Authentication Via Geographical Location?
RudeDude asks: "
While reading Cryptonomicon I became a bit paranoid about encryption and digital signatures but it has me thinking a bit as well.
I'm trying to visualize a way to prove my physical location in a cryptographically strong way and I can't think of one. My digital signature proves who I am, but wouldn't it be nice if I could also give proof of my physical location at a given time stamp?
I've thought of only a few things that would be very hardware dependent, etc. but what I really think would be cool would be something that is as strong as digital signatures. Some sort of GPS/MD5 signature that a third party could confirm so that it would be impossible to spoof my location. " This question has been asked a bit by people looking to restrict services to various countries, but currently one can't be sure if the IP a person is using is really the location from which the connection is being made. Would a system like the one described above be a possible answer?
"This is mostly just a thought experiment, but I am curious to see what other Slashdot readers could maybe dream up. In my opinion (and I'm sure many others as well) my current meatspace coordinates usually mean much less than my network 'location' does, but I can think of many times where proving my meatspace location could be just as important as proof of identity."
Authorities.... (Score:1)
Why not location authorities that say "we are reasonably sure this person is who he says he is, and he was at this location at this date/time".
How does the LA (location authority) know where you are? Pictures would be good. Go to the "Location Authority", stop and get your picture taken.
Then you would have a certificate that said "I was in Paris on Nov 11/2000" You could use that for tourist tax refunds, or whatever.
This could even work for trucks... The location authority has a camera set up at a roadside location. As the truck goes by a picture is taken and datestamped, and now you can prove that that truck was at that location at that time.
Regional Registries: APNIC, ARIN, RIPE NCC (Score:1)
The fundamental problem with using IP to establish location is that IP was designed to separate physical topology from network topology. In other words, you're not supposed to know where hosts are at.
There are three main reasons in my experience why people want to do this:
There was a Spatial Relation BOF at the IETF in Australia this spring, but I don't know how that work is progressing. I expect that voluntary location is a solvable problem. You can also pinpoint someone's farthest possible location with simple speed of light calculations. Anything else I expect is either impossible or intractable.
Shane
Spacetime (Score:1)
Now, whether this is politically good or bad I'll leave to those more savvy in that arena.
Yes but .. (Score:1)
Not to mention that the killer app for WAP and bluetooth and the whole "mobile internet" thing will be mobility based.
If you can prove where you are, your provider can use that information to be able to return information based on your locale.
Re:Impossible in the general case (Score:1)
You don't have to have it embedded in your skin - you simply have to provide a piece of information only you would know, such as your PGP/GPG private key
And what if I log in over a secure connection during the bank robbery to prove that I was at home then? I could even use the X10 connection to flip the lights on and off so my neighbors could vouch for me.
Re:But... (Score:1)
I still like having the encryption in the satellites because it is very hard to tamper with. A scheme where the encryption is done in the receiver seems easier to break. There's a better solution but I can't quite think of it right now.
As for the usefulness of this, I hope this can be a tool for people to prove their whereabouts, but that it never becomes a requirement for anything.
Re:Uhmmm.... Pictures ?? (Score:1)
-David T. C.
Re:Fringe benefits for various internet sites (Score:1)
We seem to be doing fine with IPv4 combined with NAT. Ugly, but it works. IPv6 seems to be suffering from a combination of second-system effect, and too many cooks.
The geographical features in particular show that the people who built it haven't taken the Internet and what it represents to heart.
Inside IPv6 is a small, easy-to-implement protocol waiting to get out. Hopefully someone will notice.
Re:Fringe benefits for various internet sites (Score:1)
Yet another reason not to adopt IPv6.
signed by your key doesn't prove you signed it! (Score:1)
Location Authenticator? (Score:1)
I heard a rumor that satellite phones occasionally wake up and broadcast their position to the satellites, even when they are not in use. Any truth to that?
Re:Pseudo-random data stream? (Score:1)
My understanding of how GPS works (yes, probably another poorly informed slashdot poster) is that the GPS satellites send out clocking information and some other magic that allows receivers to triangulate to determine position. If you're trying to authenticate your location via GPS AND the system you're trying to authenticate to has its own independent system of GPS data verification, wouldn't the authenticatee be able to pass raw GPS data to the authentication system for verification?
I guess what I'm getting at: Is there anything in the GPS datastream that is unique enough over a short timespan that an authenticator with its own GPS information feed could use to at least verify the GPS information it receives? Of course this might mean having compromisable GPS authenticator "field offices" that have access to some high percentage of GPS satellites so you know the information being passed to you is valid, but hey, it could be one of the few
What about time authentication? (Score:1)
"Today, April 23rd 1982, I will sleep with Rebecca"
Someone replies,
"That's amazing! How did you know that?"
He replies,
"Simple, I make a new one every day."
For example you have to make sure that someone can't just sign multiple documents saying that "Nader will win", "Bush will win", "Gore will win" etc.
So, how do you prove that you signed something on a particular date? Does it require a third party? I don't like the idea of a centralized third party. Perhaps some sort of system where the time/date was verified by several timeservers in different countries run by various groups so you could be pretty sure that the system wasn't compromised.
Any thoughts?
Re:IPs allocated on regional basis... (Score:1)
I would suspect that AOL also suballocates its IP addresses, and probably gets its European IP addresses from the European pool.
I'll buy the hit about connecting long distance to your ISP though!
Credit Card Number and Mobile Phones (Score:1)
From these records one could then determine the 'average' shopping location (ignoring on-line purchases) and the last shopping location...
Mobile phones could also be used - the phone companies (can) know the current location of the phone and have details of its owner... You just need them to give access to the data...
One such service is available already (Score:1)
Back when iCraveTV was litigated, they promised to return with better security, implemented with the help of www.bordercontrol.com. Try it out, it's pretty exact (at least with the country).
However, all this will be useless if you use a bouncer or a web proxy at a different location. Any location information on the Internet can be spoofed with the current technology. I'm not sure if IPv6 will change anything, so far I haven't noticed any location-specific header field in the specs.
Lo-tech solutions... (Score:1)
Do a couple of jumping-jacks.
Yeah, ok, you're there, third window from the left.
Good. Can you send me the software, then?
Re:Lo-tech solutions... (Score:1)
<person1> I'm waving now.
<person2> Do a couple of jumping-jacks.
<person2> Yeah, ok, you're there, third window from the left.
<person1> Good. Can you send me the software, then?
Re:GPS (Score:1)
Re:GPS becomes mandatory in USA for mobile phones (Score:1)
This is a good example of a "Trusted" 3rd party system. And I mean trusted in the sense "I trust the information" and not in the sense "I trust the phone company"
Also TDMA / GSM systems use "advance timing" signaling to tell the cell phone to broadcast a packet a little ahead of its time slot so that when the signal reaches the antenna from a far off distance, the packet will arrive within its window - thus on digital systems the switch knows how far you are based on timing errors!!
Re:GPS becomes mandatory in USA for mobile phones (Score:1)
The current digital Cellular standards - in the US this is VoiceStream, AT&T - including GSM and D-AMPS (Not Sure about CDMA) use something called Time Division Multiplexed Access (TDMA). For North America every cellular "channel" (a channel is 30 MHz of bandwidth) is split into 3 time slots (This is why all cellular companies are moving to digital: 3 times as many phone calls in one older analogue - AMPS - channel)
Now if I am 20 km from a cell site it will take 60 micro seconds for my signal to arrive at the antenna. The switch will detect this. If my signal arrives too much out of sync I will squash the signal arriving from someone else using the next time slot. So the switch - through signaling embedded in the downstream link (phone is full-duplex) - will tell my phone to send the digitized voice packet 60 micro seconds ahead of time so that the time to travel to the antenna is taken into account and my packet hits its time slot to perfection. A time slot is in the order of tens of milliseconds wide - I don't remember.
From this - the switch can know roughly how far you are from the antenna. This info is currently not collected unless you are debugging the air interface - and collecting this information IS CPU intensive on a switch degrading its performance. That is "advanced timing"
Currently what they are doing for phone tracking is placing a second receiver on the base station antenna. The switch also knows what other antennas are in the vicinity of the cell phone (for handoff purposes). On a 911 call the switch will signal these additional receivers on the surrounding base stations to listen and time stamp your voice packet. This information is passed back to a computer that can calculate your location.
In any given cellular switch (handles about 60000 simultaneous phone calls !!!) there is only a handful of 911 calls - a switch could not track EVERY phone call in a system, it would make the network cost too much!!! And remember AT&T makes no money tracking you.
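An added example, not from any poster here, of the two distance-from-timing ideas in this thread: Shane's "farthest possible location with simple speed of light calculations" and the timing-advance mechanism described in the post above. A verifier that measures a challenge-response round trip gets a hard upper bound on the prover's distance and can reject a claimed position outside that circle; the GSM timing-advance step (one bit period, about 553 m one way) is the standard value, while the coordinates and delays are constructed sample inputs.

```go
package main

import (
	"fmt"
	"math"
)

// Speed of light in vacuum, m/s. Real links (fibre, copper, radio) are no
// faster, so a distance computed with c is a hard upper bound: delay can be
// added by a relay or a slow prover, but never removed.
const speedOfLight = 299792458.0

// GSM timing-advance step: one bit period (48/13 microseconds) of round-trip
// delay, i.e. roughly 553 m of one-way distance per step (standard GSM value).
const gsmTimingAdvanceStep = 48.0 / 13.0 * 1e-6

const earthRadiusMetres = 6371000.0

// greatCircleMetres is the haversine distance between two lat/lon points
// given in degrees.
func greatCircleMetres(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := math.Pi / 180
	dLat := (lat2 - lat1) * toRad
	dLon := (lon2 - lon1) * toRad
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(lat1*toRad)*math.Cos(lat2*toRad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusMetres * math.Asin(math.Sqrt(a))
}

// MaxDistanceMetres is the farthest the prover can be from the verifier given
// the measured round-trip time and the prover's known (or declared minimum)
// processing delay, both in seconds.
func MaxDistanceMetres(rttSeconds, processingSeconds float64) float64 {
	oneWay := (rttSeconds - processingSeconds) / 2
	if oneWay < 0 {
		return 0
	}
	return speedOfLight * oneWay
}

// TimingAdvanceMetres converts a GSM timing-advance value (0..63) into the
// approximate one-way distance between handset and base station.
func TimingAdvanceMetres(ta int) float64 {
	return speedOfLight * float64(ta) * gsmTimingAdvanceStep / 2
}

// ClaimPhysicallyPossible is the verifier's check: the claimed position must
// lie inside the circle the timing allows. Someone relaying the challenge to
// an accomplice elsewhere can only make the round trip longer, so a claim that
// needs a shorter path than the bound permits is impossible, while a claim
// inside the bound is merely "not ruled out", never "proven".
func ClaimPhysicallyPossible(vLat, vLon, cLat, cLon, rttSeconds, processingSeconds float64) bool {
	return greatCircleMetres(vLat, vLon, cLat, cLon) <= MaxDistanceMetres(rttSeconds, processingSeconds)
}

func main() {
	// Constructed sample: verifier at the equator/prime meridian, prover
	// claims to be one degree of longitude away (about 111 km).
	fmt.Printf("1 ms RTT allows %.0f m\n", MaxDistanceMetres(1e-3, 0))
	fmt.Println("claim possible at 1 ms RTT:", ClaimPhysicallyPossible(0, 0, 0, 1, 1e-3, 0))
	fmt.Println("claim possible at 0.5 ms RTT:", ClaimPhysicallyPossible(0, 0, 0, 1, 0.5e-3, 0))
	fmt.Printf("GSM timing advance 36 steps: about %.0f m\n", TimingAdvanceMetres(36))
}
```

Note that the bound only ever excludes positions: a prover can always look farther away than it is by delaying its reply, so this check rules out impossible claims rather than proving a location.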
Fingerprints (Score:1)
Mark
phone # (Score:1)
Re:But... (Score:1)
This would prove that the GPS data was provided by the card and was not tampered with after it came out. From there, it's up to the person to sign the GPS data to verify that he/she believes the GPS data represents their position.
It would be quite simple for a GPS receiver to have a built in manufacturer key and sign data it produces.
Re:But... (Score:1)
or something like that.
Re:Fringe benefits for various internet sites (Score:1)
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
Re:A solution of sorts (Score:1)
Then just have it so if it's tampered with, the power is cut.
Re:Fringe benefits for various internet sites (Score:1)
IPv4 addresses can also be traced to you, albeit with *slightly* more difficulty.
NAT and dynamic IP addresses are the two most troublesome systems on the internet. They're the reason we have all these kludgy client-server protocols (instant messengers and the DynDNS come to mind) that would be better replaced by true peer-to-peer protocols (like SMTP, DNS, internet phone, etc).
If you're worried about anonymity, have a look at the Freenet project, rather than hindering the much-needed adoption of IPv6.
Some benefits of IPv6 off the top of my head:
Re:Pseudo-random data stream? (Score:1)
AFAIK, it's not signed or anything.
Re:But... Here's how you could do it (Score:1)
hack it physically will destroy the device. Then you call a phone number, or some agency calls your cell phone, and you give a voiceprint and some PIN-like key to prove that it is, in fact, you on the other end.
This should be sufficient if you want to prevent others from impersonating you. For situations where one might *want* their buddy to impersonate them (e.g. provide an alibi), the agency that is relying on this device as proof of position, could equip the device with a fingerprint scan or a retina scan. That way, *you* are confident that nobody will impersonate you against your will, and *they* are confident that nobody is impersonating you against *their* will.
Physical ID's (Score:1)
Any company that we depend upon to design or implement this technique, will become (at least to some perspectives) a big-brother entity.
Who can be trusted to take on such a role? If it is an open-source solution, how would we keep the code from forking like the Windows Manager(s) of an OS that we all know and love? What happens when a company is trusted to implement this system by 51% of the "known good and decent computers of the world" and then mandates the use of an obscure field (MS-Kerberos)?
And why can we expect that this would be accepted by the computing public, given our reaction to cookies, the PIII Proc. ID, and any number of other perceived infringements on our privacy? I know Slashdot is not representative of the Computing Public as a Whole, but our sample reactions may not be too far off-base.
Where does the right to privacy give way to the right to be properly identified and trusted? And vice versa?
Verification requires a reproducible test. (Score:1)
It could be something like a tightbeam transmission to the asserted location (which must then be encoded and sent back to us), but what you've actually done there is verify that the person making the assertion has a receiver at the tested location.
An Orwellian "1984"-esque surveillance system would allow for visual verification of asserted location (and depending on the available data, verification that you aren't anywhere else either (you don't have a doppel at the claimed location)), but would come at a serious cost of privacy, hopefully made obvious by my choice of a definition.
In short, I'm not interested in paying for the installation of an infrastructure that allows you or anyone else to verify my current location...
Regards, Ross
Re:A solution of sorts (Score:1)
Hitchhiker's Guide... (Score:1)
For instance, (after establishing identity conventionally) I claim that I am at my college's computer lab, at XX terminal. It tells me to read the serial number from under the keyboard. If I get it right, I'm in.
Of course you would need a large number of facts for any verifiable location, and they'd have to be things you wouldn't think to memorize beforehand, and preferably things that won't change too often, unless you can keep the DB up to date with the changes, in which case fast changes are good.
Source generated routes? (Score:1)
Re:Fringe benefits for various internet sites (Score:1)
They already have your ZIP. Wouldn't that work just as well?
--
Two things (Score:1)
Art thou on crack? If so what brand crack of art on thou?
A fax counts as digitally secure and binding. Yuck. A 5 year old could forge one easy. Clicks count as a binding agreement.
Digital signatures may be strong "legally" in that you can get sued even if you don't even own a computer, but that only makes me more worried.
The other thing was:
Someone earlier mention an interesting chain of authentication to prove that they were who they said they were.
How about having the user enter the key into the system to decrypt that day's instructions on how to finish authenticating.
Re:digital angel (Score:1)
Re:Fringe benefits for various internet sites (Score:1)
-----
Re:Is that really desirable? (Score:1)
Some working methods (Score:1)
Re:Impossible in the general case (Score:1)
GPS becomes mandatory in USA for mobile phones (Score:2)
As I am reading this thread, I just returned from a job interview at a company that manufactures GPS receiver chips and learned that a new FCC regulation will require all new mobile phones released on the market starting in January 2001 to have onboard GPS.
The interviewer would not go into details as to which purpose the FCC hopes to achieve (find wounded hunters lost in the middle of nowhere in an emergency situation, or make localization of mobile-savvy criminals easier) but it sure looks like Big Brother is watching us.
Re:GPS (Score:2)
No problem. It's not a different algorithm, but not giving an exact timing. It was called SA (Selective Availability) and it basically made the time received from the sats a bit random. Seeing as the sats/receiver depend on timing to get position, IIRC, you had up to 100m epe (estimated position error) on a civilian gps unit. Two ways to bypass this: Get a differential GPS, basically two receivers in one unit, and average your location, so to speak. Or get the encrypted military band, via military receiver, which broadcasts the corrections to cancel out SA.
BTW, SA has been off for the better part of this year, so my handheld Garmin gets accuracy near that of a military handheld unit. Though differential units found in aircraft are still more accurate.
bash: ispell: command not found
Re:But... (Score:2)
Let's say that I'm accused of an armed robbery which occurred while I'm on a hunting trip (this really happened to a friend of mine). To have a system intended to prove my location which were usable as a defense, it would have to be proof against my own spoofing.
As a result, it would be more effective to have a system with two-way communication (thus utterly unlike GPS) which permits a user to request that their position and some arbitrary data (e.g. biometrics, signed by the user's key, recovered from the user to demonstrate that they're with their equipment) be returned with the digital signature of the verifying service. Such a token would demonstrate the position of my equipment (via the reading) and my presence (via the biometrics... yeah, I know this is shaky... I hate biometrics too). A timestamp should also go inside the service-verified info.
Though I haven't had 'nuff sleep lately to really think something like this through seriously, that should work. Main issue is that it requires two-way communication, and a replacement of the current GPS system (perhaps w/ towers doing triangulation if it only needs to be used inside a fairly small area; otherwise larger/heavier/more expensive equipment is needed).
Misconception (Score:2)
I am most definitely NOT talking about a proof of location that is broadcast without user control. I'm talking about a voluntary "location signature" type technology. (For example I do not have to use digital signatures at all times and I can produce an "anonymous" one as needed to hide my own identity.)
I've also had the suggestion from someone else in the office that a third party signature of time stamps would be handy. For example, instead of having certified postal mail sent back to myself to prove my patent is pre-dated, perhaps there could be a way to get a third party time stamp included in my digital signature.
Just more fun thoughts. :)
---
Don Rude - AKA - RudeDude
I can think of other uses... (Score:2)
--
Re:Mobile computing? (Score:2)
So, the laptops were fitted with PCMCIA GPS cards, and these were integrated with some of the apps on the laptops. The employee couldn't access some things if they were in the wrong country.
I'm not sure if the project was ever widely released or seen as practical. Obviously it relies on not being able to hack the GPS card, and not getting administrator/root access to the machine.
GPS, fun as it is, is limited. The GPS system is passive and cannot determine the location of GPS devices - unlike, say, the mobile GSM system that CAN determine where mobile phone devices are. Rather, the GPS receiver devices can determine the location of the GPS satellites, and then compute their own location from that data. That makes it rather less useful for proving the location of a GPS receiver.
Also, in my experience of GPS, which is quite good, it is utterly useless at determining altitude. But maybe I've been unlucky with handsets.
an idea (Score:2)
Re:But... (Score:2)
Re:Fringe benefits for various internet sites (Score:2)
Why should they be afraid? There have been numerous cases where people in countries that don't have any anti-cracking laws couldn't be touched by US laws for crimes they committed in the US...why should it be different the other way around?
Gambling is legal in North America..the only catch I can see is making sure that the gambler is 18 (or 21 or what ever).
IPs allocated on regional basis... (Score:2)
Similarly ISPs are allocated a pool of IP addresses, so when you connect it is highly probable you can be located down to country or even local level, unless you indulge in a little spoofing.
Hell, we can't even get reliable timestamps... (Score:2)
The author mentioned timestamps, but timestamps have all of the same problems GPS data have.
When you create a signature with a timestamp, where does the time come from? If you're using only software, the timestamp is probably coming from the operating system, which thinks the time is whatever you tell it it is. It's not especially hard to generate an incorrect timestamp.
So in both cases we have to rely on trusted hardware, which is always a tricky thing. Even if I have a hardware device which includes a clock as well as the ability to store keys and generate timestamps, I still have to trust that all of the code involved is bug-free and the clock is correct. And it's easy to make sure the clock is correct only if you assume a few different parties can be trusted.
So sure, you can make a GPS receiver that signs and timestamps its data. But you have to trust everything inside the box, you have to trust the people who created the firmware, and you have to trust that the box can't be modified. Even the most secure hardware devices are subject to attacks. And this doesn't even address the question of where the GPS signal itself might be coming from...
I think this is doable (Score:2)
I believe this is the proper way to do it in a military setting where you can serialize each device, hand create and install encryption and authentication keys. It's not entirely useful in the general sense because after you sell a million trusted GPS devices people could start doing fraudulent things like buying two, leaving one in a particular place, having their friend read the numbers off of it to you over the phone and then let you report that you're in a place where you're not. Plus you still have to hand create each GPS receiver to keep it trusted.
I'm thinking that it would be partially realtime though. Like this. Billy claims he is at 40NX105W and sends you a stream of bits sent to him by a set of satellites. Susie examines his signature and believes that he is Billy then she examines the data and it looks like he really is where he says. To be positive Susie talks to the set of satellites Billy is in contact with and causes them to send random tokens in a random order and since she knows the order and his location she can tell what order he should receive them in. Then Billy has some small number of milliseconds to report the series of bits he sees in the correct order to verify his location, if he has too much time he could be in a different location, receive all the streams, reassemble them as they should be and then transmit them back so we're talking about very very small timing tolerances. Maybe you need anonymous satellites to do this. Right now GPS knows which satellites it is talking to and can tell the difference between them.
Re:cryptographically secure witnesses? (Score:2)
GPS + Crypto Sig (Score:2)
However, this does not prevent someone who is at one location sending the stream he receives to an intermediary at a different location who will then authenticate with the first (fake) location.
There could also be a sort of small scale distributed location finding algorithm. If you have a large group of people with transmitter/receiver pairs within some distance (dependent on transmit/receive power), you could have everyone triangulate on each other. The more people you have in your system, the more compromised units you'd have to have before you'd get spoofed results. Of course you could never be sure that the location data hasn't been spoofed, but given enough people, you could have some high confidence probability in the result. If you have a high enough density of people, you could spread the network of transmitter/receivers across the entire planet.
Now what do you folks think, should I get a patent on this?
Re:Uhmmm.... Pictures ?? (Score:2)
Re:data driven (Score:2)
Re:A solution of sorts (Score:2)
Re:digital angel (Score:2)
A GPS antenna is significantly larger.
Re:But... (Score:2)
Bank Shot (Score:2)
The edge device you connect to to access the 'Net will be registered with the Feds (this is only a matter of time). Knowing how long it takes light to travel to the closest fiber-to-copper demarc point by your house, it will be easy for the edge device and/or your PC to spit out some numbers showing what will essentially be a ping time delay. Knowing that Registered Router X serves the geographic area of Y, and you are 2.003ms away from Router X, then you must be 1.22 miles from the router. The fiber run you are on goes down Big Brother Ave, so you're 1.22 miles from the end of Big Brother Ave.
It's not a pin-pointer, but it proves that you're not on the other side of the world impersonating yourself...
Re:GPS (Score:2)
You're wrong
An impractical Holy Grail. (Score:2)
As a for-instance, I've been doing a lot of transatlantic communications lately with a fellow named Roger [last name deleted]. At least, he says his name is Roger... but since I've never met him, I haven't been able to verify his identity by examining his passport, his driver's license, etc. So I just have a voice to identify, and that voice is self-identified as Roger, which is no identification at all.
Roger and I exchanged OpenPGP keys. His OpenPGP key identifies him as "Roger John Laurence [last name deleted]". But I still didn't know if this was really him or not, so we talked voice. After verifying that it was the same voice I'd talked to earlier, and he doing the same (a process no more complex than "Hey, Roger?" "Yeah, mate?"), we exchanged SHA-1 hashes of our OpenPGP keys and verified we'd received each other's keys successfully.
We still haven't verified anything.
For all I know, Roger has given a copy of his OpenPGP key and passphrase to another person, and all of my email is coming from this third person who's not Roger. And for all Roger knows, I've done the exact same thing.
Signatures can only verify identity in the case of two parties who trust each other. Trust is antithetical to proof; therefore, it's hard to say "digital signatures prove identities". They don't. They make it easier to trust, but that's not the same as proof.
Insofar as this GPS verification scheme--good luck. The likelihood of a system being subverted increases with the square of the number of people involved. How does the trusted third party ensure that both parties are reporting their location honestly? If I'm really in Cedar Rapids, Iowa (42N 42W--Cedar Rapids is the closest city I could find to the Magical Location of Life, the Universe and Everything), I can have a conspirator in Quito, Ecuador (0N, approx 55W). When the third party tells me, "Okay, verify your location according to this protocol," I can have my conspirator in Quito perform the protocol and send the result back to me; then I send the result on to Trent, the trusted arbitrator.
How is Trent to know that I've done a man-in-the-middle attack against his system? Well, it's possible that this system can be patched up to solve the man-in-the-middle problem. But those patches will themselves have attacks against them, and the entire situation quickly devolves from there.
Crypto works well with communicants who (a) want to talk to each other and (b) trust each other to apply a protocol properly. Once you take away either assumption, most crypto falls flat on its face.
Re:But... (Score:2)
I work in the GPS business and would be interested in pursuing this a little further. If anyone has any bright ideas, let's throw a prototype together.
Re:A solution of sorts (Score:2)
Nope. The satellite can be sure of Bob's location if he signs a reply to its message and sends it "instantly". Then only somebody with his key could be in France.
BUT... he could leave a copy of his key in France. And at this point you're right, and that is the killer for my original suggestion. Protocols which rely on secret information are broken if one of the parties doesn't want to keep it secret! We can't trust Bob not to duplicate his identity, unless his "location key" is embedded in a closed box, which is designed to self destruct if anyone breaks the seal :)
Now of course, the perfect self destructing locked box is non-existent. However, you can do pretty well with pre-written EEPROMs inside a microcontroller. Breaking one of those open and reading it would be a pain and a half; add a few anti-tamper measures, and it gets really evil. If you were completely paranoid, you could add an "expiry date" so that you needed a new chip each month.
Maybe I shouldn't be saying any of this, because I can think of many more evil applications of this technology than good ones.
Re:An impractical Holy Grail. (Score:2)
If you'd like to verify that signature, my public key is posted on my user page here on /. and also on the common key servers. I can't however provide any way for you to actually verify that I correctly keyed in the location displayed on my GPS receiver, nor do you have any way of verifying that the position it reported was accurate.
_____________
Re:An impractical Holy Grail. (Score:2)
Hash: SHA1
41 58 34N 91 57 12W
Trying that again. Gotta remember, Preview is the one on the right.
_____________
Scary (Score:2)
I'd rather keep it so that no one really knows where I'm from online, unless I tell them (and don't lie).
Re:A solution of sorts (Score:2)
Re:IPs allocated on regional basis... (Score:2)
Unless you happen to be on AOL?
Re:Doesn't this exist already? (Score:2)
First of all, to clarify: no, Quova can NOT _pinpoint_ users in real time. They have catalogued IP addresses and correlated them with locations. If your IP is not static, or has changed since their cataloguing (sp?), their data is meaningless. Same for dial-up users, who will all appear to be in the same place (wherever the server is) even though they may be spread far and wide. Think AOL. A simple example: say I have an account with my ISP. I could be dialing in to the same number from home; or from a friend's house; or from across town; or from another state, for that matter, if I'm willing to pay long-distance charges; all of these would give an IP address that appears to be in the same location.
The main thrust of this problem is not just knowing where someone is generally, but using exact location for authentication/identification. You would need a way of verifying that the person/device is precisely where they claim to be. Knowing that a particular IP implies that they are in a certain city or even on a certain street means little in this context. Authentication requires much more precise, verifiable information than could be provided by Quova.
One case where physical loc is important... (Score:2)
Imagine a system that can accept appointment requests for you and based on rules you specify, either accept, reject, or notify you of this appointment request. This sounds great, right: agent based appointment scheduling. Might save everyone a lot of time, etc.
Okay, pretend you want to build this system. If your agent wants to schedule you (or you do it yourself) for an appointment at 2:30 and you are currently engaged until about 2:15 it may only be a good idea to schedule this if the travel time is less than 15 minutes.
Now you could specify a "map" of your normal stomping grounds and the distances between some of them, and let the computer do the math, but this is limiting and requires "thought". If all the little networked devices involved in all this scheduling know their co-ords (either stored, accessed from a database, or by GPS) the whole problem becomes easier. You enter some upper/lower bounds for travel times (over some set ranges) and the whole system becomes more general.
Finally, one of the best reasons to have security and encryption is so people can prove they are who they say they are... If you build geographics into the authentication this may be useful but wouldn't it be easy to spoof the location? The input has to come from somewhere...
GPS (Score:2)
the GPS information needs to be signed (Score:2)
I am no GPS guru, but I think I know enough to do some handwaving -
My understanding is that the GPS satellites transmit timing information, and the receivers use this information (from multiple satellites) to perform a triangulation computation, and to determine a location.
What you could do is have the satellites transmit a signature along with the timing information, and this could prove that the timing information could only have come from a GPS satellite.
This means that your receiver knows that it is receiving real GPS information - however, everyone else in your immediate vicinity also receives the same information. The receiver actually carries out the computation to determine a location, so therefore, you would need to have the receiver sign the computation - this proves that the output was computed by a legitimate process.
Then, you could sign the result with your private key - this would prove that you signed some location information.
To verify all of this, the client (who you are proving to) would verify that you signed the location information - then it could verify that the location was created by a trusted process, by verifying the signature. It could also verify the timing signals from the satellite, to verify that they were legitimate, and that your signed location information was generated within a recent period of time (to prevent a replay of older information).
How does that sound? Other technologies - differential GPS may blur this, and perhaps a GPS guru could comment on the above.
Re:But... (Score:2)
Your detail is fine, but to protect against malicious users, the GPS data needs to be signed by the "GPS server" [1] to prevent the user from simply changing the GPS location data to another value. In this instance an MD5 isn't sufficient: the user could simply substitute the MD5 for another known value.
Oh, the GPS data will also need to be timestamped - this prevents replay attacks.
[1] Either the data from the satellite could be signed in some way I guess, or the GPS decoder could be a "trusted host".
Time coded satellite based challenge-reply (Score:2)
A network of satellites constantly transmit time-coded challenges.
The land based receiver grabs at least three of these challenges at the same time, combines them, signs them with the user's private key and sends them back up to the sky. By using the time difference and the speed of light, the receiving satellite can verify that the private key is within a certain distance from the receiving satellite. Verifying that the private key is the same place as the user is a bit more difficult, but we have to start somewhere.
The actual precision with which this method could pinpoint the user would depend upon the speed of computation.
If specialized hardware could perform the capture, signing and transmission in 10 microseconds, then the position of the signer could be pinpointed to within 3e8 * 1e-5 / 2 = 1.5 kilometers. (Speed of light in m/s times the number of seconds equals the time it would take to transmit the signal to somewhere else and back)
Assumptions:
* User alone maintains control of their private key. (This is a biggie. A user could give the signing device to an accomplice and send them off somewhere. )
* Tamper proof, time-synchronized satellites (this is fairly safe now, but for how long?).
* No information travels faster than the speed of light in a vacuum. (I believe work has been done with connected quantum spins that already threatens this assumption.)
Use speed of light timing, same as GPS (Score:2)
A: Your device sends an authentication session request to the satellite network.
B: Several satellites in range [after coordinating with each other to ensure precise timing] send out a "packet" addressed specifically to your device.
C: Your device, upon receiving each packet, immediately sends out a response.
D: The satellites compare the time they received the response, and know where you are.
Basically, it's like being pinged from several locations at once. It's a reversal of the semantics of GPS itself. Current GPS works because each satellite is sending out time stamps continuously, and your receiver compares the difference in local arrival time from the stamps sent at the same time. [This is because the speed of light is finite, and the satellites are at different distances from you].
You just need to reverse the process, sending back a ping, and have the satellites coordinate the difference in arrival time of the signal.
Come to think of it, a special device wouldn't really be necessary. Any transmission that can be intercepted by the satellites could be sampled, and arrival time differences used to locate the source precisely. Hmmm.
I'd be willing to bet good money the government already has just such a capability.
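The two posts above (the time-coded challenge-reply scheme and the "reverse GPS" ping) both rest on the same verifier-side check: a reply cannot come back sooner than light can cover the round trip, so each satellite's measured round-trip time gives an upper bound on how far away the responder is. The following is an added example, not code from the thread; the satellite coordinates, the responder position and the 10 microsecond processing time are constructed values, and it uses straight-line distances in a flat coordinate frame rather than real orbital geometry. It also shows the caveat a verifier has to keep in mind: a responder can always make itself look farther away by delaying its reply, so the check only rules out claims that are too far from a satellite, never ones that are too close.

```python
import math

C = 299_792_458.0  # speed of light in vacuum, metres per second


def distance(p, q):
    """Straight-line distance between two 3-D points given in metres."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def resolution(processing_s):
    """Position uncertainty contributed by the responder's processing time:
    light covers c * t in that time, and the path is out-and-back."""
    return C * processing_s / 2


def max_distance(rtt_s, processing_s):
    """Upper bound on the responder's distance from one satellite.
    Returns None when the reply came back sooner than light allows,
    which no responder, honest or not, can achieve."""
    flight_s = rtt_s - processing_s
    if flight_s < 0:
        return None
    return C * flight_s / 2


def check_claim(satellites, claim, processing_s):
    """Verifier side: the claimed position must lie within the distance
    bound derived from every satellite's measured round trip.
    satellites: list of ((x, y, z), rtt_s). Returns (ok, reason)."""
    for sat_pos, rtt_s in satellites:
        bound = max_distance(rtt_s, processing_s)
        if bound is None:
            return False, "reply faster than light"
        if distance(claim, sat_pos) > bound:
            return False, "claim outside distance bound"
    return True, "consistent"


def simulate_rtt(sat_pos, true_pos, processing_s, extra_delay_s=0.0):
    """Constructed measurement for testing: out-and-back flight time plus
    the responder's processing time and any deliberate extra delay."""
    return 2 * distance(sat_pos, true_pos) / C + processing_s + extra_delay_s


# Constructed scenario: three satellites, responder at the origin.
SATS = [(0.0, 0.0, 2.0e7), (1.5e7, 0.0, 1.3e7), (0.0, 1.5e7, 1.3e7)]
TRUE_POS = (0.0, 0.0, 0.0)
PROC_S = 10e-6  # the 10 microsecond figure used in the post above


def honest_measurements(extra_delay_s=0.0):
    """Round trips a responder at TRUE_POS would produce, optionally
    stalling each reply by extra_delay_s to look farther away."""
    return [(s, simulate_rtt(s, TRUE_POS, PROC_S, extra_delay_s)) for s in SATS]


if __name__ == "__main__":
    print("resolution at 10 us:", round(resolution(PROC_S)), "m")
    print("true position:", check_claim(honest_measurements(), TRUE_POS, PROC_S))
    print("1000 km off:", check_claim(honest_measurements(), (1.0e6, 0.0, 0.0), PROC_S))
    print("150 km off, reply stalled 1 ms:",
          check_claim(honest_measurements(1e-3), (1.5e5, 0.0, 0.0), PROC_S))
```

With the 10 microsecond figure from the post, `resolution` comes out at just under 1.5 km. The last line of the demo is the caveat: stalling every reply by one millisecond widens each bound by about 150 km, so a claim 150 km from the true position passes that would have been rejected with honest timing. Distance bounding of this kind therefore proves "no farther than", and a second mechanism is needed for "no closer than".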
Heisenberg... (Score:2)
Re:Heisenberg... (Score:2)
This is stuff that matters (Score:2)
...because the rest of us might finally understand where he's coming from :)
Re:But... (Score:2)
I'm not sure how to read the question, but I started to think about the question "how can I prove after the event that I wasn't at the scene of a crime?"
Now at very first thinking various issues come up:
Data must be controlled by me - I don't want my location tracked by any third parties; I just want to be able to reveal/prove where I was at a certain time, at my instigation.
Maybe some kind of trusted third party injecting random but recorded bitstreams into the ether as radio waves at every gridpoint, and changing every minute or so.
There would need to be process and cryptographic controls on this infrastructure.. might not be possible.
You would record the bitstreams on a pocket recorder or mobile phone device, and then you can say "look, the random code at this time and place was xxx".
Then there is the question of cheating... I just ask my friend who was there what the number was. So I guess I have to record the numbers on a "tamper proof" (see Secrets & Lies [slashdot.org] for why I put quotes around that) device like a Smart card, that only the "authorities" (whoever they are) can extract the information from.
There would need to be a password protected scheme so I have to give my authorisation for a date-range of location data to be extracted as well. So I would have to trust this device, a lot more than I trust say Carnivore.
Then what if I know I'm going somewhere bad and I just give my card to a friend for a day or so. Not sure here.. maybe the device has to randomly demand some biometric data from me at random times.
Pretty interesting stuff.. gonna have to re-read Schneier's books (again). I recommend the section in Applied Cryptography that deals with protocols, for stuff along these lines.
I might put this up and work on it some more at my web site [lot105.com]. Or I might not.
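The scheme sketched in the post above (an authority broadcasting recorded random codes per gridpoint per minute, a pocket device recording them, and release of a date range only with the owner's authorisation) can be modelled in a few lines. This is an added example and not the poster's design or code; it assumes the "random but recorded" codes are derived from an authority secret with HMAC rather than stored, which keeps them unpredictable to anyone without the key and lets the authority recheck a claim by recomputation instead of a lookup. Gridpoint names, the minute counter and the passphrase are constructed values.

```python
import hashlib
import hmac

CODE_CHARS = 12  # truncated hex digest; length is an arbitrary choice for the example


def beacon_code(authority_key, gridpoint, minute):
    """The value the authority broadcasts at `gridpoint` during `minute`
    (minutes since some epoch). Derived from a secret key, so nobody without
    it can predict a future code or reconstruct one they did not receive."""
    msg = f"{gridpoint}|{minute}".encode()
    return hmac.new(authority_key, msg, hashlib.sha256).hexdigest()[:CODE_CHARS]


class PocketRecorder:
    """Stand-in for the user's recording device (smart card, phone).
    Observations are released only for a minute range the owner authorises."""

    def __init__(self, passphrase):
        self._passphrase = passphrase
        self._log = []  # (gridpoint, minute, code) triples as heard on air

    def observe(self, gridpoint, minute, code):
        self._log.append((gridpoint, minute, code))

    def extract(self, passphrase, start_minute, end_minute):
        """Returns the entries in range, or None without the owner's authorisation."""
        if not hmac.compare_digest(passphrase, self._passphrase):
            return None
        return [e for e in self._log if start_minute <= e[1] <= end_minute]


def verify_presence(authority_key, gridpoint, minute, code):
    """Authority side: recompute what was broadcast there and then, and compare."""
    expected = beacon_code(authority_key, gridpoint, minute)
    return hmac.compare_digest(expected, code)


def demo(authority_key=b"constructed-authority-key", passphrase="constructed-pass"):
    """Walk through one day: record two codes, release one hour, verify it."""
    rec = PocketRecorder(passphrase)
    # The device hears the broadcast at gridpoint "G-42-17" at minutes 26000000 and 26000001.
    for minute in (26_000_000, 26_000_001):
        rec.observe("G-42-17", minute, beacon_code(authority_key, "G-42-17", minute))
    released = rec.extract(passphrase, 26_000_000, 26_000_060)
    checks = [verify_presence(authority_key, g, m, c) for g, m, c in released]
    return released, checks


if __name__ == "__main__":
    entries, results = demo()
    for entry, ok in zip(entries, results):
        print(entry, "verified" if ok else "REJECTED")
```

Because the code is bound to both the gridpoint and the minute, a code heard one cell over or one minute later fails verification; what the scheme cannot do on its own is stop the friend-who-was-there problem the post raises, since a valid code proves only that someone relayed it to the device.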
Re:But... (Score:2)
The idea of using a trusted third party to validate people's locations, already mentioned here, would need an international standard to be agreed and would probably need to rely on fingerprints / retina scans et cetera to work, so probably not any time soon...
I'm a bit worried that people who don't want to prove that they are in a particular region (don't want their fingerprints on file, for example) will be denied various services, such as the latest encryption software.
Can be used for Evil (Score:2)
"There's a party," she said,
"We'll sing and we'll dance,
It's come as you are."
This has been researched before... (Score:2)
Title of the paper is Location-Based Authentication: Grounding Cyberspace for Better Security
This idea is also explained in her book Information Warfare. The idea is using GPS signatures which are not forward-predictable. As other posters pointed out, that only proves the existence/access to GPS receiver located at some point and time not necessarily the presence of the *individual* there.
WakeTurbulence
Base it on a SecurID-type model? (Score:3)
Re:But... (Score:3)
Impossible in the general case (Score:3)
The only other way to achieve position guarantees would involve trusted 3rd parties (position escrow anyone?) and we all know how much we trust those kinds of solutions! (Unless we are talking about people who are detained at the government's pleasure)
Doesn't this exist already? (Score:3)
Of course then you'd have to deal with spoofing...
Re:But... (Score:3)
The problem here is dealing with the GPS data. You basically have to prove that the data has come from a GPS receiver that has been unmodified. There is nothing stopping me fixing the stream of GPS data to the application signing it, to make it look as though I was anywhere in the world. Therefore there are several areas you have to lock down to make sure that this data is authenticable:
1. The position determined by the GPS receiver is accurate, and can not be manipulated by somebody with a small transceiver nearby convincing the GPS receiver that you are located somewhere else. On a 3 or 4 satellite track, you may not be able to move yourself very far, but in the US you could probably "cross" a state boundary, and in Europe you could probably mangle things around to move across country borders.
2. Once you can be sure that the data being received by the GPS receiver is genuine, you have to get it into the PC untampered. What's more, it has to make it all the way to being signed without being vulnerable to tampering at any point. If the longitude and latitude is stored somewhere in memory location 'X' just before being signed, I could conceivably tamper with it.
3. You then of course have to sign it, and then ensure that this mechanism is strong and that it can't be manipulated either at this stage or further along the transmission.
The problem really is that signing the location is the wrong approach - you have both your private and public key, and you can sign *ANYTHING* you want to authenticate it as belonging to you, but in actual fact, you need the GPS receiver to store the private/public pair and not divulge it to anybody else. How then, do you stop people tampering with the receiver?
Thinking about it, I think that may be the best approach - the GPS does the crypto internally, and you build measures to ensure that it can't be tampered with. Even then, you still have to make sure you're talking to a real GPS receiver etc. so challenge/response stuff may have to be added in. Nasty.
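Three posts in this thread converge on the same design: the satellite timing data is signed, the receiver signs the fix it computed (so the user's own key is not enough to vouch for a position), the user signs on top of that, and the verifier checks the chain plus a nonce and a freshness window to stop replays. The block below is an added example of that verification order, not code from any poster or from a real GNSS system; it uses HMAC tags with keys shared with the verifier as a stand-in for the public-key signatures the posts describe (a real deployment would use asymmetric keys so the verifier holds only public halves), and the satellite ids, keys, nonce and coordinates are constructed. The `tamper_position` helper plays the role of the person in the post above who rewrites the coordinates between receiver and PC: because the receiver's tag covers the position, re-signing with the user's key does not hide the change.

```python
import copy
import hashlib
import hmac
import json

FRESHNESS_S = 30   # how old a signed fix may be before the verifier rejects it
MIN_SATELLITES = 4  # a 3-D fix with an unknown receiver clock needs four


def canonical(obj):
    """Deterministic serialisation so signer and verifier tag the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, obj):
    """HMAC stand-in for a signature over canonical(obj)."""
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify_sig(key, obj, sig):
    return hmac.compare_digest(sign(key, obj), sig)


def satellite_broadcast(sat_key, sat_id, t):
    """Layer 1: signed timing message that everyone in range receives."""
    body = {"sat": sat_id, "time": t}
    return {"body": body, "sig": sign(sat_key, body)}


def receiver_attest(receiver_key, broadcasts, position, nonce):
    """Layer 2: the receiver signs the fix it computed, the verifier's nonce
    and the broadcasts it used, so the output of the trusted process is bound."""
    body = {
        "position": list(position),
        "time": max(b["body"]["time"] for b in broadcasts),
        "nonce": nonce,
        "broadcasts": broadcasts,
    }
    return {"body": body, "sig": sign(receiver_key, body)}


def user_sign(user_key, attestation):
    """Layer 3: the user vouches that this attestation is theirs."""
    return {"attestation": attestation, "sig": sign(user_key, attestation)}


def verify_claim(sat_keys, receiver_key, user_key, nonce, now, claim):
    """Verifier: walk the chain from the outside in, then check freshness."""
    if not verify_sig(user_key, claim["attestation"], claim["sig"]):
        return "bad user signature"
    att = claim["attestation"]
    if not verify_sig(receiver_key, att["body"], att["sig"]):
        return "bad receiver signature"
    body = att["body"]
    if body["nonce"] != nonce:
        return "nonce mismatch"
    if len(body["broadcasts"]) < MIN_SATELLITES:
        return "too few satellites"
    for b in body["broadcasts"]:
        key = sat_keys.get(b["body"]["sat"])
        if key is None or not verify_sig(key, b["body"], b["sig"]):
            return "bad satellite signature"
        if abs(now - b["body"]["time"]) > FRESHNESS_S:
            return "stale satellite data"
    if abs(now - body["time"]) > FRESHNESS_S:
        return "stale fix"
    return "ok"


# Constructed keys (HMAC stand-ins for real key pairs) and a constructed position.
SAT_KEYS = {f"sat-{i}": f"sat-key-{i}".encode() for i in range(4)}
RECEIVER_KEY = b"constructed-receiver-key"
USER_KEY = b"constructed-user-key"


def make_claim(now, nonce, position=(41.976, -91.953), fix_time=None):
    """Honest end-to-end run: four broadcasts, receiver attestation, user signature."""
    t = now if fix_time is None else fix_time
    broadcasts = [satellite_broadcast(k, s, t) for s, k in SAT_KEYS.items()]
    return user_sign(USER_KEY, receiver_attest(RECEIVER_KEY, broadcasts, position, nonce))


def tamper_position(claim, new_position):
    """The attack from the post above: rewrite the coordinates after the
    receiver signed them, then re-sign with the user's own key."""
    att = copy.deepcopy(claim["attestation"])
    att["body"]["position"] = list(new_position)
    return user_sign(USER_KEY, att)


if __name__ == "__main__":
    now, nonce = 1_700_000_000, "nonce-constructed-1"
    good = make_claim(now, nonce)
    print("honest:", verify_claim(SAT_KEYS, RECEIVER_KEY, USER_KEY, nonce, now, good))
    print("tampered:", verify_claim(SAT_KEYS, RECEIVER_KEY, USER_KEY, nonce, now,
                                    tamper_position(good, (48.85, 2.35))))
    print("replayed:", verify_claim(SAT_KEYS, RECEIVER_KEY, USER_KEY, nonce, now + 3600, good))
```

The order of checks matters for what the verifier learns: a failing receiver tag after a valid user tag is exactly the signature of someone editing the fix on its way to being signed, while a nonce mismatch or a stale timestamp with all tags valid points at a replay. None of it addresses the receiver itself being spoofed by a nearby transmitter, which is the first item in the list above and sits below this layer.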
The future is here (Score:3)
The SIM is your encrypted device. To activate it you need a PIN, which could be considered your digital signature and presto:
The location of Your SIM is trackable within a couple 100 yards or so.
The problem of course is, that the location is attached to the device. Nobody prevents you from sticking it under a car and pretend that you went all the way from Malmoe to Lissabon.
That's probably also the most tricky issue with your question:
How can you make a position dependent signature device independent, or at least (if you use a device) make it non-functional if you're not physically there.
Pseudo-random data stream? (Score:3)
Or would that be easily faked?
I'm not a GPS expert, so I don't really know for certain.
Re:Location Authenticator? (Score:3)
Extremely easy when surfing pr0n.
Re:But... (Score:4)
Errmm.... surely if his GPS data is encrypted with his private key then isn't that enough to "prove" that at least he believes that his GPS is with him?
The chain of trust is therefore:
At the end of this exchange, the receiver trusts that the owner believes s/he's in the position exchanged between them.
This doesn't cover the case that the authentic Owner is trying to spoof his location, but I don't believe that was the question - which I read as "How can I prevent someone masquerading as me from a remote location at a given time?"
But... (Score:4)
Of course, it really depends what you want to do. In Switzerland, devices are being installed into trucks which register position and time in order to collect road taxes. The device is attached to the vehicle and tampering with the fixing will probably get you a heavy fine.
Re:Pseudo-random data stream? (Score:4)
So, the bottom line is that anything that relies on GPS data can be faked. Obviously these simulators are expensive, but I presume that the GPS receiver manufacturers all have them, so there must be quite a few in the world.
Mobile computing? (Score:4)
Fringe benefits for various internet sites (Score:5)
The drawback: pr0n users in the bible belt would be suddenly unable to hit their favorite sites. Site operators would restrict content to areas where they could be certain of legalities.
And even worse, Amazon could now target prices based on the economy of your neighborhood.
A solution of sorts (Score:5)
The simplest example would be an "authentication satellite", where Jane asks the satellite,
"is Bob really in France?"
If Bob knows the contents of the message, he's in France.
Of course, Bob could just have a transceiver in France.... so.... quantum encrypt it in a single photon :). Single photon quantum encryption is nearly good enough for Earth-satellite links, IIRC.
None of this fixes the "problem" (is it really a bad thing?) mentioned elsewhere in this discussion, that physical devices and people are separable...
only on slashdot (Score:5)