570 likes | 700 Views
Preserving Location Privacy in Wireless LANs. Presented by Alvin Yonggang Yun April 9, 2008. CSCI 388 - Wireless and Mobile Security. Authors. Tao Jiang University of Maryland Helen J. Wang Microsoft Research Yih-Chun Hu University of Illinois Presented MobiSys’07,
E N D
Preserving Location Privacy in Wireless LANs Presented by Alvin Yonggang Yun April 9, 2008 CSCI 388 - Wireless and Mobile Security
Authors • Tao Jiang University of Maryland • Helen J. Wang Microsoft Research • Yih-Chun Hu University of Illinois Presented MobiSys’07, June 11–13, 2007, San Juan, Puerto Rico, USA
Location-based Services Location-based Networking (Always connected + Continuous services) Location-based Fitness Assistant and Shopping Assistant
Location and Location Privacy • Location Information can be obtained through direct communication with the respective entity or through indirect means such as observation and inference. • The claim/right of individuals, groups and institutions to determine for themselves, when, how and to what extent location information about them is communicated to others. • Location privacy is the ability to prevent other parties from learning one’s current or past location
Problem • Broadcast nature of wireless networks and widespread deployment of Wi-Fi hotspots makes it easy to remotely locate a user by observing wireless signals. • Location information can be used by malicious individuals for blackmail, stalking, and other privacy violations.
Balance Location Privacy Location-based Services What’s NEW? Adjustable Privacy Entropy More detail below Privacy
Paper Overview So, how to improve location privacy? Obfuscate 3 types of privacy-compromising information: • Sender identity • Time of transmission • Signal strength
Paper Overview Why? Because of 5 types of leakage of location information in the course of wireless communications: • Sender node identity • Time • Location • Receiver node identity -- resolved: MIX-net or Crowd • Content -- resolved: encryption
FOCUS • Anonymize the user or node identity with frequently changing pseudonyms: MAC address in this paper • Unlink different pseudonyms of the same user with silent periods: optimal model • Reduce the transmission range through transmit power control
Design Overview • Driven by real-system implementation and field experiments along with analysis and simulations • Privacy level available to choose, for both privacy-sensitive users and non- privacy-sensitive users. • Evaluate system based on real-life mobility data and wireless LAN coverage
Research Background • Y.-C. Hu and H. J. Wang. Location privacy in wireless networks. In Proceedings of the ACM SIGCOMM Asia Workshop, Beijing, 2005. –extension and improvement • M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: a quantitative analysis. In WMASH ’03 • L. Huang, K. Matsuura, H. Yamane, and K. Sezaki. Enhancing wireless location privacy using silent period. • C. Shannon. A mathematical theory of communication. Bell Systems Technical Journal, 27:379–423, 623–656 – Entropy ( metric of privacy level )
Related Work • Location technologies – RF-based • Application-Level Location Privacy • Network-Level Location Privacy • RF Fingerprinting
Related WorkLocation technologies • Only consider RF-based localization systems • Location accuracy achievement: Indoor --- < 1 meter in 50% time Outdoor --- 15-30 meters as median • Two phases: Training phase – “war-driving” to collect a large amount of signal data Positioning phase – compare to the radio map
Related WorkApplication-Level Location Privacy • Anonymous usage of location-based services through spatial and temporal • Design protocols and APIs that consider the privacy issues in the transfer of location information to external services • Target location information provided by applications • This paper: Privacy of location information that can be inferred from the wireless transmissions of network users
Related WorkNetwork-Level Location Privacy • Frequently changing user pseudonyms: blind signatures for anonymous communication • Silent periods • Pseudo-randomly chosen channel – assume AP operator is trusted
Related WorkNetwork-Level Location Privacy • Frequently changing user pseudonyms: blind signatures for anonymous communication – vs – Sender identity with MAC changing • Silent periods – vs – Opportunistic Silent periods • Pseudo-randomly chosen channel – vs – Reduce transmission power: less APs in range -- even AP cannot be trusted
Anonymous Communication • Bob and the Server want to prevent outsiders from knowing the fact that they are communicating - Unlinkablility • Bob wants to prevent the server from knowing its identity - Sender (Source) anonymity
Related WorkNetwork-Level Location Privacy Definition • Silent period: The time when privacy-sensitive users intentionally do not transmit, in order to reduce the effectiveness of correlation based on mobility pattern of users • Opportunistic silent period: Optimal silent period calculation methodology
Related WorkNetwork-Level Location Privacy Again… Obfuscate 3 types of privacy-compromising information: • Sender identity • Time of transmission • Signal strength
Related WorkRF Fingerprinting • Requires high speed and high resolution Analog-to-Digital Converter – Expensive to deploy • Prevented by intentionally adding strong noise • The paper can’t resolve this, important future work…
Attacker Model • Silent attackers: sniffer, do not emit any signals, only listen and localize mobile users • Exposed attackers: network providers, trustworthy? How about accidentally leak • Active attackers: adjust base station transmission power • Passive attackers: no change on base station
Measure of Privacy Given an attacker and the set of all mobile users U, let be the bservation of the attacker about the user at some location L. Given observation , the attacker computes a probability distribution P over users Entropy is the number of bits of additional information the attacker needs to definitively identify the user. Probability (%) = 1 enough information to identify the user How good we can preserve location privacy? We need to quantify… Privacy Entropy
Ways to go… • Pseudonym for sender identity • Opportunistic Silent Period for transmission time • Transmit power control for signal strength
Pseudonym • Anonymity is a prerequisite for location privacy • User must use frequently chahging pseudonyms for communications • Pseudonyms: MAC address, IP address
How to choose pseudonym? • Join Address(well known address) is used to avoid MAC conflicts • MAC Address is got from the MAC address pool • Nonce – Cryptographic nonce, a 128-bit string used only once for multiple simultaneous requests Important! Avoid address collisions Let AP assign MAC addresses to users/clients
How to choose pseudonym? Why not choose IP address? • MAC is enough, we do not need to extract and obfuscate application layer user identities • Sources cannot easily communicate with AP during IP changes ( trusted anonymous bulletin boards with cryptographic mechanisms is used )
When to change pseudonym? Opportunistic Silent Period ONLY allows address changes just before the start of a new association ( between client and AP ) H = (N) Attacker can attempt to correlate different pseudonyms with the same user. Silent period can reduce such correlations.
Opportunistic Silent Period • During silent period, a user does not send any wireless transmissions • The effectiveness of silent periods depends heavily on user density. ( higher better ) • Forced silent periods can disrupt communications. Opportunistic silent period minimizes disruption, which takes place during idle time between communications
Opportunistic Silent Period CDF of session duration from Dartmouth campus-wide WLAN trace CDF of Duration between Sessions from Dartmouth campus-wide WLAN trace Data shows opportunistic silent periods are quite suitable for WLAN:
Methodology for choosing a Silent Period • Efficacy of silent period depends on user density • Mobility pattern data consists: < time, pseudonym, location > Probability that user i is linked to the new pseudonym among the Candidate: Pi is the probability distribution used for privacy entropy
Maximize privacy entropy • Previous work shows the silent periods must be randomized( no detail in this paper… ) • Random silent period = Td + Tr Td : deterministic silent periods ( previous work ) Tr : between 0 and So, larger offers better possible privacy? Not necessary…
Case Study Mobility data of Seattle bus system 5-days training set and 8-hour test set
Case Study Mobility data of Seattle bus system 5-days training set and 8-hour test set
Maximize privacy entropy Choose close to but not greater than 12 minutes
Balance Location Privacy Service Quality Optimal silent period: upper bound on the necessary silent period Privacy
Control Signal Strength • Reduce Location Precision: number of APs within the user’s communication range • Transmit power control(TPC): minimize the number of APs in the range while ensuring at least one AP for connectivity ( assume APs do not adjust transmit power ) • TPC scheme: hold transmit power to the lowest possible productive level to minimize imposed interference
RSS-based Silent TPC • Mobile station must perform TPC silently • The only information available to mobile station is the received signal strength(RSS) from APs within range • Challenging: due to reflection, scattering, multipath fading and absorption of radio waves
Asymmetry and Variations of Channels • Goal: determine the relationship between the two directions of a channel and use the path loss in one direction to infer the loss in the other direction • Two scenarios: corner of an office open outdoor space
Asymmetry of 802.11 channels RSSI reading for both directions are strongly correlated
Path loss margin (PLM) Definition: PLM is the magnitude of the maximum difference between path losses in opposite directions that result from environmental influences and wireless channel asymmetry
PLM calculation From the experimental results on path asymmetry and variation above, we choose PLM: 11.3dB for indoor 10.5dB for outdoor So, PLM = 10 dB
Silent TPC Design • Design Goal: adjust transmit power of mobile station(no AP), to reduce the numbers of Aps in range by only using the path loss observed from the opposite direction of the path, from the in-range Aps to the mobile station • The minimum signal strength reaches AP must be greater than RS
TPC vs RSSI Transmission power is controlled by configuration parameters provided by Atheros drivers
Silent TPC Scheme TPC scheme can work only when receive signal strength of two APs differs by at least 20 dB
Effectiveness of Silent TPC • More than 73% of the sports(356) have RSS difference more than 20dB, and can use TPC to improve privacy