MobiShare: Flexible Privacy-Preserving Location Sharing in Mobile Online Social Networks Wei Wei, Fengyuan Xu, Qun Li The College of William and Mary in INFOCOM IEEE 2012 A.C. Chen @ ADL
Introduction: Mobile Online Social Networks (mOSNs)
Mobile Online Social Networks (mOSNs) • Many existing OSNs have created content and access mechanisms tailored to mobile users
New mOSNs • Some mOSNs are designed specifically to be accessed by mobile devices, such as Foursquare and Gowalla
Privacy Concerns • While the location-based features make mOSNs more popular, they also raise significant privacy concerns • Because users’ physical locations are now being correlated with their profiles • All the current mOSNs are under centralized control • Users’ location privacy will be compromised if the location data collected by the mOSNs are abused, inadvertently leaked, or under the control of hackers
Related Work • SmokeScreen [ACM MobiSys, 2007] • Flexibly share presence with both friends and strangers while preserving user privacy • In [HotMobile, 2010] and [Privacy Enhancing Technologies, 2007], locations are shared only between established relations in a privacy-preserving way, which limits a large class of mobile social applications
The Main Idea of This Paper… • In a mOSN, users should be able to control how their own location information is accessed by others • The system should work in a way that an adversary controlling the mOSN cannot obtain users’ location information
MobiShare Architecture (figure: User, Cellular Tower, Location Server, Social Network Server)
Trust and Threat Model • Assumption: • Either the social network server or the location server can be compromised, but the adversary cannot control both entities • Threat Model • Some users may also be malicious, seeking to obtain the location information • The social network server or the location server may collude with these malicious users
The Cellular Towers are Trusted • The cellular carrier generally knows the owner’s name and address for each subscribed cell phone • The FCC’s wireless Enhanced 9-1-1 rules [E9-1-1] require that the cellular carriers can locate the subscribed cell phones with an accuracy of 50 to 300 meters • We make no attempt to conceal the devices’ locations from the cellular networks
Social Network Server and User • The social network server manages users’ identity-related information (profiles, friend lists…) • It can be a server of any existing OSN that wants to provide the location-sharing service • Each user has a unique identifier at the social network server, a public-private key pair, and a symmetric session key • The session key is shared with all his social network friends
Location Server and Cellular Tower • The location server is an untrusted 3rd-party server storing anonymized location updates of the users • A company may implement the location server so as to profit from the OSNs or the users • It shares a symmetric secret key with the cellular towers • Each cellular tower has a unique identifier and generates a symmetric secret key by itself • It also shares its secret key with the location server
System Design • Service Registration • Authentication • Location updates • Querying location
MobiShare System • Registration • Before using the location-sharing service, each user needs to register for the service at the social network server • Authentication • Establish an authenticated and secure communication link between the user and the cellular tower • Location updates • Querying location • Friends’ case • Strangers’ case
Service Registration • User A shares his public key PubKeyA with the social network server • User A defines his access control settings dfA and dsA • the threshold distances for sharing with friends and with strangers • After registration, the social network server stores an entry <IDA, PubKeyA, dfA, dsA> in its subscriber table
Authentication (message sequence)
• request(IDA, ts, SigA(IDA, ts)) (sent by user A)
• forward(IDA, ts, SigA(IDA, ts))
• Verification
• (IDA, dfA, dsA)
• forward(IDA, dfA, dsA)
• Verification
• OK
• On reception of the OK message, the cellular tower stores an entry <IDA, dfA, dsA> in its `user info` table
Location Updates • The cellular tower performs anonymization when a user uploads his location updates to the location server • Pseudonyms + dummy location updates • Each cellular tower periodically generates fake IDs and saves them in a fake ID pool • The fake IDs can be efficiently generated using a cryptographic hash function, e.g. fake IDi = SHA(fake IDi−1 ⊕ salt)
Location Updates – Anonymization (message sequence)
• User A sends (IDA, (x,y), SessA(x,y)) to the cellular tower
• The cellular tower updates `user info`
• The cellular tower picks k fake IDs and chooses FIDA among them
• The cellular tower stores FIDA in `user info`
• The cellular tower sends the mapping (IDA, FIDA, FID1, ..., FIDk−1) to the social network server
• The social network server updates its `fake ID` table
Location Updates – Anonymization (cont.)
• 1 real update: update(FIDA, (x,y), SessA(x,y), dfA, dsA), which updates `regionA` at the location server
• k−1 dummy updates: update(FIDi, (xi,yi), stri, dfi, dsi), each updating `regioni`
• The cellular tower sends the k location updates to the location server in a random order with random time intervals following the exponential distribution
Dummies Must Behave Like True Users • The cellular tower follows the method of [Kido et al. 2005] to generate k−1 dummy locations within its coverage • An anonymous communication technique using false position data (dummies) mixed with true position data
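The fake ID hash chain, the choice of one real and k−1 dummy updates, and the randomized send schedule from the location-update slides, as an added Python example that is not code from the paper or its authors. Everything beyond the slides is an assumption made for illustration: SHA-256 with a 32-byte salt as the hash function, a circular coverage area for Kido-style dummy placement, a constructed set of df/ds values drawn for dummies, a placeholder byte string standing in for SessA(x,y), and all class and function names.

```python
import hashlib
import math
import random

K = 5                  # anonymity level used in the paper's experiments
MILE = 1609.34         # metres; coordinates below are constructed planar metres
# Constructed pool of df/ds values the tower draws for dummies (an assumption, not the paper's rule).
DUMMY_THRESHOLDS = (0.25 * MILE, 0.5 * MILE, MILE, 2 * MILE)

def next_fake_id(prev, salt):
    # fake ID_i = SHA(fake ID_{i-1} XOR salt); SHA-256 with a 32-byte salt assumed
    return hashlib.sha256(bytes(a ^ b for a, b in zip(prev, salt))).digest()

def fill_fake_id_pool(pool, head, salt, count):
    # append count fresh fake IDs by walking the hash chain; returns the new chain head
    for _ in range(count):
        head = next_fake_id(head, salt)
        pool.append(head.hex())
    return head

def random_point_in_coverage(center, radius, rng):
    # uniform point in a circular coverage area (Kido-style dummy placement, shape assumed)
    r = radius * math.sqrt(rng.random())
    theta = 2 * math.pi * rng.random()
    return (center[0] + r * math.cos(theta), center[1] + r * math.sin(theta))

class CellularTower:
    def __init__(self, cid, center, radius, salt, rng):
        self.cid, self.center, self.radius, self.salt, self.rng = cid, center, radius, salt, rng
        self.user_info = {}            # ID -> {"df", "ds", "fid"} (the `user info` table)
        self.fake_id_pool = []         # fake ID pool, refilled from the chain head
        seed = hashlib.sha256(b"secret-seed-" + cid.encode()).digest()   # constructed seed
        self.head = fill_fake_id_pool(self.fake_id_pool, seed, salt, 64)

    def on_auth_ok(self, uid, df, ds):
        # entry stored when the OK message of the authentication exchange arrives
        self.user_info[uid] = {"df": df, "ds": ds}

    def anonymize_update(self, uid, xy, sess_ct, k=K, mean_gap_s=2.0):
        """One real update becomes k updates for the location server plus the SNS mapping.

        Returns (updates, gaps, mapping): updates are (FID, (x, y), Sess or dummy string,
        df, ds) in random send order, gaps the exponential inter-send delays in seconds,
        mapping the (IDA, FIDA, (FID1, ..., FIDk-1)) tuple sent to the social network server.
        """
        if uid not in self.user_info:
            raise PermissionError("user is not authenticated at this tower")
        if math.dist(xy, self.center) > self.radius:
            raise ValueError("reported location is outside this tower's coverage")
        if len(self.fake_id_pool) < k:               # periodic refill, done lazily here
            self.head = fill_fake_id_pool(self.fake_id_pool, self.head, self.salt, 64)
        fids = [self.fake_id_pool.pop() for _ in range(k)]   # a fake ID is never reused
        fid_a = self.rng.choice(fids)
        info = self.user_info[uid]
        info["fid"] = fid_a
        mapping = (uid, fid_a, tuple(f for f in fids if f != fid_a))
        updates = [(fid_a, tuple(xy), sess_ct, info["df"], info["ds"])]
        for fid in mapping[2]:
            dummy_xy = random_point_in_coverage(self.center, self.radius, self.rng)
            dummy_str = bytes(self.rng.getrandbits(8) for _ in range(len(sess_ct)))  # same length as Sess
            updates.append((fid, dummy_xy, dummy_str,
                            self.rng.choice(DUMMY_THRESHOLDS), self.rng.choice(DUMMY_THRESHOLDS)))
        self.rng.shuffle(updates)                                          # random order ...
        gaps = [self.rng.expovariate(1.0 / mean_gap_s) for _ in updates]   # ... random spacing
        return updates, gaps, mapping

def demo(seed=7):
    # Constructed run: one tower, one authenticated user A about 160 m from the tower.
    rng = random.Random(seed)
    tower = CellularTower("tower-1", (0.0, 0.0), 1500.0, hashlib.sha256(b"salt").digest(), rng)
    tower.on_auth_ok("A", df=MILE, ds=0.5 * MILE)
    sess_ct = b"SessA(x,y) placeholder ct"      # stands in for A's AES-encrypted coordinates
    return tower, tower.anonymize_update("A", (100.0, 120.0), sess_ct)
```

demo() returns the tower and the (updates, gaps, mapping) triple. The location server receives k updates of identical shape and order-independent timing; only the holder of the mapping, which goes to the social network server, can tell which FID is A's. The dummy string is padded to the same length as SessA(x,y) because a length difference would otherwise single out the real update.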
Table View – location (figure)
Querying Friends’ Locations (message sequence)
• query(IDA, ’f’, ‘1mi’)
• forward(IDA, ’f’, ‘1mi’, SecKeyLoc(CIDC, seq))
• create `FIDlist` by looking up `fake ID`; FIDlist consists of the fake IDs (real and dummies) of all A’s friends
• query(FIDA, ’f’, FIDlist, ’1mi’, SecKeyLoc(CIDC, seq))
• access control
• SecKeyc((FIDi, Sessi(xi,yi))…, seq)
• (SecKeyc((FIDi, Sessi(xi,yi))…, seq), mapping entries); each mapping entry is of the form (FIDj, IDj)
• decrypt location entries: ((IDi, Sessi(xi,yi)), (IDj, Sessj(xj,yj))…)
Querying Strangers’ Locations (message sequence)
• query(IDA, ’s’, ‘1mi’)
• forward(’s’, ‘1mi’, SecKeyLoc(FIDA, CIDC, seq))
• forward
• looks up `region`
• (SecKeyc((FIDi,(xi,yi)), (FIDj,(xj,yj))…, seq), FIDlist); the n nearby fake IDs are mixed with (k−1)n fake IDs picked at random from the location update database, so FIDlist consists of the n nearby fake IDs mixed with the (k−1)n randomly selected fake IDs
• (SecKeyc((FIDi,(xi,yi)), (FIDj,(xj,yj))…, seq), mapping entries); each mapping entry is of the form (FIDj, IDj, dsj)
• decrypt location entries and double check: ((IDi,(xi,yi)), (IDj,(xj,yj))…)
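The friend and stranger query paths from the two query slides, with the location server's access control (range and df/ds thresholds), the social network server's mapping entries, and the client's decryption and double check, as an added Python example that is not code from the paper or its authors. Assumptions made here: the SecKeyLoc/SecKeyc tower-layer encryption and the seq counter are omitted; Sess_i(x,y) is modelled by a labelled toy keystream cipher with a tag rather than the paper's 128-bit AES; the `fake ID` table carries an is_real flag so that mapping entries are returned only for real fake IDs; and all class and function names, the planar metre coordinates and the sample users are constructed.

```python
import hashlib
import json
import math
import random

K = 5            # anonymity level used in the paper's experiments
MILE = 1609.34   # metres; all coordinates below are constructed planar metres

# Stand-in for Sess_i(x, y): SHA-256 keystream XOR plus a short tag. Models only the data
# flow; the paper uses 128-bit AES, and this toy must not be reused anywhere.
def _keystream(key, n):
    blocks = (hashlib.sha256(key + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def sess_encrypt(key, xy):
    pt = json.dumps(list(xy)).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hashlib.sha256(key + pt).digest()[:8]   # tag: a corrupted entry is rejected

def sess_decrypt(key, blob):
    ct, tag = blob[:-8], blob[-8:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return tuple(json.loads(pt)) if hashlib.sha256(key + pt).digest()[:8] == tag else None

class LocationServer:
    # Sees only fake IDs: plaintext (x, y) for range checks, Sess(x, y) for friends, df and ds.
    def __init__(self, db):
        self.db = db
    def friend_query(self, fid_a, fid_list, range_m):
        # access control: inside the query range AND inside the owner's friend threshold df
        here = self.db[fid_a]["xy"]
        return [(fid, self.db[fid]["sess_ct"]) for fid in fid_list if fid in self.db
                and math.dist(here, self.db[fid]["xy"]) <= min(range_m, self.db[fid]["df"])]
    def stranger_query(self, fid_a, range_m, k, rng):
        # the n nearby entries permitted by ds; FIDlist hides them among (k-1)n random fake IDs
        here = self.db[fid_a]["xy"]
        nearby = [(fid, e["xy"]) for fid, e in self.db.items()
                  if fid != fid_a and math.dist(here, e["xy"]) <= min(range_m, e["ds"])]
        near = {fid for fid, _ in nearby}
        others = [fid for fid in self.db if fid != fid_a and fid not in near]
        fid_list = list(near) + rng.sample(others, min((k - 1) * len(near), len(others)))
        rng.shuffle(fid_list)
        return nearby, fid_list

class SocialNetworkServer:
    # Holds identities and the `fake ID` table (fake ID -> (owner, ds, is_real)); no coordinates.
    def __init__(self, fake_id_table, friends):
        self.fake_id, self.friends = fake_id_table, friends
    def fid_list_for_friends(self, uid):
        # real and dummy fake IDs of every friend, so the location server cannot tell them apart
        return [fid for fid, (owner, _, _) in self.fake_id.items() if owner in self.friends[uid]]
    def mapping_for(self, fid_list):
        # mapping entries (FIDj, IDj, dsj), returned only for the real fake IDs in the list
        return {fid: self.fake_id[fid][:2] for fid in fid_list
                if fid in self.fake_id and self.fake_id[fid][2]}

def client_friend_results(entries, mapping, session_keys):
    # map fake IDs back to friends and decrypt with the friend's shared session key
    return {mapping[fid][0]: xy for fid, blob in entries if fid in mapping
            and (xy := sess_decrypt(session_keys[mapping[fid][0]], blob)) is not None}

def client_stranger_results(entries, mapping, here):
    # double check against dsj from the mapping entry instead of trusting the location server
    return {mapping[fid][0]: tuple(xy) for fid, xy in entries
            if fid in mapping and math.dist(here, xy) <= mapping[fid][1]}

def build_sample(rng):
    # Constructed state: A at the origin, friends B/C/D, strangers E/F, K-1 dummies for each.
    keys = {u: hashlib.sha256(b"sess-" + u.encode()).digest() for u in "ABCDEF"}
    people = {  # ID: (real fake ID, (x, y), df, ds)
        "A": ("fidA", (0, 0), MILE, MILE),
        "B": ("fidB", (800, 0), MILE, 0),      # friend in range whose df allows 1 mi
        "C": ("fidC", (3000, 0), MILE, MILE),  # friend beyond the 1 mi query
        "D": ("fidD", (500, 0), 300, 0),       # friend whose df (300 m) excludes A
        "E": ("fidE", (0, 600), 0, MILE),      # stranger sharing with strangers within 1 mi
        "F": ("fidF", (0, 700), 0, 0)}         # stranger with ds = 0
    db, table = {}, {}
    for uid, (fid, xy, df, ds) in people.items():
        db[fid] = {"xy": xy, "sess_ct": sess_encrypt(keys[uid], xy), "df": df, "ds": ds}
        table[fid] = (uid, ds, True)
        for i in range(K - 1):   # dummies: random spot, random bytes instead of Sess, same df/ds
            db[f"dummy-{uid}-{i}"] = {"xy": (rng.uniform(-2000, 2000), rng.uniform(-2000, 2000)),
                                      "sess_ct": bytes(rng.getrandbits(8) for _ in range(24)),
                                      "df": df, "ds": ds}
            table[f"dummy-{uid}-{i}"] = (uid, ds, False)
    return LocationServer(db), SocialNetworkServer(table, {"A": {"B", "C", "D"}}), keys

def demo(seed=1):
    # A queries friends, then strangers, within 1 mile; returns what A learns and the list sizes.
    rng = random.Random(seed)
    loc, sns, keys = build_sample(rng)
    fid_list = sns.fid_list_for_friends("A")
    friends = client_friend_results(loc.friend_query("fidA", fid_list, MILE),
                                    sns.mapping_for(fid_list), keys)
    nearby, s_list = loc.stranger_query("fidA", MILE, K, rng)
    strangers = client_stranger_results(nearby, sns.mapping_for(s_list), (0, 0))
    return friends, strangers, len(nearby), len(s_list)
```

In the constructed sample, A learns B's location (in range, df permits) but not C's (out of range) or D's (df of 300 m excludes A), and among strangers only E (ds permits) and not F (ds = 0). The location server never sees an identity and the social network server never sees a coordinate; the stranger FIDlist handed to the social network server is k times larger than the set of nearby entries, so it cannot tell which fake IDs are actually near A.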
Experiment and Evaluation
Experimental Setup • Cellular tower: emulated by a laptop • the smartphone communicates with the laptop through Verizon’s 3G data service • Social network server: deployed on a third-party cloud hosting service provided by Joyent Cloud • Location server: deployed on a third-party cloud hosting service provided by Linode
Experimental Setup (cont.) • Client: implemented in Java on a MOTOROLA DROID 2 Global smartphone • the size of the executable is 252KB • memory footprint of 12MB when running • A data set consisting of 48,014 users and the social network topology among them is used as the social network sample
Client Interface (figure)
Experiment • The anonymity level k is set to 5 • 128-bit AES is used for symmetric key encryption and decryption • The client is set to update its location every 30 seconds, and to query the locations of friends or nearby strangers every 1 minute
Experiment Results • Low overhead of the client • a client only consumes 1.5% of the battery power, with an average CPU utilization of 0.3% • Low overhead incurred by our scheme on the cellular towers • with 1000 connecting users, the cellular tower service only uses 4.1% of the CPU power and 91MB of memory
Conclusion • MobiShare supports the features of location sharing in real-world mOSNs: • querying locations within a certain range • user-defined access control • no change to the existing OSNs’ architectures • the adversary cannot link a precise location to an identified user