research-article

Trusting Mobile User Devices and Security Modules

Published: 01 February 1997

Abstract

The market for devices like mobile phones, multifunctional watches, and personal digital assistants is growing rapidly. Most of these mobile user devices need security for their prospective electronic commerce applications. While new technology has simplified many business and personal transactions, it has also opened the door to high-tech crime. In this article, we investigate design options for mobile user devices that are used in legally significant applications. Such applications authorize transactions: mobile phone calls, access to an office or car, electronic payment in stores, retrieval of stored medical data, and access to information on portable computers. Digital signatures, the electronic equivalent of handwritten signatures, are at the core of most of these applications and are explained briefly in the "Digital Signatures" sidebar.

A trustworthy mobile user device should suit its purpose well and have credible quality. Because mobile user devices act on someone's behalf, we use the analogy of agents to describe approaches to security. There are three types of agent trustworthiness:

  • Personal-agent trust. Here, the device must act according to the user's wishes while it is in the user's hands. For example, it should not sign unintended statements or unintentionally delete electronic money.
  • Captured-agent trust. In this case, the user is protected even if the mobile user device is lost, stolen, or given away (inserted into a point-of-sale terminal or sent away for maintenance). For example, the finder or thief should not be able to sign statements in the legitimate user's name.
  • Undercover-agent trust. In this case, the mobile user device will protect a third party from the device's legitimate user. For example, in prepaid offline payment systems users have so-called "electronic cash" in their mobile user devices, which they can use without connecting to a bank. The bank wants the mobile user device to prevent its legitimate user from "spending" the same bit string in several shops.

Contrary to popular belief, undercover-agent trust is not needed in many applications, including online payment systems and general signature applications.

A mobile user device by itself may not be able to keep data secret or uncorrupted; it may not be tamper-resistant. A tamper-resistant device is called a security module, whether the security mechanism is on a separate device or incorporated into the mobile user device itself. Such devices secure "mobile" applications and applications on stationary devices like PCs and public kiosks, if all security-relevant actions are controlled via the trustworthy mobile device.

Published In

Computer, Volume 30, Issue 2
February 1997
100 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States

Cited By

  • (2020) kUBI: A Framework for Privacy and Transparency in Sensor-Based Business Models for Consumers: A Pay-How-You-Drive Example. Computer Security. 10.1007/978-3-030-66504-3_7 (114-132). Online publication date: 14-Sep-2020
  • (2019) Energy Efficient Data Encryption Techniques in Smartphones. Wireless Personal Communications: An International Journal. 10.1007/s11277-018-5920-1. 106:4 (2023-2035). Online publication date: 1-Jun-2019
  • (2008) Security and identification indicators for browsers against spoofing and phishing attacks. ACM Transactions on Internet Technology. 10.1145/1391949.1391950. 8:4 (1-36). Online publication date: 6-Oct-2008
  • (2007) Simplified privacy controls for aggregated services. Proceedings of the 7th international conference on Privacy enhancing technologies. 10.5555/1779330.1779344 (218-232). Online publication date: 20-Jun-2007
  • (2006) Domino. Proceedings of the 4th international conference on Pervasive Computing. 10.1007/11748625_10 (153-168). Online publication date: 7-May-2006
  • (2004) Data management in mobile peer-to-peer networks. Proceedings of the Second international conference on Databases, Information Systems, and Peer-to-Peer Computing. 10.1007/978-3-540-31838-5_1 (1-15). Online publication date: 29-Aug-2004
  • (2003) Towards a new paradigm for securing wireless sensor networks. Proceedings of the 2003 workshop on New security paradigms. 10.1145/986655.986672 (115-121). Online publication date: 13-Aug-2003
  • (2003) Self-Organized Public-Key Management for Mobile Ad Hoc Networks. IEEE Transactions on Mobile Computing. 10.1109/TMC.2003.1195151. 2:1 (52-64). Online publication date: 1-Jan-2003
  • (2003) Personal trusted devices for web services. Mobile Networks and Applications. 10.1023/A:1022237215026. 8:2 (151-157). Online publication date: 1-Apr-2003
  • (2002) Performance analysis of the CONFIDANT protocol. Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing. 10.1145/513800.513828 (226-236). Online publication date: 9-Jun-2002
