Privacy Concerns for UWB technology?
dj at deadhat.com
dj at deadhat.com
Sat Apr 3 01:06:21 EST 2004
Damien,
The answer to the question "Is UWB secure" depends entirely on the
assumptions you make. UWB is after all a physical layer radio/modulation
technology that is only peripherally related to the layers above that may
provide security in a number of forms, say link security, VPNs, SSL etc.
Here are a couple of assumptions I am throwing in:
1) You are referring to one of the two significant adopters of UWB in a
standardized context, namely IEEE 802.15.3a and Wireless USB.
2) The actual UWB technology being considered is the MBOA (Multi Band OFDM
Alliance) flavor.
3) The UWB technology provides and underlying bit rate of 1 Gbps. This is
realistic.
As an 802.15.3a standard (when or if they finish it) there are two places
that security specific to the technology will come from. The first is
802.1X/ae/af (EAP conduit, link ciphers and authenticated key exchange).
These standards are works in progress (.1X is currently withdrawn awaiting
necessary undercarriage work). The second is from native 802.15 link
security that the 802.15 working group may choose to supply. Above the
link layer, it is not the IEEE's problem. 802.15 is an IEEE link layer
spec and upper layer methods that might apply are more generic E.G. those
from the IETF.
If we are talking about its application in Wireless USB then it is the job
of the writers of the Wireless USB standard to provide the appropriate
security mechanisms. They have a bigger problem to solve, since they are
having to secure a set of higher layer functions that are outside the
scope of IEEE 802. Beyond observing thats its not written yet, there's not
much to go on other than low expectations set by a long and sorry history
of wireless security mechanisms.
Getting down to specifics, if its 1 Gbps, then the currently in vogue IEEE
802 link cipher (AES-CCM) will do fine in terms of implementation
constraints. However 802.1ae has chosen GCM as its link cipher and this
holds the promise of linearly scalable implementability up to much higher
speeds.
The short range of UWB technology may provide security from some attack
models (the guy next door), but don't count on it and you can be sure that
by the nature of networks, remote attacks will be possible unless
anticipated and secured against. I remember reading recently about a
succesful bluetooth fishing expedition at a trade show. The short range
didn't help there.
The pessimistic view of IEEE 802 link security mechanisms is that first
time publications of standards will always come with broken security
because they never get the attention they deserve from the crypto
community until the flaws are identified and need fixing. In support of
that allegation, I offer you 802.11 WEP, 802.16 PKM, The 802.16 link
cipher, and 802.1X. All are broken and currently being overhauled.
The optimistic view of IEEE 802 link security is that 802.1X/ae/af is the
second go around, it is getting the attention it deserves and may deliver
an appropriate result in terms of security. However its meeting the needs
of wireline standards (802.3, 802.17) and is too high in the stack to
support the needs of mobile wireless links.
Just to complicate matters and to lower your expectations further, the use
of UWB in media centric home networks leads to new usage models and
unsophisticated users, tied in with the horrors of DRM on the media side.
This presents problems that arguably are not solved in a practical,
deployable sense today. Your example of the neighbour watching your TV is
a fine example.
Regards,
DJ https://www.deadhat.com
> Hi,
>
> I was at a talk last night on Ultra Wideband (UWB) technology which is
> sometimes referred to as "Bluetooth on Steroids".
> An example of what a UWB home might look like was given and it mainly
> consisted of everything that a normal
> home has today except without the wires. So you have your plasma TV
> connected to your DVD player using
> UWB and you can hook up a camcorder to it as well etc.
>
> UWB offers rates of about 100Mb/s which is comparable with the 802.11n
> standard. I asked the speaker what
> was the general thoughts on privacy concerns with this technology and he
> basically said there wasn't any concerns
> but I don't think it was something he had thought about before. UWB works
> over a very large bandwidth (the FCC
> allocated something like 7GHz of the spectrum for it) however it uses very
> low power. Its range is very limited (about
> 10m or so). I don't know much about the technology itself but he
> mentioned
> that is was something like spread
> spectrum so I assume it uses some kind of pseudorandom code to allow
> successful requisition of signals.
>
> I am curious about the privacy issue however. The speaker said that
> encryption would be used and that that would
> protect a persons privacy but at these high data rates would encryption
> not
> hinder the overall process? I assume
> a stream cipher like RC4 would be used as in WiFi? I realise that the
> range
> in this case is very small and that privacy
> is not as big a problem as other wireless technologies however this
> doesn't
> stop your next door neighbour watching the
> home made video of you and your family on holidays.
>
> Any thoughts?
>
> Regards,
> Damien.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list