
2016 IEEE/ACM Symposium on Edge Computing

Establishing Trusted Identities in Disconnected Edge Environments

Sebastián Echeverría, Dan Klinedinst, Keegan Williams, Grace A. Lewis
Carnegie Mellon Software Engineering Institute
Pittsburgh, PA USA
{secheverria, djklinedinst, kmwilliams, glewis}@sei.cmu.edu

978-1-5090-3322-5/16 $31.00 ©2016 IEEE   DOI 10.1109/SEC.2016.27

Abstract—When establishing communication between two nodes, identification, authentication, and authorization provide the information and assurances necessary for the nodes to trust each other. A common solution for establishing trust between two nodes is to create and share credentials in advance, and then use a third-party, online trusted authority to validate the credentials of the nodes. However, the characteristics of tactical environments — such as those in which first responders, search and rescue teams, and military personnel operate — do not consistently provide access to that third-party authority or certificate repository because they are DIL environments (disconnected, intermittent, limited). The goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field. For the implementation and evaluation of the solution we use our open source implementation of a tactical cloudlets system that is targeted at supporting disconnected operations.

I. INTRODUCTION

First responders, search and rescue teams, military personnel, and others operating in crisis environments increasingly make use of handheld devices to help with tasks such as face recognition, language translation, decision support, and mission planning and execution. Due to the computation-intensive — and often data-intensive — nature of these tasks, mobile systems can make use of cyber-foraging to leverage proximate resource-rich surrogates to augment the capabilities of resource-limited mobile devices through computation offload and data staging [1]. In these tactical environments, often characterized as DIL environments (disconnected, intermittent, limited), surrogates are pre-provisioned with all the computation and data needed for a mission so that they do not have to rely on reach back to the enterprise.

To support mobile computing at the edge we developed tactical cloudlets. These are forward-deployed, discoverable, virtual-machine-based servers that can be hosted on vehicles or other platforms to provide infrastructure to offload computation, provide forward data-staging for a mission, perform data filtering to remove unnecessary data from streams intended for users, and serve as collection points for data heading for enterprise repositories. The forward-deployed, single-hop proximity to mobile devices promotes energy efficiency as well as lower latency (faster response times) [25]. Tactical cloudlets are intended in many cases to work completely disconnected from the enterprise [26]. Prior to a deployment, cloudlets are pre-provisioned with the capabilities and data that will be needed for a particular mission. Once in the field, mobile devices discover proximate cloudlets, query for services, and then start services on demand. The initial version of our tactical cloudlets implementation had no security or trust embedded into the system other than at the network level, meaning that a user could connect to a cloudlet if it had network accessibility to it.

When establishing communication between two nodes — such as between a mobile device and a tactical cloudlet in the field — identification, authentication, and authorization provide the information and assurances necessary for the nodes to trust each other (i.e., mutual trust). A common solution for establishing trust between two nodes is to create and share credentials in advance, and then use a third-party, online trusted authority to validate the credentials of the nodes. However, the characteristics of tactical environments do not consistently provide access to that third-party authority or certificate repository.

In the context of tactical cloudlets we need to develop a trusted identity solution that meets four major requirements:

1) The solution cannot require network connectivity to a third party such as the Internet, an enterprise or wide area network (WAN), or a Certificate Authority (CA). In a DIL environment, these connections may be unreliable, non-existent, or even undesirable. Therefore the solution cannot use technologies such as a central authentication service or Internet-based identity management.
2) The solution cannot place any specific security requirements on hardware, such as a Trusted Platform Module (TPM) processor (Section II-A). Multi-organization groups often come together to support missions and need to be able to join the group without specially provisioned hardware.
3) The solution cannot require pre-provisioning of credentials on the mobile devices. Although cloudlets themselves can be pre-provisioned for a specific mission or deployment, end devices must be able to join during the mission, in a contested environment.
4) The solution must address the threats of a tactical environment (Section III-A). The main difference with other threat models is that there is likely to be an adversary in physical proximity to the system. Therefore, the solution must consider loss or theft of the mobile devices, proximity to short-range radios, and the ability of an adversary to control or contest any network connection to the Internet or enterprise network.

The goal of this paper is to present a solution for establishing trusted identities in disconnected environments based on secure key generation and exchange in the field that meets the above requirements. For the implementation and evaluation of the solution we use our open source tactical cloudlets system that is targeted at supporting disconnected operations.

Section II presents related work in the area of trusted identities. Section III describes our trusted identity solution, including the development process and rationale. Section IV presents the implementation of the solution in the tactical cloudlets system. Section V presents the evaluation of the solution. Finally, Section VI summarizes and concludes the paper.

II. RELATED WORK

Establishing trust in disconnected environments requires decentralized security solutions and infrastructure that are challenging to implement due to basic security concerns such as how to exchange keys, how to manage keys, how to integrate with existing applications, and how to configure security policies [2]. This section presents potential solutions for decentralized security with discussion related to their applicability to disconnected environments, in particular those involving mobile clients interacting with servers deployed in the field.

A. Hardware-Based Solutions

Hardware-based solutions require the presence of an on-board secure hardware component that stores security credentials. Because credentials are embedded in hardware, these solutions are typically harder to break than software-based solutions. In addition to cost, a problem with hardware-based credentials is that these need to be delivered to the field should they need to be changed, which could be problematic in disconnected environments. Examples of hardware-based solutions include Trusted Platform Module (TPM) [3], ARM TrustZone [4], and SmartCards [5].

B. Software-Based Solutions

Software-based solutions rely on credentials stored in software components of a system, such as certificate stores, configuration files, and databases. Examples of software-based solutions that could be applicable to disconnected environments include:

• Identity-Based Cryptography (IBC): In IBC, a public key is derived from an arbitrary data string, and the corresponding private key is created by binding this string with a system master secret owned by a trusted authority called a public key generator (PKG) or key generation center (KGC) [6]. IBC is ideal for disconnected environments because (1) it does not require users to pre-compute key pairs and obtain certificates for their public keys and (2) nodes contact KGCs only once to obtain their private key. The main disadvantage of IBC is the property of key escrow, because the KGC knows the user's private key.
• Secure Key Agreement without a Trusted Third Party (TTP): Work in this area leverages out-of-band channels for securely pairing two devices (computational units) without previous exchange of a secret key, or needing to have each other's public key. The challenge is to do so without relying on a trusted third party to create and distribute this secret key. Examples of solutions in this space include SafeSlinger, which leverages physical proximity and visual confirmation to provide secure communication between members of a group [7]; MVSec, which leverages various out-of-band channels readily available in commercial vehicles and mobile devices, such as humans, light, sound, and vibration, to secure communication between an individual's smartphone and his/her vehicle [8]; and SPATE, which relies on visual channels and physical interactions to establish trust in small groups [2]. The advantage of these solutions is the ability to generate credentials in the field. The disadvantages are related to the lack of centralized control, which makes it difficult to add a node to a group of trusted nodes once credentials have been exchanged and validated, or to remove a node.
• Distributed Trust Models: These solutions are common in ad-hoc networks, in which there are mechanisms that allow a node to evaluate the trustworthiness of other nodes based on, for example, trust chains, trust tables or reputation scores [9][10]. The advantage of these solutions is that they leverage peers for trust verification. The disadvantage is that they rely on nodes that are connected or aware of other nodes, which is not necessarily the case of mobile devices that leverage field-deployed servers in disconnected environments.

C. Hybrid Solutions

Hybrid solutions have a software and a hardware component. As an example, layered trust models have a software layer built on top of a hardware layer, such as using smart cards as secure containers for digital certificates and a software PKI-based trust model built on top [11]. Hybrid solutions inherit both advantages and disadvantages of software-based and hardware-based solutions.

D. Human-Centric Solutions

Human-centric solutions, as the name indicates, involve humans for establishing trust. Examples of human-centric solutions that could be applicable to disconnected environments include:

• Social Networks: In these solutions the trust relationships between users in their real social networks are automatically translated to trust relationships between their devices [12]. The advantage is that there is no need to exchange keys or certificates. However, the disadvantage is that the relationships in the social world have to be trusted.
• Biometrics and Behaviometrics: These solutions use biometrics (e.g., fingerprints, face recognition, voice recognition, retinal scans) and/or behaviometrics (e.g., keystroke analysis, handwriting, gestures) as identities [13][14][15][16]. The advantage of these solutions is identity strength. The main disadvantage is that they need to compare against a saved or network-accessible template that may not be available in disconnected environments.

III. DEVELOPMENT OF THE TRUSTED IDENTITY SOLUTION

This section presents the approach by which our trusted identity solution components were selected and our trusted identity solution was developed. We first identified a threat model for disconnected environments, then validated the solutions from Section II against the threat model, and finally developed an identity solution based on components that best addressed the threats in the threat model, and the requirements from Section I.

A. Threat Model for Disconnected Environments

The context for the threat model is a client/server type of system in which the client is a mobile device and the server is providing capabilities to mobile devices. The server is fully disconnected from the network and provides capabilities to proximate mobile devices connected via WiFi. The threat model was developed using Microsoft's SDL Threat Modeling Tool [17], which generated 60 potential threats. These threats were examined by a threat modeling expert on our team, evaluated for their applicability to trust in disconnected environments, and consolidated into the 14 relevant threats shown in Table I. Assigning priorities to those threats based on impact and probability of occurrence in an operational setting is also part of the threat model.

TABLE I
THREAT MODEL FOR DISCONNECTED ENVIRONMENTS

# | Name | Description | Priority
1 | Impersonating a device | Unauthorized device attempts to gain access to the server environment | H
2 | Finding an active client | Authorized phone is lost with an established connection | H
3 | Finding a device | Authorized phone is lost without a connection currently operating | H
4 | Altered software | Software on an approved device is changed due to downloaded malicious code, tampering, unintended changes, or some other means | M
5 | Daisy chaining | External device is able to connect to the authorized device and exploit its approved access | M
6 | Lost credentials | Authorization information is obtained by a malicious person who then tries to spoof the device | H
7 | Sniffing wireless | WiFi signal is monitored by an external party providing visibility of traffic stream | H
8 | Site intrusion | Physical access to server is obtained providing hands-on access to the equipment | H
9 | On the net | Network access to the service infrastructure is obtained | H
10 | On the box | Access to server OS is obtained | H
11 | Super-user compromise | System admin access is compromised and software and data can be stolen or changed impacting services and integrity | H
12 | Application compromise | Application controls are compromised | L
13 | Seeing everything | Data management controls are compromised | L
14 | Server impostor | Impersonating a trusted server environment and enticing devices to connect | H

B. Evaluation of Existing Solutions Against Threat Model

Table II maps threats against identity solutions. The number of plus signs (+) in a cell represents the potential of the identity solution (or elements of the identity solution) to mitigate the threat:

++++  Solution fully addresses the threat
+++   Solution mostly addresses the threat but needs to be combined with other solution(s) to fully address the threat
++    Solution has some elements that could be used to address the threat but needs to be combined with other solution(s) to fully address the threat
+     Solution has minimal support to address the threat
None  Solution has no support to address the threat

Based on an analysis of Table II by threat we can note that (1) most solutions will address threats that involve mobile device and server identity/authentication, (2) threats related to code identity will require mechanisms for code signing and validation, and (3) threats in which mobile devices and servers are compromised will require mechanisms to limit connection time and identity expiration.

The analysis of Table II by solution, in conjunction with an analysis of the advantages and disadvantages of each, and the solution requirements presented in Section I, shows that:

• Traditional PKI addresses most of the threats and there is a lot of out-of-the-box support and easy integration with HTTP and TLS. However, there are several major drawbacks to Traditional PKI systems. One is that it requires regular, frequent network connectivity to some form of central hub for one or more of the following functions: (1) authentication against a central server (e.g., Kerberos), (2) the ability to receive Certificate Revocation Lists (CRLs), and (3) the ability to revoke an entire CA if it is compromised. This violates Requirement 1, which is to not require network connectivity to a third party. Furthermore, existing PKI solutions use very long public keys by the standards of DIL environments — even the MD5 signature of a public key certificate is 32 hexadecimal characters. Because credentials cannot be pre-provisioned per Requirement 3, keys need to be bootstrapped onto devices, sometimes over very low-bandwidth channels (e.g., voice, visual). This is further limited by Requirement 4, the ability to remain secure in an adversarial, tactical environment.
• Hardware-based solutions are the strongest, but the reliance on special servers and mobile devices with hardware trust components makes it a challenge for disconnected environments. Our use cases envision teams from multiple services, countries, and agencies being able to form ad hoc networks with their own equipment (Requirement 2).
• IBC is a decentralized solution that maps well to disconnected environments. There are several algorithms and implementations that could enable the server to act as the PKG.
• Secure Key Agreement without a Trusted Third Party is also a decentralized solution that maps well to disconnected environments, specifically exploiting initial physical proximity between servers and mobile devices for secure key exchange, and also as part of two-factor initial authentication (bootstrapping).
• Distributed trust models do not address many of the threats by themselves, but elements of this solution could be employed as part of a two-factor authentication solution.
• Layered trust models combine the advantages and disadvantages of hardware- and software-based solutions. This type of solution could work well in a homogeneous hardware environment.
• Social network solutions do not address many of the threats. Even though elements of a social network solution could be employed as part of a two-factor authentication solution, there is no equivalent of software-level social relationships in disconnected environments, other than for example being part of the same team or squad, which even then would require that relationship to be represented at the software level.
• Biometrics and behaviometrics provide very strong identities but are not a good match for disconnected environments because access to templates for comparison would need to be available, violating Requirement 1.

TABLE II
EVALUATION OF SOLUTIONS AGAINST THREAT MODEL FOR DISCONNECTED ENVIRONMENTS

Columns: Traditional PKI | Software-Based: IBC, Key Agreement w/o TTP, Distributed | Hardware-Based | Hybrid: Layered | Human-Centric: Social Networks, Bio- and Behaviometrics
Rows: threats 1 to 14 of Table I (1. Impersonating a device through 14. Server impostor), followed by a SCORE row.
[The per-cell plus-sign ratings did not survive extraction. The SCORE row values, in the order extracted and without a recoverable column assignment, are 34 39 34 33 21 40 16 35.]

Overall, from a quantitative perspective (last row of Table II), 5 of the 7 alternative solutions to Traditional PKI provide similar threat mitigation potential (in the 33-40 range). Hardware-based and hybrid solutions provide greater threat mitigation because they provide hardware elements that can be used for device/server identities as well as user identities. However, from a qualitative perspective, IBC and Secure Key Agreement without a Third Party provide very similar threat mitigation potential to Traditional PKI but also address some of its limitations. A combination of IBC and Secure Key

which uses the Boneh-Franklin scheme as a Key Encapsulation Mechanism (KEM) and off-the-shelf (OpenSSL) ciphers and HMACs for the actual encryption [20]. Identity-Based Short Signatures [21] are used for the WiFi Authentication process. The selected Secure Key Agreement without a Trusted Third Party ceremony takes advantage of deployments in disconnected environments; specifically, the presupposition of physical proximity. The proposed solution requires a participant's physical proximity to the PKG (i.e., server) for the initial identification and authentication

