Safety and Privacy in Mobile Services

Qianhong Wu, Agusti Solanas and Josep Domingo-Ferrer
{qianhong.wu, agusti.solanas, josep.domingo}@urv.cat
Universitat Rovira i Virgili, Catalonia

Page 2

Outlines

• Safety and Privacy in
  – Vehicular ad hoc networks (VANETs)
  – Location based services (LBSs)
  – RFID

Page 3

Introduction to VANETs

• The IEEE 802.11p task group
  – Dedicated Short Range Communications (DSRC)
  – Support communications for vehicles and roadside infrastructure
• Car manufacturers and telecommunication industries
  – Gear up to equip each car with devices known as On-Board Units (OBUs)
• The European Union
  – A batch of projects to give cars the ability to communicate wirelessly with the road and among themselves. Those developing car- and road-communications systems will begin testing their wares at six sites in Europe. Experts expect the technologies to begin commercial deployment as soon as 2011.
  – http://www.spectrum.ieee.org/oct08/6792

Page 4

Introduction to VANETs

• The motivation of VANETs is to improve
  – Public safety
  – Traffic efficiency
  – Driver assistance
  – Transportation regulation
• The preconditions include
  – The messages from vehicles are trustworthy
  – The vehicles are cooperative
  – No malicious deviation

Page 5

Security concerns in VANETs

• Safety concerns: compromise the trustworthiness of communications
  – Produce false messages
  – Generate messages by impersonation
  – Tamper with messages
  – Jeopardize VANETs by message flooding (not further considered here)
• Privacy concerns
  – Identity privacy
  – Driving profile
  – Location privacy
  – Link location and identity

Page 6

Countermeasures for securing VANETs

• A posteriori countermeasures
  – Punitive action against vehicles that have been proven to have originated fraudulent messages
  – We must have means to identify malicious vehicles in order to take punitive actions
• Privacy is usually provided in existing solutions
  – A pseudonym mechanism
  – Group signature
  – A trusted third party can open the identities of dishonest vehicles

Page 7

Countermeasures for securing VANETs

• A priori countermeasures
  – Prevent the generation of fraudulent messages
  – A message is trusted if it is endorsed by many vehicles
  – Assume most vehicles are honest
• Privacy is rarely provided in existing solutions
  – Messages from different vehicles must be distinguishable
  – This may imply anonymity is difficult
  – Some schemes adopt a special technique to achieve anonymity, but then anonymity cannot be revoked

Page 8

On existing privacy-preserving VANET solutions

• A posteriori countermeasures alone are not sufficient
  – Taking strict punitive action can exclude some rational attacks
  – Taking strict punitive action cannot prevent damages
  – Taking strict punitive action cannot prevent irrational attacks

Page 9

On existing privacy-preserving VANET solutions

• Existing solutions with a posteriori countermeasures use assumptions that are too strong
  – There is a majority of honest vehicles in any case
    What happens at a site where organized criminals are present?
  – There is a universally suitable threshold
    How to find such a universally suitable threshold? Does the threshold depend on vehicle density? Does it depend on message significance? Does it depend on message urgency? …

Page 10

On existing privacy-preserving VANET solutions

• Privacy is not very compatible with existing solutions
  – Some schemes do not provide good privacy: the driving pattern can be extracted
  – The Sybil attack is possible for schemes with anonymity
  – Generating fraudulent messages is possible for privacy-preserving schemes without revocability

Page 11

Towards a combination of a priori and a posteriori countermeasures

• Security goals of the new design
  – Flexible threshold authentication
    A vehicle can verify whether a received message has been endorsed by at least t vehicles
    The threshold t can dynamically change according to the VANET context
  – Privacy preserving: an attacker cannot trace vehicles generating messages
  – Identity revocability: trusted parties can trace vehicles generating fraudulent messages

Page 12

Our new privacy-preserving VANET solution

• Message m is trusted if endorsed by t_m vehicles
  – t_m is changeable according to m
  – Tampered messages can be identified (a priori countermeasures)
• Privacy is provided: the message generator is anonymous
• A third party can trace the message generators
  – Vehicles producing fraudulent messages can be punished (a posteriori countermeasures)
• Fast message verification techniques are provided to improve efficiency
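As an added illustration of the combined design on slides 11 and 12 (this code is not from the talk or from the authors' scheme), the following Python sketch models three of its properties: a per-message threshold t_m that adapts to the local vehicle density, endorsements that are valid only for the exact message that was endorsed, and a trusted authority that can open a pseudonym and revoke the vehicle behind it. HMAC under per-pseudonym keys stands in for the group or threshold signatures a real scheme would use, so here verification goes through the authority instead of being public; the message kinds, base thresholds and density rule are constructed placeholders. The sketch counts distinct pseudonyms, so a vehicle holding several pseudonyms could still inflate the count; that is the Sybil problem the talk points at, which the real design has to solve cryptographically and this toy does not.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed base thresholds per message kind; placeholders for the talk's t_m.
BASE_THRESHOLD = {"accident": 3, "traffic_jam": 5, "ice_on_road": 2}


def required_endorsements(kind, nearby_vehicles):
    """t_m for a message kind, adapted to the local vehicle density.

    An urgent warning on an empty road cannot wait for five witnesses, so the
    threshold is capped at half the vehicles in range, but never below 1.
    """
    return max(1, min(BASE_THRESHOLD[kind], nearby_vehicles // 2))


@dataclass(frozen=True)
class Endorsement:
    pseudonym: str   # what other vehicles see; the real identity stays hidden
    tag: bytes       # MAC over the endorsed message under the pseudonym's key


class TrustedAuthority:
    """Issues pseudonyms and can open them (identity revocability)."""

    def __init__(self):
        self._key_of = {}     # pseudonym -> MAC key
        self._owner_of = {}   # pseudonym -> real vehicle id (the opening secret)
        self._revoked = set()

    def enroll(self, vehicle_id):
        pseudonym = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._key_of[pseudonym] = key
        self._owner_of[pseudonym] = vehicle_id
        return pseudonym, key

    def endorsement_is_valid(self, message, e):
        key = self._key_of.get(e.pseudonym)
        if key is None or self._owner_of[e.pseudonym] in self._revoked:
            return False
        expected = hmac.new(key, message.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, e.tag)

    def open(self, pseudonym):
        """A posteriori step: reveal which vehicle stands behind a pseudonym."""
        return self._owner_of[pseudonym]

    def revoke(self, vehicle_id):
        self._revoked.add(vehicle_id)


def endorse(message, pseudonym, key):
    return Endorsement(pseudonym, hmac.new(key, message.encode(), hashlib.sha256).digest())


def count_valid_endorsers(ta, message, endorsements):
    """Count distinct pseudonyms with a valid endorsement of exactly this message;
    replays of one endorsement count once (the distinguishability slide 7 asks for)."""
    seen = set()
    for e in endorsements:
        if e.pseudonym not in seen and ta.endorsement_is_valid(message, e):
            seen.add(e.pseudonym)
    return len(seen)


def message_is_trusted(ta, kind, message, endorsements, nearby_vehicles):
    """A priori check: accept m only if at least t_m distinct valid endorsers back it."""
    return count_valid_endorsers(ta, message, endorsements) >= required_endorsements(kind, nearby_vehicles)


def demo():
    ta = TrustedAuthority()
    creds = [ta.enroll(f"vehicle-{i}") for i in range(4)]   # constructed fleet
    msg = "accident at km 42, lane 1"
    ends = [endorse(msg, p, k) for p, k in creds[:3]]
    trusted = message_is_trusted(ta, "accident", msg, ends, nearby_vehicles=20)
    # A tampered copy of the message carries no valid endorsement at all.
    tampered = message_is_trusted(ta, "accident", msg + " (all lanes)", ends, 20)
    # Replaying one endorsement three times does not reach the threshold.
    replayed = message_is_trusted(ta, "accident", msg, [ends[0]] * 3, 20)
    # A posteriori: suppose the first endorser is later proven fraudulent.
    culprit = ta.open(ends[0].pseudonym)
    ta.revoke(culprit)
    after_revocation = count_valid_endorsers(ta, msg, ends)
    return trusted, tampered, replayed, culprit, after_revocation
```

`demo()` returns `(True, False, False, "vehicle-0", 2)`: the message is accepted with three endorsers, the tampered and replayed variants are rejected, and after the authority opens and revokes the first endorser only two endorsements remain valid.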

Page 13

Introduction to LBSs

• A certain service that is offered to the users based on their locations
• A convergence of technologies
• Popular examples
  – Providing nearby points of interest based on the real-time location of the mobile user
  – Advice on current conditions such as traffic and weather
  – Personalized dating services
  – Personalized delivery
  – Location-aware and context-sensitive advertising based on mobile user profiles and preferences
  – Providing routing and tracking information

Page 14

Privacy Threats in LBSs

• LBSs provide great convenience and flexibility for users
• To obtain a service, the user submits her (identity, location, query) to the service provider
• A malicious provider, or an attacker compromising the provider's database, can track users anytime and anywhere
• A malicious user can track other users

Page 15

Countermeasures in LBSs

• Privacy policy based approach
• Pseudonym approach
• k-Anonymity
  – An anonymizer cloaks each user with k-1 other users into a less accurate location
• Cryptographic approach: private information retrieval

Page 16

Privacy risks in existing privacy-preserving LBSs

• Too strong trust assumptions
  – The policy based solution assumes that the provider is willing and able to protect the user's privacy
  – In the TTP-based k-anonymity solution, the trust moves from the provider to the anonymizer
  – In the P2P based k-anonymity solution, each user has to fully trust the other users in an ad hoc group

Page 17

Privacy risks in existing privacy-preserving LBSs

• Privacy risks from the attacker's a priori knowledge: a mini example
  – Users: Alice, Bob, Carl; Provider: Devil; Anonymizer: Trustee
  – Request: (Fakename1, Fakename2, Fakename3; Cloaked region; Where is the closest restaurant? Where is the closest pharmacy? Where is the closest bus stop?)

Page 18

Privacy risks in existing privacy-preserving LBSs

• Privacy risks from the attacker's a priori knowledge: a mini example
  – Points of interest in the cloaked region: one women's hospital, one gymnasium, one funeral parlor and one restaurant
  – A priori knowledge: Alice is a girl. Bob is a sportsman. Carl is a man.
  – Infer:
    Alice is now in the women's hospital and will go to a pharmacy
    Bob is now in the gymnasium and may go to the restaurant in that cloaked region
    Carl is now in the restaurant and leaving for a bus stop
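The following added Python example (not code from the talk or from the authors' solution) implements the k-anonymity cloaking of slide 15, an anonymizer that bounds k users into one region and batches their queries under fake names, and then applies the a priori knowledge check from the mini example on slides 17 and 18: a user whose background profile matches exactly one point of interest inside the cloaked region is placed at that POI despite the cloaking, so a careful anonymizer would refuse to release such a request. User positions, queries, the POIs in the region and the background profiles are all constructed inputs, and the profile-to-POI sets are a deliberately simple model of what the provider may know.

```python
import math

# Constructed user positions in map units.
USERS = {
    "Alice": (1.0, 1.0),
    "Bob": (1.5, 1.2),
    "Carl": (1.2, 1.8),
    "Dana": (8.0, 8.0),
    "Eve": (8.4, 7.6),
}

# Constructed queries, one per user, following the mini example.
QUERIES = {
    "Alice": "Where is the closest pharmacy?",
    "Bob": "Where is the closest restaurant?",
    "Carl": "Where is the closest bus stop?",
    "Dana": "Where is the closest cinema?",
    "Eve": "Where is the closest bank?",
}

# Constructed POIs inside the cloaked region and constructed attacker knowledge:
# the kinds of POI each person plausibly visits.
POIS_IN_REGION = {"women's hospital", "gymnasium", "funeral parlor", "restaurant"}
BACKGROUND = {
    "Alice": {"women's hospital", "pharmacy"},
    "Bob": {"gymnasium", "restaurant"},
    "Carl": {"restaurant", "funeral parlor"},
}


def k_nearest(users, who, k):
    """The user herself plus the k-1 users closest to her."""
    here = users[who]
    return sorted(users, key=lambda name: math.dist(users[name], here))[:k]


def cloak(users, who, k):
    """Bounding box over the k users: the 'less accurate location' of slide 15."""
    group = k_nearest(users, who, k)
    xs = [users[n][0] for n in group]
    ys = [users[n][1] for n in group]
    return (min(xs), min(ys), max(xs), max(ys))


def anonymized_request(users, queries, who, k):
    """What the anonymizer sends the provider: fake names, one region and the
    k queries with the name-to-query order removed."""
    group = k_nearest(users, who, k)
    fakenames = [f"Fakename{i + 1}" for i in range(len(group))]
    batch = sorted(queries[n] for n in group)
    return {"names": fakenames, "region": cloak(users, who, k), "queries": batch}


def exposed_by_background(group, pois_in_region, background):
    """Users whose a priori profile fits exactly one POI in the region can be
    placed at that POI by the provider, whatever the cloaking did."""
    exposed = {}
    for name in group:
        plausible = background.get(name, set()) & pois_in_region
        if len(plausible) == 1:
            exposed[name] = next(iter(plausible))
    return exposed


def safe_to_release(group, pois_in_region, background):
    """Check an anonymizer can run before sending the batch: refuse the request
    when background knowledge pins any group member to a single POI."""
    return not exposed_by_background(group, pois_in_region, background)
```

With the constructed data, `cloak(USERS, "Alice", 3)` returns the box `(1.0, 1.0, 1.5, 1.8)` around Alice, Bob and Carl, and `exposed_by_background` reports Alice at the women's hospital because her profile matches only that POI inside the region, so `safe_to_release` is false for this group: the cloaking alone does not protect her against the provider's prior knowledge.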

Page 19

Privacy risks in existing privacy-preserving LBSs

• Privacy risks from the privacy-preserving techniques themselves
  – Location cloaking in k-anonymity: the cloaked location is larger, so more answers are returned, including more information than requested => privacy risks for the provider and other users
  – PIR: same situation as above
• Larger k, more privacy?
  – Choosing a larger k => caring more about privacy => revealing identity information of the user?
  – Larger k => more people in the cloaked region => a better chance for a terrorist to produce more fear?
  – Smaller k => a better chance for a robber not being witnessed?

Page 20

Our new privacy-preserving LBS solution

It achieves the following:
• Full anonymity: k cloaked location-query pairs such that
  – An attacker cannot physically monitor two POIs in the cloaked location
  – Cloaked queries do not provide useful information for the provider
  – The effects of the provider's a priori knowledge are minimized
• A user can only learn the requested answer: the privacy of the provider is considered
• No requirement to modify the underlying LBS database organization or its query processing procedure
• Reasonable performance

Page 21

RFIDs

• RFID technology is evolving fast
• The number of RFID tags is rapidly growing
• There is a need for scalable protocols
  – Manage thousands of tags simultaneously
  – And securely

Page 22

Hash-locks approach

• The RFID reader must store a growing number of tag IDs.
• This approach does not scale properly

Page 23

Collaboration-based solution

• Readers cooperate to distribute the tag IDs so that the whole system can correctly scale with the number of tags.
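To make the scaling argument of the last two slides concrete, here is an added Python model (not the authors' protocol or code) of randomized hash-lock identification, where a tag answers with a fresh nonce r and h(ID || r) and a reader can only identify it by hashing every stored ID, beside a simplified collaboration-based variant in which each reader keeps the IDs of the tags in its own area and, on a local miss, asks its neighbouring readers and takes the ID over. The tag IDs, the ring of readers and the hand-over rule are constructed for the demo; the distributed architecture the talk refers to differs in its details. The hash-operation counters show the cost difference the slides describe.

```python
import hashlib
import secrets


def h(data):
    return hashlib.sha256(data).digest()


class Tag:
    """Randomized hash-lock tag: answers with a fresh nonce r and h(ID || r), so
    two reads of the same tag are unlinkable to anyone who does not know the ID."""

    def __init__(self, tag_id):
        self._id = tag_id

    def respond(self):
        r = secrets.token_bytes(16)
        return r, h(self._id + r)


class Reader:
    def __init__(self, name):
        self.name = name
        self.known_ids = []    # tag IDs this reader currently keeps
        self.neighbours = []   # readers it collaborates with
        self.hash_ops = 0      # cost counter: one hash per candidate ID tried

    def search(self, r, y):
        """Brute-force the stored IDs: the only way to identify a hash-lock response."""
        for tag_id in self.known_ids:
            self.hash_ops += 1
            if h(tag_id + r) == y:
                return tag_id
        return None

    def identify(self, r, y):
        tag_id = self.search(r, y)
        if tag_id is not None:
            return tag_id
        # Collaboration: on a local miss, ask the neighbouring readers; if one of
        # them knows the tag, hand its ID over because the tag has moved here.
        for nb in self.neighbours:
            tag_id = nb.search(r, y)
            if tag_id is not None:
                nb.known_ids.remove(tag_id)
                self.known_ids.append(tag_id)
                return tag_id
        return None


def compare_scaling(n_tags=1000, n_readers=10):
    tag_ids = [i.to_bytes(4, "big") for i in range(n_tags)]   # constructed IDs
    tags = [Tag(t) for t in tag_ids]

    # One reader holding every ID: the worst case hashes all n_tags candidates.
    central = Reader("central")
    central.known_ids = list(tag_ids)
    r, y = tags[-1].respond()
    assert central.identify(r, y) == tag_ids[-1]
    central_cost = central.hash_ops

    # Collaborating readers, each holding the IDs of the tags in its own area,
    # arranged in a ring so that every reader has two neighbours.
    readers = [Reader(f"R{i}") for i in range(n_readers)]
    per_reader = n_tags // n_readers
    for i, rd in enumerate(readers):
        rd.known_ids = tag_ids[i * per_reader:(i + 1) * per_reader]
        rd.neighbours = [readers[(i - 1) % n_readers], readers[(i + 1) % n_readers]]
    last_in_r0 = per_reader - 1
    r, y = tags[last_in_r0].respond()
    assert readers[0].identify(r, y) == tag_ids[last_in_r0]
    local_cost = readers[0].hash_ops

    # The same tag now shows up at R1: a local miss plus one neighbour search.
    for rd in readers:
        rd.hash_ops = 0
    r, y = tags[last_in_r0].respond()
    assert readers[1].identify(r, y) == tag_ids[last_in_r0]
    handover_cost = sum(rd.hash_ops for rd in readers)
    moved = tag_ids[last_in_r0] in readers[1].known_ids

    return {"central": central_cost, "local": local_cost,
            "handover": handover_cost, "moved": moved}
```

With the defaults, `compare_scaling()` reports 1000 hash operations for the single reader against 100 for a local identification in the collaborative setting and 200 for a hand-over between neighbours, and the tag's ID has moved to the reader that now sees it; the per-reader cost grows with the tags in one area rather than with the whole population.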

Page 24

Main references

[RPH06] M. Raya, P. Papadimitratos and J.-P. Hubaux. Securing vehicular communications. IEEE Wireless Communications Magazine, vol. 13, no. 5, pp. 8-15, 2006.

[RPAJ07] M. Raya, P. Papadimitratos, I. Aad, D. Jungels and J.-P. Hubaux. Eviction of misbehaving and faulty nodes in vehicular networks. IEEE Journal on Selected Areas in Communications, vol. 25, no. 8, pp. 1557-1568, 2007.

[LSHS07] X. Lin, X. Sun, P.-H. Ho and X. Shen. GSIS: A secure and privacy preserving protocol for vehicular communications. IEEE Transactions on Vehicular Technology, vol. 56, no. 6, pp. 3442-3456, 2007.

[GGS04] P. Golle, D. Greene and J. Staddon. Detecting and correcting malicious data in VANETs. In Proceedings of the 1st ACM international workshop on Vehicular Ad Hoc Networks, pp. 29-37, 2004.

[PP05] B. Parno and A. Perrig. Challenges in securing vehicular networks. In Proceedings of the ACM Workshop on Hot Topics in Networks, 2005.

Page 25

Main references

[RAH06] M. Raya, A. Aziz and J.-P. Hubaux. Efficient secure aggregation in VANETs. In Proceedings of the 3rd International Workshop on Vehicular Ad hoc Networks - VANET 06, pp. 67-75, 2006.

[DDSV08] V. Daza, J. Domingo-Ferrer, F. Sebe and A. Viejo. Trustworthy privacy preserving car-generated announcements in vehicular ad hoc networks. IEEE Transactions on Vehicular Technology, Accepted, July 2008.

[WD08] Q. Wu, J. Domingo-Ferrer and U. Gonzalez. Trustworthiness, Safety and Privacy in Vehicle-to-Vehicle Communications. Manuscript in preparation, 2008.

[DW08] J. Domingo-Ferrer and Q. Wu. Invited talk: Safety and Privacy in Vehicular Communications. PiLBA'08, pp. 6-11. To appear in LNCS, Springer-Verlag, 2008.

[WD08] Q. Wu, A. Solanas, J. Castella-Roca, J. Domingo-Ferrer. Formal Privacy in Location Based Services: Beyond k-Anonymity. Manuscript in preparation, 2008.

Page 26

Main references

[SAV08] H. Shin, V. Atluri, J. Vaidya. A Profile Anonymization Model for Privacy in a Personalized Location Based Service Environment. The Ninth International Conference on Mobile Data Management, pp. 73-80. IEEE Computer Society, 2008.

[SM08] A. Solanas and A. Martínez-Ballesté, "A TTP-Free Protocol for Location Privacy in Location-Based Services". Computer Communications . Vol. 31, pp. 1181-1191. Apr 2008. ISSN: 0140-3664.

[GL08] B. Gedik and L. Liu. Protecting location privacy with personalized k-anonymity: architecture and algorithms. IEEE Transactions on Mobile Computing, vol. 7, no. 1, pp. 1-18, 2008.

[SMDD07] A. Solanas, A. Martínez-Ballesté, J. Domingo-Ferrer, and V. Daza. A distributed architecture for scalable private RFID tag identification. Computer Networks, 51(9):2268 – 2279, June 2007. (1) Advances in Smart Cards and (2) Topics in Wireless Broadband Systems. Elsevier. ISSN: 1389-1286.

Page 27

Main references

[SC08] A. Solanas and J. Castellà-Roca. RFID technology for the health care sector. Recent Patents on Electrical Engineering, 1(1):22-31, January 2008. Bentham Science Publishers. ISSN: 1874-4761. Inaugural Issue.

[SM08] A. Solanas and J. Manjón. RFID Security: Techniques, Protocols and System-On-Chip Design (Paris Kitsos and Yan Zhang (ed.)), chapter: RFID Readers Deployment for Scalable Identification of Private Tags. 2008. Springer-Verlag. ISBN: 978-0-38776-480-1.
