Storage of sensitive data in a Java enabled cell phone
MSc Thesis, Tommy Egeberg, June 2006

Uploaded by: Carmela. Category: Education. License: All Rights Reserved. Added: January 31, 2008.

Presentation Transcript

Agenda:
- Introduction
- Problem
- Methods
- Results
- Conclusion
- Further Work

Introduction:
- Cell phones → small computers
- Stores a lot of sensitive information
- RMS, email, SMS, calendar …
- Able to run Java applications
- Mobile SSO solution
- Store passwords

Main problem (Problem):
- Will a Java MIDlet on a cellular phone be a secure location to store sensitive information?

Research Questions (Problem):
- What is already known about security in Java enabled cell phones?
- Will information stored on a cellular phone be easy to extract?
- How can we secure the stored sensitive information even if the cellular phone is lost or stolen?
- What kind of threats will the cell phone be vulnerable to?
- What kind of countermeasures can be used to reduce or eliminate the threats?

Methods:
- Literature study
- J2ME specifications
- Communication link; cell phone ↔ server
- Prototype
- Try to break into the prototype
- Security analysis
- Identify threats and vulnerabilities

Digital safe (Methods):
- Master password
- PIN
- Pass-faces
- Stored as a SHA1 hash digest
- The sensitive information
- AES encrypted with a 128 bit key
- Key derived from master password, username and an iteration count of 20, as described in PKCS5v2 [1]

Remote deletion (Methods):
- SMS sent to the phone with the digital safe installed
- Defined port number
- The AMS starts the digital safe
- SHA1 value of password
- Deletes the stored information

Stealing MIDlet (Methods):
- Upgrade a previously installed MIDlet
- The RMS will not be erased
- Read the stored information
- Identical values in the JAD file
- Can be used to inject Trojan code

Results:
- Encryption and decryption
- Bouncy Castle Crypto API [2]
- AES, SHA1, …
- Remote deletion is a poor functionality
- Can easily be deactivated
- Data stored in the RMS can easily be extracted

Data extraction (Results):
- Forensic methods [3]
- Desoldering techniques, boundary-scan (JTAG)
- Native applications
- Windows Mobile, Symbian OS
- Stealing MIDlet
- Phone Managers
- Backup of MIDlet's RMS

Stealing MIDlet (Results):
- Overwrite the installed MIDlet
- MIDlet-Name and MIDlet-Vendor
- Source code
- Add Trojan code
- A signed MIDlet cannot be upgraded with an unsigned MIDlet!

Phone Managers (Results):
- Oxygen Phone Manager II [4]
- Backup Java MIDlets
- Backup MIDlet's RMS
- MOBILedit! [5]
- Forensic edition available

RMS backup (Results):
- (no slide text in the transcript)

Threats & Vulnerabilities (Results):
- Information extracted
- Trojan code
- Keyboard sniffer, send information to hacker, …
- Phone is stolen
- Brute-force attacks
- Remote deletion disabled
- MIDlet installation request

Countermeasures (Results):
- Reflash cell phone OS
- Check MIDlet size and functionality
- Sign the MIDlet
- Prevent Stealing MIDlets
- Strong master password and encryption
- Frequently update the login credentials

Conclusion:
- A strong master password must be chosen
- The key in the encryption process, access to the application
- Data easily extracted
- Encryption extremely important
- The MIDlet should be signed
- Prevent installation of Stealing MIDlets, trusted source

Further Work:
- SATSA (The Security and Trust Service API)
- Biometric authentication
- Speech recognition (Java Speech API)
- Proactive password checking
- Synchronization service
- Update the stored login credentials if the phone is lost

References:
[1] RSA-Laboratories. March 1999. PKCS5v2.0: Password-based cryptography standard.
[2] Bouncy Castle. Bouncy Castle Crypto Package. Light-weight API, release 1.33.
[3] Willassen, S. Y. Spring 2003. Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2, 10–11.
[4] Oxygen-Software. Oxygen phone manager for Nokia phones (forensic edition). http://www.opm-2.com
[5] Compelson laboratories. MOBILedit! Forensic. http://www.mobiledit.com
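
The key derivation on the "Digital safe" slide (master password, username, iteration count 20, 128-bit AES key) next to a hardened variant, as an added example that is not code from the thesis or its prototype. Assumptions: PBKDF2-HMAC-SHA1 is the PKCS5v2 function meant, the username is used as the salt, desktop Java's JCE stands in for the Bouncy Castle light-weight API, and the class name, sample values and the 200,000 count are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class SafeKeyDemo {
    // PBKDF2-HMAC-SHA1 (PKCS #5 v2.0) producing a 128-bit AES key.
    static SecretKeySpec derive(String password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Nanoseconds that testing one password guess costs at a given iteration count.
    static long costOfGuess(byte[] salt, int iterations) throws Exception {
        long t0 = System.nanoTime();
        derive("guess", salt, iterations);
        return System.nanoTime() - t0;
    }

    public static void main(String[] args) throws Exception {
        String master = "constructed-sample-passphrase";             // constructed sample value
        byte[] username = "alice".getBytes(StandardCharsets.UTF_8);  // constructed sample value

        // Parameters from the slide: username as salt (assumed), iteration count 20.
        SecretKeySpec slideKey = derive(master, username, 20);
        System.out.println("slide key bits: " + slideKey.getEncoded().length * 8);

        // Hardened variant: random per-safe salt and a far higher count (value is an assumption).
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        int strongCount = 200_000;
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, derive(master, salt, strongCount), new GCMParameterSpec(128, iv));
        byte[] record = enc.doFinal("mail password: example".getBytes(StandardCharsets.UTF_8));

        // The GCM tag rejects a key derived from a wrong password.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, derive("wrong guess", salt, strongCount), new GCMParameterSpec(128, iv));
        try { dec.doFinal(record); } catch (AEADBadTagException e) { System.out.println("wrong password rejected"); }

        System.out.printf("cost per guess: %d ns at 20 iterations, %d ns at %d%n",
                costOfGuess(username, 20), costOfGuess(salt, strongCount), strongCount);
    }
}
```

The printed per-guess cost is what the "Brute-force attacks" threat and the "Strong master password" countermeasure trade against once the RMS contents have been extracted from the phone.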