Transcript FPR Slides
GeoVault:
Secure Location Tracking
Final Project Review
Nathan Franz
Emily Nelson
Thomas Petr
Shanka Wijesundara
Electrical and Computer Engineering
System Overview
Map
Queries
Google Maps
API
Map
Queries
Notifications
Cell Phone
Email
Location
HTTPS
Data
HTTPS Location
Data
Resolution
GeoVault
Stored Location
Data
Database
Electrical and Computer Engineering
Access
Controls
Login
OAuth
Credentails
Database
Database
Computer
3rd Party
Server
2
System Overview
• Location data is transmitted from either cell phone or
computer to the GeoVault Server.
• The server is where the resolution and access settings are
stored and can be applied to the updated location.
• The location is transmitted from the server to the
distributed database and then to the specific node by
secret sharing.
• The data can also be transmitted from the server to a third
party via OAuth.
• Emails are sent from the server to the user via emial.
• The users device directly interfaces with the google map
API to display their location on a map.
Electrical and Computer Engineering
3
Feedback From CDR
• Network was complicated
– Lots of secret sharing
• Trying to cover military and civilian has too many conflicts
• Demo should include threats
• Limitations in existing system
Electrical and Computer Engineering
4
Timing of Secret Sharing
• Not as fast as other encryption methods
– Chosen because of its threshold scheme.
Threshold
Time (us)
3
135
4
212
5
308
6
423
7
549
8
693
9
858
10
1054
Electrical and Computer Engineering
5
Political Boundaries
•
•
•
Used U.S. Census Data
Region selected by most overlapping area of accuracy circle
Able to see down to
–
–
–
–
Country
State
County (Massachusetts only for now)
Town (Massachusetts only for now)
Electrical and Computer Engineering
6
OAuth
• Tokens are used to grant a third party website temporary
access to GeoVault.
• They regulate
– What the third party has access to
– How long they have access
Location Data
GeoVault
Twitter
OAuth
Electrical and Computer Engineering
7
Motivation for Attacks
Impersonation
Snooping
Denial of
Service
CSRF
• Fool others to think a
user is in different
location
• Obtaining
information to
blackmail/gain
competitive
advantage
• Denying
service to
GeoVault to
encourage user
to go to a
similar website
• Trick user to update
their location
• Fool that users
followers
• Tracking trends
for marketing
purposes
• Update their website
unknowingly, increase
network traffic and
thus advertising
prices will go up
• Spouses spying
on each other
Electrical and Computer Engineering
8
Attacks & Countermeasures
Snooping
• Encryption
• Distributed
Database
• Secret
Impersonation
• Idle Timeout
Delays
• Unrealistic
CSRF
• Session Id
number
check
Man in the
Middle
• HTTPS
Denial of
Service
• CAPTCHA’s
• Failed login
attempt delay
Travel Check
Sharing
• Idle Timeouts
• Difficult to
statistically
determine
position
Electrical and Computer Engineering
9
Demo
Electrical and Computer Engineering
10
Division of Labor
Emily (CSE)
Frontend Implementation, Threat Modeling,
Documentation
Tom (CSE)
Multiparty Computation, Django, Backend
implementation, Project Manager, OAuth
Nate (EE)
HTML5, CAPTCHAs, Idle Time outs, Failed
Login Delay, Update Delay, OAuth
Shanka (EE)
Django, Backend Implementation, Political
Boundaries, CSRF
Electrical and Computer Engineering
11
Thank you!
Map
Queries
Google Maps
API
Map
Queries
Notifications
Cell Phone
Email
Location
HTTPS
Data
HTTPS Location
Data
Resolution
GeoVault
Stored Location
Data
Database
Electrical and Computer Engineering
Access
Controls
Login
OAuth
Credentails
Database
Database
Computer
3rd Party
Server
12
Snooping
Database
Idle Timeouts
Secret
Sharing
Passwords
Database
Distributed
Database
Encryption
Database
Electrical and Computer Engineering
13
Impersonation
Idle Time Outs
Passwords
Unrealistic Travel
check
Electrical and Computer Engineering
14
DDOS
CAPTCHA’s
Failed Login Attempt Delay
Update Delay
Electrical and Computer Engineering
15
Cross Site Request Forgery Protection
GeoVault
Session ID Verification
Malicious
Website
Electrical and Computer Engineering
16
Man in the Middle Attack
HTTPS
Electrical and Computer Engineering
17