Electrical and Computer Engineering GeoVault: Secure Location Tracking Final Project Review Nathan...
-
date post
21-Dec-2015 -
Category
Documents
-
view
217 -
download
1
Transcript of Electrical and Computer Engineering GeoVault: Secure Location Tracking Final Project Review Nathan...
Electrical and Computer Engineering
GeoVault:Secure Location Tracking
Final Project Review
Nathan Franz
Emily Nelson
Thomas Petr
Shanka Wijesundara
2Electrical and Computer Engineering
System Overview
GeoVault
EmailCell Phone Computer
3rd Party Server
Google Maps API
HTTPS HTTPS
Database
DatabaseDatabase
Access Controls
Resolution
OAuth
Map Queries
Map Queries
Notifications
Stored Location Data
Location Data
Location Data
Login Credentails
3Electrical and Computer Engineering
System Overview
• Location data is transmitted from either cell phone or computer to the GeoVault Server.
• The server is where the resolution and access settings are stored and can be applied to the updated location.
• The location is transmitted from the server to the distributed database and then to the specific node by secret sharing.
• The data can also be transmitted from the server to a third party via OAuth.
• Emails are sent from the server to the user via emial.• The users device directly interfaces with the google map
API to display their location on a map.
4Electrical and Computer Engineering
Feedback From CDR
• Network was complicated
– Lots of secret sharing
• Trying to cover military and civilian has too many conflicts
• Demo should include threats
• Limitations in existing system
5Electrical and Computer Engineering
Timing of Secret Sharing
• Not as fast as other encryption methods – Chosen because of its threshold scheme.
Threshold Time (us)
3 135
4 212
5 308
6 423
7 549
8 693
9 858
10 1054
6Electrical and Computer Engineering
Political Boundaries
• Used U.S. Census Data• Region selected by most overlapping area of accuracy circle• Able to see down to
– Country– State– County (Massachusetts only for now)– Town (Massachusetts only for now)
7Electrical and Computer Engineering
OAuth
• Tokens are used to grant a third party website temporary access to GeoVault.
• They regulate– What the third party has access to – How long they have access
GeoVault Twitter
OAuth
Location Data
8Electrical and Computer Engineering
Motivation for Attacks
Impersonation Snooping Denial of Service
CSRF
• Fool others to think a user is in different location
• Fool that users followers
• Obtaining information to blackmail/gain competitive advantage
• Tracking trends for marketing purposes
• Spouses spying on each other
• Denying service to GeoVault to encourage user to go to a similar website
• Trick user to update their location
• Update their website unknowingly, increase network traffic and thus advertising prices will go up
9Electrical and Computer Engineering
Attacks & Countermeasures
Snooping Impersonation CSRF Man in the Middle
Denial of Service
• Encryption
• Distributed
Database
• Secret
Sharing
• Idle Timeouts
• Difficult to
statistically
determine
position
• Idle Timeout
Delays
• Unrealistic
Travel Check
• Session Id
number
check
• HTTPS • CAPTCHA’s
• Failed login
attempt delay
10Electrical and Computer Engineering
Demo
11Electrical and Computer Engineering
Division of Labor
Emily (CSE) Frontend Implementation, Threat Modeling, Documentation
Tom (CSE) Multiparty Computation, Django, Backend implementation, Project Manager, OAuth
Nate (EE) HTML5, CAPTCHAs, Idle Time outs, Failed Login Delay, Update Delay, OAuth
Shanka (EE) Django, Backend Implementation, Political Boundaries, CSRF
12Electrical and Computer Engineering
Thank you!
GeoVault
EmailCell Phone Computer
3rd Party Server
Google Maps API
HTTPS HTTPS
Database
DatabaseDatabase
Access Controls
Resolution
OAuth
Map Queries
Map Queries
Notifications
Stored Location Data
Location Data
Location Data
Login Credentails
13Electrical and Computer Engineering
Snooping
Database
Database
Database
Encryption
Idle Timeouts
Distributed Database
Secret Sharing
Passwords
14Electrical and Computer Engineering
Impersonation
Idle Time Outs
Unrealistic Travel check
Passwords
15Electrical and Computer Engineering
DDOS
CAPTCHA’s
Failed Login Attempt Delay
Update Delay
16Electrical and Computer Engineering
Cross Site Request Forgery Protection
Session ID Verification
GeoVault
Malicious Website
17Electrical and Computer Engineering
Man in the Middle Attack
HTTPS