Cryptography underlies the provision of security for just about every kind of communications network, and mobile networks are no exception. Just about every chapter in this volume makes use of cryptographic techniques and terminology, with which the reader is assumed to have a basic familiarity. The role of this preliminary chapter is to provide a very brief introduction to cryptography. Whilst reading this chapter is no substitute for a more detailed study of the subject, the main terms are introduced, with the goal of enabling much of the remainder of the book to be understood. There are many books on cryptography, and the interested reader is strongly encouraged to consult these books to gain a better grasp of the topic. Two books that can be recommended are Piper and Murphy's recent brief introduc tion to cryptography, which provides a basic introduction to the main concepts of cryptography, and Menezes, van Oorschot and Vanstone's encyclopaedic work on cryptography, which, despite now being some six years old, remains an enormously reliable source of information on all aspects of cryptography.

In current mobile systems, some applications already use public key techniques and an underlying Public Key Infrastructure (PKI) to provide security, and such use is widely expected to grow. This chapter provides an overview of the basic techniques and the entities that are involved in a PKI and describes how they are used in current mobile systems. The chapter also highlights the envisaged use of PKI in future mobile systems and the accompanying challenges it brings, drawing on recent results of the European Union's SHAMAN project.

After defining the requirements for PKI in a PAN, we have looked at concrete issues such as imprinting devices, management of certification authorities and revocation mechanisms. The discussions in this chapter have shown that whilst many mecha nisms and protocols from the fixed network environment may be used or adapted for the PAN environment, new mechanisms, not feasible in conventional fixed network PKI scenarios, may be advantageous in PANs. The latter category of mechanism is probably best represented by the new imprinting protocols where the user has to act as a trusted channel and by the various scenarios proposed for revocation checking based on push-mechanisms.

Modern society would like to replace paper material by electronic data carriers and mechanical processes by electronic processes. Smartcards offer one means to this end in the form of a personal mobile security device. Personal data can be stored in a mobile personal environment instead of a central database, and processor smartcards additionally provide a sort of pocket PC that can perform security functions with higher security than an ordinary PC. Interoperability of different smartcards with different smartcard readers and data terminals is very important; therefore, there exist certain standards for the structure of data objects on the card and for coding the commands sent to the card. Biometric user-authentication is becoming increasingly important for smartcards as an alternative to the previously used PIN or password authentication. Additional convenience for the user can be provided by contactless cards. This chapter gives an overview of the smartcard technologies and some of their applications.

Secure mobile tokens are widely used in consumer products. The most popular one is the Subscriber Identity Module (SIM) security module used in GSM mobile phones. In the future, IUCC security modules would be used for 3G mobile phones. The use of secure mobile tokens in commercial environments besides mobile voice call and SMS-based services is still an emerging market. Existing security module technology will follow the technology roadmap in the near future and expand functionality and performance while still under heavy cost pressure in the consumer market. New technologies combining existing services or integrating standard Internet protocols would show up and allow for new devices and scenarios based on advance secure mobile tokens like secure multimedia card (SMMC) or secured FLASH disks. The success story of the SIM technology in GSM mobile networks is currently followed by UICC and USIM technology in 3G networks and plans exist to make use of secure mobile tokens for securing WLAN access and usage as well as to make use of it for general heterogeneous network access, regardless of it being DSL, fixed line, GSM, WLAN or Universal Mobile Telecommunications Systems (UMTS).

The Universal Mobile Telecommunications System (UMTS) is one of the new 'third generation' mobile cellular communication systems. UMTS builds on the success of the 'second-generation' Global System for Mobile (GSM) system. One of the factors in the success of GSM has been its security features. New services introduced in UMTS require new security features to protect them. In addition, certain real and perceived shortcomings of GSM security need to be addressed in UMTS. This chapter surveys the major security features that are included in the first releases of the UMTS standards.

This chapter addresses security issues in future mobile communications systems, beyond the third generation currently being introduced in Europe under the name of Universal Mobile Telecommunications System (UMTS). A user in a future mobile communications system should be able to use services from anywhere in the system (global roaming), and when using these services, the particular access network technology should be transparent to the user. Finding a unique security solution that is largely independent of the potentially many different access technologies is a particular challenge that these future mobile systems pose. The security considerations presented in this article are based on the work of the EU-sponsored collaborative research project SHAMAN. The results can be easily generalised to various types of future mobile systems. The concepts discussed in this chapter focus on the security features and mechanisms required to provide global IP connectivity and various forms of mobility to a globally roaming user in a future mobile system.

The security of access procedures to mobile networks is very critical, because wireless communication can be easily compromised. So far, network access procedures to wireless networks have primarily been based on secret key techniques. In this chapter, we want to survey current secret key approaches, motivate public key approaches and present major public key protocols for network access.

This chapter discusses security for personal area networks (PANs). An overview of different PAN security issues and solutions is given. We define a PAN reference and trust model. A PAN security architecture based on the model is described. Especially we provide new solutions to the PAN device security initialisation problem using manual authentication techniques. We show that PAN key management can be sub stantially simplified using trust delegation or a personal 'Public Key Infrastructure (PKI)'. Internal PAN communication security as well as secure configuration and access control is discussed.

Mobile ad hoc networking is a technology designed to ease the burden of network management through the use of distributed solutions. Whereas in the past the design of such networks was aimed at satisfying military scenarios, recent growing awareness of the scope for commercial use has accelerated research into high-performance, self-configuring ad hoc networks. However, the performance advantages that ad hoc networks offer are counterbalanced by security vulnerabilities, which are not present in conventional networking. This chapter discusses these vulnerabilities, focusing on the network layer, and presents a threat model classifying the types of threats to ad hoc networks. A variety of different security requirements can be extracted from the threat model. The latter part of the chapter discusses security mechanisms which have been proposed to satisfy these requirements, and identifies areas for future research.

Introducing mobility into a communications environment that was initially designed for fixed nodes brings up many challenges that come from a technical as well as from a security point of view. The challenges posed by introducing mobility for seamlessly roaming between IP networks are addressed by the MobilelP standard. This chapter describes the solution proposed by MobilelP with a focus on the security mechanisms used in version 6 of this protocol.

The agent paradigm is currently attracting much research. A mobile agent is a particular type of agent with the ability to migrate from one host to another where it can resume its execution. In this chapter, we consider security issues that need to be addressed before multi-agent systems in general, and mobile agents in particular, can be a viable solution for a broad range of commercial applications. We do this through considering the implications of the characteristics given to agents and general properties of open multi-agent systems. We then look in more detail at technology and methods applicable to mobile agent systems.

'Software defined radio' (SDR) is a technology that will appear in future generations of mobile phones, that is, following the third-generation mobile phone technology that is currently being defined and developed. Early versions of 'pragmatic' SDR will allow the terminal to be reconfigured at any level of its protocol stack. Ultimately, the 'pure' SDR technology will allow a mobile phone or terminal to have its air interface software configured or reconfigured by other software (or software parameters) that have been downloaded to the terminal, for example, over the air, or from a remote server via the Internet and one's personal computer (PC). A number of security issues arise with downloaded code that implements the air interface functions, and these may not be obvious simply from looking at the way PC software is updated online today. This chapter starts with an outline of the code that allows a mobile phone to operate over a particular air interface. This sets the baseline for a discussion of the security issues surrounding the change of this code from one that is fixed and downloaded once only, to code that is reconfigurable during the life of a product.

M-commerce, or mobile commerce, is a major application domain for mobile devices, enabling users to perform commercial transactions wherever they go. However, these applications require a high level of security. In this chapter, we identify the special characteristics of m-commerce and reflect on some important security issues.

In this chapter, we will look at the security issues that arise for the browsing, selection and delivery of digital content over the Internet. Particular emphasis will be placed on the problems of finding security solutions for microtransactions (small items of content) and micropayments (low-value content), and the digital rights management issues concerning the protection of content after it has been delivered to consumers. The chapter will conclude with a description of the secure content delivery system developed during the Secure Interactive Broadcast Infotainment Services (SIBIS) project, which addresses many of the issues raised.

Digital Rights Management (DRM) is a generic term used to cover the protection of proprietary digital content against misuse, including unauthorised distribution and use. This chapter seeks to re-examine possible solutions to the provision of DRM by first examining the threats and resulting security requirements, and then classifying approaches to DRM depending on the nature of the operating system on which the proprietary content will be used. This then leads to a detailed analysis of security requirements for a DRM solution running on an 'open' operating system platform.

To achieve the goal of security and privacy in future mobile communication networks, further research and technology development will be required. The roadmap presented in this chapter pioneers the boundaries of mobile privacy and security from a broad perspective. It registers the mobile privacy and security requirements of the actors on whom the success of future mobile communications, systems and services depends, it gives an overview of the current state-of-the-art in mobile security and privacy, addresses non-technical aspects, conducts a SWOT analysis from a European perspective and ultimately identifies the areas where research, standardisation and development will be most needed and beneficial in the coming years, so that we can progress rapidly and efficiently towards a trusted mobile environment.