Location leakage in distance bounding: Why location privacy does not work
Artikel i vetenskaplig tidskrift, 2014

In many cases, we can only have access to a service by proving we are sufficiently close to a particular location (e.g. in automobile or building access control). In these cases, proximity can be guaranteed through signal attenuation. However, by using additional transmitters an attacker can relay signals between the prover and the verifier. Distance-bounding protocols are the main countermeasure against such attacks; however, such protocols may leak information regarding the location of the prover and/or the verifier who run the distance-bounding protocol. In this paper, we consider a formal model for location privacy in the context of distance-bounding. In particular, our contributions are threefold: we first define a security game for location privacy in distance bounding; secondly, we define an adversarial model for this game, with two adversary classes; finally, we assess the feasibility of attaining location privacy for distance-bounding protocols. Concretely, we prove that for protocols with a beginning or a termination, it is theoretically impossible to achieve location privacy for either of the two adversary classes, in the sense that there always exists a polynomially-bounded adversary winning the security game. However, for so-called limited adversaries, who cannot see the location of arbitrary provers, carefully chosen parameters do, in practice, enable computational location privacy.

Location privacy

Distance-bounting

Authentication

Location indistinguishability

Relay attacks

Författare

Aikaterini Mitrokotsa

Chalmers, Data- och informationsteknik, Nätverk och system

C. Onete

Université de Rennes 1

S. Vaudenay

Computers and Security

0167-4048 (ISSN)

Vol. 45 199-209

Ämneskategorier

Systemvetenskap

DOI

10.1016/j.cose.2014.06.001

Mer information

Senast uppdaterat

2018-12-07