130 likes | 563 Views
Solutions to Security and Privacy Issues in Mobile Social Networking. Presented By Aman Sharma Naga Mohan Pokala Pratik Kathalkar University at Buffalo. Introduction. Focus on Location Aware Mobile Social network(LAMSN) systems.
E N D
Solutions to Security and Privacy Issues in Mobile Social Networking Presented By Aman Sharma Naga Mohan Pokala Pratik Kathalkar University at Buffalo
Introduction • Focus on Location Aware Mobile Social network(LAMSN) systems. • LAMSN systems provide the infrastructure to leverage social networking context within a local physical proximity using mobile smart phones. Eg.. WhozThat, Serendipity • Pay little attention to Security and Privacy concerns. • Paper identifies three classes of privacy and security problems associated: • (1) Direct anonymity issues, • (2) Indirect or K-anonymity issues, and • (3) eavesdropping, spoofing, replay, and wormhole attacks. • Present a design for a system, called the identity server • Describe implementation of the identity server
Security and Privacy Problems Direct anonymity issue • In P2P context aware mobile networking systems like WhozThat, SocialAware user info can be tracked by logging the date and time that each mobile or stationary device detects the user’s social network ID. Thus history of locations visited can be found. • Given users social network ID and this history, someone can access the public info of the user in a way the user didn’t intend leading to privacy exploitation • Hence the cleartext exchange of ID allows user’s anonymity to be easily compromised. • Also possible in client-server systems.
Security and Privacy Problems Indirect or K-anonymity issues • Even though user may not provide his identity, but using unique information pertaining to a particular user eg.. List of favorite movies, preferences etc. the user can be traced back. • When n-sets of info can be uniquely map back to a user’s identity it gives rise to K-anonymity problem. Further if a set of info can be mapped to K or fewer sets of user, anonymity is compromised to a degree k. • This needs an algo to be designed which prevents sharing of that personal information which will make it difficult to identify or trace back to the user or set of users. • Applies to both P2P and Client-Server systems.
Security and Privacy Problems Eavesdropping, spoofing, replay, Wormhole attacks • Once a user’s social network ID has been intercepted in a peer-to-peer mobile social network system, it can be used to mount a replay and spoofing attack. • In the replay attack, the compromised user’s ID is maliciously repeated, and used to perform the spoofing attack. • In wormhole attack, wireless transmissions are captured on one end of the network and replayed on another end of the network. • In a system such as WhozThator SocialAware, a malicious user could use a wormhole attack to capture a user’s ID and masquerade as that user in a different, perhaps distant, location. Similarly, social information of user can be intercepted/eavesdropped. • Generally Not major threats
Security and Privacy Solutions Design of the Identity Server and Anonymous Identifier • IS acts like a centralized trusted server, which assigns AID(anonymous identifier) to the user’s mobile device. • AID is a nonce generated using SHA-1 with a random salt value. • This AID is then shared by device(A) with other devices(B), B then sends this AID to IS to get the social information of the user on A. • When a new device(B) wants to contact A, A will again ask IS to provide AID and pass this to B. • Once the social network information for an AID has been retrieved by the IS, the IS removes this AID from the list of AIDs associated with the mobile user. • Solves all the security and privacy problems
Security and Privacy Solutions Design of the Identity Server and Anonymous Identifier • Data Persistence is provided using SimpleJPA, a Java Persistence API (JPA) implementation for Amazon’s SimpleDB. • taking advantage of Amazon’s simple, scalable, and reliable distributed database system, SimpleDB which structures all data into domains. Use of SimpleJPAand SimpleDB allows to easily launch new IS instances that all communicate with the same set of domains backed by a shared distributed database, providing for an implementation of the system that is quite scalable. • SHA-1 cryptographic hash function uses a 16-byte random salt value • FB REST API service is used by IS to obtain the social profile of the user.
Security and Privacy Solutions Design of the Identity Server and Anonymous Identifier • Implemented using J2SE, all IS services are exposed as REST services • Open Source Reslet f/w was used to implement IS • All web service network traffic between the IS and other mobile devices is encrypted using HTTPS, and access to all resources is authenticated using HTTP basic access authentication. • Each user must signup with IS prior to participation, where user submits FB-userid and choose username and password. • Username and paswd stored securely on mob device to use later in authentication. • Access to the web resource for the user’s Facebook profile information (“user A”) is provided to any authenticated user with a user account on the IS, provided that the authenticated user’s device is within an acceptable range of user A’s mobile device. See below for more information on location-based access control for a user’s Facebook profile.
Security and Privacy Solutions Design of the Identity Server and Anonymous Identifier
Conclusion • The design and implementation of the Identity Server protects the user from Direct anonymity issue and Eavesdropping, spoofing, replay, Wormhole attacks. • AID time out value is 30 seconds, Maximum acceptable range is 20 meters • Research is still going on effectiveness of this solution on Indirect or K-anonymity issues, which guarantees anonymity with the degree of 20 (with friends of 200-300 in the social network). • Still many tests needs to be done in this issue. • This solution support anonymous exchange of social network information with real world location-based systems, enabling context-aware systems that do not compromise users’ security and privacy.
Reference • Solutions to Security and Privacy Issues in Mobile Social Networking, Aaron Beach, Mike Gartrell, and Richard Han, in International Conference on Computational Science and Engineering 2009. • This PPT is based on the paper above.