ImperialViolet

The deptment has a list o... (03 Jan 2003)

The deptment has a list of projects that people want doing. Sometimes they are specific and sometimes more in the form of "I wonder...". Here's the text of an I wonder project that I did in a loose hour today. Might be interresting for some people.

Detection of User Location 
-------------------------- 
Adam Langley, agl@imperialviolet.org

Problem:

"How can we reliably identify whether users are physically located in
any particular region when they access our systems across the LAN/WAN
(so that we can control what data access that have given different
secrecy constraints)."[0]

Since the system is to be accessed across a network the only proof of
location we can offer is information. Since the server's view of the
world is limited to the data that passes through its network card it
must trust another device to tell it the location of a user requesting
some service.

Having the server trust some special code is trivially vulnerable to a
replay attack. Thus, in order for the server to know the location of a
user, a challenge-response protocol must be used, and the challenges
must timeout.

The obvious answer to the problem of a trusted device to handle location
is a system based around a GPS receiver that the user possesses. The
problems with this are threefold:

Firstly, in order for the server to trust the device it must be
tamper-resistant. The level of tamper-resistance required varies with
the security needs of the server, but if a location based security
policy is even being considered then it's reasonable to expect that the
server has some pretty impressive security needs and, correspondingly,
that the device needs to be highly temper-resistant.

Unfortunately, strong tamper-resistance is a difficult problem.
Companies such as Cambridge Aero Instruments[1] manufacture
tamper-resistant GPS systems for applications such as gliding
competitions (so that the contestants can prove that they reached the
checkpoints). However, such a GPS system would have to be integrated
into a package that also contains enough processing power to perform
public-key cryptography (such as an IBM 4758). This is likely to be
prohibitively expensive.

Secondly, the GPS system[2] has no authentication built in. Even if the
device were perfectly tamperproof there would be nothing preventing an
attacker putting it in a Faraday cage and faking the GPS signals.

Thirdly, GPS jamming is reasonably simple[3]. A DoS attack could be
launched against a secure installation (where these devices are used) by
jamming GPS signals.

These aforementioned problems with GPS suggests that a trusted device
know its location be other means, such as its immobility. Assuming that
areas that are considered secure locations (by this system) are
physically controlled then it would be reasonable to use much less
tamper-resistance as the equipment and time available to an attacker
would be limited[4]. Thus the reduced tamper-resistance required makes
the cost viable. The method of keeping it in place remains to be decided

The interface of such a device deserves some consideration. A user must
present a server generated challenge and pass the reply back to the
server within the time limit. Since a strong connection to physical
location must be preserved, a physical interface is appropriate; a
keyboard for input and a till printer for output. The output could be a
monitor, but since the replies are going to be quite complex (say, 160
bits base64 encoded) then the users are going to write them down anyway
so a till printer will save them the time and effort. Postit notes and a
pen should be provided by the terminals for the same reason.

The challenges are not sensitive and the replies are only valid for a
short time (to be determined) and only on a single terminal. (It goes
without saying that man-in-the-middle attacks against the terminals must
be prevented by the cryptographic protocol). Also, it must be considered
that this location authentication is a hassel for the user and (with the
security requirements in mind) the number of authentications in a given
time should be less than for other schemes (such as passwords).

Conclusions
-----------

A location authentication system is certainly possible given a number of
assumptions:
	* that locations considered secure by the system are physically
	  secure against people bring in certain equipment (such as
	  X-ray machines[4] and shaped charges[5]) and spending long
	  amounts of time physically attacking the trusted location box
	* that the terminals are trusted not to leak the information
	  once accessed, or to allow a man-in-the-middle attack And at
	  certain costs:
	* Inconvenience for the user User training A trusted location
	* box per location
Much remains unconsidered:
	* The details of cryptographic chal-rep protocol The design and
	* cost of the trusted location box The method of keeping the
	* trusted location box in place The human factors, such as the
	* presentation of the data and
	  the length of the timeout

[0] http://www.doc.ic.ac.uk/%7Esjn5/docpp/cgi-bin/
    display_project.cgi?project=709
[1] http://www.cambridge-aero.com/
[2] http://www.phrack.com/phrack/55/P55-14
[3] http://www.phrack.org/phrack/60/p60-0x0d.txt
[4] Security Engineering, Ross Anderson, Chapter 14
[5]                                      Chapter 11, Section 5