Idle time logout/ Continued work with MPC/ Tweak backend

righteousgaggle (Data Management)

31 Jan 2013 (4 years and 6 months ago)


Electrical and Computer Engineering

GeoVault: Secure Location Tracking

Comprehensive Design Review

Nathan Franz, Emily Nelson, Thomas Petr, Shanka Wijesundara

Advisor: Prof. Burleson


System Overview

(System diagram; only its labels survive extraction: GeoVault at the centre; clients Email, Cell Phone, Computer and a 3rd Party Server; Google Maps API (Map Queries); HTTPS links; Databases (Stored Location Data); Access Controls; Resolution; OAuth; Notifications; Location Data; Login Credentials.)

Feedback From MDR

- Timing: Oracle vs. PostgreSQL
- Threat Analysis
- Security as a competitive advantage

PostgreSQL

- Re-evaluated database choices
  - SQLite + SpatiaLite for self-hosted environment: extremely simple to set up
  - PostgreSQL for production environment: fast, easy to manage
- PostgreSQL is lighter-weight (faster) and provides all required features

Insert 100,000 points across the USA (average time per insert):

  MySQL 5.1         26.258 ms
  PostgreSQL 8.4     3.496 ms
  Oracle 11g       199.670 ms

GeoVault: Threat Risk

Threat: Integrity (inaccurate locations of users)
  Consequences: confusion, loss of trust, or worse (depending on application)
  Countermeasures: Encryption / Shared Secrets; Distributed Database

Threat: Confidentiality (user's location is revealed)
  Consequences: user privacy is compromised, susceptible to attack
  Countermeasures: Secret Sharing / MPC; Identity Verification; Timing Measures

Threat: Denial of Service (botnet attack; rapid checkins / logins)
  Consequences: inability to track users
  Countermeasures: Rate limiting

Threat: Authentication (spoofing, identity theft)
  Consequences: user privacy is compromised
  Countermeasures: Identity Verification; Idle time logouts; Reject delay for login

*Stallings, William. Network Security Essentials: Applications and Standards. New Jersey: Pearson Prentice Hall, 2007.

Other Systems: Threat Risk

Privacy issues per system (Assets / Vulnerabilities / Defense):

Google Latitude
  Assets: Location Data; Friends Locations
  Vulnerabilities: No Verification
  Defense: Password/login Protection; Approve Friends; Limited access settings

Foursquare
  Assets: Location Data; Location Trends; Friends Locations
  Vulnerabilities: Create home/work location
  Defense: https; Approve Friends; Limited access settings

Gowalla
  Assets: Location Data; Location Trends; Friends Locations
  Vulnerabilities: Publishes location to the entire world
  Defense: Password/login Protection; Approve Friends; No access settings

Twitter
  Assets: Location Data; What you are doing; Friends Locations
  Vulnerabilities: Uneducated users; 3rd party services
  Defense: https; OAuth; Limited access settings

Why GeoVault is More Secure

- Secure Distributed Database
- Location only available to those the user trusts [unlike: Gowalla]
- Varied resolution [unlike: Twitter, Foursquare, Google Latitude, Gowalla]
- Integrity (user cannot lie about where they are) [unlike: Google Latitude]
- Only current location displayed (no trends) [unlike: Twitter, Gowalla]

Accuracy vs Permissions

- Handling geographic resolution
  - Permissions > Accuracy
    - Contain the accuracy circle in a randomly placed permission circle
    - Take into account (for FPR): state lines, bodies of water, etc.
  - Permissions < Accuracy
    - Expand the permission radius to the accuracy radius

Accuracy vs Permissions

(Diagram with two labelled circles: Accuracy and Permissions.)
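An added Python example, not code from the slides or the GeoVault project, of the two resolution rules on the Accuracy vs Permissions slides. It assumes a flat local coordinate system in metres and ignores the state-line and water-body adjustments the slide defers to the FPR; `fuzz_location`, `contains_accuracy_circle` and `check_many` are names chosen here.

```python
import math
import random


def fuzz_location(true_x, true_y, accuracy_m, permission_m, rng=random):
    """Return (centre_x, centre_y, radius_m) of the circle shown to one viewer.

    Coordinates are metres on a local flat plane (an assumption for this example;
    the slide fixes no coordinate system, and state lines / bodies of water are
    future work). The two cases from the slide:
    - permission >= accuracy: report a circle of the permitted radius, placed at
      random so that it still contains the whole accuracy circle; the true point
      is then not simply its centre.
    - permission < accuracy: the viewer is allowed finer detail than the device
      can give, so the reported radius is widened to the accuracy radius.
    """
    if accuracy_m < 0 or permission_m < 0:
        raise ValueError("radii must be non-negative")
    if permission_m < accuracy_m:
        return true_x, true_y, accuracy_m
    slack = permission_m - accuracy_m      # how far the centre may move and still contain it
    d = slack * math.sqrt(rng.random())    # sqrt: uniform over the disc's area, not its radius
    theta = rng.random() * 2 * math.pi
    return true_x + d * math.cos(theta), true_y + d * math.sin(theta), permission_m


def contains_accuracy_circle(true_x, true_y, accuracy_m, cx, cy, radius_m):
    """The invariant fuzzing must keep: the accuracy circle lies inside the reported circle."""
    return math.hypot(cx - true_x, cy - true_y) + accuracy_m <= radius_m + 1e-9


def check_many(accuracy_m, permission_m, n=200, seed=7):
    """Draw n fuzzed circles for a point at the origin and return
    (every draw contained the accuracy circle, largest centre offset seen)."""
    rng = random.Random(seed)
    all_contained, worst = True, 0.0
    for _ in range(n):
        cx, cy, r = fuzz_location(0.0, 0.0, accuracy_m, permission_m, rng)
        all_contained = all_contained and contains_accuracy_circle(0.0, 0.0, accuracy_m, cx, cy, r)
        worst = max(worst, math.hypot(cx, cy))
    return all_contained, worst
```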

OAuth

(Sequence diagram between GeoVault, Twitter and the Client:)
  1. Get request token
  2. Send request token
  3. Redirect to Twitter
  4. Sign in and ask for GeoVault access
  5. Exchange for access token
  6. Get access token

Grant 3rd party access to user information without sharing access permissions or the full extent of the data.
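An added Python example, not code from the slides or the GeoVault project, that walks through the six numbered steps above as a token state machine. It assumes GeoVault is the OAuth consumer and Twitter the provider (the reading suggested by steps 3 and 4) and models only the token handling, not OAuth 1.0a request signing; `Provider` and `run_flow` are names chosen here.

```python
import secrets


class Provider:
    """Toy OAuth 1.0a-style provider (Twitter's role on the slide): token state machine only."""

    def __init__(self, consumers, users):
        self.consumers = consumers  # registered consumer keys (GeoVault's among them)
        self.users = users          # username -> password, held only by the provider
        self.request_tokens = {}    # token -> {"consumer", "verifier", "user"}
        self.access_tokens = {}     # token -> {"consumer", "user"}

    def get_request_token(self, consumer_key):  # steps 1-2
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "verifier": None, "user": None}
        return token

    def authorize(self, request_token, username, password):  # step 4, in the user's own browser
        rt = self.request_tokens.get(request_token)
        if rt is None or rt["verifier"] is not None:
            raise PermissionError("bad or already-authorized request token")
        if self.users.get(username) != password:  # checked here, never by the consumer
            raise PermissionError("bad credentials")
        rt["user"], rt["verifier"] = username, secrets.token_hex(4)
        return rt["verifier"]  # carried back to the consumer by the redirect

    def exchange(self, consumer_key, request_token, verifier):  # steps 5-6
        rt = self.request_tokens.get(request_token)
        if (rt is None or rt["consumer"] != consumer_key or rt["verifier"] is None
                or not secrets.compare_digest(rt["verifier"], verifier)):
            raise PermissionError("exchange rejected")
        del self.request_tokens[request_token]  # a request token is exchanged once
        token = secrets.token_hex(8)
        self.access_tokens[token] = {"consumer": consumer_key, "user": rt["user"]}
        return token

    def whoami(self, consumer_key, access_token):
        at = self.access_tokens.get(access_token)
        if at is None or at["consumer"] != consumer_key:  # bound to the consumer that got it
            raise PermissionError("token not valid for this consumer")
        return at["user"]  # all the consumer learns: the identity the user granted


def run_flow(provider, consumer_key, user_browser):
    """GeoVault's side of the six steps; user_browser is the user's session at the provider."""
    request_token = provider.get_request_token(consumer_key)  # 1, 2
    verifier = user_browser(request_token)  # 3, 4: redirect, user signs in at the provider
    return provider.exchange(consumer_key, request_token, verifier)  # 5, 6
```

The consumer function never receives the user's password; it only ever holds tokens, and a token obtained by one consumer key is refused to any other.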

Distributed Database

- Securely and robustly store location data
- Prevents a single point of failure
- Secret sharing is a form of encryption

(Diagram: GeoVault connected to six Nodes.)

Shamir’s Secret Sharing Scheme

f(x) = 94x^2 + 166x + 1234

Shares (x, f(x)):
  (1, f(1)) = (1, 1494)
  (2, f(2)) = (2, 1942)
  (3, f(3)) = (3, 2578)
  (4, f(4)) = (4, 3402)
  (5, f(5)) = (5, 4414)

(Diagram: GeoVault hands one share to each node; Node 1 holds (1, 1494), Node 2 (2, 1942), Node 3 (3, 2578), Node 4 (4, 3402), Node 5 (5, 4414).)
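An added Python example, not the project's code, that recomputes the slide's shares and recovers the secret 1234 from any three of the five nodes by Lagrange interpolation. It works modulo a large prime `P` (an assumption made here; the slide evaluates f(x) over the plain integers, and the share values coincide because every value on the slide is far below P).

```python
import secrets

# Field modulus. The slide evaluates f(x) over the plain integers; this example works
# mod P (the secure form), and because every value on the slide is far below P the
# share values are identical. (P is an assumption for this example, not the project's.)
P = 2**61 - 1


def eval_poly(coeffs, x):
    """Evaluate a polynomial given by coefficients (constant term first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % P
    return acc


def make_shares(secret, threshold, n_shares):
    """Split secret into n_shares points (x, f(x)), x = 1..n_shares, on a random
    polynomial of degree threshold-1 with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P). Correct only with at least
    `threshold` distinct shares; fewer shares give an unrelated value, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % P          # factor (0 - xj)
                den = (den * (xi - xj)) % P    # factor (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


# The slide's shares: f(x) = 94x^2 + 166x + 1234, threshold 3, one share per node
SLIDE_SHARES = [(1, 1494), (2, 1942), (3, 2578), (4, 3402), (5, 4414)]

if __name__ == "__main__":
    print(reconstruct(SLIDE_SHARES[:3]))                       # any 3 nodes recover 1234
    print(reconstruct([SLIDE_SHARES[i] for i in (1, 3, 4)]))   # 1234 again
    print(reconstruct(SLIDE_SHARES[:2]))                       # 2 nodes: 1046, not the secret
```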

Demo


Milestones

Oct 26  PDR: Specifications complete
Nov 9   Smart phone web client functional prototype
Dec 2   MDR: Database configured / example of multiparty computation
Dec 21  Platform complete / server security / OAuth
Jan 4   Web clients complete / security for hijacked devices (timing)
Jan 11  Platform input / output plugins complete
Jan 25  Bugfixes, performance testing
Feb 11  CDR: Demo / show security and weakness in other systems / threat analysis
Mar 31  Political boundaries / idle time logout / continued work with MPC / tweak backend / polish interface
Apr 5   FPR: Project complete

Technical Roles

Tom (CSE)
  Past tasks: Backend / MPC / Secret Sharing
  Future tasks: Secret Sharing

Nate (EE)
  Past tasks: OAuth / Authentication Middleware
  Future tasks: Authentication Middleware

Shanka (EE)
  Past tasks: Backend / Django
  Future tasks: Access Controls

Emily (CSE)
  Past tasks: Frontend / Threat Analysis
  Future tasks: Adding Political Boundaries

Thank You

Questions?