Privacy is essential for secure mobile devices

IBM Journal of Research and Development

Volumn 53, Issue 2, 2009, Pages

  Karger, Paul A ^a   Kc, Gaurav S ^b   Toll, David C ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

NATIONAL SECURITY; SECURITY OF DATA; SMART CARDS;

ELECTRONIC GOVERNMENT; ELECTRONIC PASSPORTS; HIGH SECURITIES; ID CARDS; PERSONAL PRIVACY; PRIVACY AND SECURITY; SECURITY APPLICATION; SMART CARD OPERATING SYSTEM;

MOBILE SECURITY;

EID: 77955084210     PISSN: 00188646     EISSN: 00188646     Source Type: Journal    
DOI: 10.1147/JRD.2009.5429047     Document Type: Article

References (65)

1. D. Dyer, "Genisys," Proceedings of DARPATech 2002 Symposium (July 2002), Anaheim, CA, http://www.darpa.mil/DARPATech2002/presentations/iao- pdf/speeches/DYER.pdf.
2. S. Kumpf and N. Russell, "Getting the Jump on Fraud," Cellular Business 9, No.10, 24-26 (1992).
3. E. Barkan, E. Biham, and N. Keller, "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications," Computer Science Department Technical Report CS-2006-2007, Technion - Israel Institute of Technology (2006), http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS- 2006-07.pdf.
4. Y. Frankel, A. Herzberg, P.A. Karger, H. Krawczyk, C.A. Kunzinger, and M. Yung, "Security Issues in a CDPD Wireless Network," IEEE Personal Communications 2, No.4, 16-27 (1995).
5. S. R. Fluhrer, I. Mantin, and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4," Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography Lecture Notes in Computer Science Vol. 2259, Springer-Verlag, Berlin (August 2001), pp. 1-24.
6. Public Law No. 107-173: Enhanced Border Security and Visa Entry Reform Act of 2002, United States, 107th Congress, second session (May 14, 2002), http:// frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107-cong-public- laws&docid=f:publ173.107.pdf.
7. G. W. Bush, "Policy for a Common Identification Standard for Federal Employees and Contractors," Homeland Security Presidential Directive/Hspd-12, The White House (August 27, 2004), http://csrc.nist.gov/ drivers/documents/Presidential-Directive-Hspd-12.html.
8. G. S. Kc and P.A. Karger, "Preventing Attacks on Machine Readable Travel Documents (MRTDs)," Research Report RC 23909, IBM Thomas J. Watson Research Center (March 2006), http://domino.research.ibm.com/library/ cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/ 7cd740a9883615da8525713a0053766a? OpenDocument.
9. P. A. Karger, "Privacy and Security Threat Analysis of the Federal Employee Personal Identity Verification (PIV) Program," Proceedings of the 2nd Symposium on Usable Privacy and Security, ACM Press, New York (July 2006), pp. 114-121, http://cups.cs.cmu.edu/soups/2006/proceedings/p114-karger.pdf.
10. D. C. Toll, P. A. Karger, E. R. Palmer, S. K. McIntosh, and S. Weber, "The Caernarvon Secure Embedded Operating System," Operating Systems Review 42, No.1, 32-39 (2008).
11. H. Scherzer, R. Canetti, P. A. Karger, H. Krawczyk, T. Rabin, and D. C. Toll, "Authenticating Mandatory Access Controls and Preserving Privacy for a High-Assurance Smart Card," Proceedings of the 8th European Symposium on Research in Computer Security (ESORICS 2003), Lecture Notes in Computer Science 2808, Springer- Verlag, Berlin (October 2003), pp. 181-200.
12. A. C. Peterson Jr., "Vehicle Radiotelephony Becomes a Bell System Practice," Bell Laboratories Record, 137 (April 1947).
13. "Cybersnare Sting-Arrests," News Release, U.S. Attorney for the District of New Jersey, Newark, NJ (September 11, 1995), http://fas.org/irp/ news/1995/nj62-txt.html.
14. Cellular Digital Packet Data System Specification, Release 1.1, CDPD Forum Technical Report (January 1995).
15. R. Molva, D. Samfat, and G. Tsudik, "Authentication of Mobile Users," IEEE Network 8, No.2, 26-34 (1994).
16. W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory 22, No.6, 644-654 (1976).
17. J. Edney and W. A. Arbaugh, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, Addison-Wesley, Boston (2004).
18. M. Beck and E. Tews, "Practical Attacks Against WEP and WPA" (November 2008), http://dl.aircrack-ng.org/breakingwepandwpa.pdf.
19. "Biometrics Deployment of Machine Readable Travel Documents Version 1.9," Technical Report, International Civil Aviation Organization (May 2003), http://web.archive.org/web/20040716085423/http://www.icao.int/mrtd/ download/documents/Biometrics+deployment+of+Machine+Readable+Travel+Documents. pdf.
20. "Identification Cards-Contactless Integrated Circuit(s) Cards-Proximity Cards-Part 4: Transmission Protocol," International Standards Organization ISO/IEC 14443-14444 (2004).
21. D. Clark, "A Proposed Methodology for an ICAO PKI Infrastructure for Implementation of Digital Signatures on MRTDs," Technical Report Version 4, New Technologies Working Group, International Civil Aviation Organization, Montreal (April 2003).
22. "Development of a Logical Data Structure (LDS) for Optional Capacity Expansion Technologies," Technical Report WD-00-2003-04-16, International Civil Aviation Organization, Montreal (2003).
23. T. A. F. Kinneging, "PKI for Machine Readable Travel Documents Offering ICC Read-Only Access, Version 1.1," Technical Report, International Civil Aviation Organization (October 2004), http://web.archive. org/web/20051210191307/http://www.icao.int/mrtd/download/documents/ TR-PKI+mrtds+ICC+read-only+access+v1-1.pdf.
24. RFID Tags, Contactless Smart Card Technology and Electronic Passports: Frequently Asked Questions, Smart Card Alliance (January 2005), http://web.archive.org/web/20060925035421/http://www.smartcardalliance.org/pdf/ alliance-activities/RFID-Contactless-Smart-Cards-FAQ-FINAL-010305.pdf.
25. J. Yoshida, "Tests Reveal e-Passport Security Flaw," Electronic Engineering Times (August 30, 2004), http:// www.eetimes.com/news/latest/ showArticle.jhtml? articleID=45400010.
26. Z. Kfir and A. Wool, "Picking Virtual Pockets Using Relay Attacks on Contactless Smartcard Systems," Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), IEEE Computer Society, Piscataway, NJ (September 2005), pp. 47-58, http://eprint.iacr.org/2005/052.
27. "Naked Data: How the U.S. Ignored International Concerns and Pushed for Radio Chips in Passports Without Security," White Paper, American Civil Liberties Union (November 24, 2004), http://www.aclu.org/pdfs/ privacy/nakeddata20041124.pdf.
28. K. Zetter, "Feds Rethinking RFID Passport," Wired News (April 26, 2005), http://www.wired.com/news/privacy/ 0,1848,67333,00.html.
29. M. Witteman, "Attacks on Digital Passports," What the Hack (July 2005), http://wiki.whatthehack.org/index.php/Track:Attacks-on-Digital- Passports.
30. A. Juels, D. Molnar, and D. Wagner, "Security and Privacy Issues in E-passports," Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communication Networks (Secure- Comm 2005), online proceedings (September 2005), http://www.cs.berkeley.edu/;daw/papers/ epassports-sc05.pdf.
31. T. Matsumoto, "Gummy and Conductive Silicone Rubber Fingers: Importance of Vulnerability Analysis," Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2002, Lecture Notes in Computer Science 2501, Springer-Verlag, Berlin (December 2002), pp. 59-65.
32. P.-M. Ziegler, L. Thalheim, and J. Krissler, "Körperkontrolle: Biometrische Zugangssicherungen auf die Probe gestellt," (Body Check: Biometric Access Protection Devices and their Programs Put to the Test), c't - Magazin fü r Computertechnik, 114, November 2002, http://www.heise.de/ kiosk/archiv/ct/2002/11/114-kiosk.
33. D.M. J. Kamdi, "The Malaysian Electronic Passport," Presentation to the International Civil Aviation Organization (ICAO) at the Twelfth Session of the Facilitation Division (March 2004), http://www.icao.int/ icao/en/ atb/fal/fal12/Presentations/Malaysia.ppt.
34. "Advanced Security Mechanisms for Machine Readable Travel Documents - Extended Access Control (EAC) Version 1.11," Technical Guideline TR-03110, Federal Office for Information Security (BSI), Bonn (February 21, 2008), http://www.bsi.de/literat/tr/tr03110/TR-03110-v111.pdf.
35. N. K. Ratha, J. H. Connell, and R. M. Bolle, "Enhancing Security and Privacy in Biometrics-based Authentication Systems," IBM Systems Journal 40, No.3, 614-634 (2001).
36. A. Pfitzmann, "Biometrics-How to Put to Use and How Not at All?: How to Handle Security Problems of Biometrics and How to Handle Security and Privacy Problems Caused by Biometrics?" Proceedings of the Conference on Security and Privacy in Information Society (ISC 2005), online proceedings (October 2005), http://dud.inf.tu-dresden.de/literatur/Duesseldorf2005.10. 27Biometrics.pdf.
37. H. Krawczyk, "SIGMA: The 'SIGn-and-Mac' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols," Proceedings of the 23rd Annual International Cryptology Conference (CRYPTO 2003), Lecture Notes in Computer Science 2729, Springer-Verlag, Berlin (August 2003), pp. 400-425.
38. D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)," Request for Comments 2409, The Internet Society Network Working Group (November 1998), ftp://ftp.rfc-editor.org/in-notes/rfc2409.txt.
39. R. Canetti and H. Krawczyk, "Security Analysis of IKE's Signature-Based Key-Exchange Protocol," Proceedings of the 22nd Annual International Conference on Advances in Cryptology (CRYPTO 2002), Lecture Notes in Computer Science 2442, Springer-Verlag, Berlin (2002), pp. 143-161.
40. Application Interface for Smart Cards Used as Secure Signature Creation Devices- Part 1: Basic Requirements, Workshop Agreement CWA 14890-14891, Comité Européen de Normalisation (CEN) (March 2004), ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14890-01-2004-Mar.pdf.
41. J. van Beek, "ePassports Reloaded," Presentation at BlackHat Asia 2008 Briefings (October 2008), http://blackhat.com/presentations/bh-jp-08/ bh-jp-08-vanBeek/ BlackHat-Japan-08-Van-Beek-ePassports.pdf.
42. "PKD Procedures for the ICAO Public Key Directory (ICAO PKD), Version 2.0," International Civil Aviation Organization (October 31, 2006), http://www2.icao.int/en/MRTD/Downloads/PKD%20Documents/PKD-Procedures-Final- Version.pdf.
43. "PKD Regulations for the ICAO Public Key Directory (ICAO PKD)," International Civil Aviation Organization (April1, 2007), http://www2.icao.int/ en/MRTD/Downloads/PKD%20Documents/PKD-Regultions-Final-Version.pdf.
44. "ICAO PKD Update," International Civil Aviation Organization, Technical Advisory Group on Machine Readable Travel Documents (April 22, 2008), http://www.icao.int/icao/en/atb/meetings/2008/TagMRTD18/TagMrtd18-ip04.pdf.
45. J. Lettice, "Elvis Has Left the Border: ePassport Faking Guide Unleashed," The Register (September 30, 2008), http://www.theregister.co. uk/2008/09/30/epassport-hack-description/.
46. P. A. Karger and Y. Frankel, "Security and Privacy Threats to ITS," Proceedings of the Second World Congress on Intelligent Transport Systems '95, Vol.V, Yokohama (November 1995), pp. 2452-2458.
47. "Personal Identity Verification (PIV) of Federal Employees and Contractors," National Institute of Standards and Technology (NIST), FIPS PUB 201, Federal Information Processing Standards (February 25, 2005), http://web.archive.org/web/20050404114420/http://csrc.ncsl.nist.gov/ publications/fips/fips201/FIPS-201-022505.pdf.
48. R. Chandramouli, J. F. Dray, H. Ferraiolo, S. B. Guthery, W. MacGregor, and K. Mehta, "Interfaces for Personal Identity Verification-Part 1: End-Point PIV Card Application, Namespace, Data Model and Representation," Special Publication 800-73-82, National Institute of Standards and Technology (September 2008), http://csrc.nist.gov/publications/nistpubs/800-73-2/sp800-73- 2-part1-datamodel-final.pdf.
49. W. C. Barker and H. Ferraiolo, "Codes for the Identification of Federal and Federally Assisted Organizations," Special Publication 800-887, National Institute of Standards and Technology (March 2007), http://csrc.ncsl.nist.gov/publications/nistpubs/800-87/sp800-87-Final.pdf.
50. "Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems, Version 2.2," Government Smart Card Interagency Advisory Board, Physical Access Interagency Interoperability Working Group (July 30, 2004), http://www.smart.gov/information/TIG-SCEPACS-v2.2.pdf.
51. "Prime Item Product Function Specification for Magnetic Stripe Credentials (MSC)," Document SEIWG-012, U.S. Department of Defense, Security Enterprise Integration Working Group (SEIWG), Washington, D.C.(February 28, 1994).
52. "Personal Identity Verification (PIV) for Federal Employees and Contractors: Public Draft Version 1.0," Federal Information Processing Standard FIPS PUB 201, National Institute of Standards and Technology (November 8, 2004), http://web.archive.org/web/ 20041112042821/http://csrc.nist.gov/ publications/drafts/draft-FIPS-201-110804-public1.pdf.
53. P. A. Karger, "FIPS PUB 201 Security and Privacy Recommendations," Thomas J. Watson Research Center Research Report RC23871, IBM Corporation (January, 2005), http://domino.watson.ibm.com/library/CyberDig. nsf/1e4115aea78b6e7c85256b360066f0d4/0bb070e69e4f41518525711000536e73? OpenDocument.
54. D. Bailey, "Contactless Threats to FIPS 201 Systems," Presented at Public Meeting Addressing Privacy and Policy Issues in a Common Identification Standard for Federal Employees and Contractors, National Institute of Standards and Technology (January 19, 2005), http://csrc.nist.gov/ groups/SNS/piv/documents/workshop-Jan19-2005/ Bailey.pdf.
55. K. Carlson, One American Must Die: A Hostage's Personal Account of the Hijacking of Flight 847, Congdon & Weed, New York (1986).
56. S. Horwitz and M. E. Ruane, Sniper: Inside the Hunt for the Killers Who Terrorized the Nation, Random House, New York (2003).
57. "Chipcards with Digital Signature Application/Function According to SigG and SigV, Part 1: Application Interface," Deutsches Institut fü r Normung e.V., DIN V66291- 1 (December 15, 1998).
58. "Chipcards with Digital Signature Application/Function According to SigG and SigV, Part 4: Basic Security Services," Deutsches Institut fü r Normung e.V., DIN V66291-4 (October 17, 2000).
59. "Information Technology-Security Techniques-Key Management-Part 3: Mechanisms Using Asymmetric Techniques," International Organization for Standardization, ISO/IEC 11770-11773 (November 1, 1999).
60. G. Schellhorn, W. Reif, A. Schairer, P. Karger, V. Austel, and D. Toll, "Verification of a Formal Security Model for Multiapplicative Smart Cards," Proceedings of the 6th European Symposium on Research in Computer Security (ESORICS 2000), Lecture Notes in Computer Science 1895, Springer-Verlag, Berlin (October 2000), pp. 17-36.
61. "Information Technology-Security Techniques-Evaluation Criteria for IT Security-Parts 1, 2, and 3," International Organization for Standardization, ISO/IEC 15408-1, 15408-2, and 15408-15413 (1999).
62. D. E. Bell and L. J. La Padula, "Secure Computer System: Unified Exposition and Multics Interpretation," Technical Report MTR-2997, Rev. 1, The MITRE Corporation, HQ Electronic Systems Division (March 1976), http://csrc.nist.gov/publications/history/bell76.pdf.
63. K. J. Biba, "Integrity Considerations for Secure Computer Systems," Technical Report MTR-3153, The MITRE Corporation, HQ Electronic Systems Division (April 1977).
64. P. A. Karger, "Multi-Organizational Mandatory Access Controls for Commercial Applications," Research Report RC 21673, IBM Research Division, Thomas J. Watson Research Center, (February 22, 2000) http://domino.watson.ibm. com/library/CyberDig.nsf/1e4115aea78b6e7c85256b360066f0d4/ 3071057a742ec56285256897006c5307?OpenDocument.
65. "Information Technology-Identification Cards-Integrated Circuit(s) Cards with Contacts-Part 4: Inter- Industry Commands for Interchange," ISO/IEC 7816-7824, International Standards Organization (1995).