research-article

Strengthening Authentication with Privacy-Preserving Location Verification of Mobile Phones

Authors:

Diego Alejandro Ortiz-Yepes,

Franz-Stefan PreissAuthors Info & Claims

WPES '15: Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society

Pages 37 - 48

https://doi.org/10.1145/2808138.2808144

Published: 12 October 2015 Publication History

Abstract

Mobile devices are increasingly used in security-sensitive contexts such as physical access control and authorization of payment transactions. In this paper we contribute a mechanism to verify whether a mobile device currently resides within a geographical area at a given time, thus enabling the use of the location as an additional authentication factor. Trustworthiness, privacy, and practicability are central to our mechanism. In particular, to provide trustworthy location information, our mechanism uses the location of the phone as detected by the Mobile Network Operator instead of relying on the location detected by the phone itself, which can be manipulated. We have followed a privacy-by-design approach to ensure that sensitive information, e.g., location and subscriber data, are only revealed to parties with a need to know. Privacy safeguards are realized using anonymous credentials, an established privacy-enhancing technology. Finally, our mechanism is practical and has little requirements on the mobile phone beyond the ability to run computations on anonymous credentials, as well as Internet and mobile network connectivity. These requirements are fulfilled by most smartphones in the market.

References

[1]

3GPP. Feasibility Study on Uplink TDOA in GSM and GPRS, June 2002.

[2]

N. G.-I. Agency. Datums, ellipsoids, grids, and grid reference systems, 2014.

[3]

Apple Inc. iOS Security. http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf, February 2014.

[4]

D. Bartlett. Essentials of positioning and location technology. Cambridge University Press, 2013.

[5]

A. Bensky. Wireless positioning. Technologies and applications. Artech House, 2008.

Digital Library

[6]

P. Bichsel, J. Camenisch, M. Dubovitskaya, R. R. Enderlein, S. Krenn, I. Krontiris, A. Lehmann, G. Neven, J. D. Nielsen, C. Paquin, F.-S. Preiss, K. Rannenberg, A. Sabouri, and M. Stausholm. Architecture for Attribute-based Credential Technologies. ABC4Trust Deliverable D2.2, 2013.

[7]

P. Bichsel, J. Camenisch, and F.-S. Preiss. A comprehensive framework enabling data-minimizing authentication. In 7th ACM Workshop on Digital Identity Management (DIM), Chicago, Illinois, USA, 2011.

Digital Library

[8]

S. Brands. Rethinking Public Key Infrastructure and Digital Certificates--Building in Privacy. PhD thesis, Eindhoven Institute of Technology, Eindhoven, The Netherlands, 1999.

[9]

J. Camenisch, M. Dubovitskaya, R. R. Enderlein, A. Lehmann, G. Neven, C. Paquin, and F.-S. Preiss. Concepts and languages for privacy-preserving attribute-based authentication. Journal of Information Security and Applications, 19(1):25--44, 2014.

Digital Library

[10]

J. Camenisch, S. Hohenberger, M. Kohlweiss, A. Lysyanskaya, and M. Meyerovich. How to win the clonewars: efficient periodic n-times anonymous authentication. In 13th ACM CCS, 2006.

Digital Library

[11]

J. Camenisch and A. Lysyanskaya. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Advances in Cryptology - EUROCRYPT'01, 2001.

Digital Library

[12]

J. Camenisch and E. Van Herreweghen. Design and implementation of the idemix anonymous credential system. In 9th ACM conference on computer and communications security (CCS), 2002.

Digital Library

[13]

B. Carbunar and R. Potharaju. You unlocked the Mt. everest badge on Foursquare! countering location fraud in geosocial networks. In IEEE 9th International Conference on Mobile Adhoc and Sensor Systems (MASS), pages 182--190. IEEE, 2012.

Digital Library

[14]

B. Carbunar, M. Rahman, N. Pissinou, and A. V. Vasilakos. A survey of privacy vulnerabilities and defenses in geosocial networks. Communications Magazine, IEEE, 51(11):114--119, 2013.

[15]

D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030--1044, October 1985.

Digital Library

[16]

D. Chaum and E. Van Heyst. Group signatures. In Advances in Cryptology - EUROCRYPT'91, pages 257--265. Springer, 1991.

Digital Library

[17]

D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard), May 2008. Updated by RFC 6818.

[18]

J.-E. Ekberg, K. Kostiainen, and N. Asokan. The untapped potential of trusted execution environments on mobile devices. Security & Privacy, IEEE, 12(4):29--37, July 2014.

[19]

T. Engel. Locating mobile phones using Signalling System#7. In 25th Chaos communication congress, 2008.

[20]

L. Faith-Cranor and S. Garfinkel, editors. Security and Usability. Designing Secure Systems that People can use. O'Reilly Media, Inc., August 2005.

[21]

S. Gambs, M.-O. Killijian, M. Roy, and M. Traoré. PROPS: A PRivacy-preserving lOcation Proof System. In 2014 IEEE 33rd International Symposium on Reliable Distributed Systems (SRDS), pages 1--10. IEEE, 2014.

Digital Library

[22]

W. He, X. Liu, and M. Ren. Location cheating: A security challenge to location-based social network services. In 31st International Conference on Distributed Computing Systems (ICDCS), pages 740--749. IEEE, 2011.

Digital Library

[23]

A. J. Kerns, D. P. Shepard, J. A. Bhatti, and T. E. Humphreys. Unmanned aircraft capture and control via GPS spoofing. Journal of Field Robotics, 31(4):617--636, 2014.

Digital Library

[24]

M. Li, H. Zhu, Z. Gao, S. Chen, L. Yu, S. Hu, and K. Ren. All your location are belong to us: Breaking mobile social networks for automated user location tracking. In Proceedings of the 15th ACM international symposium on Mobile ad hoc networking and computing, pages 43--52. ACM, 2014.

Digital Library

[25]

A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. In Selected Areas in Cryptography (SAC), pages 184--199, 1999.

Digital Library

[26]

G. Maganis, E. Shi, H. Chen, and D. Song. Opaak: using mobile phones to limit anonymous identities online. In Proceedings of the 10th international conference on Mobile systems, applications, and services, pages 295--308. ACM, 2012.

Digital Library

[27]

C. Marforio, N. Karapanos, C. Soriente, K. Kostiainen, and S. Capkun. Secure Enrollment and Practical Migration for Mobile Trusted Execution Environments. In Proceedings of the third ACM workshop on Security and privacy in smartphones and mobile devices, SPSM'13, 2013.

Digital Library

[28]

C. Marforio, N. Karapanos, C. Soriente, K. Kostiainen, and S. Capkun. Smartphones as Practical and Secure Location Verification Tokens for Payments. In Proceedings of the Network and Distributed System Security Symposium, NDSS'14, 2014.

[29]

J. Medbo, I. Siomina, A. Kangas, and J. Furuskog. Propagation channel impact on LTE positioning accuracy: A study based on real measurements of observed time difference of arrival. In IEEE 20th International Symposium on Personal, Indoor and Mobile Radio Communications, 2009.

[30]

National Geospatial-Intelligence Agency (NGA). World Geodetic System 1984. Its Definition and Relationships with Local Geodetic Systems, 2014.

[31]

D. Ortiz-Yepes. Enhancing Authentication in eBanking with NFC-Enabled Mobile Phones. Master's thesis, Technische Universiteit Eindhoven, 2008.

[32]

F. Park, C. Gangakhedkar, and P. Traynor. Leveraging Cellular Infrastructure to Improve Fraud Prevention. In Computer Security Applications Conference, 2009. ACSAC '09. Annual, pages 350--359, December 2009.

Digital Library

[33]

A. Saracino, D. Sgandurra, and D. Spagnuelo. Addressing privacy issues in location-based collaborative and distributed environments. In IEEE Conference on Collaboration Technologies and Systems (CTS), 2014.

[34]

S. Saroiu and A. Wolman. Enabling new mobile applications with location proofs. In Proceedings of the 10th workshop on Mobile Computing Systems and Applications, page 3. ACM, 2009.

Digital Library

[35]

J. P. Snyder. Map Projections -- A Working Manual, 1987.

[36]

N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, and S. Capkun. On the requirements for successful gps spoofing attacks. In Proceedings of the 18th ACM conference on Computer and communications security, pages 75--86. ACM, 2011.

Digital Library

[37]

N. O. Tippenhauer, K. B. Rasmussen, C. Pöpper, and S. Capkun. Attacks on public WLAN-based positioning systems. In Proceedings of the 7th international conference on Mobile systems, applications, and services, pages 29--40. ACM, 2009.

Digital Library

[38]

J. Willaredt. WiFi and Cell-ID based positioning-protocols, standards and solutions. SNET Project WT, 2011.

[39]

P. A. Zandbergen. Accuracy of iPhone locations: A comparison of assisted GPS, WiFi and cellular positioning. Transactions in GIS, 13(s1):5--25, 2009.

[40]

P. A. Zandbergen. Comparison of wifi positioning on two mobile devices. Journal of Location Based Services, 6(1):35--50, 2012.

[41]

F. Zhang, A. Kondoro, and S. Muftic. Location-based authentication and authorization using smart phones. In IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2012.

Digital Library

[42]

Z. Zhu and G. Cao. Toward privacy preserving and collusion resistance in a location proof updating system. IEEE Transactions on Mobile Computing, 12(1):51--64, 2013.

Digital Library

Cited By

Haque AMadathil VReaves BScafuro APöpper CVanhoef MBatina LMayrhofer R(2021)Anonymous device authorization for cellular networksProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3448300.3468285(25-36)Online publication date: 28-Jun-2021
https://dl.acm.org/doi/10.1145/3448300.3468285
Zafar FKhan AAnjum AMaple CShah M(2020)Location Proof Systems for Smart Internet of Things: Requirements, Taxonomy, and Comparative AnalysisElectronics10.3390/electronics91117769:11(1776)Online publication date: 26-Oct-2020
https://doi.org/10.3390/electronics9111776
Morales-Trujillo MGarcia-Mireles G(2018)Extending ISO/IEC 29110 Basic Profile with Privacy-by-Design Approach: A Case Study in the Health Care Sector2018 11th International Conference on the Quality of Information and Communications Technology (QUATIC)10.1109/QUATIC.2018.00018(56-64)Online publication date: Sep-2018
https://doi.org/10.1109/QUATIC.2018.00018

Index Terms

Strengthening Authentication with Privacy-Preserving Location Verification of Mobile Phones
1. Security and privacy
  1. Security services
    1. Authentication

Recommendations

Location privacy protection with a semi-honest anonymizer in information centric networking
ICN '18: Proceedings of the 5th ACM Conference on Information-Centric Networking

Location-based services, which provide services based on locations of consumers' interests, are becoming essential for our daily lives. Since the location of a consumer's interest contains private information, several studies propose location privacy ...
A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

In this paper we propose a novel approach to authentication and privacy in mobile RFID systems based on quadratic residues and in conformance to EPC Class-1 Gen-2 specifications. Recently, Chen et al. (2008) [10] and Yeh et al. (2011) [11] have both ...
Concepts and languages for privacy-preserving attribute-based authentication

Existing cryptographic realizations of privacy-friendly authentication mechanisms such as anonymous credentials, minimal disclosure tokens, self-blindable credentials, and group signatures vary largely in the features they offer and in how these ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WPES '15: Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society

October 2015

142 pages

ISBN:9781450338202

DOI:10.1145/2808138

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Nicholas Hopper
University of Minnesota, USA
,
Rob Jansen
Naval Research Laboratory, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

European Community Seventh Framework Program

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12, 2015

Colorado, Denver, USA

Acceptance Rates

WPES '15 Paper Acceptance Rate 11 of 32 submissions, 34%;

Overall Acceptance Rate 106 of 355 submissions, 30%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
369
Total Downloads

Downloads (Last 12 months)12
Downloads (Last 6 weeks)4

Reflects downloads up to 02 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Haque AMadathil VReaves BScafuro APöpper CVanhoef MBatina LMayrhofer R(2021)Anonymous device authorization for cellular networksProceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3448300.3468285(25-36)Online publication date: 28-Jun-2021
https://dl.acm.org/doi/10.1145/3448300.3468285
Zafar FKhan AAnjum AMaple CShah M(2020)Location Proof Systems for Smart Internet of Things: Requirements, Taxonomy, and Comparative AnalysisElectronics10.3390/electronics91117769:11(1776)Online publication date: 26-Oct-2020
https://doi.org/10.3390/electronics9111776
Morales-Trujillo MGarcia-Mireles G(2018)Extending ISO/IEC 29110 Basic Profile with Privacy-by-Design Approach: A Case Study in the Health Care Sector2018 11th International Conference on the Quality of Information and Communications Technology (QUATIC)10.1109/QUATIC.2018.00018(56-64)Online publication date: Sep-2018
https://doi.org/10.1109/QUATIC.2018.00018

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents