Transcript FPR Slides

GeoVault: Secure Location Tracking
Final Project Review
Nathan Franz
Emily Nelson
Thomas Petr
Shanka Wijesundara
Electrical and Computer Engineering
System Overview
[Figure: system diagram. Labels: Cell Phone, Computer, GeoVault Server, Database (x3), 3rd Party, Google Maps API, Email, Map Queries, Notifications, Location Data (HTTPS), Stored Location Data, Resolution, Access Controls, Login, Credentials, OAuth.]
System Overview
• Location data is transmitted from either a cell phone or a
computer to the GeoVault Server.
• The server is where the resolution and access settings are
stored and can be applied to the updated location.
• The location is transmitted from the server to the
distributed database and then to the specific node by
secret sharing.
• The data can also be transmitted from the server to a third
party via OAuth.
• Emails are sent from the server to the user.
• The user's device directly interfaces with the Google Maps
API to display their location on a map.
Feedback From CDR
• Network was complicated
– Lots of secret sharing
• Trying to cover military and civilian has too many conflicts
• Demo should include threats
• Limitations in existing system
Timing of Secret Sharing
• Not as fast as other encryption methods
– Chosen because of its threshold scheme.
Threshold   Time (us)
3           135
4           212
5           308
6           423
7           549
8           693
9           858
10          1054
Political Boundaries
• Used U.S. Census Data
• Region selected by most overlapping area of accuracy circle
• Able to see down to
– Country
– State
– County (Massachusetts only for now)
– Town (Massachusetts only for now)
OAuth
• Tokens are used to grant a third party website temporary
access to GeoVault.
• They regulate
– What the third party has access to
– How long they have access
[Figure: GeoVault and Twitter. Labels: Location Data, OAuth.]
Motivation for Attacks
• Impersonation
– Fool others into thinking a user is in a different location
– Fool that user's followers
• Snooping
– Obtaining information to blackmail/gain competitive advantage
– Tracking trends for marketing purposes
– Spouses spying on each other
• Denial of Service
– Denying service to GeoVault to encourage user to go to a similar website
• CSRF
– Trick user to update their location
– Update their website unknowingly, increase network traffic and thus advertising prices will go up
Attacks & Countermeasures
• Snooping
– Encryption
– Distributed Database
– Secret Sharing
– Idle Timeouts
– Difficult to statistically determine position
• Impersonation
– Idle Timeout Delays
– Unrealistic Travel Check
• CSRF
– Session Id number check
• Man in the Middle
– HTTPS
• Denial of Service
– CAPTCHAs
– Failed login attempt delay
Demo
Division of Labor
• Emily (CSE): Frontend Implementation, Threat Modeling, Documentation
• Tom (CSE): Multiparty Computation, Django, Backend Implementation, Project Manager, OAuth
• Nate (EE): HTML5, CAPTCHAs, Idle Timeouts, Failed Login Delay, Update Delay, OAuth
• Shanka (EE): Django, Backend Implementation, Political Boundaries, CSRF
Thank you!
Snooping
[Figure labels: Database (x3), Idle Timeouts, Secret Sharing, Passwords, Distributed Database, Encryption.]
Impersonation
• Idle Timeouts
• Passwords
• Unrealistic Travel Check
DDOS
• CAPTCHAs
• Failed Login Attempt Delay
• Update Delay
Cross Site Request Forgery Protection
[Figure labels: GeoVault, Session ID Verification, Malicious Website.]
Man in the Middle Attack
HTTPS