
WO2008026180A1 - Method for preventing address-based traceability - Google Patents

Method for preventing address-based traceability

Info

Publication number
WO2008026180A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
node
nodes
mobile communication
communication devices
Prior art date
Application number
PCT/IB2007/053483
Other languages
English (en)
Inventor
Andre M. Barroso
Hans-Juergen Reumerman
Original Assignee
Philips Intellectual Property & Standards Gmbh
Koninklijke Philips Electronics N.V.
Application filed by Philips Intellectual Property & Standards GmbH and Koninklijke Philips Electronics N.V.
Publication of WO2008026180A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
          • H04W 8/00 Network data management
            • H04W 8/26 Network addressing or numbering for mobility support
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 61/00 Network arrangements, protocols or services for addressing or naming
            • H04L 61/09 Mapping addresses
              • H04L 61/25 Mapping addresses of the same type
                • H04L 61/2503 Translation of Internet protocol [IP] addresses
                  • H04L 61/2521 Translation architectures other than single NAT servers
                    • H04L 61/2525 Translation at a client
                  • H04L 61/2539 Hiding addresses; Keeping addresses anonymous
                  • H04L 61/2557 Translation policies or rules
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
          • H04L 2101/00 Indexing scheme associated with group H04L 61/00
            • H04L 2101/60 Types of network addresses
              • H04L 2101/604 Address structures or formats

Definitions

  • The invention relates generally to a method and a device for preventing address-based traceability of mobile communication devices.
  • Information publicized by a communication agent should only serve its designed intent. In general, however, it is possible to combine fragmented pieces of information from different sources to obtain further information on an agent.
  • Mobile communication devices embedded in objects carried by users are an important source of information that can be misused to infer people's movements and behaviour.
  • One way to trace users on the basis of a portable mobile wireless device is to record the identification or address these objects disclose during communication.
  • This identification is unique and fixed, meaning that messages exchanged anywhere and at any time can always be traced back to the same object.
  • This widespread availability of traceable information and the ease of eavesdropping on broadcast media create a fertile environment for information misuse and privacy violation.
  • Attaining untraceability is a sub-problem of anonymous communication, which aims at preventing unwanted entities from identifying the communicating parties.
  • Anonymous communication can always be defined by a set of identity-related attributes to be protected, e.g. identity of source or destination, location of source or destination, and a set of entities, such as a service provider or an authentication authority, that must be prevented from accessing these attributes.
  • Location is an important attribute in preserving anonymity because it can reveal a great deal about the communicating parties.
  • Ensuring anonymity in mobile communication has been the subject of extensive research for many years, mainly in infrastructure-based networks.
  • The motivating scenarios have primarily been electronic banking and cellular communications.
  • One technique has been proposed to provide anonymity of the user identity against a terminal or base station providing network access or payment services.
  • Anonymity is ensured through the use of identity aliases, which can be translated into the real identity only by authorized parties.
  • A new alias can be generated per transaction and cannot be correlated with the previous alias.
  • Each alias is generated by encrypting the user's name with a secret key.
  • Aliases are a common mechanism to ensure anonymity in mobile communications.
  • The problem of managing these aliases is, however, quite distinct for infrastructure-based networks and for wireless ad hoc networks.
  • Registration in these networks is only required sporadically, and while the user is not performing a transaction he can remain entirely anonymous.
  • The short-lived and self-contained nature of each transaction makes it easy to use a new alias every time.
  • In infrastructure-based mobile networks, communication is always with a single node, i.e. the base station.
  • A new alias is only needed when first registering with the base station or between calls. Communication is thus not disrupted by the change of identities.
  • The use of secure channels prevents eavesdroppers from tracking a user.
  • Ad hoc networks face a different challenge.
  • Nodes should be able to communicate with any other node, and the topology can be highly unpredictable and dynamic. Some nodes can be part of the neighbourhood for a long time, while others quickly enter and leave the same neighbourhood. A change of alias can thus disrupt communication with persistent neighbours, which need to update their view of the neighbourhood even though its composition may not have changed.
  • Since any node can listen to the medium, it becomes possible for an eavesdropper to correlate two aliases from the same node by analysing the movement behaviour of the node, assuming adversaries can locate the source of transmissions.
  • Another proposed solution to minimize the impact of movement analysis consists in using "mixer" nodes, which are proxies routing all the traffic from a group of nodes.
  • The idea consists in preventing eavesdroppers from distinguishing, among a group of nodes, the source or destination of traffic.
  • The main disadvantage of this approach is increased communication latency and network organization complexity.
  • A solution that eliminates the possibility of traceability in the system consists of excluding any sort of identification on the devices. This approach precludes any form of communication where identification-based state must be known. In particular, this scheme prevents the implementation of ad hoc network protocols where neighbour tables must be maintained.
  • Certification is a variation of the previously described scheme in which anonymity is preserved against all non-certified devices. This can be achieved, for instance, by encrypting all identifications with a key shared by the certified participants. Certification schemes, however, preclude open communication and raise the question of how the certification process is implemented.
  • US 2006/0026438 A1 discloses a method and a system for the generation of anonymous aliases for on-line communications, where a system generates an anonymous alias and the alias is displayed in an identification field of an on-line document.
  • US 2005/0050352 A1 discloses a method and a system for providing location privacy, including the assignment of a pool of addresses with which a user can access a network, and preventing a third party from correlating the user's location with a mobile computing device. Additionally, the prior art document discloses a method for providing a connection to an access point of a network, including a detachable network interface for use in accessing the access point by a computing device without intervention by a user.
  • US 2004/0235493 A1 discloses a method for the use of tags in conjunction with location information to match wireless network users to other network users, service information or the like.
  • The tag enables secure and anonymous communication between users.
  • US 2002/0174364 A1 discloses a method for the substitution of a pseudonym address for a Bluetooth Device Address, wherein the pseudonym address is a randomized version of the Bluetooth Device Address. In this manner the user's privacy is protected by preventing the user's identity from being correlated with his/her device's address.
  • US 2004/0083184 A1 discloses a method for anonymous transactions, including payment with a card by a party without revealing the true identity of the party, by utilizing an alias.
  • The alias is additionally transferred by a second party.
  • The method prevents address-based traceability of mobile devices, defined here as the ability to identify whether two messages originated at the same device by inspecting their source addresses.
  • A method for communication between mobile communication devices that prevents address-based traceability of the mobile communication devices includes assigning addresses to mobile communication devices as nodes of a communication network or system and periodically or repeatedly applying a transformation function Φ to a node's address, resulting in a new address for the node.
  • The new address can be recognized if the original address is known.
  • The transformation function Φ satisfies the following conditions:
      • an address a ∈ A can be inferred from Φ(a) with high probability;
      • inference of a ∈ A from the address obtained by applying Φ to a a number of times greater than or equal to h can only be done with small probability;
      • a high probability is above 90 %; a low probability is below 1 %.
  • A node discloses the resulting address to a limited number of neighbouring nodes after each application of the transformation function.
  • Neighbouring nodes are able to identify the old and new address as belonging to the same node.
  • The transformation function applied to an address with a fixed number n of bits shifts the bits of the original address one bit to the left or right and replaces the rightmost or leftmost bit with a random value.
  • A device for mobile communication having an address, characterized by the use of a method for communication between mobile communication devices that prevents address-based traceability of the mobile communication devices, the method including the assignment of addresses to mobile communication devices as nodes of a communication network or system, wherein a transformation function Φ is periodically applied to the node's address, resulting in a new address for the node.
  • Fig. 1 is a block diagram of a system with nodes and a surveillance-constrained adversary.
  • Fig. 2 shows a table for three address devices.
  • Fig. 3 shows a listing of a procedure.
  • Fig. 4 shows another listing of a procedure.
  • Fig. 1 shows a schematic diagram of an adversary-constrained surveillance system.
  • The inventive system 1 consists of a variable set of mobile nodes 2, 3, 4 periodically transmitting messages 5 to neighbours in range.
  • Messages 5 include addresses that uniquely identify a node 2, 3, 4 in its neighbourhood with high probability.
  • Nodes 2, 3, 4 do not rebroadcast the addresses received from their neighbours.
  • A surveillance-constrained adversary 8 attempts to trace mobile nodes 2, 3, 4 by eavesdropping on their messages 5 in a certain area 6, 7.
  • A surveillance-constrained adversary 8 is defined as an eavesdropping entity able to log, locate and/or timestamp an unlimited amount of messages, but which misses all transmissions from the same mobile source during a continuous time interval t_s every T time units. In practice, this means that the adversary 8 is not omnipresent and cannot cover all locations where the user broadcasts messages during time T. Nodes 2, 3, 4 move in and out of surveillance range 6, 7 in such a way that the duration of time interval t_s and its starting point inside time interval T are random variables with high variance.
  • Let M be the set of all messages generated in the system and let T be the time interval defined previously.
  • The invention proposes an addressing method with the following desirable properties:
  • a surveillance-constrained adversary 8 is unable to identify with probability greater than a small value k whether m1, m2 ∈ M have the same source when m1 and m2 are issued at least T time units apart, and
  • a legitimate communication partner is able to identify with probability greater than a high value k' whether m1, m2 ∈ M have the same source when m1 and m2 are issued at most t_c time units apart.
  • A legitimate communication partner is any node 2, 3, 4 other than the adversary 8. This property guarantees that communication requiring the identification of the source is still possible.
  • The proposed addressing method attains these properties by periodically applying a transformation function Φ to a node's address.
  • This function is such that the resulting address is easily recognized if the original address is known. Recognition, however, becomes increasingly difficult with the number of times the function is applied to the address.
  • A function Φ: A → A is said to satisfy the progressive randomization conditions if and only if:
  • an address a ∈ A can be inferred from Φ(a) with high probability
  • A node 2, 3, 4 discloses the resulting address to its neighbours. This procedure ensures that neighbours are able to easily recognize the old and new address as belonging to the same node.
  • Parameter t_c can be defined as the minimum interval between two consecutive address transformations with function Φ.
  • Function Φ is required to be applied to addresses at least h times every t_s time units. Untraceability is supported because a surveillance-constrained adversary 8, by definition, misses all messages from a node every t_s time units. Therefore, after time interval t_s, a node has a completely new address that is uncorrelated with the old one. The adversary 8 is therefore unable to correlate both addresses on the basis of messages transmitted by the node alone.
  • The adversary 8, however, can still use messages from more than one node 3, 4, 5 to achieve its objective.
  • An appropriate function displaying the progressive randomization properties and an address checking mechanism need to be defined.
  • An essential requirement for both mechanisms is simplicity, since the operations they implement will be used frequently.
  • A favourable function observing the progressive randomization properties can be defined over a set of addresses with a fixed number n of bits.
  • The function simply shifts the original address one position to the left or to the right and replaces the rightmost or leftmost bit with a random value, as detailed in the pseudo-code shown in Fig. 3.
  • The transformation imposed by the presented function is minimal.
  • After shifting the original address one position to the left or to the right, the two addresses may differ only in the rightmost or leftmost bit.
  • The progressive randomization function should be applied at least n times every t_s time units.
  • The probability of an adversary correctly guessing that two addresses embedded in messages issued T or more time units apart belong to the same node is only 1/2^n.
  • The adversary is unable to correlate with reasonable probability the new and transformed address based on this information alone.
  • Let L be a log with the addresses of nodes that broadcast messages in the past Δ_R time units.
  • Log L will contain the last address used by a node in its broadcasts if Δ_R is long enough.
  • On receiving a message, a node keeping a log L applies the procedure described in Fig. 4 to verify whether the source of this message is a known neighbour. The procedure tests whether the address is already contained in the log or whether the prefix of the address matches the suffix of any address in the log. If there is a match, the procedure returns the matching address in the log; otherwise it returns a null value.
  • The described procedure will be able to successfully correlate a modified address with the original one with high probability when the address space used is much larger than the number of nodes. Otherwise, false matches could correlate two different nodes that are using the same address or that differ by a single bit when shifted according to the matching algorithm.
  • The proposed invention can be applied in any system where devices communicate via wireless transceivers in an open and shared medium, to increase the privacy of the communicating parties.
  • The method is especially useful if media access control uses periodic beacons that disclose the identity of the nodes.
  • The mechanism is appropriate, for instance, to prevent tracking of vehicles equipped with warning and infotainment systems based on car-to-car or car-to-infrastructure communications.
  • Warning applications require low communication latency and rely on periodic transmission of beacons or messages to disseminate announcements. These periodic announcements are a potential source of tracking information, as they may require identification of the sender. Infotainment applications, on the other hand, usually require stable links for extended periods of time and may require session protocols that keep state during transactions. A sudden change of address to prevent traceability can thus be disruptive for these applications if the state associated with the old address cannot be assigned to the new address. The proposed scheme guarantees that addresses can be changed smoothly, without loss of state.
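The shift-and-randomize transformation of Fig. 3 and the prefix/suffix address check of Fig. 4, worked as an added Python example that is not the patent's own listing: it implements the left-shift variant (the right-shift variant is symmetric), keeps neighbour state across address changes, and shows that after n applications an eavesdropper who missed the intermediate beacons can no longer link the endpoints. Function and class names, and the deterministic `FixedBits` bit source used for reproducibility, are assumptions of this example.

```python
import secrets
from itertools import cycle
from typing import Dict, Iterable, List, Optional


def progressive_randomize(addr: int, n: int, rng=secrets) -> int:
    """Transformation function Phi in the Fig. 3 style: shift the n-bit address
    one position to the left and fill the vacated rightmost bit with a random
    bit. Each application destroys one more bit of the original address, so
    after n applications nothing of the original address survives."""
    mask = (1 << n) - 1
    return ((addr << 1) & mask) | (rng.randbits(1) & 1)


def transform_chain(addr: int, n: int, k: int, rng=secrets) -> List[int]:
    """Return [addr, Phi(addr), Phi^2(addr), ..., Phi^k(addr)]."""
    chain = [addr]
    for _ in range(k):
        chain.append(progressive_randomize(chain[-1], n, rng))
    return chain


def lookup(addr: int, log: Iterable[int], n: int) -> Optional[int]:
    """Address check in the Fig. 4 style: return the logged address that `addr`
    equals, or from which `addr` was derived by one transformation (the top
    n-1 bits of `addr` equal the low n-1 bits of the logged address).
    Returns None when the sender is not a known neighbour. With a small
    address space this check can also produce false matches between
    different nodes, as the text warns."""
    low_mask = (1 << (n - 1)) - 1
    for known in log:
        if addr == known or (addr >> 1) == (known & low_mask):
            return known
    return None


class NeighbourTable:
    """Per-neighbour state keyed by the neighbour's current address. A message
    whose address is one transformation away from a known address is treated
    as the same neighbour and its state is carried over, which is what lets
    addresses change without losing session state."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.entries: Dict[int, dict] = {}

    def observe(self, addr: int) -> dict:
        known = lookup(addr, list(self.entries), self.n)
        state = {"msgs": 0} if known is None else self.entries.pop(known)
        state["msgs"] += 1
        self.entries[addr] = state
        return state


class FixedBits:
    """Constructed deterministic stand-in for `secrets`, used only to make the
    demonstration reproducible; not part of the scheme."""

    def __init__(self, bits: Iterable[int]) -> None:
        self._bits = cycle(bits)

    def randbits(self, k: int) -> int:
        return next(self._bits) & 1


if __name__ == "__main__":
    n = 8
    chain = transform_chain(0b10110010, n, n)  # n applications of Phi
    neighbour = NeighbourTable(n)
    for a in chain:  # a neighbour hearing every beacon follows each change
        neighbour.observe(a)
    print("addresses seen:", [f"{a:0{n}b}" for a in chain])
    print("neighbour still tracks a single node:", len(neighbour.entries) == 1)
    # An adversary that missed every intermediate beacon only has the endpoints;
    # a match here happens only by chance (about 1/2^n).
    print("adversary links endpoints:", lookup(chain[-1], [chain[0]], n) is not None)
```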

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and a device for communication between mobile communication devices that prevent address-based traceability of the mobile communication devices. The method consists in assigning addresses to the mobile communication devices, regarded as the nodes (2, 3, 4) of a communication system (1), and in periodically or repeatedly applying a transformation function Φ to a node address in order to create a new address for the node (2, 3, 4).
PCT/IB2007/053483 2006-08-31 2007-08-29 Method for preventing address-based traceability WO2008026180A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP06119850.3 2006-08-31
EP06119850 2006-08-31

Publications (1)

Publication Number Publication Date
WO2008026180A1 (fr) 2008-03-06

Family

ID=38983904

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/053483 WO2008026180A1 (fr) 2006-08-31 2007-08-29 Method for preventing address-based traceability

Country Status (1)

Country Link
WO (1) WO2008026180A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2107835A1 (fr) * 2008-04-04 2009-10-07 Vodafone Group PLC Système et procédé pour le contrôle côté réseau de paramètres d'information du système
DE102015204210A1 (de) * 2015-03-10 2016-09-15 Bayerische Motoren Werke Aktiengesellschaft Pseudozufällige Funkkennungen für mobile Funkvorrichtungen

Citations (4)

Publication number Priority date Publication date Assignee Title
WO1996013920A1 (fr) * 1994-10-27 1996-05-09 International Business Machines Corporation Procede et dispositif destine a l'identification securisee d'un utilisateur itinerant dans un reseau de communication
WO2003094424A1 (fr) * 2002-05-03 2003-11-13 Nokia Corporation Procede et systeme d'attribution et modification d'adresses au niveau liaison dans un reseau
US20050050352A1 (en) * 2003-08-28 2005-03-03 International Business Machines Corporation Method and system for privacy in public networks
US20060165100A1 (en) * 2004-10-22 2006-07-27 Leping Huang Wireless location privacy

Non-Patent Citations (1)

Title
A. BARROSO AND H.-J. REUMERMAN: "An Addressing Scheme to Support Untraceability in Mobile Ad Hoc Networks", IEEE, 2007, pages 869 - 873, XP002467622, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/iel5/4196544/4196545/04196733.pdf> [retrieved on 20080205] *

Similar Documents

Publication Publication Date Title
US7245602B2 (en) System and method for anonymous Bluetooth devices
US20090228708A1 (en) System and Method of Encrypting Network Address for Anonymity and Preventing Data Exfiltration
Wong et al. Location privacy in bluetooth
Pang et al. Tryst: The Case for Confidential Service Discovery.
Angermeier et al. PAL-privacy augmented LTE: A privacy-preserving scheme for vehicular LTE communication
Freudiger et al. Privacy of community pseudonyms in wireless peer-to-peer networks
Barbeau et al. Perfect identity concealment in UMTS over radio access links
WO2008026180A1 (fr) Procédé permettant d'empêcher la traçabilité à partir de l'adresse
CN110933050B (zh) 一种隐私保护的位置共享系统及方法
Shikfa et al. Local key management in opportunistic networks
Chung et al. DiscoverFriends: Secure social network communication in mobile ad hoc networks
Lei et al. Protecting location privacy with dynamic mac address exchanging in wireless networks
Taha et al. ALPP: anonymous and location privacy preserving scheme for mobile IPv6 heterogeneous networks
Joy et al. DiscoverFriends: secure social network communication in mobile ad hoc networks
Shikfa et al. Bootstrapping security associations in opportunistic networks
Zhang et al. Collusion-resistant query anonymization for location-based services
Choi et al. Practical solution for location privacy in mobile IPv6
Werner Privacy‐protected communication for location‐based services
CN1954577A (zh) 发送数据的匿名完整性
Barroso et al. An Addressing Scheme to Support Untraceability in Mobile Ad Hoc Networks
Li et al. Anonymous routing: A cross-layer coupling between application and network layer
Mocktoolah et al. Privacy challenges in proximity based social networking: Techniques & solutions
Piper et al. Cryptographic solutions for voice telephony and GSM
Pérez-Martínez et al. Location privacy through users' collaboration: A distributed pseudonymizer
Boukerche et al. Anonymity enabling scheme for wireless ad hoc networks

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 07826200; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
NENP Non-entry into the national phase (Ref country code: RU)
122 EP: PCT application non-entry in European phase (Ref document number: 07826200; Country of ref document: EP; Kind code of ref document: A1)