
Location Privacy in Wireless Networks

Location Privacy in Wireless Networks. Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security. Outline. Introduction Preserving Privacy Encryption and Access Control Anonymization Example: Mix Zone Model Authorized-Anonymous-ID. What’s the Problem?.


Presentation Transcript


  1. Location Privacy in Wireless Networks Xiuzhen Cheng CS/GWU 388 – Wireless and Mobile Security

  2. Outline • Introduction • Preserving Privacy • Encryption and Access Control • Anonymization • Example: • Mix Zone Model • Authorized-Anonymous-ID

  3. What’s the Problem? Need to protect the location privacy of mobile users

  4. Getting Location Information • Direct: • Mechanical: FaroArm, Boom3C, Active Floor, InertiaCube • Magnetic: Polhemus, Pinger • Radio: GPS, GSM, RFID, WiFi, Ubisense • Acoustic: Active Bat, Dolphin, Cricket • IR: Active Badge, Phicons, Locust Swarm • Visual: TRIP, ARToolkit, Cybercode • Indirect: • ATMs, credit cards, loyalty cards, toll booths

  5. Getting Location Information II • There is no perfect location system • Applications must accept some trade-offs: • inside-out versus outside-in • tagged versus tagless • static error: spatial & angular distortion, creep • dynamic error: latency, update rate, Doppler shift • other: size, weight, robustness, power, coverage area, cost...

  6. Representing Location Information

  7. Example: Active Bat system

  8. Example: Underwater Positioning Scheme

  9. Outline • Introduction • Preserving Privacy • Encryption and Access Control • Anonymization • Example: • Mix Zone Model • Authorized-Anonymous-ID

  10. What is Privacy

  11. Technological Privacy Measures

  12. What Is Location Privacy

  13. Access Control vs. Anonymisation

  14. Static Pseudonyms Do Not Work

  15. Dynamically Changing Pseudonyms

  16. Outline • Introduction • Preserving Privacy • Encryption and Access Control • Anonymisation • Example: • Authorized-Anonymous-ID • Mix Zone Model

  17. Authorized-Anonymous-ID A Mechanism for Personal Control over Mobile Location Privacy By Dapeng Wu • Motivation of location privacy protection • Centralized architecture for location privacy protection • Authorized-Anonymous-ID scheme • Related work • Conclusion

  18. Centralized Architecture for Location Privacy Control Preferences • This architecture for location privacy control was designed and experimented on the 802.11-based Wireless Andrew network at CMU

  19. Drawbacks of Centralized Architecture • The location privacy of mobile users is not completely under their own control • The central server is a single point of failure • The centralized architecture is not scalable • Solution: use a distributed architecture (not trivial)

  20. Why Is Location Privacy Protection under a Distributed Architecture Not Trivial? • Administration requires all users to provide information for authentication • Users can be easily identified by the administration • Mobile users would prefer not to expose any information that would enable anyone, including the administration, to get clues regarding their whereabouts • Dilemma

  21. Basic Idea • Key idea: replace the real ID by authorized-anonymous-ID • Authorized-anonymous-ID created by blind signature • Authorized-anonymous-ID used as the key for packet authentication

  22. Contributions • Studied the problem of protecting location privacy of mobile users in the setting of ubiquitous computing • Proposed an authorized-anonymous-ID based scheme. • Authorized-anonymous-ID is created by blind signature • Designed an architecture that is able to provide the mobile users with complete control over their location privacy while yet allowing the administration to authenticate the legitimate mobile users.

  23. A Sketch of Ubiquitous Computing • A ubiquitous computing environment should be formed by a powerful infrastructure that is highly available, cost effective, and sufficiently scalable to support millions of users and low-power mobile devices. [Figure labels: Internet, Data Repository, Gateway, IEEE 802 etc., infrared, PAN (Personal Area Network), PTCB (Personal Trusted Computing Base), Mobile Device]

  24. An Agent-based Approach • Administrator (A): is an agent that acts on behalf of the administration to authenticate legitimate users and grant them access to the wireless infrastructure. • Rover (R): is an agent running at PTCB and acts on behalf of the owner of the mobile device. • Manager (M): is an agent running at home PC and can be delegated to act on behalf of the mobile user. • Connector (C): is an agent running at an access point and is delegated by the Administrator agent to authenticate mobile devices. • Lookup (L): is an optional agent providing look-up service

  25. Agent-based system architecture • Registration Protocol • Controlled Connection Protocol • Location Query/Response Protocol [Figure: agents L, M, A, R and C, the Internet user and Wireless Andrew, with links numbered 1 to 3]

  26. Blind Signature • A provider wants his message to be signed by a signer but does not want the signer to know the content of the message • Blind Signature • Ballot Voting • Protocol • Signer owns two functions: S (private) and S⁻¹ (public) • Provider owns blinding functions C and C⁻¹: both are private; C⁻¹(S(C(x))) = S(x); it is impossible to infer x from C(x) and S(x) • Redundancy checking function r, which is Boolean; its input is S⁻¹(S(x)) • Features • Everyone can validate S(x) by r(S⁻¹(S(x))) • Provider’s message is blind to the signer: no linkage between S(x) and S(C(x)) • Provider cannot spoof the signer: can’t create S(y) without knowing S
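
The exchange on slide 26, as an added example that is not part of the original slides: S, S⁻¹, C, C⁻¹ and r are instantiated with textbook RSA and a hash-based redundancy check, neither of which the slide names. The key (two Mersenne primes), the 16-byte ID length and the `encode`/`issue_id` helpers are assumptions made for the demonstration.

```python
import hashlib
import secrets
from math import gcd

# Demo-only RSA key from two Mersenne primes (constructed; real keys use random primes).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's private exponent
ID_LEN = 16                          # bytes in the anonymous ID (assumed size)

def encode(anon_id: bytes) -> int:
    """x = id || SHA-256(id); the hash is the redundancy that r checks."""
    return int.from_bytes(anon_id + hashlib.sha256(anon_id).digest(), "big")

def r(x: int) -> bool:
    """Redundancy check: True only if x has the id || hash structure."""
    if x >= 1 << (8 * (ID_LEN + 32)):
        return False
    raw = x.to_bytes(ID_LEN + 32, "big")
    return hashlib.sha256(raw[:ID_LEN]).digest() == raw[ID_LEN:]

def S(m: int) -> int:               # signer only (private)
    return pow(m, D, N)

def S_inv(s: int) -> int:           # anyone (public)
    return pow(s, E, N)

def C(x: int, k: int) -> int:       # provider blinds x with secret factor k
    return (x * pow(k, E, N)) % N

def C_inv(s: int, k: int) -> int:   # provider strips k from the signed value
    return (s * pow(k, -1, N)) % N

def issue_id():
    """Run the exchange; return (x, what the signer saw, final signature)."""
    x = encode(secrets.token_bytes(ID_LEN))
    k = secrets.randbelow(N - 2) + 2
    while gcd(k, N) != 1:
        k = secrets.randbelow(N - 2) + 2
    blinded = C(x, k)                # sent to the signer, who learns nothing of x
    sig = C_inv(S(blinded), k)       # signer returns S(C(x)); provider unblinds
    return x, blinded, sig

if __name__ == "__main__":
    x, blinded, sig = issue_id()
    print("C^-1(S(C(x))) == S(x):", sig == S(x))
    print("r(S^-1(S(x))):", r(S_inv(sig)))
```

The redundancy check is what stops a provider from presenting an arbitrary number as a signature: a value that was not produced by S recovers to something without the id || hash structure and fails r.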

  27. Notations A mobile user, identified by her public key. The corresponding private key is held by her Rover running in her PTCB and Manager in home-PC of PAN. Rover of mobile user U. Manager of mobile user U. Public key of X. Private key of X. Encrypt m by using symmetric crypto-system with a key shared by x and y Decrypt c by using symmetric crypto-system with a key shared by x and y One-way hash function with input x. Encrypt m by using asymmetric cryptosystem with the public key of x. Decrypt a cipher c with the public key of x. Random numbers. Acknowledgement for the last received message.

  28. Registration Protocol The manager does not know the linkage between c1 and id due to r0

  29. Controlled Connection Protocol Access Control Packet Authentication

  30. Re-confusion Protocol I am requesting a new authorized-anonymous-id

  31. Access Authorization Revocation • A periodically expires and changes its own keys for access authorization • Time-Stamp the authorized-anonymous-id • Unique time stamp?

  32. Untraceable Routing Infrastructure • Frequent communication between a home computer and a mobile device could be another factor exposing the linkage • Untraceable routing infrastructure [1] [1] M. Reed, P. Syverson, and D. Goldschlag, Anonymous connections and onion routing, JSAC, Vol. 16 (4), pp. 482-, 1998.

  33. Mixed Zones: Threat Model • Increase privacy for outside-in loc. sys. and shared apps. • Users subscribe to trusted location middleware • Users register interest in specific applications • Applications are untrusted and are provided with pseudonymised location information in restricted “application zones” (All apps are viewed as one global hostile observer) • Mix zones are areas outside application zones, where no application can trace user movements • Attacker wants to track long-term user movement and therefore find complex home locations to identify users

  34. The Mix Zone • Mix zones are areas not in app. zones • Change user pseudonyms: • stateless: between every location event given to app. • session state: between every visit to an app. zone • fixed state: same pseudonym for each user per app. zone

  35. What Does An Attacker See? How to determine the anonymity level?

  36. Taking user movement into account • Anonymity set does not account for: – correlation between ingress and egress positions – time taken to cross the mix zone • A user movement model is required: – Use historical data from nearby app. zones and build a movement matrix – Use analytical model of human movement [Helbing et al. 2000]

  37. An Attacker’s Information and Goal • An attacker can observe the times, coordinates, and pseudonyms of all the ingress and egress events • His goal is to reconstruct the correct mapping between all the ingress events and egress events • Equivalent to discovering the mapping between new and old pseudonyms (how many mappings?) • Can be viewed as a weighted bi-partite graph, where vertices model ingress and egress pseudonyms and edge weights model the probability of two pseudonyms representing the same person
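
An added example, not from the original slides, for a designer who wants to measure how much anonymity a mix zone gives against the observer of slides 35 to 37: it enumerates all n! ingress-to-egress mappings of the weighted bipartite graph and reports the Shannon entropy of the resulting distribution. Using entropy as the anonymity level is an assumption here (the transcript does not preserve the slides' own metric), and both weight matrices are constructed sample data.

```python
from itertools import permutations
from math import log2, prod

def matching_distribution(w):
    """w[i][j]: probability that ingress pseudonym i left as egress pseudonym j
    (for example, taken from a movement matrix). Returns a dict mapping each
    perfect matching (a permutation) to its normalised probability."""
    n = len(w)
    scores = {p: prod(w[i][p[i]] for i in range(n))
              for p in permutations(range(n))}
    total = sum(scores.values())
    return {p: s / total for p, s in scores.items() if s > 0}

def anonymity_bits(w):
    """Entropy of the whole mapping: 0 bits means the mapping is certain."""
    return -sum(q * log2(q) for q in matching_distribution(w).values())

def per_user_bits(w, i):
    """Entropy of where ingress pseudonym i reappeared (marginal over matchings)."""
    marginal = [0.0] * len(w)
    for p, q in matching_distribution(w).items():
        marginal[p[i]] += q
    return -sum(m * log2(m) for m in marginal if m > 0)

def most_likely_mapping(w):
    dist = matching_distribution(w)
    return max(dist, key=dist.get)

# Constructed sample data: three users cross the zone.
UNIFORM = [[1 / 3] * 3 for _ in range(3)]   # movement gives no hint
SKEWED = [[0.90, 0.05, 0.05],               # users mostly walk straight through
          [0.05, 0.90, 0.05],
          [0.05, 0.05, 0.90]]

if __name__ == "__main__":
    for name, w in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(name, round(anonymity_bits(w), 3), "bits; best guess",
              most_likely_mapping(w))
```

With the uniform matrix the three users get the full log2(3!) bits; with the skewed one the anonymity set is still three users, yet less than a tenth of a bit remains, which is the gap slide 36 warns about.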

  38. Quick Bi-Partite Graph Introduction

  39. Viewing the mix zone as a bipartite graph I

  40. Viewing the mix zone as a bipartite graph II

  41. Viewing the mix zone as a bipartite graph III

  42. Real-time user anonymity

  43. Mix Zone Conclusions
