Spatial awareness in authentication of mobile subscriber and associated location privacy issues - PowerPoint PPT Presentation

Description:

Presented work done in collaboration with Vladimir Oleshchuk. ... Homomorphic property: E(x) ⊗ E(y) = E(x ⊕ y) (⊗, ⊕ some operations). Point inclusion problem: ...

Slides: 21
Provided by: gei90

Transcript and Presenter's Notes

1
Spatial awareness in authentication of mobile
subscriber and associated location privacy issues
  • Geir M. Køien,
  • Telenor R&D (geir-myrdahl.koien_at_telenor.com) /
  • Agder University College (geir.koien_at_hia.no)
  • Presented work done in collaboration with
    Vladimir Oleshchuk.
  • 5th WIM meeting, 13-15.08.2003, Grimstad, Norway

2
Spatial information gathering and location
privacy issues
  • It was the best of times, it was the worst of
    times, it was the age of wisdom, it was the age
    of foolishness (Charles Dickens, A Tale of Two
    Cities)
  • Today
  • High-Resolution location infrastructure(s)
    present
  • Location services about to become a reality
  • Many wonderful services will emerge
  • After 9-11 and Twin Towers
  • Location data is obviously interesting
    intelligence
  • Privacy invasion deemed justified under many
    circumstances
  • Large scale pervasive tracking of individuals
    possible

3
Introduction
  • The context
  • Mobile Cellular Systems
  • Home Domain (HD): administrative
    domain / subscriber databases
  • Serving Network (SN): home or roaming network
  • User Equipment (UE): Mobile Station (MS),
    consisting of Subscriber Identity Module (SIM)
    and Terminal (TE)
  • MS and TE are likely to be owned or controlled by
    the user (or her employer)
  • SIM is almost always the property of the HD
  • Serving Network will have a rough idea of where
    active UEs are located
  • Home Domain only knows which SN the UE is
    attached to
  • Legitimate need for HD to be able to determine
    the location of the UE
  • Security service: ability to provide location
    dependent access
  • Fine grained and user selective security policy
    possible
  • Regulatory requirement for networks to provide
    location information (Emergency E112/E911)
  • Location Services of commercial interest to
    operators
  • User Location Privacy is an issue
  • Location information must be considered sensitive
    data

4
General Architecture and Involved Entities
Assumption: SIM is issued by HD and can
explicitly be trusted by HD. Subscriber controls
(uncompromised) UE. That is, MS, LMU
(location measurement unit) and TE can be implicitly
trusted by HD.
5
Spatially aware Authentication and Key Agreement
(AKA)
  • Policy Control Issue
  • Risk exposure and threats are spatially dependent
  • Some environments are protected and trustworthy
  • Some environments are wide open to adversaries
  • Exposure Control Dimension (Validity of AKA
    results)
  • Usage Exposure (KByte/packets)
  • IPsec Security Association validity (lifetime
    KByte setting)
  • No measurement problem with counting
    bytes/packets
  • Temporal Exposure (seconds)
  • IPsec Security Association validity (lifetime
    seconds setting)
  • No measurement problem with counting passage of
    time
  • Spatial Exposure (area)
  • Not common to enforce spatial exposure
    restrictions (except very coarse granularity)
  • How to independently and accurately determine UE
    position?

6
Spatially aware Authentication and Key Agreement
(AKA)
  • Who should execute the spatial determination
  • The Home Domain?
  • This is generally not possible
  • The Serving Network?
  • The SN will generally be able to determine the UE
    position
  • The methods and resolution will vary, but by
    radio access methods one will almost always have
    some measure of the position of the UE
  • The subscriber?
  • If at all possible it will be beneficial if the
    UE is able to (independently) establish its own
    position
  • Alternatively, the UE may require network
    assistance (from SN) to determine its own position

7
Spatially aware Authentication and Key Agreement
(AKA)
  • Location determination at the Serving Network
  • Very crude
  • Timing advance information of signal
    propagation delay
  • Measure signal path distance (path may include
    reflections)
  • Only very approximate distance
  • Example: GSM has a TA resolution of approx. 550 m,
    which gives a 550 meter wide band at
    (estimated) distance n from the base station
  • More elaborate
  • Multiple APs
  • Measure time difference (UL) of signal between
    AP(s) and UE
  • Applying triangulation

8
Spatially aware Authentication and Key Agreement
(AKA)
  • Location determination at the UE
  • Network provided information
  • Coarse resolution
  • Access Points broadcast their location
  • Timing advance information of signal
    propagation delay
  • Measure signal path distance (path may include
    reflections)
  • More precise methods
  • Access Points broadcast their location (precise
    timing information)
  • Requires synchronized Access Network
  • Measure time difference (DL) of signal between
    AP(s) and UE
  • Applied to synchronized broadcast channel
  • Triangulation by the UE

9
Spatially aware Authentication and Key Agreement
(AKA)
  • Location determination at the UE
  • Network independent information (possibly network
    assisted)
  • Requires some form of positioning infrastructure
  • Satellite provision already available
  • Operational and commercially available:
    NAVSTAR (GPS)
  • Decision made, not yet operational: Galileo
    (ESA/EU)
  • Operational: Glonass (Russian)
  • Network assistance (optional)
  • Kick-start information provided by Serving
    Network
  • Differential (dGPS) information provided by
    Serving Network

10
Spatially aware Authentication and Key Agreement
(AKA)
  • Measurement issues
  • What is the required frequency/interval of
    measurements?
  • (Real-time) validity periods, etc.
  • Is immediate position data required?
  • What is the accuracy required (spatially)?
  • How to handle missing or delayed position data?
  • AKA execution is imperative to cellular systems
  • AKA execution is time critical for cellular
    systems
  • AKA frequency may be high at times
  • AKA is a critical mandatory procedure
  • NO SERVICE WITHOUT SUCCESSFUL AKA (except E112)

11
Location Privacy issues
  • What to protect and who to protect it from
  • The question raises the issue of trust
  • With respect to location data

12
Case 1: Spatial AKA for 3G-WLAN
  • Case: 3GPP-WLAN interworking
  • 3G systems more secure than IEEE 802.11
    infrastructure
  • 3G HD may need to restrict access based on
    location and access type
  • Many solutions possible (none presented to 3GPP)
  • Basic idea
  • A fixed reference grid (based on WGS-84 or
    similar)
  • (http://www.wgs84.com/wgs84/wgs84.htm)
  • Position given as a square within the grid
    reference system
  • Function ad maps position (x,y) onto an Area
    Descriptor AD
  • ad(x,y) → AD
  • Position determined by UE (or SN, or both)
  • We shall assume here that only UE derived
    position is used
  • HD never given exact position
  • but true location privacy is not attained

13
Case 1: Spatial AKA for 3G-WLAN
  • UE
  • Measure true position (x,y) by means of GPS
  • Send REGISTRATION(Id) message to HD
  • HD
  • Send challenge CHALLENGE(RAND, AUTN, Scale)
  • UE
  • Calculate AD: ad(x,y,scale) → AD_UE
  • Send response RESPONSE(RES, AD_UE, TimeStamp)
  • HD
  • Verify RES and AD
  • Send SUCCESS

14
Case 1: Spatial AKA for 3G-WLAN

  UE                          AP                          HD
   | --- REGISTER(Id) -------> |                           |
   |                           | --- REGISTER(Id) -------> |
   | <------------- CHALLENGE(RAND, AUTN, Scale) --------- |
   | Measure position, calculate AD, RES and key material  |
   | -------------- RESPONSE(RES, AD, Time) -------------> |
   |                           |         Verify RES and AD |
   |                           | <---- SUCCESS(key mat.) - |
   | <---- SUCCESS() --------- |                           |
   | <==== protected link ===> |                           |
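An added worked example (not code from the slides) of the Case 1 idea: the area-descriptor function ad(x,y,scale), an HD-side policy expressed as a set of grid squares, and the HD check of a RESPONSE. The planar grid, the HMAC stand-in for the 3G response function f2, and the policy and time values are all assumptions; unlike the slides, RES here also covers AD and TimeStamp so they cannot be altered between UE and HD.

```python
import hashlib
import hmac
from dataclasses import dataclass

def ad(x, y, scale):
    """ad(x, y, scale): map a position (metres east/north in a fixed planar grid,
    a stand-in for the WGS-84 grid of the slides) to the grid square of side
    `scale` that contains it. HD chooses the scale, so it learns only the square."""
    return (int(x // scale), int(y // scale))

def policy_squares(xmin, ymin, xmax, ymax, scale):
    """HD policy: every square at `scale` that intersects the allowed rectangle."""
    return {(i, j) for i in range(int(xmin // scale), int(xmax // scale) + 1)
                   for j in range(int(ymin // scale), int(ymax // scale) + 1)}

@dataclass
class Challenge:
    rand: bytes       # RAND from the CHALLENGE message
    scale: int        # Scale parameter chosen by HD
    issued_at: int    # HD-side time (seconds) at which the challenge was issued
    # AUTN (network authentication token) is omitted in this example.

def res_for(key, rand, ad_ue, ts):
    # Stand-in for the 3G f2(K, RAND) function (assumption: HMAC-SHA256). It also
    # covers AD and the timestamp, so a relay cannot swap in a different square.
    msg = rand + repr((ad_ue, ts)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def ue_response(key, ch, x, y, now):
    """UE: RESPONSE(RES, AD_UE, TimeStamp) built from its own GPS fix (x, y)."""
    ad_ue = ad(x, y, ch.scale)
    return res_for(key, ch.rand, ad_ue, now), ad_ue, now

def hd_verify(key, ch, response, allowed_ads, now, max_age=30):
    """HD: check RES first, then timestamp freshness, then AD against policy."""
    res, ad_ue, ts = response
    if not hmac.compare_digest(res, res_for(key, ch.rand, ad_ue, ts)):
        return False, "RES mismatch"
    if not (ch.issued_at <= ts <= now and now - ts <= max_age):
        return False, "stale timestamp"
    if ad_ue not in allowed_ads:
        return False, "AD outside policy"   # authenticated, but not where this access type is allowed
    return True, "SUCCESS"
```

The HD still learns the square the UE is in, which is why the slides note that true location privacy is not attained; the position itself is only as trustworthy as the UE that reports it.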
15
Case 2: Enhanced Privacy
  • Background
  • Based on Secure Multiparty Computation field
  • Public-key cryptosystems with special
    characteristics
  • Inherently asymmetric (secret/private key, public
    key)
  • Homomorphic property: E(x) ⊗ E(y) = E(x ⊕ y)
    (⊗, ⊕ some operations)
  • Point inclusion problem
  • Is position Z included within boundary of polygon
    P
  • Z is known to Alice, but Bob shall not be allowed
    to know Z
  • P is known to Bob, but Alice shall not be allowed
    to know P

16
Case 2: Enhanced Privacy
  • Secure Two-Party Location Inclusion Protocol
    (S2PLIP)
  • Bob generates key pair (private, public) and sends
    public key to Alice
  • Bob sends encrypted polygon E(P) to Alice
  • Alice processes the encrypted polygon by means of
    public key
  • Alice generates a random value v and calculates a
    value v' that includes the operation ⊗ on E(v).
    Alice will now ask Bob to decrypt v'
  • Bob returns D(v')
  • Alice calculates, via complex transformations, a
    series of parameters e
  • Bob decrypts the e parameters. If D(e) > 0 for all
    e, then Z is located within boundary of P
  • The procedure involves many public-key operations
    (high computational cost)
  • But we shall assume that the computational cost
    is affordable
  • The more important questions are
  • How many (additional) round-trips will be
    required?
  • What is the signaling payload cost of the
    procedure?
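An added illustration (not the S2PLIP of the slides, and not the authors' code) of the homomorphic point-inclusion idea behind it: Bob encrypts the line coefficients of each edge of a convex polygon P under an additively homomorphic scheme, Alice combines them with her position Z = (x, y) using only the public key and blinds each result with a random positive factor, and Bob decrypts and applies the "D(e) > 0 for all e" test. The toy Paillier parameters, the edge-coefficient encoding and the blinding step are assumptions of this example; the v/v' decryption round of the slides is omitted.

```python
import math
import random

# Constructed toy primes: far too small for real use, chosen so the arithmetic is fast.
def paillier_keygen(p=1000003, q=1000033):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # standard Paillier simplification
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m):
    n, g = pub
    r = random.randrange(1, n)                          # toy randomness; use secrets in practice
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m                   # upper half of Z_n encodes negatives

def add(pub, c1, c2):       return c1 * c2 % (pub[0] ** 2)          # E(a) * E(b) = E(a + b)
def mul_const(pub, c, k):   return pow(c, k % pub[0], pub[0] ** 2)  # E(a) ^ k = E(k * a)

def bob_encrypt_polygon(pub, vertices):
    """Bob: convex polygon P (vertices counter-clockwise) -> per-edge encrypted
    coefficients (a, b, c) with a*x + b*y + c > 0 exactly for interior points."""
    enc = []
    for i, (x1, y1) in enumerate(vertices):
        x2, y2 = vertices[(i + 1) % len(vertices)]
        a, b, c = -(y2 - y1), x2 - x1, (y2 - y1) * x1 - (x2 - x1) * y1
        enc.append((encrypt(pub, a), encrypt(pub, b), encrypt(pub, c)))
    return enc

def alice_blind_evaluate(pub, enc_edges, x, y):
    """Alice: using only the public key, compute E(r*(a*x + b*y + c)) per edge.
    A fresh random r > 0 hides her distance to the edge but preserves the sign."""
    out = []
    for ea, eb, ec in enc_edges:
        e = add(pub, add(pub, mul_const(pub, ea, x), mul_const(pub, eb, y)), ec)
        out.append(mul_const(pub, e, random.randrange(1, 1000)))
    return out

def bob_decide(pub, priv, blinded):                     # the "D(e) > 0 for all e" test
    return all(decrypt(pub, priv, e) > 0 for e in blinded)

def point_in_polygon(vertices, x, y):
    pub, priv = paillier_keygen()
    return bob_decide(pub, priv, alice_blind_evaluate(pub, bob_encrypt_polygon(pub, vertices), x, y))
```

Bob never sees (x, y) and Alice never sees the coefficients, but Bob does learn the sign for each edge, which is a known leak of this simplified form; the payload is 3n ciphertexts of 2k bits from Bob and n of 2k bits from Alice, in line with the 2nk-bit terms on the following slides.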

17
Case 2: Enhanced Privacy
  • Complexity analysis of S2PLIP
  • Polygon P has n vertices (corners)
  • Rectangles/squares and hexagons are most
    realistic shapes
  • Selected cryptosystem has k bit keys
  • We assume that all coefficients can be
    represented by a k bit number
  • Bob sends encrypted polygon P and public-key to
    Alice
  • 2nk bits must be sent
  • Alice asks Bob to decrypt value v
  • 2k bits must be sent
  • Bob replies with D(v)
  • 2nk bits must be sent
  • Alice sends e parameters
  • 2nk bits must be sent

18
Case 2: Enhanced Privacy
  • Complexity analysis of S2PLIP -- Example
  • Polygon P has n vertices. Let P be a
    rectangle/square: n = 4
  • Selected cryptosystem has k bit keys. Let k =
    1024
  • Bob→Alice: 8 Kb must be sent (public key may be
    sent prior to AKA sequence)
  • Alice→Bob: 2 Kb must be sent
  • Bob→Alice: 8 Kb must be sent
  • Alice→Bob: 8 Kb must be sent
  • Bob→Alice: success/failure (1 bit)
  • Summary
  • Round-trips: 2.5
  • Ordinary AKA always has 1 round-trip
  • 1-2 additional round-trips required (depending on
    possibility for piggybacking)
  • Payload
  • (Payload > Link Layer MTU) → Segmentation of
    frames (incurs a performance penalty)
  • Simple polygons must be used (squares/rectangles
    and hexagons)
  • Key lengths should be kept comparatively low
    (768 or 1024 seems appropriate)

19
Summary
  • Measurement problem
  • UE must be able to independently determine
    position
  • Availability of position data is a concern
  • Location privacy is important
  • Weak privacy may be sufficient in some cases
  • Strong privacy is preferred
  • Real-time constraints
  • Number of round-trips will be the single most
    important parameter with respect to delay products
  • Weak privacy is feasible and can be applied to
    existing systems
  • Strong privacy may not yet be feasible for AKA
    of basic access
  • Strong privacy is feasible at
    application/service level
