Authentication and Privacy

Abstract

Authentication and privacy refer to the problems of ensuring that communication takes place only between the right parties without disclosure of information to unauthorized eavesdroppers. Radio communication is highly appealing for the convenience of mobility—the freedom from a fixed location. For this reason, wireless services have been growing rapidly. In 2005, an ITU study found more than 2 billion cellular phone subscribers and more than 1.26 billion land phone lines in the world. It has become easy to find IEEE 802.11 wireless LANs in residences, hotels, stores, and corporate sites. Smart phones and a variety of wireless messaging devices cansend SMS, e-mail,and browse the WorldWide Web through a number of wireless services. IEEE 802.16 ‘‘WiMax’’ is starting to offer broadband wireless services in the local loop. The enthusiasm for wireless services makes it easy to ignore the inherent insecurity of the radio medium. The most obvious risk is that radio signals can be received by anyone within range of the transmitter. Radio communications are easy to intercept, possibly by someone who is beyond sight. In contrast, it is more difficult to intercept wired communications. An eavesdropper must physically access a wired medium and therefore tends to be more visible. In wireless communications, the loss of privacy (or confidentiality) is always a possibility, which motivates the need to devise measures to protect privacy. The primary means used to protect privacy in wireless systems is cryptography, which is described in this chapter. Another clear risk is impersonation where someone presents a false identity to attempt to access unauthorized services. For land line phones, impersonation is a much smaller risk because phones are typically in an indoor environment under private ownership. It is implicitly assumed that the owner is responsible for physical access. The identity of a land line phone user is associated with that fixed location. However, users in a wireless network are mobile, so their identities cannot be associated with a particular location. Instead, mobile users must carry their credentials (e.g., passwords) and present them to the network to verify their identity. It is important that authentication credentials are difficult to duplicate by someone else. Authentication of mobile user identities, also largely based on cryptography, is another topic covered in this chapter.