
Security and Privacy in a Ubiquitous Information Screen


LAPPEENRANTA UNIVERSITY OF TECHNOLOGY DEPARTMENT OF INFORMATION TECHNOLOGY

Security and Privacy in a Ubiquitous Information Screen

The topic of the master’s thesis has been accepted in the departmental council of the Department of Information Technology, November 27th, 2007.

Examiners: Professor Esa Kerttula D.Sc. (Tech.)

Supervisor: Pekka Jäppinen D.Sc. (Tech.)

Lappeenranta, July 21st, 2008

Were S. Oyomno Kiviharjunkatu 8 B 18 53100 Lappeenranta Tel. +358 405 275 575 were.oyomno@lut.fi http://www.oyomno.org


Abstract

Lappeenranta University of Technology Department of Information Technology Were Oyomno

Security and Privacy in a Ubiquitous Information Screen Thesis for the Degree of Master of Science in Technology 2008

71 pages, 23 figures, 18 tables, 8 algorithms and 4 appendices.

Examiners: Professor Esa Kerttula

Pekka Jäppinen D.Sc. (Tech.)

Keywords: Ubiquitous Computing, Privacy, Security, Anonymity, Bluetooth, Personal Information, Preference

We expose the ubiquitous interaction between an information screen and its viewers’ mobile devices, highlight the communication vulnerabilities, suggest mitigation strategies and finally implement these strategies to secure the communication. The screen infers the information preferences of viewers within its vicinity transparently from their mobile devices over Bluetooth. Backend processing then retrieves up-to-date versions of preferred information from content providers. Retrieved content, such as sporting news, weather forecasts, advertisements, stock markets and aviation schedules, is systematically displayed on the screen. To maximise users’ benefit, experience and acceptance, the service is provided with no user interaction at the screen while securely upholding preference privacy and viewer anonymity. Compelled by the personal nature of mobile devices, the privacy of their contents, the confidentiality of preferences, and the vulnerabilities imposed by the screen, the service’s security is fortified. Fortification is predominantly through efficient cryptographic algorithms inspired by elliptic curve cryptosystems, access control and anonymity mechanisms. These mechanisms are demonstrated to attain the set objectives within reasonable performance.


Preface

This master’s thesis was carried out in the department of Information Technology at Lappeenranta University of Technology as a partial fulfilment of the requirements for the Master of Science.

Although writing a thesis is an indication that one is at the final stages of their studies, it is undoubtedly the most daunting and difficult part of the studies. Many a time it felt more like the end of the beginning than the beginning of the end. This is because this stage is filled with more questions than answers - where should I begin? how should I begin? what is wrong with code? and other numerous frustrations which are part and parcel of this trade.

Despite these difficulties I managed, a feat that would have been impossible without the guidance, support and encouragement of many whom I am compelled to acknowledge.

I would like to thank my supervisors, Professor Esa Kerttula and Dr. Pekka Jäppinen, for guiding me throughout the course of my thesis, the IMPIT coordinators for their support and the Department of Information Technology at Lappeenranta.

Finally, many thanks go to my father, Gordon Oyomno, for your invaluable feedback, comments and critiques regarding this thesis, my family for the encouragement and support you have shown me in this period I have been away from home and, last but not least, to my friends who have been patient and understanding in the crucial moments.

Lappeenranta, July 21st, 2008

Were Oyomno

CONTENTS

1 Introduction
1.1 Background
1.2 Research methodology
1.3 Organisation

2 Ubicomp information systems
2.1 The architecture of the ubicomp screen
2.1.1 Tier one: the preference provider component
2.1.2 Tier two
2.1.3 Tier three
2.2 Inter-tier communication
2.3 Implementation challenges
2.3.1 Screen’s pros
2.3.2 Screen’s challenges

3 Vulnerabilities and mitigations
3.1 Comprehensive visualisation
3.2 Cryptographic mitigations
3.2.1 Eavesdropping
3.2.2 Secret-key establishment and exchange
3.2.3 Rogue APs’ and impersonations
3.2.4 Man-in-the-middle exploits
3.2.5 Integrity, signatures and hashes
3.2.6 Elementary elliptic curves
3.3 Ubicomp’s perspective
3.3.1 Users perceptions
3.3.2 Privacy and personalisation
3.3.3 Beyond cryptography
3.4 Non-cryptographic mitigations
3.4.1 Big brother
3.4.2 Tracking, hotlisting and profiling
3.4.3 Anonymity realisation
3.4.4 Access control

4 Implementation
4.1 System components
4.1.1 PP unit
4.1.2 PR unit
4.1.3 Interactions
4.1.4 Assembling the secure screen
4.2 PP unit
4.2.1 Environment
4.2.2 Repository
4.2.3 PP unit assembly
4.3 PR unit
4.3.1 Environment
4.3.2 PR unit assembly
4.4 Interactions
4.4.1 PR - CA interaction
4.4.2 CA - PR interaction
4.4.3 PP - PR interaction
4.5 Assembling the system

5 Evaluations
5.1 Performance measures
5.1.1 Performance benchmarks
5.1.2 Performance with security
5.2 Cryptographic evaluations
5.3 Discussion

6 Conclusions

References

Appendices

List of Algorithms

1 Personality definition
2 Service providers’ definition
3 PP algorithm
4 PR algorithm
5 EC key-pair generation
6 ECDH shared secret computation
7 ECDSA signing
8 ECDSA verifying

List of Figures

1 Mobile devices shipments projections.
2 Simplified information screen architecture.
3 Information screen architecture.
4 Bluetooth market forecasts and proportions.
5 IrDA forecasts in 1000’s and product proportions.
6 Zigbee market forecasts.
7 Alice - PR communication.
8 Information screen vulnerabilities.
9 Mitigation of eavesdropping.
10 Public-key approach to deter Eve.
11 DH key-exchange algorithm.
12 Hughes DH key-exchange variation.
13 Hash functions and digital signatures.
14 ECC basic operations.
15 Secure information screen.
16 PP device.
17 Maemo platform components.
18 PPs database structure.
19 PP’s components assembly.
20 PP’s unit’s components.
21 Secure interactions.
22 Risk analysis of the secure information screen.
E1 CA in Mozilla Firefox 3 Beta 4.

List of Tables

1 Convergent devices market - Canalys estimates.
2 PR (Notebook - v2.0) - PP (Desktop - v1.2).
3 PR (Desktop - v2.0) - PP (Nokia N770).
4 PR (Notebook - v2.0) - PP (Desktop - v1.2).
5 PR (Desktop - v2.0) - PP (Nokia N770).
6 Dramatis Personae.
7 PR (Notebook - v2.0) - PP (Desktop - v1.2).
8 PR (Notebook - v1.2) - PP (Desktop - v2.0).
9 PR (Notebook - v1.2) - PP (Nokia N770).
10 PR (Notebook - v2.0) - PP (Nokia N770).
11 PR (Desktop - v1.2) - PP (Nokia N770).
12 PR (Desktop - v2.0) - PP (Nokia N770).
13 PR (Notebook - v1.2) - PP (Desktop - v1.2).
14 PR (Notebook - v2.0) - PP (Desktop - v1.2).
15 PR (Notebook - v1.2) - PP (Nokia N770).
16 PR (Notebook - v2.0) - PP (Nokia N770).
17 PR (Desktop - v1.2) - PP (Nokia N770).
18 PR (Desktop - v2.0) - PP (Nokia N770).

Acronyms and abbreviations

ubicomp Ubiquitous Computing

PARC Palo Alto Research Centre

LAN Local Area Network

MIT Massachusetts Institute of Technology

VR Virtual Reality

3D Three-Dimensional

NFC Near Field Communication

HCI Human Computer Interaction

AI Artificial Intelligence

OS Operating System

PC Personal Computer

RFID Radio-Frequency Identification

ME Mobile Electronic Personality

PDA Personal Digital Assistance

DoS Denial of Service

MITM Man In The Middle

CA Certificate Authority

RSA Rivest, Shamir and Adleman

DH Diffie-Hellman

SAFER Secure and Fast Encryption Routine

AES Advanced Encryption Standard

WAKE Word Auto Key Encryption Algorithm

TTP Trusted Third Party

PKI Public Key Infrastructure

ECC Elliptic curve Cryptosystems

ECDLP Elliptic Curve Discrete Logarithm Problem

ECDSA Elliptic Curve Digital Signature Algorithm

AP Access Points

WML Wireless Markup Language

SP Service Provider

WLAN Wireless LAN

RA Risk-Analysis

RM Risk-Management

UI User Interface

XML Extensible Markup Language

XSD XML Schema Definition

2D Two-Dimensional

GSM Global System for Mobile Communications

GPRS General Packet Radio Service

DB Database

ACID Atomicity, Consistency, Isolation, Durability

GTK+ The GIMP Toolkit

PyGTK+ Python wrappers for the GTK+ library.


BD_ADDR Bluetooth Device Address

PR Preference Requester

PP Preference Provider

PKI Public Key Infrastructure

PGP Pretty Good Privacy

GnuPG/GPG GNU Privacy Guard

CAC Channel Access Code

DAC Device Access Code

NSA National Security Agency

MD Message Digest

SSH Secure Shell

DNSSEC Domain Name System Security Extensions

TLS Transport Layer Security

SSL Secure Socket Layer

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol over SSL/TLS

NHL National Hockey League

NBA National Basketball Association

UEFA Union of European Football Associations

RFU Rugby Football Union

IS Information Systems

IrDA Infra-red Data Association

LAP Lower Address Part

UAP Upper Address Part

FMCG Fast Moving Consumer Goods

SDK Software Development Kit

MB Mega Byte

GB Giga Byte

kb Kilo bit

MHz Mega Hertz

CPU Central Processing Unit

MB Mega Byte

RAM Random Access Memory

LMP Link Manager Protocol

SCP Secure Copy

AMD Advanced Micro Devices

TLS Transport Layer Security

DNS Domain Name Service

SL Security Level

IEEE Institute of Electrical and Electronics Engineers

WiMAX Worldwide Inter-operability for Microwave Access

SDP Service Discovery Profile


SQL Structured Query Language

RF Radio Frequency

RISC Reduced Instruction Set Computer

WAN Wide Area Network

ARM Advanced RISC Machine

ETSI European Telecommunications Standards Institute

PAN Personal Area Network

SD Service Discovery

IETF Internet Engineering Task Force

ICT Information and Communication Technology

GHz Giga Hertz

ECIES Elliptic Curve Integrated Encryption Scheme

ECMQV Elliptic Curve Menezes-Qu-Vanstone

EC Elliptic Curve

FHSS Frequency Hopping Spread Spectrum

IM Instant Messaging

3G Third Generation

RFCOMM Radio Frequency Communication

L2CAP Logical Link Control and Adaptation Protocol

RS-232 Recommended Standard 232

TCP/IP Transmission Control Protocol/Internet Protocol

WSN Wireless Sensor Networks

MSC Message Sequence Chart

NISSG Network and Information Security Steering Group

ICTSB Information and communications Technology Standards Board

EESSI European Electronic Signature Standardisation Initiative

VOIP Voice over Internet Protocol

FP Prime Field

F2M Binary Field

C Ciphertext

E Encryption algorithm

P Plaintext

Si Signature by i

D Decryption algorithm

Kpbc Public Key

Kpvt Private Key

Ktrentpbc Trent’s Public Key

Ktrentpvt Trent’s Private Key


1 Introduction

Information plays an increasingly important role in our lives today. This role is better fulfilled by the right information, which is accurate and the most recent version. Acquiring such vital information is time-consuming. One often has to sieve large volumes of data most of which is irrelevant. Furthermore, the information obtained is often incomplete, inaccurate and soon becomes obsolete. These limitations on the value of information are attributed to the sources used such as:

• Static billboards provide stale, generic and often irrelevant information.

• Commercial screens often supply us with irrelevant information.

• Newspapers/Magazines are quickly rendered obsolete. Furthermore, their physical bulkiness has additional financial implications.

• The Internet is time-consuming, requires access tools and has additional cost implications.

These limitations are particularly relevant to up-to-date sports information, weather forecasts, stock markets, sales offers and aviation reports, among others. For instance, up-to-date sports information may include such items as league standings (e.g. National Hockey League (NHL), National Basketball Association (NBA), Women’s NBA (WNBA), Union of European Football Associations (UEFA), Rugby Football Union (RFU)), player trading, injured players, game results and so on. Weather forecast information ranges from hurricane warnings to tomorrow’s forecast, while flight schedules and delayed or grounded flights compose the aviation reports. Such information is important to a wide range of viewers from all walks of life, including sports enthusiasts, businessmen, stockbrokers, sports bettors, investment bankers, shoppers, travellers and others who might use it for decision making.

Establishing an information service that filters, retrieves and displays accurate and relevant information on behalf of the viewers, without the burden of user interaction and information overload, would be beneficial to many. To provide such a service we should be able to determine the information each user prefers. Informational preferences vary from one individual to another. The variations are based on their backgrounds, careers, interests, hobbies and other factors. This makes it difficult to predict individual informational preferences. Access to these preferences may entail use of millions of mobile devices (e.g. mobile phones, Portable Digital Assistants (PDA), smart phones¹ and handhelds) as personality definitions for the users.

¹ Operating-system-based or advanced mobile phones.

Mobile device shipment growth rates reveal overwhelming statistical data. Device markets are estimated to exceed one billion units by the year 2009, as depicted in Figure 1, with smart phone shipments reaching 200 million units. Both conventional mobile device and smart phone sales have surpassed earlier sales predictions [1, 2].

Figure 1. Mobile devices shipments projections.

The convergent devices market (smart phones and wireless-enabled handhelds), illustrated in Table 1, is the fastest growing segment, representing 10% of the mobile devices market as of 2007. Studies have also revealed that more users are open to new features such as location-based services and Bluetooth connectivity, with relatively fewer showing interest in multimedia services, as witnessed in the decline of camera phones. Big trends over the next half decade are poised to include adoption of various wireless-capable devices [2].

Vendor | Q4 2007 units | % share | Q4 2006 units | % share | Growth Q407-Q406
Total | 35,552,360 | 100.0 | 20,667,200 | 100.0 | 71.9%
Nokia | 18,802,480 | 52.9 | 11,114,630 | 53.8 | 69.2
RIM | 4,046,860 | 11.4 | 1,829,260 | 8.9 | 121.2
Apple | 2,320,840 | 6.5 | - | - | -
Motorola | 2,301,260 | 6.5 | 1,463,090 | 7.1 | 57.3
Others | 8,050,920 | 22.7 | 6,260,220 | 30.3 | 28.6

Table 1. Convergent devices market - Canalys estimates.

These statistics suggest an outstanding base of devices capable of utilising the information service and are sufficient motivation for the service. Mobile devices serve adequately for the purpose; however, to establish a mobile device service with sufficient capacity, fundamental issues need to be addressed. Most individuals accord some privacy protection to the information they seek or to the device hosting this information, and are reluctant to make it available.

The benefits of such a service often reinforce users’ willingness to provide personal information to permit user-specific information personalisation. Additionally, demand for accurate information, displayed securely on a larger screen without any privacy or security compromises despite being inferred transparently, motivates users even further towards such a service. Security reinforcements encompass assurance that personal information will be strictly safeguarded, that users’ privacy and anonymity will be upheld, and that no personal information will be stored or used beyond the stated reasons. A personalised information service consistent with the detailed security and privacy features will most likely convince users to provide their information preferences in order to reap the service benefits.

In a typical scenario: “Alice, Bob and Carol walk by the ubiquitous information screen en route to pick up David from the airport. The screen changes from displaying cycling news to WNBA team standings, to international weather reports, to delayed flights and then to UEFA match fixtures before displaying the 50% discount sale at XYZ cosmetics shop”. Assume that Alice and Bob have interests in the latest WNBA team results and cosmetics. Carol is a soccer fan who frequently bets on UEFA games and is thus particularly interested in match fixtures. In this example the trio confirms that David’s flight will be two hours late, attributed to bad weather, giving them time to attend the XYZ sale rather than wait for two hours at the airport. Alice, Bob and Carol view their preferred information securely, without Bob disclosing his interests in cosmetics to Alice, or Carol exposing her betting desires.

The example above underpins the notion of a ubiquitous information service, which is at the heart of the study reported here. Specifically, the study explores how such communication systems may be secured from malicious entities. It examines, among other things, the architecture of the security system, its implementation, and performance and overhead evaluations, with specific regard to the services and the benefits the system provides to users.

Safeguarding users’ private preference information from likely malicious target marketers and eavesdroppers enables user acceptance and service proliferation. The implementation maintains users’ anonymity within reasonable performance overhead.

1.1 Background

Securing such a ubiquitous information service requires some basic grounding in Ubiquitous Computing (ubicomp). Ubicomp is a shift from traditional Human Computer Interaction (HCI), integrating information processing into everyday objects. These objects transparently process information and present their results to the users. The results are presented in a manner that eases users’ lives unobtrusively, often without their awareness or notice, like water and electricity [3].

Electricity offers a good comparison to ubicomp systems. We often use coffee machines, dish washers, Personal Computers (PC) and other electrical devices without getting involved in issues relating to the generation of electricity (e.g. hydroelectric, solar or nuclear power), its transmission or management. Similarly, in ubicomp systems, users need not be concerned about how their mobile phone locates their missing cat, how the restaurant knows their wife’s favourite music, how the waitress knows their coffee mug is empty or how the information screen knows that a particular user has a vested interest in UEFA match fixtures. In ubicomp, users engage numerous computing devices and systems simultaneously in the course of everyday activities, often without realising it.

The term ‘ubiquitous computing’ was coined by Mark Weiser in 1988 while Chief Technologist at the Xerox Palo Alto Research Centre (PARC). Weiser recognised that extending processing capabilities to everyday objects would require consideration of the social, cultural and psychological phenomena beyond its proper ambit [4, 5]. This recognition motivated Weiser’s vision of ubicomp as: “the third wave in computing, just now beginning. First were mainframes, each shared by lots of people. Now we are in the personal computing era, person and machine staring uneasily at each other across the desktop. Next comes ubiquitous computing, or the age of calm technology, when technology recedes into the background of our lives”.

Early ubicomp contributors include Massachusetts Institute of Technology (MIT) Media Laboratory’s Hiroshi Ishii, with “Things that think”, and Natalie Jeremijenko’s ‘Live Wire’. Live Wire, also known as ‘Dangling Strings’, was among the earliest ubicomp systems. Developed at PARC by Natalie Jeremijenko and Mark Weiser, it consisted of a set of strings connected to a motor controlled by a Local Area Network (LAN). The strings twitched, giving noticeable indications of network traffic. The unobtrusive nature of Live Wire led Weiser to associate the term “calm technology” with ubicomp. Since then, ubicomp has grown to encompass an array of calm technology in research topics like distributed computing, mobile computing, sensor networks, HCI and Artificial Intelligence (AI) [5].

In its growth ubicomp established relationships with emerging concepts like everyware, pervasive computing, invisible computing, ambient environments, wearable computing, augmented reality, locative media and body area networking [3, 4, 5, 6]. Supported by technological advances that have enabled smaller hardware footprints with better performance, ubicomp has resulted in a rapid proliferation of digital intelligence into pets, mobile phones, coffee mugs, jeans and billboards, now considered to be part of the ubiquitous network. This deployment suggests that it is no longer surprising for your cat to communicate with your PDA, and your coffee mug with your boss, ‘transparently’. Transparency has facilitated rich ubicomp application areas like pet monitoring, management of employees and property security. These intertwined and transparent interactions make it important to assure the security of our devices, our pets and their interactions, lest we fall victim to ridicule, exploitation and harm [3, 6, 7].

Despite these concerns, the vision of “invisible computing” has inspired enabling technological innovations, developing a fertile breeding ground for ubicomp. These include innovations like embedded sensors, microcontrollers, Radio-Frequency Identification (RFID) tags, Two-Dimensional (2D) barcodes, biometrics and ubiquitous networking (e.g. Wireless LAN (WLAN), IEEE 802.15.4 (Zigbee), Bluetooth, Near Field Communication (NFC), Infrared Data Association (IrDA)) [3]. Such innovations have expanded ubicomp into such domains as gaming, hospitals, airports, hotels, university networks, emergency services, advertising and information screens [4, 8, 9, 10]. The vision of replacing desktop computing with numerous intimately intertwined computations in everyday form factors acting as sensing and processing sites motivates us to consider such an information service. The service interacts with background processing to transparently make up-to-date information available to users, as Figure 2 illustrates.

[Figure 2 labels: Internet; Service Provider (SP); Content Provider (CoP) with <global stock market>, <ice-hockey news> and <holidays & flights>; Bluetooth Access Point (AP); ME enabled mobile device; viewers: ice-hockey fan, stockbroker, tourist; screen items: NHL results, NYSE index, Delayed Flights, Holiday discount.]

Figure 2. Simplified information screen architecture.

Mobile Electronic Personality (ME) [8] and Digital Aura [11] are two ubicomp systems designed from the perspective of users carrying personal devices that describe their preferences/personality.

From the information screen perspective, such devices sufficiently define an individual’s information preferences to enable personalisation. In the information screen architecture, the Service Provider (SP) requests and retrieves the informational preferences from an individual’s ME device. The novelty of the ME system lies in enabling the SP to make the requests and retrievals transparently using Bluetooth technology, thereby allowing the SP to retrieve the preferred content from Content Providers (CoP) and display information that users in the vicinity prefer to see. This results in a personalised and better targeted information service, which is every SP’s goal. The information screen’s basic idea is illustrated in Figure 2. The ME devices are Bluetooth-enabled devices with the ME application installed and running, in which the user defines their information preferences. The differential nature of preferences implies that the screen displays different information for different viewers [8].

Information exchange between the ME devices and the SP is automatic, with limited or no user interaction. This is the essence of processing transparency. This automation requires a mechanism for users to determine their preferences in advance to make the interactions natural and seamless. Extensible Markup Language (XML) and XML Schema Definition (XSD) are adopted for the definition and persistence of personal information pieces and associated security levels in the ME system. A potential privacy vulnerability of the ubicomp system arises from the automation that limits user interaction with the system. This is especially the case in situations where such systems interact with users’ personal information or with devices that have access to such information. Improper handling of such personal information could result in harm, embarrassment or financial implications for the users. It is therefore important that the operations of ubicomp systems, including the information screen, are safeguarded. Typical vulnerabilities of the information screen include:

• Data modifications

• Replay attacks

• Disrupting the communication

• Eavesdropping

• Rogue Access Points (AP)/Malicious nodes

• Hotlisting

• Profiling users

• Location tracking

• Denial of Service (DoS) attacks

Similar threats in electronic transactions and services led the Information and Communications Technology Standards Board (ICTSB), a European standardisation board, to steer various work groups in addressing these concerns. Such groups included the European Electronic Signature Standardisation Initiative (EESSI) and the Network and Information Security Steering Group (NISSG). The groups recognised the importance of mitigating two categories of threats, system and application threats and infrastructure threats, within the European Union (EU) information space using a set of security services, technical procedures and policy security controls based on the United Kingdom’s (UK) e-business/e-governance model. Various issues were addressed in the model, ranging from confidentiality and privacy services to assurance services. Despite the conclusion of the work groups, they generated a number of directives, the best known being Directive-1999/93/EC:1999. This directive stipulates guidance for protection profiles and the implementation of Secure-Signature Creation Devices² (SSCD) for signature-creation data [12, 13, 14].

These vulnerabilities are undesirable; Greenfield [3] emphasises that “ubiquitous systems must default to a mode that ensures users’ physical, psychic, and financial safety”. This mode is realised through various confidentiality, integrity and accountability strategies that mitigate the listed vulnerabilities via security and privacy mechanisms in ubicomp systems. Incorporating these mechanisms into the ubiquitous communication of the information service is the core concern of this study.

² A Signature-Creation Device (SCD) is configured software or hardware used to implement the signature-creation data.

1.2 Research methodology

The objective of this study is to model and implement the secure transmission of personal information between users’ ME devices and the SP within reasonable performance. The challenge of securing such a service is complicated by the differentiated and unpredictable privacy views of users. One user may consider a shopping list as private, while another may care less for it. These varying privacy requirements, described as “faces or masks”, are interchanged depending on the context of use [15]. Typically, most users wear one mask when dealing with their employers and a different one with family members. In modelling this secure information service, we define a reasonable privacy level for its context. Bluetooth, as the chosen transmission medium, also imposes additional challenges.

The Bluetooth medium complicates the task by giving a potential adversary a proximity of 10-100 meters, extendible to 1610 meters through hardware modification. This gives adversaries proximity camouflage from which to launch attacks, implying they could be next to us or a mile away using a Bluetooth sniper rifle and a more powerful machine [16, 17]. Furthermore, various Bluetooth insecurity issues, such as negative publicity due to flawed vendor implementations, may also affect users’ overall perception of the system. While the numerous security breaches of Bluetooth technology are well documented in the literature, the security tools and Internet publications detailing how to accomplish the feats worsen this situation [18, 19, 20]. Restricting this study to safeguarding the personal information communication between ME devices and the SP renders issues of Bluetooth security out of scope, though such issues are briefly discussed where appropriate. Similarly, security attacks involving physical threats or torture (rubber hose attacks) and radio jamming attacks are not considered.

To achieve the set goals we have implemented cryptographic schemes in the ME devices and the SP. Furthermore, to ease the description of schemes, scenarios and algorithms, the characters illustrated in Appendix A, Table A were utilised.

1.3 Organisation

This thesis is organised into six chapters. This is done to enable a natural flow of events in addressing the challenges. Chapter 2 reviews the theoretical and architectural underpinning of the ubicomp information system. This is accomplished by presenting an architectural layout of the system, its component tiers, their working and considerations. Flowing from this overview, Chapter 3 critically analyses the security concerns of the ubicomp system and suggests mitigation strategies. The overall vulnerabilities of the system are first introduced before their analysis is split into vulnerabilities with cryptographic mitigations and those with non-cryptographic mitigations. Before discussing non-cryptographic mitigations, the limitations of cryptographic solutions are addressed, thus justifying the need for alternative strategies.

In Chapter 4, the security architecture and implementations required to meet the objectives are addressed to provide a secure ubicomp information service environment. Chapter 5 presents the performance measures, comparisons and analysis of the implemented strategies. In Chapter 6 of the thesis, the discussions and conclusions drawn from the study are presented.

2 Ubicomp information systems

To understand the security requirements and implications for ubicomp systems, it is nec- essary to conduct a systematic analysis of the structure of such systems. In doing so, it is imperative to first partition such systems into their main architectural components and then subject each to the required examination. In the study reported here, three dimen- sions of ubicomp systems were examined, namely.

1. The architecture of the information screen 2. The communication between tiers of the system 3. The implementation challenges the system poses

2.1 The architecture of the ubicomp screen

Typically, the ubicomp system is composed of three functional layers or tiers, namely:

1. The Preference Provider (PP) tier, referred to as tier 1

2. The Preference Requesting (PR) tier, referred to as tier 2, and

3. The Content Provider (CoP) tier, referred to as tier 3.

Figure 3 illustrates the layered relationship between these components.

[Figure 3 diagram: Tier 1 Preference Providers (PP, PP2 to PP5) connect over Bluetooth to the Tier 2 Access Point (AP), Preference Requestor (PR) and screen, which reach the Tier 3 Content Providers (CoP) over the Internet: sports, advertisement and airport information servers supplying items such as NHL results, delayed flights, 50% discounts and weather reports.]

Figure 3. Information screen architecture.


The personalised information service system utilises the information preferences of users to customise services to suit individuals’ specific preferences and tastes. To achieve this, it retrieves pieces of personal information from individuals who are running the ME application on their mobile devices. These individuals are synonymously referred to as the screen users, PPs or viewers. Retrieved pieces of personal information are the viewers’ information preferences. If some information servers require users to log in to predefined accounts, additional information such as usernames, passwords and nicknames may be retrieved.

Despite the fact that the current range of services only retrieves users’ names and preferences, the unmistakable novelty of the system lies in the ubiquitous manner in which it retrieves, handles and utilises the personal information. It materialises the ubiquitous interactions by splitting the entire architecture into units that act as responsibility delegates for other tiers. The communications between the tiers occur transparently in the vicinity of the screen without user intervention. To facilitate preference determination and initialise ubiquitous functionality, the architecture of tier one has predefined values and a Service Discovery (SD) mechanism.

2.1.1 Tier one: the preference provider component

Most mobile devices that users carry with them today offer multiple wireless interfaces for both local area access (e.g. WLAN, Bluetooth, IrDA, Zigbee or NFC) and wide area access (e.g. 2.5G or 3G cellular technologies). Of the local area access technologies, the one chosen for the information screen implementation should, as a minimum:

• Be able to distinguish PPs from each other

• Be widely deployed on mobile devices

• Be based on an open standard as opposed to a closed-standard/proprietary technology

• Be efficient on energy in relation to processing and cost

• Be supported on heterogeneous devices

• Have a built-in mechanism to advertise supported services

• Support automatic device and service discovery forming ad-hoc networks

• Be omni-directionally connectable

• Possess a transport protocol supporting a client-server architecture

Bluetooth is currently the most popular and the fastest growing of the local area access technologies. Its market was estimated to be 272 million in 2005, 540 million in 2006 and is expected to exceed the one billion mark in 2009. This market is currently differentiated into over 3599 products, almost half (1624) of which are mobile phones, PDAs and handhelds. As Figure 4 illustrates, the rapid growth of the market is attributed mostly to the rapid adoption of mobile devices. Other growth contributors include lower chip costs and resolution of inter-operability with WLAN [21, 22, 23].

Figure 4. Bluetooth market forecasts and proportions.

Comparison of Bluetooth and WLAN shipments is complicated by the price and usage differences. Although Bluetooth surpasses WLAN in shipment volumes, it still has lower volumes in dollar terms. This situation, however, is bound to change soon. Beyond its rapid proliferation, Bluetooth technology is a superior choice for tier one communication. It has implementation and functional advantages. Its closest competitor, WLAN in ad-hoc mode, has been implemented on comparatively fewer mobile devices. At the same time, it experiences lower mobile device incorporation rates than Bluetooth. WLAN also consumes more resources (energy, storage, bandwidth). Furthermore, its higher price/throughput relationship renders it extravagant compared to both Bluetooth and IrDA technologies [22, 23].

Comparatively, IrDA transceivers shipped in 2006 numbered 314 million units, an increase of 6% from the previous year. The shipment growth rate is estimated at 6.5% for years 2007 - 2008, as Figure 5a illustrates. In terms of Figure 5b, the bulk of the shipment was in mobile phones (85% - 267 million phones). IrDA is experiencing market reduction in the PDA and notebook markets due to competition from WLAN and Bluetooth. The introduction of a new IrDA standard, IrSimple (2007), with a data rate of 4 Mbit/s is expected to fill mobile devices’ requirements for low power and costs, previously held by the SIR based transceivers. IrDA fails on the grounds that it is directional, thus requiring line-of-sight/point-and-shoot style applications. This is unlike the omni-directional Bluetooth that connects through solid non-metal objects (e.g. walls). IrDA’s linear range of about one meter is restrictive, as is its lack of automatic device discovery to form ad-hoc networks. This is primarily because it lacks in-built device distinguishability [24].

Figure 5. IrDA forecasts in 1000’s (a) and product proportions (b).

Zigbee is an alternative closed standard of the Zigbee Alliance 802.15.4. Zigbee is poised for monitoring and control, as opposed to Bluetooth, the cable replacement. Being a closed standard, it limits potential users to a handful compared to Bluetooth. Zigbee also lacks service discovery, ad-hoc and profile capabilities. Despite Zigbee and Bluetooth hardware being closely priced, Bluetooth outsold Zigbee by 2006 at a 20:1 ratio. Zigbee additionally deploys a complex, yet to be proven mesh technology with long recovery times [25].

Figure 6. Zigbee market forecasts.

The argument presented above positions Bluetooth technology as the best ubiquitous network for PPs at this level of granularity. Thus, PPs comprise a number of Bluetooth-enabled devices running the ME application. These heterogeneous devices include mobile phones, smart phones, PDAs and other handheld devices which, according to recent market surveys, have surpassed PCs in sales volume. Despite the heterogeneity of these devices, a substantial number are capable of benefiting from information screen services. In fact, the shipped Bluetooth devices (Figure 4) consist mostly of mobile phones [1, 2, 22, 23]. These devices form the tier one architecture of the information service.


Tier one represents the finest granularity level of the service architecture. At this level users define their personality details like information preferences, names and other personalisation requirements data. Along with each defined item of personal data is an associated security level definition, as the XML schema in Algorithm 1 depicts. Security definitions discriminate the information availed to different SPs; for instance, a social number should only be availed to trusted SPs like the police and hospitals. Similarly, generic information like favourite colour can carry a lower security definition. Algorithm 1 reflects this on Alice’s favourite colour.

Algorithm 1 Personality definition

<?xml version="1.0" encoding="UTF-8"?>
<personality xmlns="http://www.babylonFive.axi/%7Babylonians/ME"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.babylonFive.axi/%7Babylonians/ME ME.xsd">
  <!-- securityLevel discriminates which SPs may receive each field -->
  <fullName>
    <firstName securityLevel="2">alice</firstName>
    <lastName securityLevel="7">skywalker</lastName>
  </fullName>
  <socialNumber securityLevel="10">123-GHT-12345</socialNumber>
  <dateOfBirth securityLevel="6">12-02-1989</dateOfBirth>
  <address securityLevel="8">Ruskonlahdenkatu 4 B 3</address>
  <homePhone securityLevel="8">0123456789</homePhone>
  <sports securityLevel="2">Hockey</sports>
  <favouriteColour securityLevel="0">Pink</favouriteColour>
</personality>

Alice’s personality as defined by her PP in Algorithm 1 avails her personal information to certain SPs. These SPs need to be known a priori with predefined security clearance levels. Approved SPs’ definitions are stored in the XML format depicted in Algorithm 2. Approval of SPs by Alice means she will not be bombarded with unsolicited SP messages, nor will her PP respond to preference requests by unapproved SPs. The schema defines the SP’s security clearance, name and public-key. The higher the SP’s security clearance, the more personal is the information retrieved and service provided. St. Johns Hospital, ranked 10, accesses all personality information from Alice’s PP; in contrast, Millennium Advertisements, ranked 3, only retrieves her first name, sports and favourite colour.

Tier one devices run the ME application with their Bluetooth radios in discoverable mode, advertising support for ME services. This advertisement allows the PR to discover the PP devices and verify ME service capability. Upon confirmation, the PR then requests personal information from the PP. On receiving the request, the PP authenticates the PR and responds with appropriate personal information. These responses are delivered to the next upper tier - tier two.


Algorithm 2 Service providers’ definition

<?xml version="1.0" encoding="UTF-8"?>
<serviceProviders xmlns="http://www.babylonFive.axi/%7Babylonians/ME"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.babylonFive.axi/%7Babylonians/ME ME.xsd">
  <!-- securityLevel on serviceName is the SP's security clearance -->
  <Service>
    <serviceName securityLevel="10">St. Johns Hospital</serviceName>
    <servicePublicKey>XXX6</servicePublicKey>
  </Service>
  <Service>
    <serviceName securityLevel="3">Millennium Advertisements</serviceName>
    <servicePublicKey>X234XX6</servicePublicKey>
  </Service>
  <Service>
    <serviceName securityLevel="6">sport information screen</serviceName>
    <servicePublicKey>XX78654X6</servicePublicKey>
  </Service>
  <Service>
    <serviceName securityLevel="9">Precinct 13 Police Station</serviceName>
    <servicePublicKey>XXXDEY78654X6</servicePublicKey>
  </Service>
</serviceProviders>
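The release rule implied by Algorithms 1 and 2, as an added example (not the thesis's ME implementation): the PP releases a field only when the approved SP's clearance is at least the field's securityLevel. The comparison rule, the fail-closed handling of missing or mis-cased attributes and the function names are assumptions; the XML is a constructed sample condensed from the two algorithms.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.babylonFive.axi/%7Babylonians/ME}"  # namespace used on the page

# Constructed sample, condensed from Algorithm 1. dateOfBirth deliberately
# carries a mis-cased attribute name to exercise the fail-closed path.
PERSONALITY_XML = """
<personality xmlns="http://www.babylonFive.axi/%7Babylonians/ME">
  <fullName>
    <firstName securityLevel="2">alice</firstName>
    <lastName securityLevel="7">skywalker</lastName>
  </fullName>
  <socialNumber securityLevel="10">123-GHT-12345</socialNumber>
  <dateOfBirth securitylevel="6">12-02-1989</dateOfBirth>
  <homePhone securityLevel="8">0123456789</homePhone>
  <sports securityLevel="2">Hockey</sports>
  <favouriteColour securityLevel="0">Pink</favouriteColour>
</personality>
"""

# Constructed sample, condensed from Algorithm 2.
APPROVED_SPS_XML = """
<serviceProviders xmlns="http://www.babylonFive.axi/%7Babylonians/ME">
  <Service>
    <serviceName securityLevel="10">St. Johns Hospital</serviceName>
    <servicePublicKey>XXX6</servicePublicKey>
  </Service>
  <Service>
    <serviceName securityLevel="3">Millennium Advertisements</serviceName>
    <servicePublicKey>X234XX6</servicePublicKey>
  </Service>
  <Service>
    <serviceName securityLevel="6">sport information screen</serviceName>
    <servicePublicKey>XX78654X6</servicePublicKey>
  </Service>
</serviceProviders>
"""


def parse_level(element):
    """Return the element's securityLevel as a non-negative int, else None."""
    raw = element.get("securityLevel")  # XML attribute names are case-sensitive
    try:
        level = int(raw)
    except (TypeError, ValueError):
        return None
    return level if level >= 0 else None


def load_approved_sps(xml_text):
    """Map each approved SP name to (clearance, public key placeholder)."""
    approved = {}
    for service in ET.fromstring(xml_text).iter(NS + "Service"):
        name = service.find(NS + "serviceName")
        key = service.find(NS + "servicePublicKey")
        if name is None or key is None or not (name.text and key.text):
            continue  # incomplete entry: not approved
        clearance = parse_level(name)
        if clearance is not None:
            approved[name.text.strip()] = (clearance, key.text.strip())
    return approved


def releasable_fields(personality_xml, approved, sp_name):
    """Fields the PP may send to sp_name. The name lookup only selects the
    clearance; authenticating the SP against its public key happens before this."""
    entry = approved.get(sp_name)
    if entry is None:
        return {}  # unapproved SP: the PP does not respond with any data
    clearance = entry[0]
    released = {}
    for element in ET.fromstring(personality_xml).iter():
        if len(element):  # container such as <personality> or <fullName>
            continue
        level = parse_level(element)
        # Fail closed: a field with no usable securityLevel is never released.
        if level is not None and level <= clearance:
            released[element.tag.split("}", 1)[-1]] = (element.text or "").strip()
    return released
```

With the mis-cased `securitylevel` on dateOfBirth, even the clearance-10 hospital does not receive that field, which is the safer failure than treating an unreadable level as 0.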

2.1.2 Tier two

Coming between Tiers one and three, Tier two receives responses from PPs, formats them appropriately and forwards them to Tier three. Architecturally, the Tier consists of a Bluetooth AP, the PR and the screen. The AP operates in a range of 10 - 100 meters. The number deployed varies depending on the screen size and desired performance level. Large screens with high traffic anticipations, viewable from longer distances, utilise many long range APs in their deployment. On the other hand, less sensitive and fewer AP radio deployments are reserved for smaller screens that anticipate less PP traffic.

In general, with traffic of 20 PPs and a Bluetooth version 1.1 (v1.1) AP, the PR takes about 31 seconds to retrieve the users’ information preferences. The 31 seconds duration suggests that some PPs could have moved beyond the screen and not benefited from the service. However, using Bluetooth v1.2, v2.0 or v2.1 for the AP reduces this duration to 2.5 seconds for the same amount of traffic. While this is a significant improvement, further optimisations are achieved by using numerous long range APs [8]. We estimated that an average viewer will spend 15-30 seconds viewing information of interest to them. This range is then used as rough guidance for anticipated ubicomp latency.

It should be noted that whenever no PPs are within the range of the screen, the PR updates its cache from CoPs and displays random information news, like the cycling results in the previous Alice, Bob and Carol scenario in Chapter 1. Updating the cache improves the system’s overall performance by reducing cache updates that may be required when PPs are within the vicinity of the screen. Random displaying of information proceeds until a PP enters the vicinity and responds to the requests for information preferences. This means that the screen is never blank.

Received preferences are tallied to formulate a displaying policy. The policy is based on displaying most requested information first rather than longer or First-In-First-Out (FIFO). As the contents are retrieved from the CoPs earlier and cached, the time to display the news is relatively small. Also, because of the latencies in scanning and in getting preferences from all PPs in the vicinity before displaying, these actions happen simultaneously. Rather than scan all PP devices before displaying their preferred information, only five devices are scanned at a time, and previously identified devices need not be re-scanned. Instead, their preferences are assumed not to have changed and are hence only tallied.

2.1.3 Tier three

Distributed across the Internet are numerous reliable information sources providing up-to-date coverage on a variety of subjects, such as weather reports, news headlines, airport flight schedules and stock markets. Groups of these information providers that can be successfully queried by Tier two are CoPs. Numerous CoPs are bundled together, forming the Tier three architecture. CoPs include information servers maintained by different special and general news providers. Special news providers include NHL, NBA, WNBA, golf, tennis, rugby, Entertainment and Sports Programming Network (ESPN), eurosports, local and international stock markets (NYSE, JSE), airport flight schedules and weather reports, while news providers like Cable News Network (CNN) and British Broadcasting Corporation (BBC) are general news providers. Relevant predefined pages from the CoPs are cached in Tier two and are regularly updated. This is particularly true for the more general information like weather and flight information. However, personal information like Carol’s actual UEFA game bets is not cached; rather it is fetched on the query.

Considering the three-tier architecture, the quality and functionality of the service is determined by the quality of inter-tier communications. The more personal the information, the better the personalisation. For instance, if Carol registered with the UEFA betting service, as previously illustrated, with a username and password, providing these details to the PR enables her to view specific informational requirements. This raises concerns about the sufficient level of personalisation, the anticipated risks at this level of personalisation, whether personal information can be kept anonymous in public and what the upper limit on informational requests is.

Despite unclear answers to the questions, basic inter-tier communication is through requests and responses. Tier one and Tier two accomplish the communication over a wireless medium (Bluetooth), while Tier two and Tier three use a wired high speed connection to benefit from the speed up. Remotely located screens lacking a wired connection may use wireless media, like Worldwide Inter-operability for Microwave Access (WiMAX), other Wide Area Networks (WAN) or satellite connectivity. The focus of this thesis is on the Tier one - Tier two communication. Close scrutiny of exchanged messages eases the formulation of solutions to the previous questions.

2.2 Inter-tier communication

Restructuring inter-tier communications into scenarios with the characters illustrated in Table A makes their analysis easier. This restructuring refers to Tier one (groups of PPs) as Alice and to Tier two as the PR. The PR scans its landscape for all Bluetooth devices in discoverable mode. Bluetooth Device Addresses (BD_ADDR) of discovered devices are appended to a list that is then sequentially polled. Polling is through the inquiry and Service Discovery Profile (SDP), allowing the devices that are still in discoverable mode to respond, listing supported services as illustrated in Figure 7.

[Figure 7 diagram: message sequence between Alice’s PP, the SP’s PR, the information screen and the CoPs. PR to PP: Inquiry + Service discovery; PP to PR: Inquiry response; PR: add alice’s BD_ADDR to list; PR to PP: SPname+PrefReq; PP to PR: alice+pref(wnba); PR to CoPs: request information (sports, weather, stock markets); CoPs to PR: up-to-date information (sports, weather, stock markets); PR: update information cache; screen: random information, then display wnba information.]

Figure 7. Alice - PR communication.

Each received inquiry response is parsed to determine if the ME service is supported. Consequently, devices lacking the ME service are dropped from the list, while those supporting the ME service are further queried over Radio Frequency Communication (RFCOMM, see footnote 3) for preferences as illustrated in Figure 7. The request contains the preference request (PrefReq) and the SP’s identity/name (SPname). On receiving this request, Alice responds with her name (alice) and preferred information (wnba). On receiving Alice’s response, the PR updates the list status by incrementing WNBA requests. After incrementing the WNBA requests, the most requested information (assuming it is WNBA) is displayed first. The displayed information represents the most recently cached version of the WNBA web page.

Footnote 3: A simple set of transport protocols, based on the Logical Link Control and Adaptation Protocol (L2CAP) (single connection multiplexing), that emulates RS-232 serial ports, connecting up to 60 concurrent connections of a Bluetooth device at a time. The protocol is based on the European Telecommunications Standards Institute (ETSI) standard TS 07.10 and provides roughly the same service and reliability guarantees as the Transmission Control Protocol (TCP) with similar scenarios [26].

As Figure 7 shows, the PR also requests various information from different CoPs, although only a single CoP is depicted. Requests from Tier two to Tier three (dashed arrows) are background activities occurring concurrently with foreground activities (solid arrows). Displaying preferred information is also overlapped with querying PPs for preferences or scanning the landscape for new PPs.

The PR’s subsequent scanning of the landscape most likely discovers Alice again. In this round no preferences are requested from Alice. The PR assumes her preference will not have changed in this short time. Considering that the service has limited user interaction in the screen’s vicinity and as Alice is still present, it might be pointless to re-query her preferences. Rather, previously obtained values (WNBA) are used. If Alice wishes to change her preferences in the vicinity of the screen, she alters the preferences and then turns the PP into non-discoverable mode for about 0.25 - 1 minute. This time period is sufficient for the PR to refresh its PPs list, dropping the PPs that are no longer discoverable within its landscape.
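The PR polling behaviour described in Sections 2.1.2 and 2.2, as an added example (not the thesis's implementation): ME-capable devices are queried once, at most five new ones per pass, known devices are tallied from the list without a new query, and a device that stops being discoverable is dropped so that its next appearance is queried afresh. The class and function names, the "ME" service label, the dictionary standing in for inquiry + SDP results, the callable standing in for the RFCOMM exchange and the BD_ADDR values are assumptions or constructed samples.

```python
from collections import Counter

BATCH_SIZE = 5      # the page: only five devices are scanned at a time
ME_SERVICE = "ME"   # assumed label for the ME service in a discovery response


class PreferenceRequestor:
    def __init__(self, sp_name, rfcomm_query):
        self.sp_name = sp_name
        self.rfcomm_query = rfcomm_query  # stand-in for the RFCOMM exchange
        self.known = {}                   # BD_ADDR -> preference held in the list
        self.queries_sent = 0

    def scan_round(self, discovered):
        """One inquiry + SD pass; `discovered` maps BD_ADDR -> advertised services."""
        # Devices that no longer answer the inquiry leave the list.
        for addr in list(self.known):
            if addr not in discovered:
                del self.known[addr]
        # Only ME-capable devices that are not yet on the list are queried.
        fresh = [addr for addr, services in discovered.items()
                 if ME_SERVICE in services and addr not in self.known]
        for addr in fresh[:BATCH_SIZE]:
            self.queries_sent += 1
            reply = self.rfcomm_query(addr, self.sp_name, "PrefReq")
            if reply is not None:
                _name, preference = reply
                self.known[addr] = preference
        return self.display_order()

    def display_order(self):
        """Most requested preference first; ties broken alphabetically."""
        tally = Counter(self.known.values())
        return [pref for pref, _ in sorted(tally.items(),
                                           key=lambda item: (-item[1], item[0]))]


def run_demo():
    # Constructed PPs: BD_ADDR -> [name, preference]; lists so Alice can edit hers.
    alice = "00:00:00:00:00:A1"
    pps = {
        alice: ["alice", "wnba"],
        "00:00:00:00:00:B0": ["bob", "hockey"],
        "00:00:00:00:00:C0": ["carol", "wnba"],
    }

    def rfcomm_query(addr, sp_name, request):
        return tuple(pps[addr]) if addr in pps else None

    pr = PreferenceRequestor("sport information screen", rfcomm_query)
    air = {addr: {ME_SERVICE} for addr in pps}
    air["00:00:00:00:00:FF"] = {"Headset"}  # no ME service: never queried

    results = [(pr.scan_round(air), pr.queries_sent)]         # first pass
    pps[alice][1] = "golf"                                    # Alice edits her preference
    results.append((pr.scan_round(air), pr.queries_sent))     # old value still tallied
    hidden = {a: s for a, s in air.items() if a != alice}
    results.append((pr.scan_round(hidden), pr.queries_sent))  # Alice non-discoverable
    results.append((pr.scan_round(air), pr.queries_sent))     # Alice back: queried again
    return results
```

The second pass returns the same order as the first with no new query, so an edited preference only takes effect after the device has been absent for one pass.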

Predefinitions of parameters like preference, security levels and SPs of interest to Alice give the tiers’ interactions their unobtrusive nature, distinctive in ubicomp. The lack of visible user interaction in the screen’s vicinity accords some convenience and privacy.

Ubicomp services like the information screen have distinctive advantages compared to conventional informational approaches. However, there are also issues that need further consideration.

2.3 Implementation challenges

The presented ubicomp information screen offers considerable benefits to the users. Its ability to make inferences about its environment and determine an appropriate behaviour model is one such benefit. The environmental inferences border on the realm of context-aware computing. Context-aware computing describes systems conscious of their context of use, through various sensors allowing them to adapt their behaviour appropriately. The benefits of such context-aware functionality pose a number of implementation challenges ranging from resource optimisations to social aspects. Typically these include device heterogeneity, device disclosures and device sharing [3].

Determining sufficient automation so that the benefits of automation do not overwhelm the users should also be looked into. Striking a good automation-complexity balance is what Greenfield [3] terms ‘complexification’. In brief, complexification is the introduction of complexities and failure modes in areas where they were previously non-existent, often as a result of endowing everyday objects with digital intelligence where none is needed or necessary [3]. Typical complexification victims are often play, hiking and exercise. Thus marginal improvements of everyday life have to be balanced against the risk of ruining things already working well. This questions the potential advantages and risks of such ubicomp information services.

Additionally, ubicomp systems have the potential to unmask us in a manner similar to early social network applications, which were outright explicit representations of relationships (e.g. Bob considers Alice a contact and Carol is a friend). Likewise, if the ubicomp system states all information explicitly, it may also unveil the users in public. This unveiling has the potential to reveal our history of irresponsibilities, like unpopular political views and religious concerns that might cause embarrassment, discomfort or resentment.

Based on these considerations, it is evident that conventional screens also have their advantages. Advantages of contemporary approaches are often difficult to replicate and, when attempted, often fail. Hence, it is necessary to weigh the pros of a ubicomp screen against its challenges.

2.3.1 Screen’s pros

The immediate advantages of the ubicomp screen are time and cost saving. The time advantage is realised by eliminating the effort and time spent on searching for particular pieces of information by sieving through a large pile of irrelevant data. Cost saving materialises when one need not spend money and time at Internet cafes to read news or other information. Unlike traditional screens that repeatedly displayed a set of predetermined information (for example, first displayed perfumes, then movie releases, then new beer, then back to perfumes), this information screen displays information randomly depending on the PR’s landscape.

Other intrinsic benefits are manifested in the system’s seamlessness. Seamlessness illustrates smoothened interactions between the system’s Tiers and its inner working such that junctures are imperceptible to the user. Alice and Bob simply select their preferences and, on walking by the screen, their preferences are displayed without their immediate input. Things just work naturally without any effort on their part, in such a manner that they may not realise their involvement. Seamless interaction of ubicomp is a delicate topic among scholars [3]. Some feel it promotes dishonesty and gives no feeling of ownership to users, while others advocate for non-seamless interactions but with beautiful seams [3]. Most mobile devices are currently bundled with vast functionalities like digital cameras, Global Positioning Systems (GPS), Internet connectivity and so on. Few users exhaustively use these features, so when availed a mechanism allowing further use of their devices’ capabilities at no extra cost, it fulfils further intrinsic desires.


2.3.2 Screen’s challenges

A challenge for the information screen is determining the optimal amount of information to request from the PPs in providing sufficient personalisation. On the one hand, retrieving too much information from the PP escalates security and privacy concerns. On the other, retrieving insufficient information results in mediocre personalisation. This intricate balance has to be considered. Otherwise, the information screen could suffer from too much precision and detail that increase the communication latency. If numerous users wish to view detailed information requiring sign-in to accounts, such actions might slow down the system’s performance. This delicate balance puts into question whether users should be able to request precise or more generic predefined content.

Most of our daily activities as human beings are based on tacit and unspoken words. Such activities lack the precision and strict definitions required by Information and Communication Technology (ICT) systems generally and ubicomp systems specifically. This renders them difficult to replicate. Occasionally a user may simply browse sports or stock market web pages, or old newspapers/magazines, for generic outdated news or to gain an overall feel of the sporting or investment worlds. Alice might be a women’s basketball fan. This however does not stop her from wanting to know what is happening in ladies golf tour three months. Such tacit acts are difficult to replicate in this ubicomp screen.

The aggregation of users’ preferences is not an accurate representation of individualism. Often the case is that Alice has interests in American women’s basketball while Bob prefers the European league. Carol might prefer recent stock shifts in New York (NYSE) while Dave is focussed on offshore stocks at the Johannesburg Stock Exchange (JSE). If the screen sums their preferences as women’s basketball and displays the South American women’s basketball league and then the London Stock Exchange (GBX), this information becomes irrelevant news to them. Fine-tuning the preference is an alternative that carries the risk of overwhelming the devices’ resources and raises the issues described in the previous section. It may be wise to limit the information that users might request to be general enough to benefit a broader population of screen viewers and to prevent inappropriate uses like requesting inappropriate or copyright-infringing content.

The screen also suffers the challenge of manipulation detection and reproach. Given that displayed information is based on preferences, it is possible for marketers to purchase many Bluetooth devices and set them all to their particular product (e.g. root beer). Thus, by positioning themselves within the screen’s vicinity, they might successfully influence it to continuously display their information or advertisements at the expense of other viewers’ preferences. An appropriate scheduling policy renders this unprofitable for them. Similarly, an adequate business model renders this impractical, for instance having the screen display advertisements alongside the information, so that only registered marketers’ information is displayed, or a billing system based on advertisement display times.

Security concerns are the dominant challenges considering they have high computational and resource complexities.


Border crossing is one such concern, where our right to keep certain parts of our lives in isolation is violated. Violations materialise as informational eruption in an unexpected context or time. A typical scenario can be described by extending the scenario in Chapter 1, where Bob keeps his enjoyment of cosmetics use in isolation from his relationship with Alice. This would easily erupt should the screen display this information together with Bob’s name and picture. Evidently, other security and privacy concerns are potential in the ubicomp information screen beyond those previously described. This thesis focuses on such issues and, while trying to eradicate them, care must be taken not to unearth other vulnerabilities. In this mindset we take a closer look at the system from a vulnerability perspective. Countermeasures to the vulnerabilities are also considered in this analysis.


3 Vulnerabilities and mitigations

Information screen vulnerabilities occur at numerous junctures during its operations. Typical junctures are the networking between PR and CoP, the PR host, and PP devices. Haphazard aggregation of potential vulnerabilities and their countermeasures is a confusing and non-trivial task. To incorporate logical structure into the analysis, the following four-step approach is proposed.

1. Comprehensive visualisation.

2. Cryptographic mitigations.

3. Ubicomp perspective.

4. Non-cryptographic mitigations.

Comprehensive visualisation depicts the information screen’s threat vectors graphically. Vulnerabilities are depicted using characters and their associated roles as illustrated in Appendix A. Since this study focused on vulnerabilities between Tier one and Tier two (communication vulnerabilities), it is convenient to depict most threats in the same communication MSC diagram. Fragmentation of compound vulnerabilities into single compromises has two advantages. Firstly, it instils some ordering in these threats by numbering them. Secondly, it optimises the task of selecting relevant mitigations that stretch beyond single threat vectors. The comprehensive depiction of visualisable vulnerabilities is detailed in Section 3.1.

With some visual logic of potential threats, the task of demonstrating and motivating countermeasures is eased. We can now consider cryptographic mitigation strategies for the vulnerabilities. As these vulnerabilities are numbered systematically, following the logical numbering in search of effective mitigations eases the comprehension of our actions. Section 3.2 takes on this task, and discusses mitigations of eavesdropping on confidential communication, establishment and exchange of shared secrets, ridding of impersonations, ensuring communications integrity and deterring relay attacks. Also discussed in this section is a family of cryptographic algorithms, Elliptic Curve Cryptosystems (ECC).

Naturally, having applied suitable cryptographic mitigation strategies, there are special case vulnerabilities that linger on. These cases are unique to the ubicomp environment and therefore require a different mindset to address. To get us in that frame of thinking, Section 3.3 is presented after consideration of cryptographic mitigations. In this section relevant issues pertaining to users’ perceptions of privacy and security in ubicomp systems are discussed. Arising from the discussions are privacy issues concerning space, time and personality as well as trust and anonymity concerns. Section 3.3 also reviews and compares users’ perceptions in the implementation of other ubicomp systems.

With a reasonable frame of reference, Section 3.4 ventures into a realm beyond cryptographic mitigations, suitably titled ‘Non-cryptographic mitigations’. Here alternative countermeasures like access control, PPs’ anonymity concerns, exceedance of security clearance, location tracking and its counterparts (profiling and hotlisting) are discussed.

3.1 Comprehensive visualisation

To reduce complexity and ease comprehension, we subdivide often compounded vulnerabilities into single threats and graphically depict these as the screen’s vulnerabilities in Figure 8. These threats, numbered (i−vi), involve personified entity interactions illustrated by the MSC diagram. The illustration differentiates attack modes into active (solid line) and passive attacks (dashed line).

[Figure 8 diagram: MSC of the PR exchanging Inquiry + SD, Inquiry response, req+name+secLevel and preference messages (alice+Pref(wnba), bob+Pref(hockey), bob+Pref(beer), alex+Pref(cars)) with Alice and Bob, with the threats numbered (i) to (vi) and the adversaries Eve, Mike (MITM), Paul (Profiler), Tim (Tracking), Henry (Hotlisting) and Felix (Rogue AP) marked as passive or active participants.]

Figure 8. Information screen vulnerabilities.

Passive attackers are indirectly involved in the communication protocol. They simply observe the communication in an attempt to acquire information. In contrast, their active counterparts make attempts at altering the protocol to their advantage through deletion, substitution, addition or replaying of messages. Perhaps a more logical distinction of the screen’s vulnerabilities is on the basis of potential mitigation strategies. Mitigations to threats in Figure 8 can be broadly distinguished as cryptographic or non-cryptographic. The latter involve mechanisms like software control, access control, hardware control, policies, procedures and physical control, presented in Section 3.4. The former involve using cryptographic protocols and algorithms to deter adversaries, discussed in Section 3.2.

3.2 Cryptographic mitigations

Cryptography is the art of keeping messages/data securely concealed using encryption [27]. It is an art deeply rooted in complex mathematical problems to formulate encryption algorithms. Encryption algorithms transfer the mathematical complexities to adversaries via functions that encrypt plaintext data into ciphertext. However, having sufficient clues, one can solve the mathematical problem with considerable ease to recover the original plaintext. The clues are represented by shared secret tokens held by communication parties [28].

Cryptographic mitigations facilitate the alignment of confidentiality, integrity and availability of the services, messages and communication partners. Confidentiality guarantees that only authorised persons (e.g. Alice and PR) access the system and its resources and services. Integrity preserves communicated data as precise, accurate, consistent, meaningful, usable and unmodified; if it is modified, this is done in acceptable ways, by acceptable people and through acceptable processes. Availability relates to both data and services being presented in usable formats, with capacity to meet the needs, through timely responses and fair allocations. Message confidentiality safeguards communication privacy by effectively mitigating eavesdroppers.
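The following added example (not code from the thesis) shows how a receiver holding a shared secret token can detect the four active manipulations named earlier: deletion, substitution, addition and replay. It assumes HMAC-SHA-256 with a sequence counter as a stand-in integrity mechanism; the frame layout, the key and the names `seal` and `Receiver` are hypothetical, and the sample messages are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte sequence number || payload || tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver side: verifies the tag, then checks the sequence number."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, frame: bytes):
        """Return (verdict, payload); payload is None unless accepted."""
        if len(frame) < 8 + TAG_LEN:
            return "forged-or-modified", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "forged-or-modified", None   # substitution or addition
        seq = struct.unpack(">Q", body[:8])[0]
        if seq < self.next_seq:
            return "replayed", None             # an old frame sent again
        # A jump in the counter means earlier frames were deleted in transit.
        verdict = "ok" if seq == self.next_seq else "ok-after-gap"
        self.next_seq = seq + 1
        return verdict, body[8:]

def demo():
    key = b"constructed-shared-secret-token!"   # constructed sample key
    msgs = [b"req+name+secLevel", b"alice+Pref(wnba)", b"bob+Pref(hockey)"]
    frames = [seal(key, i, m) for i, m in enumerate(msgs)]
    rx = Receiver(key)
    forged = seal(b"x" * 32, 1, b"mike+Pref(cars)")  # sender lacks the key
    return [
        rx.accept(frames[0])[0],                           # genuine frame
        rx.accept(frames[1].replace(b"wnba", b"beer"))[0], # substitution
        rx.accept(forged)[0],                              # addition
        rx.accept(frames[0])[0],                           # replay
        rx.accept(frames[2])[0],                           # frame 1 deleted
    ]

if __name__ == "__main__":
    print(demo())
```

The tag only provides integrity and origin assurance: the payload still travels in plaintext, so a passive observer is unaffected.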

3.2.1 Eavesdropping

Surreptitious viewing of private communication, in our case preference data and personal information, is considered eavesdropping. Eavesdropping also occurs in other communications like telephone lines (wiretaps), Ethernet data, emails and Instant Messaging (IM). Unfortunately, it is more detrimental in a wireless medium, as it requires no physical attachment to the network and thereby conceals adversaries better. This makes it more difficult to notice or detect their presence or malice. The scenario is numbered (i) in Figure 8: Eve views the PR-Alice communications as they interact in plaintext.

PPs confide in the PR to ensure the discretion of their transmissions. As long as the PR-PP interaction proceeds in plaintext and Eve maintains her passiveness, it is difficult for either Alice or PR to detect or even realise the occurrence of the compromise. The difficulty
