Upload
quinta
View
67
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Mobile Networks - Module H2 Privacy in Mobile Networks. P rivacy notions and metrics L ocation privacy P rivacy preserving routing in ad hoc networks. The Lives of Others, 2006. Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection” . - PowerPoint PPT Presentation
Citation preview
Mobile Networks - Module H2 Privacy in Mobile Networks
Privacy notions and metricsLocation privacyPrivacy preserving routing in ad hoc networks
Slides adapted from “Security and Cooperation in Wireless Networks, Chapter 8: Privacy Protection”
The Lives of Others, 2006
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 2/37
Chapter outline
8.1 Important privacy related notions and metrics8.2 Location privacy8.3 Privacy preserving routing in ad-hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 3/37
Privacy related notions Anonymity: hiding who performed a given action
Untraceability: making difficult for an adversary to identify that a given set of actions were performed by the same subject
Unlinkability: generalization of the two former notions: hiding information about the relationships between any item
Unobservability: hiding of the items themselves (e.g., hide the fact that a message was sent)
Pseudonymity: making use of a pseudonym instead of the real identity 8.1 Important privacy related notions
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 4/37
Privacy metrics (1/3)The adversary tries to de-anonymize an observed action
Anonymity set: set of subjects that might have performed the action– Is a good measure only if all the members of the set are equally
likely to have performed the observed action
Entropy-based measure of anonymity:
8.1 Important privacy related notions
.log
where is the anonymity set is the probability (for the adversary)
that the observed action has been performed by subject
x xx A
x
p p
Ap
x A
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 5/37
Privacy metrics (2/3)The adversary tries to link elements
Entropy-based measure for unlinkability:
8.1 Important privacy related notions
1 2
1 2
R
1 2
.log
where and are the sets of items that the adversary wants to relate is the probability (for the adversary) that the real relationship
between the elements in and in is ca
R RR I I
p p
I Ip
I I
1 2ptured by relation R I I
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 6/37
Privacy metrics (3/3)The adversary runs an inference attack
Entropy-based measure for certainty:
where is the set of possible values for a given attribute is the probability (for the adversary) that the value of the attribute is for a given user
Expected error-based measure for correctness:
8.1 Important privacy related notions
−∑𝑣∈𝑉
𝑝𝑣 log𝑝𝑣
How focused is the estimate on a value? Entropy
How accurate is the estimate?Confidence intervals
How close is the estimate to the true value? Expected error
∑𝑣∈𝑉
𝑝𝑣×𝑑 (𝑣 ,𝑣0)
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 7/37
Chapter outline
8.1 Important privacy related notions and metrics8.2 Location privacy8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 8/37
Location privacy
8.2 Location privacy in vehicular networks
The contextual information attached to a trace tells much about our habits, interests, activities, and relationships
A location trace is not only a set of positions on a map
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 9/37
A first example: Vehicular networks
Variable Message Sign
Terrestrial BroadcastRDS, DAB
UMTS GSM
Beacon• CALM-IR• CALM-M5• DSRC
GPS, GALILEO
50
Broadcaster Vehicle to VehicleRFID
WiMAX
RSU to RSU
Hot-Spot(Wireless LAN,
WiFi)
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 10/37
Vehicle Communication (VC)
VC promises safer roads,
… more efficient driving,
Warning:Accident at (x,y)
Warning:Accident at (x,y)
!!
TOC
RSU RSU
Traffic Update:Congestion at (x,y)
!
Congestion Warning:At (x,y), use alt. route
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 11/37
Vehicle Communication (VC)
… more fun,
MP3-Download
Text message:We'll stop at next roadhouse
… and easier maintenance. Software Update
Malfunction Notification:Arriving in 10 minutes,
need ignition plug
RSU
CarManuf.
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 12/37
Security and Privacy
More fun, but for whom?
Position Beacon
… and a lot more …Your new
ignition-control-software
RSU
Location Tracking
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 13/37
The location privacy problem and a solution vehicles continuously broadcast heart beat
messages, containing their ID, position, speed, etc.
tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel
one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 14/37
Adversary model changing pseudonyms is ineffective against a global
eavesdropper
hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range
A, GPS position, speed, direction
predicted positionat the time of thenext heart beat
B, GPS position, speed, direction
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 15/37
The mix zone concept
the unobserved zone functions as a mix zone where the vehicles change pseudonym and mix with each other
vehicles do not know where the mix zone is (this depends on where the adversary installs observation spots)
vehicles change pseudonyms frequently s.t. each vehicle changes pseudonym while in the mix zone
mix zone
1
2 3
4
56
ports
1
2
3
4
5
6
observationspots
unobserved zone
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 16/37
Example of mix zone
8.2 Location privacy in vehicular networks
1
2
3
4
Pseudonym: X12
Pseudonym: Y23
Pseudonym: Z34
Pseudonym: W45
mix zone
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 17/37
time is divided into discrete steps pij = Pr{ exiting at j | entering at i } Dij is a random variable (delay) that represents the
time that elapses between entering at i and exiting at j
dij(t) = Pr{ Dij = t }
Pr{ exiting at j at t | entering at i at t } = pij dij(t-t)
Model of the mix zone
dij(t)
t
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 18/37
Observations
tn1 n2 nk
x1 x2 xk
t2 tk
t1 tk
N1 N2 Nk
X1 X2 Xk
t1 = 0
the adversary can observe the points (ni, xi) and the times (ti, ti) of enter and exit events (Ni, Xi)
nodes change pseudonyms inside the mix zone no easy way to determine which exit event corresponds to which enter event
each possible mapping between exit and enter events is represented by a permutation p of {1, 2, …, k}:
mp = (N1 ~ Xp[1], N2 ~ Xp[2], …, Nk ~ Xp[k])where p[i] is the i-th element of the permutation
we want to determine Pr{ mp | N, X }
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 19/37
Computing the level of privacy
8.2 Location privacy in vehicular networks
where mπ is the mapping described by the permutation π
where pij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zoneand dij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j.
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 20/37
Another privacy metric tracking game:
– the adversary picks a vehicle v in the observed zone– she tracks v until it enters the mix zone at port s– then, she observes the exiting events until time T (where the
probability that v leaves the mix zone until T is close to one)– for each exiting vehicle at port j and time t, the adversary
computes qjt = psjdsj(t)– the adversary decides to the exiting vehicle v’ for which qjt is
maximal• this realizes a Bayesian decision (minimizes the error probability
of the decision)– the adversary wins if v’ = v
the level of privacy achieved is characterized by the success probability of the adversary– if success probability is high, then level of privacy is low
8.2 Location privacy in vehicular networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 21/37
Location-Based Services People share their location on-line
– Social purposes– Contextual services
8.2 Location privacy in location-based services
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 22/37
Quantifying location privacy
8.2 Location privacy in location-based services
The Framework
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 23/37
Protecting location privacy
8.2 Location privacy in location-based services
Anonymization– Pseudonyms
Obfuscation– Deleting
– Randomizing
– Discretizing
– Sub-sampling
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 24/37
Adversary Model
8.2 Location privacy in location-based services
Observation KnowledgeAnonymized and Obfuscated Traces Users’ mobility profiles
PDFanonymization
PDFobfuscation
LPPM
Inference Attack Examples
Localization Attack: “Where was Alice at 8pm?”What is the probability distribution over the locations for user ‘Alice’ at time ‘8pm’?
Tracking Attack: “Where did Alice go yesterday?”What is the most probable trace (trajectory) for user ‘Alice’ for time period ‘yesterday’?
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 25/37
Inference Attacks
8.2 Location privacy in location-based services
A practical solution: Decoupling De-anonymization from De-obfuscation
Computationally infeasible:s (anonymization / permutation) can take N! values
(Au is the actual trace of user u)
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 26/37
De-anonymization
8.2 Location privacy in location-based services
1 - Compute the likelihood of observing trace ‘i’ from user ‘u’, for all ‘i’ and ‘u’, using HMP (Hidden Markov Process): Forward-Backward algorithm.
2 - Compute the most likely assignment using a Maximum Weight Assignment algorithm (e.g., Hungarian algorithm). O(N4)
u1
u2
uN
…
Users
1
…Nyms
2
N
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 27/37
De-obfuscation
8.2 Location privacy in location-based services
Given the most likely assignment s*, the localization probability can be computed using Hidden Markov Model: the Forward-Backward algorithm
Tracking AttackGiven the most likely assignment s*, the most likely trace for each user can be computed using Viterbi algorithm
Localization Attack
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 28/37
The game
8.2 Location privacy in location-based services
User Adversary (leader) (follower)
𝑟 𝑟 ′ �̂�LBS message
Chooses to maximize it Chooses to minimize it
User accesses LBS from location known to adversary
user gain / adversary loss
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 29/37
Hands-on Exercises 3
8.2 Location privacy in location-based services
Part A– Wireless traces– Analysis– De-anonymization– Countermeasures– Bonus: Track (multiple) users
Part B– LPPM evaluation using LPM– E.g., sub-sampling: hoe3_lpm configFile s subsamplingProb– Bonus: Analyze and understand the privacy levels obtained
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 30/37
Chapter outline
8.1 Important privacy related notions and metrics8.2 Location privacy in vehicular networks8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 31/37
8.3 Privacy preserving routing in ad hoc networks Goal: unlinkability (make it very hard for a global
observer to know who communicates with whom)
Some nodes may be compromised even the forwarding nodes should not know who the source and the destination are
We also want to hide the identity of the forwarding nodes from each other (because this information would be useful for the attacker)
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 32/37
Effective but inefficient solution Route establishment: flooding the network with a
route request
Source:– generates an asymmetric key-pair (K,K-1), a secret key k0,
and a nonce n0
– Encrypts D, S, and K-1 with the public key KD of the destination
– Encrypts k0 and n0 with K– Broadcasts the route request:
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 33/37
Effective but inefficient solution F1 receives this route request It verifies if it is the target of the request:
– decrypts with its private key
If F1 is not the target:– Generates a secret key k1 and a nonce n1– Concatenates them to – Encrypts the result with K– Broadcasts
General format of the route request message:
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 34/37
Effective but inefficient solution D attempts to decrypt and it succeeds D broadcasts a dummy request:
It decrypts and obtains the secret keys and the nonces of the forwarding nodes
It generates a link key for each link and sends a route reply:
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 35/37
Effective but inefficient solution Fi receives route reply: decrypts it with ki If ki works: checks if it received back its ni If this is the case:
– Fi peels the outer layer off the route reply– Applies some padding to retain its original length– Re-broadcasts
Sending data:– Source encrypts the packet with kout
0 and broadcasts it– Each node tries to decrypt it with its incoming link keys– If Fi succeeds to decrypt the packet with ki
in: it re-encrypts it with ki
out, and re-broadcasts it– Until the packet arrives to the destination
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 36/37
Improving efficiency Much computation from the nodes:
– Solution: replace the public key encryption with symmetric key encryption
Source and destination share a secret key kSD and a counter cSD
Source computes a one-time hint for the destination: h(kSD,cSD)
Each node can pre-compute the hint of each possible source:– only a table lookup when processing route request messages
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 37/37
Improving efficiency Modified route request:
Modified route reply:
Hint for Fi: hashing ni with g When processing route reply:
– Only a table lookup to determine which key should be used to decrypt the route reply
8.3 Privacy preserving routing in ad hoc networks
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection 38/37
Summary on Privacy Protection Location privacy in LBS services:
– Aversary model: sporadic location exposure (with LPPM)– The level of location privacy can be quantified based on the
result of the inference– Trade-off with utility
Location privacy in vehicular networks:– Adversary model: monitored zones and unmonitored zones– The level of location privacy can be quantified using an
entropy-based metric
Privacy in ad hoc network routing protocols: – A routing protocol that makes it very hard for a global
observer to know who communicates with whom
Security and Cooperation in Wireless NetworksChapter 8: Privacy protection
Our research projects on privacy protection Privacy in mobile and pervasive networks:
http://lca.epfl.ch/projects/privacyTo probe further on some aspects presented in this lecture:- R. Shokri, G. Theodorakopoulos, J.-Y. Le Boudec, and J.-P. Hubaux. Quantifying Location Privacy. In Proc. of the IEEE Symposium on Security and Privacy (S&P), Oakland, CA, USA, 2011.- R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, and J.-Y. Le Boudec. Protecting Location Privacy: Optimal Strategy against Localization Attacks. In Proc. of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, 2012.
- Genome privacy: http://lca.epfl.ch/projects/genomic-privacy/
- Privacy and security mechanisms with selfish players:http://lca.epfl.ch/projects/gamesec