Your SlideShare is downloading. ×
Trusted Location Based Services
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Trusted Location Based Services


Published on

A virtual presentation for the paper "Trusted Location Based Services" …

A virtual presentation for the paper "Trusted Location Based Services"
Presented on the 10th of December 2012 at the ICITST conference (

Published in: Technology

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Trusted Location Based Services IAIK Institute forApplied Information Processing and Communications Graz University of Technology Peter Teufl -
  • 2. Myself PHD in 2012: Knowledge discovery in security related applications Lectures: Computer networks, smartphone security Current projects, research: Smartphone security, cloud security, Android malware IAIK
  • 3. IAIK Prof. Reinhard Posch e-Government NFC security Design and verification Cryptography Java security Smartphone IAIK
  • 4. Contents Location Based Services (LBS) and mobile devices Trusted services - Proving that you are at a location at a specific time Qualified digital signatures, cryptographic RFID tags Two prototypes based on Trusted Location Based Services (T-LBS) Using two smartphones Using a cryptographic RFID Tag Security IAIK
  • 5. Location Based Services Location Based Services (LBS) Success attributed to recent popularity of smartphones (especially iOS, and Android) Examples: Maps, navigation, Point-Of-Interests, context-aware applications (Google Now, Siri, etc.) Service: How accurate is the user’s location? Can it be used to prove that the user is at a certain place? IAIK
  • 6. LBS - Security? No security - in terms of proving that the user is at the claimed location Missing: Trusted GPS receivers, cryptographic measures, support of the operating system, defences against external influences Why? Not necessary for current applications (maps, navigation...) Users benefit from accurately providing their location ...and simply not possible with one user’s IAIK
  • 7. LBS - Trust? Current technology on smartphones cannot provide trusted locations We rely on a Trusted Third Party (further denoted as TTP) This party verifies the location/time claim of a user User, TTP use digital signatures to sign the location/time information We present two ways of implementing such a TTP Two users with smartphones, where one user represents the TTP One user with a smartphone: TTP based on cryptographic RFID IAIK
  • 8. Qualified Signatures Austrian Citzien Card Smartcard (on top of national health insurance card: ecard) Mobile Signature Solution (Signature is created on an external HSM) Smartcards cannot be deployed on smartphones (at least not in a simple way) Thus: deployment of mobile signature solution Based on two channels: Internet and SMS (mTans) IAIK
  • 9. Mobile Signature Login - 1st step: Login - 2nd step:Phone Number/Password entering the mTan SMS to phone number with IAIK
  • 10. Cryptographic Tag RFID tag, which is capable of executing cryptographic operations Tag stores assymetric key pair Private key cannot be extracted from tag Tag creates a digital signature with this private key Communication with NFC enabled IAIK
  • 11. Components, Definitions Service Provider (SP): An application service provider that employs trusted location based services User: The user who provides a trusted location to a Service Provider (SP) Creates signature with qualified signature (mobile signature) Trusted Third Party (TTP): A trusted party that verifies the claimed location of the user, and also signs the ticket which is already signed by the user Trusted Location Time Ticket (T-LTT): Digitally signed “Location Time Ticket” that contains the correct location and the IAIK
  • 12. Trusted Location Based Service1: The user initiates a session with the SP User Service Provider 1 (SP) 22: The SP requests a T-LTT from the user Signature Creation Signature Verification 5 Signature Verification3: The user signs his current location and 3 4time (LTT) and sends it to the TTP Trusted Third Party 1 … Access from User to service of SP (TTP) 2 … Request for T-LTT from SP to User4: The TTP verifies the LTT and the 3 … Request for T-LTT from User to TTP Signature Signature 4 … TTP sending T-LTT to User Creation Verificationsignature and signs the LTT (> T-LTT) 5 … User showing T-LTT to SP Location Time Source Source5: The user sends the T-LTT to the SP6: SP can now verify the T-LTT and provide a location/time specific service to the IAIK
  • 13. Prototype Overview Protoype A Protoype B Smartphone Service Provider Smartphone Service Provider T-LTT T-LTT User A (SP) User A (SP) Nonce LTT T-LTT Signed Nonce LTT Public Key T-LTT Smartphone User B Different TTPs TTP Server Cryptographic TTP Location of Tag crypto IAIK
  • 14. Prototype A - Two Smartphones Scenario A User A needs a trusted location that proves that he/she has been at the location of User B (TTP) User B has a strong interest that User A provides the right location (User A and B do not collaborate to fake the location) Requirements: Two smartphones digital IAIK
  • 15. Prototype A - Two Smartphones 1: User A signs location/ SP time Prover TTP User 5 Trusted User 2: User A submits LTT to User B (TTP) Smartphone 4 Smartphone 3: TTP verifies LTT and Signature Verification 2 Signature signs LTT > T-LTT Signature Creation Creation Signature 3 1a 1b Location Verification 4: T-LTT returned to User A Source Time Source 5: User A sends T-LTT to IAIK
  • 16. Security Analysis - Prototype A Main threat to prototype A: When User B (the TTP) and User A have the intention to work together in order to provide the wrong location When User A alone has this intention, the TTP (User B) will not sign the location More advanced threats described in the paper Malware installed on User’s B smartphone. Real User A at another location, fake User A has a IAIK
  • 17. Prototype B - Cryptographic Tag Scenario B A user is at a specific location at a specific time and needs to prove this. (e.g. a security guard that needs to inspect a certain location) An unremovable cryptographic tag has been placed at this location. With a smartphone, the cryptographic tag and an external server the user can prove that he was at the location at a given time. Threat: User A could fake the time/location (TTP is not a real person, which simplifies certain attacks) IAIK
  • 18. Prototype B - Cryptographic Tag1a/b: User: Gets public key from Tag SP Prover TTP2a/b: Public key sent to server (looks up User 6 Servertag in DB), User gets nonce from server 5c 5c 5a 5c Signature 5a Creation Smartphone3a/b: Tag returns signed nonce Signature 5a 4b 4a Signature Verification 5b Verification Time4a/b: Server verifies tag signature, Source Signature 2b Creation 2a Locationnonce, sends LTT to user Source 3b 3a5a/b/c: User signs LTT, Server verifies 1b Crypto Tag 4bLTT, signs LTT > T-LTT, returns T-LTT 1a Location Source6: User sends T-LTT to IAIK
  • 19. Security Analysis - Prototype B Main threat to prototype B TTP is not a real person, which makes it easier for User A to create the T- LTT at another location (e.g. sending someone else to the location and creating the digital signature remotely) Compared to Prototype A TTP is always trusted: more possible scenarios More IAIK
  • 20. Current State Prototypes are implemented Scenario A: User A/B have an accident, photos and report are signed by both users User B verifies location claim of User A Scenario B: Deployment of cryptographic tags, location/time log on a IAIK
  • 21. Questions? Thank you for your attention! Please send your questions to Best Regards from Graz, Austria! IAIK