Communications for Mobile People
description
Transcript of Communications for Mobile People
![Page 1: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/1.jpg)
Communications for Mobile People
Mary Baker
http://mosquitonet.stanford.edu
MosquitoNet GroupDepartments of Computer Science and
Electrical EngineeringStanford University
![Page 2: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/2.jpg)
Spring 2001 cs444n 2
Mobile people
• Mobile people move between different applications, different devices, and different roles– Desktop PC, laptop, PDA, cell phone, pager, hotel phone
• Why do they do this?– One device does not serve all purposes
• Much previous mobility work provides “anywhere/anytime” connectivity to a single device
• People are the true endpoints of much communication
![Page 3: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/3.jpg)
Spring 2001 cs444n 3
Problems
work emailhome emailwork phonepagerhome phone
cell phonework emailwork phoneICQhome phoneDan Jane
•On what device do I reach a mobile person in a timely manner? (Mobile People Architecture)
•How do I name mobile people as endpoints, rather than their devices? (IdentiScape)
![Page 4: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/4.jpg)
Spring 2001 cs444n 4
Current network model
Each layer provides
•Routing
•Naming
•Mapping to layer below
Problem: there’s no layer with people as endpoints
NameTypes
emailaddress
TCP/IPaddress
Ethernetaddress
LDAP, address book
NameLookup
Link
Transport/Network
Application
LayersPacketHeaders
00:a0:24:96:40:df
10.0.0.2port 25
DNS, /etc/hosts
ARP
10.0.0.2port 25
![Page 5: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/5.jpg)
Spring 2001 cs444n 5
Solution: extend model
Extend network model to incorporate people
•New person layer
•People are communication endpoints
NameTypes
person'sname
emailaddress
TCP/IPaddress
Ethernetaddress
LDAP, address book
NameLookup
JaneMobile
Link
Transport/Network
Application
Person
LayersPacketHeaders
00:a0:24:96:40:df
10.0.0.2port 25
DNS, /etc/hosts
LDAP, address book
ARP
10.0.0.2port 25
JaneMobile
JaneMobile
JaneMobile
![Page 6: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/6.jpg)
Spring 2001 cs444n 6
Person layer requirements
1. A way to route communications between people– Person-level router
– Mobile People Architecture
2. A naming scheme to identify people uniquely– Personal Online ID (“IdentiName”)
– IdentiScape project
3. A way to map to application-layer names– IdentiName => application-specific addresses
– IdentiScape project
![Page 7: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/7.jpg)
Spring 2001 cs444n 7
Mobile People Architecture (MPA)
• Routing communications between people• Make it possible to reach mobile people easily
– Anytime
– Anywhere
– On any communication device
– From any communication device
– With receiver controlling nature of communication
– While maintaining receiver privacy
![Page 8: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/8.jpg)
Spring 2001 cs444n 8
Motivation – receiver control
• Currently sender controls how/where/when messages sent– Sales calls at home during dinner
– Email spam
– Useless pages
• But as a recipient, I want control over my reachability– Only calls from the daycare center can go to my pager
– No phone calls while I’m having dinner
– No more “Make money fast at home!!!!” email
– Would like to handle these issues in one place if possible
![Page 9: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/9.jpg)
Spring 2001 cs444n 9
Motivation – privacy
• Sender may be able to infer receiver’s location from the address or phone number that actually works– Email address [email protected]
– Home phone
• Once I give out direct addresses, I can’t revoke them– I can only change them
– Filtering callers must now be done for each application/address
• But as a recipient, I may want to keep my location or direct addresses a secret
![Page 10: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/10.jpg)
Spring 2001 cs444n 10
Personal proxy as person-level router
Dan Sender Jane Mobile
GSM Internet
Jane's TrustedPersonal
Proxy(415) 555-1234
(650) 555-5678171.64.67.74,
port 2222
• Naming: Dan only knows Jane’s name
• Mapping: Dan’s phone uses Jane’s name to look up her Proxy phone # & calls her there
• Routing: Her Proxy converts call to email & sends it to Jane’s laptop [email protected]
![Page 11: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/11.jpg)
Spring 2001 cs444n 11
Personal proxy design philosophy
• “Personal” service implemented at the edge of the network (near the person)
• Scalability– Set top box (or PC) at home
– Hosted at an ASP
• Trust– Sensitive data & functions located where user chooses
– User knows what components are involved
• Deployment– Does not require changes to infrastructure of network
![Page 12: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/12.jpg)
Spring 2001 cs444n 12
Personal proxy design
Personal Proxy
Dispatcher
Application Drivers
TrackingAgent
RulesEngine
• Tracking Agent tracks receiver moving between devices/applications
• Rules Engine implements filtering preferences
• Dispatcher converts and routes communications to the mobile person using Application Drivers
![Page 13: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/13.jpg)
Spring 2001 cs444n 13
Tracking agent
• Tracks mobile person’s current connectivity state– Application-specific addresses
– Communication formats that can be handled at those addresses
• Via registrations– Automatic (with varying granularity)
– Manual
– Preset schedule
– Combinations of these
![Page 14: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/14.jpg)
Spring 2001 cs444n 14
Rules engine
• Passes directives to the Dispatcher on how to route a particular communication
• Uses current connectivity state and user preferences• User preferences stored in form of rules
![Page 15: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/15.jpg)
Spring 2001 cs444n 15
Rules
• Rule = (condition, action)• Conditions
– Is this from daycare?
– Does this contain “Make money fast”?
• Actions– Send it to my pager
– Drop it
– Truncate to 50 bytes
![Page 16: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/16.jpg)
Spring 2001 cs444n 16
Dispatcher
• Dispatcher is the routing component of Personal Proxy• Uses directives from Rules Engine to convert & route
communications• Consists of plug-in application drivers• Uses a goal-based planner to find a path through
conversion drivers– Currently just breadth-first search
![Page 17: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/17.jpg)
Spring 2001 cs444n 17
Prototype evaluation
• Deployment– Can be one server, set up by one individual
– No need to modify the underlying infrastructure
– Useful to individuals without need for global adoption
• Location privacy and data security– As secure as the Personal Proxy
• Thwarting spam– As effective as email filters (procmail)
– But supports application-independent rules
• Extensibility– Plug&play driver framework, drivers queried for their abilities
– No need to bring down system to install new drivers
![Page 18: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/18.jpg)
Spring 2001 cs444n 18
Related work
• UMTS, TOPS, etc.– Often no location privacy– Not set up for true any-to-any communications
• Wildfire, uReach.com, etc.– Limited scope of applications
• Iceberg (UC Berkeley)– Underlying infrastructure changes– Larger sphere of trust– Iceberg paths more efficient– Iceberg has better extensibility (easier to share components)
![Page 19: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/19.jpg)
Spring 2001 cs444n 19
IdentiScape goals
• Easily name people online• Name maps to
– Contact information for personal proxy– General contact information– Other stuff people want
• Reduce contact information management problems – Avoid update of other people’s copies of our contact info– Contact other people reliably– Name reuse issues– Name change issues– Name robustness issues
![Page 20: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/20.jpg)
Spring 2001 cs444n 20
Naming problems
• Name reuse– Defunct pizza parlor phone number reassigned to Jane
– Jane gets lots of pizza orders
• Name changes– Email from Jane’s lawyers arrives at Jane’s old address
– Old address controlled by party she’s now suing
• Name robustness– Your address/number is too similar to someone else’s
![Page 21: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/21.jpg)
Spring 2001 cs444n 21
Idealized naming service attributes
• Ubiquity– I can have the same name everywhere– I can transfer my names over different media– My names don’t give out private information
• Human-centricity– I can define/change my name– My name is “manageable” by humans
• Robustness– My name is not similar to anybody else’s– It is easy to catch simple typos in a name
• Persistence– My names are valid as long as I want them to be– I control what my old names point to
![Page 22: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/22.jpg)
Spring 2001 cs444n 22
IdentiScape solution
• Naming service(s) that– Allow callers to use one identifier to reach a person
– Provide robustness of names
• Directory services (identity object services) that– Enable people to control the contents and accessibility of
their own online identity information
• Separation of naming and directory information– Scalability
– Trust
![Page 23: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/23.jpg)
Spring 2001 cs444n 23
IdentiScape Architecture
Sender’s terminal
IdentiScape service
Identity object
1
2
3
4
Query “[email protected]”
Return: address of identity object
1
3
2
4
Query identity object
Return: contact information
janedansanta’s little helper
proxy phone: 650-432-1234proxy email: [email protected] ...
![Page 24: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/24.jpg)
Spring 2001 cs444n 24
Scalability issues
• IdentiScape service just provides a pointer to identity object– Information changes infrequently (cacheable)
– Adds delay (but name to pointer is cacheable)
• Identity object service– Scalability requirements usually less stringent
– Can be very privately managed (on your home PC)
• Useful to individuals even if not widely deployed
![Page 25: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/25.jpg)
Spring 2001 cs444n 25
Mix and match architecture
• Can use IdentiScape without MPA– For managing names and contact information
• Can use MPA without IdentiScape (give out proxy addresses)– For timely contact– For receiver control over communications– For privacy
• Identity object may be collocated with personal proxy– Identity object allows personal proxy to move
• Time scales of IdentiScape/MPA information differs– IdentiScape information changes more slowly
• On order of changes to business cards– Personal proxy deals with changes on finer time scale
• I’m at office phone now• In five minutes I’m only available by PDA
![Page 26: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/26.jpg)
Spring 2001 cs444n 26
Persistence problem
• Involuntary name changes inevitable– IdentiScape.nom goes out of business
– I forget to pay my bill to IdentiScape.nom
• People will use (leak) names from other name spaces– These names are used within organizations– These names are used with reference to organizations
![Page 27: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/27.jpg)
Spring 2001 cs444n 27
Solutions to persistence problem?
• Solution: global service with flat namespace?– Single “ownership” or unpleasant names?
– Who will trust it?
– Someone else will start one too
– Doesn’t solve name leakage
• Solution: global coverage by independent name services?– Doesn’t provide organization-independent names
• Solution: name history service – Given (old name,date), look up current name
– This could be implemented in a peer-to-peer manner
– Participants are entities with interest in such history
![Page 28: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/28.jpg)
Spring 2001 cs444n 28
History service
• Authenticated list of name transitions– Signed by name holder
– Time stamped
• “Persistence” and control over old names– You’ll reach me with my old name if you run it through
history service
– Nobody else can prove they used that name at that time
– Name space manager cannot retract existence of old name
![Page 29: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/29.jpg)
Spring 2001 cs444n 29
Example use of history service
•In 1990 mgb gets a name from UCB
•In 1994 mgb gets a name from Stanford
•After 1994 name change inserted
•In 1996 Berkeley removes mgb name
•In 1998 another mgb gets a name from UCB
•In 2050 user queries service: Current name ([email protected], 1992)??
•Returns [email protected]
[email protected] 1996 1998
![Page 30: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/30.jpg)
Spring 2001 cs444n 30
Problems
• Who provides the keys?– Assume PKI for name services (similar to DNSSEC)
– Local name spaces handle public key services within their spaces
• Who runs the history service?– Need a censorship resistant global archive
– Archived documents are self-secured (preserve their own integrity)
Long-term archival of signed documents
• Longevity of signed documents?– Old signed documents need old verification keys
– Was signature produced during validity period of key?
Need old key archival and secure time stamping
![Page 31: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/31.jpg)
Spring 2001 cs444n 31
KASTS
• Like a notary public [Haber et al., 1995]
• Secure time stamping service (TSS)– Establishes time when a digital document is signed– Time stamp the signature when it is produced
• Archival of signature verification keys (KAS)– Allows users to request and receive correct signature
verification key for a signer at any time in the past– Stores signed certificates from certificate authority (CA)– In particular, stores CA’s master verification keys
• Typically self-certified certificates• Originally distributed through a secure channel
![Page 32: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/32.jpg)
Spring 2001 cs444n 32
Centralized time stampers
• Surety is an example [www.surety.com]
• Build up tree of documents signed during a round– “Root hash” represents the ordered set of leaves of the tree
– Based on collision-resistant hash functions like SHA1
• Time stamp of digest is– Time at which round was created
– Proof of inclusion of digest in the linking data structure
• Result of a “round” represented as a hash– Published independently (provides accountability)
• Widely distributed
• Write-once
– This hash used as input to next round
![Page 33: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/33.jpg)
Spring 2001 cs444n 33
How to use multiple TSSes
• People will use the TSSes they trust
• How do we verify time stamps from other TSSes?
• Distributed peer-to-peer system of TSSes?– Replaces publication medium through agreement
– Uses Byzantine fault-tolerant techniques for agreement over time stamps and group membership
– Potentially survives complete change in membership over time
– Expensive
• For 150 nodes, round change can take 30 hours in the worst case
• Comfortable for some human-scale time granularities
• Key revocation: 2 weeks is reasonable
– Prokopius
![Page 34: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/34.jpg)
Spring 2001 cs444n 34
Timeline entanglement
• Timeweave [Usenix Security 2002]
• Give up global consistency of event ordering• Use group of TSSes that application task involves• Link (entangle) past of one timeline into future of
another
![Page 35: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/35.jpg)
Spring 2001 cs444n 35
![Page 36: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/36.jpg)
Spring 2001 cs444n 36
Timeline entanglement characteristics
• Can survive demise or non-cooperation of originating service– Must have some service you still trust, though
• Less expensive – depends on– Number of entangled services
– Rate of entanglement
– For up to 1200 PCs, 10-minute entanglement, maintenance ranges between 2-8% of processing resources
![Page 37: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/37.jpg)
Spring 2001 cs444n 37
Key archival service
• Maintains timed history of signature verification keys– Most notably the master verification keys used and published by CAs
• Accumulates key updates and revocation information
• At end of round key archive is modified and time stamped to reflect changes– Use hash trees to represent “time stampable” snapshots of CA– Uses authenticated search trees for accountability [Buldas et al., 2000]
• Snapshot roots archived in a Time Tree– Also an authenticated search tree
– Ordered by time
![Page 38: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/38.jpg)
Spring 2001 cs444n 38
Time tree
Rn
AnT0
A0 An
…
…
A’s = archive snapshotsT’s = time stamped rootsRn = nth root of time tree
![Page 39: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/39.jpg)
Spring 2001 cs444n 39
Related work• Most similar to IdentiScape goals
– Specialist Task Force 157 of European Telecommunications Standards Institute
– Charged with finding “personal identifier of the 21st century” they combine name with public key
• OneName.com– They run the directory service as well as provide the account name
– No help with name reuse or robustness issues
• Centralized time stamping services such as Surety– Require trust of single organization
– What happens when they go out of business?
• LOCKSS (Lots of Copies Keep Stuff Safe)– Long-term archival of documents (doesn’t handle signing issues)
![Page 40: Communications for Mobile People](https://reader035.fdocuments.in/reader035/viewer/2022081513/568149a3550346895db6e4c4/html5/thumbnails/40.jpg)
Spring 2001 cs444n 40
Conclusions
• People are the true end-points of much communication– Mobile communications should reflect this
• More support needed to integrate mobile communications into our lives– Increase receiver control of communications
– Privacy is important
– Ease of use is important
• Services at “edge” of network– Easier deployment
– Users gain benefits without global adoption
– Personal services close to person