Security
We would like KioskNet to be secure enough to serve as the
basis for secure transactions
that arise in applications such as
rural banking, microfinance,
tax and bill payment, and land registry.
This requires it to
meet the requirements of four distinct groups:
- KioskNet Franchisers: Franchisers, usually non-governmental organizations (NGOs) deploying KioskNet, are concerned with the integrity of their KioskNet components (gateways, ferries, kiosk controllers and proxies) and would want to detect, if not prevent, the misuse of their infrastructure.
- KioskNet Franchisees: Franchisees (i.e. kiosk operators) are concerned with the security of their kiosk terminals and would want protection against malware. They would also want to prevent any attacks from being launched through KioskNet.
- KioskNet Users: Users are concerned with the confidentiality and integrity of their data despite using untrusted ferries and snooping kiosk operators.
- Application Service Providers: Depending on the type of service they provide, application service providers (ASPs) would want franchisers to guarantee the integrity of their software when deployed on a KioskNet.
We satisfy these requirements through a combination of standard
cryptographic techniques such as PKI and
a transparent encrypted file system.
Though our mechanisms may appear to be complex,
they are the minimum necessary to meet the security requirements listed above.
Certificates
To enable the authentication
and end-to-end encryption of in-flight data, all the entities named above
are issued unique credentials including a 2048-bit RSA private key and a
corresponding public key certificate.
Certificates are issued and signed in a hierarchical fashion, forming
chains: a secure central root CA server at the University of Waterloo issues
certificates to franchisers, who then issue certificates to
franchisees and ASPs operating in their region. Franchisees can then
certify users registered at their kiosks. Similarly, all
KioskNet components are issued unique credentials by the franchisers
that maintain them. Public key certificates for users, franchisees and
ASPs are periodically broadcast throughout a franchiser's region
through the use of a public key database maintained at the
proxy and replicated at all kiosk controllers.
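The four-level hierarchy described above (root CA, franchiser, franchisee, user), as an added example that is not KioskNet code: it builds a constructed chain with Ruby's OpenSSL bindings and checks it the way a node holding only the root certificate would. The names, the one-hour validity period and the use of basicConstraints to mark which entities may issue certificates are assumptions.

```ruby
require "openssl"

# Issue a certificate for `name`. `issuer` is a {cert:, key:} pair returned by
# an earlier call, or nil for the self-signed root. All names are constructed.
def issue(name, issuer, ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  # Assumption: only entities allowed to certify others are marked CA:TRUE.
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Trust only the root; every other certificate must chain up to it through
# the intermediates supplied (for example from the public key database).
def chain_valid?(root_cert, intermediates, leaf_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store.verify(leaf_cert, intermediates)
end

ROOT = issue("Root CA (constructed)", nil, ca: true)
FRANCHISER = issue("Franchiser NGO", ROOT, ca: true)
FRANCHISEE = issue("Kiosk operator", FRANCHISER, ca: true)
USER = issue("Kiosk user", FRANCHISEE, ca: false)
FORGED = issue("Forged user", USER, ca: false) # signed by a user, who is not a CA

if __FILE__ == $PROGRAM_NAME
  chain = [FRANCHISER[:cert], FRANCHISEE[:cert]]
  puts "user certificate valid:   #{chain_valid?(ROOT[:cert], chain, USER[:cert])}"
  puts "forged certificate valid: #{chain_valid?(ROOT[:cert], chain + [USER[:cert]], FORGED[:cert])}"
end
```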
Infrastructure integrity
Infrastructure integrity is ensured through the use of
digital signatures on all remote commands and software updates issued
by franchiser administrative personnel. Further, franchisees are not
given root access to deployed kiosk controllers, preventing them from
modifying the software on these systems. An encrypted root directory
on each KioskNet component prevents attackers from removing the
device's hard disk and booting it with a LiveCD to access the node's
private key. Industry-standard practices such as the use of intrusion
detection systems and firewalls can be additionally used to
protect KioskNet components against
remote attack through their network interfaces.
Protecting recycled PCs
Recycled PCs (or terminals) are protected against viruses and
other malware by forcing them to boot from read-only disk images
stored in reasonably tamper-proof kiosk controllers. Because only franchiser
administrative personnel are permitted to update these disk images,
franchisees can be assured of the integrity and security of the
operating system and applications running on their kiosks.
The measures taken to protect rural kiosks described above also
provide ASPs with assurance of the integrity of the platform their
applications are deployed on. Additional security can be provided by
ASPs issuing signed certificates for their application binaries,
allowing users and franchisees to verify their integrity as required.
User data protection
User data stored in kiosk controllers is secured by creating encrypted
virtual volumes for each user's home directory keyed with the user's
kiosk login password. These volumes are stored in encrypted form on
the kiosk controller and exported over NFS for mounting at kiosk
terminals when users log in with a valid password. Linux's Pluggable
Authentication Module (PAM) is used to automate the decryption of
these volumes when users log in and their encryption when users log out.
Users can transparently read and write to their encrypted home
directories through our use of the Linux DM-Crypt disk encryption
module. Because user data, including private keys, is stored in these
encrypted home directories, even attackers with root access are unable
to view or modify the data.
To support privacy for users who are not comfortable using
passwords, we envision the use of biometric devices,
such as thumbprint readers. We have not, however,
incorporated these devices into our system.
Communication privacy and integrity
In-flight user data that requires privacy and authenticity is
encrypted and signed at kiosk terminals before it is transferred to
the kiosk controller for forwarding to other KioskNet components
along its way to the proxy. This ensures secure user data cannot
be read, fabricated or tampered with while in transit within KioskNet.
Note that the traditional approach to ensuring end-to-end secure communication, such as that used in SSL, is to use public key encryption to generate a shared secret and use it as a session key for ciphers such as AES. However, due to the delay-tolerant nature of the network, the time taken by the handshake necessary for generating a shared secret precludes this approach. Using public key encryption exclusively is also not feasible, as it is computationally expensive for large data sizes. We therefore use AES-CBC with randomly generated 256-bit keys to encrypt data. This key is encrypted using the public key of the recipient and appended to the bundle. Hence recipients can decrypt the data by first decrypting the AES key using their own private keys.
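The handshake-free scheme described above, as an added example that is not KioskNet code: a random AES-256-CBC key encrypts the payload, the recipient's RSA public key wraps that key, and the sender signs the result. The bundle field names, OAEP padding, SHA-256 signatures and the order (sign the ciphertext, verify before decrypting) are assumptions; the keys are constructed.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # assumption: the page names no RSA padding
BundleError = Class.new(StandardError)

# Bytes covered by the sender's signature: wrapped key, IV and ciphertext.
def signed_bytes(bundle)
  bundle[:wrapped_key] + bundle[:iv] + bundle[:ciphertext]
end

# Sender side (kiosk terminal): no handshake, one self-contained bundle.
def seal(payload, sender_key, recipient_pub)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  aes_key = cipher.random_key # fresh random 256-bit key per bundle
  iv = cipher.random_iv
  bundle = {
    ciphertext: cipher.update(payload) + cipher.final,
    iv: iv,
    wrapped_key: recipient_pub.public_encrypt(aes_key, OAEP)
  }
  bundle[:signature] = sender_key.sign(OpenSSL::Digest.new("SHA256"), signed_bytes(bundle))
  bundle
end

# Recipient side: verify before decrypting, because AES-CBC on its own does
# not detect modification by a ferry or kiosk controller along the way.
def open_bundle(bundle, sender_pub, recipient_key)
  ok = sender_pub.verify(OpenSSL::Digest.new("SHA256"), bundle[:signature], signed_bytes(bundle))
  raise BundleError, "bundle signature invalid" unless ok
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = recipient_key.private_decrypt(bundle[:wrapped_key], OAEP)
  cipher.iv = bundle[:iv]
  cipher.update(bundle[:ciphertext]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  user = OpenSSL::PKey::RSA.new(2048)  # constructed sender key
  proxy = OpenSSL::PKey::RSA.new(2048) # constructed recipient key
  bundle = seal("pay bill 42", user, proxy.public_key)
  puts open_bundle(bundle, user.public_key, proxy)
end
```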
When combined, the security measures described above serve to protect
KioskNet against a diverse set of attacks, ranging from simple
wireless packet sniffing to more sophisticated attacks that involve
removing a KioskNet component's hard disk and booting it with a LiveCD to gain root access and read or modify the data stored in it.