November 1995
Abstract
Wireless mobile systems introduce a new dimension to traditional distributed systems: untethered networking and unrestricted mobility. However, this exciting new technology comes at the price of higher security vulnerability. In this document we highlight those vulnerabilities and discuss the security issues of mobile systems.
The increasing interest in wireless communications has made mobile systems possible. Mobile systems will extend the usability of current distributed systems by allowing users of mobile devices access to a large pool of networked resources, as well as to send and receive messages (voice, video or data), from almost anywhere in the world. Mobile systems will also free their users from being tied to the office workstation, thus encouraging distributed working practices. Note, however, that "mobility" is not unique to users with mobile devices. For example, users accessing the internet from different workstations/terminals also demonstrate a "mobile" behaviour.
It is clear that good security measures must be incorporated into such a distributed system. Government bodies and large corporations need to be sure that their sensitive data is protected, and consumers would not want their transaction information flowing through the internet to be eavesdropped on or tampered with. Within the context of mobile systems, companies providing services to visiting mobile users must protect against potentially malicious users, and mobile users will also need reassurance that the visited domain is safe enough for the network task the user is going to execute.
In the next section, a quick introduction to the properties of mobile systems is presented, followed by the section on security issues within mobile systems. We then conclude with a recap of these issues.
Recent technological advances have allowed users to carry small sized portable computers with wireless networking capabilities. Currently, there is limited availability of fully fledged wireless computer networking services. One of the popular consumer services is AT&T's PersonaLink network, with access restricted to users in the USA. A more pervasive technology is mobile telephony, like the GSM or AMPS wireless networks. These are currently divided between analogue (eg. AMPS and TACS) and digital networks (eg. GSM and CDPD), but there is a trend towards the latter. All major developed countries, and most economically developing countries, have this service installed and its popularity is ever increasing worldwide. The latest digital mobile telephone networks have just started to provide 2-way data transmission capabilities and an e-mail like "short-message" service. The distinction between these two types of networks is blurring and the near future will see these two technologies merging giving full data and voice communications over existing mobile telephone networks. An important addition to future mobile networks will be seamless internetworking and roaming capability, giving mobile users access to a diverse range of resources from an increased pool of services. In this section, we will look at mobile systems more closely in order to get a feel for their inherent properties.
Wireless mobile communications at the current technological stage means communication via radio, infra-red or satellite. The entity that connects the wireless to the wired world by translating the signals between the two media is called a base station. A base station is usually an independent host on the fixed network. Signals are sent and received over the wireless medium by a device called a transceiver, and the area (the wireless part) that is covered by a transceiver is called a cell. A transceiver can communicate with any other transceiver that is within its cell range. For example, in Figure 1, the base station can communicate with mobile host A but not B because A is within the base station's cell range and B is outside it.
The properties of the different wireless media (infra-red, radio and satellite) influence the design of mobile systems, especially their geographical layout. Infra-red is usually used for indoor communications because sunlight drowns infra-red signals [7]. Because of this, and also the fact that it provides lower throughput than radio as well as its reliance on a clear line-of-sight between the transmitter and receiver, it tends to be used only for low rate bulk data transfer, for example offloading data from a notebook computer into the office LAN at the end of each working day. Higher performance in-building LANs and outdoor communications favour either spread-spectrum RF (megahertz bands) or microwaves (gigahertz bands) [7,8].
Wireless networks deliver lower bandwidth than their wired counterparts. This problem is further aggravated when the bandwidth within a cell must be shared among the mobile hosts that are currently in it. To date, this problem has been handled at the physical layer through bandwidth re-use techniques to divide the scarce bandwidth between mobile hosts [1,2]. These techniques include 3 important channel access methods, namely frequency-division (FDMA), time-division (TDMA) and code-division (CDMA), as well as spatial re-utilisation by making cells smaller in diameter and larger in number. The channel access methods above are the same ones used in wired networks. Spatial re-utilisation exploits the fact that radio signals get weaker the further they travel, so transceivers that are sufficiently far apart may use the same frequency without experiencing interference from each other.
As shown in Figure 2, cells are arranged side by side in a "hexagonal" fashion (1) (in practice, cells do not have a definite shape but they are shown as hexagonal in diagrams to lessen confusion, and because it's a first approximation to the real thing). Base stations are also connected to the wired network (3), usually through a Mobile Switching Centre (not shown in diagram). Mobile Switching Centres control a cluster of base stations, and they provide connectivity between the base stations and the public telephone network.
A handover, or handoff, process occurs when mobile hosts cross cell boundaries (5), and during the handoff, a small pause in communication usually happens because this process is not instantaneous (in the GSM system, handoffs take about 8 to 15 seconds). In actual fact, in some systems, handoffs can also occur while the mobile host is stationary. This may be due to various factors like load distribution [50], or carrier hopping.
Several mobile hosts may also communicate with each other without the assistance of a base station (6), forming an ad-hoc network [3]. A mobile host in the ad-hoc network that is also connected to a base station at the same time can act as a router between the ad-hoc network and the base station. However, turning mobile hosts into effective routers is only a possibility, as current technology has not actually reached this stage yet.
Mobility in fixed networks
In a previous section, it was mentioned that user mobility is not only demonstrated in mobile systems. Users of fixed networks too can be "mobile", although this is done by "jumping" from one fixed host to another. The difference between mobility in mobile and fixed systems lies in the users' continuity of motion, ie. mobile users using wireless workstations can and will be moving across consecutive domains while remaining on-line, whereas it is more intermittent with fixed hosts.
Agents
Agent systems are an important new technology which enables programs, usually written in high level scripting languages, to be despatched onto the internet to carry out any task or processing on behalf of their owner. There are 2 general types of agents, static and mobile agents, and it is the latter that has the potential to contribute greatly to mobile systems. By carrying out execution on a fixed server, agents do not use up the scarce resources on the mobile host. Bandwidth usage is also drastically cut down as communications are done locally on the server itself. This is true especially if compared with RPC or message based protocols where several flows may take place for each transaction. As agents are beyond the parameters of this work, the interested reader is referred to [25,25,26] for further information, and [27] for details of a real-world agent platform.
As we can see, mobility does not only exist in wireless networks, but in other systems too, like fixed networks and agent systems. However, mobility in these systems is limited to a certain extent, and the mobility issues which affect them are not that great. Some might even argue that they are less interesting, when compared to wireless systems. To give a general idea of their respective properties, as far as mobility is concerned, the table below gives a comparison. Of course, the following list of properties is not exhaustive.
| PROPERTIES | WIRELESS NODES | AGENTS | NOMADIC USERS |
|---|---|---|---|
| Vehicle | Wireless device/computer | Software | Human |
| Mobility performed voluntarily (ie. not server executed) | Yes (user moves device) | No (server moves agents) | Yes |
| Foreign controlled execution environment | No (on-board processing, unless cached) | Yes (server translated script) | Yes (uses foreign domain's computer) |
| Client-Server comms medium | Wireless (IR, radio, sat) | Local memory | Wired (via local terminal) |
| Comms session continues across domains | Yes | Yes | No |
| Node-node (peer-peer) comms must be server mediated | No (ad-hoc networks) | Yes (message passing) | Yes (server must do routing) |
| Node is self sufficient (can continue when disconnected) | Yes (executes on local node) | No (server required to execute agent) | Yes (for human activities) |
In this section, the inherent properties of mobile systems that affect security will be examined. We then discuss the additional threats faced in mobile communications and outline new security problems that must be resolved.
Properties of mobile systems that affect security
Mobile devices are designed to be portable, ie. light and small. Until a more suitable alternative is found, mobile devices will more than likely be battery powered for the foreseeable future. In order to conserve energy, processing speeds need to be slower and processor cycles reduced. Data transmissions also consume energy, so they too must be reduced. These constraints impose limits on the computational complexity of encryption algorithms and the number of messages involved in security protocols. Even though this problem can be alleviated by using special purpose circuitry or encryption chips, it still faces the hurdle of the public's suspicion towards any devices that claim to protect the privacy of their communication or data. This suspicion is not unreasonable since they will be putting their information totally into the hands of somebody (or some organisation) who is able to implant a "back door" function into their encryption device or algorithm, and this problem is not unique to mobile systems.
Mobile devices may not carry much (if any) long-term storage, eg. hard-disks, due to space and power constraints. Therefore, it may be infeasible for mobile devices to store security related secrets, or to cache the public-keys or authentication certificates of other network entities. Nevertheless, most mobile devices in use now carry some sort of long-term storage, like smart-cards, albeit very small in capacity. Therefore, it may be feasible to store a restricted amount of information for use in, for example, authentication protocols (eg. the mobile user's public-key certificate). However, we can safely assume that most general purpose mobile devices will carry some amount of storage.
Broadcast-based communications
The wireless medium is intrinsically a broadcast-based medium. An eavesdropper is able to tap into the wireless communications channels by positioning himself anywhere within the area of the cell. Since all transmitted packets travel directly between a mobile host and the base station, and not through different paths via different switching nodes as in switched wired networks, it is possible to copy all the packets of a particular message transmitted through the air.
It is also harder to prevent visiting hosts from overloading the network with excessive transmissions, resulting in a sudden decrease in network performance. This may lead to denial of service to other mobile hosts because of the congested network.
Disconnections
Wireless communication also suffers from frequent disconnections due to a higher degree of noise and interference as well as the process of inter-cell handoffs. This problem is currently being tackled from two angles, ie. trying to minimise disconnections in the physical layer of the network, and making the system more tolerant to disconnections in the upper layers of the network. It is felt that mobile hosts can cope better with network disconnections if they have greater autonomy, making them less reliant on the network [4]. The latter approach may also allow handoffs to be viewed as a "disconnection" from the previous cell followed by a "reconnection" into the new cell [5].
There is a security threat during channel setup. When a mobile host "pops up" in a cell, the base station (or any other network entity that carries out network management tasks and has jurisdiction over that cell) needs to update information on the network in order to allow messages to be routed to that mobile host correctly. This means that information on the physical location of the mobile host is available to entities that are able to see this routing information, and this may be undesirable if the mobile user would like to keep his location private.
An impostor may also be able to masquerade as another mobile user by monitoring that mobile user and immediately connecting to the network using that mobile user's identity after a disconnection (see Figure 3). The impostor will then have access to all the resources that are available to the real user. The real user may even be denied connection later because the base station might think that it is trying to connect a second time.
Heterogeneity
Both mobile and fixed components of a mobile system will encounter increased heterogeneity of different sorts. Mobile hosts that move between cells will have to adjust to potentially different physical communication protocols (from radio frequencies to Quality of Service) and as we move up to higher levels of the network, security constraints and network management policies may change as domain boundaries are crossed. This poses problems particularly for traditional network management techniques; for example, host addressing/naming schemes have strongly relied on static network environments, and highly dynamic environments where hosts appear and disappear randomly have not been taken into consideration. This problem is currently being addressed in various mobile-ip protocols.
Mobile hosts will encounter different security domains while moving. This can happen quite frequently in certain areas where there are many small clusters of cells that are administered by different authorities. Domains may even overlap, for example, jumping between carriers within a single cell may entail repeating a whole security related protocol. A host may decide to jump onto a carrier of another network provider for various reasons, eg. for higher throughput or cheaper rates.
Highly distributed environment
Even though advances in distributed systems technology have encouraged most network implementations towards the distributed approach, a lot of network services are still not implemented in a fully distributed way; for example, authentication servers. These services rely on the "locality of activities" behaviour demonstrated by users, ie. users tend to work within a small administrative confine most of the time, for example within a corporate LAN, and services and resources (sometimes replicated) are placed near the user for improved system performance. Enhanced user mobility will (and should) allow this user to access the services and resources entitled to him from any arbitrary network access point globally, and he would expect the same kind of performance to be delivered to him. This means that the provision of some of these services and resources has to be re-implemented to fit into this new usage and access pattern.
Since failure to communicate with a host's home authentication server is more likely in this new environment, a more distributed approach to authenticating users must be devised. Furthermore users should not unconditionally be denied access to services in the event of this failure, so authentication techniques based upon a more relaxed notion of trust are essential.
We saw that mobile systems introduce a lot of new problems to the area of security. These problems may be numerous, but most of them are not insurmountable. In this section, four major areas of mobile systems security are discussed, namely anonymity, device vulnerability, domain crossing and authentication. Some of these areas, like anonymity and domain crossing, have not surfaced before because of the research concentration on fixed networks. Other problems, like those of authentication (in the mobile systems context) and device vulnerability, are new ones introduced by mobile systems. These areas need to be looked at as seriously as security itself, if any satisfactory mobile security protocol is to be engineered.
Anonymity
Information about a particular person or organisation is private and should only be known to its owner and whoever its owner grants access rights to. Privacy should be preserved in any kind of information system, be it fixed or mobile. The kinds of information that a user may want to keep private include his real user identity when on-line, his activities, his current location and his movement patterns. Anonymity and identity privacy have also been realised on the internet through the use of anonymous remailers [23]. Anonymous remailers are not "official" internet services; rather, they are run by users themselves. Remailers are becoming increasingly important as more and more internet users use them for anonymous e-mail and newsgroup postings.
Preserving anonymity is of greater concern in mobile systems for several reasons. Mobile systems yield more easily to eavesdropping and tapping, compared to fixed networks, making it easier to tap into communication channels and get to user information. As users move around, a new kind of information immediately becomes valuable, ie. detailed information about the movement and location of the user. This may also provide clues to who that user interacted with at a given point in time, by identifying other users that are within the same vicinity of that user. Users will also move in and out of foreign domains which the user may not have prior knowledge about, and which hence may not be fully trustworthy. Who knows what goes on within each domain, and how these domains handle sensitive user information? Moving across foreign domains thus results in increased risk to user information. Current network implementers of mobile communication systems store a lot of user related information on network databases, especially for mobile telecommunication networks. This is done to assist in user mobility support as well as billing and authentication. This makes the user information more widespread and highly available. It is also uncertain whether the environment where this data is stored is safe and trustworthy.
Different anonymity requirements for mobile systems have been proposed, eg. [9,13,14]. Basically, it boils down to preventing the disclosure of the real identities of the mobile user, his home domain and his visited domains. These lead naturally to the solution for the following anonymity issues:
In [12], Needham emphasised that anonymity of communication is essential to prevent selective denial of service in communication networks. Users can be denied service by various mechanisms, usually by either "cutting off" the communication channel between the client and the server or by flooding the network to the extent that no more bandwidth is available for use, rendering the network effectively inoperable. With unselective denial of service, whole services or large parts of a network are disabled (eg. using explosives), and these are usually detectable. Selective denial is less evident and its victims are usually well-defined (eg. a particular client on the network). Anonymity is an obvious solution to the latter problem.
Even when anonymity can be provided in full, some domains require a user's identity to be revealed. This is usually required when the domain has to contact the user's home domain together with the user's real-id for authentication, before any service is granted. Of course this is undesirable as it also means that the user's home domain identity needs to be revealed and it assumes that the home domain is always reachable. As this authentication procedure is repeated when dealing with visiting users from the same home domain, the foreign domain increases in its ability to infer the home domain's high-level strategies [5]. An alternative scheme must be provided, one where a user can be authenticated without revealing the user's real identity (or any other information that may lead to identifying the real user), and this scheme must give the foreign domain as much confidence as giving it the user's real identity in the clear. Zero-knowledge based schemes [18], where an entity proves its identity by demonstrating its knowledge about a secret piece of information (which no one else besides him would know) without the need for revealing its identity, may help in this area.
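The kind of exchange a zero-knowledge identification involves, shown as an added example using the Fiat-Shamir identification scheme as a well-known instance (it is not code from the paper, and the paper does not say which scheme [18] describes). It assumes the visited domain already holds the user's public value `v`, for instance vouched for by the home domain under a pseudonym; the modulus and all names are constructed for illustration.

```python
import secrets
from math import gcd

# Toy modulus (constructed for this example): the product of the Mersenne
# primes 2^31-1 and 2^61-1. A real modulus is 2048 bits or more, and its
# factors are known to nobody but the authority that generated it.
N = (2**31 - 1) * (2**61 - 1)
_rng = secrets.SystemRandom()


def _random_unit():
    """Random value in [2, N) that is coprime to N."""
    while True:
        r = _rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r


def keygen():
    """Return (secret s, public v = s^2 mod N). Only v leaves the device."""
    s = _random_unit()
    return s, pow(s, 2, N)


class Prover:
    """Mobile user: proves knowledge of s without ever transmitting it."""

    def __init__(self, secret):
        self._s = secret
        self._r = None

    def commit(self):
        """Start a round: send x = r^2 mod N for a fresh random r."""
        self._r = _random_unit()
        return pow(self._r, 2, N)

    def respond(self, challenge):
        """Answer challenge e in {0, 1} with y = r * s^e mod N."""
        if self._r is None:
            # Answering both challenges for one commitment would leak s
            # (the two answers differ by exactly a factor of s).
            raise RuntimeError("no fresh commitment for this round")
        r, self._r = self._r, None          # a commitment is single-use
        return (r * pow(self._s, challenge, N)) % N


def verify_round(v, x, challenge, y):
    """Visited domain's check for one round: y^2 == x * v^e (mod N)."""
    if x % N == 0:                          # degenerate commitment
        return False
    return pow(y, 2, N) == (x * pow(v, challenge, N)) % N


def identify(prover, v, rounds=20):
    """Run the protocol; a party without s survives each round with
    probability 1/2, so `rounds` rounds leave a 2^-rounds chance."""
    for _ in range(rounds):
        x = prover.commit()
        e = _rng.randrange(2)               # verifier's random challenge
        if not verify_round(v, x, e, prover.respond(e)):
            return False
    return True


if __name__ == "__main__":
    s, v = keygen()
    print("genuine user accepted:", identify(Prover(s), v))
    other_secret, _ = keygen()
    print("wrong secret accepted:", identify(Prover(other_secret), v, rounds=40))
```

The verifier learns only that the other party knows a square root of `v`; each round costs the mobile host a handful of modular multiplications, which matters given the battery and processor limits discussed earlier.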
User location information can also be gathered at a lower level, by monitoring network routing table updates. Routers in a network need to know the physical location/address of a particular host in order to forward packets to it.
A common solution that has been adopted, providing a certain degree of anonymity in current systems, is by means of an alias, or a temporary identity. Aliases or nicknames allow a user to be referenced without revealing their real identity. Aliases could be short- or long-lived, and there are no general specifications on their life-span. Short-lived aliases for a particular user usually change as frequently as his inter-cell or inter-domain handoffs. A long-lived alias is more dangerous as it allows user tracking. Even though the real user might not be known at the moment of tracking the alias, that information can be kept and then matched at a later time to the real identities and their corresponding activity history that the subverted party manages to get hold of.
The alias scheme can be broken in some of its current implementations. For example, once a mobile user is disconnected in mid-conversation in the GSM system, the mobile user is required to transmit his real identity (amongst other information) in the clear to the base station upon re-connection. A new travelling alias is then transmitted back to the user and this is used for future communications. This provides an easy target for eavesdroppers.
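The two points above, that a long-lived alias lets sightings be linked into a movement trail and that re-connection need not expose the real identity, can be seen in a small model. This is an added example, not code from the paper and not how GSM works: it assumes the mobile and the network share a per-subscriber key from which both derive the next single-use alias; all names, keys and cell labels are constructed.

```python
import hashlib
import hmac
from collections import defaultdict


def derive_alias(key, counter):
    """Alias for connection number `counter`; looks random without `key`."""
    msg = b"alias" + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Mobile:
    """Mobile host: uses a fresh alias for every handoff or re-connection."""

    def __init__(self, key):
        self.key, self.counter = key, 0

    def next_alias(self):
        alias = derive_alias(self.key, self.counter)
        self.counter += 1
        return alias


class AliasRegistry:
    """Network side: maps an alias to a subscriber record. The alias only
    names the subscriber; it does not replace authentication."""

    def __init__(self, window=4):
        self.window = window        # tolerated number of lost transmissions
        self.subscribers = {}       # real_id -> [key, next expected counter]

    def enrol(self, real_id, key):
        self.subscribers[real_id] = [key, 0]

    def resolve(self, alias):
        for real_id, entry in self.subscribers.items():
            key, expected = entry
            for i in range(expected, expected + self.window):
                if hmac.compare_digest(derive_alias(key, i), alias):
                    entry[1] = i + 1    # aliases are single-use
                    return real_id
        return None


def longest_trail(observations):
    """Given (cell, alias) pairs as visible on the air interface, return
    the largest number of sightings that share one alias."""
    trails = defaultdict(list)
    for cell, alias in observations:
        trails[alias].append(cell)
    return max(len(cells) for cells in trails.values())


def demo():
    key = b"constructed-demo-key"           # constructed sample key
    cells = ["cell-A", "cell-B", "cell-C", "cell-D"]

    fixed = derive_alias(key, 0)
    long_lived = [(c, fixed) for c in cells]            # same alias everywhere
    walker = Mobile(key)
    short_lived = [(c, walker.next_alias()) for c in cells]

    registry = AliasRegistry()
    registry.enrol("subscriber-42", key)
    roaming = Mobile(key)
    first = roaming.next_alias()
    results = {
        "long_lived_trail": longest_trail(long_lived),
        "short_lived_trail": longest_trail(short_lived),
        "first_connect": registry.resolve(first),
        "replayed_alias": registry.resolve(first),      # captured and re-sent
    }
    roaming.next_alias()        # this transmission is lost in a disconnection
    results["reconnect"] = registry.resolve(roaming.next_alias())
    results["unknown"] = registry.resolve(derive_alias(b"other-key", 0))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cost is a lookup over a small window of expected aliases per subscriber on the network side, and the real identity never crosses the wireless link after enrolment.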
Solutions to anonymity have also been proposed by N. Asokan in [13] and a number of works by David Chaum in [19,20,21].
In [15], Spreitzer and Theimer mentioned an additional challenge to the problem of privacy: designing an architecture that allows implementers and users to be given a choice of how much privacy is enforced in a particular administrative domain. This will provide for a more flexible working environment which determines the type of information to be revealed when the degree of "hostility" or "friendliness" of a domain is known.
Device vulnerability
Mobile devices are designed to be small and lightweight, making them highly portable. These features of mobile devices make them potentially vulnerable to being misplaced or lost and, worse, stolen. Even though losing the physical device itself is an unsatisfactory enough outcome, a more detrimental consequence is the owner's deprivation of the information or data that is (or was) contained in his device. Hardware can be re-purchased, but information, especially the kind that is updated frequently, cannot be re-fabricated that easily once lost. Worse still, some of this data may contain a secret not even known to the owner. For example, some random bytes used for authenticating a user may be issued by his home authentication server, but cryptographically stored in the device, without the user needing to know anything about it.
Mobile devices may also be used as a control device. Examples include active-badges for controlling access to workstations and building entrances and even devices used when purchasing goods or withdrawing money (e-cash?) from an ATM machine. Without these devices, the users will be denied access to most of these facilities and services. Furthermore, if procedures for obtaining a replacement device of this type take time to process, the device owner's industrial and social progress will be severely affected.
If the device is stolen, a thief who can disarm the safety features on the device can then get to the private information contained within. He may also get unauthorised access to services that are available via that device, if he is quick enough to act before the theft is discovered and privileges on that device (or user of that device) are revoked. In this case, the service provider will also be at risk because the unauthorised user may get access to other parts of the network using the stolen device for "entry". The additional threats mentioned here are breach of privacy and unauthorised access. The problem mentioned in this paragraph is similar to those faced by the credit card system.
Currently, mobile devices are protected from risks of theft as mentioned above by the use of passwords and smartcards. Even though passwords will deter or prevent another person from logging in to the device, having physical access to the memory and disk storage is just a few easy steps away from obtaining the information contained in it. Of course, on-board data may be encrypted, but this will be at the expense of battery power and processing capability. Therefore, passwords offer a very poor degree of protection. A smart card allows itself to be detached from the actual device and stored elsewhere. Every time a user wants to use his device, however, he has to insert the smart card into the device to enable it. This leads to the smart card always being stored close to the device so that the owner can use the device immediately when he wants to. Indeed, users eventually keep the smart card in the device even when it is switched off, so there is still a problem there.
Storing data on disks on the fixed network may provide a solution to losing data/information. However, bandwidth and battery scarcity make this a very expensive option. Data access over the network will need to be speeded up, so mobile applications will undoubtedly make use of caching and temporary files to improve performance. This cached information needs to be properly managed; for example, it should be encrypted and disposed of when not in use. Another problem of transferring large amounts of encrypted data from a single source is the risk of cryptographic exposure. A malicious eavesdropper will have large amounts of encrypted data at his disposal, facilitating cryptanalysis and potential discovery of an entity's encryption key(s).
Still, some classes of information are not suited to network storage, for example encryption/decryption keys which must be kept with the user at all times, and "address book" information for which retrieving and saving operations done through the network are not a satisfactory solution. Access to address book information must be immediate, so the latency and unpredictability of communication links make it unsuitable for storing on the network.
With this new mobile scenario, the importance of backing up, which has been emphasised time and again, cannot be ignored. However, users find this to be an effortful affair, and only a small number really bother. This issue is highly relevant as users will need to decide on which information to back up (cf. automatic network volume backups that back up all data indiscriminately). It is not practical to back up everything because some information is not worth the bandwidth and battery power that will be involved in the process.
Domain boundary crossing
There are various definitions of what a security domain is (see [28] for a list of them). In this document, a security domain means a set of network entities on which a single security policy is employed by a single administrative authority. For example, the employees and equipment of a company are entities within the domain of the company. These entities are subject to the company's, ie. the domain's, administrative policies, security policies included. Security measures and reactions to security threats in each domain are taken according to the policies that govern them. Security domain boundaries are crossed when a mobile user leaves one security domain and enters another. These crossings may not be immediate and domains left and entered may not be adjacent or consecutive. An example of the former is when the user switches off in one domain and reconnects to another domain hours or days later. The user may also reconnect to another domain which is miles away, or n number of domains away, giving an example of the latter.
Upon entering a new domain, the trustworthiness of the new domain environment has to be ascertained by the mobile user, and vice versa. This is usually carried out in current fixed network implementations using mutual authentication protocols where 2 entities mutually authenticate each other during one protocol execution. What is important at this stage is to determine the trustworthiness of the domain and user. The level of trust established will form the basis on which security related activities and decisions are made. This includes the level of security to uphold and disclosure of certain classes of information. If mutual trust is attained, for example, a decision to relax encryption constraints may be taken in favour of saving the battery and processor utilisation on the mobile host.
Another important motivation for domains to screen their visiting hosts is to uphold their image as a safe domain. Much like geographic domains (eg. cities or suburbs), a hostile environment will tend to be avoided and its resident occupants would want to migrate to a safer haven. The consequences would put the economic soundness of that domain, among other activities, in jeopardy. Visited domains will also have to carry out certain accounting procedures relating to the visiting host, if users have to pay for services. During the authentication phase, the user's "solvency" has to be established and the method of payment (eg. credit or debit based transactions) will have to be arranged.
As a mobile user enters a new domain, it may have to participate in a security protocol renegotiation process. This renegotiation may be necessary to ensure that the prevailing security level and policy is upheld as the user continues its on-line presence and activities into the new domain, so that no interruption is generated in the middle of any currently running user activity. It should be noted that apart from security related renegotiations, others, like Quality of Service (QoS) renegotiations, will also take place at the same time. This, coupled with handoff processing, will mean that a lot of system-level control messages will be exchanged, and this is a major communications overhead. Therefore, any renegotiation protocols must be fast and efficient. This is particularly important in microcellular environments where the high density of cells leads to very frequent handoffs and boundary crossings. However, the task of juggling domain and physical boundary crossing problems is eased somewhat as domain and physical cell boundaries usually coincide.
Authentication
As with current distributed systems, authentication is a necessary procedure for verifying an entity's identity and authority as well. The level of trust for a particular entity depends on the outcome of this authentication process. However, some domains in mobile systems will almost certainly find that they will need to authenticate mobile users very frequently as they move in and out of the domain. Ideally, user authentication should be carried out transparently, without disruption to whatever the user's task is at the moment.
Most authentication protocols in practice require the home authentication authority (or authentication server) to be contacted during the execution of the protocol. Consider the overhead that will be incurred when this has to be done for many mobile users entering the foreign domain. Furthermore, the "transparency" requirement for authentication protocols would be difficult to meet, since the completion time for each protocol now also depends on the quality of the link between the visited domain and the mobile user's home authentication server. This also means that the home authentication server must always be up and running (ie. its service must be available all the time). These last two factors, the link quality between the visited domain and the user's home authentication server and the availability of the authentication server itself, are unpredictable and therefore cannot be guaranteed.
Since authentication server availability cannot be guaranteed, current inter-domain (sometimes termed inter-realm) authentication protocols, which are designed to authenticate across multiple domains, become questionable (see also the paragraph on inter-domain authentication, or [35] for a real-world implementation). In fact, this problem is greater here because it implies that all the servers in the authentication chain must be available at the same time. This situation is further aggravated by the fact that the authenticating entity must trust all the servers that are part of the resulting inter-domain authentication chain. Asokan [33] stated that the lack of a satisfactory global authentication mechanism will result in either inadequate authentication or inconvenience to the user. He also mentioned that the following issues are relevant to designing a flexible global authentication system:
The use of certificates may relax the requirement of contacting the user's home authentication server. Unfortunately, this scheme also has some undesirable properties. Firstly, it is irrational to assume that the certifying authority that signed the certificate is globally and unconditionally trusted by every entity. A mobile user also cannot be expected to find out beforehand which domains it will be visiting and then obtain certificates that will be accepted by them. Another problem is that certificates do not reflect the current status of their owner/carrier, eg. the current balance of his bank account or a record of his behaviour in previously visited domains. It is difficult for the server to embed information about the current status of the user into the certificate and at the same time be sure that the user cannot alter that information or present only the certificates which provide the most positive credentials. Revocation of certificates will also become a harder problem, ie. one concerned with scalability, because mobile users move around a lot and their locations could be anywhere in the world.
Engineering good authentication protocols for mobile systems has been blessed with an extra burden of anonymity requirements (see the section on anonymity). It is imperative that authentication protocols give out as little information as possible relating to the principals involved in the protocol execution.
Other research challenges for authentication protocols include authenticating users that may not be registered with any "home domain" and authentication in ad-hoc mobile networks, ie. authentication between mobile users or groups of mobile users.
In this paper we have briefly introduced a typical mobile system and discussed the properties which affect its overall security. We then discussed specifically what the security problems are. Most of these are not new problems, ie. they exist in traditional distributed systems as well. However, these problems are accentuated in a mobile system, therefore their impact is much more serious.
In order to engineer good security protocols for a system, we must have an idea of the factors that will affect security and implementation of protection measures. Thus we presented those properties of mobile systems which affect security, which are the physical constraints on mobile devices, broadcast based communications making eavesdropping easier, disconnections, heterogeneity of mobile system entities and a highly distributed environment.
The actual security threats and issues in a mobile system are anonymity, device vulnerability, domain boundary crossing and special requirements for authentication.
Effective security measures can only come about with a complete understanding of the actual mobile system in question, and its security threats.