Location Privacy in Wireless Networks
Xiuzhen Cheng
CS/GWU
388 – Wireless and Mobile Security
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymization
• Example:
– Mix Zone Model
– Authorized-Anonymous-ID
What’s the Problem?
Need to protect the location privacy of mobile users
Getting Location Information
• Direct:
– Mechanical: FaroArm, Boom3C, Active Floor, InertiaCube
– Magnetic: Polhemus, Pinger
– Radio: GPS, GSM, RFID, WiFi, Ubisense
– Acoustic: Active Bat, Dolphin, Cricket
– IR: Active Badge, Phicons, Locust Swarm
– Visual: TRIP, ARToolkit, Cybercode
• Indirect:
– ATMs, credit cards, loyalty cards, toll booths
Getting Location Information II
• There does not exist a perfect location system
• Applications must accept some trade-offs:
– inside-out versus outside-in
– tagged versus tagless
– static error: spatial & angular distortion, creep
– dynamic error: latency, update rate, Doppler shift
– other: size, weight, robustness, power, coverage area, cost . . .
Representing Location Information
Example: Active Bat system
Example: Underwater Positioning Scheme
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymization
• Example:
– Mix Zone Model
– Authorized-Anonymous-ID
What is Privacy
Technological Privacy Measures
What Is Location Privacy
Access Control vs. Anonymisation
Static Pseudonyms Do Not Work
Dynamically Changing Pseudonyms
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymisation
• Example:
– Authorized-Anonymous-ID
– Mix Zone Model
Authorized-Anonymous-ID
• Motivation of location privacy protection
• Centralized architecture for location privacy protection
• Authorized-Anonymous-ID scheme
• Related work
• Conclusion
A Mechanism for Personal Control over Mobile Location Privacy
By Dapeng Wu
Centralized Architecture for Location Privacy Control
(Figure: architecture diagram; one of its components is labelled Preferences.)
This architecture for location privacy control was designed and experimented on the 802.11-based Wireless Andrew network at CMU.
Drawbacks of Centralized Architecture
• The location privacy of mobile users is not completely under their own control
• The central server is a single point of failure
• The centralized architecture is not scalable.
Solution: use distributed architecture
Not trivial
Why Is Location Privacy Protection under a Distributed Architecture Not Trivial?
• Administration requires all users to provide information for authentication
– Users can be easily identified by the admin
• Mobile users would prefer not to expose any of their information which would enable anyone, including the administration, to get clues regarding their whereabouts.
Dilemma
Basic Idea
• Key idea: replace the real ID by authorized-anonymous-ID
• Authorized-anonymous-ID created by blind signature
• Authorized-anonymous-ID used as the key for packet authentication
Contributions
• Studied the problem of protecting location privacy of mobile users in the setting of ubiquitous computing
• Proposed an authorized-anonymous-ID based scheme
• Authorized-anonymous-ID is created by blind signature
• Designed an architecture that is able to provide the mobile users with complete control over their location privacy while yet allowing the administration to authenticate the legitimate mobile users.
A Sketch of Ubiquitous Computing
(Figure: sketch of a ubiquitous computing environment; components are labelled Mobile Device, PTCB (Personal Trusted Computing Base), PAN (Personal Area Network), Gateway, Data Repository and Internet, with infrared and IEEE 802, etc. links between them.)
A ubiquitous computing environment should be formed by a powerful infrastructure that is highly available, cost effective, and sufficiently scalable to support millions of users and low-power mobile devices.
An Agent-based Approach
• Administrator (A): is an agent that acts on behalf of the administration to authenticate legitimate users and grant them access to the wireless infrastructure.
• Rover (R): is an agent running at PTCB and acts on behalf of the owner of the mobile device.
• Manager (M): is an agent running at home PC and can be delegated to act on behalf of the mobile user.
• Connector (C): is an agent running at an access point and is delegated by the Administrator agent to authenticate mobile devices.
• Lookup (L): is an optional agent providing a look-up service.
Agent-based system architecture
(Figure: the agents M, R, C, L and A, an Internet user, and the Wireless Andrew network, with the numbered message flows below drawn between them.)
1 Registration Protocol
2 Controlled Connection Protocol
3 Location Query/Response Protocol
Blind Signature
• A provider wants his message to be signed by a signer but does not want the signer to know the content of the message
• Blind Signature
– Ballot Voting
– Protocol
• Signer owns two functions: S (private) and S^-1 (public)
• Provider owns blind functions C and C^-1: both are private; C^-1(S(C(x))) = S(x); it is impossible to infer x from C(x) and S(x)
• Redundancy checking function r, which is Boolean; its input is S(x)
– Features
• Everyone can validate S(x) by r(S^-1(S(x)))
• Provider’s message is blind to the signer: no linkage between S(x) and S(C(x))
• Provider cannot spoof the signer: can’t create S(y) without knowing S
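An added worked example of the blind-signature round trip described on this slide (not code from the slides or from Wu’s paper): RSA plays the role of S / S^-1, a multiplicative blinding factor plays C / C^-1, and a hypothetical id-plus-hash-tag layout is the redundancy rule r. The RSA parameters are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy RSA parameters: far too small for real use, chosen so the
# arithmetic is easy to follow. P and Q are primes, E the public exponent.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's private exponent, never leaves the signer
ID_BITS, TAG_BITS = 20, 16          # hypothetical message layout: id || tag

def redundancy_tag(anon_id: int) -> int:
    """Hypothetical redundancy rule: a 16-bit SHA-256 prefix of the id."""
    digest = hashlib.sha256(anon_id.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")

def make_message(anon_id: int) -> int:
    """Provider builds x = id || tag; for 20-bit ids x < 2**36 < N."""
    return (anon_id << TAG_BITS) | redundancy_tag(anon_id)

def r(y: int) -> bool:
    """Redundancy check r: True iff y has the expected id || tag structure."""
    anon_id, tag = y >> TAG_BITS, y & ((1 << TAG_BITS) - 1)
    return anon_id < (1 << ID_BITS) and tag == redundancy_tag(anon_id)

def S(x: int) -> int:       # signer's private function: RSA signing
    return pow(x, D, N)

def S_inv(y: int) -> int:   # signer's public function: RSA verification
    return pow(y, E, N)

def blind(x: int):
    """Provider's C: multiply x by k**E for a secret random k; returns (C(x), k)."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        try:
            pow(k, -1, N)           # k must be invertible mod N
        except ValueError:
            continue
        return (x * pow(k, E, N)) % N, k

def unblind(s_cx: int, k: int) -> int:
    """Provider's C^-1: (x*k^E)^D * k^-1 = x^D * k * k^-1 = S(x) mod N."""
    return (s_cx * pow(k, -1, N)) % N

def issue_anonymous_id(anon_id: int):
    """Full round trip. The signer only ever sees c_x and emits s_cx."""
    x = make_message(anon_id)
    c_x, k = blind(x)       # provider -> signer: C(x)
    s_cx = S(c_x)           # signer -> provider: S(C(x))
    s_x = unblind(s_cx, k)  # provider now holds S(x), the authorized-anonymous-ID
    return x, c_x, s_cx, s_x

def validate(s_x: int) -> bool:
    """Anyone holding the public function can check r(S^-1(S(x)))."""
    return r(S_inv(s_x))
```

The values the signer records (c_x, s_cx) differ from the pair (x, S(x)) the provider later presents, which is the "no linkage" property the slide states.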
Notations
U: A mobile user, identified by her public key. The corresponding private key is held by her Rover running in her PTCB and by her Manager in the home PC of her PAN.
R_U: Rover of mobile user U.
M_U: Manager of mobile user U.
E_X: Public key of X.
D_X: Private key of X.
K_xy(m): Encrypt m using a symmetric cryptosystem with a key shared by x and y.
K^-1_xy(c): Decrypt c using a symmetric cryptosystem with a key shared by x and y.
H(x): One-way hash function with input x.
E_x(m): Encrypt m using an asymmetric cryptosystem with the public key of x.
D_x(c): Decrypt a cipher c with the public key of x.
r0, r1: Random numbers.
ack: Acknowledgement for the last received message.
Registration Protocol
The manager does not know the linkage between c1 and id due to r0
Controlled Connection Protocol
Access Control
Packet Authentication
Re-confusion Protocol
I am requesting a new authorized-anonymous-id
Access Authorization Revocation
• A periodically expires and changes its own keys for access authorization
• Time-stamp the authorized-anonymous-id
– Unique time stamp?
Untraceable Routing Infrastructure
• Frequent communication between a home computer and a mobile device could be another factor exposing the linkage
– Untraceable routing infrastructure [1]
[1] M. Reed, P. Syverson, and D. Goldschlag, Anonymous connections and onion routing, JSAC, Vol. 16 (4), pp. 482-, 1998.
Mix Zones: Threat Model
• Increase privacy for outside-in loc. sys. and shared apps.
• Users subscribe to trusted location middleware
• Users register interest in specific applications
• Applications are untrusted and are provided with pseudonymised location information in restricted “application zones” (all apps are viewed as one global hostile observer)
• Mix zones are areas outside application zones, where no application can trace user movements
• Attacker wants to track long-term user movement and therefore find complex home locations to identify users
The Mix Zone
• Mix zones are areas not in app. zones
• Change user pseudonyms:
– stateless: between every location event given to app.
– session state: between every visit to an app. zone
– fixed state: same pseudonym for each user per app. zone
What Does An Attacker See?
How to determine the anonymity level?
Taking user movement into account
• Anonymity set does not account for:
– correlation between ingress and egress positions
– time taken to cross the mix zone
• A user movement model is required:
– Use historical data from nearby app. zones and build a movement matrix
– Use analytical model of human movement [Helbing et al. 2000]
An Attacker’s Information and Goal
• An attacker can observe the times, coordinates, and pseudonyms of all the ingress and egress events
• His goal is to reconstruct the correct mapping between all the ingress events and egress events
– Equivalent to discovering the mapping between new and old pseudonyms (how many mappings?)
– Can be viewed as a weighted bi-partite graph, where vertices model ingress and egress pseudonyms and edge weights model the probability of two pseudonyms representing the same person
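To make the "how many mappings?" and "how to determine the anonymity level?" questions concrete, an added example (not code from the slides or from the mix zone paper): with a constructed movement matrix as the edge weights of the bipartite graph, it enumerates all n! ingress-to-egress mappings, normalises the weights into a probability distribution, and reports its Shannon entropy against the log2(n!) bits a perfectly mixing zone would give. The pseudonyms and probabilities are invented.

```python
from itertools import permutations
from math import factorial, log2

# Constructed sample (not measured data): three pseudonyms enter the mix zone
# and three leave it. MOVEMENT[i][o] is the probability, taken from a
# hypothetical movement matrix built from nearby app. zones, that someone
# entering at i leaves at o. Rows sum to 1.
INGRESS = ["in_a", "in_b", "in_c"]
EGRESS = ["out_x", "out_y", "out_z"]
MOVEMENT = {
    "in_a": {"out_x": 0.7, "out_y": 0.2, "out_z": 0.1},
    "in_b": {"out_x": 0.2, "out_y": 0.6, "out_z": 0.2},
    "in_c": {"out_x": 0.1, "out_y": 0.2, "out_z": 0.7},
}
UNIFORM = {i: {o: 1 / 3 for o in EGRESS} for i in INGRESS}  # perfect mixing

def mapping_distribution(ingress, egress, weights):
    """Every one-to-one ingress->egress mapping is a perfect matching of the
    bipartite graph; there are n! of them. Weight each by the product of its
    edge probabilities and normalise into a probability distribution."""
    dist = {}
    for perm in permutations(egress):
        w = 1.0
        for i, o in zip(ingress, perm):
            w *= weights[i][o]
        dist[tuple(zip(ingress, perm))] = w
    total = sum(dist.values())
    return {m: w / total for m, w in dist.items()}

def entropy_bits(dist):
    """Shannon entropy of the mapping distribution, in bits."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def anonymity_report(ingress, egress, weights):
    """Anonymity level of one mix-zone period: entropy of the mapping
    distribution versus the log2(n!) bits of a perfectly mixing zone."""
    dist = mapping_distribution(ingress, egress, weights)
    n = len(ingress)
    best = max(dist, key=dist.get)
    return {
        "mappings": len(dist),                    # n!
        "max_entropy_bits": log2(factorial(n)),   # every mapping equally likely
        "entropy_bits": entropy_bits(dist),
        "p_most_likely": dist[best],              # confidence the global observer could reach
    }
```

With the skewed sample matrix the zone yields about 1.06 of the possible 2.58 bits, which is the kind of gap a middleware operator would use to decide whether a mix zone is large enough; the uniform matrix reaches the full log2(3!) bits.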
Quick Bi-Partite Graph Introduction
Viewing the mix zone as a bipartite graph I
Viewing the mix zone as a bipartite graph II
Viewing the mix zone as a bipartite graph III
Real-time user anonymity
Mix Zone Conclusions