The deptment has a list o... (03 Jan 2003)
The deptment has a list of projects that people want doing. Sometimes they are specific and sometimes more in the form of "I wonder...". Here's the text of an I wonder project that I did in a loose hour today. Might be interresting for some people.
Detection of User Location -------------------------- Adam Langley, email@example.com Problem: "How can we reliably identify whether users are physically located in any particular region when they access our systems across the LAN/WAN (so that we can control what data access that have given different secrecy constraints)." Since the system is to be accessed across a network the only proof of location we can offer is information. Since the server's view of the world is limited to the data that passes through its network card it must trust another device to tell it the location of a user requesting some service. Having the server trust some special code is trivially vulnerable to a replay attack. Thus, in order for the server to know the location of a user, a challenge-response protocol must be used, and the challenges must timeout. The obvious answer to the problem of a trusted device to handle location is a system based around a GPS receiver that the user possesses. The problems with this are threefold: Firstly, in order for the server to trust the device it must be tamper-resistant. The level of tamper-resistance required varies with the security needs of the server, but if a location based security policy is even being considered then it's reasonable to expect that the server has some pretty impressive security needs and, correspondingly, that the device needs to be highly temper-resistant. Unfortunately, strong tamper-resistance is a difficult problem. Companies such as Cambridge Aero Instruments manufacture tamper-resistant GPS systems for applications such as gliding competitions (so that the contestants can prove that they reached the checkpoints). However, such a GPS system would have to be integrated into a package that also contains enough processing power to perform public-key cryptography (such as an IBM 4758). This is likely to be prohibitively expensive. Secondly, the GPS system has no authentication built in. Even if the device were perfectly tamperproof there would be nothing preventing an attacker putting it in a Faraday cage and faking the GPS signals. Thirdly, GPS jamming is reasonably simple. A DoS attack could be launched against a secure installation (where these devices are used) by jamming GPS signals. These aforementioned problems with GPS suggests that a trusted device know its location be other means, such as its immobility. Assuming that areas that are considered secure locations (by this system) are physically controlled then it would be reasonable to use much less tamper-resistance as the equipment and time available to an attacker would be limited. Thus the reduced tamper-resistance required makes the cost viable. The method of keeping it in place remains to be decided The interface of such a device deserves some consideration. A user must present a server generated challenge and pass the reply back to the server within the time limit. Since a strong connection to physical location must be preserved, a physical interface is appropriate; a keyboard for input and a till printer for output. The output could be a monitor, but since the replies are going to be quite complex (say, 160 bits base64 encoded) then the users are going to write them down anyway so a till printer will save them the time and effort. Postit notes and a pen should be provided by the terminals for the same reason. The challenges are not sensitive and the replies are only valid for a short time (to be determined) and only on a single terminal. (It goes without saying that man-in-the-middle attacks against the terminals must be prevented by the cryptographic protocol). Also, it must be considered that this location authentication is a hassel for the user and (with the security requirements in mind) the number of authentications in a given time should be less than for other schemes (such as passwords). Conclusions ----------- A location authentication system is certainly possible given a number of assumptions: * that locations considered secure by the system are physically secure against people bring in certain equipment (such as X-ray machines and shaped charges) and spending long amounts of time physically attacking the trusted location box * that the terminals are trusted not to leak the information once accessed, or to allow a man-in-the-middle attack And at certain costs: * Inconvenience for the user User training A trusted location * box per location Much remains unconsidered: * The details of cryptographic chal-rep protocol The design and * cost of the trusted location box The method of keeping the * trusted location box in place The human factors, such as the * presentation of the data and the length of the timeout  http://www.doc.ic.ac.uk/%7Esjn5/docpp/cgi-bin/ display_project.cgi?project=709  http://www.cambridge-aero.com/  http://www.phrack.com/phrack/55/P55-14  http://www.phrack.org/phrack/60/p60-0x0d.txt  Security Engineering, Ross Anderson, Chapter 14  Chapter 11, Section 5