A Security Framework for Mobile Network based on Security Services ...

A Security Framework for Mobile Network based on Security Services and Trusted Terminals

Xue Ming-fu, Research Center of Information Security, College of Information Science and Engineering, Southeast University, Nanjing, P.R. China, [email protected]

Hu Ai-qun, Research Center of Information Security, College of Information Science and Engineering, Southeast University, Nanjing, P.R. China, [email protected]

Abstract—As the mobile network migrates to an all-IP network with increasing speed, many new security requirements emerge. We analyze the security threats and requirements of 3GPP/4G mobile networks and discuss various kinds of existing security measures. We argue that merely improving security mechanisms and protocols to protect the security of the air interface is insufficient; mobile network security must also rely on a secure terminal environment. We also analyze the weaknesses of terminal protection by virus scanning, and propose a novel protection scheme for mobile networks based on security services and trusted terminals. By building a trusted computing environment at the mobile terminal, the proposed scheme combines verification of software validity with access control, and checks the validity and integrity of software at the security service provider. Under our scheme, the security provided to the terminals and to the whole network is considerably improved.

Keywords-Mobile network security; Security service; Trusted computing; Access control; Validity and integrity

I. INTRODUCTION

Future mobile wireless networks will undoubtedly migrate to being all-IP based, making these networks more and more open. Protection of sensitive information is therefore challenged by a variety of malicious attacks from an increasing number of directions. Security has become one of the key elements to address in mobile networks. In the literature, research in mobile network security has mainly focused on authentication, encryption algorithms, key management, etc. These elements protect the transport security of information. We also notice that the risk of information security compromise in mobile networks is increasing at the mobile terminal side, as mobile devices are becoming more and more intelligent and providing more functions and services thanks to the advancement of computer technologies. However, not much research has addressed the security problems at the mobile terminal side, such as information leakage caused by poisoning when mobile terminals access the Internet, unintended sending of text messages due to implanted Trojans, and additional spending caused by auto-dialing. These issues are related to application security, and result from an insecure mobile terminal computing environment. If these issues of terminal security are not solved, even the best mechanisms for secure access and the best encryption algorithms cannot effectively protect the information security of mobile networks.

Based on the study of security principles and the corresponding threats of 3GPP/4G mobile communication systems, we analyze and compare a variety of existing security programs. We argue that only improving security mechanisms and protocols for the air interface is not enough, and that mobile network security must also rely on a secure terminal environment. In addition, we indicate the deficiencies of protection by antivirus programs. Based on these observations, we propose a general security protection framework based on security services and trusted terminals, and give a specific application of this framework to mobile networks.

This paper is organized as follows. Previous works related to mobile system security are reviewed in Section II. The weaknesses of terminal protection by virus scanning and our proposal are discussed in Section III. The proposed system is elaborated in Section IV. The paper is concluded in Section V.

II. PREVIOUS WORKS

Studies on the network security of 3G and future 4G mobile communication networks can be divided into two areas. The first is the improvement of security systems and mechanisms, aiming at protecting the security of the air interface and preventing eavesdropping. Works in this area focus on the security analysis and the improvement of algorithms for AKA, the core protocol of the 3G security mechanism. The second area focuses the objective and means of security protection on the terminal, based on the observation that the terminal is the source of security problems. Various terminal security technologies and means to protect the terminal from viruses have been introduced. The second area can itself be divided into two main research topics: anti-virus technologies in mobile terminals, and the development of a trusted computing environment for secure terminals. Both approaches require security services provided by operators, in that the security services provide the reference for the anti-virus programs or for verifying integrity and legitimacy in the trusted computing environment.

This work was supported by the National High-tech R&D Program (863 Program) project (Research of Mobile Terminal Security System, 2009AA01Z427) and the National 115 Program project (Research of Application Technology of Confidential Mobile Officing Wireless Internet Safety, 2008BAH33B03-2).

978-1-4244-6252-0/11/$26.00 ©2011 IEEE

A. On the improvement of security systems and mechanisms

In [1], Al-Muhtadi, Mickunas and Campbell proposed a lightweight reconfigurable security mechanism for 3G/4G mobile devices. In [2], Zhang and Fang proposed an enhancement of the 3GPP Authentication and Key Agreement Protocol, based on their analysis that the 3GPP AKA protocol is vulnerable to a variant of the so-called false base station attack. In [3], Kambourakis, Rouskas and Gritzalis discussed existing problems related to the AKA procedure, such as compromised authentication vector attacks. They indicated how SSL/TLS, which has proved effective in the wired Internet, can be used to overcome these problems. In [4], Deng et al. analyzed the AKA protocol adopted by the 3GPP System Architecture Evolution (SAE) Release 8 standard and indicated its security problems. They focused on several security defects in the protocol, such as exposure of user identity, interception of the authentication vector, the potential threat of shared key K leakage, and the lack of support for data signatures. In [5], Lu et al. investigated the security of the 3GPP AKA protocol and analyzed four types of attacks to which it is vulnerable.

B. On security protection technology based on terminal security

In [6], Zheng et al. proposed a trusted computing-based security architecture for 4G mobile networks. This security framework, based on the Trusted Mobile Platform (TMP) and PKI (Public Key Infrastructure), aims at providing a considerably robust platform for user access to sensitive services and data in the scenario of 4G systems. In [7] and [8], the researchers advocated a terminal security architecture based on trusted computing to achieve consistency between trusted terminals and the trusted network. The authors of [7] also summarized a variety of trusted computing architectures and the progress in terminal security protection, and pointed out the direction for the next step. However, [7] did not address system efficiency and other practical factors, and it also did not mention how to build unified whole-network security.

In short, the above-mentioned two types of technologies are essential to ensuring the information security of mobile networks. The former is focused on protecting the security of the air interface, and the latter is designed to protect the terminal from viruses. Of these two areas, the former has matured, while the latter has become increasingly important due to the recent emergence of viruses in the mobile network. Therefore, this paper mainly focuses on the second area in the development of the proposed mobile network security framework.

III. THE WEAKNESSES OF TERMINAL PROTECTION BY VIRUS SCANNING AND OUR PROPOSAL

As mentioned earlier, there are two approaches to protecting mobile devices against virus attacks. The first is to perform scanning with anti-virus software at the terminal, and the second is to establish a trusted computing environment in the terminal. Whichever approach is used, both require a security service system. The first approach needs a virus database service center in the mobile network, which provides regular or online antivirus service for mobile terminals. The second needs a security service to provide trust checking for the establishment and maintenance of the trusted environment at the terminal.

We argue that maintaining terminal security by antivirus scanning has the following weaknesses.

1. As the mobile terminal has only limited storage, computing power and other hardware and software resources, it may not have the capabilities and resources of a desktop computer to perform anti-virus scanning.

2. Antivirus scanning at the mobile terminal must rely on virus database updates from a remote server, or needs the server to check whether the software in the terminal is malicious, thus occupying the limited memory and communication bandwidth of the mobile terminal.

3. Mobile phones are more widespread than computers, so there are far more users of low-end mobile phones than there are computer users. This leads to a large number of low-end phone users who do not even know how to perform anti-virus scanning.

4. Compared to the trusted terminal approach, which can be realized by secure access control, the anti-virus approach is always a remedial means: by the time it acts, a certain loss must already have been produced.

Due to the weaknesses of the anti-virus approach, we focus on the implementation of terminal security based on the trusted computing environment. It is expected that the credibility of the terminal can defend against attacks from the network. If the terminal is trusted, the terminal's performance will meet the expected requirements. In addition, no unauthorized software can intrude into the terminal. That is, all software programs installed or run in the terminal must be licensed by the security server. Only in this way can a virus on the network be kept from being embedded in mobile devices.

IV. PROPOSED MOBILE NETWORK SECURITY FRAMEWORK

A. The security architecture based on trusted services

We improve the existing mobile network infrastructure in the following ways. First, the Mobile Trusted Module (MTM) is added to the mobile terminal. This module is an independent, secure module with its own computing power, and it can communicate securely with the security service provider (SSP). It can calculate the integrity of all software in the mobile terminal and report it to the SSP. It can also check the legitimacy of software that is to be installed or run on the mobile terminal, i.e., whether the software is authorized by the SSP. If not, the software is prohibited from being installed or run. Second, the mobile network is required to install an SSP. Its main job is to provide legitimacy certification for software in the mobile terminal. Software provided to mobile users by a software provider (SWP) on the Internet must have legal proof from the SSP, that is, a digital certificate issued by the SSP, before it can be installed and used in mobile terminals. The SSP is responsible for the safety of the certified software, so it has to check the validity of the software provided by the SWP before certifying it. Figure 1 shows the security architecture of the mobile network based on trusted services.

Figure 1. Mobile network security system based on trusted services (figure labels: SWP, Internet, Mobile Terminal Embedded System, MTM, Access Network (AN), Secure Service Provider (SSP), Secure Channel)

In Figure 1, the SSP server is directly connected to the access network (AN) server, so that only minor changes to the original system structure are needed. Mobile terminals that have passed access certification are allowed to access the network. The SSP checks the integrity of the mobile terminal. If the integrity of the terminal software is compromised, this indicates that the terminal may have been infected with a virus. The terminal is then denied access to the network, to avoid the spread of the possible virus to other network terminals. If the integrity of the terminal software is not destroyed, the SSP oversees the installation and running of software in the mobile terminal, in order to provide dynamic security services to the mobile terminal.

B. Trusted computing environment in mobile terminals

The key to the effective operation of the protection system based on security services is the design of the trusted computing environment for mobile terminals. We give the mobile terminals two states: START and AFTER START. The trusted environment established in START is called the static trusted environment, while the one established in AFTER START is called the dynamic trusted environment.

Methods to establish static credible codes have been given in many previous research works; here we give only a brief overview. After the mobile device is powered on, it starts from the solidified credible codes in the trusted module. The features of the hardware ensure that these codes cannot be changed. First, the credible codes check whether the system loading code is complete. If it is complete, control of the system is given to the system loading codes. Second, the system loading codes check whether the operating system kernel is complete. If it is complete, the operating system kernel is loaded. Third, the operating system kernel checks the other parts of the operating system. The operating system starts after these checks. Fourth, the integrity of all applications on top is checked. Users can use the terminal after all the applications have been checked. If one link does not pass its check, the previous configuration needs to be reloaded or the system is reinstalled. Through this integrity check, the chain of trust is passed from the trusted code to the operating system, and finally to the application software. The static trusted environment for the whole system is thereby constituted. Figure 2 shows the structure of system resources at startup. Trusted verification codes are attached to the end of the corresponding program, and are responsible for checking the integrity of the next block.

Figure 2. Structure of the system resources for trusted system at startup (figure labels: Program ROM: OS Loading Program with Trusted Verification Program A, OS Kernel Program with Trusted Verification Program B; CPU; MTM; RAM program region: OS Dynamic Service Program 1 ... M, Trusted Application 1 ... N; Check by MTM, Check by Program A, Check by Program B)
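The static chain of trust just described, with each program block carrying an appended verification record for the next block as in Figure 2, modelled as an added example (not the paper's code). SHA-256 stands in for the unspecified digest function, the block contents and the record separator are constructed, and the root digest of the first block is assumed to live in the MTM's read-only code.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed marker separating a program's code from its appended verification record.
SEP = b"\n--TRUSTED-VERIFICATION-RECORD--\n"

# Constructed stand-ins for the program blocks of Figure 2, in boot order.
STAGES: List[bytes] = [
    b"OS loading program v1",
    b"OS kernel program v1",
    b"OS service programs v1",
    b"trusted application 1 v1",
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(stages: List[bytes]) -> List[bytes]:
    """Append to each block the digest of the finished next block.

    Built back to front: block i must embed the final digest of block i+1, which
    already embeds the digest of block i+2, and so on. The last block carries the
    digest of an empty sentinel.
    """
    blocks: List[bytes] = []
    next_digest = sha256(b"")
    for code in reversed(stages):
        block = code + SEP + next_digest
        blocks.insert(0, block)
        next_digest = sha256(block)
    return blocks

def expected_next(block: bytes) -> bytes:
    """Read the digest this block's verification record holds for the next block."""
    return block[block.rindex(SEP) + len(SEP):]

def boot(blocks: List[bytes], root_digest: bytes) -> Optional[int]:
    """Simulate start-up. The MTM's read-only code holds root_digest for block 0;
    every later block is checked against the record of the block that ran before it.
    Returns None when the whole chain passes, otherwise the index of the first block
    that fails (the point at which the paper reloads the previous configuration)."""
    expected = root_digest
    for i, block in enumerate(blocks):
        if not hmac.compare_digest(sha256(block), expected):
            return i
        expected = expected_next(block)   # control passes; this block now checks the next
    return None

if __name__ == "__main__":
    blocks = build_chain(STAGES)
    root = sha256(blocks[0])             # provisioned into the MTM with the image
    print("clean boot:", boot(blocks, root))                 # None
    # A modified kernel no longer matches the loader's record: boot halts at index 1.
    bad = list(blocks)
    bad[1] = b"OS kernel program v1 + trojan" + SEP + expected_next(blocks[1])
    print("modified kernel:", boot(bad, root))               # 1
    # Rewriting the loader's record to match the modified kernel changes the loader
    # block itself, which the MTM's root digest detects: boot halts at index 0.
    bad[0] = STAGES[0] + SEP + sha256(bad[1])
    print("modified loader record:", boot(bad, root))        # 0
```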

From Figure 2, it can be seen that, in order to ensure system security, the OS kernel program and trusted verification program B must not be destroyed after the static trusted chain is established. These two parts need to be protected by the MTM. After the system boots, the kernel program needs to run, and trusted verification program B is used to dynamically check newly started applications or to generate the terminal's integrity information for the SSP.

After the system is running, it relies on the dynamic trusted mechanism to achieve system protection. As the user starts various kinds of applications, the integrity of the system changes dynamically. For example, when the user runs the browser software, the system gains some programs associated with running the browser. It is clear that a change has happened to the system integrity. If the system integrity information cannot be properly updated in a short time, malicious software may take advantage of the loophole. However, calculating the dynamic integrity of the system is bound to consume the system's computing resources. Therefore, how to protect the security of a running system is the difficult problem of trusted computing. We give the requirements in trusted computing as follows.

(1) Calculate the integrity of the programs and regional resources, and report it to the SSP.

(2) Check the legality of a program that is to be installed. The program cannot be installed if it is illegal.

(3) Check the legality of a program that is to be run. The program cannot be run if it is illegal.

(4) The above security mechanism itself must be secure.

(5) The above security mechanism should not significantly affect system efficiency.

The intention of requirement (1) is to check whether the system software or software resources have been modified, so that such modification can be discovered at once. The integrity of a piece of code is usually computed by calculating its digest value and comparing this value with the hash values provided by the SSP. It is also possible to use randomly selected code bits from the piece of code in the calculation of the digest value. When the code is long, the latter method has obvious advantages. When the mobile terminal needs to install or run a program, it not only needs to check the program's integrity but also needs to verify its legitimacy. In requirements (2) and (3), checking the legality of the program means verifying whether there is authorization from the SSP. This verification process is also provided by the SSP. The SSP makes agreements with SWPs, and stores the versions of legitimate software and their digest information in the SSP server. The process shown in Figure 3 describes this validation.

Figure 3. The validation process of integrity and legitimacy of the software by the mobile terminal (figure: the mobile terminal sends the software version information, signed by the MTM, to the SSP; the SSP (1) decrypts the signature signed by the MTM and (2) queries the corresponding digest value, then returns the software version information and digest value under an SSP signature; the terminal obtains the digest value after verifying the SSP signature, computes the digest of the software codes, and allows the operation if the digest values are equal)
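The Figure 3 exchange, together with the MTM-first lookup of Section IV.C, as an added example (not the paper's code). HMAC-SHA256 with pre-shared keys stands in for the MTM and SSP signatures, whose algorithms the paper does not specify; the message layout, key values, software and identifiers are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

DIGEST_LEN = 32   # SHA-256 digest length; the reply is version info followed by the digest

def sign(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 stands in for the MTM/SSP signatures the paper leaves unspecified."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)

class SSP:
    """Security service provider: holds the digest of each software version it certified
    after checking it, and answers signed legitimacy queries from registered terminals."""
    def __init__(self, signing_key: bytes, terminal_keys: Dict[str, bytes]):
        self.signing_key = signing_key
        self.terminal_keys = terminal_keys       # registered terminal id -> MTM key
        self.certified: Dict[str, bytes] = {}    # software version info -> digest

    def certify(self, version_info: str, code: bytes) -> None:
        self.certified[version_info] = hashlib.sha256(code).digest()

    def query(self, terminal_id: str, version_info: str,
              mtm_sig: bytes) -> Optional[Tuple[bytes, bytes]]:
        # Step 1 of Figure 3: verify the MTM signature, which identifies the terminal.
        key = self.terminal_keys.get(terminal_id)
        if key is None or not verify(key, version_info.encode(), mtm_sig):
            return None
        # Step 2: look up the digest and return it with the version info, SSP-signed.
        digest = self.certified.get(version_info)
        if digest is None:
            return None
        reply = version_info.encode() + digest
        return reply, sign(self.signing_key, reply)

class Terminal:
    def __init__(self, terminal_id: str, mtm_key: bytes, ssp: SSP, ssp_key: bytes):
        self.id, self.mtm_key, self.ssp, self.ssp_key = terminal_id, mtm_key, ssp, ssp_key
        self.mtm_cache: Dict[str, bytes] = {}    # digests the local MTM already verified

    def check_software(self, version_info: str, code: bytes) -> bool:
        """True only if the software is legitimate (certified by the SSP) and intact
        (its digest equals the certified digest). Local MTM first, then the SSP."""
        expected = self.mtm_cache.get(version_info)
        if expected is None:
            mtm_sig = sign(self.mtm_key, version_info.encode())
            answer = self.ssp.query(self.id, version_info, mtm_sig)
            if answer is None:
                return False                     # uncertified software or rejected terminal
            reply, ssp_sig = answer
            if not verify(self.ssp_key, reply, ssp_sig):
                return False                     # forged or corrupted SSP reply
            info, expected = reply[:-DIGEST_LEN], reply[-DIGEST_LEN:]
            if info != version_info.encode():
                return False                     # reply does not belong to this query
            self.mtm_cache[version_info] = expected
        return hmac.compare_digest(hashlib.sha256(code).digest(), expected)

# Constructed keys, software and identifiers for the demonstration.
SSP_KEY = b"constructed-ssp-signing-key"
MTM_KEY = b"constructed-mtm-key-terminal-0001"
MAIL_APP = b"constructed mail application code, version 2.0"

def demo() -> Tuple[bool, bool, bool]:
    ssp = SSP(SSP_KEY, {"terminal-0001": MTM_KEY})
    ssp.certify("mailapp-2.0", MAIL_APP)
    term = Terminal("terminal-0001", MTM_KEY, ssp, SSP_KEY)
    genuine = term.check_software("mailapp-2.0", MAIL_APP)          # True
    modified = term.check_software("mailapp-2.0", MAIL_APP + b"!")  # False: integrity
    unknown = term.check_software("game-1.0", b"uncertified game")  # False: legitimacy
    return genuine, modified, unknown
```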

For requirement (4), the reason is to protect, e.g., trusted verification program B in Figure 2 from destruction. This usually requires specialized hardware. An effective protection method implemented in hardware is to ensure that the address space of trusted verification program B cannot be written unless permission is obtained from the MTM. This hardware protection circuit can even be implemented inside the MTM.

C. SSP

According to what has been described, it is easy to understand the following two main security service features of the SSP. (1) Check the integrity of the software in the mobile terminal. If it is compromised, the SSP does not allow the mobile terminal to access the network. (2) Provide services for the mobile terminal's inquiries on software legitimacy. When the mobile terminal is about to install or run software, it first needs to check whether the software is legal. The local MTM is queried first. If there is no result, the query is submitted to the SSP. The SSP returns the query result to the terminal after verifying the identity of the mobile terminal. The SSP's accessibility features include: interacting with the security software providers in order to carry out software security checking and to generate legitimacy information; interacting with the AAA server of the mobile network operator in order to achieve security authentication and billing functions; interacting with the AN server in the mobile network to achieve access control based on the integrity of the mobile terminal; and so on.

V. CONCLUSION

It can be expected that, in the near future, mobile terminals will be Internet terminals. Users will be able to use almost all of the features of a PC on mobile devices, such as e-commerce, e-mail, mobile wallets, etc. It is therefore important to ensure the information security of mobile phones. We have shown that mobile network security needs to proceed from consideration of the entire mobile network rather than just adopting the traditional method of anti-virus protection at the mobile terminal. Since operators have advantages in technology, facilities, management, etc., they can provide effective protection against malicious attacks on the security of mobile networks. We expect that, as mobile network security incidents continue to occur, whether or not the mobile network can provide users with high-quality security services will become a key factor in the business competitiveness of mobile network operators. The proposed security solution based on security services and trusted terminals will become an effective and significant approach in the development of network information security.

REFERENCES

[1] Jalal Almuhtadi, Dennis Mickunas, Roy Campbell. A Lightweight Reconfigurable Security Mechanism For 3G/4G Mobile Devices, IEEE Wireless Communications, 2002: 60-66.

[2] Muxiang Zhang, Yuguang Fang. Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol, IEEE Transactions on Wireless Communications, 2005: 734-743.

[3] Georgios Kambourakis, Angelos Rouskas, Stefanos Gritzalis. Using SSL/TLS in Authentication and Key Agreement Procedures of Future Mobile Networks, IEEE, 2002: 152-157.

[4] Yaping Deng, Hong Fu, Xianzhong Xie, Jihua Zhou, Yucheng Zhang, Jinling Shi. A Novel 3GPP SAE Authentication and Key Agreement Protocol, Proceedings of IC-NIDC2009: 557-562.

[5] Lu Feng, Zheng Kangfeng, Niu Xinxin, Yang Yixian, Li Zhongxian. Security Analysis of 3GPP Authentication and Key Agreement Protocol, Journal of Software, Vol. 21, No. 7, July 2010: 1768-1782.

[6] Yu Zheng, Dake He, Weichi Yu, Xiaohu Tang. Trusted Computing-Based Security Architecture For 4G Mobile Networks, Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies, 2005: 251-255.

[7] Liu Weipen, Hu Jun, Fang Yanxiang, Shen Changxiang. Research and Development on the Secure Architecture of Terminal Based on Trusted Computing, Computer Science, 2007, Vol. 34, No. 10: 257-269.

[8] Wu Zhenqiang, Ma Jianfeng. Research of Mobile Internet's Trusted Architecture Based on the TPM, Network Security Technology and Application, 2007(11): 18-20.