+ All Categories
Home > Documents > Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Date post: 26-Dec-2015
Category:
Upload: tyler-parrish
View: 225 times
Download: 0 times
Share this document with a friend
Popular Tags:
43
Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security
Transcript
Page 1: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Location Privacy in Wireless Networks

Xiuzhen Cheng

CS/GWU

388 – Wireless and Mobile Security

Page 2: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Outline

• Introduction

• Preserving Privacy– Encryption and Access Control– Anonymization

• Example:– Mix Zone Model– Authorized-Anonymous-ID

Page 3: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

What’s the Problem?Need to protect the location privacy of mobile users

Page 4: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Getting Location Information

• Direct:– Mechanical: FaroArm, Boom3C, Active Floor, InertiaCube

– Magnetic: Polhemus, Pinger

– Radio: GPS, GSM, RFID, WiFi, Ubisense

– Acoustic: Active Bat, Dolphin, Cricket

– IR: Active Badge, Phicons, Locust Swarm

– Visual: TRIP, ARToolkit, Cybercode

• Indirect:– ATMs, credit cards, loyalty cards, toll booths

Page 5: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Getting Location Information II

• There does not exist a perfect location system• Applications must accept some trade-offs:

– inside-out verses outside-in

– tagged verses tagless

– static error: spatial & angular distortion, creep

– dynamic error: latency, update rate, Doppler shift

– other: size, weight, robustness, power, coverage area, cost . . .

Page 6: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Representing Location Information

Page 7: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Example: Active Bat system

Page 8: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Example: Underwater Positioning Scheme

Page 9: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Outline

• Introduction

• Preserving Privacy– Encryption and Access Control– Anonymization

• Example:– Mix Zone Model– Authorized-Anonymous-ID

Page 10: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

What is Privacy

Page 11: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Technological Privacy Measures

Page 12: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

What Is Location Privacy

Page 13: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Access Control vs. Anonymisation

Page 14: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Static Pseudonyms Do Not Work

Page 15: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Dynamically Changing Pseudonyms

Page 16: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Outline

• Introduction

• Preserving Privacy– Encryption and Access Control– Anonymisation

• Example:– Authorized-Anonymous-ID– Mix Zone Model

Page 17: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Authorized-Anonymous-ID

• Motivation of location privacy protection• Centralized architecture for location privacy

protection• Authorized-Anonymous-ID scheme • Related work• Conclusion

A Mechanism for Personal Control over Mobile Location Privacy

By Dapeng Wu

Page 18: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Centralized Architecture for Location Privacy Control

Prefe

renc

esThis architecture for location privacy control was designed andExperimented on the 802.11-Based Wireless Andrew network at CMU

Page 19: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Drawbacks of Centralized Architecture

• The location privacy of mobile users is not completely under their own control

• The central server is a single-failure-point

• The centralized architecture is not scalable.

Solution: use distributed architecture

Not trivial

Page 20: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Why Location Privacy Protection under Distributed Architecture not trivial?

• Administration requires all users to provide information for authentication– Users can be easily figured out by admin

• Mobile users would prefer not to expose any of their information which would enable anyone, including the administration, to get clues regarding their whereabouts.

Dilemma

Page 21: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Basic Idea

• Key idea: replace the real ID by authorized-anonymous-ID

• Authorized-anonymous-ID created by blind signature

• Authorized-anonymous-ID used as the key for packet authentication

Page 22: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Contributions

• Studied the problem of protecting location privacy of mobile users in the setting of ubiquitous computing

• Proposed an authorized-anonymous-ID based scheme. • Authorized-anonymous-ID is created by blind signature• Designed an architecture that is able to provide the

mobile users with complete control over their location privacy while yet allowing the administration to authenticate the legitimate mobile users.

Page 23: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

A Sketch of Ubiquitous Computing

Gateway

Data Repository

PANPersona Area Network

InternetInternet

infra

red

IEEE 802, etc.

PTCB(Personal Trusted Computing Base)

Mobile Device

A ubiquitous computing environment should be formed by a powerfulInfrastructure that is highly available, cost effective, and sufficiently scalable to support millions of users and low-power mobile devices.

Page 24: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

An Agent-based Approach

• Administrator (A): is an agent that acts on behalf of the administration to authenticate legitimate users and grant them access to the wireless infrastructure.

• Rover (R): is an agent running at PTCB and acts on behalf of the owner of the mobile device.

• Manager (M): is an agent running at home PC and can be delegated to act on behalf of the mobile user.

• Connector (C): is an agent running at an access point and is delegated by the Administrator agent to authenticate mobile devices.

• Lookup (L): is an optional agent providing look-up service

Page 25: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Agent-based system architecture

M

R

Internet user

c

L

A

Wireless Andrew

1 Registration Protocol2 Controlled Connection Protocol3 Location Query/Response Protocol

3

2

1

3

2

Page 26: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Blind Signature• A provider wants his message to be signed by a signer

but does not want the signer to know the content of the message

• Blind Signature– Ballot Voting– Protocol

• Signer owns two functions: S (private) and S-1(public)• Provider owns blind functions C and C-1: both are private;

C-1(S(C(x)))=S(x); it is impossible to infer x from C(x) and S(x)• Redundancy Checking function r, which is Boolean, input is S(x)

– Features• Everyone can validate S(x) by r(S-1(S(x)))• Provider’s message is blind to the signer: no linkage between S(x) and

S(C(x))• Provider can not spoof the signer: can’t create S(y) without knowing S

Page 27: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

NotationsA mobile user, identified by her public key. The corresponding private key is held by her Rover running in her PTCB and Manager in home-PC of PAN.

Rover of mobile user U.

Manager of mobile user U.

Public key of X.

Private key of X.

Encrypt m by using symmetric crypto-system with a key shared by x and y

Decrypt c by using symmetric crypto-system with a key shared by x and y

One-way hash function with input x.

Encrypt m by using asymmetric cryptosystem with the public key of x.

Decrypt a cipher c with the public key of x.

Random numbers.

Acknowledgement for the last received message.

U

uR

uM

xE

xD

)(mK xy

)(1 cK xy

)(xH

)(mEx

)(cDx

10 , rr

ack

Page 28: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Registration Protocol

The manager does not know the linkage between c1 and id due to r0

Page 29: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Controlled Connection Protocol

Access Control

Packet Authentication

Page 30: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Re-confusion Protocol

I am requesting a new authorized-anonymous-id

Page 31: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Access Authorization Revocation

• A periodically expires and changes its own keys for access authorization

• Time-Stamp the authorized-anonymous-id– Unique time stamp?

Page 32: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Untraceable Routing Infrastructure

• Frequent communication between a home computer and a mobile device could be another factor exposing the linkage– Untraceable routing infrastructure [1]

[1] M. Reed, P. Syverson, and D. Goldschlag, Anonymous connections and onion routing, JSAC, Vol. 16 (4), pp. 482-, 1998.

Page 33: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Mixed Zones: Threat Model• Increase privacy for outside-in loc. sys. and shared apps.• Users subscribe to trusted location middleware• Users register interest in specific applications• Applications are untrusted and are provided with

pseudonymised location information in restricted “application zones”(All apps are viewed as one global hostile observer)

• Mix zones are areas outside application zones, where no application can trace user movements

• Attacker wants to track long-term user movement and therefore find complex home locations to identify users

Page 34: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

The Mix Zone

• Mix zones are areas not in app. zones• Change user pseudonyms:

– stateless: between every location event given to app.

– session state: between every visit to an app. Zone

– fixed state: same pseudonym for each user per app. zone

Page 35: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

What Does An Attacker See?

How to determine the anonymity level?

Page 36: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Taking user movement into account

• Anonymity set does not account for:

– correlation between ingress and egress positions

– time taken to cross the mix zone

• A user movement model is required:

– Use historical data from nearby app. zones and build a movement matrix

– Use analytical model of human movement [Helbing et al. 2000]

Page 37: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

An Attacker’s Information and Goal

• An attacker can observe the times, coordinates, and pseudonyms of all the ingress and egress events

• His goal is to reconstruct the correct mapping between all the ingress events and egress events– Equivalent to discovering the mapping between new and old

pseudonyms (how many mapping?)

– Can be viewed as a weighted bi-partite graph, where vertices model ingress and egress pseudonyms and edge weights model the probability of two pseudonyms representing the same person

Page 38: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Quick Bi-Partite Graph Introduction

Page 39: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Viewing the mix zone as a bipartite graph I

Page 40: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Viewing the mix zone as a bipartite graph II

Page 41: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Viewing the mix zone as a bipartite graph III

Page 42: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Real-time user anonymity

Page 43: Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security.

Mix Zone Conclusions


Recommended