Safety and Privacy in Mobile Services
Qianhong Wu, Agusti Solanas and Josep Domingo-Ferrer
{qianhong.wu, agusti.solanas, josep.domingo}@urv.cat
Universitat Rovira i Virgili, Catalonia

Outline
• Safety and privacy in
  • Vehicular ad hoc networks (VANETs)
  • Location based services (LBSs)
  • RFID
Introduction to VANETs
• The IEEE 802.11p task group
  • Dedicated Short Range Communications (DSRC)
  • Supports communications between vehicles and roadside infrastructure
• Car manufacturers and telecommunication industries
  • Gear up to equip each car with devices known as On-Board Units (OBUs)
• The European Union
  • A batch of projects to give cars the ability to communicate wirelessly with the road and among themselves
  • Those developing car- and road-communication systems will begin testing their wares at six sites in Europe
  • Experts expect the technologies to begin commercial deployment as soon as 2011
  • http://www.spectrum.ieee.org/oct08/6792

Introduction to VANETs
• The motivation of VANETs is to improve
  • Public safety
  • Traffic efficiency
  • Driver assistance
  • Transportation regulation
• The preconditions include
  • Messages from vehicles are trustworthy
  • Vehicles are cooperative
  • No malicious deviation
Security concerns in VANETs
• Safety concerns: compromising the trustworthiness of communications
  • Producing false messages
  • Generating messages by impersonation
  • Tampering with messages
  • Jeopardizing VANETs by message flooding (not further considered here)
• Privacy concerns
  • Identity privacy
  • Driving profile
  • Location privacy
  • Linking location and identity

Countermeasures for securing VANETs
• A posteriori countermeasures
  • Punitive action against vehicles that have been proven to have originated fraudulent messages
  • We must have means to identify malicious vehicles in order to take punitive action
  • Privacy is usually provided in existing solutions
    • A pseudonym mechanism
    • Group signatures
    • A trusted third party can open the identities of dishonest vehicles

Countermeasures for securing VANETs
• A priori countermeasures
  • Prevent the generation of fraudulent messages
  • A message is trusted if it is endorsed by many vehicles
  • Assume most vehicles are honest
  • Privacy is rarely provided in existing solutions
    • Messages from different vehicles must be distinguishable
    • This may imply that anonymity is difficult
    • Some schemes adopt a special technique to achieve anonymity, but then anonymity cannot be revoked
On existing privacy-preserving VANET solutions
• A posteriori countermeasures alone are not sufficient
  • Taking strict punitive action can deter some rational attacks
  • Taking strict punitive action cannot prevent damage
  • Taking strict punitive action cannot prevent irrational attacks

On existing privacy-preserving VANET solutions
• Existing solutions with a priori countermeasures rely on assumptions that are too strong:
  • There is a majority of honest vehicles in any case
    • What happens at a site where organized criminals are present?
  • There is a universally suitable threshold
    • How to find such a universally suitable threshold?
    • Does the threshold depend on vehicle density?
    • Does the threshold depend on message significance?
    • Does the threshold depend on message urgency?
    • …

On existing privacy-preserving VANET solutions
• Privacy is not very compatible with existing solutions
  • Some schemes do not provide good privacy
    • Driving patterns can be extracted
  • The Sybil attack is possible for schemes with anonymity
  • Generating fraudulent messages is possible for privacy-preserving schemes without revocability
Towards a combination of a priori and a posteriori countermeasures
• Security goals of the new design
  • Flexible threshold authentication
    • A vehicle can verify whether a received message has been endorsed by at least t vehicles
    • The threshold t can change dynamically according to the VANET context
  • Privacy preservation
    • An attacker cannot trace the vehicles generating messages
  • Identity revocability
    • Trusted parties can trace the vehicles generating fraudulent messages

Our new privacy-preserving VANET solution
• Message m is trusted if endorsed by t_m vehicles
  • t_m is changeable according to m
  • Tampered messages can be identified
  • A priori countermeasures
• Privacy is provided
  • The message generator is anonymous
  • A third party can trace the message generators
  • Vehicles producing fraudulent messages can be punished
  • A posteriori countermeasures
• Fast message verification techniques are provided to improve efficiency
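The following is an added illustration of the flexible threshold check described on the two slides above; it is not code from the talk or from the authors' scheme. Endorsements are modelled as HMAC tags under per-vehicle keys held by the verifier, which is a stand-in (an assumption of this example) for the signature and group-signature mechanisms the slides refer to; the key table, message classes and thresholds are constructed sample values. The point it demonstrates is the verifier's side: only endorsements that verify on the exact message count, each vehicle counts once however many times it repeats itself, and the threshold t_m is derived from the message class and a context factor rather than being fixed.

```python
"""Added example: context-dependent threshold endorsement verification.

Not the authors' construction. HMAC under per-vehicle keys stands in for
signatures; in a deployed scheme the verifier would check certified
pseudonymous signatures instead of holding shared keys.
"""
import hashlib
import hmac

# Constructed sample key table: pseudonym -> endorsement key (assumption).
VEHICLE_KEYS = {
    "pseudo-A": b"constructed-key-A",
    "pseudo-B": b"constructed-key-B",
    "pseudo-C": b"constructed-key-C",
    "pseudo-D": b"constructed-key-D",
}

# Base threshold per message class: more significant messages need more
# endorsers. Sample values, not taken from the talk.
BASE_THRESHOLDS = {"traffic-jam": 2, "icy-road": 3, "accident": 4}
DEFAULT_THRESHOLD = 3


def build_message(msg_class: str, payload: bytes) -> bytes:
    """Bind the class to the payload so an endorsement for one class
    cannot be replayed as an endorsement for another."""
    return msg_class.encode() + b"|" + payload


def endorse(pseudonym: str, message: bytes):
    """A vehicle's endorsement of `message`: (pseudonym, tag)."""
    tag = hmac.new(VEHICLE_KEYS[pseudonym], message, hashlib.sha256).hexdigest()
    return pseudonym, tag


def verify_endorsement(message: bytes, endorsement) -> bool:
    """True iff the tag verifies under a known pseudonym's key."""
    pseudonym, tag = endorsement
    key = VEHICLE_KEYS.get(pseudonym)
    if key is None:
        return False
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def threshold_for(msg_class: str, density_factor: float = 1.0) -> int:
    """t_m: base threshold scaled by a context factor (e.g. vehicle
    density), never below one endorser."""
    base = BASE_THRESHOLDS.get(msg_class, DEFAULT_THRESHOLD)
    return max(1, round(base * density_factor))


def is_trusted(msg_class: str, payload: bytes, endorsements, density_factor: float = 1.0):
    """Return (accepted, number_of_distinct_valid_endorsers).

    Distinct pseudonyms only: a single vehicle repeating its endorsement
    does not bring the count closer to t_m.
    """
    message = build_message(msg_class, payload)
    valid = {p for (p, tag) in endorsements if verify_endorsement(message, (p, tag))}
    return len(valid) >= threshold_for(msg_class, density_factor), len(valid)


if __name__ == "__main__":
    msg = build_message("icy-road", b"km 42")
    ends = [endorse(p, msg) for p in ("pseudo-A", "pseudo-B", "pseudo-C")]
    print(is_trusted("icy-road", b"km 42", ends))        # (True, 3)
    print(is_trusted("icy-road", b"km 43", ends))        # (False, 0): tampered payload
    print(is_trusted("icy-road", b"km 42", ends[:1] * 3))  # (False, 1): one vehicle, repeated
```

The density factor is where the slides' open questions (does the threshold depend on density, significance, urgency?) are parameterised: the verifier can lower t_m on a sparse road and raise it for high-impact classes without changing how endorsements are checked.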
Introduction to LBSs
• A service that is offered to users based on their locations
• A convergence of technologies
• Popular examples
  • Providing nearby points of interest based on the real-time location of the mobile user
  • Advice on current conditions such as traffic and weather
  • Personalized dating services
  • Personalized delivery
  • Location-aware and context-sensitive advertising based on mobile user profiles and preferences
  • Providing routing and tracking information

Privacy threats in LBSs
• LBSs provide great convenience and flexibility for users
• To obtain a service, the user submits her (identity, location, query) to the service provider
• A malicious provider, or an attacker compromising the provider's database, can track users anytime and anywhere
• A malicious user can track other users

Countermeasures in LBSs
• Privacy-policy-based approach
• Pseudonym approach
• k-Anonymity
  • An anonymizer cloaks each user with k-1 other users into a less accurate location
• Cryptographic approach: private information retrieval
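As an added example of the k-anonymity countermeasure on the slide above (not code from the talk), here is a minimal TTP-based anonymizer: it holds the current positions of its users and, for a request, replaces the requester's exact point with the bounding box of the requester and her k-1 nearest users, then forwards only the region and the query. User names and coordinates are constructed sample data; the neighbour selection (Euclidean nearest neighbours, axis-aligned box) is one simple choice, not the specific algorithm of any cited scheme.

```python
"""Added example: trusted-anonymizer k-anonymity location cloaking.

The anonymizer replaces (identity, point, query) with (region, query),
where the region contains at least k users.
"""
from math import hypot

# Constructed positions (x, y) in arbitrary units; not real data.
USERS = {
    "alice": (1.0, 1.0),
    "bob": (1.5, 1.2),
    "carl": (4.0, 4.0),
    "dana": (1.2, 0.4),
    "eve": (6.0, 1.0),
}


def cloak(user, k, positions=USERS):
    """Axis-aligned rectangle ((xmin, ymin), (xmax, ymax)) covering `user`
    and her k-1 nearest neighbours. Returns None when fewer than k users
    are known: the anonymizer refuses rather than send a weaker region."""
    if k < 1 or k > len(positions) or user not in positions:
        return None
    ux, uy = positions[user]
    ranked = sorted(positions, key=lambda n: hypot(positions[n][0] - ux, positions[n][1] - uy))
    group = ranked[:k]  # the requester is first (distance 0)
    xs = [positions[n][0] for n in group]
    ys = [positions[n][1] for n in group]
    return (min(xs), min(ys)), (max(xs), max(ys))


def users_in_region(region, positions=USERS):
    """Which users fall inside a region; the provider learns a set,
    not a single point."""
    (xmin, ymin), (xmax, ymax) = region
    return sorted(n for n, (x, y) in positions.items() if xmin <= x <= xmax and ymin <= y <= ymax)


def anonymize_request(user, k, query, positions=USERS):
    """What the provider receives: no identity and a region instead of a
    point. None means the anonymizer could not meet the k requirement."""
    region = cloak(user, k, positions)
    if region is None:
        return None
    return {"region": region, "query": query}


if __name__ == "__main__":
    req = anonymize_request("alice", 3, "Where is the closest pharmacy?")
    print(req)
    print(users_in_region(req["region"]))  # at least 3 users inside
```

The region always holds at least k users, which is the k-anonymity guarantee; it does not by itself address the a priori knowledge problem discussed on the following slides, since the provider still sees which points of interest the region contains and can combine that with what it knows about the people inside it.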
Privacy risks in existing privacy-preserving LBSs
• Too strong a trust assumption
  • The policy-based solution assumes that the provider is willing and able to protect the user's privacy
  • In the TTP-based k-anonymity solution, the trust moves from the provider to the anonymizer
  • In the P2P-based k-anonymity solution, each user has to fully trust the other users in an ad hoc group

Privacy risks in existing privacy-preserving LBSs
• Privacy risks from the attacker's a priori knowledge: a mini example
  • Users: Alice, Bob, Carl; Provider: Devil
  • Anonymizer: Trustee
  • Request: (Fakename1, Fakename2, Fakename3; Cloaked region; Where is the closest restaurant? Where is the closest pharmacy? Where is the closest bus stop?)

Privacy risks in existing privacy-preserving LBSs
• Privacy risks from the attacker's a priori knowledge: a mini example
  • Points of interest in the cloaked region: one women's hospital, one gymnasium, one funeral parlor and one restaurant
  • A priori knowledge: Alice is a girl. Bob is a sportsman. Carl is a man
  • Inference:
    • Alice is now in the women's hospital and will go to a pharmacy
    • Bob is now in the gymnasium and may go to the restaurant in that cloaked region
    • Carl is now in the restaurant and is leaving for a bus stop

Privacy risks in existing privacy-preserving LBSs
• Privacy risks from the privacy-preserving techniques themselves
  • Location cloaking in k-anonymity: the cloaked location is larger, so more answers are returned, including more information than requested => privacy risks for the provider and other users
  • PIR: same situation as above
• Larger k, more privacy?
  • Choosing a larger k => caring more about privacy => revealing identity information about the user?
  • Larger k => more people in the cloaked region => a better chance for a terrorist to produce more fear?
  • Smaller k => a better chance for a robber not to be witnessed?
Our new privacy-preserving LBS solution
• It achieves the following:
  • Full anonymity
  • k cloaked location-query pairs such that
    • An attacker cannot physically monitor two POIs in the cloaked location
    • Cloaked queries do not provide useful information to the provider
    • The effects of the provider's a priori knowledge are minimized
  • A user can only learn the requested answer
    • The privacy of the provider is considered
  • No requirement to modify the underlying LBS database organization or its query processing procedure
  • Reasonable performance
RFIDs
• RFID technology is evolving fast
• The number of RFID tags is rapidly growing
• There is a need for scalable protocols
  • Manage thousands of tags simultaneously
  • And securely

Hash-lock approach
• The RFID reader must store a growing number of tag IDs
• This approach does not scale properly

Collaboration-based solution
• Readers cooperate to distribute the tag IDs so that the whole system can scale correctly with the number of tags
Main references
• [RPH06] M. Raya, P. Papadimitratos and J.-P. Hubaux. Securing vehicular communications. IEEE Wireless Communications Magazine, vol. 13, no. 5, pp. 8-15, 2006.
• [RPAJ07] M. Raya, P. Papadimitratos, I. Aad, D. Jungels and J.-P. Hubaux. Eviction of misbehaving and faulty nodes in vehicular networks. IEEE Journal on Selected Areas in Communications, vol. 25, no. 8, pp. 1557-1568, 2007.
• [LSHS07] X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A secure and privacy preserving protocol for vehicular communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, 2007.
• [GGS04] P. Golle, D. Greene and J. Staddon. Detecting and correcting malicious data in VANETs. In Proceedings of the 1st ACM International Workshop on Vehicular Ad Hoc Networks, pp. 29-37, 2004.
• [PP05] B. Parno and A. Perrig. Challenges in securing vehicular networks. In Proceedings of the ACM Workshop on Hot Topics in Networks, 2005.

Main references
• [RAH06] M. Raya, A. Aziz and J.-P. Hubaux. Efficient secure aggregation in VANETs. In Proceedings of the 3rd International Workshop on Vehicular Ad Hoc Networks (VANET 06), pp. 67-75, 2006.
• [DDSV08] V. Daza, J. Domingo-Ferrer, F. Sebe and A. Viejo. Trustworthy privacy preserving car-generated announcements in vehicular ad hoc networks. IEEE Transactions on Vehicular Technology, accepted, July 2008.
• [WD08] Q. Wu, J. Domingo-Ferrer and U. Gonzalez. Trustworthiness, Safety and Privacy in Vehicle-to-Vehicle Communications. Manuscript in preparation, 2008.
• [DW08] J. Domingo-Ferrer and Q. Wu. Invited talk: Safety and Privacy in Vehicular Communications. PiLBA'08, pp. 6-11. To appear in LNCS, Springer-Verlag, 2008.
• [WD08] Q. Wu, A. Solanas, J. Castella-Roca and J. Domingo-Ferrer. Formal Privacy in Location Based Services: Beyond k-Anonymity. Manuscript in preparation, 2008.

Main references
• [SAV08] H. Shin, V. Atluri and J. Vaidya. A Profile Anonymization Model for Privacy in a Personalized Location Based Service Environment. The Ninth International Conference on Mobile Data Management, pp. 73-80. IEEE Computer Society, 2008.
• [SM08] A. Solanas and A. Martínez-Ballesté. A TTP-Free Protocol for Location Privacy in Location-Based Services. Computer Communications, vol. 31, pp. 1181-1191, April 2008. ISSN: 0140-3664.
• [GL08] B. Gedik and L. Liu. Protecting location privacy with personalized k-anonymity: architecture and algorithms. IEEE Transactions on Mobile Computing, vol. 7, no. 1, pp. 1-18, 2008.
• [SMDD07] A. Solanas, A. Martínez-Ballesté, J. Domingo-Ferrer and V. Daza. A distributed architecture for scalable private RFID tag identification. Computer Networks, 51(9):2268-2279, June 2007. (1) Advances in Smart Cards and (2) Topics in Wireless Broadband Systems. Elsevier. ISSN: 1389-1286.

Main references
• [SC08] A. Solanas and J. Castellà-Roca. RFID technology for the health care sector. Recent Patents on Electrical Engineering, 1(1):22-31, January 2008. Bentham Science Publishers. ISSN: 1874-4761. Inaugural issue.
• [SM08] A. Solanas and J. Manjón. RFID Security: Techniques, Protocols and System-On-Chip Design (Paris Kitsos and Yan Zhang, eds.), chapter: RFID Readers Deployment for Scalable Identification of Private Tags. Springer-Verlag, 2008. ISBN: 978-0-38776-480-1.