
Preserving Location Privacy in Wireless LANs


Presentation Transcript


  1. Preserving Location Privacy in Wireless LANs Presented by Alvin Yonggang Yun April 9, 2008 CSCI 388 - Wireless and Mobile Security

  2. Authors • Tao Jiang University of Maryland • Helen J. Wang Microsoft Research • Yih-Chun Hu University of Illinois Presented MobiSys’07, June 11–13, 2007, San Juan, Puerto Rico, USA

  3. Do you care if someone knows where you are?

  4. Someone does care about location privacy

  5. 220,000 Cell Towers Can Find You

  6. Location-based Services • Location-based networking (always connected + continuous services) • Location-based fitness assistant and shopping assistant

  7. Location and Location Privacy • Location Information can be obtained through direct communication with the respective entity or through indirect means such as observation and inference. • The claim/right of individuals, groups and institutions to determine for themselves, when, how and to what extent location information about them is communicated to others. • Location privacy is the ability to prevent other parties from learning one’s current or past location

  8. Problem • The broadcast nature of wireless networks and the widespread deployment of Wi-Fi hotspots make it easy to remotely locate a user by observing wireless signals. • Location information can be used by malicious individuals for blackmail, stalking, and other privacy violations.

  9. Balance: Location Privacy vs. Location-based Services. What’s NEW? Adjustable privacy (privacy entropy, more detail below)

  10. Paper Overview So, how to improve location privacy? Obfuscate 3 types of privacy-compromising information: • Sender identity • Time of transmission • Signal strength

  11. Paper Overview Why? Because of 5 types of leakage of location information in the course of wireless communications: • Sender node identity • Time • Location • Receiver node identity -- resolved: MIX-net or Crowd • Content -- resolved: encryption

  12. FOCUS • Anonymize the user or node identity with frequently changing pseudonyms: MAC address in this paper • Unlink different pseudonyms of the same user with silent periods: optimal model • Reduce the transmission range through transmit power control

  13. Design Overview • Driven by real-system implementation and field experiments along with analysis and simulations • Selectable privacy level, for both privacy-sensitive and non-privacy-sensitive users • Evaluate the system on real-life mobility data and wireless LAN coverage

  14. Research Background • Y.-C. Hu and H. J. Wang. Location privacy in wireless networks. In Proceedings of the ACM SIGCOMM Asia Workshop, Beijing, 2005. – extension and improvement • M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis. In WMASH ’03 • L. Huang, K. Matsuura, H. Yamane, and K. Sezaki. Enhancing wireless location privacy using silent period. • C. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27:379–423, 623–656 – Entropy (metric of privacy level)

  15. Related Work • Location technologies – RF-based • Application-Level Location Privacy • Network-Level Location Privacy • RF Fingerprinting

  16. Related Work: Location technologies • Only RF-based localization systems are considered • Achievable location accuracy: Indoor – under 1 meter 50% of the time; Outdoor – 15-30 meters median • Two phases: Training phase – “war-driving” to collect a large amount of signal data; Positioning phase – compare observed signals to the radio map

  17. Related Work: Application-Level Location Privacy • Anonymous usage of location-based services through spatial and temporal • Design protocols and APIs that consider the privacy issues in the transfer of location information to external services • Target: location information provided by applications • This paper: privacy of location information that can be inferred from the wireless transmissions of network users

  18. Related Work: Network-Level Location Privacy • Frequently changing user pseudonyms: blind signatures for anonymous communication • Silent periods • Pseudo-randomly chosen channel – assumes the AP operator is trusted

  19. Related Work: Network-Level Location Privacy • Frequently changing user pseudonyms: blind signatures for anonymous communication – vs – Sender identity hidden by MAC address changes • Silent periods – vs – Opportunistic silent periods • Pseudo-randomly chosen channel – vs – Reduced transmission power: fewer APs in range, works even if the AP cannot be trusted

  20. Anonymous Communication • Bob and the Server want to prevent outsiders from learning the fact that they are communicating – Unlinkability • Bob wants to prevent the server from learning Bob’s identity – Sender (Source) anonymity

  21. Related Work: Network-Level Location Privacy – Definitions • Silent period: the time when privacy-sensitive users intentionally do not transmit, in order to reduce the effectiveness of correlation based on the mobility pattern of users • Opportunistic silent period: optimal silent period calculation methodology

  22. Related Work: Network-Level Location Privacy – Again… Obfuscate 3 types of privacy-compromising information: • Sender identity • Time of transmission • Signal strength

  23. Related Work: RF Fingerprinting • Requires a high-speed, high-resolution Analog-to-Digital Converter – expensive to deploy • Can be prevented by intentionally adding strong noise • The paper does not address this; it is left as important future work…

  24. Attacker Model • Silent attackers: sniffers that do not emit any signals, only listen and localize mobile users • Exposed attackers: network providers – trustworthy? What about accidental leaks? • Active attackers: adjust base station transmission power • Passive attackers: no change to the base station

  25. Measure of Privacy How well can we preserve location privacy? We need to quantify it: Privacy Entropy. Given an attacker and the set of all mobile users U, let be the observation of the attacker about the user at some location L. Given observation , the attacker computes a probability distribution P over users. Entropy is the number of bits of additional information the attacker needs to definitively identify the user. Probability = 1 (100%) means the attacker has enough information to identify the user.

  26. Ways to go… • Pseudonym for sender identity • Opportunistic Silent Period for transmission time • Transmit power control for signal strength

  27. Pseudonym • Anonymity is a prerequisite for location privacy • Users must use frequently changing pseudonyms for communications • Pseudonyms: MAC address, IP address

  28. How to choose a pseudonym? • A Join Address (well-known address) is used to avoid MAC conflicts • The MAC address is taken from the MAC address pool • Nonce – cryptographic nonce, a 128-bit string used only once, to distinguish multiple simultaneous requests. Important! Avoid address collisions: let the AP assign MAC addresses to users/clients

  29. How to choose a pseudonym? Why not change the IP address? • MAC is enough; we do not need to extract and obfuscate application-layer user identities • Sources cannot easily communicate with the AP during IP changes (trusted anonymous bulletin boards with cryptographic mechanisms would be needed)

  30. When to change the pseudonym? Opportunistic Silent Period ONLY allows address changes just before the start of a new association (between client and AP). H = (N). An attacker can attempt to correlate different pseudonyms with the same user; silent periods reduce such correlations.

  31. Opportunistic Silent Period • During a silent period, a user does not send any wireless transmissions • The effectiveness of silent periods depends heavily on user density (higher density means better privacy) • Forced silent periods can disrupt communications. An opportunistic silent period minimizes disruption because it takes place during idle time between communications

  32. Opportunistic Silent Period Data shows opportunistic silent periods are quite suitable for WLAN: • CDF of session duration from the Dartmouth campus-wide WLAN trace • CDF of duration between sessions from the Dartmouth campus-wide WLAN trace

  33. Methodology for choosing a Silent Period • Efficacy of the silent period depends on user density • Mobility pattern data consists of records < time, pseudonym, location > • Probability that user i is linked to the new pseudonym among the candidates: Pi is the probability distribution used for privacy entropy
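As an added worked example (not code from the paper or the slides), here is how an attacker’s candidate set and the resulting privacy entropy can be computed from < time, pseudonym, location > records; the trace, the reachability rule (maximum speed times silent gap) and the uniform weighting over candidates are constructed assumptions of this example.

```python
import math

# Constructed mobility trace: (time in s, pseudonym, location in metres).
# A and D go silent, C keeps transmitting, then a new pseudonym X appears.
TRACE = [
    (0, "A", (0.0, 0.0)),
    (30, "A", (10.0, 0.0)),     # A last heard at t=30, then silent
    (0, "B", (500.0, 0.0)),
    (40, "B", (505.0, 0.0)),    # B last heard at t=40, far away
    (0, "C", (20.0, 5.0)),
    (95, "C", (25.0, 5.0)),     # C transmitted only 5 s before X appeared
    (0, "D", (50.0, 0.0)),
    (35, "D", (60.0, 0.0)),     # D last heard at t=35, then silent
    (100, "X", (40.0, 0.0)),    # new pseudonym X appears at t=100
]

def candidates(trace, new_pseudonym, max_speed):
    """Old pseudonyms that could be the owner of `new_pseudonym`.

    Assumed rule: a user was silent since its last record, so it is a
    candidate only if it could reach the new location at `max_speed`
    (m/s) during that silent gap."""
    new_time, new_loc = next((t, loc) for t, p, loc in trace
                             if p == new_pseudonym)
    last_seen = {}
    for t, p, loc in trace:
        if p != new_pseudonym and t < new_time:
            if p not in last_seen or t > last_seen[p][0]:
                last_seen[p] = (t, loc)
    return [p for p, (t, loc) in last_seen.items()
            if math.dist(loc, new_loc) <= max_speed * (new_time - t)]

def privacy_entropy(probs):
    """Shannon entropy in bits: 0 means the attacker identified the user."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def attacker_view(trace, new_pseudonym, max_speed):
    """Distribution P over users and its entropy; uniform over candidates
    is an assumption of this example (the paper weights from mobility data)."""
    cands = candidates(trace, new_pseudonym, max_speed)
    if not cands:
        return {}, 0.0
    probs = {p: 1.0 / len(cands) for p in cands}
    return probs, privacy_entropy(probs.values())

if __name__ == "__main__":
    for speed in (1.5, 10.0):   # pedestrian vs fast vehicle
        probs, h = attacker_view(TRACE, "X", speed)
        print(f"max speed {speed} m/s: candidates {sorted(probs)}, {h:.2f} bits")
```

With a pedestrian speed only A and D remain plausible (1 bit of entropy); assuming vehicle speeds, all four users become candidates (2 bits), which is the density effect slide 33 refers to.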

  34. Maximize privacy entropy • Previous work shows the silent periods must be randomized (no detail in this paper…) • Random silent period = Td + Tr, where Td is the deterministic silent period (previous work) and Tr is random, between 0 and . So, does larger offer better privacy? Not necessarily…

  35. Case Study Mobility data of the Seattle bus system: 5-day training set and 8-hour test set

  36. Case Study Mobility data of the Seattle bus system: 5-day training set and 8-hour test set

  37. Maximize privacy entropy Choose close to but not greater than 12 minutes

  38. Balance: Location Privacy vs. Service Quality. Optimal silent period: an upper bound on the necessary silent period

  39. Control Signal Strength • Reduce location precision: the number of APs within the user’s communication range • Transmit power control (TPC): minimize the number of APs in range while ensuring at least one AP for connectivity (assumes APs do not adjust their transmit power) • TPC scheme: hold the transmit power at the lowest productive level, which also minimizes the interference imposed on others

  40. RSS-based Silent TPC • The mobile station must perform TPC silently • The only information available to the mobile station is the received signal strength (RSS) from APs within range • Challenging due to reflection, scattering, multipath fading and absorption of radio waves

  41. Asymmetry and Variations of Channels • Goal: determine the relationship between the two directions of a channel and use the path loss in one direction to infer the loss in the other direction • Two scenarios: corner of an office; open outdoor space

  42. Asymmetry of 802.11 channels RSSI readings for the two directions are strongly correlated

  43. Path loss margin (PLM) Definition: PLM is the magnitude of the maximum difference between path losses in opposite directions that result from environmental influences and wireless channel asymmetry

  44. PLM calculation

  45. PLM calculation

  46. PLM calculation From the experimental results on path asymmetry and variation above, we choose PLM: 11.3 dB for indoor, 10.5 dB for outdoor. So, PLM = 10 dB

  47. Silent TPC Design • Design goal: adjust the transmit power of the mobile station (not the AP) to reduce the number of APs in range, using only the path loss observed in the opposite direction of the path, from the in-range APs to the mobile station • The minimum signal strength reaching the AP must be greater than RS

  48. TPC vs RSSI Transmission power is controlled by configuration parameters provided by Atheros drivers

  49. Silent TPC Scheme The TPC scheme can work only when the received signal strengths of two APs differ by at least 20 dB

  50. Effectiveness of Silent TPC • More than 73% of the spots (356) have an RSS difference of more than 20 dB, and can use TPC to improve privacy
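The silent TPC procedure of slides 46 to 49, as an added example that is not the paper’s or the Atheros driver’s code: the station infers path loss from the RSS it hears, adds the 10 dB PLM so the nearest AP is reached even if the reverse path is worse, and treats a second AP as out of range only if the reverse path being PLM better would still leave it below RS, which is why the two readings must differ by 2 × PLM = 20 dB. Assumptions of this example: every AP transmits at a known fixed power, RS is the minimum signal strength the AP must receive, and the RSS readings are constructed.

```python
PLM_DB = 10.0   # path loss margin chosen on slide 46

def path_losses(rss_from_aps, ap_tx_dbm):
    """Path loss (dB) in the AP -> station direction, derived from RSS alone.
    Assumes every AP transmits at a known, fixed power `ap_tx_dbm`."""
    return {ap: ap_tx_dbm - rss for ap, rss in rss_from_aps.items()}

def aps_possibly_in_range(losses, tx_dbm, rs_dbm, plm_db=PLM_DB):
    """APs that might still decode the station: the reverse path may be up to
    PLM better than observed, so an AP is excluded only if the signal at the
    AP stays below RS even in that case."""
    return {ap for ap, loss in losses.items()
            if tx_dbm - (loss - plm_db) >= rs_dbm}

def silent_tpc(rss_from_aps, ap_tx_dbm, rs_dbm, plm_db=PLM_DB,
               min_tx_dbm=-10.0, max_tx_dbm=20.0):
    """Lowest transmit power that still guarantees reaching the nearest AP.

    rss_from_aps: {ap: RSS in dBm heard at the mobile station}
    rs_dbm: minimum signal strength the AP must receive (RS on slide 47)
    Returns (chosen tx power in dBm, APs that may still hear the station)."""
    losses = path_losses(rss_from_aps, ap_tx_dbm)
    nearest = min(losses, key=losses.get)
    # Reverse path to the nearest AP may be up to PLM worse: add the margin.
    needed = rs_dbm + losses[nearest] + plm_db
    if needed > max_tx_dbm:
        raise ValueError("connectivity cannot be guaranteed even at max power")
    tx = max(needed, min_tx_dbm)
    return tx, aps_possibly_in_range(losses, tx, rs_dbm, plm_db)

# Constructed readings: ap2 is 25 dB weaker than ap1, ap3 only 10 dB weaker.
RSS = {"ap1": -50.0, "ap2": -75.0, "ap3": -60.0}

if __name__ == "__main__":
    losses = path_losses(RSS, ap_tx_dbm=20.0)
    print("at max power:", sorted(aps_possibly_in_range(losses, 20.0, -80.0)))
    tx, in_range = silent_tpc(RSS, ap_tx_dbm=20.0, rs_dbm=-80.0)
    print(f"silent TPC picks {tx} dBm; APs possibly in range: {sorted(in_range)}")
```

At full power all three APs can hear the station; after TPC only ap1 and ap3 remain, because ap3 is within the 20 dB window and cannot be excluded silently.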
