Location Privacy in Wireless Networks
Xiuzhen Cheng
CS/GWU
388 – Wireless and Mobile Security
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymization
• Example:
– Mix Zone Model
– Authorized-Anonymous-ID
What’s the Problem?
Need to protect the location privacy of mobile users
Getting Location Information
• Direct:
– Mechanical: FaroArm, Boom3C, Active Floor, InertiaCube
– Magnetic: Polhemus, Pinger
– Radio: GPS, GSM, RFID, WiFi, Ubisense
– Acoustic: Active Bat, Dolphin, Cricket
– IR: Active Badge, Phicons, Locust Swarm
– Visual: TRIP, ARToolkit, Cybercode
• Indirect:
– ATMs, credit cards, loyalty cards, toll booths
Getting Location Information II
• There does not exist a perfect location system
• Applications must accept some trade-offs:
– inside-out versus outside-in
– tagged versus tagless
– static error: spatial & angular distortion, creep
– dynamic error: latency, update rate, Doppler shift
– other: size, weight, robustness, power, coverage area, cost . . .
Representing Location Information
Example: Active Bat system
Example: Underwater Positioning Scheme
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymization
• Example:
– Mix Zone Model
– Authorized-Anonymous-ID
What is Privacy
Technological Privacy Measures
What Is Location Privacy
Access Control vs. Anonymisation
Static Pseudonyms Do Not Work
Dynamically Changing Pseudonyms
Outline
• Introduction
• Preserving Privacy
– Encryption and Access Control
– Anonymisation
• Example:
– Authorized-Anonymous-ID
– Mix Zone Model
Authorized-Anonymous-ID
• Motivation of location privacy protection
• Centralized architecture for location privacy protection
• Authorized-Anonymous-ID scheme
• Related work
• Conclusion
A Mechanism for Personal Control over Mobile Location Privacy
By Dapeng Wu
Centralized Architecture for Location Privacy Control
[Figure: centralized architecture for location privacy control, including a Preferences component]
This architecture for location privacy control was designed and experimented on the 802.11-based Wireless Andrew network at CMU.
Drawbacks of Centralized Architecture
• The location privacy of mobile users is not completely under their own control
• The central server is a single-failure-point
• The centralized architecture is not scalable.
Solution: use distributed architecture
Not trivial
Why is Location Privacy Protection under a Distributed Architecture Not Trivial?
• Administration requires all users to provide information for authentication
– Users can easily be identified by the admin
• Mobile users would prefer not to expose any of their information which would enable anyone, including the administration, to get clues regarding their whereabouts.
Dilemma
Basic Idea
• Key idea: replace the real ID by authorized-anonymous-ID
• Authorized-anonymous-ID created by blind signature
• Authorized-anonymous-ID used as the key for packet authentication
Contributions
• Studied the problem of protecting location privacy of mobile users in the setting of ubiquitous computing
• Proposed an authorized-anonymous-ID based scheme
• Authorized-anonymous-ID is created by blind signature
• Designed an architecture that is able to provide the mobile users with complete control over their location privacy while still allowing the administration to authenticate the legitimate mobile users
A Sketch of Ubiquitous Computing
[Figure: Gateway, Data Repository, PAN (Personal Area Network), Internet, infrared, IEEE 802, etc., PTCB (Personal Trusted Computing Base), Mobile Device]
A ubiquitous computing environment should be formed by a powerful infrastructure that is highly available, cost effective, and sufficiently scalable to support millions of users and low-power mobile devices.
An Agent-based Approach
• Administrator (A): is an agent that acts on behalf of the administration to authenticate legitimate users and grant them access to the wireless infrastructure.
• Rover (R): is an agent running at PTCB and acts on behalf of the owner of the mobile device.
• Manager (M): is an agent running at home PC and can be delegated to act on behalf of the mobile user.
• Connector (C): is an agent running at an access point and is delegated by the Administrator agent to authenticate mobile devices.
• Lookup (L): is an optional agent providing look-up service
Agent-based system architecture
[Figure: agents M, R, C, L and A, an Internet user, and the Wireless Andrew network, with numbered message flows]
1 Registration Protocol
2 Controlled Connection Protocol
3 Location Query/Response Protocol
Blind Signature
• A provider wants his message to be signed by a signer but does not want the signer to know the content of the message
• Blind Signature
– Ballot Voting
– Protocol
• Signer owns two functions: S (private) and S^-1 (public)
• Provider owns blind functions C and C^-1: both are private; C^-1(S(C(x))) = S(x); it is impossible to infer x from C(x) and S(x)
• Redundancy checking function r, which is Boolean; its input is S(x)
– Features
• Everyone can validate S(x) by r(S^-1(S(x)))
• Provider’s message is blind to the signer: no linkage between S(x) and S(C(x))
• Provider cannot spoof the signer: can’t create S(y) without knowing S
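The slide’s S, S^-1, C and C^-1 can be instantiated with RSA, which is how Chaum’s blind signature works: C multiplies the message by a random r raised to the public exponent, S is the private RSA operation, and C^-1 divides the blinding factor back out. The block below is an added example, not code from the paper or the lecture; the toy RSA primes, the 'A' redundancy marker and the id encoding are constructed assumptions.

```python
"""RSA blind signature in the slide's notation: S (signer's private op), S^-1
(public op), C / C^-1 (blind / unblind), r() (redundancy check).

Added example, not the paper's code.  The parameters are constructed toy values
and are far too small for real use."""
from __future__ import annotations

import secrets

# Constructed toy RSA parameters: p = 2^61 - 1 and q = 2^31 - 1 are both prime.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                          # public exponent (coprime to (p-1)(q-1))
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent: this is "S"

MARKER = 0x41  # assumed redundancy tag every valid authorized-anonymous-ID carries


def encode_id(id_num: int) -> int:
    """Build the message x: MARKER in the high bits, the id in the low 32 bits."""
    assert 0 <= id_num < (1 << 32)
    return (MARKER << 32) | id_num


def redundancy_ok(x: int) -> bool:
    """r(): True iff x carries the marker.  A random S(y) made without S will not."""
    return (x >> 32) == MARKER


def blind(x: int, r: int) -> int:
    """C(x) = x * r^e mod n: the signer only ever sees this random-looking value."""
    return (x * pow(r, E, N)) % N


def sign(y: int) -> int:
    """S(y) = y^d mod n: the signer's private operation on whatever it is handed."""
    return pow(y, D, N)


def unblind(z: int, r: int) -> int:
    """C^-1(z) = z * r^-1 mod n.  Since (x r^e)^d = x^d r, this yields S(x)."""
    return (z * pow(r, -1, N)) % N


def verify(sig: int) -> tuple[bool, int]:
    """S^-1 followed by r(): anyone with the public key recovers x and checks it."""
    x = pow(sig, E, N)
    return redundancy_ok(x), x


def issue_anonymous_id(id_num: int, r: int | None = None) -> dict:
    """Provider blinds, signer signs blindly, provider unblinds and verifies."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2   # blinding factor, known only to the provider
    x = encode_id(id_num)
    signer_saw = blind(x, r)               # C(x)
    blind_sig = sign(signer_saw)           # S(C(x))
    sig = unblind(blind_sig, r)            # S(x)
    ok, recovered = verify(sig)
    return {"x": x, "signer_saw": signer_saw, "signature": sig,
            "valid": ok, "recovered": recovered}


if __name__ == "__main__":
    res = issue_anonymous_id(42)
    print("signer saw:", res["signer_saw"])
    print("S(x):      ", res["signature"], "valid:", res["valid"])
    print("forgery check:", verify(123456789)[0])
```

Because the signer only ever sees C(x) and S(C(x)), and r is never revealed, it cannot match S(x) presented later to any signing request; the redundancy check is what stops a provider from passing off an arbitrary number as a signature.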
Notations
U: A mobile user, identified by her public key. The corresponding private key is held by her Rover running in her PTCB and Manager in the home PC of the PAN.
R_u: Rover of mobile user U.
M_u: Manager of mobile user U.
E_x: Public key of X.
D_x: Private key of X.
K_xy(m): Encrypt m using a symmetric cryptosystem with a key shared by x and y.
K_xy^-1(c): Decrypt c using a symmetric cryptosystem with a key shared by x and y.
H(x): One-way hash function with input x.
E_x(m): Encrypt m using an asymmetric cryptosystem with the public key of x.
D_x(c): Decrypt a cipher c with the public key of x.
r0, r1: Random numbers.
ack: Acknowledgement for the last received message.
Registration Protocol
The manager does not know the linkage between c1 and id due to r0
Controlled Connection Protocol
Access Control
Packet Authentication
Re-confusion Protocol
I am requesting a new authorized-anonymous-id
Access Authorization Revocation
• A periodically expires and changes its own keys for access authorization
• Time-Stamp the authorized-anonymous-id– Unique time stamp?
Untraceable Routing Infrastructure
• Frequent communication between a home computer and a mobile device could be another factor exposing the linkage– Untraceable routing infrastructure [1]
[1] M. Reed, P. Syverson, and D. Goldschlag, Anonymous connections and onion routing, JSAC, Vol. 16 (4), pp. 482-, 1998.
Mixed Zones: Threat Model
• Increase privacy for outside-in loc. sys. and shared apps.
• Users subscribe to trusted location middleware
• Users register interest in specific applications
• Applications are untrusted and are provided with pseudonymised location information in restricted “application zones” (all apps are viewed as one global hostile observer)
• Mix zones are areas outside application zones, where no application can trace user movements
• Attacker wants to track long-term user movement and therefore find complex home locations to identify users
The Mix Zone
• Mix zones are areas not in app. zones
• Change user pseudonyms:
– stateless: between every location event given to app.
– session state: between every visit to an app. zone
– fixed state: same pseudonym for each user per app. zone
What Does An Attacker See?
How to determine the anonymity level?
Taking user movement into account
• Anonymity set does not account for:
– correlation between ingress and egress positions
– time taken to cross the mix zone
• A user movement model is required:
– Use historical data from nearby app. zones and build a movement matrix
– Use analytical model of human movement [Helbing et al. 2000]
An Attacker’s Information and Goal
• An attacker can observe the times, coordinates, and pseudonyms of all the ingress and egress events
• His goal is to reconstruct the correct mapping between all the ingress events and egress events
– Equivalent to discovering the mapping between new and old pseudonyms (how many mappings?)
– Can be viewed as a weighted bi-partite graph, where vertices model ingress and egress pseudonyms and edge weights model the probability of two pseudonyms representing the same person
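The weighted bipartite graph above is also how a middleware operator measures the anonymity a mix zone actually provides: if the most probable ingress/egress matching is near-certain, the zone has not mixed anyone. The block below is an added example, not the Beresford and Stajano code; the ingress/egress events, the movement matrix standing in for historical data, and the crossing-time plausibility function are all constructed assumptions. It enumerates every perfect matching, turns the edge-weight products into a probability distribution over mappings, and reports the best mapping, its probability and the entropy of the distribution in bits (the naive anonymity-set size is returned alongside for comparison).

```python
"""Mix zone as a weighted bipartite graph: ingress pseudonyms on one side, egress
pseudonyms on the other, edge weight = how likely the two are the same user.

Added example; events, movement matrix and crossing-time model are constructed."""
from itertools import permutations
import math

# Constructed events: (pseudonym, boundary point, time in seconds)
INGRESS = [("a", "north", 0), ("b", "east", 1), ("c", "north", 2)]
EGRESS = [("X", "south", 5), ("Y", "west", 4), ("Z", "south", 7)]

# Constructed movement matrix standing in for historical data: P(exit | entry)
MOVEMENT = {
    "north": {"south": 0.8, "west": 0.2},
    "east": {"south": 0.3, "west": 0.7},
}


def crossing_plausibility(dt: float) -> float:
    """Assumed crossing-time model: a transit of 2..6 s is typical, anything else rare."""
    return 1.0 if 2 <= dt <= 6 else 0.1


def edge_weight(ingress, egress, movement) -> float:
    """Weight of the edge (ingress pseudonym -> egress pseudonym)."""
    _, entry, t_in = ingress
    _, exit_, t_out = egress
    if t_out <= t_in:
        return 0.0                       # nobody leaves before entering
    return movement[entry][exit_] * crossing_plausibility(t_out - t_in)


def mix_zone_analysis(ingress, egress, movement) -> dict:
    """Score every perfect matching and summarise what an observer could conclude."""
    n = len(ingress)
    assert n == len(egress), "example assumes everyone who entered has left"
    w = [[edge_weight(i, e, movement) for e in egress] for i in ingress]

    # Score of a mapping = product of its edge weights (independence assumed).
    scores = {}
    for perm in permutations(range(n)):
        s = 1.0
        for i, j in enumerate(perm):
            s *= w[i][j]
        scores[perm] = s
    total = sum(scores.values())
    probs = {perm: s / total for perm, s in scores.items()}

    best = max(probs, key=probs.get)
    entropy = -sum(p * math.log2(p) for p in probs.values() if p > 0)
    return {
        "anonymity_set": n,                               # the naive measure
        "best_mapping": {ingress[i][0]: egress[j][0] for i, j in enumerate(best)},
        "best_prob": probs[best],                         # observer's confidence
        "entropy_bits": entropy,                          # remaining uncertainty
        "max_entropy_bits": math.log2(math.factorial(n)), # perfect mixing bound
    }


if __name__ == "__main__":
    result = mix_zone_analysis(INGRESS, EGRESS, MOVEMENT)
    for k, v in result.items():
        print(f"{k}: {v}")
```

With these inputs the anonymity set is 3 and there are 3! = 6 candidate mappings (log2 6 ≈ 2.58 bits of uncertainty if the zone mixed perfectly), yet the movement and timing data push about 70% of the probability onto a single mapping and leave roughly 1.5 bits: the anonymity-set count overstates the protection, which is exactly the point of the two bullets above.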
Quick Bi-Partite Graph Introduction
Viewing the mix zone as a bipartite graph I
Viewing the mix zone as a bipartite graph II
Viewing the mix zone as a bipartite graph III
Real-time user anonymity
Mix Zone Conclusions