Conservation of Mobile Data and Usability Constraints
ZERO INTERACTION AUTHENTICATION (ZIA)
Zero Interaction Authentication, or ZIA, is a cryptography file system that can deal with this type of transient authentication (Corner, 2002).
ZIA is a system that allows an owner of a laptop to authenticate to the laptop with no actual effort on the user’s part (hence the name Zero-Interaction Authentication). The threat model addressed by ZIA is essentially physical theft of the laptop while
the legitimate user is still authenticated: since the laptop wouldn’t know the difference between the attacker and the real user, the attacker could obtain the user’s data. One solution to this is to require the user to re-authenticate frequently. Unfortunately, many users find this annoying, and as a result, may disable security features, leaving them vulnerable to attack. ZIA attempts to find a “happy medium”
between security and convenience by letting the user authenticate without having to do anything.
The basic idea of ZIA is as follows. All on-disk files are encrypted, but for performance reasons, cached files are not. The user has a token in the form of a wearable device. The laptop has a set of keys for encrypting the contents of its file system, and for each of these keys, the token contains a key-encrypting key that is used to store the corresponding key on the laptop in encrypted form. The laptop polls the token periodically to determine if the user is present. When the token is near the laptop, the keys and file cache on the Figure 5. Polling, laptop-mobile phone
Figure 6. Declaring the absence of user after three ‘present check’ message(s) without acknowledgements
laptop can stay decrypted and the laptop is usable.
If the laptop detects that the token is not near, it assumes that the user has left, flushes its cached keys, and re-encrypts everything. This prevents an attacker who gains physical possession of the laptop from obtaining any data. When the user returns, the laptop fetches keys and decrypts the file cache, returning to the state it was in when the user left.
Wireless Link Security
The authentication system preserves against exploitation of Bluetooth wireless link between the mobile computing device and the Bluetooth security token. It protects against observation, modification, and insertion of messages. The system provides confidentiality for messages that exchanged between the mobile computing device and the Bluetooth security token by encrypting it using the symmetric session key that has been created in both side and the AES algorithm.
Because the system uses the encrypted chal-lenge as the primary numbers in the process of creation the session key, it supports against man-in-the-middle attack (also called bucket brigade attack), which works against Diffie-Hellman key exchange algorithm, causing it to fail.
This system implemented through the Java APIs for Bluetooth, which support secure client and server connections. The Bluetooth security token (server) connection specified as secure before the connection is established using a con-nection URL that specifies the security parameters.
CONCLUSION
The use of mobile computing devices provides flexibility and enhanced communications that al-low more productivity. However, the use of these devices poses risks to mobile and fixed resources.
Therefore, additional security measures must be implemented to mitigate increased security risks
presented by mobile computing This chapter discuss threat and risks of mobile computing and explore the cyber security standardization extracts considering mobile computing security;
furthermore, the chapter discuss the transient authentication mechanism to consider usability constraint.
REFERENCES
Chen, L., Pearson, S., & Vamvakas, A. (2000).
On enhancing biometric authentication with data protection. Fourth International Conference on Knowledge –Based Intelligent Engineering System and Allied Technologies, Brighton, UK.
Clark, A. (1990). Do you really know who is using your system?Technology of Software Protection Specialist Group.
Corner, M. D., & Noble, B. D. (2002). Zero inter-action authentication. In Proceeding of the ACM International Conference on Mobile Computing and Communications (MOBICOM’02), Atlanta, Georgia, USA.
Corner, M. D., & Noble, B. D. (2002). Protect-ing applications with transient authentication.
MOBICOM’02, Atlanta, Georgia, USA.
Evans, A., & Kantrowitz, W. (1994). A user au-thentication schema not requiring secrecy in the computer. ACM Annual Conf. M.I.T. Lincoln Laboratory and Edwin Weiss Boston University.
Hardjono, T., & Seberry, J. (2002). Information security issues in mobile computing. Australia.
Intel. (2002). Biometric user authentication fingerprint sensor product evaluation summary.
ISSP-22-0410. (2004). Policy draft: Mobile com-puting. Overseas Private Investment Corporation.
Kahate, A. (2003). Cryptography and network security (1st ed.). Tata, India: McGraw-Hill Company.
National Institute of Standards and Technology.
(2009). Special publications 800-114, 800-124.
National Institute of Standards and Technology (NIST). (2009). Special publication 800-53, revi-sion 3: Recommended security controls for federal information systems and organizations.
Negin, M., Chemielewski, T. A. Jr, Salgancoff, M., Camus, T., Chan, U. M., Venetaner, P. L., &
Zhang, G. (2000, February). An iris biometric system for pubic and personal use. IEEE Com-puter, 33(2), 70–75.
Noble, B. D., & Corner, M. D. (September 2002).
The case for transient authentication. In Proceed-ing of 10th ACM SIGOPS European Workshop, Saint-Emillion, France.
Sharp, R. I. (2004). User authentication. Technical University of Denmark.
University of Central Florida. (2007). Security of mobile computing, data storage, and communica-tion devices. University of Central Florida.
Ward, R. (2008). Laptop and mobile computing security policy. Devon PCT NHS.
KEY TERMS AND DEFINITIONS
Access Control: is a mechanism that limits availability of information or information-pro-cessing resources only to authorized persons or applications.
Authentication: is a process of verifying identity of an individual, device, or process.
Mobile Communication Device: Cellular telephones, smart phones, and mobile computing devices equipped with wireless or wired com-munication capability.
Mobile Computing Device: a mobile comput-ing device is any Portable device that is capable of storing and processing information with infor-mation storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones), and is intended to be used outside of an organization office.
Mobile Data: Data that are stored in a mobile computing/storage device and are considered sensitive, as defined in data classification and protection policy.
Mobile Storage Device: is any device that is capable of storing but not processing information and is intended to be used outside of an organiza-tion office.