Title: Spatial awareness in authentication of mobile subscriber and associated location privacy issues
1Spatial awareness in authentication of mobile
subscriber and associated location privacy issues
- Geir M. Køien,
- Telenor RD (geir-myrdahl.koien_at_telenor.com ) /
- Agder University College (geir.koien_at_hia.no )
- Presented work done in collaboration with
Vladimir Oleshchuk. - 5th WIM meeting, 13-15.08.2003, Grimstad, Norway
2Spatial information gathering and location
privacy issues
- It was the best of times, it was the worst of
times, it was the age of wisdom, it was the age
of foolishness (Charles Dickens, Tales of Two
Cities) - Today
- High-Resolution location infrastructure(s)
present - Location services about to become a reality
- Many wonderful services will emerge
- After 9-11 and Twin Towers
- Location data is obviously interesting
intelligence - Privacy invasion deemed justified under many
circumstances - Large scale pervasive tracking of individuals
possible
3Introduction
- The context
- Mobile Cellular Systems
- Home Domain (HD) administrative
domain/subscriber databases - Serving Network (SN) home or roaming network
- User Equipment (UE) Mobile Station (MS),
Subscriber Identity Module (SIM) Terminal (TE) - MS and TE is likely to owned or controlled by the
user (or her employer) - SIM is almost always the property of the HD
- Serving Network will have rough idea of where
active UEs are located - Home Domain only knows which SN the UE is
attached to - Legitimate need for HD to be able to determine
the location of the UE - Security service ability to provide location
dependent access - Fine grained and user selective security policy
possible - Regulatory requirement for networks to provide
location information (Emergency E112/E911) - Location Services of commercial interest to
operators - User Location Privacy is an issue
- Location information must be considered sensitive
data
4General Architecture and Involved Entities
Assumption SIM is issued by HD and can
explicitly be trusted by HD. Subscriber controls
(uncompromised) UE. That is MS, LMU
(Loc.measurement unit) and TE can be implicitly
trusted by HD
5Spatially aware Authentication and Key Agreement
(AKA)
- Policy Control Issue
- Risk exposure and threats are spatially dependent
- Some environments are protected and trustworthy
- Some environments are wide open to adversaries
- Exposure Control Dimension (Validity of AKA
results) - Usage Exposure (KByte/packets)
- IPsec Security Association validity (lifetime
KByte setting) - No measurement problem with counting
bytes/packets - Temporal Exposure (seconds)
- IPsec Security Association validity (lifetime
seconds setting) - No measurement problem with counting passage of
time - Spatial Exposure (area)
- Not common to enforce spatial exposure
restrictions (except very coarse granularity) - How to independently and accurately determine UE
position?
6Spatially aware Authentication and Key Agreement
(AKA)
- Who should execute the spatial determination
- The Home Domain?
- This is generally not possible
- The Serving Network?
- The SN will generally be able to determine the UE
position - The methods and resolution will vary, but by
radio access methods one will almost always have
some measure of the position of the UE - The subscriber?
- If at all possible it will be beneficial if the
UE is able to (independently) establish its own
position - Alternatively, the UE may require network
assistance (from SN) to determine its own position
7Spatially aware Authentication and Key Agreement
(AKA)
- Location determination at the Serving Network
- Very crude
- Timing advance information of signal
propagation delay - Measure signal path distance (path may include
reflections) - Only very approximate distance
- Example GSM has a TA resolution of approx.550m,
which gives as a 550 meter wide band with
(estimated) distance n from the basestation - More elaborate
- Multiple APs
- Measure time difference (UL) of signal between
AP(s) and UE - Applying triangulation
8Spatially aware Authentication and Key Agreement
(AKA)
- Location determination at the UE
- Network provided information
- Coarse resolution
- Access Points broadcast their location
- Timing advance information of signal
propagation delay - Measure signal path distance (path may include
reflections) - More precise methods
- Access Points broadcast their location (precise
timing information) - Requires synchronized Access Network
- Measure time difference (DL) of signal between
AP(s) and UE - Applied to synchronized broadcast channel
- Triangulation by the UE
9Spatially aware Authentication and Key Agreement
(AKA)
- Location determination at the UE
- Network independent information (possibly network
assisted) - Requires some form of positioning infrastructure
- Satellite provision already available
- Operational and commercially available
NAVSTAR(GPS) - Decision made, not yet operational Galileo
(ESA/EU) - Operational Glonass (Russian)
- Network assistance (optional)
- Kick-start information provided by Serving
Network - Differential (dGPS) information provided by
Serving Network
10Spatially aware Authentication and Key Agreement
(AKA)
- Measurement issues
- What is the required frequency/interval of
measurements ? - (real-time) Validity periods etc
- Is immediate position data required ?
- What is the accuracy required (spatially) ?
- How to handle missing or delayed position data ?
- AKA execution is imperative to cellular systems
- AKA execution is time critical for cellular
systems - AKA frequency may be high at times
- AKA is a critical mandatory procedure
- NO SERVICE WITHOUT SUCCESSFUL AKA (except E112)
11Location Privacy issues
- What to protect and who to protect it from
- The question raises the issue of trust
- With respect to location data
12Case 1 Spatial AKA for 3G-WLAN
- Case 3GPP-WLAN interworking
- 3G systems more secure than IEEE 802.11
infrastructure - 3G HD may need to restrict access to based on
location and access type - Many solutions possible (none presented to 3GPP)
- Basic idea
- A fixed reference grid (based on WGS-84 or
similar) - (http//www.wgs84.com/wgs84/wgs84.htm)
- Position given as a square within the grid
reference system - Function ad maps position (x,y) onto an Area
Descriptor AD - ad(x,y) ? AD
- Position determined by UE (, SN or both)
- We shall assume here that only UE derived
position is used - HD never given exact position
- but true location privacy is not attained
13Case 1 Spatial AKA for 3G-WLAN
- UE
- Measure true position (x,y) by means of GPS
- Send REGISTRATION(Id) message to HD
- HD
- Send challenge CHALLENGE(RAND,AUTN,Scale)
- UE
- Calculate AD ad(x,y,scale) ? ADUE
- Send response RESPONSE(RES,ADUETimeStamp)
- HD
- Verify RES and AD
- Send SUCCESS
14Case 1 Spatial AKA for 3G-WLAN
REGISTER(Id)
REGISTER(Id)
CHALLENGE(RAND, AUTN, Scale)
- Measure position
- Calculate AD
- Calculate RES
- Calculate Key material
RESPONSE(RES, AD, Time)
SUCCESS(key mat.)
SUCCESS()
protected link
15Case 2 Enhanced Privacy
- Background
- Based on Secure Multiparty Computation field
- Public-key cryptosystems with special
characteristics - Inherently asymmetric (secret/private key, public
key) - Homomorphic property E(x) ? E(y) E(x y)
(? some oper.) - Point inclusion problem
- Is position Z included within boundary of polygon
P - Z is known to Alice, but Bob shall not be allowed
to know Z - P is known to Bob, but Alice shall not be allowed
to know P
16Case 2 Enhanced Privacy
- Secure Two-Party Location Inclusion Protocol
(S2PLIP) - Bob generates key pair (private,public) and sends
public key to Alice - Bob sends encrypted polygon E(P) to Alice
- Alice processes the encrypted polygon by means of
public key - Alice generates a random value v and calculates a
value v that includes the operation ? on E(v).
Alice will now ask Bob to decrypt v - Bob returns D(v)
- Alice calculates, via complex transformations, a
series of parameters e - Bob decrypts the e parameters. If D(e)gt0 for all
e, then Z is located within boundary of P - The procedure involves many public-key operations
( high computational cost) - But we shall assume that the computational cost
is affordable - The more important questions are
- How many (additional) round-trips will be
required? - What is the signaling payload cost of the
procedure?
17Case 2 Enhanced Privacy
- Complexity analysis of S2PLIP
- Polygon P has n angles
- Rectangles/squares and hexagons are most
realistic shapes - Selected cryptosystem has k bit keys
- We assume that all coefficients can be
represented by a k bit number - Bob sends encrypted polygon P and public-key to
Alice - 2nk bits must be sent
- Alice asks Bob to decrypt value v
- 2k bits must be sent
- Bob replies with D(v)
- 2nk bits must be sent
- Alice sends e parameters
- 2nk bits must be sent
18Case 2 Enhanced Privacy
- Complexity analysis of S2PLIP -- Example
- Polygon P has n angles. Let P be a
rectangle/square. n 4 - Selected cryptosystem has k bit keys. Let k
1024 - Bob?Alice 8 Kb must be sent (public-key may be
sent prior to AKA sequence) - Alice?Bob 2 Kb must be sent
- Bob?Alice 8 Kb must be sent
- Alice?Bob 8 Kb must be sent
- Bob?Alice success/failure (1 bit)
- Summary
- Round-trips 2,5
- Ordinary AKA always have 1 round-trip
- 1-2 additional round-trips required (depending on
possibility for piggybacking) - Payload
- (Payload gt Link Layer MTU) ? Segmentation of
frames (incurs a performance penalty) - Simple polygons must be used (squares/rectangles
and hexagons) - Key lengths should be kept comparatively low
(768 or 1024 seems appropriate)
19Summary
- Measurement problem
- UE must be able to independently determine
position - Availability of pos.data is a concern
- Location privacy is important
- Weak privacy may be sufficient in some cases
- Strong privacy is preferred
- Real-time constraints
- No. of round-trips will be the single most
important parameter wrt delay products - Weak privacy is feasible and can be applied to
existing systems - Strong privacy may not yet be feasible for AKA
of basic access - Strong privacy is feasible at
application/service level
20Literature
- 1 Geir M. Køien and Vladimir Oleshchuk,
Spatio-Temporal Exposure Control An
investigation of spatial home control and
location privacy preserving issues, The 14th
IEEE International Symposium on Personal, Indoor
and Mobile Radio Communications (PIMRC 2003),
Beijing, China, September 7-10, 2003 - 2 Geir M. Køien and Vladimir Oleshchuk,
Privacy-Preserving Spatially Aware
Authentication Protocols Analysis and
Solutions, Submitted to NORDSEC 2003, Gjøvik,
Norway, October 15-17, 2003 - 2 3GPP, TS 23.271 v620 3rd Generation
Partnership Project Technical Specification
Group Services and System Aspects Functional
stage 2 description of LCS (Release 6), 3GPP,
Valbonne, France, 2002 - 3 3GPP, TS 33.102 v510 3rd Generation
Partnership Project Technical Specification
Group Services and System Aspects 3G Security
Security architecture (Release 5), 3GPP,
Valbonne, France, 2002 - 4 3GPP, TS 33.234 v050, 3rd Generation
Partnership Project Technical Specification
Group Services and System Aspects 3G Security
Wireless Local Area Network (WLAN) Interworking
Security (Release 6), work in progress, 3GPP,
Valbonne, France, 2003 - 5 M.J Attallah and W. Du, Secure Multi-Party
Computational Geometry in WADS 2001 7th
International Workshop on Algorithms and Data
Structures, Providence, Rohde Island, USA, August
2001, published in LNCS 2125, Springer-Verlag,
pp.165-179 - 6 S W. Du and M. J. Atallah, Secure
multi-party computation problems and their
applications A review and open problems, In New
Security Paradigms Workshop, pages 11 - 20 ,
Cloudcroft, New Mexico, USA, September 11-13,
2001 - 7 S. Goldwasser. Multi-party computations
Past and present, in Proceedings of the 16th
Annual ACM Symposium on Principles of Distributed
Computing, Santa Barbara, CA USA, August 21-24,
1997 - 8 A. C. Yao. Protocols for secure
computations, in proc. of the 23rd Annual IEEE
Symposium on Foundations of Computer Science, 1982