Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University


Post on 27-Mar-2015


Page 1:

Keiji Maekawa, Graduate School of Informatics, Kyoto University

Yasuo Okabe, Academic Center for Computing and Media Studies, Kyoto University

Page 2:

Mobility and location privacy
Capability of preventing others from learning one’s location
Your location might be leaked out to others…
  ▪ Correspondents
  ▪ Eavesdroppers

[Figure: Alice (Mobile Node), Bob (Correspondent Node), Eve. Speech bubbles: “Alice is now connecting from that college’s network.” and “This person in my network is probably Alice!”]

Page 3:

Desired conditions
Anonymity against eavesdroppers
  ▪ They cannot identify the sender and the receiver of packets.
Both end-points can authenticate each other, but they don’t know the exact location.

[Figure: Alice (Mobile Node), Bob, Eve. Speech bubbles: “This is surely from Alice, though I don’t know where she is.” and “Who the hell is this???”]

Page 4:

Case study: Mobile IP
Home Address is the identifier.
Care-of Address is the locator.

[Figure: Correspondent Node, Mobile Node, Home Agent, MN’s Home Network. Labels: “Never knows MN’s location” and “Always knows MN’s location”.]

Page 5:

Case study: Mobile IP (Route Optimization)
CN, HA, and eavesdroppers on the path can trace the MN’s location simply by looking at IP headers.

[Figure: Correspondent Node, Mobile Node, Home Agent, MN’s Home Network.]

Page 6:

It is difficult to design a protocol so that no node knows the MN’s location.
  Including trusted nodes such as the Home Agent
It’s a trade-off between privacy and performance.
  In some cases, privacy may be more important than performance.

Page 7:

Related Works
  HIP and BLIND
Problem Statement
  What is to be solved
Our Proposal
  Protocol Design
Conclusion

Page 8:

ID/locator separation
  Host Identity is a public key pair
  Host Identity Tag (HIT) is the identifier
    ▪ 128-bit hash of Host Identity
Base Exchange
  2 round trip key exchange
  Exchange public keys for authentication
  Establish SAs (IPsec ESP)

Page 9:

Rendezvous Mechanism
  HIT & IP address stored in a Rendezvous Server (RVS)
    ▪ MN’s IP address is kept up to date
  The first (I1) packet is forwarded
    ▪ Then, end-points start to communicate directly

[Figure: A, B, RVS. Labels: “Registration / Location Update”; “To: HIT of B, IP of RVS”.]

Page 10:

MN sends UPDATE messages to CN and RVS on roaming.
Sessions in upper layers are kept

[Figure: A, B, RVS; two UPDATE messages.]

Page 11:

Complete identity protection
  Only end-points can recognize the IDs in packets.
  Eavesdroppers can’t identify them.

[Figure: A, B. Labels: HIT(A), HIT(B), “???”.]

Page 12:

src/dst IDs are Blinded HIT with nonce N
  BHIT = hash(N || HIT)
  Nonce is randomly generated in each session
Extended Base Exchange
  A variation of Diffie-Hellman

[Figure: A, B. Labels: HIT(A), HIT(B), BHIT(A), BHIT(B).]

Page 13:

Initiator / Responder

BHIT[I] = hash(Nonce || HIT[I])
BHIT[R] = hash(Nonce || HIT[R])

I1: BHIT[I] → BHIT[R] , Nonce
  (Responder) Determines HIT[R] by trying all own HITs.

R1: BHIT[R] → BHIT[I] , DH[R]
  (Initiator) Generates the Key by DH
  (Initiator) Encrypt HI[I] with the Key

I2: BHIT[I] → BHIT[R] , DH[I] , { HI[I] }
  (Responder) Generates the Key by DH
  (Responder) Decrypt HI[I] with the Key
  (Responder) Encrypt HI[R] with the Key

R2: BHIT[R] → BHIT[I] , { HI[R] }
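The blinding step and the responder's "try all own HITs" lookup from the I1 message, as an added example that is not part of the slides or of any BLIND implementation. Truncated SHA-256 as the hash, the 16-byte nonce, the packet field names and the sample identities are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

HIT_LEN = 16  # the slides define a HIT as a 128-bit hash of the Host Identity


def hit_of(host_identity: bytes) -> bytes:
    # Assumption: truncated SHA-256 stands in for the HIT hash function.
    return hashlib.sha256(host_identity).digest()[:HIT_LEN]


def blind(nonce: bytes, hit: bytes) -> bytes:
    # BHIT = hash(N || HIT); the concrete hash is an assumption.
    return hashlib.sha256(nonce + hit).digest()[:HIT_LEN]


def build_i1(hit_i: bytes, hit_r: bytes) -> dict:
    # Initiator: fresh random nonce per session, sent in clear with both BHITs.
    nonce = secrets.token_bytes(16)
    return {"src": blind(nonce, hit_i), "dst": blind(nonce, hit_r), "nonce": nonce}


def resolve_own_hit(i1: dict, own_hits: list):
    # Responder: "determines HIT[R] by trying all own HITs".
    for hit in own_hits:
        if hmac.compare_digest(blind(i1["nonce"], hit), i1["dst"]):
            return hit
    return None  # not addressed to any local identity


def headers_linkable(p: dict, q: dict) -> bool:
    # Observer's view: do two packets share a source or destination identifier?
    return p["src"] == q["src"] or p["dst"] == q["dst"]


if __name__ == "__main__":
    # Constructed sample identities (placeholders, not real keys).
    hit_a = hit_of(b"constructed-host-identity-A")
    b_hits = [hit_of(b"constructed-host-identity-B1"),
              hit_of(b"constructed-host-identity-B2")]
    s1, s2 = build_i1(hit_a, b_hits[1]), build_i1(hit_a, b_hits[1])
    print("B resolves its HIT:", resolve_own_hit(s1, b_hits) == b_hits[1])
    print("other host resolves:", resolve_own_hit(s1, [hit_of(b"constructed-host-identity-C")]))
    print("two sessions linkable by header:", headers_linkable(s1, s2))
```

Because the nonce changes per session, the same pair of hosts presents different source and destination identifiers each time, while the intended responder still recovers which of its HITs was addressed.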

Page 14:

Location privacy for the BLIND
Forwarding Agent (FA)
  SPINAT
  FA conceals MN’s location from CN
  FA doesn’t know both IDs.

[Figure: A, FA, B; HIP communication. Labels: “Not know A’s ID” and “Not know A’s address”.]

Page 15:

Goal
  To achieve both Mobility and Location Privacy
Approach
  The protocol is based on BLIND
    ▪ Good identity protection
  Introduce mobility into BLIND

Page 16:

To realize mobility with BLIND
  Rendezvous mechanism dealing with blinded HIT
  Movement transparency support

Page 17:

Problems are:
  RVS cannot resolve blinded HIT.
  Raw HITs should be concealed.

Page 18:

HIP-in-HIP tunneling
  Establish SAs with RVS with BLIND, then securely send a packet with raw HITs as a HIP option.
  The raw HIT info is deleted at RVS on forwarding.

[Figure: A, B, F, RVS; Blinded Channel. Labels: BHIT[B]+HIT[B], BHIT[B].]

Page 19:

Mobility support by Forwarding Agents
  Use a temporary HIT for FA registration
Intra-FA handover
  MN sends update message only to FA.
    ▪ MN is identified by the temporary HIT
  This roaming is traced by FA and nodes in MN-FA.

[Figure: A, B, F.]

Page 20:

Inter-FA handover
  The MN registers to another FA with a new temporary HIT after roaming.
  All identifiers are changed at once.
  There’s possibly packet loss.
    ▪ Expects retransmission in upper layers

[Figure: A, B, F1, F2, RVS. Labels: HIT(A), IP(A), THIT(A), SPI, THIT(A)’, IP(A)’, SPI’, update.]

Page 21:

Single Points of Failure
  There may be some extensions for robustness.
  Forwarding Agents
    ▪ Multiplexing
  Rendezvous Server
    ▪ DHT-based

Page 22:

Collusion
  If CN and FA collude, MN’s ID and location can be combined.
  When some incident happens, police can inspect MN’s location.

Page 23:

Implementation and evaluation are ongoing.

Page 24:

We proposed the Mobile BLIND Framework
  Achievement
    ▪ Anonymity against eavesdroppers
    ▪ Conceal location from correspondents
    ▪ Movement Transparency
  Extensions to BLIND
    ▪ Blind Rendezvous Mechanism
    ▪ Mobility support by extended Forwarding Agents
