Date posted: 19-Dec-2015
Electrical and Computer Engineering
GeoVault: Secure Location Tracking
Comprehensive Design Review
Nathan Franz
Emily Nelson
Thomas Petr
Shanka Wijesundara
Advisor: Prof. Burleson
System Overview (diagram)
Components: GeoVault; clients (Email, Cell Phone, Computer); 3rd Party Server; Google Maps API; Database (drawn as several database nodes).
Labelled flows: HTTPS between the clients and GeoVault; OAuth and login credentials exchanged with the 3rd Party Server; map queries to the Google Maps API; stored location data in the database; access controls and resolution applied to location data before it is released; notifications sent to the clients.
Feedback From MDR
• Timing: Oracle vs. PostgreSQL
• Threat Analysis
• Security as a competitive advantage
PostgreSQL
• Re-evaluated database choices
• SQLite + SpatiaLite for self-hosted environment
  – Extremely simple to set up
• PostgreSQL for production environment
  – Fast, easy to manage
• PostgreSQL is lighter-weight (faster) and provides all required features
• Insert 100,000 points across the USA (average time per insert):
  MySQL 5.1         26.258 ms
  PostgreSQL 8.4     3.496 ms
  Oracle 11g       199.670 ms
GeoVault: Threat Risk
Integrity
  Threat: Inaccurate locations of users
  Consequences: Confusion, loss of trust, or worse (depending on application)
  Countermeasures: Encryption / Shared Secrets; Distributed Database
Confidentiality
  Threat: User's location is revealed
  Consequences: User privacy is compromised, susceptible to attack
  Countermeasures: Secret Sharing / MPC; Identity Verification; Timing Measures
Denial of Service
  Threats: Botnet attack; Rapid checkins / logins
  Consequences: Inability to track users
  Countermeasures: Rate limiting
Authentication
  Threats: Spoofing, identity theft
  Consequences: User privacy is compromised
  Countermeasures: Identity Verification; Idle time logouts; Reject delay for login
*Stallings, William. Network Security Essentials: Applications and Standards. New Jersey: Pearson Prentice Hall, 2007.
Other Systems: Threat Risk
Google Latitude
  Assets: Location Data; Friends' Locations
  Vulnerabilities: No Verification
  Defense: Password/login protection
  Privacy issues: Approve Friends; Limited access settings
Foursquare
  Assets: Location Data; Location Trends; Friends' Locations
  Vulnerabilities: Create home/work location
  Defense: https
  Privacy issues: Approve Friends; Limited access settings
Gowalla
  Assets: Location Data; Location Trends; Friends' Locations
  Vulnerabilities: Publishes location to the entire world
  Defense: Password/login protection
  Privacy issues: Approve Friends; No access settings
Twitter
  Assets: Location Data; What you are doing; Friends' Locations
  Vulnerabilities: Uneducated users; 3rd party services
  Defense: https; OAuth
  Privacy issues: Limited access settings
Why GeoVault is More Secure
• Secure Distributed Database
• Location only available to those the user trusts [unlike: Gowalla]
• Varied resolution [unlike: Twitter, Foursquare, Google Latitude, Gowalla]
• Integrity (user cannot lie about where they are) [unlike: Google Latitude]
• Only current location displayed (no trends) [unlike: Twitter, Gowalla]
Accuracy vs Permissions
• Handling geographic resolution
• Permissions > Accuracy
  – Contain accuracy circle in randomly placed permission circle
  – Take into account (for FPR): state lines, bodies of water, etc.
• Permissions < Accuracy
  – Expand permission radius to accuracy radius
(Figure: Accuracy vs Permissions, showing the accuracy circle and the permission circle)
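The two cases on the slide, as an added example written for this page rather than the GeoVault project's own code. It works in a local planar frame of metres around the user (an assumption made for the example; the project's own coordinate handling is not shown), places the permission circle at a uniformly random position that still fully contains the accuracy circle, and falls back to the accuracy radius when the viewer's permission is finer than the device can deliver. The rng parameter is also an assumption, added so that the caller decides when a new random offset is drawn.

```python
import math
import random


def disclosed_circle(true_xy, accuracy_r, permission_r, rng):
    """Return (centre, radius) to show a viewer whose permission level is permission_r.

    true_xy     -- the user's reported position, (east, north) in metres (assumed frame)
    accuracy_r  -- radius of the device's accuracy circle around true_xy
    permission_r-- radius the viewer is permitted to resolve the user to
    rng         -- a random.Random instance supplied by the caller
    """
    ax, ay = true_xy
    if permission_r < accuracy_r:
        # Permissions < Accuracy: expand the permission radius to the
        # accuracy radius; the circle is centred on the reported position.
        return (ax, ay), accuracy_r

    # Permissions > Accuracy: choose a centre so that the whole accuracy
    # circle lies inside the permission circle. Any centre within
    # (permission_r - accuracy_r) of the true position qualifies; sample
    # uniformly over that disc so no direction is favoured.
    slack = permission_r - accuracy_r
    theta = rng.uniform(0.0, 2.0 * math.pi)
    d = slack * math.sqrt(rng.random())  # sqrt gives a uniform density over the disc
    return (ax + d * math.cos(theta), ay + d * math.sin(theta)), permission_r


def contains(outer_centre, outer_r, inner_centre, inner_r):
    """True if the inner circle lies entirely inside the outer circle."""
    return math.dist(outer_centre, inner_centre) + inner_r <= outer_r + 1e-9


def always_contained(trials, rng):
    """Property check: over random parameters the disclosed circle always contains
    the accuracy circle and is never smaller than the permission radius."""
    for _ in range(trials):
        true_xy = (rng.uniform(-1e4, 1e4), rng.uniform(-1e4, 1e4))
        acc = rng.uniform(1.0, 500.0)
        perm = rng.uniform(1.0, 5000.0)
        centre, r = disclosed_circle(true_xy, acc, perm, rng)
        if r < perm or not contains(centre, r, true_xy, acc):
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(7)  # constructed seed so the demo is reproducible
    print(disclosed_circle((0.0, 0.0), 50.0, 1000.0, rng))
    print(disclosed_circle((10.0, 20.0), 300.0, 100.0, rng))
```

One point the slide does not cover: if a fresh random offset is drawn for every query, a viewer who polls repeatedly can average the disclosed centres and converge on the true position. Keeping the offset fixed for a given (user, viewer) pair until the reported position actually changes, which is why the rng is passed in rather than created inside the function, removes that averaging channel.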
OAuth (lanes in the diagram: GeoVault, Twitter, Client)
1. Get request token (GeoVault to Twitter)
2. Send request token (Twitter to GeoVault)
3. Redirect to Twitter (GeoVault to Client)
4. Sign in and ask for GeoVault access (Client at Twitter)
5. Exchange for access token (GeoVault to Twitter)
6. Get access token (Twitter to GeoVault)
Grant 3rd party access to user information without sharing access permissions or full extent of data.
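The six-step exchange above, played out as an added example that is not part of the slides and does not use Twitter's real API: a mock Provider stands in for Twitter and geovault_flow for the GeoVault side. The constructed user, password, profile fields and scope names are assumptions for the example. It shows the property the slide states: the user signs in at the provider (step 4), so the client never handles the password; the request token can only be exchanged with the verifier issued at step 4, by the client it was issued to, once; and the resulting access token reads only the fields the user approved.

```python
import secrets

# Constructed user, credential and profile data for the mock provider.
USERS = {"alice": "correct horse battery staple"}
PROFILES = {"alice": {"name": "Alice",
                      "email": "alice@example.invalid",
                      "location_history": ["(constructed) 42.39,-72.53"]}}


class Provider:
    """Mock of the Twitter lane in the slide's diagram (constructed, not Twitter's API)."""

    def __init__(self):
        self._request_tokens = {}  # token -> {"client", "user", "scope", "verifier"}
        self._access_tokens = {}   # token -> {"user", "scope"}

    def request_token(self, client_id):
        # Steps 1-2: issue an unauthorised request token bound to the requesting client.
        tok = secrets.token_hex(16)
        self._request_tokens[tok] = {"client": client_id, "user": None,
                                     "scope": None, "verifier": None}
        return tok

    def authorize(self, request_token, username, password, scope):
        # Step 4: the user signs in at the provider and approves a scope for the
        # client; the password is checked here and never reaches the client.
        # The verifier proves to the provider that step 4 really completed.
        if not secrets.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("bad credentials")
        entry = self._request_tokens[request_token]
        entry.update(user=username, scope=frozenset(scope),
                     verifier=secrets.token_hex(8))
        return entry["verifier"]

    def access_token(self, client_id, request_token, verifier):
        # Steps 5-6: exchange an approved request token for an access token.
        entry = self._request_tokens.get(request_token)
        if entry is None or entry["client"] != client_id:
            raise PermissionError("unknown request token for this client")
        if entry["verifier"] is None or not secrets.compare_digest(entry["verifier"], verifier):
            raise PermissionError("verifier missing or wrong")
        del self._request_tokens[request_token]  # request tokens are single use
        tok = secrets.token_hex(16)
        self._access_tokens[tok] = {"user": entry["user"], "scope": entry["scope"]}
        return tok

    def read(self, access_token, field):
        # The access token only reaches the fields the user approved in step 4.
        entry = self._access_tokens.get(access_token)
        if entry is None or field not in entry["scope"]:
            raise PermissionError("access token not authorised for " + field)
        return PROFILES[entry["user"]][field]


def geovault_flow(provider, user_browser, client_id="geovault"):
    """GeoVault's side of the flow. user_browser simulates step 3-4: the user is
    sent to the provider and comes back with the verifier. Returns the access token."""
    rt = provider.request_token(client_id)                  # steps 1-2
    verifier = user_browser(rt)                             # steps 3-4, at the provider
    return provider.access_token(client_id, rt, verifier)   # steps 5-6


def raises_permission_error(fn, *args):
    """Helper so the checks below can assert on a returned value."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    twitter = Provider()
    browser = lambda rt: twitter.authorize(rt, "alice", USERS["alice"], {"name"})
    token = geovault_flow(twitter, browser)
    print("name:", twitter.read(token, "name"))
    print("email denied:", raises_permission_error(twitter.read, token, "email"))
```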
Distributed Database
• Securely and robustly store location data
• Prevents a single point of failure
  – Secret sharing is a form of encryption
(Diagram: GeoVault connected to six database Nodes)
Shamir's Secret Sharing Scheme
f(x) = 94x^2 + 166x + 1234
GeoVault evaluates f at x = 1..5 and hands one point to each node:
Node 1: (1, f(1)) = (1, 1494)
Node 2: (2, f(2)) = (2, 1942)
Node 3: (3, f(3)) = (3, 2578)
Node 4: (4, f(4)) = (4, 3402)
Node 5: (5, f(5)) = (5, 4414)
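The slide's scheme carried through in code, as an added example rather than GeoVault's own implementation. It reproduces the five shares from f(x) = 94x^2 + 166x + 1234 and recovers the secret 1234 from any three of them by Lagrange interpolation at x = 0, then generalises to splitting an arbitrary secret into n shares with threshold k. The slide evaluates f over the integers; the example works modulo a prime P instead (P = 8191 is an assumption chosen to be larger than every value on the slide, so the slide's shares come out unchanged), because only in a prime field does holding fewer than k shares reveal nothing about the secret.

```python
import secrets

# Prime modulus for the field (assumption for this example). It exceeds every
# value on the slide, so the slide's shares are identical modulo P.
P = 8191  # 2**13 - 1

# The slide's polynomial, coefficients in ascending order: 1234 + 166x + 94x^2.
SLIDE_POLY = [1234, 166, 94]


def eval_poly(coeffs, x, p=P):
    """Evaluate a polynomial (ascending coefficients) at x modulo p, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def slide_shares():
    """The five (x, f(x)) points GeoVault hands to Node 1..5 on the slide."""
    return [(x, eval_poly(SLIDE_POLY, x)) for x in range(1, 6)]


def split_secret(secret, k, n, p=P):
    """Split secret into n shares such that any k recover it.

    The constant term is the secret; the other k-1 coefficients are drawn
    uniformly at random, which is what makes k-1 shares uninformative.
    """
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=P):
    """Lagrange interpolation of the shares at x = 0, over the field mod p.

    With at least k distinct shares this returns f(0), the secret; with fewer
    it returns the value of a different polynomial, not the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p        # product of (0 - xj)
                den = den * (xi - xj) % p    # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


if __name__ == "__main__":
    shares = slide_shares()
    print("shares:", shares)
    print("from nodes 1,2,3:", recover_secret(shares[:3]))
    print("from nodes 2,4,5:", recover_secret([shares[1], shares[3], shares[4]]))
    print("from nodes 1,2 only:", recover_secret(shares[:2]))
```

In the GeoVault setting the secret would be an encoded location (or a key protecting it), and the threshold k sets how many database nodes an adversary must compromise before anything about that value is learned; pow(den, -1, p) needs Python 3.8 or later.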
Demo
Milestones
Oct 26 PDR Specifications complete
Nov 9 Smart phone web client functional prototype
Dec 2 MDR Database configured / example of multiparty computation
Dec 21 Platform complete / server security/ OAuth
Jan 4 Web clients complete / security for hijacked devices (timing)
Jan 11 Platform input / output plugins complete
Jan 25 Bugfixes, Performance Testing
Feb 11 CDR Demo / show security and weakness in other systems / Threat Analysis
Mar 31 Political Boundaries/ Idle time logout/ Continued work with MPC/ Tweak backend/ Polish interface
Apr 5 FPR Project Complete
Technical Roles
Name          Past Tasks                          Future Tasks
Tom (CSE)     Backend / MPC / Secret Sharing      Secret Sharing
Nate (EE)     OAuth / Authentication Middleware   Authentication Middleware
Shanka (EE)   Backend / Django Access Controls
Emily (CSE)   Frontend / Threat Analysis          Adding Political Boundaries
Thank You
Questions?