Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review...
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review...
![Page 1: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/1.jpg)
Electrical and Computer Engineering
GeoVault:Secure Location Tracking
Comprehensive Design Review
Nathan Franz
Emily Nelson
Thomas Petr
Shanka Wijesundara
Advisor: Prof. Burleson
![Page 2: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/2.jpg)
2Electrical and Computer Engineering
System Overview
GeoVault
EmailCell Phone Computer
3rd Party Server
Google Maps API
HTTPS HTTPS
Database
DatabaseDatabase
Access Controls
Resolution
OAuth
Map Queries
Map Queries
Notifications
Stored Location Data
Location Data
Location Data
Login Credentails
![Page 3: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/3.jpg)
3Electrical and Computer Engineering
Feedback From MDR
•Timing: Oracle vs. PostgreSQL
•Threat Analysis
•Security as a competitive advantage
![Page 4: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/4.jpg)
4Electrical and Computer Engineering
PostgreSQL
• Re-evaluated database choices• SQLite + SpatiaLite for self-hosted environment
– Extremely simple to setup
• PostgreSQL for production environment– Fast, easy to manage
• PostgreSQL is lighter-weight (faster) and provides all required features
• Insert 100,000 points across the USA– (average time per insert)
MySQL 5.1 26.258 ms
PostgreSQL 8.4 3.496 ms
Oracle 11g 199.670 ms
![Page 5: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/5.jpg)
5Electrical and Computer Engineering
GeoVault: Threat Risk
Threats Consequences Countermeasures
Integrity Inaccurate locations of users
Confusion, loss of trust, or worse (depending on application)
Encryption / Shared Secrets
Distributed Database
Confidentiality Users location is revealed
User privacy is compromised, susceptible to attack
Secret Sharing / MPC
Identity Verification
Timing Measures
Denial of Service
Botnet attack
Rapid checkins / logins
Inability to track users
Rate limiting
Authentication Spoofing, identity theft
User privacy is compromised
Identity Verification
Idle time logouts
Reject delay for login
*Stallings, William. Network Security Essentails: Applications and Standards. New Jersey: Pearson Prentice Hall, 2007.
![Page 6: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/6.jpg)
6Electrical and Computer Engineering
Other Systems: Threat Risk
Assets Vulnerabilities Defense Privacy issues
Google Latitude
•Location Data
•Friends Locations
•No Verification •Password/login
•Protection
•Approve Friends
•Limited access settings
Foursquare •Location Data
•Location Trends
•Friends Locations
•Create home/work location
•https
•Approve Friends
•Limited access settings
Gowalla •Location Data
•Location Trends
•Friends Locations
•Publishes location to the entire world
•Password/login
•Protection
•Approve Friends
•No access settings
Twitter •Location Data
•What you are doing
•Friends Locations
•Uneducated users
•3rd party services
•https
•OAuth
•Limited access settings
![Page 7: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/7.jpg)
7Electrical and Computer Engineering
Why GeoVault is More Secure
• Secure Distributed Database
• Location only available to those the user trusts [unlike: Gowalla]
• Varied resolution [unlike: Twitter, Foursquare, Google Latitude, Gowalla]
• Integrity (user cannot lie about where they are) [unlike: Google Latitude]
• Only current location displayed (no trends) [unlike: Twitter, Gowalla]
![Page 8: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/8.jpg)
8Electrical and Computer Engineering
Accuracy vs Permissions
• Handling geographic resolution • Permissions > Accuracy
– Contain accuracy circle in randomly placed permission circle
– Take into account (for FPR)• State Lines• Bodies of Water• Etc..
• Permissions < Accuracy– Expand permission radius to accuracy radius
![Page 9: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/9.jpg)
9Electrical and Computer Engineering
Accuracy vs Permissions
Accuracy
Permissions
![Page 10: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/10.jpg)
10Electrical and Computer Engineering
OAuth
GeoVault Twitter
Client
1. Get request token
2. Send request token
5. Exchange for access token
6. Get access token
3. Redirect to Twitter
4. Sign in and ask for GeoVault access
Grant 3rd party access to user information without sharing access permissions or full extent of data
![Page 11: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/11.jpg)
11Electrical and Computer Engineering
Distributed Database
• Securely and robustly store location data
• Prevents a single point of failure– Secret sharing is a form of
encryption
GeoVault
Node
Node
Node
Node
Node
Node
![Page 12: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/12.jpg)
12Electrical and Computer Engineering
Shamir’s Secret Sharing Scheme
(1, f(1)) = (1, 1494)
(2, f(2)) = (2, 1942)
(3, f(3)) = (3, 2578)
(4, f(4)) = (4, 3402)
(5, f(5)) = (5, 4414) GeoVault
Node 1 Node 2 Node 3 Node 4 Node 5
(1, 1494) (2, 1942) (3, 2578) (4, 3402) (5, 4414)f(x) = 94x2 + 166x + 1234
![Page 13: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/13.jpg)
13Electrical and Computer Engineering
Demo
![Page 14: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/14.jpg)
14Electrical and Computer Engineering
Milestones
Oct 26 PDR Specifications complete
Nov 9 Smart phone web client functional prototype
Dec 2 MDR Database configured / example of multiparty computation
Dec 21 Platform complete / server security/ OAuth
Jan 4 Web clients complete / security for hijacked devices (timing)
Jan 11 Platform input / output plugins complete
Jan 25 Bugfixes, Performance Testing
Feb 11 CDR Demo / show security and weakness in other systems / Threat Analysis
Mar 31 Political Boundaries/ Idle time logout/ Continued work with MPC/ Tweak backend/ Polish interface
Apr 5 FPR Project Complete
![Page 15: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/15.jpg)
15Electrical and Computer Engineering
Technical Roles
Past Tasks Future Tasks
Tom (CSE) Backend / MPC / Secret Sharing
Secret Sharing
Nate (EE) OAuth / Authentication Middleware
Authentication Middleware
Shanka (EE) Backend / Django Access Controls
Emily (CSE) Frontend / Threat Analysis
Adding Political Boundaries
![Page 16: Electrical and Computer Engineering GeoVault: Secure Location Tracking Comprehensive Design Review Nathan Franz Emily Nelson Thomas Petr Shanka Wijesundara.](https://reader034.fdocuments.in/reader034/viewer/2022051618/56649d3b5503460f94a1643f/html5/thumbnails/16.jpg)
16Electrical and Computer Engineering
Thank You
Questions?