11-04-2013, 03:09 PM
S-SPAN: Secure Smart Posters in Android using NFC
[attachment=52956]
Abstract
Smart posters are a promising new use case for NFC-enabled mobile devices, but to date there has been a general lack of security mechanisms for NFC smart posters. We present S-SPAN - a secure smart poster system consisting of three parts: an administrative web interface for managing posters, a backend server for storing and serving data, as well as an Android application for end-users. S-SPAN enforces confidentiality and integrity of smart poster data as well as authentication/authorization of administrators and end-users, thus ensuring that only authorized users can access the content.
INTRODUCTION
Smart posters, which allow businesses or other organizations to disseminate information to end-users in a more interactive fashion than standard posters, are an increasingly popular application of NFC tags. Such tags store small amounts of read-only (or less commonly, rewriteable) data. A typical use case for NFC smart posters is to provide users of NFC enabled smart phones with quick access to a URL related to the poster content; for example, a user interested in a product advertisement might swipe her phone over the ad poster to open a webpage containing detailed specifications and a link to purchase the item. There are also situations that call for smart posters to contain sensitive information only privy to specific users. For example, a museum may wish to use NFC smart posters in tandem with a custom smart phone application, to provide additional information about exhibits on the condition that the content should only be available to users who have paid for admission on a given day. S-SPAN aims to provide a framework for secure active-passive pairings between NFC tags and Android devices in a smart poster setting. This project was motivated by the Report on Smart Posters by the NFC Forum: “The benefit of signing tags is that they become secure - they can’t be changed to direct users to other content” [1].
Summary of Contributions
With the unimpeachable notion that smart posters need to be secure, S-SPAN is carefully designed to overcome a subset of the above-mentioned attacks and, at the same time, enhance the user’s tryst with the poster. We believe that this combination of resilience and experience makes S-SPAN a holistic, usable and off-the-shelf solution for securing smart posters. On the security front, S-SPAN is designed to overcome Tag Spoofing, Tag Cloning, Eavesdropping attacks and also provide avenues for auditing and revocation of posters. At the core of the application is the authentication framework that the application is interfaced with, which in our case is Carnegie Mellon’s WebISO framework, but can be any such generic system. In order to read from any of the applications services, one must be ‘logged in.’ Our approach to eliminating tag spoofing and cloning is to store no information other than a string of random bytes in the tag. This is different from the conventional approach of storing the complete resource in the tag itself. Thus, if an attacker attempts to clone our tag, all he gets is a bunch of random numbers, from which no information can be gleaned about the resource. These random numbers function as the tag ID, and an authenticated user queries the database using an HTTPS connection thereby thwarting any possibility of eavesdropping. The administrator, a trusted member, whose only responsibility is to register the tags, has access to the audit logs of the posters and can revoke any poster, if malicious activity is suspected. The Implementation section elucidates on the complete architecture and workings
Authentication
S-SPAN treats the authentication mechanism as a module, so any cookie-based authentication system can be adapted to secure the administrative interface as well as the Android application. For our initial implementation, we have chosen to use WebISO, a cookie-based single sign-on authenticationsolution for web pages within the Carnegie Mellon domain. All pages and scripts on our backend server are WebISOprotected, so the Smart Poster app must check the user’s authentication status on each request to the server. To perform this check, the app takes advantage of the fact that WebISO will automatically redirect requests with invalid cookies to the WebISO login page; if the check fails, then the app asks the user to once again provide credentials, as shown in Fig. 2. The app can easily be modified to accommodate authentication systems that treat invalid requests differently, e.g. by serving a standard error page or returning a specific HTTP status code.
Displaying Poster Contents
When a user scans an NFC tag, the app calls get poster with the poster/tag identifier stored on the tag. The server will return an XML file containing either an error code or the poster contents. In the case of the former, the app will parse the error code, which could be indicative of a nonexistent tag ID or revoked poster, and inform the user. Otherwise, the app displays the poster contents, i.e. a link or a poll
APPLICATION DEMO
Though we intend to bring our own phones for the demonstration, any NFC enabled Android phone with the app is all that is required to enjoy the experiment. The user can assume the role of an administrator or the role of an end-user. As an end user, one can enjoy the following features: Vox Populi, ShareIt! And Contextual Presentation. The Access Control and Revocation features are the perks of assuming an administrator role.
Contextual Presentation
In the context of smart posters, Contextual Presentation refers to displaying different ‘additional’ content for the same poster based on the user-group of the viewer. For instance, if a college recruiter would like to announce a seminar, but the teams meeting the CS students are different from those of the ECE students, there is no need to create two different posters. Instead, one poster can be created, and ‘presented’ differently, based on the ‘context’ of the user.
When an administrator registers tags for the smart poster, instead of providing a single content item for the poster’s tag ID, he would provide multiple content items for the same poster tag ID, along with the group name/ID for each content item by which he wants the viewers to be distinguished. Since we require the user to authenticate to view the content for the poster, we would be able to distinguish between different viewers based on their group membership and present the appropriate content
ShareIt!
Using the ShareIt feature the posters can be shared with social networking groups as the application has been integrated with third party APIs such as Google Calendar, Facebook and Twitter. If a user scans a poster which has an event associated with it and registers to attend it, then the application would automatically create an event in their Google Calendar.
Fine-grained Access Control
One essential requirement is that only an authenticated and authorized user should be shown the content associated with the poster; depending on the use case, an administrator can exert fine-grained control over poster access via a user whitelist/blacklist. Also, for the Admin UI, an administratorneeds to be authenticated and would be able to see and edit only entries created by him. Although we use WebISO, this fine-grained access control mechanism is designed and implemented in the application in such a way that it would be able to support multiple authentication mechanisms.
Revocation of Smart Posters
This feature would provide an ability to measure the usage of the smart poster tags and would help in amortizing the application. The idea behind revocation of tags is that a user would register a poster content with the tag in our database. While registering the tags, he will also provide a time till when the tag/tag ID should be active. So, once this time period has ended the tag ID would be revoked by our database. If a viewer scans a revoked tag, he will not see the content originally associated with the tag. So a user could be charged based on the duration the user registers the tag. Also, revocation of the tags could be done manually by an admin through the Admin UI. This feature provides users and admins a way to revoke a tag which might be incorrect or has been tampered.
[attachment=52956]
Abstract
Smart posters are a promising new use case for NFC-enabled mobile devices, but to date there has been a general lack of security mechanisms for NFC smart posters. We present S-SPAN - a secure smart poster system consisting of three parts: an administrative web interface for managing posters, a backend server for storing and serving data, as well as an Android application for end-users. S-SPAN enforces confidentiality and integrity of smart poster data as well as authentication/authorization of administrators and end-users, thus ensuring that only authorized users can access the content.
INTRODUCTION
Smart posters, which allow businesses or other organizations to disseminate information to end-users in a more interactive fashion than standard posters, are an increasingly popular application of NFC tags. Such tags store small amounts of read-only (or less commonly, rewriteable) data. A typical use case for NFC smart posters is to provide users of NFC enabled smart phones with quick access to a URL related to the poster content; for example, a user interested in a product advertisement might swipe her phone over the ad poster to open a webpage containing detailed specifications and a link to purchase the item. There are also situations that call for smart posters to contain sensitive information only privy to specific users. For example, a museum may wish to use NFC smart posters in tandem with a custom smart phone application, to provide additional information about exhibits on the condition that the content should only be available to users who have paid for admission on a given day. S-SPAN aims to provide a framework for secure active-passive pairings between NFC tags and Android devices in a smart poster setting. This project was motivated by the Report on Smart Posters by the NFC Forum: “The benefit of signing tags is that they become secure - they can’t be changed to direct users to other content” [1].
Summary of Contributions
With the unimpeachable notion that smart posters need to be secure, S-SPAN is carefully designed to overcome a subset of the above-mentioned attacks and, at the same time, enhance the user’s tryst with the poster. We believe that this combination of resilience and experience makes S-SPAN a holistic, usable and off-the-shelf solution for securing smart posters. On the security front, S-SPAN is designed to overcome Tag Spoofing, Tag Cloning, Eavesdropping attacks and also provide avenues for auditing and revocation of posters. At the core of the application is the authentication framework that the application is interfaced with, which in our case is Carnegie Mellon’s WebISO framework, but can be any such generic system. In order to read from any of the applications services, one must be ‘logged in.’ Our approach to eliminating tag spoofing and cloning is to store no information other than a string of random bytes in the tag. This is different from the conventional approach of storing the complete resource in the tag itself. Thus, if an attacker attempts to clone our tag, all he gets is a bunch of random numbers, from which no information can be gleaned about the resource. These random numbers function as the tag ID, and an authenticated user queries the database using an HTTPS connection thereby thwarting any possibility of eavesdropping. The administrator, a trusted member, whose only responsibility is to register the tags, has access to the audit logs of the posters and can revoke any poster, if malicious activity is suspected. The Implementation section elucidates on the complete architecture and workings
Authentication
S-SPAN treats the authentication mechanism as a module, so any cookie-based authentication system can be adapted to secure the administrative interface as well as the Android application. For our initial implementation, we have chosen to use WebISO, a cookie-based single sign-on authenticationsolution for web pages within the Carnegie Mellon domain. All pages and scripts on our backend server are WebISOprotected, so the Smart Poster app must check the user’s authentication status on each request to the server. To perform this check, the app takes advantage of the fact that WebISO will automatically redirect requests with invalid cookies to the WebISO login page; if the check fails, then the app asks the user to once again provide credentials, as shown in Fig. 2. The app can easily be modified to accommodate authentication systems that treat invalid requests differently, e.g. by serving a standard error page or returning a specific HTTP status code.
Displaying Poster Contents
When a user scans an NFC tag, the app calls get poster with the poster/tag identifier stored on the tag. The server will return an XML file containing either an error code or the poster contents. In the case of the former, the app will parse the error code, which could be indicative of a nonexistent tag ID or revoked poster, and inform the user. Otherwise, the app displays the poster contents, i.e. a link or a poll
APPLICATION DEMO
Though we intend to bring our own phones for the demonstration, any NFC enabled Android phone with the app is all that is required to enjoy the experiment. The user can assume the role of an administrator or the role of an end-user. As an end user, one can enjoy the following features: Vox Populi, ShareIt! And Contextual Presentation. The Access Control and Revocation features are the perks of assuming an administrator role.
Contextual Presentation
In the context of smart posters, Contextual Presentation refers to displaying different ‘additional’ content for the same poster based on the user-group of the viewer. For instance, if a college recruiter would like to announce a seminar, but the teams meeting the CS students are different from those of the ECE students, there is no need to create two different posters. Instead, one poster can be created, and ‘presented’ differently, based on the ‘context’ of the user.
When an administrator registers tags for the smart poster, instead of providing a single content item for the poster’s tag ID, he would provide multiple content items for the same poster tag ID, along with the group name/ID for each content item by which he wants the viewers to be distinguished. Since we require the user to authenticate to view the content for the poster, we would be able to distinguish between different viewers based on their group membership and present the appropriate content
ShareIt!
Using the ShareIt feature the posters can be shared with social networking groups as the application has been integrated with third party APIs such as Google Calendar, Facebook and Twitter. If a user scans a poster which has an event associated with it and registers to attend it, then the application would automatically create an event in their Google Calendar.
Fine-grained Access Control
One essential requirement is that only an authenticated and authorized user should be shown the content associated with the poster; depending on the use case, an administrator can exert fine-grained control over poster access via a user whitelist/blacklist. Also, for the Admin UI, an administratorneeds to be authenticated and would be able to see and edit only entries created by him. Although we use WebISO, this fine-grained access control mechanism is designed and implemented in the application in such a way that it would be able to support multiple authentication mechanisms.
Revocation of Smart Posters
This feature would provide an ability to measure the usage of the smart poster tags and would help in amortizing the application. The idea behind revocation of tags is that a user would register a poster content with the tag in our database. While registering the tags, he will also provide a time till when the tag/tag ID should be active. So, once this time period has ended the tag ID would be revoked by our database. If a viewer scans a revoked tag, he will not see the content originally associated with the tag. So a user could be charged based on the duration the user registers the tag. Also, revocation of the tags could be done manually by an admin through the Admin UI. This feature provides users and admins a way to revoke a tag which might be incorrect or has been tampered.