Wireless communication has matured from a curiosity to a serious business tool. PDAs have totally replaced Daytimers and notepads. But security has been lacking or weak, making such automation untrustworthy for critical applications. By adding strong security and authentication, these tools will facilitate trustworthy electronic methods for commerce, financial transactions, medical data, even prescriptions.
This is an exciting time for the cellular phone, wireless communication and PDA communities! Cellular phones and PDAs are merging and melding in a variety of ways. Pagers have evolved from simple "beepers" to receiving numeric messages, to text messages, to bidirectional messaging. Palm's Treo is a PDA evolved into a cellular phone. RIM (Research In Motion) makes the BlackBerry device: originally a bidirectional alphanumeric pager, it evolved into a PDA and now a cellphone.
Focusing on the text-only (non-voice) devices, a variety of services are offered: web (
In CIS 786 (Ubiquitous/Pervasive Computing) we critiqued movies and television shows for "the future as we saw it". Space 1999 was dead-on with the concept of the com-link: a device that's a door lock, universal remote control and wireless/cellular picturephone (even Star Trek didn't envision that: the communicator was always separate from the tricorder, and tricorders were specialised devices too!). Comlinks are already here with the way cellphones are being used not just for placing calls but for identifying the user for things like paying for items. As PDAs and cellphones continue to merge and melt, I foresee more permission-based ID schemes, such as a slot for inserting ID cards as required by different applications (as opposed to the "universal remote" idea of the PDA containing all permissions and privileges at once).
When I worked at GoAmerica (a wireless middleware vendor), I had a BlackBerry and got to appreciate why it's the preferred business tool.
· it's as small as a PDA
· no external antenna (or minimal antenna, a far cry from walkie-talkies)
· the "thumb" keyboard is EXTREMELY intuitive to use and has TERRIFIC tactile feedback; far faster than using a PDA's "Graffiti" keystrokes or an on-screen keyboard.
· the scroll wheel pushes to click, like the scroll wheels now on computer mice.
That's why I'd license the RIM BlackBerry keyboard, scroll wheel and interface software instead of reinventing it. There are many imitators but none work as well.
There are 3 basics to security: authentication, authorization & identification.
1. Identification: who are you?
2. Authentication: prove it.
3. Authorization: are you allowed to do that? For example: cell phone users are usually NOT authorized to change certain carrier-specific settings; operating system administrator accounts have higher privilege than user accounts.
The four categories of authenticating information are:
1. What you know: a password or PIN.
2. What you do: e.g., how one signs one's name or speaks.
3. What you have: e.g., a token such as a key, or a certificate such as a driver's license.
4. What you are: that's getting into biometrics: fingerprint, retina scan, iris scan, hand geometry, facial recognition, etc. The idea is to verify something that is unique about you and that's hard to forge, spoof or alter.
For low to medium security, just one authentication category is enough. For higher security, use 2 categories. Possessing the PDA may count as "what you have", but for higher security, an ID card such as a SmartCard would be better.
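The three steps and the two-category rule above, as an added worked example (not code from the paper): a PDA identifies the user by name, authenticates with a salted PIN hash ("what you know") plus a challenge-response to a simulated SmartCard ("what you have"), then consults a role table before allowing an action such as changing carrier settings. The class names, PINs, card ids, keys and roles are assumptions constructed for the example.

```python
# Added example, not the paper's code: PDA login with two authentication
# categories (PIN = what you know, SmartCard = what you have) followed by
# role-based authorization. All identities, PINs, card ids and keys are constructed.
import hashlib
import hmac
import secrets

PIN_ITERATIONS = 100_000

class SmartCard:
    """Stand-in for the ID card: the key is only used inside respond(), never exported."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Pda:
    # Authorization policy: which roles may perform which action.
    PERMISSIONS = {"send_message": {"user", "admin", "carrier"},
                   "install_software": {"admin", "carrier"},
                   "change_carrier_settings": {"carrier"}}

    def __init__(self):
        self.users = {}      # identity -> salt, PIN hash, card id, roles
        self.card_keys = {}  # card id -> key registered when the card was issued

    def enroll(self, identity: str, pin: str, card_id: str, card_key: bytes, roles):
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS)
        self.users[identity] = {"salt": salt, "pin_hash": pin_hash,
                                "card_id": card_id, "roles": set(roles)}
        self.card_keys[card_id] = card_key

    def authenticate(self, identity: str, pin: str, card: SmartCard) -> bool:
        """Identification (who are you?) followed by proof from both categories."""
        rec = self.users.get(identity)
        if rec is None:
            return False
        # What you know: recompute the salted hash and compare in constant time.
        expected = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PIN_ITERATIONS)
        pin_ok = hmac.compare_digest(expected, rec["pin_hash"])
        # What you have: a fresh random challenge, so a recorded response cannot be replayed.
        challenge = secrets.token_bytes(32)
        want = hmac.new(self.card_keys.get(rec["card_id"], b""), challenge, hashlib.sha256).digest()
        card_ok = (card.card_id == rec["card_id"] and
                   hmac.compare_digest(card.respond(challenge), want))
        return pin_ok and card_ok  # both checks always run; neither short-circuits the other

    def authorize(self, identity: str, action: str) -> bool:
        """Is this (already authenticated) identity allowed to do that?"""
        rec = self.users.get(identity)
        return rec is not None and bool(rec["roles"] & self.PERMISSIONS.get(action, set()))

def build_demo_pda():
    """Constructed setup: an ordinary user and a carrier technician, each with a card."""
    pda = Pda()
    alice_key, tech_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pda.enroll("alice", "4931", "card-0001", alice_key, ["user"])
    pda.enroll("carrier-tech", "8820", "card-0002", tech_key, ["carrier"])
    return pda, SmartCard("card-0001", alice_key), SmartCard("card-0002", tech_key)
```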
I'm an advocate of SmartCards because they are not just memory cards: there's a CPU inside with a cryptographic unit. A SmartCard can carry my private cryptographic key for encrypting messages and signing documents, but since it's built into the hardware, there is no way for me to accidentally reveal that key (the primary way private key systems fail is accidental exposure of the private key). Cellular phones already use SmartCards for identifying the phone: that's the tiny SIM card that's usually behind the battery. But it does not identify the
The Intel
Let me "fast forward" and assume you're familiar with secure systems: existing cellphones and PDAs can establish secure channels but can't prove identity. E-commerce requires digital signatures for non-repudiation (so I can't deny I placed an order). There are several devices to assist with that: fingerprint readers, SmartCard readers. They can be built into the device, or plugged in via USB or an expansion slot.
Now to put the pieces together: by offering 2-part authentication, the PDA not only sends transactions, but uses that information to undeniably prove WHO sent the request. The message can be electronically signed to prove who sent it. Even if the message is not encrypted, it can be transmitted securely using AES (the new encryption standard that's replacing DES and 3DES) and verified using SHA-1.
Hospitals are exploring WiFi for replacing clipboards with laptop and tablet PCs. Paper charts have a signature area to track who added notes, and when. There are checkoffs for treatment, medication and such. If that's to be all-electronic, then an electronic signature is required to prevent anyone from just entering data into anyone's chart. There must be some machine-readable way to prove WHO was using the PC when the data was entered. User IDs and passwords are insufficient. Some insurance companies are already demanding stricter data assurance by using fingerprint readers on PCs. SmartCard ID cards would be ideal because everyone has an ID card anyway, and they'll work while wearing gloves, or when your hands are dry. (My cousin is a cardiologist and her hands get chapped from scrubbing, thus interfering with the fingerprint reader!)
My doctor has a PDA in his pocket for looking up symptoms, perhaps for tracking billing and scheduling. If the PDA had similar capabilities to assure who is holding it, then it would be possible to replace the prescription pad with an e-Rx, since there would be a clear audit trail of who issued the prescription and when.
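The signed audit trail just described for the chart and the e-Rx (and the message signing in the "put the pieces together" paragraph above), as an added example that is not the paper's code: chart entries are signed with a hash-based Lamport one-time signature, chosen because it needs only SHA-256 and so runs with the Python standard library. The SmartCard and Chart classes, the holder names, notes and timestamps are constructed assumptions; a deployed card would use a standard signature algorithm instead.

```python
# Added example, not the paper's code: chart entries signed with a hash-based
# (Lamport) one-time signature. Private keys never leave the SmartCard object;
# the chart keeps only public keys, so anyone can verify WHO entered a note and
# WHEN, but nobody can forge or alter an entry without the card. All constructed.
import hashlib
import json
import secrets

BITS = 256  # one key pair per bit of the SHA-256 digest

def lamport_keygen():
    """Private key: 256 pairs of random secrets; public key: the SHA-256 of each."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    return priv, [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]

def digest_bits(message: bytes):
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def lamport_sign(priv, message: bytes):
    # For each digest bit, reveal the secret from the matching half of the pair.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(message))]

def lamport_verify(pub, message: bytes, sig) -> bool:
    return len(sig) == BITS and all(hashlib.sha256(s).digest() == pub[i][bit]
                                    for i, (s, bit) in enumerate(zip(sig, digest_bits(message))))

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

class SmartCard:
    """Stand-in for the clinician's card: signs on request, never exports private keys."""
    def __init__(self, holder: str, entries: int):
        self.holder = holder
        pairs = [lamport_keygen() for _ in range(entries)]  # one key pair per entry
        self._private = [priv for priv, _ in pairs]
        self.public_keys = [pub for _, pub in pairs]  # published to the chart

    def sign(self, message: bytes):
        key_index = len(self.public_keys) - len(self._private)
        priv = self._private.pop(0)  # one-time key: consumed so it can never be reused
        return key_index, lamport_sign(priv, message)

class Chart:
    def __init__(self):
        self.directory = {}  # holder name -> that card's public keys
        self.entries = []

    def register(self, card: SmartCard):
        self.directory[card.holder] = card.public_keys

    def add(self, card: SmartCard, patient: str, note: str, when: str):
        body = {"patient": patient, "note": note, "by": card.holder, "at": when}
        key_index, sig = card.sign(canonical(body))
        self.entries.append({"body": body, "key": key_index, "sig": sig})

    def verify(self) -> list:
        # Per entry: does the signature check out under the claimed author's public key?
        results = []
        for e in self.entries:
            keys = self.directory.get(e["body"]["by"], [])
            results.append(e["key"] < len(keys) and
                           lamport_verify(keys[e["key"]], canonical(e["body"]), e["sig"]))
        return results
```

Each Lamport key pair signs exactly one entry, so the card must be provisioned with as many pairs as entries it will ever sign; that is the caveat to keep in mind if you adapt the scheme.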
I foresee a tremendous COLLABORATION of devices: PDA (id/authenticate/audit) -> fixtures / lab equipment / dispensers, where the PDA augments the ID card to provide a secure interface to sensitive equipment, preventing unauthorized or accidental alteration.
Business and professional people are the intended market because they require rugged devices that work all the time and they're willing to pay for it. It's not "price sensitive" like the consumer market. They want products that let them conduct business, not things that "look pretty". The financial and medical areas are the first focus since they're most likely to appreciate the security aspects and be early adopters.
Part | Part number | Supplier | Cost
CPU | | Intel | $40.00
Peripheral CPU | PIC 18f4550 | Microchip | $5.00
PCI to PCMCIA ctrl | PCI1410 | | $5.00
Bluetooth transceiver | BSN6030 | | $4.00
SDRAM | MT48LC128M4A2 | Micron | $9.00
Power regulator | | Maxim |
GSM module | GSM12 | Nokia |
Screen assembly | | Toshiba |
48 MHz XTAL | | |
5 V 1 F Supercapacitor | PB-5R0V105 | PowerStor | $1.00
USB "A", "B" connector | | | $0.50
NiMH battery | | | $8.00
RIM keyboard, thumbwheel | | |
Manufacturing cost: $100
MSRP: $400
To ensure privacy, there's an optional privacy screen filter similar to that used by ATMs. There are several available technologies, such as holograms that are visible only from the side to obscure the screen, or a plastic that blurs from the side for security.
Front view: the look and feel licensed from RIM BlackBerry
frontmost layer: keyboard, LCD
center layer: PCB
rearmost layer: batteries, connectors, slots
diagram B: component placement, rear view
The
Despite all the on-chip controllers, the
A JTAG connector near the battery compartment allows upgrades, debugging and other development in the field. The JTAG connector is intentionally hard to reach because it is not for casual use. A tamper sensor is triggered by opening the case because this is a possible way to circumvent security, but it's essential for hardware and software development, which customers are encouraged to perform.
Until there is in-house microwave and cellphone expertise, the GSM cellphone functionality will be a module such as the Nokia 12 GSM module. Citing http://press.nokia.com/PR/200306/908010_5.html:
The Nokia 12 is a compact and intelligent GSM module for machine-to-machine, mobile-to-machine and machine-to-mobile (M2M) applications and other wireless solutions that can be integrated into devices during assembly.
While it is usually more expensive to buy modules instead of building them yourself, there are many immediate advantages:
· the FCC approval is transferable with the module
· faster time to market
Board space permitting, TI's BSN6030 offers a ROM-based Bluetooth baseband controller.
According to http://www.theregister.co.uk/2001/02/12/micron_launches_lowpower_sdram/ several companies are competing for the upcoming JEDEC (Joint Electron Device Engineering Council) standard. The leading contender is Infineon's "Mobile-RAM": 128Mb (16MB) in 8Mb x 16 configuration. Micron's "BAT-RAM" is not considered as technically capable. Samsung has announced "UtRAM", its low-power
The
Since this may contain sensitive information, the JTAG connector is inside the case. Opening the case triggers a tamper switch which erases the RAM (at least by removing power, perhaps triggering a CPU function too), just like crypto modems and desktop PCs. Unfortunately this is only effective once, for a clever hacker will note the position of the JTAG connector and drill through the case for subsequent access, or defeat the tamper switch.
The Embedded Linux system is preferred for many reasons.
· it is already ported to the
· many mobile devices are already using Embedded Linux
· Linux is fast to support new devices, such as the cryptographic chips and USB devices
· Linux is open source, allowing full security auditing to assure compliance with standards and expose vulnerabilities (or, more preferably, verify proper security)
· Linux supports all standard security methods: certificates, SSL/SSH, IPsec, VPN
· it enables the owner to modify the system as needed. The large-scale "enterprise" users will appreciate the ability to configure their devices for their particular needs.
· it's royalty free
There are drawbacks, though. Many desirable business applications are available only for specific systems such as Windows CE, Palm OS, RIM OS.
The C++ programming language is preferred for clarity of code and methods. Object-oriented programming is a mature technology that makes it easier to share building blocks such as libraries and classes of objects.
Java is a good choice too, since there are many embedded versions, particularly with SmartCards running Java applets and the need to support Java even for micro web browsers.
E-books and databases tend to be in a vendor-neutral form, so it's reasonable to import such files either directly or after a one-time conversion. My physician keeps his PDA in his pocket and apparently has a Physician's Handbook in electronic form. No more books, and easier to keep updated!
Research In Motion (RIM) is a leading designer, manufacturer and marketer of innovative wireless solutions for the worldwide mobile communications market. RIM's portfolio of award-winning products is used by thousands of organizations around the world and includes the BlackBerry® wireless platform, software development tools, and software/hardware licensing agreements.
They have achieved a significant market share of the business market with ergonomic, rugged designs and a good human interface. Instead of competing, we license their technology and compete on our "value added".
http://www.palmone.com/us/products/smartphones/treo650/
The Palm Treo 650 has a color screen, touch-screen and keyboard. Our product is better due to not just a faster CPU but significantly more processing power per cycle. Admittedly, PalmOS has free development environments for developing applications, but PalmOS has many deficiencies and is far from a real-time OS. Embedded Linux has already surpassed PalmOS for supporting background tasks and real-time scheduling, and Linux is getting new features almost daily.
http://www.pdabuyersguide.com/Dell_axim_X30.htm lists and compares many PDAs.
The internal name for the project is Stealth-Ferret. We need a cute logo of a fuzzy ferret hiding his secrets. Here are some marketing ideas:
As a proud member and Embedded Linux advocate, use the logo in all advertising!
Business travelers are the target audience. (Consider the ads already inside airports and train stations for business communications and services.) Emphasize the PRIVACY and SECRECY aspects.
1. There are currently ads for Fidelity trading on web-enabled phones. Co-brand with them for "Fidelity prefers Ferretronix's Stealth-Ferret to assure your privacy and security".
2. "What you say is secret. How we secure it isn't." The Stealth-Ferret keeps all your messages from snooping: whether SMS, e-mail, instant messaging or web browsing. We proudly use the embedded Linux system for reliability, support, open standards and open source. So look under the hood and tinker with the engine; we're not afraid. In fact, we encourage it!
3. Cell phone manners: it's not just polite to use text on a train or bus, but it keeps your messages from your competitors!
4. WW2 "retro" look with old sayings like "loose lips sink ships", showing a cell phone user telling company confidential information, surrounded by listening ears.
5. << drawings of Mad Magazine's "Spy Vs. Spy" >>
   a. BEFORE: the Black Spy listens in on the White Spy's calls and gets the super-secret recipe before the White Spy can enter the baking contest.
   b. AFTER: the White Spy uses the Ferretronix Stealth-Ferret PDA: then the Black Spy's spy-o-phone only gets garble-de-goo-fizz. The White Spy smiles and eats his blue-ribbon-prize-winning cake.
6. << photo of "Get Smart" using the cone of silence >> Ferretronix's Stealth-Ferret is your own personal "cone of silence".
7. Does Macy's tell Gimbel's? That's an old phrase for "don't tell your competitors!". (Macy's and Gimbel's were competing department stores next to each other in
8. On the left: a photo of a conference room full of business people using identical-looking BlackBerries, StarTac phones, etc. On the right: a photo of the same office, but everyone's Stealth-Ferret is personalized with color cases, faceplates and background screens. "WHICH ONE IS MINE? The pretty one!"
9. << photo on left: business user: guy in business suit, making a business call >> << photo on right: same person in loud Hawaiian shirt, showing off his high score to buddies at the bar >> "WE DON'T PLAY GAMES – DURING O
   The Stealth-Ferret is a serious business tool. But all work and no play makes Jack a dull boy. Who says business technology has to be dull? The Stealth-Ferret: fun colors, fun stuff, serious security.
The CardBus (PCMCIA) slot and the USB port are competing for their roles. WiFi (802.11) adapters are available for both. Memory cards are available for both (the USB flash drives are more popular because they attach to more devices). RFID adapters are available for both too. As such, the PCMCIA slot may be omitted from some models to make it slimmer and eliminate the support chip.
The USB "A" connector (the flat one) is a MASTER: it controls other devices such as flash memory drives, security dongles, WLAN interfaces, fingerprint readers, etc. It also provides power to the device. Devices such as http://www.Key-Computing.com/ or http://www.techabsorbed.com/gadgets/xkey.htm will be supported to encapsulate all data securely and provide more secure user authentication.
The USB "B" connector (the square one) is a SLAVE: it connects TO other devices. That's the port used to "hotsync" to the PC host. For true portability without the need for PDA-specific drivers, the PDA may also appear as a USB drive to the host computer (similar to many digital cameras). If power is provided by the host, the PDA will operate from that power and recharge the battery if possible.
BLUETOOTH: secure mode preferred (if the other end supports it) to prevent eavesdropping.
1. Find a way to add a SmartCard reader without making it too thick or sacrificing the PCMCIA slot.
2. Integrate more wireless interfaces, using the raw components instead of modules to save space and lower cost.
3. Monitor which low-power SDRAM becomes the JEDEC standard.
4. Monitor Intel's roadmap for the cryptographic series of XScale CPUs.
5. Add voice features for a full-fledged cell phone, via GPS and VoIP for least-cost routing.
6. Explore the merits of the MEMS microphone.
7. Add MP3, stereo sound and movie playback to compete with the high-end entertainment cellular phones.
8. Higher multimodal integration for talking anywhere, any way.
9. Embrace UbiComp concepts such as location awareness. The Open Developer's Forum will encourage customers to experiment with such concepts, and this product ought to be the preferred developer's platform.
10. RFID mode 2 (or higher) transceiver.
http://www.intel.com/design/network/products/npfamily/ixp425.htm
Intel 533 MHz
http://developer.netscape.com/tech/security/basics/index.html
How SSL Works
Makes security products; most notably, they are the top-level Certificate Authority.
A major source of security software and devices such as SecurID tokens.
http://en.wikipedia.org/wiki/Embedded_Linux
Embedded Linux
http://www.embedded-linux.org/
the Embedded Linux Consortium
http://www.bluemug.com/research/els/els.sht
This survey presents the state of embedded Linux as applied to consumer electronics devices, from wristwatches to PDAs to cellular handsets.
Need to keep your sensitive information on your monitor private and away from onlookers? Try a Fellowes LCD privacy screen. Screen images become blurred from a side view so only you can view what's on your screen.
http://www.nullsoft.com/free/waste/network.html
Nullsoft Encrypts Communication with WASTE. Nullsoft has released a beta version of a new tool called WASTE designed to secure communication within small groups of users. The brainchild of Winamp creator Justin Frankel, WASTE utilizes encryption and public keys to keep sensitive data hidden from prying eyes. WASTE currently features instant messaging and chat capabilities, along with file sharing functionality with support for browsing and searching.
...
WASTE was not built for public sharing of data, but rather private trusted groups of 10 to 50 people. Privacy is a primary focus and all network links are secured with RSA and authenticated with public key hashes. WASTE messages are then sent within an encrypted channel, making it nearly impossible for a third party to spy on users communicating via WASTE.
http://www.knowlesacoustics.com/
Knowles Acoustics has today announced its new "Mini" series of SiSonic™ silicon microphones, representing the smallest MEMS-based surface mount microphones available in the world today. With a footprint of less than 18 mm², the device is ideally suited for applications where component density is at an absolute premium – such as mobile phones, digital still cameras, and MP3 players. Engineering samples are available today, with mass production scheduled for Q2 2005. The "Mini" SiSonic can be seen at the Electronica trade show – Neue Messe –
MUSCLE - Movement for the Use of Smart Cards in a Linux Environment.
MUSCLE is a project to coordinate the development of smart cards and applications under Linux. The purpose is to develop a set of compliant drivers, APIs, and a resource manager for various smart cards and readers for the GNU environment.
Identification, Authentication and Authorization on the World Wide Web: nice paper with many links, and descriptions of products and methods.
http://www.maxking.com/titanium.htm
Titanium Card: Smartcard ISO 7816 Multi OS
Flash: 32 kB
EEPROM: 32 kB
Crypto: RSA