2013 IEEE/ACM 6th International Conference on Utility and Cloud Computing

Privacy Preserving Cloud-based Computing Platform (PPCCP) for using Location Based Services

Fizza Abbas, Rasheed Hussain, Junggab Son and Heekuck Oh
Department of Computer Science and Engineering, Hanyang University, Korea
[email protected], [email protected]

978-0-7695-5152-4/13 $26.00 © 2013 IEEE / CFP13UCC-USB/13 $26.00 © 2013 IEEE / DOI 10.1109/UCC.2013.26

Abstract—Mobile cloud computing (MCC) is an emerging trend which combines the benefits of cloud computing with mobile devices. This new technology not only offers tremendous computing power and storage to mobile devices with limited processing and storage capabilities but also increases affordability and reliability. Despite providing various benefits, MCC is still in its early stages in providing trust guarantees to a user. Location-Based Services (LBS), on the other hand, are those services which operate on a user's location to provide him/her services such as finding nearby restaurants, hospitals, bus terminals and ATMs, to name a few. While a user's location is mandatory for LBS to work, it imposes serious threats to the user's privacy. In this paper we propose a privacy preserving cloud-based computing architecture for using location-based services. On one hand, our architecture provides a secure mechanism for using LBS anonymously, while on the other hand it utilizes untrusted but fast and reliable cloud services for its implementation in an efficient and effective manner. Moreover, we provide various attack scenarios and show how our architecture preserves the privacy of the user and is difficult to compromise.

Index Terms—mobile cloud computing, location based services, location privacy.

I. INTRODUCTION

Nowadays mobile phones are not only used for mere communication with each other but have become an integral part of a person's lifestyle. People use them for entertainment, information and even for finding various kinds of services such as Location-Based Services (LBS). There is a rich collection of such applications available online, such as Google apps and iPhone apps. While getting useful services from these applications, most mobile devices face problems regarding security, storage, bandwidth and battery lifetime due to their limited hardware capabilities. To overcome these problems, developers have moved to cloud computing, integrating mobile devices with cloud computing under the name mobile cloud computing. The LBS landscape has changed significantly in the past decade, as devices are more location-aware than ever before and LBS applications are more in demand by subscribers. Allied Business Intelligence (ABI) research predicts that the number of mobile cloud computing subscribers will grow from 42.8 million (1.1 percent of total mobile users) in 2008 to 998 million (19 percent of total mobile users) in 2014 [1]. This new trend is based on cloud computing, which is internet-based computing where shared resources, software and information are provided to computers and other devices on demand, much like the electric grid. It has the capacity to access a common collection of resources on request. A user can utilize services through the cloud; the service can be Infrastructure as a Service (IaaS), Data storage as a Service (DaaS), Communication as a Service (CaaS), Security as a Service (SecaaS), Hardware as a Service (HaaS), Software as a Service (SaaS), Business as a Service (BaaS), or Platform as a Service (PaaS). Cloud benefits include better performance, optimal software cost, instant updates, huge storage capability, device independence, increased data reliability, and improved document format compatibility. As mentioned in [2], mobile cloud computing provides an infrastructure where both data storage and data processing happen outside the mobile device. The last decade has witnessed tremendous growth in LBS, which have emerged as an indispensable part of mobile computing. LBS use the geographical position of a user to provide services such as health services (finding nearby hospitals), business services (locations of banks) and finding nearby restaurants or cinemas. There are various devices and techniques that can be used to detect the location of the user in the system, such as the Global Positioning System (GPS) and RFID. LBS help a user find a destination with tools such as MapQuest. There are also applications that link users with Facebook, as well as ones for helping them find nearby events.

There are friend-finder applications and those related to social networking. These and many more services have shown that LBS have opened an exciting new way of utilizing a mobile phone. However, LBS have limitations and challenges in preserving users' privacy. LBS collect information about a user's location to provide services, which also increases the threat of violating the user's location privacy. A user sends his/her current location coordinates to the LBS provider to get location-based services. An attacker can trace user activities from location information and can harass the user. The LBS provider can also link the locations a user has visited and deduce private information. Privacy is the right of the user, and many customers want services without revealing identity or location information. This is one key issue, because anyone can trace a user's activities and someone can easily find the present or past locations of a user. Protecting user privacy and application secrecy from an adversary is key to establishing and maintaining consumers' trust in the mobile platform. The security requirements include:
1) Privacy: An attacker should not learn a client's location during the communication phase of getting LBS.
2) Prevention of over-collection: A service provider should know only sufficient location information about the client.
3) Authentication: The service provider should verify whether a client's location is correct.
4) Unforgeability: An attacker should not be able to forge a client's location.
5) Resistance to replay attack: When a client's location has been authenticated and used for the service, the LBS should not reuse it without the client's permission.
In this paper we show that processing of a user's location data can pose a significant threat to the user's privacy. Not only this, it also involves significant liability and security implications for the LBS providers involved in this scenario. We name our architecture PPCCP (Privacy Preserving Cloud-based Computing Platform). This platform is composed of software and hardware capabilities. Our platform for using LBS is based on the idea of an untrusted cloud server. In our architecture, we use a methodology to counter malicious users by storing the hashes of their devices' International Mobile Subscriber Identity (IMSI) in the server for authentication. The cloud server is an intermediary between a user and an LBS provider, preventing users from being directly exposed to LBS providers. Finally we explain how our architecture can increase a user's trust in using LBS without the threat of compromising mobile user identity and location privacy, and at the same time reduce the liability and security implications for the LBS providers. The paper is organized as follows. In Section II, we present related work on some of the common LBS techniques. In Section III, we give a threat model to understand the security and privacy implications of using LBS. In Section IV we present our proposed privacy enhanced architecture. Section V provides the discussion and comparative analysis of our proposed architecture, while conclusions and final remarks are presented in Section VI.

II. RELATED WORK

Preserving a user's privacy while using location-based services has been a serious concern for researchers. Some of the approaches presented so far are described in Fig. 1.

A. Transformation
This approach is based on transforming the query in a safe manner so that a server is not able to identify the user's location. This approach uses two techniques: (i) non-spatial transformation, which applies cryptographic protocols to give strong privacy but requires high computational and communication cost [3, 4], and (ii) spatial transformation, which is based on modifying the user's location through geometric transformation [5], i.e., scaling, translation and rotation. In [4] the authors proposed a framework named SpaceTwist which blinds an untrusted location server by incrementally requesting and retrieving Points-Of-Interest (POI) in ascending order of their distance from a fake location near the query point, called the anchor point. This approach has several drawbacks which are also found in similar cloaking-region-based approaches. If exact results are required then this technique suffers from various privacy leaks and increased communication and computational cost. Choosing an anchor point too close to the query point prevents this technique from forming a comprehensive cloaking region, while choosing an anchor point far away increases the computational and communication cost significantly.

B. Private Information Retrieval
Private Information Retrieval (PIR) enables a user to send a query to an LBS server's database without revealing the request. The recent techniques proposed in [6, 7] are both based on using PIR to achieve location privacy in the framework discussed above. However, while Ghinita et al. [6] utilize theoretical PIR protocols to blind the server, Khoshgozaran et al. [7] use practical PIR techniques to enable location privacy. These techniques provide a perfect privacy guarantee to support spatial queries but face hardware dependence, limited secure co-processor space, computational complexity and communication cost.

C. Cloaking/Anonymity
The central idea behind cloaking/anonymity is to form a group of K users and hide or blur the user's exact location among these K users. These K users can be real or dummies in the cloaked region. The cloaked region formation is either centralized or decentralized, depending on where the cloaking takes place. Centralized cloaking uses the idea of a trusted server, i.e. a trusted location anonymizer which is used to protect the user's location and identity information [8, 9]. The main idea is to put a location anonymizer between users and LBS servers to prevent the server from learning users' precise location information and identities. There are several drawbacks in this approach. First, the anonymizer has to be trusted: it knows the locations and identities of all users, and if the anonymizer is compromised then the security intended to be provided to the user vanishes. Another drawback of a centralized anonymizer is its design limitations; it has to be as sophisticated as a location-based server itself. A further drawback is that, in case a user asks for LBS repeatedly, he can be distinguished among the K other users. Cloaking or K-anonymity is an efficient technique, as all calculations are done on the TTP (trusted third party), but it has a high probability of revealing the user's identity.
To address the above-mentioned drawbacks of a centralized anonymizer, several studies propose a decentralized mechanism to form a cloaked region. The dummy generation technique hides a user's location and trajectory by sending several queries instead of only one [10]. The drawback is slow server response due to the growing number of requests sent out by a user. Additionally, the LBS may suspect that it is under attack and thus the requests may be ignored. Again the location


privacy depends on the number of queries sent by the mobile user. Also, if this location information is exposed to the adversary, he/she can extract the true user's information. In this approach dummies must be selected intelligently, otherwise they can easily reveal the real user's information. The work proposed in [11, 12] assumes that users communicate with each other to form a collaboratively built cloaking region. The work in [11] proposes to form a cloaking region in which each user communicates with his surrounding users until he finds enough of them to form a cloaking region of K users. In case of not finding enough users nearby, each request receiver recursively broadcasts the request to its surroundings until K users are found. This peer-to-peer cloaking region approach has significant privacy issues, because usually the user who initiates the request is near the center of the cloaked region. Ghinita et al. [12] proposed a hierarchical overlay network, similar to a distributed B+ tree, for constructing a cloaking region which attempts to overcome the above-mentioned drawback. This approach suffers from poor response time, and the server knows the exact location of the user provided in the anonymity set, which raises serious security threats to a user's location. The monitoring of sequences of queries by an adversary can easily reveal critical information to the server about the actual location of the user. Decentralized techniques assume that all the subscribed users are trusted and can harmlessly collaborate with each other in forming a cloaked region. It is hard to assume such a thing, as we are far from this trust level on the internet. There are also European projects working on privacy issues of mobile applications, like PICOS (Privacy and Identity issues in context Rich Mobile Community services) [19] and PRIME (Privacy and Identity Management for Europe) [20].
The approach in [19] uses partial identities and blurring methods to hide user identity and location. In [20] the researchers design a framework according to a new social, technical and legal perspective on identity and privacy. The approach described in [13] gives an efficient and fair anonymous authentication scheme to overcome the strong assumption used in TTP approaches and the communication cost of TTP-free approaches, but this scheme's main focus is on user authentication. Other recent developments use the concept of cloud computing and take advantage of this new paradigm to provide user privacy. In [14] authentication, continuity and privacy are achieved in a cloud computing environment, but the approach focuses on client-side processing, and mobile devices have limited computational capability and battery issues. After studying recent and past approaches for preserving user privacy in LBS, we aimed to design a hybrid approach that overcomes these limitations. Our main focus is on using K-anonymity in such a way that we can harness its effectiveness while answering all the threats raised in previously proposed works. Our architecture uses a cloud-based untrusted server for processing users' queries. The approach also has a mechanism to deal with untrusted users.

Fig. 1. Various techniques being used in LBS

III. THREAT MODEL

Location-based services usually face two types of privacy threats:
1) Communication threats: These relate to a sender's anonymity, meaning that an eavesdropper or an LBS provider should not be able to determine the identity of the originator of a message from his Internet Protocol (IP) address. In case a customer is using WiFi, his IP can be tracked to his physical location.
2) Location privacy threats: These relate to a sender's anonymity, which can be compromised by correlating location information through observation and/or prior knowledge about the message originator. Location privacy threats can be further divided into three categories: (i) Restricted space identification, which assumes that a residential location strictly belongs to a person. LBS providers are not trusted, but they can be semi-honest. Consider the scenario in which the third-party LBS providers are honest, in that they correctly process and respond to messages, but curious, in that they may attempt to determine the identity of a user based on the information received and information about the physical world. If an attacker learns the location coordinates, he can find the particular physical place for that location and can easily identify the resident with the help of a public phone directory. (ii) Observation identification, in which an attacker knows a previously sent message from a location; if the sender now wishes to send a message anonymously, the attacker can find the location and knows the location owner. (iii) Location tracking, which relates a series of locations and messages to a user. An attacker may learn the history of a user's activities.
In our threat model, we assume the existence of a local eavesdropper who is monitoring either the internet traffic between user and cloud server or the traffic between cloud server and LBS providers. However, it is worth mentioning that our model does not assume an omnipresent global eavesdropper able to monitor all traffic even when the traffic uses proxies to hide its addresses. Furthermore, we currently do not consider mechanisms used by an attacker to break into a user's mobile device to hack the client-side application or his internet connection. Apart from this, we currently do not utilize any mechanism which prevents tracing of anonymized requests, i.e., matching redundant anonymized requests against a particular service, or requesting a sequence of services in a particular area in some specific pattern which can be traced by an attacker. Finally, we assume that a malicious user can attack our model by flooding attempts.

IV. PROPOSED ARCHITECTURE

We propose a cloud-server-based architecture named Privacy Preserving Cloud-based Computing Platform (PPCCP) for location-based services. The main component of our architecture is a cloud-based server, PPCCP. This server acts as a bridge between users and LBS servers. The main reason to choose a cloud-based server is to harness the ultra-fast computing facilities offered by a cloud, including processing power, reliability and scalability. It is worth mentioning that the proposed architecture is designed in such a way that it requires no trust assumptions for the PPCCP server. In fact, even if the PPCCP is ever compromised, the attacker will get no benefit from its data; the users should be safe from being compromised. The other important aspect of this architecture is that all of the communication in it is protected with AES 128-bit encryption. The entities share secret keys with each other using Diffie-Hellman key exchange at the start of their communication. As we have mentioned above in the threat model, there are communication threats and location privacy threats. In accordance with these, we divide our proposed architecture into two parts. For communication privacy, we propose a mechanism by which a user communicates with the PPCCP server with the help of Orbot [17], which is free proxy software available on Google Play for Android devices. Any phone using Orbot can surf the web anonymously. Orbot uses Tor [17] to use the internet securely by encrypting the internet traffic; it hides the IP address by bouncing traffic through different computers over the Internet. Fig. 2 shows our proposed architecture without Orbot, with the possible threats, while Fig. 3 shows the secure model with Orbot. A user installs an Orbot-supported web browser such as Orweb [18] and can then access PPCCP for anonymous communication. A user uses LBS by providing his location coordinates. This information can harm a user. Consider the scenario in which a user provides his location to find an AIDS clinic. Even if he uses Orbot, he still gives his location to the LBS provider. A malicious attacker who has access to this location information can find the street address easily through Google Maps. With the help of a telephone directory it is easy to find the identity of the resident of that address. We argue that if we make this process of providing a location to find a particular service ambiguous enough that a malicious user cannot be certain about who has actually asked for which service, then we can preserve the anonymity of the user. In this regard we propose an architecture for using LBS anonymously. In the proposed architecture we divide the geographic space of the world into cloaking regions. A cloaking region can be recognized as a subdivision of the entire world database. Consider the world plotted as a two-dimensional grid of rectangular regions of different sizes; then any one of these regions can be used as a cloaking region. It is adequate to identify each region of the grid by a grid identifier. If we imagine such a grid, then the coordinates of a fixed corner (e.g. the upper-left corner) of each region can be taken as the identifier for the region. Fig. 4 illustrates a grid on the map of South Korea with different sized rectangular regions and their identifiers. The division of varied size regions onto a two-dimensional map can be done by a method such as the commonly used Miller cylindrical projection [15]. A uniform point of interest (POI) distribution can then be achieved with a Hilbert space-filling curve [16].

Fig. 2. Threats being imposed without Orbot

Fig. 3. Orbot use in Proposed Architecture

Fig. 4. An illustration of the concept of regions in proposed architecture

Our proposed architecture comprises the following three participants:

A. Users
The users connect to the PPCCP server with the help of Orbot for anonymous communication. They are also required to install a light-weight client-side application on their devices which contains a small database of region identifiers and a small routine to find the region in which the user is currently located. This routine is also capable of pinging the server at intervals to keep the server continuously aware of the user's current region. Upon request from the PPCCP server, this routine can also send the user's location to the server anonymously using Orbot.

B. A cloud-based server (PPCCP)
PPCCP contains a database of the hashes of all users' IMSIs. We use the SHA-1 cryptographic hash function to hash the IMSI of each user's device. After registration, PPCCP stores the hash of the new user in its database to authenticate the user later on a service request. PPCCP also triggers users to send their locations. It also contains a database of region identifiers, while its computing module is responsible for calculating the nearest POI to a user's location from a file containing POIs. The last component of PPCCP is an interface to LBS providers which is used to send requests for the POI file to the LBS provider. On receiving the POI file, the PPCCP forwards it to the computing module.

C. LBS Provider
These are independent location-based service providers. They keep a POI database with a field for regions, similar to the region field in the databases of PPCCP and the client-side application. They also maintain the region identifier table. On receiving a service request from the PPCCP server containing a region identifier and a service name, they search their database for the required service in the particular region, write all the POIs to a text file and send it to the PPCCP server. Fig. 5 demonstrates the complete working and internal diagram of PPCCP.

The following are the typical steps performed while a user requests a service and the PPCCP provides this service to the user while preserving his privacy.
(i) The client-side application finds the current region in which the user is located and sends a service request to PPCCP.
User → PPCCP : (SERVICE || REGION)
(ii) On receiving a request, PPCCP starts the authentication protocol by sending a request to the user for the hash of his IMSI.
PPCCP → User : Request(SHA-1(IMSI))
(iii) The user-side application then sends the hash of its IMSI.
User → PPCCP : SHA-1(IMSI)
(iv) The PPCCP then searches for this hash in its database. On finding a correct match it forwards the service request to the LBS provider.
PPCCP → LBS Server : Service, Region identifier
(v) The LBS provider searches its database for the required service in the given region, writes all the POIs to a file and sends it back to PPCCP.
LBS Server → PPCCP : POI file
(vi) PPCCP then chooses K users in the region and sends them a nonce. It also sends the nonce to the requesting user.
PPCCP → K+1 users : Nonce
(vii) On receiving the nonce, each user's client-side application finds its current location and sends it to PPCCP.
K+1 users → PPCCP : Location coordinates
(viii) PPCCP then calculates the nearest POI for each user using the Euclidean distance formula. It then sends each user their nearest POI for that service.
PPCCP → K+1 users : Nearest POI
(ix) The intended user gets the required service while the others discard it.
The ultimate blurring takes place in step (viii), after all the K+1 users have sent their locations to the PPCCP server. PPCCP has no idea which user actually requires the service, because the K+1 locations arrive from K+1 anonymous IP addresses with the same nonce. PPCCP then calculates and sends results back to those anonymous addresses without knowing which location actually requested the service.
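The nine-step exchange above, as an added Python simulation that is not part of the paper: a constructed region grid, a constructed POI table and three users (the requester plus K = 2 others) run through the client lookup, the SHA-1(IMSI) check, the POI file request, the shared nonce and the Euclidean nearest-POI step; `region_of`, `LBSProvider`, `PPCCP`, the anonymous address labels and all sample values are assumptions of this example.

```python
import hashlib
import math
import secrets

# Constructed grid (not from the paper): a region identifier is the (lat, lon) of
# its upper-left corner, as in the paper; the value is the cell's (lat span, lon span).
REGIONS = {
    (37.70, 126.70): (0.20, 0.40),
    (37.50, 126.70): (0.20, 0.40),
}

# Constructed POI table held by the LBS provider: (service, region identifier, (name, lat, lon)).
POIS = [
    ("hospital", (37.70, 126.70), ("H1", 37.65, 126.80)),
    ("hospital", (37.70, 126.70), ("H2", 37.55, 127.05)),
    ("hospital", (37.50, 126.70), ("H3", 37.40, 126.90)),
]


def region_of(lat, lon):
    """Step (i): the client maps its coordinates to a region identifier locally,
    so only the coarse region, never the coordinates, is sent with the request."""
    for (top, left), (dlat, dlon) in REGIONS.items():
        if top - dlat < lat <= top and left <= lon < left + dlon:
            return (top, left)
    raise ValueError("location outside the grid")


def imsi_hash(imsi):
    """Steps (ii)-(iii): the paper authenticates devices by SHA-1(IMSI). The IMSI
    space (15 decimal digits) is small, so this unsalted hash is a stable lookup
    identifier for authentication, not a secret that resists guessing."""
    return hashlib.sha1(imsi.encode()).hexdigest()


class LBSProvider:
    def poi_file(self, service, region):
        """Step (v): every POI for that service in the region, i.e. the 'POI file'."""
        return [poi for svc, reg, poi in POIS if svc == service and reg == region]


class PPCCP:
    def __init__(self, registered_imsis, lbs):
        self.hashes = {imsi_hash(i) for i in registered_imsis}  # registration database
        self.lbs = lbs

    def serve(self, service, region, requester_hash, anon_users):
        """anon_users maps an anonymous (Orbot) address to a client callback that
        answers a nonce with its (lat, lon). PPCCP sees only these addresses."""
        if requester_hash not in self.hashes:            # step (iv): unknown device, drop
            return None
        pois = self.lbs.poi_file(service, region)        # steps (iv)-(v)
        if not pois:
            return {}
        nonce = secrets.token_hex(8)                     # step (vi): one nonce for all K+1
        results = {}
        for addr, client in anon_users.items():
            lat, lon = client(nonce)                     # step (vii)
            # step (viii): nearest POI by Euclidean distance in coordinate space
            results[addr] = min(pois, key=lambda p: math.hypot(p[1] - lat, p[2] - lon))
        return results                                   # step (ix): one answer per address


def demo():
    """Requester at (37.62, 126.85) plus K = 2 other users in the same region (constructed)."""
    ppccp = PPCCP(["450050000000001", "450050000000002", "450050000000003"], LBSProvider())
    requester = (37.62, 126.85)
    region = region_of(*requester)
    anon_users = {   # constructed anonymous addresses; PPCCP cannot tell which one is the requester
        "anon-a": lambda nonce: requester,
        "anon-b": lambda nonce: (37.56, 127.00),
        "anon-c": lambda nonce: (37.68, 126.72),
    }
    return ppccp.serve("hospital", region, imsi_hash("450050000000001"), anon_users)
```

PPCCP ends up holding three locations tied only to `anon-a`, `anon-b` and `anon-c` and the same nonce, which is the blurring the text describes after step (ix).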

Fig. 5. Internal diagram and work flow of PPCCP

V. DISCUSSION

In this section we highlight the significance of our proposed architecture and its contribution to preserving the privacy of a user while using LBS, and we also examine our model under various attack scenarios. First of all, our proposed idea eliminates the need for a trusted server, i.e. the architecture does not require any assumption of a trusted server. In other words, our system increases the level of trust and confidence of a user who uses our architecture. Therefore, we will show that even if PPCCP is compromised, no harm will be done regarding a user's privacy. The next significant thing is the use of Orbot in client-server communication. PPCCP cannot determine the identity of a user because the IP in the packet does not belong to the user. The use of hashes of users' IMSIs makes it possible for PPCCP not only to authenticate a user but also to identify the threat in case a malicious user attempts a DoS (Denial of Service) attack by repeatedly sending multiple queries within an interval of time. It will compare the last n service requests by the same user over an interval of time t such that t/n
