Wireless lock
Wireless lock is a protection concept for authenticated LAN or WLAN network clients, offered by various vendors in various functional shapes and physical designs. In contrast to wireless keys, a wireless lock puts the emphasis on automatic locking rather than on locking only by time-out, or on unlocking alone.
The wireless lock concept supports initialising the client with authentication and log-on, as electronic key solutions do. Beyond that, a wireless lock supports automatic log-off after the user leaves an unlocked network client, independent of any time-out condition. Protection comes into effect while an integrated or galvanically attached, paired receiver/transceiver stays connected with the protected client object: as soon as the wireless token gets separated from the client by more than a set maximum allowed distance, generally the manual reach required for operating the keyboard attached to the client, the client locks.
Currently (2011-07) there is no general standard supporting inter-operability of wireless lock concepts.
- Most offered air interface solutions are based on ISO/IEC 18000-3 HF (13.56 MHz) passive RFID tags and near field communication (NFC)-like reader specifications.
- Most offered authentication procedures make use of IETF public key infrastructure (PKI).
- Comfortable solutions support single sign-on (SSO) servicing.
- The Bluetooth Low Energy (BLE) Proximity profile is said to support such applications.
Usage principles
The wireless token serves as an independent second authentication factor. Local pairing of the token with the protected networked client object is the authentication procedure. Personalisation of the token with the user is a preparatory action that may be administered apart from the network. Allocated user credentials shall be served from a networked authorisation server for allowed access to data and functions, and from an authentication server for allowed access to the network and clients.
A wireless communication distance metric sets the protected object to "locked" as soon as the set distance between the paired transmitter and receiver of a wireless signal transmission is exceeded. The protected object returns to the status "unlocked" as soon as the distance decreases and the received signal strength rises above the set limit.
Transmitters may be worn by the owner of an object, whereas the receiver is attached to the protected object, logically restricting its usage to the owner only.
The basic electronic gadget is a wireless token that communicates with a counterpart attached to the object to be controlled wirelessly. User guides recommend wearing a very light alarm token on a necklace, a wristband or similar, directly bound to the body. Very low transmission power levels ensure low electromagnetic interference as well as entirely biologically harmless operation.
After setting the object to be protected to work and initially pairing the two wireless devices with each other, the protected object refuses operation when the set distance between token and protected object is exceeded.
Advanced solutions offer communication on the basis of standardised communication protocols and standardised air interface links.
Simple solutions make use of passive RFID tokens, thus requiring a higher transmission level from a reader attached to the protected object, which illuminates the token to obtain a response. The chosen frequency band and the allowed maximum transmission power level define the possible reach of the response from the token in the vicinity of the protected object.
Applications
The main known application is PC locking under authenticated log-in conditions. The protected object is controlled with the token at hand working as a transceiver (passive RFID) or as a beacon transmitter (active RFID). Currently some similar applications are offered by several no-name vendors and under non-guaranteed specifications.
Standardization
The relevant existing standard for such applications is Bluetooth V4.0 Low Energy of 2009-12-17 with the profiles Find Me and Proximity.
Security modes
Concepts for secure key transmission are published in several contexts. Standardisation is going on in the IETF (PKI), the W3C (XML) and the ITU (X.509).
Basically there are different concepts available for implementing a sound security concept:
- Active token sends a fixed identity to be read by the receiver (not robust against attacks: the identity can be recorded and replayed)
- Transceiver sends an initial code in a challenge-response procedure and the active token answers with the agreed code, to prevent fraudulent attacks
- Transceiver sends with varied power levels to stimulate various response levels from a passive tag
- Transceiver and token communicate bi-directionally for travel time (time of flight, TOF) estimates
- Beaconing token sends with varied power levels to support RSSI (received signal strength indicator) estimation at the receiver
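The first two security modes above, a fixed-identity beacon and a challenge-response token, differ exactly in how they behave against an attacker who records one transmission and replays it. The following is an added example, not code from the page or from any vendor; the token identity, the pairing secret, the nonce length and the HMAC-SHA256 response function are all assumptions chosen for illustration.

```python
"""Added example (not from the page or any vendor): a fixed-identity beacon
and a challenge-response token, each run against a replaying attacker.
All identities, keys and frames below are constructed for illustration."""
import hashlib
import hmac
import os


class FixedIdToken:
    """Mode 1: the active token beacons a constant identity string."""

    def __init__(self, identity: bytes) -> None:
        self.identity = identity

    def beacon(self) -> bytes:
        return self.identity


class FixedIdReceiver:
    """Receiver that unlocks whenever the expected identity is heard."""

    def __init__(self, expected: bytes) -> None:
        self._expected = expected

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._expected)


class ChallengeResponseToken:
    """Mode 2: the token answers a fresh challenge with an HMAC over it,
    keyed with the secret agreed during pairing (assumed construction)."""

    def __init__(self, pairing_secret: bytes) -> None:
        self._secret = pairing_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ChallengeResponseReceiver:
    """Receiver that issues a random single-use challenge per round."""

    def __init__(self, pairing_secret: bytes, nonce_len: int = 16) -> None:
        self._secret = pairing_secret
        self._nonce_len = nonce_len
        self._outstanding = None  # challenge awaiting an answer, if any

    def challenge(self) -> bytes:
        self._outstanding = os.urandom(self._nonce_len)
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = hmac.new(self._secret, self._outstanding, hashlib.sha256).digest()
        self._outstanding = None  # consume the nonce: each answer is valid once
        return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Run both modes against an attacker who sniffs one exchange and
    replays the token's transmission in a later round."""
    # Mode 1: the recorded beacon is indistinguishable from the live one.
    token1 = FixedIdToken(b"TOKEN-0001")           # constructed identity
    rx1 = FixedIdReceiver(b"TOKEN-0001")
    recorded_beacon = token1.beacon()               # attacker sniffs once
    fixed_id_replay_accepted = rx1.accept(recorded_beacon)

    # Mode 2: the recorded answer only matches the challenge it was made for.
    secret = b"constructed-pairing-secret-for-demo"  # constructed pairing key
    token2 = ChallengeResponseToken(secret)
    rx2 = ChallengeResponseReceiver(secret)
    ch = rx2.challenge()
    recorded_response = token2.respond(ch)          # attacker sniffs one round
    genuine_accepted = rx2.verify(recorded_response)

    rx2.challenge()                                 # next round: new nonce
    challenge_response_replay_accepted = rx2.verify(recorded_response)

    return {
        "fixed_id_replay_accepted": fixed_id_replay_accepted,
        "challenge_response_genuine_accepted": genuine_accepted,
        "challenge_response_replay_accepted": challenge_response_replay_accepted,
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {ok}")
```

The receiver discards the nonce as soon as it has checked one answer, so a recorded response is worthless in every later round. Note that challenge-response proves possession of the pairing secret, not proximity: an attacker who relays the live radio link over a longer distance still passes, which is why the page's "safe approach" below adds a travel-time measurement.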
Metrics options
The metrics options for detecting separation of the protected object and the authenticated user have to take into account various physical phenomena and thus offer a variety of signal processing to overcome
- multipath propagation,
- kinked and direct paths,
- multipath fading, and
- excess reach of nearby colliding transmitters,
- higher populations of transmitters.
The safe approach is travel time estimation with ultra-short pulses (e.g. UWB, ultra-wideband, and CSS, chirp spread spectrum); the cheap approach is RSSI estimation with mere variation of power levels.
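The distance metric described under Usage principles (lock once the set distance is exceeded, unlock once the signal is strong enough again) and the two estimators named here, RSSI and time of flight, can be put together in a small lock state machine. The following is an added example, not code from the page or from any vendor: the path-loss calibration (-59 dBm at 1 m, exponent 2), the lock and unlock distances, the median window, and the RSSI trace are all constructed assumptions. The median filter and the lock/unlock hysteresis are there for the failure mode the list above names, a single multipath fade that would otherwise lock a user who is still at the keyboard.

```python
"""Added example (not from the page or any vendor): RSSI path-loss and
time-of-flight distance estimators feeding a lock state machine with a
median filter against multipath fading and lock/unlock hysteresis.
Model parameters and the RSSI trace are constructed for illustration."""
import statistics
from collections import deque

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


def rssi_to_distance(rssi_dbm: float, rssi_at_1m_dbm: float = -59.0,
                     path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 n)).
    rssi_at_1m_dbm is the calibrated reading at one metre (assumed value)."""
    return 10 ** ((rssi_at_1m_dbm - rssi_dbm) / (10 * path_loss_exponent))


def tof_to_distance(round_trip_ns: float, reply_delay_ns: float) -> float:
    """Two-way ranging: subtract the token's known turnaround time and
    halve the remaining flight time."""
    return (round_trip_ns - reply_delay_ns) * C_M_PER_NS / 2


class ProximityLock:
    """Locks after `lock_after` consecutive filtered estimates beyond lock_m;
    unlocks only once the estimate drops below unlock_m (< lock_m), so a
    reading hovering at the threshold does not make the lock flap."""

    def __init__(self, lock_m: float = 2.0, unlock_m: float = 1.5,
                 window: int = 5, lock_after: int = 3) -> None:
        if unlock_m >= lock_m:
            raise ValueError("unlock distance must be below lock distance")
        self.lock_m, self.unlock_m, self.lock_after = lock_m, unlock_m, lock_after
        self._samples = deque(maxlen=window)
        self._beyond = 0          # consecutive estimates beyond lock_m
        self.locked = False
        self.estimate = None

    def update(self, distance_m: float) -> bool:
        self._samples.append(distance_m)
        # Median over the window discards a single deep-fade outlier.
        self.estimate = statistics.median(self._samples)
        if self.estimate > self.lock_m:
            self._beyond += 1
        else:
            self._beyond = 0
        if not self.locked and self._beyond >= self.lock_after:
            self.locked = True
        elif self.locked and self.estimate < self.unlock_m:
            self.locked = False
        return self.locked


# Constructed RSSI trace (dBm): user at the keyboard, one multipath fade
# (-80), user walks away (-75/-76 sustained), user returns.
SAMPLE_RSSI_DBM = [-58, -60, -61, -80, -59, -60,
                   -75, -76, -75, -76, -61, -58, -60]


def run_trace(rssi_trace, **lock_kwargs) -> list:
    """Feed a trace through the RSSI estimator and the lock; return the
    lock state after each sample."""
    lock = ProximityLock(**lock_kwargs)
    return [lock.update(rssi_to_distance(r)) for r in rssi_trace]


if __name__ == "__main__":
    for rssi, locked in zip(SAMPLE_RSSI_DBM, run_trace(SAMPLE_RSSI_DBM)):
        print(f"{rssi:4d} dBm -> {rssi_to_distance(rssi):5.2f} m  "
              f"{'LOCKED' if locked else 'unlocked'}")
```

On the constructed trace the single -80 dBm fade (about 11 m under the model) is swallowed by the median, the sustained -75/-76 dBm readings (6 to 7 m) lock the client after three consecutive out-of-range estimates, and the lock releases only once the filtered estimate is back below the unlock distance. The same state machine can be driven by tof_to_distance() instead; the difference is that a time-of-flight estimate cannot be lowered by an attacker who merely transmits louder, whereas an RSSI estimate can.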
Standards based products available
Many current product offers referring to communication standards are just prototypes. A basic design is proposed e.g. with a Texas Instruments sample offer using the Bluetooth V4.0 Low Energy protocol standard, and with comparable proposals from other chip manufacturers.
Critics
Currently (2011-07) there is no certified product according to ISO/IEC 15408 security requirements on offer. However, any workable solution is better than nothing compared to logged-in work positions left unobserved.
Freeware implementation
A well known implementation is the BlueProximity solution, available for Linux and Windows. Hosting on PC-like systems allows detecting the presence of a mobile phone in proximity to a PC-attached Bluetooth dongle or equivalent interface. The PC gets locked when the user leaves. Reported and other simple deficiencies of this solution are:
- just local locking, logically independent of other security means
- wide variety of overall receiver sensitivity and RSSI feedback dynamics
- wide variety of transmitter efficiency adjusting to RSSI feedback
- varying lock-up distance with any combination of transmitter and receiver
- manual setting of the pairing of mobile phone and PC interface
- no integration with network authentication and authorisation management
- no integration with user role management and access credentials for application access
- lack of protection against MITM attacks and other relevant attack concepts
However, this Bluetooth based approach is the best protected solution compared to other proprietary approaches that lack means comparable to mobile phone SIM locking or to Bluetooth link protection.
Advantages
Basic infrastructure requirements for wireless locking are very low. There are no additional server function requirements beyond public key infrastructure standards. The infrastructure requirement of adding a wireless receiver to protected objects, via integration or using dongles, is state of the art. All tampering may be detected automatically. Attachment of a receiver/transmitter in dongle form to the protected object is easily made via USB port. A small security application will make use of the protection mechanisms of the operating system of the protected object. Neither dongle nor protected unit may be compromised as long as any tampering with the security application gets detected, which in turn relies on those operating system protection mechanisms.
The major advantage of wireless locking comes with automated log-off. Hence the common lack of caution by mobile users may be entirely compensated. Automatic wireless authentication factors do not require any handling. The only requirement on the user, just to wear a token without any keying, is unsurpassed in comfort and functional value. Wireless locking provides additional security for networks against fraudulent access and usage. Reported security deficits with second factor authentication may be compensated by reducing all burdens of keeping, handling and wearing such factors.
The transmission power of the wireless token may be very low, in the 1 mW range, as just the distance between the bearer and the item to be protected has to be bridged. That is a level causing no harm in any environment, nor does electromagnetic interference with sensitive equipment occur, i.e. interference with medical devices may be neglected.
Wireless locking offers the best robustness against de-authentication attacks. Continuous connection based encrypted key exchange between active token and receiver dongle provides a sufficient security level, prepared for certification under the ISO/IEC 15408 Common Criteria specification. An initial connection based encrypted key exchange alone serves a lower security level, which appears sufficient for most requirements.
Disadvantages
All known approaches for wireless locking are either proprietary or just industrial standards, e.g. ZigBee, ANT or other communication platforms, hence requiring special pairing of token and receiver/transmitter respectively. Adherence to wireless air interface standards and wireless communication protocols compensates for this top level standardisation gap.
Unidirectional communication between a beaconing token and the receiver dongle may be attacked with a man-in-the-middle attack, since the receiver cannot tell a relayed or recorded beacon from the genuine one. However, a connection based challenge-response initialisation serves a much higher security level. Note that challenge-response authenticates the token but not its distance; a relay that forwards the live radio link over a longer distance is only defeated by the travel time metric described above.
A clear specification of battery wear is not published with all known vendors' offerings.
Transmission concepts
- Bluetooth
- Bluetooth low energy
- Fuzzy locating
- Unilateration (see Multilateration)
- NFC
- WPAN
- Public Key Infrastructure
- RTLS
- Smart key
- WBAN (Body Area Network)
- WLAN
- IEEE 802.11
- IEEE 802.15.1
- IEEE 802.16