
Page 1: Location Privacy in Wireless Networks

Location Privacy in Wireless Networks

Xiuzhen Cheng

CS/GWU

388 – Wireless and Mobile Security

Page 2: Location Privacy in Wireless Networks

Outline

• Introduction

• Preserving Privacy
  – Encryption and Access Control
  – Anonymization

• Example:
  – Mix Zone Model
  – Authorized-Anonymous-ID

Page 3: Location Privacy in Wireless Networks

What’s the Problem?

Need to protect the location privacy of mobile users.

Page 4: Location Privacy in Wireless Networks

Getting Location Information

• Direct:
  – Mechanical: FaroArm, Boom3C, Active Floor, InertiaCube
  – Magnetic: Polhemus, Pinger
  – Radio: GPS, GSM, RFID, WiFi, Ubisense
  – Acoustic: Active Bat, Dolphin, Cricket
  – IR: Active Badge, Phicons, Locust Swarm
  – Visual: TRIP, ARToolkit, Cybercode

• Indirect (location revealed as a side effect of a transaction):
  – ATMs, credit cards, loyalty cards, toll booths

Page 5: Location Privacy in Wireless Networks

Getting Location Information II

• There does not exist a perfect location system
• Applications must accept some trade-offs:
  – inside-out versus outside-in (the device computes its own position, or the infrastructure tracks it; only the latter hands the infrastructure the user's location by construction)
  – tagged versus tagless
  – static error: spatial and angular distortion, creep
  – dynamic error: latency, update rate, Doppler shift
  – other: size, weight, robustness, power, coverage area, cost, …

Page 6: Location Privacy in Wireless Networks

Representing Location Information

Page 7: Location Privacy in Wireless Networks

Example: Active Bat system

Page 8: Location Privacy in Wireless Networks

Example: Underwater Positioning Scheme

Page 9: Location Privacy in Wireless Networks

Outline

• Introduction

• Preserving Privacy
  – Encryption and Access Control
  – Anonymization

• Example:
  – Mix Zone Model
  – Authorized-Anonymous-ID

Page 10: Location Privacy in Wireless Networks

What is Privacy

Page 11: Location Privacy in Wireless Networks

Technological Privacy Measures

Page 12: Location Privacy in Wireless Networks

What Is Location Privacy

Page 13: Location Privacy in Wireless Networks

Access Control vs. Anonymisation

Page 14: Location Privacy in Wireless Networks

Static Pseudonyms Do Not Work

Page 15: Location Privacy in Wireless Networks

Dynamically Changing Pseudonyms

Page 16: Location Privacy in Wireless Networks

Outline

• Introduction

• Preserving Privacy
  – Encryption and Access Control
  – Anonymization

• Example:
  – Authorized-Anonymous-ID
  – Mix Zone Model

Page 17: Location Privacy in Wireless Networks

Authorized-Anonymous-ID

• Motivation of location privacy protection
• Centralized architecture for location privacy protection
• Authorized-Anonymous-ID scheme
• Related work
• Conclusion

A Mechanism for Personal Control over Mobile Location Privacy

By Dapeng Wu

Page 18: Location Privacy in Wireless Networks

Centralized Architecture for Location Privacy Control

(Figure: centralized location privacy control server applying user preferences; not reproduced.)

This architecture for location privacy control was designed and experimented with on the 802.11-based Wireless Andrew network at CMU.

Page 19: Location Privacy in Wireless Networks

Drawbacks of Centralized Architecture

• The location privacy of mobile users is not completely under their own control

• The central server is a single point of failure

• The centralized architecture is not scalable

Solution: use a distributed architecture. This is not trivial.

Page 20: Location Privacy in Wireless Networks

Why Is Location Privacy Protection under a Distributed Architecture Not Trivial?

• The administration requires all users to provide information for authentication
  – Users can then be easily identified by the administrator

• Mobile users would prefer not to expose any information that would enable anyone, including the administration, to get clues regarding their whereabouts.

Dilemma: the administration needs to authenticate users, but authentication normally reveals who they are.

Page 21: Location Privacy in Wireless Networks

Basic Idea

• Key idea: replace the real ID by an authorized-anonymous-ID

• The authorized-anonymous-ID is created by a blind signature, so the administration authorizes it without learning which user holds it

• The authorized-anonymous-ID is used as the key for packet authentication

Page 22: Location Privacy in Wireless Networks

Contributions

• Studied the problem of protecting the location privacy of mobile users in the setting of ubiquitous computing

• Proposed an authorized-anonymous-ID based scheme
• The authorized-anonymous-ID is created by a blind signature
• Designed an architecture that provides mobile users with complete control over their location privacy while still allowing the administration to authenticate legitimate mobile users

Page 23: Location Privacy in Wireless Networks

A Sketch of Ubiquitous Computing

(Figure: a mobile device with its PTCB (Personal Trusted Computing Base) inside a PAN (Personal Area Network), connected over infrared, IEEE 802, etc. through a gateway to the Internet and a data repository; not reproduced.)

A ubiquitous computing environment should be formed by a powerful infrastructure that is highly available, cost effective, and sufficiently scalable to support millions of users and low-power mobile devices.

Page 24: Location Privacy in Wireless Networks

An Agent-based Approach

• Administrator (A): an agent that acts on behalf of the administration to authenticate legitimate users and grant them access to the wireless infrastructure.

• Rover (R): an agent running in the PTCB that acts on behalf of the owner of the mobile device.

• Manager (M): an agent running on the home PC that can be delegated to act on behalf of the mobile user.

• Connector (C): an agent running at an access point that is delegated by the Administrator agent to authenticate mobile devices.

• Lookup (L): an optional agent providing a look-up service.

Page 25: Location Privacy in Wireless Networks

Agent-based system architecture

(Figure: agents M, R, C, L and A, plus an Internet user, around the Wireless Andrew network; not reproduced.)

1 Registration Protocol
2 Controlled Connection Protocol
3 Location Query/Response Protocol

Page 26: Location Privacy in Wireless Networks

Blind Signature

• A provider wants his message to be signed by a signer but does not want the signer to know the content of the message
• Example application: ballot voting
• Protocol
  – Signer owns two functions: S (private) and S⁻¹ (public)
  – Provider owns blinding functions C and C⁻¹, both private, such that C⁻¹(S(C(x))) = S(x); x cannot be inferred from C(x), and S(C(x)) cannot be linked to S(x)
  – Redundancy-checking function r, which is Boolean; its input is the recovered message S⁻¹(S(x)) = x
• Features
  – Everyone can validate S(x) by checking r(S⁻¹(S(x)))
  – The provider’s message is blind to the signer: no linkage between S(x) and S(C(x))
  – The provider cannot spoof the signer: S(y) cannot be created without knowing S

Page 27: Location Privacy in Wireless Networks

Notations

U: a mobile user, identified by her public key. The corresponding private key is held by her Rover running in her PTCB and by her Manager on the home PC of her PAN.
R_U: Rover of mobile user U.
M_U: Manager of mobile user U.
E_X: public key of X.
D_X: private key of X.
K_xy(m): encrypt m with a symmetric cryptosystem under a key shared by x and y.
K_xy⁻¹(c): decrypt c with a symmetric cryptosystem under a key shared by x and y.
H(x): one-way hash function applied to x.
E_x(m): encrypt m with an asymmetric cryptosystem using the public key of x.
D_x(c): decrypt a ciphertext c with the private key of x.
r0, r1: random numbers.
ack: acknowledgement for the last received message.

Page 28: Location Privacy in Wireless Networks

Registration Protocol

The manager does not know the linkage between c1 and id due to r0
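The blind-signature mechanism of the Basic Idea and Blind Signature slides, and the role the random r0 plays in the registration step, as an added worked example. This is not code from the slides or from the cited paper: it instantiates S, S⁻¹, C and C⁻¹ with Chaum's RSA blind signature (an assumption; the slides do not fix the signature scheme), uses an id‖hash-tag layout as the redundancy predicate r (also an assumption), names the parties Rover, Administrator and Connector as in the agent model, and generates toy 512-bit RSA keys with no padding standard, which is fine for illustration and nothing else.

```python
"""Authorized-anonymous-ID minted with a Chaum-style RSA blind signature.

Roles as in the slides: the Rover (on the user's PTCB) is the provider,
the Administrator A is the signer, a Connector at an access point later
verifies.  In RSA terms S(x) = x^d mod n, S^-1(y) = y^e mod n,
C(x) = x * r0^e mod n for a secret random r0, C^-1(y) = y * r0^-1 mod n.
Toy RSA (assumed scheme, no padding standard): illustration only.
"""
import hashlib
import math
import secrets
from dataclasses import dataclass

ID_LEN = 16   # bytes of anonymous ID chosen by the user (assumed layout)
TAG_LEN = 8   # bytes of redundancy tag appended to it (assumed layout)


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test, used only for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class SignerKeys:
    n: int
    e: int   # public exponent: S^-1, known to everyone
    d: int   # private exponent: S, held by Administrator A only


def keygen(bits: int = 512) -> SignerKeys:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return SignerKeys(p * q, e, pow(e, -1, phi))


def encode_with_redundancy(anon_id: bytes) -> int:
    """x = anon_id || SHA-256(anon_id)[:TAG_LEN] as an integer (192 bits < n)."""
    if len(anon_id) != ID_LEN:
        raise ValueError("anonymous ID must be exactly ID_LEN bytes")
    return int.from_bytes(anon_id + hashlib.sha256(anon_id).digest()[:TAG_LEN], "big")


def redundancy_ok(x: int) -> bool:
    """r(x): True only for well-formed id||tag values; random values fail."""
    if x < 0 or x.bit_length() > 8 * (ID_LEN + TAG_LEN):
        return False
    raw = x.to_bytes(ID_LEN + TAG_LEN, "big")
    return hashlib.sha256(raw[:ID_LEN]).digest()[:TAG_LEN] == raw[ID_LEN:]


def rover_blind(x: int, keys: SignerKeys) -> tuple:
    """C(x): multiply by r0^e for a secret r0 coprime to n; returns (C(x), r0)."""
    while True:
        r0 = secrets.randbelow(keys.n - 2) + 2
        if math.gcd(r0, keys.n) == 1:
            return (x * pow(r0, keys.e, keys.n)) % keys.n, r0


def administrator_sign(blinded: int, keys: SignerKeys) -> int:
    """S(C(x)): A signs after authenticating the real user (out of band, not shown)."""
    return pow(blinded, keys.d, keys.n)


def rover_unblind(blind_sig: int, r0: int, keys: SignerKeys) -> int:
    """C^-1(S(C(x))) = S(x): strip the blinding factor."""
    return (blind_sig * pow(r0, -1, keys.n)) % keys.n


def verify(anon_id: bytes, sig: int, keys: SignerKeys) -> bool:
    """Connector side: r(S^-1(sig)) must hold and must recover the claimed ID."""
    x = pow(sig, keys.e, keys.n)
    return redundancy_ok(x) and x == encode_with_redundancy(anon_id)


def mint_authorized_anonymous_id(keys: SignerKeys) -> tuple:
    """Registration flow; returns (anon_id, signature, the value A saw)."""
    anon_id = secrets.token_bytes(ID_LEN)          # chosen by the user, never shown to A
    blinded, r0 = rover_blind(encode_with_redundancy(anon_id), keys)
    blind_sig = administrator_sign(blinded, keys)  # A learns only `blinded`
    return anon_id, rover_unblind(blind_sig, r0, keys), blinded


def forgery_passes(keys: SignerKeys) -> bool:
    """Without d a forger can only guess a signature; r() rejects the guess."""
    return redundancy_ok(pow(secrets.randbelow(keys.n), keys.e, keys.n))


if __name__ == "__main__":
    k = keygen()
    aid, sig, seen = mint_authorized_anonymous_id(k)
    print("verified:", verify(aid, sig, k), "| A saw the real x:", seen == encode_with_redundancy(aid))
```

The unblinded value equals what A would have produced by signing x directly, yet A only ever saw x·r0^e mod n, and every x is equally consistent with that value for some r0, which is the unlinkability the slides rely on. The redundancy predicate is what stops a forger from picking a random sig and presenting sig^e mod n as a "message": with no structure on x, every integer would be a validly signed ID.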

Page 29: Location Privacy in Wireless Networks

Controlled Connection Protocol

Access Control

Packet Authentication

Page 30: Location Privacy in Wireless Networks

Re-confusion Protocol

I am requesting a new authorized-anonymous-id

Page 31: Location Privacy in Wireless Networks

Access Authorization Revocation

• A periodically expires and changes its own keys for access authorization, so an authorized-anonymous-ID issued under an old key stops being accepted

• Time-stamp the authorized-anonymous-id
  – Unique time stamp? (A time stamp fine-grained enough to be unique would itself be a linkable identifier.)

Page 32: Location Privacy in Wireless Networks

Untraceable Routing Infrastructure

• Frequent communication between a home computer and a mobile device could be another factor exposing the linkage between them
  – Use an untraceable routing infrastructure [1]

[1] M. Reed, P. Syverson, and D. Goldschlag, “Anonymous connections and onion routing,” IEEE JSAC, vol. 16, no. 4, pp. 482–, 1998.

Page 33: Location Privacy in Wireless Networks

Mix Zones: Threat Model

• Increase privacy for outside-in location systems and shared applications
• Users subscribe to trusted location middleware
• Users register interest in specific applications
• Applications are untrusted and are provided with pseudonymised location information only in restricted “application zones” (all applications are viewed as one global hostile observer)

• Mix zones are areas outside application zones, where no application can trace user movements

• The attacker wants to track long-term user movement and thereby find home locations that identify users

Page 34: Location Privacy in Wireless Networks

The Mix Zone

• Mix zones are the areas not in application zones
• Change user pseudonyms:
  – stateless: between every location event given to an application
  – session state: between every visit to an application zone
  – fixed state: same pseudonym for each user per application zone

Page 35: Location Privacy in Wireless Networks

What Does An Attacker See?

How to determine the anonymity level?

Page 36: Location Privacy in Wireless Networks

Taking user movement into account

• Anonymity set does not account for:

– correlation between ingress and egress positions

– time taken to cross the mix zone

• A user movement model is required:

– Use historical data from nearby app. zones and build a movement matrix

– Use analytical model of human movement [Helbing et al. 2000]

Page 37: Location Privacy in Wireless Networks

An Attacker’s Information and Goal

• An attacker can observe the times, coordinates, and pseudonyms of all the ingress and egress events

• His goal is to reconstruct the correct mapping between all the ingress events and egress events
  – Equivalent to discovering the mapping between new and old pseudonyms (with n users in the zone there are n! candidate mappings)
  – Can be viewed as a weighted bipartite graph, where vertices model ingress and egress pseudonyms and edge weights model the probability of two pseudonyms representing the same person
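The linking attack of the last two slides (movement model plus weighted bipartite graph), as an added simulation that is not code from the slides or from the mix-zone paper. Everything numeric here is constructed for the example: the movement matrix TRANSITION, the boundary distances, the walking speed, the Gaussian crossing-time model, and the ingress/egress events. The anonymity measure, the entropy of the normalised weights over all n! perfect matchings, is one way to put a number on "how well mixed" the zone is; the slides ask the question but do not fix the measure.

```python
"""Linking attack on a mix zone, as a small simulation.

The attacker is the global hostile observer formed by all application
zones: it sees every ingress event (old pseudonym, time, boundary point)
and every egress event (new pseudonym, time, boundary point) and wants
the bijection between them.  Candidate pairs form a weighted bipartite
graph; here the edge weight is
    P(egress point | ingress point) * P(transit time | path)
under an assumed movement model, and anonymity is the entropy of the
normalised weights over all n! perfect matchings.  Model and events are
constructed for this example.
"""
import itertools
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pseudonym: str   # old pseudonym on ingress, new pseudonym on egress
    t: float         # seconds since start of observation
    point: str       # boundary point of the mix zone: "N", "E", "S", "W"


# Assumed movement matrix P(leave via column | entered via row), the kind the
# slides suggest building from historical data of nearby application zones.
TRANSITION = {
    "N": {"S": 0.7, "E": 0.2, "W": 0.1},
    "E": {"W": 0.6, "N": 0.3, "S": 0.1},
    "W": {"E": 0.5, "N": 0.4, "S": 0.1},
    "S": {"N": 0.7, "E": 0.15, "W": 0.15},
}
# Assumed walking distances (m) between boundary points and walking speed.
DISTANCE = {
    frozenset({"N", "S"}): 40.0, frozenset({"E", "W"}): 45.0,
    frozenset({"N", "E"}): 25.0, frozenset({"N", "W"}): 25.0,
    frozenset({"S", "E"}): 35.0, frozenset({"S", "W"}): 35.0,
}
SPEED = 1.4   # m/s
SIGMA = 5.0   # s, spread of crossing times around the expected value


def _gauss(x: float, mean: float, sigma: float) -> float:
    return math.exp(-0.5 * ((x - mean) / sigma) ** 2) / (sigma * math.sqrt(2 * math.pi))


def edge_weight(entry: Event, exit_: Event) -> float:
    """Likelihood that `entry` and `exit_` are the same person."""
    if exit_.t <= entry.t:
        return 0.0                                   # cannot leave before entering
    p_path = TRANSITION[entry.point].get(exit_.point, 0.0)
    if p_path == 0.0:
        return 0.0
    expected = DISTANCE[frozenset({entry.point, exit_.point})] / SPEED
    return p_path * _gauss(exit_.t - entry.t, expected, SIGMA)


def matching_distribution(ingress, egress):
    """Probability of every feasible perfect matching, normalised over all n!.

    Keys are tuples of (old_pseudonym, new_pseudonym) pairs.
    """
    if len(ingress) != len(egress):
        raise ValueError("mix zone must be balanced: one egress per ingress")
    weights = {}
    for perm in itertools.permutations(egress):
        w = 1.0
        for entry, exit_ in zip(ingress, perm):
            w *= edge_weight(entry, exit_)
            if w == 0.0:
                break
        if w > 0.0:
            weights[tuple((a.pseudonym, b.pseudonym) for a, b in zip(ingress, perm))] = w
    total = sum(weights.values())
    if total == 0.0:
        raise ValueError("no feasible matching under the movement model")
    return {k: v / total for k, v in weights.items()}


def anonymity(ingress, egress):
    """(entropy in bits, attacker's best matching, probability it is right)."""
    dist = matching_distribution(ingress, egress)
    entropy = -sum(p * math.log2(p) for p in dist.values())
    best = max(dist, key=dist.get)
    return entropy, best, dist[best]


# Constructed observations.  Scenario A: three users with distinct entry
# points and timings; the movement model links them almost surely.
INGRESS_A = [Event("p1", 0.0, "N"), Event("p2", 2.0, "E"), Event("p3", 5.0, "W")]
EGRESS_A = [Event("q1", 31.0, "S"), Event("q2", 28.0, "W"), Event("q3", 40.0, "E")]

# Scenario B: two users enter together at N and leave together at S; the
# attacker is left guessing between the two matchings (about one bit).
INGRESS_B = [Event("p1", 0.0, "N"), Event("p2", 1.0, "N")]
EGRESS_B = [Event("q1", 29.0, "S"), Event("q2", 30.0, "S")]

if __name__ == "__main__":
    for name, ins, outs in (("A", INGRESS_A, EGRESS_A), ("B", INGRESS_B, EGRESS_B)):
        h, best, p = anonymity(ins, outs)
        print(f"scenario {name}: entropy={h:.3f} bits, best guess={best} (p={p:.3f})")
```

Scenario A shows why "anonymity set size = 3" overstates the protection: once ingress/egress correlation and crossing time are modelled, the attacker's best matching is right with probability above 0.99. Scenario B is what a mix zone needs to achieve, several users whose movements are indistinguishable under the model. Enumerating permutations is only viable for small n; for larger zones the same edge weights feed a maximum-weight bipartite matching (the attacker's best guess) and sampling or approximation for the entropy.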

Page 38: Location Privacy in Wireless Networks

Quick Bi-Partite Graph Introduction

Page 39: Location Privacy in Wireless Networks

Viewing the mix zone as a bipartite graph I

Page 40: Location Privacy in Wireless Networks

Viewing the mix zone as a bipartite graph II

Page 41: Location Privacy in Wireless Networks

Viewing the mix zone as a bipartite graph III

Page 42: Location Privacy in Wireless Networks

Real-time user anonymity

Page 43: Location Privacy in Wireless Networks

Mix Zone Conclusions