHP platform, but the idea is extensible to other ITV middleware. This client is used to request the dynamic creation of a virtual machine, which uses a customised Firefox browser to connect to an adapted version of the website of a savings bank (Figure 2).

Figure 2: Application interface.

4.1.1 Proof of concept

As the first versions of the main parts of the system were released, operation tests were performed. Users were able to perform the same operations as in a direct connection to the bank site. One of the drawbacks of the system is the time necessary to initiate the virtual machine, taking up to 30 seconds to get an operative environment. Ongoing research is being done in order to reduce it. As all the processes related to connection establishment and virtual machine initialisation are transparent to users, they perceive the solution as a standard banking application, unaware that they are really operating through a remote session.

4.1.2 Usability test

As this system is end-user oriented, usability is a key factor for a successful deployment. The first step in creating a user-friendly solution was transforming the user interface into a 10-foot one. A 10-foot user interface is a software GUI designed to be displayed on a large television (or similarly sized screen) with interaction through a regular television-style remote control. "10-foot" refers to the fact that the GUI elements are theoretically large enough to be easily read at a distance of 10 feet (3 m) from the display. To avoid distractions and to be clearer, 10-foot UIs also tend to be very simple and usually only have the minimum core buttons [10]. Once the application was built, a usability test was performed on it. It presents some usability problems derived from the differences between a computer (the device the VNC protocol was designed for) and a TV. Intensive work is being done in this direction.

5 CONCLUSIONS

Systems based on cloud computing architectures are by now a good option for secure and reliable solutions in a high-security environment, making it possible to perform transactions safely, even if the user connects through an infected host. There are also enough open source tools to cover all the components needed, decreasing the cost of deployment. To make it simpler, the hosting and management of the cloud computing network can be sub-contracted to a specialised company and accessed through web services. The contracted company will then be responsible for the security of the infrastructure. The simplicity of the environment helps us to achieve great levels of usability, and the interface is very similar to the on-line banking solutions people are used to, making it unnecessary for them to learn new, complicated procedures to perform their usual operations. In fact, the company website does not need to be changed in any way. Monitoring activity is also much simpler with these solutions, as the main processes are hosted on the server side. Another great advantage is the potential to become a multi-platform solution, possibly available to a wide range of electronic devices at a small development cost. However, infrastructure is needed to build the system, and we need to guarantee server security strongly to make the solution reliable. As an added drawback, performing sensitive operations in a remote environment can make customers worry about the confidentiality of their private data. Companies applying this solution need to be very concerned about this fact, especially if an external company hosts the cloud computing network.

As these solutions are still at an early stage, further research and development will probably be performed in the near future. As compromising the confidentiality of user data processed inside the cloud is probably the biggest disadvantage of an outsourced virtualisation architecture, further research in that direction should be performed.

6 ACKNOWLEDGEMENTS

The RAFFI project (Research against financial fraud through Internet) is a project developed by a consortium of companies and universities from Barcelona. It focuses on researching new and more secure ways of operating in online banking applications, through strong authentication mechanisms, enhanced web application protection and user behaviour analysis valid for a wide range of interactive devices (STBs, phones, PDAs, ...). This project is partially funded by ACC1Ó and European FEDER funds.

References

[1] M. Armbrust, Above the Clouds: A Berkeley View of Cloud Computing, 2009.
[2] MHP Foundation, DVB-MHP Fact Sheet, 2009.
[3] J. Luo, Home Network Application Security (MHP), 2002.
[4] V. Ravi, Advances in Banking Technology and Management. Information Science Reference, 2008.
[5] T. Richardson, Virtual Network Computing. IEEE Internet Computing, vol. 2, no. 1, 1998.
[6] N. Tolia, Quantifying Interactive User Experience on Thin Clients. IEEE Computer Society, vol. 39, no. 3, 2006.
[7] E. Rescorla, HTTP Over TLS, Internet Engineering Task Force, May 2000.
[8] T. Gandy, “Banking in e-space”, The Banker, 145 (838), pages 7476, 1995.
[9] A. Vats, Your TV as Your Bank, pdf, 2007.
[10] J. Steed, Introduction and Interface Design Guidelines to the 10-Foot Experience for Windows Game Developers.
