FC: Dorothy Denning on "geo-encryption": Tracking people by their locations

From: Declan McCullagh (declanat_private)
Date: Tue Nov 27 2001 - 08:46:21 PST


    A paper from 1996 by Dorothy Denning and Peter F. MacDoran:
      "Location-Based Authentication: Grounding Cyberspace for Better Security"
      http://www.cs.georgetown.edu/~denning/infosec/Grounding.txt
    
    An excerpt:
    >  The location signature is virtually impossible to forge at the required
    >accuracy.  This is because the GPS observations at any given time are
    >essentially unpredictable to high precision due to subtle satellite
    >orbit perturbations, which are unknowable in real-time, and intentional
    >signal instabilities (dithering) imposed by the U.S. Department of
    >Defense selective availability (SA) security policy.  Further, because a
    >signature is invalid after five milliseconds, the attacker cannot spoof
    >the location by replaying an intercepted signature, particularly when it
    >is bound to the message (e.g., through a checksum or digital signature).
    >Continuous authentication provides further protection against such
    >attacks.
    
    Below is a discussion from cypherpunks. Time magazine article:
    http://www.time.com/time/magazine/article/0,9171,1101011126-184999,00.html
    
    -Declan
    
    ********
    
    From: John Young <jyaat_private>
    Subject: Denning's Geo-crypto
    Date: Thu, 22 Nov 2001 11:06:21 -0800
    
    Time Magazine, November 26, 2001:
    
    Denning's pioneering a new field she calls geo-encryption.
    Working with industry, Denning has developed a way to keep
    information undecipherable until it reaches its location, as
    determined by GPS satellites. Movie studios, for example,
    have been afraid to release films digitally for the same reasons
    record companies hate Napster: once loose on the Internet,
    there's little to stop someone from posting the latest blockbuster
    DVD on the Web for all to see and download. With Denning's
    system, however, only subscribers in specified locations --
    such as movie theaters -- would be able to unscramble the
    data. The technology works as well for national security
    as it does for Harry Potter. Coded messages that the State
    Department sends to its embassies, for example, could only
    be deciphered in the embassy buildings themselves, greatly
    reducing the risk of interception.
    
    For now, Denning says, terrorists "may want to bring down
    the power grid or the finance system, but it's still easier to
    blow up a building." If she's right, it's due in large part to her.
    
    ********
    
    From: Peter Wayner <pcw2at_private>
    Subject: Re: Denning's Geo-crypto
    Date: Thu, 22 Nov 2001 12:23:29 -0500
    
    At 11:06 AM -0800 11/22/01, John Young wrote:
     >Time Magazine, November 26, 2001:
    
    This is a fascinating idea, but problematic. The simplest approach
    is easy to spoof. Let's say that you encrypt the data with the GPS coordinates
    X. The software takes GPS coordinates from a GPS receiver and tries
    to decrypt the data using these coordinates. Only someone at the
    right place would be able to figure it out.
    
    Naturally, this could be spoofed by replacing the GPS receiver
    with one that spits out the right coordinates.
    
    A better system might rely upon the signals from the satellites
    themselves. The signals let the GPS receiver measure the
    time the signal took to travel from the satellite to the receiver.
    Knowing the distance from three or more satellites makes it
    possible to triangulate and come up with the real location.
    
    A more sophisticated system would encrypt the data with
    these signals themselves. It might take the data coming from
    satellites 1,2 and 3 at one particular instant. Only a person
    in the right location would see the right values at that particular instant.
    
    But I think this could be spoofed by time shifting the signals using
    a TIVO-like mechanism. If you're not in the right location you
    could pretend to be in another.
    
    Maybe they have a more complicated mechanism. Or maybe
    this is just FUD.
    
    -Peter
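    Two toy constructions, added here as an example (not code from the
    Denning/MacDoran paper or from anyone in this thread), to make the two
    points above concrete: Wayner's "simplest approach", where the key is
    derived from whatever coordinates the receiver reports, and the paper's
    location signature, which is checked against a reference observation,
    expires after five milliseconds and is bound to the message. The toy
    stream cipher, the shared MAC key and the deterministic stand-in for the
    reference receiver are assumptions of the example.

```python
import hashlib
import hmac

# ---- Scheme A: Wayner's "simplest approach" ----------------------------
# The key is a function of the coordinates the receiver software is told.
# Whoever controls the receiver output controls the key.

GRID_DEG = 0.001   # quantisation so GPS jitter within ~100 m maps to one key

def coord_key(lat: float, lon: float) -> bytes:
    cell = f"{round(lat / GRID_DEG)}:{round(lon / GRID_DEG)}".encode()
    return hashlib.sha256(b"geo-key|" + cell).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode XORed with the data).
    Symmetric and unauthenticated; for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

THEATRE = (38.9072, -77.0369)   # assumed licensed location (constructed)

def spoofed_receiver() -> tuple:
    """A swapped-in 'GPS receiver' that reports the licensed location no
    matter where the hardware actually is."""
    return THEATRE

def scheme_a_attack(plaintext: bytes) -> bool:
    """Distributor encrypts for THEATRE; a box anywhere, fed by
    spoofed_receiver(), recovers the plaintext."""
    ct = xor_stream(coord_key(*THEATRE), plaintext)
    return xor_stream(coord_key(*spoofed_receiver()), ct) == plaintext

# ---- Scheme B: location signature bound to the message -----------------
# Models the Denning/MacDoran excerpt: the verifier compares the client's
# raw observation with a reference observation for that instant, rejects
# anything older than WINDOW_S, refuses duplicates, and requires the
# observation to be bound to the message by a MAC. The shared MAC key is
# an assumption of this example (the paper allows a checksum or signature).

WINDOW_S = 0.005     # "a signature is invalid after five milliseconds"
TOLERANCE_M = 1.0    # agreement required between client and reference

def reference_observation(sat_ids, t: float) -> dict:
    """Stand-in for the verifier's reference receiver: a deterministic
    pseudo-random 'pseudorange' (m) per satellite and instant. Constructed
    so the example runs offline; real values come from the sky."""
    obs = {}
    for sid in sorted(sat_ids):
        h = hashlib.sha256(f"{sid}|{round(t, 3)}".encode()).digest()
        obs[sid] = 20_000_000 + int.from_bytes(h[:4], "big") / 1000.0
    return obs

def bind(mac_key: bytes, obs: dict, t: float, msg: bytes) -> bytes:
    payload = repr(sorted(obs.items())).encode() + f"|{t:.6f}|".encode() + msg
    return hmac.new(mac_key, payload, hashlib.sha256).digest()

def verify(mac_key, obs, t_obs, msg, tag, now, seen) -> str:
    """Return 'ok' or the reason the location signature is rejected."""
    if not hmac.compare_digest(bind(mac_key, obs, t_obs, msg), tag):
        return "binding mismatch"          # tag does not cover this message
    if t_obs > now or now - t_obs > WINDOW_S:
        return "stale"                     # outside the five-millisecond window
    if (t_obs, tag) in seen:
        return "replay"                    # same signature presented twice
    ref = reference_observation(obs, t_obs)
    if any(abs(obs[s] - ref[s]) > TOLERANCE_M for s in obs):
        return "location mismatch"         # not what the site actually sees
    seen.add((t_obs, tag))
    return "ok"

def scheme_b_demo() -> dict:
    key, sats, t0 = b"shared-mac-key (assumed)", ["G05", "G12", "G20"], 1_006_000_000.0
    msg, seen = b"release key for reel 3", set()
    obs = reference_observation(sats, t0)          # honest client at the site
    tag = bind(key, obs, t0, msg)
    far = {s: v + 50.0 for s, v in obs.items()}    # honest client 50 m away
    forged = dict(obs)   # attacker fabricates the observation (spoofed receiver)
    return {
        "honest":      verify(key, obs, t0, msg, tag, t0 + 0.002, seen),
        "replay":      verify(key, obs, t0, msg, tag, t0 + 0.003, seen),
        "late_replay": verify(key, obs, t0, msg, tag, t0 + 1.0, set()),
        "other_msg":   verify(key, obs, t0, b"release key for reel 4", tag, t0 + 0.002, set()),
        "wrong_place": verify(key, far, t0, msg, bind(key, far, t0, msg), t0 + 0.002, set()),
        # Freshness and binding do nothing against a client that can
        # fabricate the observation itself; the verifier cannot tell:
        "forged_obs":  verify(key, forged, t0, msg, bind(key, forged, t0, msg), t0 + 0.002, set()),
    }
```

    The window and the MAC stop replay and message substitution, which is
    all the excerpt claims for them; the "forged_obs" case is Wayner's
    replaced receiver, and it passes, because the scheme's security rests
    entirely on the assumption that the observation cannot be produced
    anywhere but at the site.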
    
    ********
    From: Steve Schear <schearat_private>
    Subject: Re: Denning's Geo-crypto
    To: John Young <jyaat_private>, cypherpunksat_private
    Date: Thu, 22 Nov 2001 09:38:35 -0800
    
    At 11:06 AM 11/22/2001 -0800, you wrote:
     >Time Magazine, November 26, 2001:
     >
     >Denning's pioneering a new field she calls geo-encryption.
     >Working with industry, Denning has developed a way to keep
     >information undecipherable until it reaches its location, as
     >determined by GPS satellites. Movie studios, for example,
     >have been afraid to release films digitally for the same reasons
     >record companies hate Napster: once loose on the Internet,
     >there's little to stop someone from posting the latest blockbuster
     >DVD on the Web for all to see and download. With Denning's
     >system, however, only subscribers in specified locations --
     >such as movie theaters -- would be able to unscramble the
     >data. The technology works as well for national security
     >as it does for Harry Potter. Coded messages that the State
     >Department sends to its embassies, for example, could only
     >be deciphered in the embassy buildings themselves, greatly
     >reducing the risk of interception.
     >
     >For now, Denning says, terrorists "may want to bring down
     >the power grid or the finance system, but it's still easier to
     >blow up a building." If she's right, it's due in large part to her.
    
    I believe several patents have been filed for something along this line
    (e.g. tamper resistant GPS-smart cards).  Mostly to enable casino to
    satisfy state regulators that their clients are in permitted geographic
    locales.
    
    steve
    
    ********
    
    From: John Young <jyaat_private>
    Subject: Denning on Denning's Geo-crypto
    Date: Fri, 23 Nov 2001 12:29:49 -0800
    
    --
    
    Date: Fri, 23 Nov 2001 08:38:13 -0800
    To: John Young <jyaat_private>
    From: Dorothy Denning <denningat_private>
    Subject: Re: Geo-encryption
    
    We don't have anything yet we are giving out to the public, but no,
    it isn't related to the CoinCard (which I hadn't even heard of).
    
    ********
    
    From: "Trei, Peter" <ptreiat_private>
    Subject: RE: Denning's Geo-crypto
    Date: Mon, 26 Nov 2001 11:35:51 -0500
    
    Curious. 4-5 years ago Denning and another associate (I
    forget who, it's in the archives :-) tried to market an authentication
    scheme which purported to authenticate the location of a remote
    user using GPS.
    
    The idea was that the user's machine would pick up the
    aggregate analog GPS signal available at its location
    (either the regular, non-classified version or the
    high-precision classified signals), and transmit it to
    the server, which would use it to work out the
    location of the user - a user who was located at
    'Pentagon, third ring, fourth floor, Army segment'
    would be accorded different privileges than one whose
    location decoded as 'Presidential Palace, Baghdad'.
    
    I and several other list subscribers pointed out numerous
    issues. Among them were:
    
    1. GPS signals don't work well in buildings of substantial
    construction, and the chance of them working at all in a
    TEMPEST shielded building are about zip.
    
    2. There are numerous DOS attacks available - the GPS
    signals are easily jammed. One amusing approach would
    be to use GPS test equipment to generate signals
    appropriate for a different location (eg, Pyongyang) and
    beam them at the site to be DOS'd.
    
    4. Conversely, an attacker could use the same test equipment
    to make it look like he's in the Pentagon, when he's actually
    in Kandahar.
    
    5. GPS is based on the relative time delays of signals from
    different satellites. Since network lag of hundreds of
    milliseconds must be accepted, anyone who can see
    the same set of satellites as the location to be spoofed
    can separate the signals from the different satellites,
    modify the lags appropriately, and remix to generate a
    spoofed analog signal.
    
    --------
    I sent these concerns to Denning, who replied that she
    would address them only under NDA, which I declined to
    enter.
    
    This sounds an awful lot like old wine in new bottles. Many
    of the same concerns arise.
    
    Peter Trei
    Disclaimer: The above represents only my personal
    opinions.
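    Trei's point 5 in code, added here as an example and not taken from the
    thread: a standard four-satellite position fix computed from arrival
    delays, and an attacker who re-times the per-satellite signals it really
    hears so that the fix lands on the target site. Satellite and site
    coordinates are constructed (the site values are only approximate ECEF
    coordinates for the Pentagon; the attacker is a point about 190 km away
    assumed to receive the same four satellites).

```python
import math

C = 299_792_458.0   # speed of light, m/s

# Constructed satellite positions (metres, Earth-centred frame) at roughly
# GPS orbital radius, placed so all four are above the horizon at SITE.
# Assumed values, not real ephemeris.
SATS = [
    (  5_000_000.0, -20_000_000.0,  17_000_000.0),
    ( 22_000_000.0, -12_000_000.0,   8_000_000.0),
    (-14_000_000.0, -10_000_000.0,  20_000_000.0),
    (          0.0, -26_000_000.0,  -4_000_000.0),
]

SITE = (1_111_000.0, -4_835_000.0, 3_998_000.0)      # ~Pentagon (approximate)
ATTACKER = (1_300_000.0, -4_800_000.0, 3_985_000.0)  # constructed, ~190 km away

def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def delays_at(pos, clock_bias_s=0.0):
    """Arrival delays (s) a receiver at pos measures for each satellite,
    offset by the receiver's own unknown clock bias."""
    return [dist(pos, s) / C + clock_bias_s for s in SATS]

def solve_linear(A, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][c] * x[c] for c in range(r + 1, n))) / M[r][r]
    return x

def fix_position(delays, iters=30):
    """Standard GPS fix: solve (x, y, z, clock bias) from >= 4 pseudoranges
    by Gauss-Newton, starting from Earth's centre. A server handed a recorded
    signal can do no better than this: it only ever sees relative delays."""
    rho = [d * C for d in delays]            # pseudoranges in metres
    x, y, z, b = 0.0, 0.0, 0.0, 0.0
    for _ in range(iters):
        J, e = [], []
        for (sx, sy, sz), r_meas in zip(SATS, rho):
            r = dist((x, y, z), (sx, sy, sz))
            J.append([(x - sx) / r, (y - sy) / r, (z - sz) / r, 1.0])
            e.append(r_meas - (r + b))
        JtJ = [[sum(J[k][i] * J[k][j] for k in range(len(J))) for j in range(4)]
               for i in range(4)]
        Jte = [sum(J[k][i] * e[k] for k in range(len(J))) for i in range(4)]
        dx, dy, dz, db = solve_linear(JtJ, Jte)
        x, y, z, b = x + dx, y + dy, z + dz, b + db
        if max(abs(dx), abs(dy), abs(dz)) < 1e-3:
            break
    return (x, y, z), b / C

def retime_signals(attacker_pos, target_pos, attacker_clock_bias_s=0.0):
    """Trei's point 5: separate the per-satellite signals actually heard at
    attacker_pos, shift each by the difference in travel time to target_pos,
    and remix. Buffering everything by a constant keeps every shift a delay
    (nothing has to be 'advanced'); the constant is absorbed as clock bias."""
    heard = delays_at(attacker_pos, attacker_clock_bias_s)
    shifts = [(dist(target_pos, s) - dist(attacker_pos, s)) / C for s in SATS]
    buffer_s = max(0.0, -min(shifts))
    return [h + s + buffer_s for h, s in zip(heard, shifts)], shifts

def demo() -> dict:
    honest_fix, honest_bias = fix_position(delays_at(SITE, 2e-4))
    spoofed, shifts = retime_signals(ATTACKER, SITE, 7e-4)
    spoofed_fix, _ = fix_position(spoofed)
    return {
        "honest_error_m": dist(honest_fix, SITE),
        "honest_bias_s": honest_bias,
        "spoof_error_m": dist(spoofed_fix, SITE),     # attacker now 'is' at SITE
        "max_shift_s": max(abs(s) for s in shifts),   # sub-millisecond
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.6g}")
```

    The per-satellite shifts for a 190 km displacement are under a
    millisecond, far inside the hundreds of milliseconds of network lag a
    server must tolerate, and the attacker's own clock offset and buffering
    delay disappear into the clock-bias unknown that every position solution
    already estimates. That is why a verifier that reconstructs a position
    from a relayed signal, rather than from a signal it receives itself,
    learns only where the sender wants to appear to be.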
    
    ********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    