Security for Emerging Ubiquitous Networks - Semantic Scholar

Download PDF
14 downloads 215474 Views 542KB Size Report
Comment
for users of the network applications and services in Ambient. Networks [1], [2]. I. INTRODUCTION. Ubiquitous networking [3], [4], [5] represents the avail-.
Security for Emerging Ubiquitous Networks Chan Yeob Yeun

Eng Keong Lua and Jon Crowcroft

LG Eletronics Inc. Mobile Handset R&D Center 219-24, Kasan-dong, Kumchon-gu Seoul, 153-801, South Korea Email: [email protected]

University of Cambridge, Computer Laboratory William Gates Building, 15 JJ Thomson Avenue Cambridge CB3 0FD, United Kingdom Email: [email protected] [email protected]

Abstract— Emerging ubiquitous networks will enable interactions between various types of device, in both wired and wireless networks, and among Peer-to-Peer (P2P) overlay networks. Dynamic, heterogeneous and distributed P2P overlay networks will help to create new ubiquitous services, through the convergence of communication technologies and highly adaptive reconfigurable devices. In this paper, we will give an overview of the evolution of ubiquitous networks, its security architectures and challenges. We describe our proposal of a practical security protocol model for ubiquitous networks which is computationally fast and requires low memory resources. Our technique combines both network authentication technique based on symmetric keys and single sign-on mechanisms. In our security protocol model, there are three stages of securing user and application access in ubiquitous networks: Authentication, Access Control and Key Negotiation. Our proposal is also able to fully satisfy the security requirements for users of the network applications and services in Ambient Networks [1], [2].

challenges in Section II and preview its security characteristics in Section III. Then, we proceed to illustrate the secure heterogeneous environments for ubiquitous networking and describe our proposed security protocol model for ubiquitous networks in Section IV. Section V provides an evaluation of our security protocol model and Section VI concludes by highlighting the on-going potential areas of future research on security protocol model for ubiquitous networks. II. S ECURITY C HALLENGES IN U BIQUITOUS N ETWORKS Basically, the security requirements of ubiquitous networks consist of two categories: General and Specific. A. General Security •

I. I NTRODUCTION Ubiquitous networking [3], [4], [5] represents the availability of pervasive computing and communication resources. Similar to Ambient Networks [1], [2] that are based on All-IP for emerging 4G systems, ubiquitous networks consist of multiple networks from different network operators with differing access technologies. This leads to the trends of increasing ubiquitous network communications as the users have the freedom to choose the access technologies, applications and services. They are also the methods of enhancing the usage of mobile devices and computers, by making them available throughout the physical environment, and effectively invisible to the users. Due to the dynamism of ubiquitous communications, there exist numerous threats, for example, a hacker can gain control of users’ devices, eavesdropping of communications channels, modification of sensitive m-commerce transactions, Denial of Service (DoS), transaction of services or goods in other party’s identities, etc. Therefore, one must not only provide the safeguards and counter-measures from these threats but also to develop ubiquitous security applications in an increasingly interconnected ubiquitous networks, where there is continuous, seamless use of wireless networking and broadband technologies. In addition, secure communications with anyone, any organizations, anytime, anywhere, using any networks and any devices (A6) have to be accomplished. In this paper, we firstly attempt to understand the security issues in ubiquitous networks by identifying the security







Confidentiality and Integrity. This is a service to ensure authorized access of information. Ubiquitous network management information needs to be protected in storage and during transmission. One such protection is through password. Other protection could be done through the use of a cryptographic hash of a file’s contents as the key during the storing and retrieval of the file. Authentication. This is the most important of all security services, as it allows one entity to verify the identity of another entity. Mutual authentication is required in the ubiquitous networks. Thus, we require mutual authentication protocols to prevent man-in-the-middle for User-to-Device (U2D), Device-to-Device (D2D), Deviceto-Network (D2N), and User-to-Service-Provider (U2S) authentications. Authorization. This is the process of giving a ubiquitous network device the permission to execute tasks and assign user’s access rights on that device. For ’home’ devices, ubiquitous network environment authorization corresponds to the user’s access rights on particular devices. For ’foreign’ devices, the owner of the device delegates certain access rights to foreign users who will need to pay for the use of these foreign devices in most cases. Non-repudiation. This is a service that prevents an entity from denying previous commitments or actions.

B. Specific Security •

Interoperability with local security solutions. Ubiquitous networks comprise of devices in different security









domains. Each domain has the local security solutions but it is doubtful that they will be well matched with security solutions in other domains and at the ubiquitous network level. Since these local security solutions are very difficult to be altered, the security for ubiquitous network architecture needs to be compatible with existing local security solutions. Availability of Ubiquitous Network Management Functions. Ubiquitous networking is a very dynamic selfadapting environment with devices joining and leaving the networks. If a device behaved as a gateway to a subnetwork, it will affect the entire subnetwork when it leaves. As the ubiquitous network environment requires to be in proper operation despite these dynamic changes, Ubiquitous Device Management (UDM) function to maintain such operation need to be globally available. Protection, revocation, and renewal of credentials. Ubiquitous network user’s credentials exist at different layers. For example, these credentials can exist at the link layer for wired and wireless communications, and IP (and IPSec) at the network layer. At the transport layer, SSL/TLS security protocols could be embedded. The ubiquitous network user credentials also exist at the ubiquitous network overlays, above the transport layer, but below the application layer (middleware layer where the user services run). Of course, all these credentials need to be adequately protected, and protocols put in place for their revocation and renewal. In addition, we have to bear in mind that, depending on the technology, the end points of the security associations may differ. Different security protocols exist in the different subnetworks of the ubiquitous network infrastructure; uniform protocols are required at the ubiquitous network level. These protocols unify the existing solutions of a heterogeneous and dynamic environment. Delegation. Ubiquitous networking has environments that engage numerous devices and services running on these devices on behalf of the ubiquitous network users. Because of the self-adapting characteristics of the ubiquitous networking, a service could change the device or the entire subnetwork where it is running, for example, a device moves from a car network environment into the home network environment. It is very much complicated for the ubiquitous network users to authorize all these changes and therefore it is necessary that the users delegate their rights to a management function acting on their behalf by using mobile agents [6]. Platform protection. A major motivation behind the development of the ubiquitous networking is the ability to download applications securely to the ubiquitous network devices [6], [7] and allowing the ubiquitous network devices to be reconfigured in a secured manner. Since the goal of the ubiquitous network devices is to give access to a vast variety of services, if restrictions are not placed on the source of downloaded applications, then there is a risk





that malicious applications may reconfigure a device in an unauthorized manner. Therefore, it is important to provide some form of Secure Mobile Execution Environment (SMExE) to protect the platform from such attacks. Single sign-on. Ubiquitous networks interoperate with other existing environments, each of which has a specific authentication infrastructure in place. Since the users need to authenticate different devices, networks, and services, all acting in different roles, it is necessary to implement a single sign-on solution. This will allow users to authenticate only once to initiate ubiquitous networks seamless operations in all network domains. This allows the ubiquitous network users can leave and join the ubiquitous networks without any interruptions. Content Protection. Significant driving force behind the development of the ubiquitous networking is the capability to deliver new services to the ubiquitous network users. We envisaged that a considerable number of these services will engage the provisioning and delivering of next-generation DMB mobile content to end users. As the digital nature of such digital content allows perfect copies to be made, content providers are naturally concerned that their copyright is protected. For ubiquitous network environments to fully exploit the potential access to DMB mobile content, some forms of Digital Rights Management (DRM) system will be required to be implemented in ubiquitous network devices. III. S ECURITY C HARACTERISTICS O F U BIQUITOUS N ETWORKS

There exist numerous threats that are difficult to track and secure in ubiquitous networks, for example, a hacker gaining control of users’ devices, eavesdropping of communication channels, modification of sensitive m-commerce transactions, DoS, transaction of services or goods in other identities, etc. in differing and seamless network environment. Thus, ubiquitous network infrastructure will require the provision of certain degree of security between participating user devices. A. Heterogeneous Characteristics One of the most important objectives of ubiquitous network infrastructure is to allow interconnection of wired and wireless networks, so that services and applications are accessible in any networks. Attack by malicious nodes in any networks can happen. An example of such attacks is the DoS attack, which corrupts application-level communications by giving erroneous response to request and mis-route of traffic. Therefore, the challenge is to prevent DoS attacks by incorporating appropriate security protocols and managing credentials in a manner that end-to-end security is achieved from the user’s perspective, as unobtrusively as possible. B. Dynamic and Self-Organizing Characteristics A major motivation for ubiquity is to allow ubiquitous network users to obtain a vast variety of services from a wide choice of service providers. Thus, there exist many services

that could be supplied on demand, with security policies enforced. These services could be utilized by a variety of different ubiquitous network users’ devices. Thus, Quality of Service (QoS) levels that are available to ubiquitous network users will depend on locations and the processing resources available at a certain specific time. As ubiquitous network users travel from one network to another networks, security must be reconfigured dynamically because ubiquitous network users’ network environment may change when they join, leave or rejoin the networks. Moreover, the security threats imposed by one network differ from another network. Thus, due to this dynamism, ubiquitous network users’ devices will require computationally fast authentication and authorization security protocol to be devised, as they join, leave and rejoin the ubiquitous network.

Office Area

Shopping Area

Home Area

Mobility Area

Fig. 1.

C. Privacy and Trust Characteristics Different degrees of trust may be required for different users and their devices to access services in ubiquitous networks. These will be reflected in the ubiquitous network record and resources to determine whether the users and their devices are authorized to access. Applications implemented must be trusted to operate correctly and have full privileges to access the network and devices’ resources. Trust models that are based on real world and social properties to identify trustworthy entities and develop capability to reason about trust [8] is required in ubiquitous networks. Thus, security architecture for ubiquitous network environment should be designed to allow safe execution of trusted applications in a real world and social scenario. In addition to trusted environment, a robust reputation system [9] is required for mis-behavior detection for ubiquitous network environment.

Ubiquitous Networks

The basic concept of the ubiquitous networking is regarded to be founded on the belief that future ubiquitous telecommunications systems will allow heterogeneous wired and wireless access to a vast range of services. As a result, many collaboration networks are created, such as the Mobile Ad hoc P2P (MAP2P) network, which form self-organizing P2P infrastructures [13], [14]. According to [3], [4], the ubiquitous network associates with multiple user devices accessing multiple services through different networks. This situation resembles the IST WSI Project concept of a MultiSphere [15] where the user has access to many different user devices interlinked by a number of gateways.

IV. T HE S ECURITY P ROTOCOL M ODEL F OR U BIQUITOUS N ETWORKS A. Ubiquitous Society With the current usage of 3G communications systems [10], [11] and WiFi, it is obvious that future mobile devices will require access to an increasing number of services. The immense potential exists to provide these services to a variety of ubiquitous computing devices using a range of communications technologies. Some of these devices could be linked to form Wireless Personal Area Networks (WPANs) [12], allowing the users to have access to home, car, and office networks, as illustrated in Figure 1. Considering wireless personal networking concept, we could envision an infrastructure to allow interaction between personal devices using a wide range of ubiquitous communications technologies. The availability of Peer-to-Peer (P2P) overlay network environment [13] will also enable wider access to on-demand services, creating overlays of ubiquitous networks. This has obvious benefits to the consumers, the network operators, and the service providers. Thus, there is a need to work towards the development of secure ubiquitous applications and provisioning of secure environment to operate on.

Fig. 2.

Security Environment for Ubiquitous Networks

Ubiquitous networks’ coverage is not inevitably widespread but could take place in islands. This may or may not be interlinked by clusters of cooperating networks. Thus, a specific session may not be seamless but it is established or continued whenever the user is within the coverage of the service delivery mechanisms. These delivery mechanisms could comprise of Digital Multimedia Broadcast (DMB) [16], [17], wireless networks, or personal MAP2P. As shown in Figure 2, the devices grouping in MAP2P are diverse and

originated from different ubiquitous computing environments that users have associated with, namely the office environment (e.g. remote access control and corporate Intranet), the home environment (e.g. home PC, consumer electronics, Set-Top Box (STB) and home gateway), the vehicle environment (e.g. car networks, DMB system and navigation systems), and the personal (WPAN) environment (e.g. mobile devices, Pocket PC and WiFi laptop). For illustration, a user of ubiquitous network could configure easily a home server or STB in the home network to monitor schedules for selecting the movie of choice. When the user is traveling, he is able to receive a message forwarded by the STB about a selected movie will be starting to be screened. The user may receive this message through MMS provided by 3G or IEEE 802.11/802.15 systems. The user could send an instruction to home server/STB to transmit the movie to him via the ubiquitous network infrastructures. Such delivery of service is delivered by differing network infrastructures that are interconnected, so that the user would continue to enjoy the service seamlessly, without any interruptions. To capitalize on this trend described, we could build Structured or Unstructured P2P overlays [13], to create a self-organizing MAP2P substrate. These overlay networks form part of ubiquitous networking infrastructure that are scalable, self-organizing, and fault-tolerant and provide effective load-balancing.

Most U3 mobile devices are small, with limited computational and memory resources. This places stringent constraints on the cryptographic primitives deployed for these devices in ubiquitous networks. Storing and performing operations with long cryptographic keys so as to ensure realistic security will be resource draining. These devices may require its memory shared, by the device operating system and applications in ubiquitous networks. As a result, this leaves the devices with little memory for implementing many of the commonly available cryptographic primitives. Under these constraints, asymmetric cryptography is deemed unfit for use, and symmetric cryptography is a feasible option which uses smaller key size and is orders of magnitude faster. With this computationally fast secured environment, U3 users can easily roam from one ubiquitous network domain to another, and they can join or leave the communication sessions seamlessly with minimal computational resources. Figure 3 illustrates an overview of our model and the algorithmic descriptions. There are three stages of securing ubiquitous network users and application environments in our model which are described as follows: •

B. Description of Security Protocol Model The motivation of our security protocol proposal for Ubiquitous-to-Ubiquitous-User (we term this ”U3”) is that the U3 users and devices, once authenticated in a computationally fast manner, will have seamless and secured access in all roaming network domains as illustrated in sub-section IVA. In other words, a U3 user will be able to securely use one or more ubiquitous network services that are provided by different ubiquitous network servers which are connected over insecure networks. Our security protocol proposal attempts to address the security challenges listed in the section II, except non-repudiation and delegation. We will briefly discuss on the future work to address these challenges in section VI. We assume that all the devices that belong to one particular network domain have been securely bootstrapped with the ubiquitous network server within that network domain [18]. Our security protocol is based on the enhanced version of Kerberos [19] scheme which is based on symmetric key cryptography, and key management can be based on trust relationships [20]. Conceptually, Kerberos is simple with its fundamental atoms: tickets and session keys. For proving of ones’ identity to others, ones must first obtain a ticket [21] from a centralized authority to present. In Kerberos, this authority is known as the Key Distribution Center (KDC), and this service is implemented in each network domain controller. We improve the Kerberos network authentication technique by including time stamp and nonce, which is combined with single sign-on mechanism for all roaming network domains. The advantage of using symmetrical key authentication is computationally fast than asymmetric/public key algorithm.









Authentication stage. U3 users first authenticate themselves to an Authentication Server (AS) (by using single sign-on techniques) that will issue U3 users with a temporary permit to request access to services. This permit is called a Ticket-Granting Ticket (TGT) and is comparable to a passport with a limited duration of validity period (lifetime). Access control stage. Each U3 user uses the TGT in a second stage to receive a service-specific access authorization, for example, it can be used for access to servers S1 , S2 , . . . , SN that offering network services. The TGT verifies that each U3 user is authorized to have access to the service requested and it responds with a Service Granting Ticket (SGT) for servers S1 , S2 , . . . , SN . Key negotiation stage. The AS generates a session key for communication between U3 users and Ticket Granting Server (TGS). The TGS generates a corresponding session key for communication between U3 users and the service-specific servers. Step 1: U3 users log into their mobile devices and request access to a particular service. The mobile devices send the first message M 1 with U3’s time stamp TU 3 and nonce NU 3 : M 1 : U 3 → AS : (U 3, T GS, TU 3 , NU 3 ) Step 2: AS verifies in its users’ database that it knows U3 users. From U3 users’ biometrics data (scanned fingerprints, voice and face recognitions implemented together with password protection), where they are also stored in the users’ database, a symmetric key KU 3 is then generated. It then extracts the identities such as IP address and MAC address of U3 users’ devices (IDU 3 ) from the U3’s protocol data unit received. AS then creates a ticket T icketT GS and a session key KU 3,T GS , and sends the second message M 2 to U3:

Fig. 3.







Overview of Proposed Security Model in Ubiquitous Networks

M 2 : AS → U 3 : EKU 3 (KU 3,T GS , T GS, NU 3 , TAS , LT GS ), T icketT GS where EK is encryption by using a symmetric key K, Kx means x’s secret key, Kx,y means a session key for x and y and L is Lifetime (validity period) of T icketT GS which is defined as follows: T icketT GS = EAS,T GS (KU 3,T GS , U 3, IDU 3 , T GS, TAS , LT GS ) Step 3: Upon receipt of M 2, the mobile devices or devices request U3 users to enter biometric data together with their passwords. These are used to compute symmetric key KU 3 so that the mobile devices can decrypt the message. If any of the U3 users did not enter the correct passwords, the key KU 3 will not be computed correctly and consequently it will fail. Finally, U3 users generate an Authenticator and send it together with their T GT and the name of desired server S1 , S2 , . . . , SN to T GS: M 3 : U 3 → T GS : (S3 , T icketT GS , AuthenticatorU 3,T GS ) where AuthenticatorU 3,T GS = 0 0 EKU 3,T GS (U 3, IDU 3 , TU 3 ), and TU 3 is time stamp generated by U3 and same mobile terminal at that particular time instance. Step 4: After T GS decrypted T icketT GS , it then obtains a session key KU 3,T GS and uses it to decrypt AuthenticatorU 3,T GS . Following on, T GS verifies the name and time stamp. If these procedures were successful, then U3 users will be granted access rights to the server (e.g. S3 ). A time stamp of TT GS , a session key KU 3,S3 and a ticket T icketS3 are generated for access to server S3 . T GS sends the following message M 4 to U3 users: M 4 : T GS → U 3 : EKU 3,T GS (KU 3,S3 , S3 , TT GS ), T icketS3 where T icketS3 = EKT GS,S3 (KU 3,S3 , U 3, IDU 3 , S3 , TAS , LS3 ) Step 5: U3 users decrypt M 4 and obtain a session key for secure communication with server S3 . U3 users generate new Authenticator and send it together with U3 users’

ticket to S3 as follows: M 5 : U 3 → S3 : (T icketS3 , AuthenticatorU 3,S3 ) 0 where AuthenticatorU 3,S3 = EKU 3,S3 (U 3, IDU 3 , TU 3 ) • Step 6: Server S3 decrypts the received ticket using key KT GS,S3 and obtains session key KU 3,S3 . Then, server S3 uses this key to verify the Authenticator and sends message M 6 to U3 users as follows: 0 M 6 : S3 → U 3 : EKU 3,S3 (TU 3 + 1) • Step 7: U3 users then decrypt this message and verify the time stamp incremented by one. If these processes were successful, then U3 users would need to establish secure communications with only server S3 but not with T GS. This basic security protocol is extended for inter-domains authentication in our proposal. Taking an example, U3 users with access to server S3 can also access services in other network domains at different locations (S1 , S2 , . . . , SN ). Figure 4 illustrates the extension proposal of the above basic security protocol for inter-domain communications. Operator AAA Server

Domain 3 M1:Request TGS

AS

M2: TGT, Session Key

M3: Request TGT1 M4: TGT1, Session Key

TGS M8: Service Authenticator

M7: Request to Service

M5: Request SGT

AS

M6: SGT, Session Key

S1

Domain 1 Fig. 4.

TGS

Proposal for Inter-Domain Security in Ubiquitous Networks

Inter-domain authentication requires two T GSes belonging to both network domains to have a path of trust established from one network domain to another domain, and they must have agreed secret keys, such as KT GS3 ,T GS1 for T GS3 and T GS1 in network domain 3 and 1 respectively. To illustrate inter-domain security protocol, local T GS3 for server S3 views the remote T GS1 for server S1 as a remote roaming server and thus T GS3 can issue a ticket for T GS1 . After U3 users obtained a T icketT GS1 for the remote network domain 1, U3 users send a request to the remote T GS1 in remote network domain 1 and T GS1 proceeds to issue U3 users with a T icketS1 for the establishment of secure communication with the requested server S1 , as described in the above algorithm steps. It is vital to note that remote network domain trusts the AS of the local domain as the remote AS do not carry out their own authentication check of the visiting U3 users. Thus, with our proposed security protocol for ubiquitous network access, we could achieve computationally fast and uniform

credentials securely and seamlessly. V. S ECURITY P ROTOCOL E VALUATION Our security protocol model uses symmetric algorithm to secure communications in ubiquitous networks. Such authentication mechanism is computationally fast. The model is able to prevent password guessing techniques by implementing biometrics data (what you are) with password (what you know) protections (note also that the biometric should be done in live test condition, otherwise there exist possible attacks due to the problem of human failures that was discussed by Ross Anderson in his book [22]). We improve the enhanced Kerberos scheme by including a time stamp and nonce, and combine with single sign-on mechanism. The nonce and time stamp are introduced for the freshness of the message in the ubiquitous network environment. This will prevent a replay attack. Due to the possibility that the time stamp requires synchronized clocks for communication between both ends, we have to introduce an additional counter measure, i.e. a nonce. In addition, our proposed security protocol model prevents passive and active attackers who impersonate other identities when accessing ubiquitous services in the different network domains, through the use of tickets and session keys to confer identity ownership. This proposed inter-domain security protocol can be easily implemented in the existing Authentication, Authorization and Accounting (AAA) servers and Authentication Dial-In User Service (RADIUS) provided by existing mobile operators’ network infrastructure, allowing access to differing ubiquitous network services in these network domains. The vision of Ambient Intelligence, developed by IST EU 6th Framework Program (FP6) research effort [1], within the Wireless World Initiative (WWI) [2], has the major goals of defining an affordable and computationally fast 4G ubiquitous networks that opens up ways to securely communicate with others. Within this framework, the Ambient Networks are based on all-IP based 4G networks and also adopted IPv6. In addition, All-IP based 4G networks can use Ambient Networking Services easily. It is geared towards supporting multimedia traffic, total mobility in ubiquitous networks, and a variety of wireless access technologies. Ambient Networks also aim to provide a domain-structured, peer-to-peer view for the network control so that it is expected to accommodate the heterogeneity arising from the different network control technologies. It is designed to appear to be homogenous to the users of the network applications and services. Hence, our proposed security protocol model for ubiquitous networks is also able to fully satisfy the security requirements of Ambient Networks that we described here. VI. C ONCLUSION AND F UTURE W ORK Emerging ubiquitous communication systems will enable interaction between increasingly diverse ranges of devices that are Internet-enabled and based on All-IP configurations. This will allow ubiquitous services using a combination of different

communication technologies in various network domains. Dynamic, heterogeneous and distributed networks will create new opportunities, through the convergence of communications technologies and creation of highly adaptive re-configurable devices. Increased mobility results in interesting new security challenges. In this paper, we have discussed various security characteristics and challenges for ubiquitous networks and attempt to define a seamless security protocol model based on single sign-on mechanism and computationally fast network authentication technique. The objective of the our security work for ubiquitous networks is to define a global and seamless security architecture which addresses these security requirements for ubiquitous networks (with different access technologies in various network domains). We have achieved this objective in our proposal. However, this security protocol model requires further improvements and enhancements, which would involve addressing delegation and revocation issues in access control rights through the use of security policy primitives. For services (e.g. non-repudiation and key escrow) requiring public key cryptography, deployment of asymmetric encryption techniques such as digital signatures in ubiquitous networks requires a significant amount of computing resources and it is infeasible or uneconomical to implement such mutual authentication services between mobile devices in ubiquitous networks. Unlike symmetric/secret key cryptography that inherits shared secret keys problems such as it is difficult to get started (Alice needs to go to see Bob before she can send him a secret message), hard to scale (If Alice wants to send a message to Carol, she has to start over with a new secret) and an oxymoron (If Alice and Bob both have the secret key, Alice has to trust Bob completely), asymmetric/public key cryptography has the advantage of no shared secret keys. It is therefore a research challenge to develop hybrid and lightweight asymmetric and symmetric key techniques for ubiquitous network environment, i.e. asymmetric key cryptography to solve the key distribution problem and then symmetric key cryptography to encrypt bulk data. Lightweight asymmetric techniques such as ID-based crypto-systems [23], [24], [25] could provide intelligent facilities for securing applications in inter-domain network environments, as well as securing military applications. ID-based systems require no explicit public key available and the key is constructed from public available information. It is an asymmetric system where unique name plays the role of the public key. These characteristics of ID-based techniques make it very suitable for the global ubiquitous network security architecture. These research work are still on-going as we continue to strive to develop feasible security infrastructure for ubiquitous networks. R EFERENCES [1] “Ambient networks project,” http://www.ambient-networks.org/. [Online]. Available: http://www.ambient-networks.org/ [2] “Wireless world initiative,” http://www.wireless-world-initiative.org/. [Online]. Available: http://www.wireless-world-initiative.org/

[3] M. Satyanarayanan, “Pervasive computing: Vision and challenges,” in Proceedings of the IEEE Personal Communications, August 2001. [4] M. Weiser, “The computer for the twenty-first century,” Scientific American, pp. 94–104, September 1991. [5] F. Stajano, Security for Ubiquitous Computing. John Wiley and Sons Inc., February 2002. [6] C. Yeun, G. Kalogridis, and G. Clemo, “Secure mobile delegation for future reconfigurable terminals and applications,” in Proceedings of the Software Defined Radio Technical Conference (SDR’02), San Diego, California, USA, November 2002. [7] C. Yeun and T. Farnham, “Secure software download for programmable mobile user equipment,” in Proceedings of the 3G Mobile Communication Technologies, at the 3rd IEE International Conference, London, UK, May 2002, pp. 505–510. [8] A. Abdul-Rahman and S. Hailes, “Supporting trust in virtual communities,” in Proceedings of the IEEE Hawaii International Conference on System Sciences 33. IEEE, 4-7 January 2000. [9] S. Buchegger and J. Y. L. Boudec, “A robust reputation system for peerto-peer and mobile ad-hoc networks,” in Proceedings of the P2PEcon 2004, June 2004. [10] “3rd generation partnership project (3gpp),” http://www.3gpp.org/. [Online]. Available: http://www.3gpp.org/ [11] “Introduction to 3G,” http://www.3g.co.uk/AllAbout3G.htm. [Online]. Available: http://www.3g.co.uk/AllAbout3G.htm [12] “IEEE 802.15 Working Group for WPAN,” http://grouper.ieee.org/groups/802/15/. [Online]. Available: http: //grouper.ieee.org/groups/802/15/ [13] E. K. Lua, J. Crowcroft, M. Pias, R. Sharma, and S. Lim, “A survey and comparison of peer-to-peer network schemes,” IEEE Communications Surveys and Tutorials, vol. 7, no. 2, July 2005. [14] Y. C. Hu, S. M. Das, and H. Pucha, “Exploiting the synergy between peer-to-peer and mobile ad hoc networks,” in Proceedings of the HotOSIX: Ninth Workshop on Hot Topics in Operating Systems. IEEE, 18-21 May 2003. [15] N. Niebert, “Results of the think tank work 2000 - the issues,” http://www.ist-wsi.org/N Niebert.pdf. [Online]. Available: http://www. ist-wsi.org/N Niebert.pdf [16] G. Lee, S. Cho, K.-T. Yang, Y. K. Hahm, and S. I. Lee, “Development of terrestrial dmb transmission system based on eureka-147 dab system,” IEEE Transactions on Consumer Electronics, vol. 51, no. 1, pp. 63 – 68, February 2005. [17] K. Fazel, S. Aign, A. Romanowski, and M. Ruf, “Mobile multimedia services via dab: Dmb,” in Proceedings of the IEEE Global Telecommunications Conference 1997 (GLOBECOM ’97), 3 - 8 November 1997, pp. 1312 – 1317. [18] F. Stajano and R. Anderson, “The resurrecting duckling: Security issues in ad-hoc wireless networks,” in Proceedings of the 3rd AT&T Software Symposium, Middletown, NJ, USA, October 1999, pp. 505–510. [19] J. Kohl and C. Neuman, “The kerberos network authentication service,” Network Working Group Request for Comments: 1510, Tech. Rep., September 1993. [20] L. Kagal, T. Finin, and A. Joshi, “Trust-based security in pervasive computing environments,” IEEE Computer, vol. 24, no. 12, pp. 154 – 157, December 2001. [21] B. Patel and J. Crowcroft, “Ticket based service access for the mobile user,” in MobiCom ’97: Proceedings of the 3rd annual ACM/IEEE international conference on Mobile computing and networking. New York, NY, USA: ACM Press, 1997, pp. 223–233. [22] R. Anderson, Security Engineering: A guide to building dependable distributed systems. John Willey and Sons Inc., April 2001. [23] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of the Cryptology 1984, vol. 196, 1984, pp. 47–53. [24] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Proceedings of the Cryptology 2001, vol. 2139, 2001, pp. 213–229. [25] C. Cocks, “An identity based encryption scheme based in quadratic residues,” in Proceedings of the Cryptography and Coding 2001, vol. 2260, 2001, pp. 360–363.

ACKNOWLEDGMENT The authors would like to thank the reviewers for their comments and feedback.