Location-based Authentication and Access Control mechanism using Smartphones

ARON KON DORO

KTH Information and Communication Technology

Master of Science Thesis Stockholm, Sweden 2012 TRITA-ICT-EX-2012:244

To my lovely parents, John and Consolatha Kondoro, who I owe everything.

I would also like to thank my Supervisor, Sead Muftic, for his guidance, encouragement, and collaboration. The whole SecLab team at DSV, KTH for all their help and tutelage; and last but not least my whole family John, Consolatha, Annette and Alfred, and friends for all their love.

Abstract
Authentication is one of the important aspects of Information Systems and Computing Networks security. Since the time the first computing systems came into existence, there has always been a need to properly authenticate a user in order to grant access to protected resources. With the proliferation of the Internet this need has turned into a necessity. As more and more aspects of our lives are transferred into the Internet as services, it becomes critical to ensure that strong and secure authentication models and mechanisms exist to support the use of these services. Likewise, access control is another aspect that is important in the security of information systems. It goes hand in hand with authentication. After an entity has been authenticated, access control mechanisms usually kick in to ensure that only actions that are authorized for that particular entity are allowed to be performed. Today, many authentication and access control schemes already exist and have been deployed on the Internet in various sectors such as Banking, e-Commerce, social networking and so on. Most of these schemes have traditionally and also continue to depend on three main factors for proof of a users identity: (1) what you know (2) what you have, and (3) what you are. In general, it is accepted that the more use of multiple factors, the better the security. Varieties of schemes have been designed and implemented that try to incorporate all of these authentication factors in order to boost security. However, the main challenge in the use of these schemes has been to achieve the proper balance between security and usability. In many cases improvement of one comes at the expense of the other. While the use of the above mentioned factors has been sufficient for authentication and access control decisions in many cases, some existing literature suggests the use of location as an additional factor. With the emergence of mobile and pervasive computing, location information or, in a more general sense, contextual information is going to start to play a big role in authentication and access control mechanisms. The main problem has been how to introduce this into existing schemes in a seamless way. In this thesis, we investigate the possibilities for a new location-based authentication and access control mechanism. With the rise in popularity of smartphone platforms, author(s) propose an authentication and access control scheme that uses a mobile phone/smartphone to obtain a users location and includes that information in the authentication and access control process and decision making. Since people already carry their mobile phones everywhere, this mechanism would be seamless and transparent. In addition, we designed, implemented and tested a prototype application on the Android platform to demonstrate and test the viability and security of the proposed scheme. With the continuous emergence of new smartphones with further capabilities and with the increase in popularity of their use, our work would act as a first step in further research effort into the possibilities of using smartphone technologies in improving existing security mechanisms. Our research results show that smartphone platforms potentially provide a strong base upon which new and improved security mechanisms can be built. In this instance an improved location-based authentication and access control mechanism using location sensing technologies, such as GPS, was successfully built on an Android smartphone. 4

Table of Contents
Table of Contents ........................................................................................ 5 LIST OF TABLES .......................................................................................... 8 LIST OF FIGURES ........................................................................................ 9 1 Introduction ........................................................................................ 11
1.1 1.2 1.3 1.4 1.5 Background ................................................................................................. 11 Problem Definition........................................................................................ 12 Purpose and Goals of the Thesis .................................................................... 13 Research Methodology .................................................................................. 15 Thesis Organization ...................................................................................... 15 Authentication ............................................................................................. 16 Introduction .......................................................................................... 16 Authentication Factors ............................................................................ 17 Existing Authentication Mechanisms: Advantages & Disadvantages .............. 18 Multi-factor authentication ...................................................................... 25 Introduction .......................................................................................... 27 Access control components ..................................................................... 28 Access Control Matrix ............................................................................. 28 Access Control Lists and Capabilities ........................................................ 29 Access Control Models ............................................................................ 30

Authentication and Access Control ...................................................... 16

2.1 2.1.1 2.1.2 2.1.3 2.1.4 2.2 2.2.1 2.2.2 2.2.3 2.2.4 2.2.5

Access Control ............................................................................................. 27

Location factor in authentication and access control ........................... 32

3.1 3.2 3.3 Background ................................................................................................. 32 Importance and benefits of location in security ................................................ 32 Location modeling/Representation.................................................................. 34 Symbolic Location Models ....................................................................... 35 Geometric Location Models ...................................................................... 36 Hybrid Location Models ........................................................................... 37

3.3.1 3.3.2 3.3.3 3.4 3.5 3.6 3.7

Location-based security models ..................................................................... 38 Privacy issues .............................................................................................. 41 Related work Location-based systems .......................................................... 42 Summary .................................................................................................... 45 Introduction ................................................................................................ 46

Location Positioning Technology ......................................................... 46

4.1

4.2

Basic positioning techniques .......................................................................... 47 Dead Reckoning ..................................................................................... 47 Proximity Sensing .................................................................................. 48 Trilateration .......................................................................................... 49 Multilateration ....................................................................................... 50 Triangulation ......................................................................................... 51 GPS ..................................................................................................... 52 Assisted GPS (A-GPS) ............................................................................. 56 Galileo .................................................................................................. 59 Others .................................................................................................. 61 Overview .............................................................................................. 61 Cell-ID ................................................................................................. 62 U-TDOA ................................................................................................ 62 E-OTD .................................................................................................. 63 A-FLT ................................................................................................... 63 Mobile Assisted GPS ............................................................................... 63 Overview .............................................................................................. 65 Wi-Fi based positioning systems .............................................................. 65 How it works ......................................................................................... 66 IP-Based ............................................................................................... 68

4.2.1 4.2.2 4.2.3 4.2.4 4.2.3 4.3 4.3.1 4.3.2 4.3.3 4.3.4 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5 4.4.6 4.5 4.5.1 4.5.2 4.5.3 4.6 4.7 4.8 4.6.1

Satellite-based Positioning ............................................................................ 51

3G-based (Cellular Telephone Network) Positioning .......................................... 61

Wi-Fi based Positioning ................................................................................. 65

Hybrid and Other Positioning Technologies ...................................................... 68 Comparison of Positioning Techniques ............................................................ 69 Summary .................................................................................................... 70 Introduction ................................................................................................ 71 Overview .............................................................................................. 71 Emergence of smartphone technology ...................................................... 71

Smartphone Technology ...................................................................... 71

5.1 5.1.1 5.1.2 5.2 5.3

Smartphone usage and popularity .................................................................. 73 Smartphone hardware .................................................................................. 73 Smartphone classes ............................................................................... 73 Hardware components ............................................................................ 74 iOS ...................................................................................................... 77 Android ................................................................................................ 78

5.3.1 5.3.2 5.4 5.4.1 5.4.2

Smartphone software platforms ..................................................................... 77

5.4.3 5.4.4 5.4.5 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.6 5.7

Windows Phone 7................................................................................... 79 Symbian ............................................................................................... 80 BlackBerry OS ....................................................................................... 80 Skyhook Location Service ....................................................................... 81 Navizon Location Service ........................................................................ 82 Android Location API .............................................................................. 82 Apple Location API ................................................................................. 83

Location in smartphones ............................................................................... 81

Smartphone location accuracy ....................................................................... 84 Summary .................................................................................................... 86 Introduction ................................................................................................ 87 LBAAS What is it? Why smartphone? Why Android? ....................................... 87 System Design ............................................................................................ 88 Architecture and components .................................................................. 88 Location verification ............................................................................... 89 Registration Protocol .............................................................................. 94 Authentication and authorization protocol ................................................. 96 Mobile marketing application (m-Market) .................................................. 97 LBID Server .......................................................................................... 98 Authentication ....................................................................................... 98 Authorization ....................................................................................... 101

LBAAS Design and Implementation ..................................................... 87

6.1 6.2 6.3

6.3.1 6.3.2 6.4 6.4.1 6.4.2 6.5 6.5.1 6.5.2 6.5.3 6.5.4 6.6

Security Protocols ........................................................................................ 93

Prototype implementation ............................................................................. 97

Summary .................................................................................................. 102 Security Analysis ....................................................................................... 103 Threats against authentication and authorization ..................................... 103 LBAAS security evaluation ..................................................................... 103 Security limitations .............................................................................. 105 Performance limitations ........................................................................ 105

Evaluation and Discussion ................................................................. 103

7.1 7.1.1 7.1.2 7.2 7.2.1 7.2.2 7.3

Limitations ................................................................................................ 105

Summary .................................................................................................. 105 Conclusions ............................................................................................... 106 Future work .............................................................................................. 107

Conclusions and Future work ............................................................ 106

8.1 8.2

REFERENCES ................................................................................................... 108

LIST OF TABLES
Table 1: Table 2: Table 3: Table 4: Table 5: Table 6: Table 7: Table 8: Table 9: Attacks against various authentication modes [16] .....................................................................25 An access control matrix ......29 Comparison between GPS and A-GPS ....59 Comparison of 3G-based positioning methods 64 Comparison of Location Positioning Techniques ....70 Smartphone classes ..74 Smartphone Screen Types ...75 Location coverage, average accuracy, and technology for different smartphone devices ...85 Security evaluation of LBAAS compared to other common mechanisms 104

LIST OF FIGURES
Figure 1: Examples of tokens (what an entity has) 17 Figure 2: An example of a smart card 20 Figure 3: Classification of symbolic location models 36 Figure 4: Classification of geometric location models ..37 Figure 5: Hybrid location model 38 Figure 6: LBAC System internal model 40 Figure 7: Dead Reckoning .47 Figure 8: Trilateration 49 Figure 9: Multilateration 50 Figure 10: Triangulation 51 Figure 11: A GPS device ...53 Figure 12: GPS Signal Construction ..55 Figure 13: Assisted GPS 57 Figure 14: Google Street view car .67 Figure 15: IBM Simon First smartphone 71 Figure 16: Smartphone Components .77 Figure 17: Smartphone OSs market share 81 Figure 18: Average location accuracy from 100 meters to 3 kilometers ...85 Figure 19: LBAAS Architecture 89 Figure 20: Representation of location information stored in database ..91 Figure 21: Step 1 of the location verification mechanism .92 Figure 22: Step 2 of the location verification mechanism .93 Figure 23: LBAAS Registration Protocol ..95 Figure 24: LBAAS Authentication and Authorization Protocol 97 Figure 25: Location Registration in m-Wallet ...99 Figure 26: Local Authentication in m-Wallet 99 Figure 27: Location Verification in m-Wallet .100 Figure 28: Unauthenticated Location Alert in m-Wallet .100 Figure 29: Opening mWallet after successful Authentication ...100 Figure 30: Upload Coupons with Location Policies in m-Merchant ...101 Figure 31: Database Schema of Authorization Policy .101 Figure 32: Authorization Enforcement Result in m-Wallet .102

ABBREVIATIONS
3G 3rd Generation mobile telecommunications A-FLT Advance Forward Link Trilateration A-GPS Assisted Global Positioning System ACL Access Control List AOA Angle of Arrival AP Access Point API Application Programming Interface BS Base Station BSSID Basic Service Set Identification C/A Code Coarse and Acquisition Code CA Certificate Authority CPU Central Processing Unit D-GPS Differential Global Positioning System DAC Discretionary Access Control E-FLT Enhanced Forward Link Trilateration E-OTD Enhanced Observed Time Difference ESSID Extended Service Set Identification GPS Global Positioning System GSM Global System for Mobile Communications ICC Integrated Circuit Chip IP Internet Protocol LBAAS Location-based Authentication and Access Control using Smartphones LBAC Location-based Access Control LBC Location-Based Client LBID Location-Based Identification LSS Location Signature Sensor m-PKI mobile Public Key Infrastructure MAC address Media Access Control address MAC Mandatory Access Control MSA Mobile Station Assisted MSB Mobile Station Based NFC Near Field Communication OS Operating System OTDOA Observed Time Difference of Arrival OTP One-Time Password PDA Personal Digital Assistant PIN Personal Identification Number PKI Public Key Infrastructure RAM Random Access Memory RBAC Role-Based Access Control RSSI Received signal strength indication SAFE Secure Applications for Financial Environments SDK Software Development Kit SIM Subscriber Identity Module SP Service Provider SRBAC Spatial Role-based Access Control TDOA Time Difference of Arrival TOA Time of Arrival TTFF Time to First Fix UTDOA Uplink-Time Difference of Arrival XAMCL eXtensible Access Control Markup Language

10

1 Introduction
1.1 Background
Today the use of Information Technology (IT) systems is growing rapidly in all aspects of our lives. Businesses continuously depend more and more on IT systems for their core functionalities. Individuals perform most of their daily functions online through the Internet. People communicate through various web-based email services, such as Gmail and Hotmail, they socialize through social networks, such as Facebook, and they buy things on web stores, such as Amazon and EBay. Many services in various sectors such as banking, law and health-care are increasingly offering their services online through the Internet. With all this increase in the use of IT systems for these sensitive functions, security also becomes more and more crucial. This involves security services such as confidentiality, authentication, authorization and access control. The most common and popular method for authentication is passwords. This has been due to its ease of implementation for the service providers, cost effectiveness and its familiarity to the end user. However, it has also been one of the least secure methods compared to others. People have generally chosen weak passwords and used the same ones in multiple services. As a result, accounts have been hacked, people have lost money, privacy has been breached and so on. In order to combat this, security critical services, such as online banking services, have started using multi-factor authentication measures. For example, permanent passwords are combined with other measures, such as special tokens that can generate one time passwords. The use of more than one factor has been observed to be more secure than depending only on a single one. Most solutions have depended on factors that fall under three categories, namely: (1) what you know e.g. passwords, PINs (2) what you have e.g. smart cards, tokens and (3) what you are e.g. biometrics, such as fingerprints, voice recognition and retinal scans. Even though these factors have been sufficient for most cases, there is still additional room for other factors to improve things. One of them is the location. Location of a user can be quite useful information for authentication and access control decisions. For example, Alice is a user who is in Sweden has a password that she uses to login into her account. By some unfortunate circumstances the password is disclosed to Bob who is a user in US. Bob can login successfully and impersonate Alice. Clearly in this case if location was considered, this unauthorized access attempt could have been detected and prevented. In another example, lets say there is a multinational company with branches in different locations all over the world. All of these branches have access to a central database located at the headquarters of the Company. Since the locations of branches are known and fixed, this information, if it can be detected and used during access attempts, can help improve security by preventing unauthorized access attempts from unknown places. In addition, in cases of authorized attempts, it can be useful in making authorization and access control decisions. For example, a user in branch A can only access the portion of the database with Branch A information. Location information can play a part in the process in one of the following ways. Firstly, it can act as an additional fourth factor as in the previous example. Secondly, it can act as a prerequisite for choosing between different options of authentication and access control methods. For example, a simple 11

mechanism e.g. passwords can be used if the user is in a secure location and a stronger method, e.g. a cryptographic token, is used when the user is an insecure location such as at home. A number of authentication and access control solutions that incorporate location have been proposed and designed. The main challenge has been how to detect and integrate the location of the user in a secure way. This would require a user to carry an additional location sensing device that can be used for this purpose all the time. This is not an ideal solution. In recent times, smartphones have increasingly gained popularity among users especially in the US, Europe and Asia. A lot of innovation is constantly occurring in the area of smartphones technology. Many big companies, such as Apple, Google, Samsung, HTC and Microsoft, are fiercely competing, every time coming up with new and better device. The result has been a wide range of smartphone device with a variety of chips and technologies built in together. One of this has been location sensing technologies. Most of these smartphones now come with inbuilt GPS chips that can accurately obtain the location of the user. This is evidenced by the explosion of location-based services, such as Google Maps, Foursquare, Gowalla and Yelp. In addition, companies such as Skyhook, Google and Apple continually improve their location technologies by creating large databases of wireless access point and cell tower locations. The overall result has been the improvement in the accuracy of locations obtained. It is now conceivable to pinpoint the location of the user within meters of her actual location. As such, the use of a smartphone can be a potential solution in location-based authentication and access control schemes. It can act as the device to detect and send the location of a particular user to backend server. This can be a good solution due to several reasons: (1) Many people already have smartphones, (2) They carry them everywhere, (3) These smartphones have stable platforms on which secure application and services can be built, (4) Location can be accurately determined within meters.

1.2 Problem Definition

There is a constant challenge of improving the security and usability of the authentication process in the Information and Communication systems security field. Approaches that employ more than one factor known as multi-factor authentication schemes, have generally been viewed as more secure and have been implemented in a variety of settings in need of strong user authentication. One of the factors shown to be relevant in authentication process has been the location of the authenticating entity. However, only a few schemes have been proposed that incorporate the location factor in their process.

12

The main challenges/problems are; Registration of locations Classification of locations as criteria for authentication Design of location-based authentication client for mobile phones Design of location-based authentication protocol Reliably obtaining accurate location of the authentication entity. Securely incorporating the obtained location to the authentication process

1.3 Purpose and Goals of the Thesis

The goal of this thesis project is to propose and design an authentication system that incorporates the location factor using various technologies, such as GPS, Wi-Fi and Bluetooth built in a mobile phone/smartphone. This system will help to improve the security of the authentication process by limiting locations from which an entity is able to successfully authenticate. In order to achieve the goal of designing and implementing this system, the following activities have been performed in this project; Literature review on the existing authentication models that employ the use of a mobile phone. This involved gaining a basic understanding of the approaches used, and then performing critical analysis and evaluating the different options available. The outcome of this aided and formed a basis for the design of the proposed authentication system which also takes advantage of a mobile phone. The approach chosen extended to include the location factor in the process. Therefore, the best option depended on how in a practical sense the additional parameters in this case location can be introduced while maintaining the desirable features of the process. Extensibility was the judging factor. Investigation of the concept of location awareness in the authentication process. The purpose of this was to find the best way of including location information in the process of authenticating an entity. In order to achieve this objective, specifically these tasks were conducted; Identifying the desired granularity of the location information that would be necessary to distinctively differentiate between attempts from authorized and un-authorized locations. Determining the appropriate technique or combination of techniques of obtaining reliable and accurate location Determining other authenticating factors that would be combined with the location factor to form the combined information that would be used to prove the identity of the entity during authentication attempt Formulating the method of securely exchanging this information among entities involved in the authentication system.

13

 Formulation of a conceptual model that would act as a framework for the proposed authentication system. From the knowledge and information gained in previous activities, a design of the proposed system was formulated. This design revealed the architecture of the system showing all the components and modules that will be involved and how they relate to each other. The whole process of authentication from start to finish was described, detailing all the steps involved, the proper sequence of actions, what information will be exchanged among the components involved and what kind of processing will be performed. Qualitative and quantitative constraints on the system were also highlighted in order to take them into account when developing the system and also in measuring of its performance in the testing and evaluation phase. The overall outcome of these tasks and activities was the formulation of a complete specification of the system. Development of a prototype system. In order to demonstrate and test the proposed system a prototype was implemented according to the specifications that have been formulated. Every component specified in the design was implemented and integrated into the overall structure in order to achieve the final system. An appropriate development model was proposed and followed in order to achieve a working system with the desired specifications in a reasonable amount of time. Since this was a prototype that will be used for demonstration and testing, the focus will be on having a working system with the basic functionality. The choice of implementation language also reflected this. Each component was implemented using the language that best suits the needs of time and functionality and also on the availability of the necessary tools to accomplish this. For example, open source options were preferred. This activity also involved choosing the devices and platforms that the system will be tested on. These needed to have hardware capabilities required to achieve the objectives such as all the technologies to obtain location in a mobile phone. For example GPS and Wi-Fi. Testing of the developed system in a simulated environment. The system will need to be tested in order to observe its functionality and to be tested against the set requirements and see how it performs against them. The testing cases will be designed in manner that simulates how the system would be used in real world scenarios. The aim will be to replicate the real world scenario as close as possible in order to deduce conclusions that would be relevant. The observations made from this activity will aid in the final analysis of the feasibility and limitations of the proposed system. Analysis, evaluation, discussion and reporting of the findings on the usage of the prototype system. After testing and observing the functioning of the system, analysis on the findings was performed. The aim of this was to determine how well the system met the objectives set forth which would aid in deducing the feasibility of the proposed system in solving the problem tackled in this thesis work. This led to the discussion of any limitations that were met and weaknesses that would have to be dealt with in future work.

14

1.4 Research Methodology

In order to fulfill its goals the methodology of this research has relied on the logical approach based on both deduction and induction methods. From the background study of existing research and solutions the motivation for a new solution is highlighted. The specifications and requirements of the new solutions are deduced from problems and weaknesses of existing systems. The design of the proposed research solution is then logically based on these specifications and requirements. Implementation of a prototype then follows the proposed design which eventually leads to the testing and analysis of the effectiveness of the proposed research solution compared to existing ones. The analysis will provide the assessment of solution in regards to answering the problem statement and offer opportunities and suggestions for further improved designs and future work. Throughout the research process data collection will be based on extensive analysis of existing work, mechanisms and technology in the related research field.

1.5 Thesis Organization

The organization of this research thesis is as follows. Chapter 1 starts with describing the background of the research area, defines the main problem and challenges to be addressed, breaks down the purpose and goals that need to be achieved to solve the problem, and finally describes the methodology used. Chapter 2 describes the basic authentication and access control mechanisms and provides a theoretical background for the design of the research solution. In addition this chapter also analyzes existing authentication mechanisms, compares them and highlights their weaknesses. Chapter 3, Location factor in authentication and access control, examines the importance and role of location in authentication and access control decisions. It defines the concept of location and how it can modeled and represented. It highlights privacy issues that usually arise in location based systems and finally examines existing or previously proposed related work location-based security mechanisms. Chapter 4 introduces and describes in detail various methods, techniques and technologies that exist and can be used to provide locations of objects and people. It describes how they work and compares them to one another. Chapter 5 provides an overview of smartphone technologies, their increase in popularity and usage, and the hardware and software components that they possess and are built into them. It also examines how location can be detected using the technologies in the smartphone and its accuracy and effectiveness. Chapter 6 describes the design and implementation of the proposed research solution. Chapter 7 provides the assessment and evaluation of the implemented design. It performs a security analysis of the design against typical common threats and attacks. It also highlights the security, performance and hardware limitations of the implementation. Chapter 8 presents conclusions from the research work and recommendations for further improvement and future work.

15

2 Authentication and Access Control

2.1 Authentication
2.1.1 Introduction Authentication is a general term and concept that has a common meaning which applies to many areas and fields. The Free Dictionary [3] defines it as a noun from the word authenticate which means to establish the authenticity of; prove genuine. It is a means of identifying individuals and verifying their eligibility for example when entering another country. In other scenarios its the evidence by proper signature or seal that a document is genuine and official. It further explains that it is a security measure that is designed to protect a communications system against acceptance of a fraudulent transmission or simulation by establishing the validity of a transmission, message, or originator. In the field of Information Security, this definition is sufficient to explain the concept and process in some of the cases. For example, cases that involve computer networks, like the Internet, where messages are exchanged between entities that are initially unknown to one another. However, in many other cases a better definition would suffice. There have been numerous attempts to try to formalize the definition of authentication. Bishop [1] has a good definition in his book. He defines it as the binding of an identity to a subject. Security systems normally control access to protected resources based on the subject requesting the access. For example, Subject A is only allowed to access Resource A and not Resource B, which might belong to a subject B. These subjects represent and act on behalf of external entities, such as users of the system. The identities of these external entities are the ones that control the actions of a particular entity and therefore as a result, there needs to be a binding of an identity of that entity with a subject that is recognized by the security system. Another definition from Charlie Kaufman et al [2] describes it as process of reliably verifying the identity of someone (or something). Essentially, what it all comes down to is that authentication is the process by which an Information security system can be sure of the identity of an entity that is attempting access. We humans can recognize and confirm the identity of another person by looking at him if already know him or for example by looking at a picture ID of him. Digital systems cannot do this. Any system or user of a system can claim to be another. Therefore, for secure systems this claim needs to be verified. Authentication is the mechanism that is used to achieve that.

16

2.1.2 Authentication Factors Authentication factors are the basic instruments available to a human user to authenticate herself in order to convince a computing system of her true identity is known or registered in the system in question [4]. In order for an authentication system to verify the identity of the user or entity acting on behalf of the user, it needs to receive these factors as presented by the user. Based on this, a decision can be made on the authenticity of the identity claimed by the user. There are many different kinds of factors that are used in authentication schemes and mechanisms. Generally in many texts, they are classified into three categories: (1) what an entity knows, (2) what an entity has, and (3) what an entity is. What an entity knows: This refers to instruments such as passwords, secret questions and Personal Identification numbers (PIN). These factors are the most popular and commonly used ones. It is something secret that ideally only the valid subject should know. When the correct secret information is thus supplied during authentication, it proves to the system that the entity that supplied it is whom it claims to be. What an entity has: This refers to items such as badges, smart cards, access cards and hand-held tokens. They are usually something physical that the user possesses. Only a user who possesses the correct token can be successfully authenticated. For example, in building or offices if a user wants to enter a secured room, she may have to swipe an access card of some sort in order to be allowed access. This verifies her identity to the system so that a decision can be made to either allow or disallow her access. These factors are usually used in conjunction with what an entity knows to provide what is called multi-factor authentication (See section 2.1.4).

Figure 1: Examples of tokens (what an entity has)

What an entity is: This refers to measurable biological features such as fingerprints, voice recognition, retinal and iris scans, hands geometry, face recognition and handwriting. Since these features are unique for each person and can be measured, they can be used for authenticating purposes. For example, many laptops nowadays come with fingerprint readers that can be used to login into the computer. 17

In addition, some authors have suggested further factors that can be used for authentication; Where an entity is (Location): This refers to the either the logical or physical location of the authenticating entity. Physical location of an entity can refer to geometrical coordinates that for example be determined by GPS systems. Some research that has been done [5] shows that location information is relevant and can play a part in the authentication process. For example, a user A in Sweden who has a password, has accidentally disclosed it. User B who is in Russia finds this password and uses it to successfully login into user As account. User B here is clearly impersonating user A. Consideration of location in this case could have been a tipoff and the impersonation could have been prevented. Somebody an entity knows: This is one of a newer and novel factor dubbed the fourth factor that has been suggested by Brainard, J. et al. [6]. It refers to the use of human relationships as a factor for authentication. It achieves this by using the process called vouching, where one user called a helper uses her primary authenticator to assist a second user called an asker in cases of emergence authentication.

2.1.3 Existing Authentication Mechanisms: Advantages & Disadvantages 2.1.3.1 Passwords Password authentication is the most popular and common method of authentication used currently on the Internet. Passwords are secret credentials that are presented by a user in order to prove her identity. They belong to the category of what an entity knows. They are used on login pages on numerous services on the Internet, such as webmail service, online bank services, social network sites on so on. In order to provide the necessary security and prevent impersonation, passwords chosen by users should be good. A good password is a password that is not easily guessable. Therefore, in order to make good and strong passwords, the strategy used is to make them as hard as possible to guess. Good passwords include the following features: They are sufficiently long e.g. more than 8 characters They are not words or a combination of words from the dictionary They are made up of a mixture of alphabets (uppercase and lower case), numbers, symbols etc. They are not something closely related to the user e.g. date of birth, name of a dog etc.

Despite the existence of strategies for making strong passwords, authentication using passwords is still easy to abuse. Due to the simplicity and inexpensiveness in implementation, many systems use passwords for authentication. Total number of systems an average user interacts with has grown tremendously and keeps getting bigger each day. As a result, an average user has to deal with and remember a significant number of passwords in her daily use [89]. This is very difficult. As a result most users cut corners in 18

order to make their passwords use much easier to manage. For example they choose passwords that are simple and easy to remember [7][13], they use the same password in multiple systems in order to decrease the total number of passwords they have to manage [90]. All of this increases the risk impersonation. In addition, authentication using passwords also suffers from other problems. Passwords can be easily shared. One user, who is authorized, can easily disclose her password to another user who is not authorized. Also, since passwords are intangible things, their disclosure and abuse can easily occur without the users knowledge. In order to counter some of these problems and many others, many strategies and mechanisms have been designed and introduced. One such strategy has been the use of one time passwords (OTP) [8]. With this mechanism a password can be used only once and becomes invalid in the moment it has been used or after a certain period of time has passed. This can be achieved for example by using a special token device which has been synchronized with the authentication server and generates a random new password each time a user wants to authenticate. This minimizes the window of opportunity in which a password can be compromised. Similarly, many organizations also enforce password policies which force users to change their passwords regularly after a certain period of time [91]. Nevertheless users still try to find ways around these policies [92]. Another strategy which will be discussed further in a follow-up section used to compensate for the deficiency of passwords is to use them in combination with other factors, such as tokens and biometrics [12]. This is known as multi-factor authentication. It minimizes the chances of breach of authentication security. When for example the user password becomes compromised, the other factor (token or biometric) will act as a safeguard to prevent impersonation. 2.1.3.2 Smart Cards Smart card authentication is another example of an authentication mechanism which falls under the category of what you have. Smart card is a token that a user needs to have in order to successfully authenticate to a system. The use of a token is considered to be an improvement over the use of passwords. For example, remote authentication attacks become much more difficult. The attacker needs to get hold of the token (smart card) in order to authenticate as the user. Such tokens, such as smart cards, are more often used in applications which require a higher level of security. A smart card is a device that includes an embedded integrated circuit chip (ICC) that can be either a secure microcontroller or equivalent intelligence, with internal memory or a memory chip alone [10]. It is usually made of plastic and resembles a business card in size.

19

Figure 2: An example of a smart card

Smart cards are a popular choice for token-based authentication mechanisms. They are in common use especially in the financial sector, where they are used in combination with a PIN to provide a high level of authentication security for sensitive financial transactions. Examples include credit cards and debit cards. Another common use of smart cards is in the mobile telephony sector in the form of subscriber identity module (SIM) cards where they provide authentication for a mobile subscriber. Smart cards exist in many forms, shapes and sizes, but generally they can be categorized into three main types: Contact: These exist in form of a plastic card with a chip embedded in it. The chip can be used to store sensitive secret data such as cryptographic keys or to perform cryptographic operations. A contact smart card is used by inserting it into a special card reader and usually entering a PIN. In order to be read, the embedded chip has to be exposed and come in contact with the reader thus the term contact. Contactless: These are similar in appearance to contact smart cards, but in addition they come embedded with an antenna. This allows wireless communication with a wireless card reader over a very short distance. No electrical contact is required for the card to be read, thus the term contactless. In order to be read the card is just placed close to the reader. Thus they are more convenient to use than contact ones. Hybrid: These combine the technology of contact and contactless smart cards. Thus they combine the advantages of both types. They can be used with cheaper contact card reader that are more commonly available or they can advantage of the more convenient wireless card readers when they are available.

2.1.3.2.1 Advantages of smart cards as an authentication mechanism Smart cards as a token based authentication mechanism as has been mentioned in the previous section provide an improvement to use of a something you know mechanism such as password. With many problems facing password authentication mechanisms as has been highlighted, applications that require a much stronger level of security opt to use smart card mechanisms. Smart cards offer several advantages over passwords that improve the security in their use: 20

They are tamper resistant. Secret information can be safely stored in a smart card without the fear of being compromised or disclosed. The contents are protected with a PIN, thus preventing the information being divulged to unauthorized users. If an attempt to either compromise the data or brute force, the PIN is made the information would be locked or destroyed thus rendering the card useless. As such, smart cards can act as a safe repositories for sensitive data such as keys, passwords etc. They provide a possession factor. A user needs to be in a possession of a card in order to be successfully authenticated. This makes it harder for an attacker to impersonate a victim. If for example a card is used together with a password, an attacker has to steal both, the password and the card, which is much more difficult. In addition it is much easier to detect when a physical token is stolen than when a password has been compromised. They cannot be easily shared Since smart cards are physical tokens sharing of authentication credentials becomes more difficult. Passwords for example can be infinitely duplicated and shared between users, authorized and unauthorized. These users can then all use the same password at the same time. With smart cards, only one user can be successfully authenticated at a time.

2.1.3.2.2 Problems with smart cards Even though smart card authentication addresses some problems facing mechanisms, such as passwords and provide much stronger security, some problems still remain with their use. They can be stolen Even though it is more difficult to do so, smart cards can still be stolen. This is especially a problem, since they are something that is not used frequently. As such, it is not easy to detect when one is missing, thus giving an attacker a window of opportunity to do mischief. They require special readers In order for smart cards to be used, they require special reader to be available. These readers are still expensive and cumbersome for an average user to use. Most computers for example dont come inbuilt with a smart card reader thus making it difficult for smart cards to be used in many scenarios. Other advanced attacks against smart cards [93][94]

21

2.1.3.3 Biometrics Biometrics authentication mechanisms fall under the third category of authentication methods based on who you are. The use of biometrics is generally considered to provide much stronger authentication security compared to the other mechanisms, such as passwords and smart cards which are based on what you know and what you have. As such, biometric mechanisms have become a preferred method of authentication in systems and places with the highest requirement for security such as military bases, research facilities. Biometrics authentication works by using physical characteristics that can uniquely identify a user and match them to known profile. Every human being has some physical features distinctly unique to him or her. If these features can be sufficiently measured, then they can be used as a good means of authenticating a particular user. Since these features are biological, the identity that is authenticated is much more closely linked to a human user. As such, this type of authentication can provide a stronger basis for situations that require a higher level of non-repudiation. Biometric authentication systems are automated methods of verifying or recognizing identity of a person based on some unique physiological feature. These systems usually involve a device that measures a particular physiological property and a database storage containing a collection of previously scanned user profiles used for a comparison. Biometric authentication involves two main aspects: identity verification and identity recognition. With identity verification the aim to is to prove that a certain user is who she claims to be. As such, a user being identified presents a claim to an identity. The system checks and compares this against a stored copy of the identity and either accepts or rejects the claim made by the user. Identity recognition on the other hand is somewhat different. The focus here is to determine if a particular person or user belongs to set of authorized or recognized users. When a user presents an identity claim, the system has to look through a collection of stored profiles and pick one that matches. This aspect of identity recognition is thus much harder process and problem, since the system has to compare many records before a decision can be made. If the differences between people are subtle, the process becomes even harder. There are many examples of specific biometric technologies that are used to achieve authentication. They can be classified into two main categories: physical-based and behavioral-based. Physical-based biometric authentication mechanisms are based on unique body features found on people. These features are measured, quantified and used to provide a means of identifying people. Examples include: Fingerprint scanning which has is one of the oldest techniques that has been used for identifying people. Retinal scanning which relies on unique patterns in an individuals retina. A person looks through a scanning device where a low-energy light is shone onto his retina and from the patterns of her capillaries, she can be identified.

22

Face scanning, a relatively new technology which depends on a select number of facial features that can uniquely distinguish one person from another. For example size, shape and position of eyes, cheek bones and nose [14]. Hand scanning which involves measuring and analyzing the shape and patterns on a persons hand.

Behavioral-based mechanisms depend on dynamic characteristics of people that are sufficiently unique from individual to individual. These include: Keyboard keystrokes timing where the way and the rhythm in which a person types is measured and recorded to create a unique profile which can later be used to authenticate the person Hand signatures which is a traditional method that has been used for a long time in the paper world for proving the authenticity of the identity that produced a document. This technique has also found its way in the digital world where hand signatures can be scanned and compared digitally.

2.1.3.3.1 Advantages of biometric-based authentication methods Biometric authentication methods offer several unique advantages compared to other methods that are based on different factors: They provide authenticity of an identity that is more closely linked to a real human being. They provide a higher degree of proof to support non-repudiation. Since biometric authentication depends on features that are derived from a real human, the actions that are performed after authentication can be attributed with a high level of confidence to a particular unique user. With other methods for example passwords it cannot be easily determined the real person who was authenticated. The password can be easily acquired and present by any person. Biometric authenticating factors cannot be easily shared from user to user. As such it is not easy for one authorized user to transfer his or her level of access to another who may not be authorized to have it. Only one person who possesses the biometric feature can be successfully authenticated to the system. There is no need for remembering secret information or carrying additional tokens. Our memories are limited and as such remembering secret information for authenticating into many systems becomes a problem. The same also applies with carrying tokens. As the number of systems increase it becomes cumbersome to carry around different tokens in order to authenticate. Biometric-based mechanisms solve this. The features used for authentication are already possessed by the user (who you are). Nothing else is needed. This is more convenient and user friendly. 23

2.1.3.3.2 Problems with biometric authentication Despite the unique advantages offered by biometric authentication mechanisms, the level of adoption especially in consumer-level applications has not been extensive. Some of the problems that have led to this include the following: High implementation costs. The special biometric devices used to perform authentication are still expensive to be employed in normal use-cases. Unreliability of the technology (False positives and negatives). The technology used for biometric authentication still has not been advanced and developed enough to produce results with 100% accuracy all the time. Since the physiological features that can uniquely identify us are highly variable, the system can still make mistakes in many instances. These mistakes can be of two types; false positive where a wrong user is successfully authenticated as another or false negative where a valid user cant be authenticated and is rejected by the system. Until these errors can be reduced to a negligible percentage, biometric-based authentication methods wont be viewed as a viable option in the majority of use-cases. Biometric-based methods are highly intrusive to the privacy of users. The process of authenticating involves scanning, recording and storing of biological features such as faces, fingerprints and other sensitive private and personal characteristics. If this information is not sufficiently protected it can lead to a serious leakage and violation of a persons privacy since this information can be directly linked to a specific person. With other methods e.g. username and passwords even if disclosure occurs there is still some small level of anonymity that can be attained especially if the information is not descriptive. Also in addition many people are still not completely comfortable with using biometric mechanisms [95]. For example looking through an eye piece in order for iris or retinal scan to be performed Changes (natural and unnatural) to physical features can cause a lot of problems to the authentication process. For example with systems that depend on voice recognition problems can occur if a user has a cold or the level and pitch of the voice changes for some reason. Fingerprint scanning systems can find it difficult to recognize a fingerprint if a persons finger has been cut, burnt or is dirty. If a user for example damages an eye, she can longer be authenticated using retinal or iris scanning. In addition even with the specialized technologies that are being used in biometric mechanisms, these methods can still be fooled in various methods and with varying degrees of difficulty [17]. For example fingerprints from an authorized user can be lifted from things that she has touched and be used to fool a fingerprint based authentication system [96]

24

2.1.4 Multi-factor authentication From the previous few sections we have seen a discussion of a few examples of authentication methods based on the classical three factors of authentication. Each particular method has been shown to have some specific strengths and weaknesses. Many protected systems usually choose one mechanism and rely on it for the purpose of doing authentication. For example many systems on the Internet use a combination of username and passwords as the main authentication method. The main problem with this kind of approach is that the system ends up having a single point of failure. Since each single mechanisms has some potential weaknesses, if these are exploited and the system depends solely on the particular mechanism then the whole systems security would be breached or bypassed. Clearly depending on a single factor of authentication is not enough.

Table 1: Attacks against various authentication modes [16]

25

In order to address this problem, a common strategy employed is to use a combination of multiple methods or factors instead of one. This is known as multi-factor authentication. The reasoning behind this strategy being that, if a system relies on multiple different factors and one of them becomes compromised then the other remaining will offer an added layer of protection. The strength of a particular single factor compensates for the weaknesses of another. It becomes much more difficult for an attacker to bypass the authentication protection. One has to find vulnerabilities for each specific mechanism which in combination can be exploited in order to breach the systems security. For example, in an authentication system that depends on a username/password and a smart card (two different factors), if the users password becomes disclosed or is stolen, she would still be safe since the token would still be in her possession. Both factors are needed for successful authentication. This offers a higher level of authentication security especially in security critical applications. Even some of the biggest Internet companies such as Google and Facebook have realized the benefits of multi factor authentication and have rolled out these features in their core products [18][19]. Other examples include the use of SecureID [20] which is one of the popular multi-factor authentication schemes that is being used on the Internet. Multi factor authentication has even lend its benefits to poor people in areas such as India where it has been used with success to aid in providing food to the proper people [11]. In general from this line of reasoning it can be seen that the more number of authentication factor a system relies on the stronger it will be security wise [97]. A system that relies on two factors will be much less resistant to attacks compared to a three-factor based mechanism which in turn will also be less resistant compared to a four-factor based method and so on. Despite this obvious outcome, it is usually not feasible or even desirable to keep increasing the number of factors for an authentication system. A major reason for this is the increase in complexity of the process which leads to usability problems. One of the guiding principles of security systems design is simplicity [98]. A security solution should be as simple as possible. The moment a mechanism starts to become too complex, the risk of something going wrong also rises. When users find a process too cumbersome to use, they tend to cut corners and make shortcuts that may end up being very costly. For example users in organizations who have to deal with too many restrictions in their password choices end up trying to game the system by choosing similar passwords as previous ones, writing their passwords down on a piece of paper, using the same passwords on different systems and so on. In conclusion, multi-factor authentication is clearly offers a better approach security-wise when designing or implementing an authentication mechanism. However, a balance has to be observed and maintained to ensure that a mechanism doesnt become too complex so as to offset the benefits of using it. In this thesis we are introducing an additional location factor to further improve authentication schemes in the most convenient way using smartphones technology. This will be described further in future sections.

26

2.2 Access Control

2.2.1 Introduction Access control is another central theme in the field of computer security. It is one of the important aspects and goals when securing systems. When a systems is being secured, access to its protected resources and objects should only be allowed to a given to the entities that have been authorized to have that kind of access. An access-control system is defined as the secure evaluation of whether an established identity has access to a particular computing resource, also referred to as an object [22]. Sometimes it is also referred to as access authorization or simply authorization. Due to the nature and architecture of many IT systems computer resources are usually shared among multiple users, processes and machines. In organizations employees generally share and have access to centralized resources such as databases, records and various internal systems that are necessary for performing their duties. On the Internet due to the server-client architecture of many applications, a large number of users (clients) are usually served by a single or only a handful of servers. For example, when using popular web-based email services, the email records for a large number of users may be located in a central repository database. Since this information is private or might be sensitive, it would be undesirable for one user to be able to access anothers data. The same goes for any other IT system that deals with many users and involves sensitive data and processes. The system should be able correctly identify, distinguish its users and act accordingly. Access control is an aspect that is closely linked with authentication. In order to function and achieve its goals, it needs to go hand in hand with authentication. Before a decision can be made about whether a certain entity has a right to access an object or not, the identity of the entity involved needs to be confirmed first. This as has been described in previous chapters is what authentication does. After an entity has been properly identified and authenticated then the access control system can safely grant access the correct entity. Some examples of access control use both in the IT environment and in real life include; a lock on your front door house is a form of access control ensuring that only authorized people (your family perhaps) with keys can enter your house. Access control in computer security involves controlling which principals i.e. people or programs acting on behalf of people, have access to which resources in in the system i.e. files, programs, network, with what kind of access rights i.e. read, write, execute and under what conditions [21]. Only entities that meet and satisfy all the requirements can be granted access to the resources. In order to be able to control this, first an access control system intercepts all access requests to protected objects. This can be achieved through a variety of ways and levels depending on the architecture of the system in question. Secondly, an access control system also depends on a collection of rules and directives that govern its decision on

27

whether to allow a certain request or not. This is usually called an access control policy. It will be described further in a future section. 2.2.2 Access control components The description of any access control system and mechanism at its core involves a small number of components or terms. As described in the previous section the purpose of an access control system is to evaluate whether a subject representing a principal can have access to an object. This definition contains a number of important terms that represent these components that form the basis of an access control mechanism. These are as follows; User A user is usually a human being. In other cases it can also be a program or process that has been started by a human and is acting on behalf of the human. In the context of access control systems it is a term that describes an association between a computer and an entity that is accessing the computer resources. It is the entity that wishes to perform a certain function or access certain data on the system. Principal This is the internal representation of a user in the protected computer system. This can be in various forms for example a name, user ID, number and so on. It is an identifier that has to be unique for each user in the scope of a particular access control system. A single principal cannot be shared by a multiple number of users. However, a single user can have more than one principal in the system that is associated with her. Subject A subject is a running process that acts on behalf of a particular principal inside a system. It inherits the identity and privileges of a principal and performs actions that the principal was authorized to conduct. Subjects are the entities that are used in the description of access control policies to represent the users and describe what capabilities those users have in the system Object An object is simply the protected entity that is accessed through the access control system. It can exist in many forms. It can be a software resource e.g. a computer file, a database record, a program or part of a program and so on. It can also be a hardware resource e.g. the network adapter, printer, external hard disk etc.

2.2.3 Access Control Matrix An access control system controls access to protected objects by making decisions based on a policy that is usually created by the administrator of system. A policy is a collection of rules governing and determining who has access (subject), what kind of access she has (right) and what type of resource she has access to (object). 28

In order for this policy to be used, it has to be expressed in some that can be recognized and understood by the access control system. There are a variety of ways of doing this [99]. However, there is a general model that is used to conceptually describe an access control policy of a system. This is called the access control matrix. Table below shows how a typical access control matrix would look like
file 1 read, write, own append file 2 read read, own process 1 read, write, execute, own read process 2 write read, write, execute, own

process 1 process 2

Table 2: An access control matrix [1]

Rows from the table represent subjects while columns represent objects (Note: process can both be treated as subjects and objects. Each cell (intersection between rows and columns) represents the specific rights the corresponding subject has on the object.

2.2.4 Access Control Lists and Capabilities In order to reduce complexity and for easier management, access control matrices are not usually implemented as they are in practice. Instead simpler variations of the matrix Access Control Lists (ACLs) & Capabilities are used to express the access control policies [1]. Access control lists correspond to columns of the access control matrix. Every object in a system is associated with an ACL which is used to control access to it. The ACL is usually stored together with the object that it represents. It consists of a set of pairs, each containing a subject and a set of actions (access types) that the subject is allowed to perform. Since in practice this set of pairs might be quite long, subjects are usually organized in a small number of groups in order to reduce the size of the ACL. A good example of ACLs is the UNIX (and Linux) system of access control permission. Every object (file) created in UNIX system contains a set permissions that are expressed using an ACL. The subjects in the ACL are divided into 3 classes: owner, group (owners group) and others. Actions that each class is allowed to perform are then specified. These usually include read, write or execute. One big practical advantage of ACLs is that they facilitate in answering common system security queries such as which subjects are allowed to read a particular file X in this system? and so on. Capabilities on the other hand correspond follow a somewhat opposite approach. They correspond to rows of the access control matrix. Every subject recognized by the system is associated with a collection of pairs, each containing an object and a set of actions that are allowed on that object. Before a subject can access a particular object it needs to present a capability that proves its authority to access it. These capabilities are usually presented in a system by a process that is acting on behalf of a user. 29

Both ACLs and capabilities can be used to efficiently represent and implement a particular access control matrix. However when you compare them, you can see a slight advantage of ACLs over capabilities due to the different approach they take in dividing and representing the matrix. In general, there are usually two questions that can be asked of in an access control system: (1) given a subject, what objects can she/he access and with what rights? And (2) given an object, what subjects can access it and with what rights? Capabilities are better suited to answer question 1 while ACLs are suited to answer question 2. Since in practice the second question occurs many times more, it becomes more useful to ACLs instead of capabilities. 2.2.5 Access Control Models 2.2.5.1 Discretionary Access Control (DAC) Model This form of access control is owner-based. It is the most flexible among the classical access control models. The owner of the object in the system controls access to it. Privileges and access rights to objects are granted in a discretionally fashion. Typically, the creator of an object in the system by default becomes the owner of the object and possesses all the rights over it. From then on, in a discretional way an owner can grant access to the object to other users or processes. This way access rights can propagate step by step throughout the system in an unbounded fashion. Because of this a DAC-based model is usually suitable in less sensitive scenarios such as civilian and commercial application and systems. In practice, in order to maintain a stronger level of security the model is usually implemented with deny as default. This means that access to an object is denied by default unless it is explicitly allowed by the owner. This way access is granted to only authorized subjects. 2.2.5.2 Mandatory Access Control (MAC) Model In this model access to objects is administrator-controlled. The administrator of the system decides and controls who has access to what in the system. Users/Owners of objects have no control over them. They cannot propagate access rights for objects (even the ones created by them) to other subjects. This type of model is more restrictive compared to the other classical access control models. As a result it is usually used in systems that require stronger security controls such as military systems. As an example one of the original examples of a MAC-based model was the Bell-LaPadula model. In the model, subjects possess clearance labels and objects possess classification labels. These labels signify the security level of the entity concerned. Access to an object is granted or denied depending on the security levels of the subject and object. Only subjects at the same or higher security level (clearance label) can access (read) an object with a particular security level. In addition, subjects cannot create or write to an object with a lower security level than they possess. This way access to objects is restricted to a need to know basis and disclosure of high-level secrets is prevented. 2.2.5.3 Role-based Access Control (RBAC) Model Access control in this model as the name suggests is based on roles and not subjects. Access to objects in the system is controlled depending on a few numbers of roles that are assumed by subjects. This type of model tries to mimic how access occurs and is controlled in real life situations. Users usually access 30

systems and perform functions depending on their roles and what is required of them. These roles provide an abstraction that encapsulates a set of responsibilities and authorized actions that are associated with them [22]. An administrator of a system usually defines a small set of roles and what kind of actions those roles can perform. Subjects in the system are then assigned to these different roles. Typically, a subject can be assigned to multiple roles as needed. Since an administrator has to deal with a small set of roles (he does not need to assign permissions on a per user basis), the model facilitates easier access control management. In addition, it provides a level of flexibility which allows it to be a policy neutral kind of access control model. As we are going to see in future sections this is one of the reasons most locationbased access models are based on RBAC-based models.

31

3 Location factor in authentication and access control

3.1 Background
In the previous chapter we have looked at some of existing authentication methods. We have seen that these methods and mechanism are not completely attack-proof and that there is still room for other solutions and improvements. One such solution is the use of an additional location factor. In this chapter we are going to describe the concept of location and how exactly it might improve the authentication process and consequently the security of computer systems and networks. We are also going to look at some potential location-based security models that may provide the foundation and framework for implementing location-based security systems. We have already looked at some traditional access control models. In this chapter we are going to describe some extensions to these models that have been proposed in order to accommodate the location information in access control decisions.

3.2 Importance and benefits of location in security

With computer networks or cyberspace, the notion of location usually becomes non-existent. In the physical world we are used to distinguish and separate entities depending on their physical locations. We have different nations separated by national borders; we have regions, cities, streets and so on. It is trivial to associate a person with his/her location. This situation however, is different in cyberspace. In cyberspace it is very difficult to associate a user or a node with a physical location. Systems in cyberspace do not care about or consider a users location. A user with username X is treated the same whether he logs in from Australia or Canada. This situation has caused several problems. First, it has made it very difficult to prevent unauthorized access to computer systems or to privileged accounts. It is still common to hear every now and then stories about intrusions to sensitive computer systems of big companies and institutions [100] [101]. Secondly, it has also made the task of finding the perpetrator difficult, once an intrusion has occurred. When the attacker hides behind a layer of nodes and proxies it becomes almost impossible to trace him back to his physical location. There have been numerous stories about cyberattacks where the source was unknown or never found [102] [103]. The security of computer systems can be improved by the use of physical geographic locations in the authentication and authorization process location-based authentication. Dorothy and Macdoran [23] have written about the importance of location-based authentication. They have stated that location-based authentication has the effect of grounding cyberspace in the physical world. It removes the borderless nature of cyberspace and makes it resemble the physical world more closely. The location information adds a new dimension to the normal interactions between users and systems in cyberspace. The location from where a user is logging in from can be determined. This can be used to control access to sensitive computer systems, transactions and information. For example, an attacker from Sweden wont be able to login into a Bank in the UK while pretending to originate from somewhere else. 32

Location-based authentication has many benefits over existing authentication methods. It can provide a continuous authentication service which helps to prevent connection hijacking. For instance, through continuous location detection a user can be automatically and transparently logged out a session when he moves away from the computer. The location of the user is used for authenticate and maintain the session with the computer. With other methods manual logout is necessary once a session is no longer needed. Otherwise valid session could be hijacked by an attacker who finds it. Location can function as a common authenticating factor for all systems that a user may need to authenticate to. With other factors such as passwords and tokens, it is usually not advisable to share or use the same common factor with many systems. For example, as described in the previous chapter a common advice for password usage is to try to use a different one for every single system. This of course starts to get cumbersome and unmanageable once the number of systems becomes large. With location however, a single location value can be used for many systems without any problems. A particular physical location is unique by nature. If access to two different systems is limited to the users physical office location, then it is the same single location value that is used for both systems. This way of location use becomes particularly helpful in single-on scenarios. If location is used, a token device cannot be stolen and used somewhere else to gain authorized access to protected systems. With purely token-based systems there is a risk of the device being stolen or lost and be successfully used in another location. For example, if a user uses her mobile phone as a token to login into her account on a banking site and it becomes stolen, the perpetrator could use it to successfully login and impersonate the user. However, if location is taken into account it becomes more difficult to compromise the system. If a user has to be situated in her home with the mobile phone, then the attacker cannot use the mobile phone as the token elsewhere. He has to physically be in the users home to do so. Location-based authentication does not necessarily require a secret at the user side or at the authenticating system. If the mechanism used to produce the location signature cannot be spoofed and the location can be verified securely then no secret is needed to ensure a secure authentication process. Location is a physical property that is not a secret. If a user is the particular physical location and can unambiguously prove it then thats all that is needed to perform authentication. Location can be used to ensure that sensitive or privileged operations can only be done in secure and authorized locations. Operations such as elevating user privileges, editing systems files, initiating electronic funds and so on can be limited to particular locations such as inside offices buildings. It can also be used for the purposes of authenticating financial transactions, for remote control of critical systems and for preventing corporate secrets from being downloaded outside of company systems. Location can be used to supplement and complement other authentication methods. It can add an extra layer of protection to ensure a much higher level of assurance against intrusions from unauthorized location regardless of whether other methods have been compromised. It makes it much more difficult for an attacker to compromise a system. This is especially useful in critical systems that require a high level 33

of security assurance military command and control systems, air traffic control systems, banking systems etc. If the location factor can be introduced in a transparent and non-obtrusive way, the security of these critical systems can be strengthened without affecting usability much. One major problem for security in the digital world is trying to identify perpetrators and attackers of computer systems. It is very difficult to trace back a particular attacker to a physical location. Locationbased authentication can be very useful in this regard. It can help in locating of perpetrators of computer attacks and breaches, originators of fraudulent transactions in financial systems, sources of death threats in online communications systems and so forth. This ability for tracing back location of users and sources (the loss of anonymity) would also act as a deterrent for potential attackers and hackers. In a similar manner instead of tracing and apprehending perpetrators, location-based authentication can be used to absolve innocent people who have been accused of malicious digital activities. Host spoofing another major problem in cyberspace can be prevented by using and incorporating location information in host communications. In many existing systems, protocols and networks, hosts usually communicate and identify each other by using logical IDs e.g. hostnames, IP addresses, MAC addresses, SSIDs etc. These forms of identification can be easily spoofed by malicious hosts leading to different kinds of attacks. Even though there are many other solutions that can be used to prevent this, location information can also provide a simple solution to protect against host spoofing. A hosts location would also have to be authenticated before it can be accepted as valid host in communication. Location-based authentication can be used to enforce export controls for digital products. With existing systems and authentication methods it is very difficult or practically impossible to limit distribution of digital goods and information across nation borders. For example, export of cryptographic software, distribution of digital media and licenses etc. These are usually subject to laws and regulations which control their distributions depending on locations i.e. countries, regions and so on. Several schemes such as IP-based localization have been used to enforce these controls with unsatisfactory results. Locationbased authentication schemes which can provide precise physical locations can offer a much better solution in these scenarios.

3.3 Location modeling/Representation

Domnitcheva [25] discusses and highlights the importance of having a solid location model that can sufficiently serve the purpose of a particular location-based system. A location model should first allow a system to communicate with people in a human understandable way. It should also allow a system to determine or estimate the exactness of location information provided depending on the usage scenario. And finally it should be able to deal with various ways and formats in which location data is obtained from different location sensors. A location-based security system is mainly based on the physical location of a particular user or node at a particular moment of time. It is important that this information, called the location signature is represented and modeled in a clear and non-ambiguous way. The design and functionality of a location34

based security system greatly depends on the foundation of a good location model. For example, the geographic coordinate model (latitude and longitude) specifies a precise location but it is difficult for human beings to deal with. Instead human understand and describe locations using descriptive names which are not exact and can be become ambiguous to digital systems. Location can be obtained through a variety of ways and sensors. These sensors, called location signature sensors (LSS) e.g. GPS receivers produce signatures that are in different formats and with varying uncertainty values. A security system should be able to deal with all these various formats in order to make correct security decisions. There are a number of different ways in which location can be represented and specified into location models. One of these divides location into two models; physical location and geographical location [25]. Physical location provides an absolute, accurate and grid-based position in the form of a latitude and longitude pair sometimes with the addition of altitude measurements. Geographical location on the other hand deals with natural geographic objects and describes them in terms of for example countries, cities, postal addresses and so on. For the purpose of location-based computer systems there are three basic models of representing location: symbolic, geometric and hybrid. 3.3.1 Symbolic Location Models Symbolic models refer to locations using abstract symbols i.e. names [26]. For example home, office, room 500 etc. In the model, locations are represented as sets while located objects are represented as members of sets. Symbolic location models can be classified according to whether locations can overlap or not and their hierarchical ordering. A simple symbolic model such as the cell model will result to an exclusive symbolic model e.g. zone model if location overlap is restricted. Furthermore, if hierarchical ordering is included a simple symbolic model and an exclusive symbolic model will lead another class of symbolic models known as location lattice and location tree respectively.

35

Figure below shows the classification of symbolic location models.

Figure 3: Classification of symbolic location models [26]

Since symbolic models represent and allow locations to be referenced using abstract symbols/names, they provide a system that is very convenient for human interaction [25]. Access control to the location information is also facilitated by the fact that the location is referred to by name [26]. In addition, names of places can organized hierarchically more easily and additional secondary models of location information can be overlaid on top in order to achieve further semantic flexibility [25]. Some of the disadvantages of symbolic location models include: their requirements for additional layers of indirection; their dependency on the application domains the usefulness of named locations depends on the domain; the need for manual management and constructions of symbols for locations; and the restriction of spatial resolution of the location information represented in the model [26]. 3.3.2 Geometric Location Models Geometric models refer and represent locations as points, areas or volumes within a coordinate system [26]. These models are based on other reference coordinate systems. Locations (and also located objects within) are all represented by sets of coordinate tuples. Everything in these systems is represented by location tuples. A geographic location model can be based on a single reference coordinate model thus forming a simple geometric model or it can be based on multiple reference coordinate models forming a unified geometric model. The use of multiple coordinate systems can be useful in many cases. For example, a person driving a car through a city can be located relative to the car or relative to the geocoordinate system (i.e. the city).

36

Figure below shows the classification of geometric location models.

Figure 4: Classification of geometric location models [26]

Some of the advantages of geometric models include: accuracy preservation of the location information (unless there is a loss during mapping between coordinate systems); flexibility in querying for the location information; simplicity of sensors and applications since they only need to understand and recognize a single coordinate system in order to exchange information with the location-based system; and the coordinate systems can typically be reused without any need for customization [26]. On the other hand, geometric models make efficient design difficult since the location coordinate data is only structured weakly. All location information about objects of interest have to be transformed into one of the reference coordinate systems in order to be used. As a result applications and device especially with restricted memory and processing capabilities are burdened and overloaded with geometric data and computation. In addition, management of the location information i.e. access control becomes much harder since it requires symbolic location names. As a result a separate directory might also be required in order to map coordinates into data that is easier for applications and people to understand. 3.3.3 Hybrid Location Models This model combines the features of the previous two models. Location here is represented by using both coordinates as in geometric models and by abstract symbols/names with membership in multiple location domains as in symbolic models [25]. A location can be fixed with a well-defined area or it can be a large moving object with changeable absolute coordinates and thus also its own coordinate system. In this model once an association between two located objects is established, it cannot be changed anymore in a single instance of the model. For example a person and the building he currently is in office, his house etc. The reason for this is because time is not considered as a parameter in order to keep the system simple.

37

Figure below depicts the hybrid location model

Figure 5: Hybrid location model [25]

3.4 Location-based security models

In previous chapters we have discusses about some of the existing classical access control security models: DAC, MAC and RBAC. In most use cases, these models were sufficient to formally represent and enforce typical security policies involved in computer systems use. Access control decisions are typically based on the combination of logical factors such as subject, object, role and action. The models were designed to particularly represent these features. As such in order to incorporate location information in security decisions, new location-based models are needed. Many such models have been proposed in various literatures [104] [8]. The main approach has been to extend the already existing classical models especially RBAC, to include location related features and form a new class of access control model known as Location-based access control models - LBAC. There have been a few proposals of LBACs such as by Ray and Kumar [28] that have been based on the much older Mandatory Access Control Model (MAC). Decker [27] describes specific requirements and features that a location-based access control model should satisfy: A model should have the ability to support the concept of abstract location in addition to geometric locations. This allows easier and more general policy design. For example, the role 38

secretary can be restricted to an abstract location of office room. This office room could apply to any physical location and could have different values for different individuals Location restrictions should be assignable and applicable to all or several entities involved in the model. This makes it much easier to define location-based security policies in all kinds of different scenarios. For example, a location restriction could be assigned to a role such as a nurse such that she can access medical records only when she is in a hospital room. Location restrictions could also be assigned to permissions. For example, the remote control of x-ray machine could be restricted to a user in the x-ray lab despite location restriction of the users role. A model should be able to express both positive and negative permissions. It should not only be able to state what is allowed at a particular location but also what is not allowed at a particular location. This ability would be useful in some cases where it is much easier to enumerate locations that access is not allowed. A model should allow the concept of dynamic location restrictions. The creation of location restriction should be flexible enough to satisfy more usage scenarios and to ease management i.e. in addition to configuration by administrator location policies can also be specified by users themselves or by certain actions during runtime. It should be possible to express the requirements for the location sensing technology that is used in a location-based security model. Different location sensing technologies and architectures have different levels of easiness that allows for location spoofing. For example, a location reported by a GPS equipped mobile device is completely self-determined by the device and the trustworthiness of the estimates depends totally on the security state of the device. Additional security measures would we advisable in this case for instance The imperfection of location results should be taken into account by model. Many location technologies usually report their location estimates with a range of possible error or probability of accuracy. Therefore, the model should also allow security policies to be expresses in this kind of language. For example, if a user is within 10 meters of an office building he should allowed access to company documents. Also since location determination technology is not 100% perfect, a location-based access control model should allow fuzzy access control decisions. The decision to allow access should not be limited to yes and no or to permit and deny. It should also allow a range of values in between. For example, if the location of a user cannot be determined with a certain level of accuracy then only some of his privileges or actions may be activated and allowed respectively.

In Location-based access control systems (LBAC), in addition to roles or security levels subjects also need to be in certain locations to perform certain actions. Location-based conditions also need to be expressed in the policy and evaluated during the authentication and authorization process. In addition to location, other types of contextual information can also be exploited leading to temporal and movement aware location-based access control systems respectively. 39

Cleeff et al. [29] describe a general model of a location-based access control model and how it deals with location and other contextual information in general.

Figure 6: LBAC System internal model [29]

Contextual information such as location is combined with the logical access control factors and applied on extensions of the classical access control models to form an LBAC system. There are many examples of location-based access control models that have been proposed by various authors. Most of them as already described have been a result of extending existing models especially RBAC. They are all similar in the fact that they abstract the concept of location (they can support multiple location models) and can use it to provide additional restrictions in access control decisions. The difference is in what stages or points in the model the location restrictions are applied. In the GEO-RBAC model [30] the location restriction is applied during role activation. The model defines the concept of role schema. Actual roles that are used are instances of a particular role schema. Roles assigned to users are activated based on their locations. The model also describes the type of location e.g. building, town etc. that a certain role can be restricted to. On the other hand with the SRBAC model [31], the location restriction is applied during the assignment of permissions to roles. Specific permissions and privileges associated with a role are either turned on or off depending on the location. For example, a doctor in an authorized location i.e. hospital building can obtain the full set of permissions to patients record such as read and write while for the other locations the write permissions for the doctor may be turned off. These location restrictions can be extended to apply even in cases of role inheritance where a senior role inherits permissions of junior roles.

40

Lastly, the LoT-RBAC model [32] provides more flexibility by combining and supporting the features of the previous two examples. In this model, location restriction can be applied during role activation, associations between roles and permissions and during the assignment of users to roles.

3.5 Privacy issues

Location-based authentication and authorization entails collecting a lot of location information associated with the user. Every time a user accesses a system protected by a location-based scheme, his/her location has to be determined and verified by the system. Since this can happen many times even on a single day there is a potential to track the physical location of users. This is great concern that has been pointed out in many works related to location-based systems [105] [106]. The physical location of a person is a sensitive and a private piece of information. It is something that should be handled with great care and not abused in any shape or form. The recent iPhone debacle [107] demonstrates the seriousness of this issue. There is usually a huge uproar whenever people get a feeling or realize that something closely associated with them such as their physical location is being tracked or misused. Companies with such practices or who make such mistakes can even get into legal trouble because of it [108]. As such any system that has the potential to collect this location information has to take measures to ensure that it is handled in a proper way. There are a lot of suggestions and strategies (by organizations and research studies) that have been put forward to ensure that location-related information is not abused [109] [110] [111]. One of the solutions proposed is the introduction of stronger laws and regulations to control and protect the privacy of users whose location is collected. There are of course already a number of laws in different countries that are related to this kind of information [112]. These laws and regulations offer protection to users regarding the collection and disclosure of their location information. For example, in some jurisdictions subpoenas and court orders are required before this kind of information can be disclosed to a government agency. Even private companies have some restrictions and limits on what kind of location information they can collect, how much can be collected and how it can be used. Laws and regulations however is only the first step in ensuring the protection of location information. There are also additional technical and procedural measures that can be taken to protect this sensitive information. One such procedural safeguard is making sure that only location information that is absolutely needed is retained in the system. Location can be determined at different resolutions and precisions e.g. within meters, within a building, city or country. Depending on the application different systems may require different levels of precision. If a system only needs the general location of the user in order to perform its function then a more precise location is not necessary and should not be provided. For example, if a location-based authentication and authorization system is country based i.e. it only needs to confirm that a particular user is in a specified country, then the specific location within the country is not required and should not be provided even if the particular location sensing technology allows more precise location to be determined. In addition, the location can also be represented and used in a way that doesnt reveal too 41

much information. For instance, logical names i.e. at home, in office can be used for description instead of specific coordinates. Another strategy is to retain the location information only for a limited amount of time. In many cases like for the purposes of security the users location does not need to be retained for a long time. Once it has been determined and verified there is no longer any need to keep the information stored in the system. Or even if this information is needed only the most current might be necessary. This reduces the chances of the information being disclosed or misused. That was the problem with the recent iPhone location scandal [107] where too much information about the users location was stored and on top of that was easily accessible. In some cases information up to a year past was still accessible. Lastly, another possibility would be to relinquish the control of location information disclosure to the users. Give users a chance to opt-in into giving out their physical location and giving them total control over the process. This means notifying them that the information is collected, when it is collected, what kind of information it is and giving them the ability to opt out in case they dont want to do this anymore. Most smartphone applications and operating systems (Android and iOS), already use this kind of approach where the user is asked for permission every time his/her physical location is to be determined. For a location-based security system a user can be given a chance to opt-in into the process or not. However, since by opting-out the protection offered by the location factor wont be available, one solution would to be disable some of the more sensitive actions or privileges unless the location-based security is used.

3.6 Related work Location-based systems

A fair number of research studies have been performed in the area of location-based security. Many of them have been focused on designing and constructing general conceptual security models for these kinds of mechanisms. Some have demonstrated and justified the use of location in improving existing security mechanisms. Others have proposed protocols, which however apply only to specific scenarios. A general and flexible approach that can be applied in many different situations is still lacking. A method that takes advantage of the recent advancement in locationsensing technologies, especially in smart phones, is needed. These advancements have led to the improvement and reliability of location information and thus rendering it more useful. Earlier approaches have relied on technologies, once considered stateoftheart, but currently either obsolete or mainly not adequate. In addition, these approaches require extensive user involvement making them less userfriendly. With the current technology it is possible to make this technology transparent and convenient for users. Denning and Macdorman [23] were among the first authors to perform research studies about locationbased authentication and to highlight its importance for improving network security. In their paper they argued that location information can be used for both preventing network breaches and also for facilitating investigations in cases when breaches occur. In a virtual environment where physical borders 42

are blurred, location determination during authentication can be helpful in many scenarios e.g. remote access to critical systems, authenticating financial transactions, enforcing export controls on software and so on. They describe a technology by the International Series Research in USA, called CyberLocator, that is used to achieve location-based authentication by using what is called a location signature. A client that wants to access a protected resource is challenged to provide a location signature, which is then verified by the Server. The Server does this by also computing its own location and comparing it to the one provided by the client. Since the location signature is unique for each location at any given time, this information cannot be spoofed or replayed later. However, in order to achieve this, CyberLocator needs its clients to possess a special kind of GPS sensor that is different to the ones that are commercially available. Looi, M. [33] suggests the use of location factor (a fourth factor) in order to enhance authentication services on the Internet. Two advantages are pointed out: (i) improved access control, since access can be controlled depending on the users location, and (ii) improved audit/evidence information, since the location from which a user authenticates can be recorded. This information can be of great help in cases of investigations when something goes wrong or if a breach occurs. Also, in the paper the author proposes and describes an authentication system that incorporates multiple factors and uses the help of mobile networks to retrieve and produce location ID that can be added to the proposed authentication scheme. Location is only determined using GSM Cells ID with the help of mobile operators. The author discusses other potential methods that can be used to improve the accuracy of user location. Kyasuk et al. [34] designs and shows a security model for location-based authentication. The proposed architecture takes advantage of a trusted third party, similar to PKI, to ensure authenticity of location information. They introduce and describe two protocols based on their model that ensures the accuracy, privacy and authenticity of location information used in the authentication process. In this study the authors focus more on creating general security model and security requirements for locationbased methods by performing an analysis of risks that may be expected. YounSun et al. [35] propose a locationaware access control mechanism (LAAC) based on a WLAN infrastructure of wireless access points and wireless mobile devices, such as PDAs and wireless laptops. Access is granted to a device located inside a region formed by overlapping coverage of multiple access points. Each access point periodically broadcasts a random nonce which is captured and used by the device to generate a location key. Devices outside the range of the access points wont be able to receive these random nonces and consequently wont be able to derive valid location IDs. In this way access is granted only within specific locations. Bao [5] proposes similar mechanism using wireless access points. His system is known as LENA (Location Enforced Network Access). LENA has two schemes, one known as LENA-SK (LENA using Security Keys) uses Diffie-Helman key exchange protocol to authenticate user location, authorize network access, and distribute a key for data encryption. The other scheme, LENA-PAP (LENA using Personal AP Protocol) uses mobility management protocol to ensure authenticity of location claims. These mechanisms are designed specifically for controlling access to wireless networks.

43

Zhang et al. [36] developed special-context role based access control scheme (SC-RBAC) by extending the traditional role based access control method (RBAC) with utilization of location information insecurity policy definitions. In his scheme traditional roles are combined with logical location domain information to form so called spatial role. These roles are dynamic, activated and deactivated automatically, depending on the location of the user. The authors managed to design formal access control model that can form a basis for securing locationaware applications. Ray et al. [37] extended RBAC to include location information and showed how it can be used in access control decisions. Location in access control decisions is important and traditional models such as DAC, MAC and RBAC cannot support this. They proposed formal model for locationbased access control suitable for commercial applications. They formalized the concept of location, so that it can be included in a model and they finally showed how it can be used to determine whether a subject can get access to an object or not. Ray and Kumar [8] also extended MAC model to incorporate location information of users suitable especially for military applications. They showed how location is related to all the other components of the model and how it affects them. Jansen and Kolarev [38] designed a locationbased authentication mechanism that involves policy beacons and mobile devices. These policy beacons broadcast and communicate location data to mobile devices using Bluetooth. Mobile devices determine their proximity to beacons and calculate their location relative to them. Based on this location certain functionalities in the mobile devices are enabled or disabled accordingly. Policy beacons establish a perimeter with a distinct organization policy. Devices within this perimeter inherit this policy. Their setup, however, focuses only on controlling the use of mobile devices, especially in an environment such as in an organization and it requires a significant costly infrastructure setup and synchronization of policy beacons. Takamizawa and Kaijiri [39] proposed and designed an authentication method using location information obtained from mobile telephones that is suitable in web-based education applications. A student who wants to login into the web-based application, in addition to using username and passwords, has also to provide her location through a mobile telephone in order to prove her authenticity. In their method, location from a mobile phone is determined using GPS. For that, mobile phone must be equipped with a GPS receiver and a clear view of the sky is needed for the process to work. QR codes are also used for web applications to prompt the mobile phone for the location. The user has to scan the code from the screen using her mobile phone and therefore a phone needs a camera. In addition, the authors did not pay attention to security threats and vulnerabilities for their locationbased authentication method and as such the mechanism may be susceptible to trivial attacks. For example, the location could be easily spoofed or modified. Ardagna et al. [40] analysed how location information can be used to strengthen access control mechanisms by adding features for defining and enforcing locationbased policies. They proposed design of a Locationbased Access Control (LBAC) architecture and provided an extension to the XACML policy language (introduced by the Open Geospatial Consortium OGC) for defining and describing geographic location coordinates. This extension is known as GEO XACML. They showed examples of how this can be used to express access control rules that can be used in a typical application. 44

3.7 Summary
This chapter has introduced the concept of location and how it relates to security requirements. It has highlighted the importance of location information in making some important security decision during the access of secure systems. What location is and how it is represented and modeled have been clearly defines and described. The chapter has also looked at location-based security models which can act as a theoretical foundation for location-based security systems. Some important privacy issues related to security and how they can be solved have been highlighted. Finally, a number of related existing locationbased security approaches have been described and discussed.

45

4 Location Positioning Technology

4.1 Introduction
Since the dawn of human civilization, people have been using all kinds of techniques in order to find out their locations and that of other objects relative to other reference points. The fundamental techniques and mathematics involved has largely remained the same throughout the years. Many thousands of years ago people from the jungles of Africa and the ancient Chinese used smoke signals to locate their homes when returning from hunting parties and other adventures. They also used these signals to communicate with one another, from tribe to tribe. This was a very effective and accurate means for locating but the problem was that it couldnt be used for long distances. The ancient explorers and navigators used mathematical calculations to determine their locations by measuring the angles of view of the sun and stars. In Europe and some parts of Asia, certain types of pigeons were bred and used by individuals and kingdoms for finding and locating their homes, locating and communicating between sections of armies during wars and conquests. Thousands of years later (between 1100 -1200 AD), the ancient Chinese invented the magnetic compass. The device consisted of a magnetized pointer that was free to accurately align itself with the Earths magnetic field. The pointer aligned itself to point to the earths poles and by using this, the early navigators were able determine their heading, in addition to their latitudes. In the 18th century, English clockmaker John Harrison invented the marine chronometer, a device for the solving the problem of determining the longitude of ships at sea. By accurately tracking the time change between their current location and their homes, the device allowed sailors to establish their longitudes. By the early 20th century, with the development of wireless radio communication, ships, aircraft and armies started to use radio signal strength measurements to estimate their location coordinates from very long distances. As years progressed, more and more systems were being put in place in order to ease the process of determining location coordinates and improving the accuracy of the results obtained. For example, in the 1960s the US government started to implement the Global Positioning System (GPS) initially for military purposes, but later also opened up for consumer use. Today, there exist a multitude of wireless techniques and technologies that can be used to locate a person or an object of interest. All these techniques differ in a variety of ways [41]. Some of the differences include: Coverage: the extent of the geographic area that is covered e.g. building, city, country or global Indoors/Outdoors: whether the technology works indoors or outdoors e.g. technology such GPS does not work properly indoors since its signals are blocked by buildings and walls Resolution: the smallest change in location that the sensor can detect e.g. in terms of centimeters, meters and so on 46

Accuracy: the degree to which the detected and reported location coordinates are close to the true values Interference: how easily the signals used to establish location can be interfered with e.g. by solid objects, other signals etc. Cost: how much it costs to implement a working system i.e. infrastructure, receivers, devices Sensing method: how location is determined i.e. by relying on a centralized technology or solely on the device itself

Wireless location technologies can be categorized into four major groups depending on the general wireless technology that is used to transmit signals which enable location determination: (1) Satellitebased (2) 3G-based (3) Wi-Fi based (4) Hybrid. We are going to describe each category in the coming sections.

4.2 Basic positioning techniques

Even though specific technologies used to implement the various positioning methods differ from one to another, the basic underlying algorithms and techniques remain largely the same. For instance, if a technique depends on proximity to a signaling device for positioning purposes, then it doesnt matter whether these signals are satellite, Bluetooth or 802.11 wireless signals. The general method for calculation will remain the same. The difference will come from the practical issues involved with each technology i.e. range, coverage etc. 4.2.1 Dead Reckoning Dead reckoning is a positioning technique in which ones current location is estimated based on a previously established location. With a known or estimated speed (acceleration), elapsed time, and moving direction, the previous location point can be advanced and extrapolated to sufficiently determine the current location.

Figure 7: Dead Reckoning

47

It is a method that was used by the early explorers such as Christopher Columbus and most other sailors of his era in navigation and discovering the new world. Today, it is a method that is widely used in modern inertial navigation systems (INS). The advantage with dead reckoning is that, the location of an object can be calculated without the help of any external infrastructure or reference. Everything needed to pinpoint the location of an object can be done by carefully measuring the positional properties of the object using devices possessed by it. For instance, ships equipped with INS consists of a number of devices such as gyroscopes, accelerometers and other motion sensing devices, all of which maintain measurement records that can be used to determine the location at any given point. Once the known initial location is fed, all the subsequent location positions can be estimated. This independence from external factors is cost-effective and very convenient especially in scenarios where reliable communication might be difficult to achieve. On the other hand, dead reckoning is not a very accurate technique and suffers from integration drift [113]. Since measurements of new locations depend on previous estimated locations, any errors from previous positions are compounded in new estimations. There is a slow accumulation of errors and with time the deviation from the true values becomes bigger and bigger. In addition, any uncertainties in the measurements of the velocity, direction or time only adds to the inaccuracy of the results 4.2.2 Proximity Sensing Proximity sensing is a positioning technique where the location of an entity is determined from the position of a nearby known stationary object. An object whose location is to be determined is able to sense the presence of a nearby stationary object or objects by receiving some kind of signals from them. With the known location coordinates and the signals that are detected, an object can then perform calculations to estimate its own position. These stationary points act as reference points to aid in location calculations. The more reference points available, the better the results obtained. In order to come up with a better location estimate, an object should receive signals from multiple stationary objects. It is important that the origin of each signal received can be determined (so that all nearby reference points can be identified). As such the signal uniqueness is an important characteristic for this this technique to work. Each signal should have a signature and be distinguishable from another. For example, in mobile telephone networks the location of a mobile device can be determined by monitoring signal signatures or cell IDs of nearby base stations. Each base station possesses a unique signal pattern, which it transmits in its broadcast signals and some synchronization channels. The mobile device first scans and identify the signature of different signals in the vicinity, then from this it generates a list of neighboring stations and finally from this information it can perform the analysis and calculate its position. The advantage of proximity sensing is that is doesnt suffer from multipath propagation errors which usually plague the other basic techniques. The signature that is detected and used for location estimation already takes this factor into account and in some ways is a result of this phenomenon. 48

4.2.3 Trilateration Trilateration is another basic positioning technique where the absolute or relative location of an object is determined in relation to the location of two or more reference points using distance measurements between the object and each of the reference points. It is a popular mathematical process that is used by GPS receivers to calculate the location of objects in two or three dimensional spaces. The basic principle of this technique is very simple. Lets say for starters there is a point A with a known location and that you discover that your distance from this point is 1km. With this information you can then deduce that your location might be anywhere in a circle of 1km from this point A. Lets say again there is another known location (point B) whose distance from where you are you discover to be 2km. With this additional information you can further narrow down your locations to two points where the circles surrounding points A and B intersect with one other. Finally, if there is another known third location (point C) whose distance is also known, then you can further reduce your location to precisely one point where the three circles intersect each other.

Figure 8: Trilateration

This is how the technique works in 2D. In 3D the principle is the same but instead of dealing with circles, one is dealing with spheres. The location of an object is located by the intersection point of three spheres. Other than GPS, trilateration is also used for instance in cell network to determine the position of mobile devices using signal strength analysis. Since distance is proportional to received signal strength, a device can calculate its distance from three or more base stations by measuring the received signal strength from these stations. With this data it can then its estimate its location. Another approach for calculating the distances can be done using the time of arrival (TOA) of signals. By measuring the times in which signals arrive from three or more stations, a device can again derive the three circles and estimate its location.

49

4.2.4 Multilateration Multilateration (hyperbolic lateration) is a technique of estimating the location of an object by accurately measuring the time difference of arrival (TDOA) of signals received from three or more transmitters. It is similar to the TOA estimation technique but without the need for clock synchronization between the object receiving the signals and the transmitters. When two or more transmitters emit signals, these signals will arrive at the receiver at different times due to the different distances between the transmitters and the receiver. Lets assume there are 3 points (A, B and C) with known locations that are transmitting signals. By measuring the difference in arrival times between the receiver and any two pairs of transmission points, an object can be placed in a parabola. With three points, three TDOA measurements can be made (A-B, A-C and B-C) resulting in three parabolas. From the intersection of the first two parabolas, the object can be positioned at any point on the resulting curve. With the intersection between the curve and the third parabola, the objects location can then be finally deduced to a single unique point in 2D space. This also works similarly in 3D but with hyperboloids instead of parabolas. In order to increase the accuracy of location estimation, multiple TDOA measurements are usually made and then averaged to a single stable value.

Figure 9: Multilateration

Since the technique depends on the difference in arrival times, absolute correct times at all involved points is not needed. No clock synchronization is needed between the transmitters and receiver. This is an advantage over the TOA method.

50

4.2.3 Triangulation Triangulation is a basic technique for positioning an object by measuring the angles of arrival (AOA) of signals between the object and fixed reference points with known locations at either ends of a fixed line away from the object. In contrast to the trilateration method which measures distances, triangulation depends on angular measurements. The basic concept of this method depends on trigonometric calculations. Signals from two fixed points will arrive at an objects location at different angles (lets say A and B). If the location of the two fixed points is known then the distance between them can also be deduced. These two points can then be combined with the objects point to form a triangle with two known angles and one known side. With this information the objects coordinates (location) can then be calculated.

Figure 10: Triangulation

This method is usually used in many fields such as astronomy, navigation and so on. In wireless systems when using the triangulation method, the angle of arrival (AOA) is usually determined by using multiple antennas set up at a base station. The problem with this however, is that antennas usually transmit signals over wide angles (up to 120o). This causes uncertainty and reduces the accuracy in the determination of AOA. In addition, signals are usually affected by reflections and refractions which lead to randomization of the signal direction once it reaches the receiving device.

4.3 Satellite-based Positioning

Satellite-based positioning systems use technology that depends on a system of satellites orbiting around the earth and providing autonomous geo-spatial positioning service to objects and people with a line of sight on the surface of the earth. These satellites cover the whole globe and transmit time signals to receivers, enabling them to calculate their coordinates to within an accuracy of a few meters. These systems include the Global Positioning system (GPS), Galileo, GLONASS and Assisted GPS which is an

51

extension to the GPS system. In the following sections we are briefly going to look into the details of these technologies. 4.3.1 GPS 4.3.1.1 Overview The Global Positioning System (GPS) is a constellation of satellites (a total number of 32 as of 2011 [114]) that orbit around the Earth and help to provide accurate location and time information services to receivers on Earth for different purposes. This system of satellites was developed by the Department of Defense (DoD) of US Government originally in order to assist the US and Allied military forces in accurate location estimations for navigational and other purposes. The project was started around 1973 and the first satellite was launched into orbit in 1978. From then on development continued with additional satellites being launched one after another. This process continued until 1994 when the system became fully operational with a total of 24 satellites. Initially it was only for military use but later in 1983 that changed and the system was opened for civilian and commercial use. Since then it has become very popular leading to an explosion of devices with GPS receivers and services based on location. As of today (2011) the number has increased to a total of 32 satellites. Not all of them may be operational at the same time but usually there are a minimum of 24 orbiting around the Earth at any given moment. 4.3.1.2. Structure The GPS is a system which involves a number of components which work and communicate together and in order to achieve its goal of determining location. These components are grouped in 3 categories (also called segments); space segment, control segment and user segment. Space Segment The space segment consist of a group of 32 time synchronized satellites (also known as space vehicles SV) orbiting around the Earth and transmitting signals to receivers on the ground. This group of satellites is situated at around 20,163 kilometers from the surface of the Earth, orbiting with a speed of about 3.87 km/s which results into 2 complete rotations each day for every satellite. The space containing the satellites has been divided into 6 orbital planes with a minimum of 4 satellites in each plane. This enables a number of 6 to 12 satellites to usually be visible in the sky at any given time which is very important since a minimum of 4 is needed by receivers in order to get a fairly accurate location reading. On board of every satellite there is an atomic clock which enables each to maintain a very accurate clock time. This is very important for location calculations as we are going to see in the next section. All of the operation of the satellites and their maintenance in this segment is taken care by the US Air Force. They have control and make sure that everything is fully functional. Control Segment This segment is also controlled and operated by the US Air Force. It consists of a Master Control Station MCS (with a backup) and a number of other control stations situated in different locations inside USA. 52

The purpose of these stations is to track and monitor the paths of the satellites orbiting the Earth and sending information updates to them. These updates help to make sure that the atomic clocks on all the satellites are synchronized to the same time value with very high accuracy (within nanoseconds of each other). In addition the updates help to adjust the ephemeris (section x.x.x) values on each satellite as a response to slight changes in orbital planes of each satellite due to the gravitational pull of the moon, Sun and other external forces. User Segment This is the segment that is open to everyone and consists of a variety of GPS receiver devices. These devices are usually made up of a CPU which executes the instructions (algorithm) to calculate location, an antenna which captures the signals transmitted from satellites, a reliable internal clock to maintain an accurate time reading and usually some kind of interface to connect with other components and provide the obtained location data. Receivers come in all shapes and sizes. They can be standalone devices usually with a screen to display location results or they can be embedded (in a form of chips) in other devices such as smartphones, watches etc. They also vary in their sensitivity and are usually categorized depending on how many satellites (the number of channels) they monitor at the same time.

Figure 11: A GPS device

4.3.1.3 How it works Fundamentally, GPS uses the basic positioning technique of trilateration in calculating the location coordinates of a receiver. To achieve this, a GPS receiver needs two crucial pieces of information: 1) the distance between itself and at least 4 satellites and 2) the precise position coordinates of those satellites. To calculate the distance a receiver uses the time (delay) it took for the signals to travel from a satellite to a receiver. Initially (lets say time to) a satellite will start to transmit a signal with a unique digital pattern. At the same time a receiver which is in built to be aware of this pattern, will start to generate the same pattern too. After a certain amount of time the signal generated by the satellite will reach the receiver. When the two patterns are eventually matched together, the pattern from the satellite signal will be behind the one in the receiver for a certain length. This length will be equivalent to the time it took the signal to travel between the two points. Since the speed of the signals (which are radio waves) is known and the time it took is also known, the distance travelled can be calculated. Assuming the signals travelled in a straight line this distance will then be the distance between the satellite and the receiver. This same process occurs for all 4 satellites signal that are normally used in the calculations. These calculations also 53

assume that the clocks on the satellite(s) and the receiver have been precisely synchronized to have the exact the time with very high accuracy. For the second piece of information, since each satellite was initially programmed with its location and the orbital path is known and predictable, every single one of them will be aware of their location at all times. Each satellite will send this information in the signal transmitted to the receiver. This information will be in two categories, one known as Almanac and the other Ephemeris. Almanac is the approximate range position that is used to guide and assist the receiver in searching for a satellite. This is stored and used again in future fixes. Ephemeris on the other hand is the precise position of the satellite at that time and is the value used in the location calculations. With the distance and position of all four satellites determined, the receiver then uses the trilateration technique to calculate its own position. The final result will be its longitude and latitude coordinates and in addition usually also its altitude. As an additional step to ensure the correctness and accuracy of the location result, GPS has to take into account and correct for the errors that may skew the results. For instance deliberate noise from the environment, various propagation delays caused by the ionosphere and troposphere and so on. We are going to look into what these errors are and what are the strategies used to counter them in a future section. Signals transmission GPS satellites transmit signals at two frequencies; 1.57542 GHz called the L1 signal and 1.2276 called the L2 signal. There are transmissions on 3 other frequencies L1, L2 and L3 but these are reserved for other special uses. For instance L3 is used for nuclear detonation detection by the United States Nuclear Detonation Detection System (USNDS) and L4 is used for studies that will assist for additional ionosphere correction. Each GPS satellite transmits its message data by encoding it with a unique high-rate pseudo random code which is recognized by receivers on Earth. There are two types of this code. One is known as the C/A code (coarse and acquisition code) and the other the P code (precise code). P code as the name suggests is precise and only used for military purposes. The code can also be encrypted so that it is used only by military equipment with the proper decryption key. It can also be encoded on both L1 and L2 signals. C/A code on the other hand is less precise and more complex than P code. It is one that is available for civilian use and it can only be encoded on L1 signals.

54

Figure below shows how a GPS signal is constructed by encoding the data onto the carrier signal.

Figure 12: GPS Signal Construction

Signal Message Format Each message broadcast by a GPS satellite is composed of 30-second frames, each frame containing 1500 bits of data. Furthermore a frame is divided into 5 parts (sub-frames) containing 300 bits of information (6 seconds) each. Finally each sub-frame is also divided into 10 words of 30 bits (0.6 seconds) in length. TLM Telemetry: This is the part that is sent at the beginning of each frame. It is made up of 30 bits of information and is used for data synchronization and for satellite maintenance. Its value for a particular satellite usually doesnt change for long periods of time HOW Handover word: This also is made up of 30 bits and comes next after TLM. It is used to indicate time at the beginning of a frame (using TOW time of week) Ephemeris: communicates the precise orbit location of a satellite. It is contained in each frame sent out by a satellite and usually it takes a receiver 30 seconds to acquire this value. Almanac: This value is spread out over frames of a message. It contains the status and coarse location (general range) information for all satellites. It may take a receiver about 13 minutes to get the whole Almanac thus it is usually cached once it has been obtained. In addition it also contains some information related to error correction.

4.3.1.4 Errors Even though location estimates obtained from GPS Technology are pretty accurate, there are still a number of different phenomena which can introduce errors in location calculations. These problems need to be taken into account in order to improve location results and prevent inaccurate information altogether. GPS signals do not travel in a constant speed when they are broadcast by the satellites. Different parts of the atmosphere slow the signals down as they pass through. This causes delay in time measurements which eventually introduces errors in distance calculations. This also depends on where you are on Earth. 55

For instance delay by the ionosphere can cause location errors of 5 15 meters (2.3 when you are at the Zenith) and the troposphere can cause errors of 20 28 meters. Signals from GPS satellites also bounce off large objects such as mountains and tall buildings. This problem is known as the Multipath problem. The result of this effect is that signals take much longer to reach the receivers. As a consequence satellites appear to farther than they really are. Another source of error is caused by incorrectness in clock readings. From time to time the atomic clocks on the satellites experience system noise and drift errors. The effects of this are usually very small (in centimeters) but they tend to build up after some time. However, the GPS signals usually contain some data which correct for these errors by estimating the accuracy of the clocks. In addition, the receivers may also suffer from clock errors. But since all the calculations will be based on the incorrect time setting of the clock all the distances deduced will be proportionally incorrect. As a result the trilateration process wont result in a single point of intersection. The receiver can fix this by adjusting the distances until a single point is obtained which will the correct location. In order to correct these errors and produce more accurate results, GPS technology uses a tactic known as Differential GPS (DGPS). The idea is to use stationary base stations with known locations to assist in location determination. Since these stations are situated in multiple places and they already know their location coordinates, they can calculate the errors and inaccuracies experienced at those different locations. Having obtained this error information, the stations can then transmit signals containing this data to all nearby receivers which support DGPS capability. With this information DPGS receivers can correct for random errors caused by all mentioned phenomena and consequently produce more accurate results than normal receivers which do not take this into account. 4.3.2 Assisted GPS (A-GPS) GPS technology works really well, only when receivers have a clear view of sky where they can capture satellite signals easily without any obstruction. This becomes a problem especially in large cities or forests where signals are blocked by tall buildings and trees. In addition it takes a lot of time (relatively at least) for receivers to obtain the location fix for the first time. The bandwidth of GPS satellites is very limited therefore it takes some time (12.5 minutes) for a GPS receiver to receive the whole almanac and ephemeris. This is where Assisted GPS comes in to help. Assisted GPS (A-GPS) is an improvement over normal GPS technology which helps to overcome these limitations. Basically it is a technique that enhances the performance and operation of GPS receivers with the help of additional servers (assistance servers). For example, additional servers in GSM networks can be deployed to assist GPS equipped cell phones in obtaining location fixes quickly. These servers can enhance GPS receivers in two major ways: 1) By providing computational (processing) assistance Mobile Station Assisted (MSA) and 2) By supplying essential signal data Mobile Station Based (MSB) 56

MSA: Since servers have greater hardware capabilities and a better understanding of the local environmental conditions and errors, they can assist GPS receivers by computing locations faster and with more accuracy on their behalf. After receiving satellite signals, a receiver sends this information to a server where the location is calculated and sent back to the receiver. In essence a receiver is offloading the computation burden to a much more capable entity. MSB: With this approach an assistance server is providing a receiver with additional information which helps it to acquire satellites transmissions quicker and more easily. This is especially useful in situations where receivers are blocked from view. This information includes (i) precise clock information which can be used as a time reference for receivers to correct their internal clocks, (ii) GPS satellite orbit information such as almanac, ephemeris, initial positions and time estimates which can help receivers lock to satellites quickly and (iii) information about the environmental conditions to build up a local model which can help to correct for ionospheric and tropospheric induced errors. An assistance server collects all this information and sends it to a receiver which then calculates its location much easier.

Figure 13: Assisted GPS

A-GPS offers the following advantages to the location determination process in GPS: Improvement in positioning time: a receiver which takes advantage of A-GPS assistance can obtain a location fix in a shorter amount of time than a standalone receiver. This is because the AGPS server provides additional essential information for location information which would otherwise take a receiver much longer to capture it all

57

Increase in positioning success rate: An A-GPS receiver achieves a much higher location request success rate since it depends on servers which have a much better view of the sky at all times. As such the success of location requests is not affected by obstructions from objects such as tall buildings or trees. Reduction of positioning error: Since A-GPS servers measure the effects of ionospheric and tropospheric delays plus other external factors; they can improve the accuracy of location fixes obtained by receivers. They perform the same functions as base stations in DGPS. Improvement in receiver battery consumption: By offloading some of the work (either location computation processing or satellite signal capturing) to an external server, A-GPS allows a receiver to use less power and conserve its battery. This is especially advantageous in multipurpose devices which are equipped with GPS chips such as mobile phones. Reduction in receiver cost: Because A-GPS receivers do not perform all the functions necessary to obtain a location fix; they can be made simple in terms of hardware and consequently become much cheaper. For example if computation is done on a server, a receiver may not necessarily need a CPU or much memory.

58

Table below shows a comparison between GPS and A-GPS

A-GPS
Usage: Stands for: Source of triangulation information: Speed: Mobile phones Assisted Global Positioning System Radio signals from satellites and assistance servers e.g. mobile network cell sites A-GPS devices determine location coordinates faster because they have better connectivity with cell sites than directly with satellites. Location determined via A-GPS are slightly less accurate than GPS

GPS
Cars, planes, ships/boats Global Positioning System Radio signals from GPS satellites

GPS devices may take several minutes to determine their location because it takes longer to establish connectivity with 4 satellites. GPS devices can determine location coordinates to within 1 meter accuracy GPS devices communicate directly with satellites for free. There is no cost of operation once the device is paid for.

Reliability:

Cost:

It costs money to use A-GPS devices on an ongoing basis because they use mobile network resources.

Table 3: Comparison between GPS and A-GPS

4.3.3 Galileo 4.3.3.1 Overview Galileo is another global positioning system made up of a collection of satellites that provide precise location services by transmitting signals to receivers situated on Earth and in air. It is the equivalent of GPS that is being built by the European Union (as a joint initiative of the European Space Agency & European Commission). The project which is still under way is expected to be completed and become fully operational in 2013. The main impetus behind building Galileo (another global positioning system) has been to have an independent system that is under civilian control and with guaranteed access to accurate positioning services. GPS is under the control of the US Government. Even though access has been opened up to 59

everyone, the US still has ultimate control. There is no guarantee of continuous access or quality of service. In addition the most precise signals of the system are limited to use only by the US military. Galileo will eliminate this dependency on GPS. It also promises to improve positioning accuracy to within one meter and to guarantee access under all but most extreme conditions. This will make it suitable for safety-critical scenarios where reliable access is needed and for applications where location accuracy is important such as the case presented in this thesis, location-based security. 4.3.3.2 How it works In terms of technology Galileo is very much similar to GPS. It uses the same principal of trilateration to calculate the location of objects on Earth. Satellites transmit signals containing PN codes as in GPS. These signals also contain positioning information such as Almanac and Ephemeris that is used to determine the location of receivers. The total number of satellites planned will also be roughly the same as GPS. Each satellite will be equipped with 4 atomic clocks providing high accuracy timing signals which will eventually lead to precise location measurements. In addition, Galileo will also use the same calibration and compensation techniques to correct for errors as in GPS. 4.3.3.3 Services One distinguishing factor between Galileo and GPS will be the concept of service levels. Despite its many advantages, GPS still suffers from reliability issues. Sometimes (e.g. in big cities, inside buildings etc) it is very difficult to get a good signal fix and accuracy can diminish to a great extent. Galileo will solve this problem by providing different levels of location services with different levels of guarantees and performance. Applications requiring high accuracy and high reliability for example search and rescue services will be provided with a higher level of service than application with less demanding requirements. Galileo will offer five main services [42]: Open access navigation: will be free to access by everyone; will provide simple positioning service with accuracy up to 1 meter. Commercial navigation: will provide guaranteed access to paying service providers; as a result signals will be encrypted; and will provide high accuracy at the centimeter scale. Safety of life navigation: will provide open access to services where guaranteed accuracy is paramount. To ensure accuracy integrity messages that warn for errors will be included. Public regulated navigation: will mainly be used by Government entities and will ensure availability even in times of crisis; signals will be encrypted to prevent access from other entities. Search and rescue: will be used to pick up distress signals and determine the location in case of emergencies; will also allow feedback messages to be returned to the source of the signals.

60

4.3.4 Others There are many other satellite-based global positioning systems that are operational or being developed: GLONASS by the Russians [115], COMPASS (aka Beidou-2) [116] by China and Indian Regional Navigational Satellite System (IRNSS). We are not going to into much of their details in this thesis but in principle they rely on the same mathematical and technological concepts as GPS and Galileo to provide accurate location services.

4.4 3G-based (Cellular Telephone Network) Positioning

4.4.1 Overview Mobile phone based positioning systems take advantage of various mobile network technologies to offer positioning services to users through their mobile phones. Due to the popularity of mobile technology and the rise in mobile phone usage, mobile networks are spreading to every corner of the globe. The result is an extensive network of stationary base stations that transit signals and communicate with mobile devices. This offers an opportunity to build a location positioning service on top of this network. All the basic positioning techniques that have been discussed can also be employed here. Cellular telephone network based positioning technologies can be divided into 4 major categories: Mobile based: In this approach, location is solely determined by the mobile device and then reported back through the network. The disadvantage is that location information cannot be verified with certainty. The mobile device is under the control of a user and thus can potentially be manipulated to report any value the user wants. In addition, this approach forces the increase in complexity of the mobile devices since all location calculations are pushed to the device side. Network based: Location is determined by the mobile network. Using one or more base stations, the network performs all the measurements necessary for location determination. These measurements are then usually sent to a location center where finally the location of the device is calculated. The device doesnt have to do anything. Mobile assisted: With this approach, a mobile device performs all measurements (from signals of incoming base stations) and sends the values to the network. The network then calculates the position of the device based on these measurements. The location remains in the network and is not stored on the device.

61

Network assisted: This is opposite to mobile assisted positioning. Here, the network provides the assisting measurements and the final location calculations are done on the mobile device. These measurements can either be provided in a pull-based or push-based manner.

In the next section we are going to look at some specific standard technologies that are used to provide positioning services in cellular networks. 4.4.2 Cell-ID Cell-ID is a standard positioning technique that is used to determine the location of mobile devices based on the base station to which they are associated [43]. It is a technique that is based on principle method of proximity sensing. In cellular networks, base stations (BS) usually broadcast information about themselves to the cells they serve. They broadcast their signature and identity; Cell IDs. For example, in GSM network this information is carried by the broadcast control channel (BCCH), in cdma2000 and IS-95 networks, the pilot + sync channels provide this information [44]. In the network, the mobile device will associate itself with the base station with the strongest broadcast signal. In most cases this will be the base station nearest to the device (There are cases of course where this is not so, as described by Trevisani and Vitaletti [44]). Since every BS is broadcasting information about the cell, the mobile device will be able to determine the cell in which it is contained (cell ID). Using this information plus the map of cell coverage of the network, the device can then estimate its own location. The disadvantage of this method is that it doesnt produce very accurate results. In research that was done by Trevisani [44], the accuracy observed was not very good and varied from location to location; 800m in New York and 500m in Italy. In general, the accuracy depended on cell coverage. In urban areas where cells tend to much smaller, the location estimates where more accurate than in rural areas where cells cover much larger areas. In addition, variations in radio signals would also affect accuracy as it would cause mobile devices to sometimes associate themselves with BSs that are farther than the nearest one. Improvements can be made by using extra information such as round trip time (in CDMA networks) or timing advancement (in TDMA networks). 4.4.3 U-TDOA Uplink Time Difference of Arrival (U-TDOA) is another standard cellular-based positioning technique that measures and uses the differences in signal arrival times from mobile devices, to calculate their positions. It is based on multilateration techniques. All the calculations to determine the location are done by the network rather than the mobile device. A mobile device will send out random access bursts to multiple base stations by performing asynchronous handovers. These signals will be detected by BSs or special Location measurement units (LMU) that have been deployed in a cellular network. By measuring the difference in signal TOA between two BSs or LMUs, a hyperbola containing the location of the 62

mobile device can then be constructed. Using the same principle with other pairs of BSs, additional hyperbolas can also be traced. Finally, as described in the multilateration section, the intersection of these hyperbolas will determine the location of the device. Since calculations are based on time differences, correct timing is very important for achieving accurate results. As a result this method works best in areas with few obstacles such as buildings (e.g. rural areas), which can interfere with cellular signals and cause random time delays. 4.4.4 E-OTD Enhanced Observed Time Difference (E-OTD) was one of the earliest standards for location determination in cellular networks. As the name suggests, this technique depends on TDOA measurements in order to determine the location of a mobile device. In principle it uses the methods as UTDOA except that it is not only the network that is involved and the mobile device also participates in implementing some of the functionalities. The mobile device will first make TDOA measurements from multiple BSs (usually up to 8) and then use trilateration techniques to estimate the location of the device. In addition to timing measurements, the device also makes additional location measurements to calculate the synchronization difference between clocks in different base stations in order to improve accuracy and precision of results. The use of this additional information is why the process is called enhanced. With this technique it is possible to achieve location accuracy of 50 - 400 meters. Accuracy suffers especially in rural areas where there are usually less BSs in the vicinity of a mobile device at any given location. In addition, due to the nature of calculations involved, the process can relatively take a long time (up to 5 minutes) to obtain the location. Also, software changes are usually needed in order to make a mobile device work in this system. 4.4.5 A-FLT Advance Forward Link Trilateration is another TDOA based positioning standard technique employed in cellular networks. It is similar to E-OTD except that it is used in IS-95 based cellular networks. It uses pilot signals from the associated base station and other nearby stations to compute intersecting TDOA hyperbolas and estimate the location of the mobile device. Its advantage over other TDOA based methods is that, IS-95 base stations are already time synchronized using GPS. As a result accurate results can be obtained without having to employ other extra measures. Research done by Nissani and Shperling [45] has shown that with A-FLT an accuracy of 48m can be obtained 67% of the time and 130m in 90% of the time. Due to these facts, this method is usually also used in combination with A-GPS. 4.4.6 Mobile Assisted GPS Many mobile phones/smartphones built nowadays contain GPS chipsets in their hardware. This allows them to act as receivers and take advantage of the high accurate positioning service offered by GPS. However, this in itself introduces many problems. For example, a clear view of the sky is needed in order to get a fix; the initial time to obtain to obtain a fix can be quite long and so on. The solution to this is AGPS. It has become one of the standard cellular based positioning techniques where the mobile network provides assisting information to mobile devices equipped with GPS receivers. A-GPS has already been described in section 4.3.2 and everything discussed (technology, advantages and disadvantages) also apply here in this context. 63

Location Technology Cell ID Cell ID+SS Cell ID+TA/RTT AOA TOA E-OTD

Category 300m20km 250m12km 200m11km 100m200m 50m-200m 50m-125m

Accuracy 300m20km 250m12km 200m11km 100m200m 50m-200m 50m-125m

Cost Low Moderate Moderate Moderate Low High

TTFF Fast Fast Fast Moderate Moderate Moderate

Coverage Moderate High High Good(Multi path issues) Good(Multi path issues) Good(Multi path issues) Good(Multi path issues) Good

Wireless Standard GSM GSM GSM GSM GSM GSM

Hand set Req. None None None None None Softw are Mod Softw are Mod None

Network Req. None Hardware Mod Software Mod HW and SW Mod HW and SW Mod Additional HW and SW (LMU) Additional HW and SW (LMU) Additional HW and SW (LMU) HW and SW Mod Minor Modificati ons Additional HW and SW Additional HW and SW

OTDOA

20m-200m

20m-200m

High

Moderate

WCDMA

UTDOA

<50m

<50m

High

Moderate

Multiple

EFLT/AFLT GPS

30m-350m 30m-80m

30m-350m 30m-80m

Moderate Low

Moderate Slow

Good(Multi path issues) Moderate (urban) High (rural/subur ban) Variable

CDMA All

A-GPS

5m-50m

5m-50m

Moderate

Moderate

CDMA

RF Fingerprinting

10m (indoor and outdoor

10m (indoor and outdoor

Moderate

Moderate

Good

Multiple

Softw are Mod Additi onal HW and SW Additi onal HW and SW None

Table 4: Comparison of 3G-based positioning methods

64

4.5 Wi-Fi based Positioning

4.5.1 Overview Wi-Fi based location positioning is a localization technology that utilises 802.11 wireless networks to provide location positioning services to wireless devices. It is a technology that has been gaining popularity in recent years due to the proliferation of Wi-Fi networks and its ability to work indoors. Nowadays especially in urban areas, Wi-Fi networks can be found everywhere in homes, schools, offices, public areas, restaurants, shopping malls and so on. These networks, consisting of wireless access points (AP), transmit signals which can be used to provide positioning services. Each access point periodically broadcasts beacons containing some information about the access point such as Basic Service Set Identification (BSSID), signal strength and others. Using this information, a database of wireless access point locations can be built and used as reference to later determine the location of Wi-Fi equipped device. The wide availability of Wi-Fi networks makes this approach viable for two main reasons; first, since the Wi-Fi infrastructure is already there, it is easy to setup and implement a location system since no extra effort is needed. In addition all sorts of Wi-Fi equipped receivers or devices containing Wi-Fi receivers also already exist. Secondly, due to the aforementioned reasons, it is also less expensive to roll out and implement this system. Many users already possess devices with these capabilities and do not have to incur any extra costs. 4.5.2 Wi-Fi based positioning systems A large number of Wi-Fi based location technologies have been developed since Wi-Fi networks started appearing regularly in homes. As mentioned one of the few reasons have been the ability to work indoors. Other positioning systems such as GPS suffer in these kinds of conditions [46]. One of the earliest approaches in Wi-Fi signal based positioning was known as RADAR [117]. It was developed in 1998-2000 by Microsoft to provide positioning service inside buildings. It works by measuring and processing signal strengths from Wi-Fi routers. In a particular location, it compares the observed signal strength (fingerprint) to the ones in the in a pre-recorded database and finds the location coordinates of the closest matching fingerprint. [47] In 2000, Ekahau [118] patented a technology that enabled to deploy an indoor location system over any existing Wi-Fi architecture. Known as Ekahau real time location system (RTLS), the system can work on generation of the 802.11 standard, offering up to room level accuracy. In 2003, Skyhook Wireless was one of the first commercial companies to rollout a positioning service that used Wi-Fi and not GPS [48]. With its XPS technology (previously WPS), it leverages millions of Wi-Fi access point information to accurately provide location service in dense urban areas and indoor environments. Skyhook builds a database of this information by deploying a fleet of drivers to survey streets and highways in tens of thousands of cities around the world, scanning for access points and recording their precise geographic coordinates with special equipment [51]. The system is able to provide locations with accuracy of about 10 meters. Since that time it has been offering the service to developers 65

and OEMs (Original Equipment Manufacturers) through its software development kit (SDK). In 2008, the system was integrated into Apple IOS devices to provide Wi-Fi based positioning services. In 2007, in order to improve its location based services, Google began building its own Wi-Fi location database using its StreetView Cars and Android phones. While driving around cities taking pictures for its StreetView service, Google was also collecting Wi-Fi information and building a location database in the same manner as Skyhook. This system was then integrated into the Android platform to provide location services to its Android smartphones. In addition, these smartphones were also leveraged to constantly update and improve the database. [52] Beginning in April 2010, Apple ceased using Skyhook and also began building up their own Wi-Fi based system for use on their devices (iPhones and iPods) [119]. 4.5.3 How it works Every access point in accordance to the 802.11 standard periodically transmits beacon frames to announce their presence to nearby Wi-Fi enabled devices. These frames contain unique information about an access point such as its BSSID, RSSI value, ESSID and transmission channel. This information is broadcast in an area with 100 meter radius around the access point. At any given point the set of these characteristic values observed from nearby access points will be unique. By mapping these values to location coordinates, one can then build a positioning service that translate observed Wi-Fi signal values to location estimates with an accuracy of 100m and less. The first step in building a wide area Wi-Fi based positioning system is to accumulating a large database of APs with their related information mapped to known locations. For example this database can store BSSID, GPS coordinates and RSSI values of a large number of APs. There are two main approaches that can be used to achieve this: War-driving (3rd party driven) and Crowd-sourcing (user-generated) . With the war-driving approach, a single entity (company) is responsible for building up the database. It can do this by employing people who move around (in vehicles, bicycles or on foot), scanning for Wi-Fi broadcasts and storing values together with location coordinates. A good example of a company using this approach is SkyHook. It employs a fleet of drivers that drive around cities with cars equipped with Wi-Fi and GPS gear, collecting this information. Google, in part of also uses this approach using its StreetView cars. This is a huge undertaking and it usually takes a lot of time and money to come up with a large database that has wide coverage. Also, the database tends to be static. Changes and errors take a lot of time to updated and corrected respectively.

66

Figure 14: Google Street view car

With the crowd-sourcing approach, a database is built by leveraging users of the system, feeding back the information through for example their mobile devices. A client installed on users devices (usually with user consent) collects information about GPS coordinates and AP signals observed at that point. This way with a large number of users, a database containing this information is slowly built as usage continues. It is more of a dynamic approach. The database is self-correcting. If changes or errors occur they can be detected and corrected quickly. Google, Apple and Navizon are examples of companies using this approach (Google actually uses a hybrid approach combining with the previous approach as already mentioned). For example, users of iPhones and Android smartphones with location services enabled [49][50], participate in building up the location databases for Apple and Google respectively. At different location point this information is anonymously collected and sent back and continue to improve the system. After a database has been created, different positioning methods can then be used to estimate location. These methods are based on the same basic positioning techniques that have already been discussed. They can be classified into the following types: Trilateration Three or more access points are used as points of references. The received signal strength indication (RSSI) or TDOA of signal transmissions to these APs is used to deduce the distances and eventually estimate the location of the Wi-Fi device. Examples: RADAR (MS Research) [117], AirLocation (Hitachi) [120] Triangulation Two or more APs are used as directional reference points. Location estimation is based on a triangle formed by the Wi-Fi equipped device and the two known APs, with two angles and one side known. Using its antenna the device measures the angles of Wi-Fi signals from the two APs and performs the calculations to determine location.

67

Proximity The position of the most powerful AP detected is considered to be the position of the Wi-Fi device. It is determined by measuring RSSIDs from all detected APs and choosing the one with the highest value. Since the transmission range of a typical Wi-Fi AP is 100m, a device could be located anywhere in a circle of 100m radius around the AP.

Scene Analysis Location is determined by comparing observed Wi-Fi characteristics with pre-recorded ones at a given location. First, Wi-Fi properties at different locations are recorded to build up what is known as a radio map. Later, during location determination, a Wi-Fi device at a particular location will measure the properties at that point and compare them to the map using Monte Carlo methods such as Bayesian and particle filter. Based on the comparison result, a device can then estimate its location.

4.6 Hybrid and Other Positioning Technologies

4.6.1 IP-Based This is another class of positioning techniques in which the location of entities (most commonly Internet nodes) is determined based on the IP addresses that have been assigned to them. Research [76] has shown that IP address assignments are relatively stable over a period of multiple days and that these addresses are usually cluttered in a small geographic area. There is a correlation between IP addresses of hosts and their geographic locations. As such IP addresses can be used to determine the location of Internet clients. There are many tools and third party services that use IP-based positioning techniques to provide location services [77][78]. They typically build large databases that map IP addresses to physical geographic locations. There are several specific IP-based techniques that can be used to construct such databases [79]: Including the location information of hosts in the Domain Name System (DNS) records. RFC 1876 [80] proposes this scheme where a new type of record Resource Record (RR) for DNS, which can store the location information of hosts is defined. Tools such as NetGeo [81] use this kind of technique to determine the location of hosts. Querying the WHOIS database in order to determine the location of the organization to which an IP address belongs to. Many tools such as IP2LL [82] take advantage of this information to estimate the location of hosts. Using traceroute to determine the network path and map this information to geographic locations. The output from the traceroute tool usually contains a list of routers with their DNS names showing the path from the source to the target IP address. This information can be used to

68

estimate and determine the location of the final host. Tools such VisualRoute [83], Neotrace [84], and GTrace [85] employ this kind of technique. Building a large table by exhaustively recording ranges of IP addresses and their corresponding geographic locations. Many location services such as EdgeScape [86] that use this approach have close relationships with ISPs throughout the Internet and use proprietary algorithms to build these types of tables.

Despite the existence of many positioning tools and services that depend on IP-based technologies, this type of approach still does not provide reliable and precise location estimates. Many of these services in most cases can only offer coarse grained positions up to the city level. In addition, the existence of proxies breaks generally interferes with this approach and leads to incorrect results and estimations.

4.7 Comparison of Positioning Techniques

As described in this chapter there are different categories of location positioning technologies that can be used to obtain the location of objects. These categories differ in many ways and aspects e.g. how accurate they are, their coverage local or global, if they can work everywhere - indoors and outdoors and so on. Each technology has its own advantages and disadvantages that may or may not be suitable in different scenarios.

69

Table below from [88] shows an overview of these technologies and how they compare to each other:
Accuracy Range Performance Wi-Fi 1 3m 30m GPS 5m Country Wide Indoor: Poor Urban: Can be problematic in some urban areas with tall buildings Suburban: Good Rural: Can be a problem in dense forest, jungle, deep valleys and canyons None 3G/2G 100m 5000m Country Wide Indoor: Poor but can be better than GPS Urban: Good Suburban: Good Rural: Depends on mobile coverage A-GPS 5m Country Wide Indoor: Poor Urban: Can be problematic in some urban areas with tall buildings Suburban: Good Rural: Can be a problem in dense forest, jungle, deep valleys and canyons None

Indoor: Fair Urban: Fair Suburban: Fair Rural: Poor

Wireless Organizational Hardware Type Central Location device/server required Location client device hardware Location fix speed Positioning Relative Cost Line of Sight requirement Location methods commonly used

Access Points

None

Yes

No

No

No

Tags/Phones/Laptops 10-15 Seconds Probalistic Low Not Required Single AP-Signal Strength, Biangulation, Triangulation, RF Fingerprinting, Angle of arrival (AOA), Time Difference on Arrival

Phones/GPS Devices >1 Minute Deterministic Low Required Triangulation, Angle of Arrival (AOA), Time Difference on Arrival

Phones <1 Minute Deterministic Low Not Required Triangulation, Angle of Arrival (AOA), Time Difference on Arrival

Phones <1 Minute Deterministic Low Required Triangulation, Angle of Arrival (AOA), Time Difference on Arrival (TDOA)

Table 5: Comparison of Location Positioning Techniques

4.8 Summary
This chapter has introduced and described in detail different location positioning techniques that exist and are used to locate people and objects. The basic fundamental principles of location positioning were examined. All different kinds of location positioning technologies depend on these fundamental principles. The chapter has broken down these technologies into four main categories; Satellite-based, 3G-based, Wi-Fi-based and Hybrid techniques. Each category has been examined in terms of how it works, its advantages and disadvantages and finally how they compare amongst one another.

70

5 Smartphone Technology
5.1 Introduction
5.1.1 Overview One of the capabilities of a typical smartphone is the ability to determine and provide accurate location coordinates of the device and consequently the user. This has been made possible by a number of location sensors and positioning technologies built on these devices. In this chapter, we are going to look in general at smartphone technologies to understand better the capabilities (hardware and software) and various aspects of the inbuilt location services. This way, we can find out what the technology has to offer and the potential of the platform for building a location-based security system on top of it. The term smartphone doesnt have an exact agreed upon standard definition. There is no clear set of characteristics that can be used to define what device can be classified as a smartphone and what device cant. A device considered to be a smartphone by one group of people may not qualify as such by another. However, in general it is agreed that a smartphone is something that can do more than a normal mobile phone. That is the reason for the term smart. It has more computational capabilities than mobile phones. It combines the functions of a mobile phone and that of personal digital assistant (PDA) enabling it to perform more advanced functions. A typical smartphone nowadays possesses a high resolution touchscreen display, digital camera and a full web browser to mention a few. 5.1.2 Emergence of smartphone technology The first device considered by many to be a smartphone, was called the Simon introduced by IBM in 1992. This device had an array of features such as a calendar, address book, calculator, email client and a couple of simple games. It had a touch screen display that could also be used with a stylus.

Figure 15: IBM Simon First smartphone

71

In 1996, Nokia launched the Nokia 9000 which was combination between a phone and a PDA. The device had a clamshell design with a high resolution display and a physical keyboard. It was a smartphone particularly aimed for business users. It was based on the GEOS V3.0 which was one the first operating systems to be used a mobile device. The Nokia 9000 was then followed by the 9210, 9300 and 9500. Between 1997 and 2000, Ericsson came out with two phones that were the first to be marketed as smartphones. The first named Penelope was a concept phone and only a few of them were actually sold. This was followed by the R380 which was the first to use the Symbian operating system. The R380 possessed both phone and PDA capabilities and had a touch screen that could be covered by physical keyboard for easy call making. Beginning in 2002, smartphone slowly started to gain popularity. An array of smartphones with all sorts of features started coming out; The Palm Treo, P800 from Sony Ericsson and the first Blackberry. Some of the features included the ability to play media (MP3) files, color touchscreens and wireless email access. The smartphone market really exploded and hit the main stream in 2007 with the launch of the Apple iPhone. Sporting its iOS operating system, the device came with the ability to install third party application through its App Store. This enabled the device to perform many advanced functions that were not possible to do on a phone before and made it more useful. It came with a large touch screen supporting multi-touch functionality and a variety of other hardware and software capabilities [121]. Since then the iPhone has been iterated in a yearly basis, each time with more features and improvements. In 2008, Google introduced the Android mobile operating system for smartphones [122]. This was another big change in the smartphone market. Android took a completely different approach from previous smartphone OSs and was developed as an open-source product. Anyone could download, modify and use it in any way they saw fit. The HTC Dream (T-Mobile G1) was the first smartphone to come out with Android. Since then thousands of devices have followed and the OS has been rapidly gaining popularity. Many more big companies such as Microsoft, Samsung, HTC, Nokia, Motorola and others have also come out with smartphones at different points in time. Innovation in the smartphone market is occurring at a very fast pace. With high competition among these companies, new and better smartphones are released almost every other week. These smartphones have faster processors, better hardware sensors and more software capabilities. They have access to high speed cellular connectivity for voice and data. One can now perform many functions with smartphones such as

72

making purchases, video streaming, banking, location tracking and much more. If history is an indication, then much more improvements should be expected in the near future. In the next few sections, we are going to look into some of the features of smartphones (particularly location related) that enable them to good choice for a location-based authentication and access control system.

5.2 Smartphone usage and popularity

The smartphone platform has been growing tremendously in recent years. More and more of these devices have been getting into peoples hands. Research studies by various groups show strong sales of smartphones and increase in usage particularly in developed countries. A smartphone based system thus has the potential to useful and effective to a lot of people. According to Gartner Research [53], in the second quarter of 2011 smartphone sales grew by 74% compared to the second quarter of 2010. These smartphones accouter for 25% of the total of 428.7 million devices that were sold in that quarter [54]. According to their analysts consumers are choosing and buying more smartphones at the expense of feature phones. A survey published in July 2011 by the Pew Internet Project [55] showed that in the US about 35% of adults own smartphones. Many of these users carry these devices with them everywhere and use them all the time for all sorts of functions such as email, internet access and others [56]. Similarly, many other research and studies show the same general trend. Nielsen [57] says as if July 2011, 40% of US mobile users own smartphones [60], IMS Research [58] predicts that the global smartphone sales will reach 420 million in 2011 (28% of all mobile devices) [61] and IDC [59] says smartphone sales will reach 472 million all over the world in the same year [62]. Even in developing countries smartphones are gaining traction and will soon become a dominant platform. For example, in Kenya the Huawei IDEOS smartphone became the top selling phone after it was introduced. The smartphone has all the typical features including GPS location capabilities [63].

5.3 Smartphone hardware

5.3.1 Smartphone classes Smartphones can generally be divided into two categories based on the processor they possess: Low-end (standard device): has a single core processor with speeds between 500-719 MHz. These are usually very cheap and basic with low to medium performance. 73

 High-end (performance device): has single or dual core processor with speeds above 720 MHz. These are more powerful and expensive with all sorts of additional features. 5.3.2 Hardware components A standard modern smartphone nowadays has a lot of hardware components and features incorporated in a small package. There are a huge number of hardware options that is also constantly changing. We are going to highlight only a few important features that can be found in a typical device. CPU/Processor Processors in most of the modern smartphones are based on the ARM architecture due to its simplicity and low power consumption. The architecture is licensable and is used by many different chip manufacturers. Another category of smartphones are based on x86 design architecture. These are usually almost exclusively produced by Intel. Graphics Processor High-end smartphones usually also possess a separate graphics processor to support multimedia applications and other graphical intensive applications that may be performed on the phone. Two main chips are usually used; PowerVR SGX or Broadcom Adreno. Memory A smartphone usually possesses different types of memory. First, there is RAM. Similar to computer, this acts a temporary storage and enables the phone to perform multi-task functions. Then there is more permanent storage known as flash storage. This is used to permanently store the mobile OS, applications and data. It can either be inbuilt with the phone (flash storage) or removable media such as MicroSD or MiniSD memory cards. Smartphones can be divided into different classes depending on memory type and size:
Basic Device 128 MB Less than 8 GB Up to 32 GB Standard Device 256 MB 8 GB to 16 GB 32 GB Performance Device 512 MB 16 GB to 32 GB Up to 64 GB

RAM Inbuilt Storage Removable Storage

Table 6: Smartphone classes

Screen There are different types of smartphone screen technology, size, resolution and pixel density. Table below highlights the different available options:

74

Screen Technology

Screen Size Resolution Pixel Density

Basic Screen TFT TCD (Transflective Thin Film Transistor Liquid Crystal Display) Less than 3 inches 480 x 320 pixels Less than 200 pixels/inch

Standard Screen IPS LCD (In-Plane Switching Liquid Crystal Display) 3 3.5 inches 800 x 480 pixels 200 250 pixels/inch

Performance Screen Super AMOLED (Super Active-Matrix Organic Emitting Diode) Bigger than 3.5 inches 960 x 640 pixels or more More than 250 pixels/inch

Table 7: Smartphone Screen Types

Battery Most smartphones are equipped with rechargeable lithium-ion batteries. There is a constant need for more capacity from these batteries to satisfy the ever increasing number of sensors in a smartphone e.g. GPS, Wi-Fi, 4G etc. Low-end smartphones: have around 1400mAH lithium-ion batteries providing up to 146 hours of standby High-end smartphones: have 1500mAH or more lithium-ion batteries providing up to 500 hours of standby Digital Camera A camera is also becoming a standard in smartphones nowadays. It comes with features such as autofocus, LED flash and the ability to also shoot videos. The range of resolution is usually from 1.5 megapixels up to 8 megapixels in the high-end devices. Input Devices There are two major ways of interacting with a smartphone: 1) using touch (or stylus) through a touch screen display and 2) using a physical QWERTY style keyboard or trackball. In addition, more recently some smartphones come with the ability to be controlled using voice commands. Wireless Chips and Sensors A smartphone possesses a variety of built-in chips for different wireless technologies and hardware sensors that can detect different characteristics of the physical environment. Some of these components include: Bluetooth: most smartphones have built-in Bluetooth chips that enable wireless transfer of data between devices at relatively short distances. Additionally, Bluetooth can be used to transfer data between a smartphone and other accessories such as headsets, speakers or with other digital devices such as a PC. Currently, there are two major version of the Bluetooth protocol used in most smartphones. Bluetooth 2.1 and Bluetooth 3.0. The major differences between these versions are in range and data speeds. Bluetooth 2.1 works on a very short range and supports low data transmissions while Bluetooth 3.0 works across a much larger distance and supports much faster data speeds (up to 24mbps through a 801.11 link). 75

 Wi-Fi: Wi-Fi chips enable smartphones to connect to 802.11 networks and perform different tasks such as surfing, download applications and data, send email and others. In addition, more recently this ability has been used to provide positioning services in situations where GPS is not available or cant be used optimally. There is support for different versions of the 802.11 protocol (a/b/g/n), each differing in range and speed. Wireless broadband: Wireless broadband chips enable smartphones to perform their main purpose; connecting to a mobile network in order to make calls and send SMS. There are different generation of mobile network technologies that are supported; 3G, 3.5G (HSPA+) and more recently 4G (LTE and WiMax). With each new generation, faster data speeds are being provided. These wireless technologies can also be leveraged to provide coarse location services whenever other mechanisms fail to deliver. For instance, via Cell-ID databases. GPS/A-GPS: Almost every smartphone comes with a built-in GPS receiver. This allows smartphones to get access to reliable and accurate positioning service. However, due to the performance and power constraints of these devices, the usual practice is to support the A-GPS (Assisted GPS) system. This system allows smartphones to receive assistance from positioning servers (usually in the network) by offloading some of the location processing to them and save precious device resources. 3-Axis Accelerometer: Accelerometers help to track the position of a smartphone. Usually they are used to change views between landscape and portrait depending on how the device is being held. Generally, they are also used to detect motion in many other applications. For instance, in racing games it can be used to steer by tilting the device side to side. This capability has even been exploited for improving location services as demonstrated in the research done by Bolliger et al [123]. Gyroscope: This is another sensor increasingly included in smartphones that enables more accurate and precise detection of movement in 3D space. Currently, its popular use is for facilitating more precise gaming controls. Digital Compass: Built-in digital compasses provide heading and orientation relative to the surface of the earth. They have become quite useful in smartphones for Location based services such as mapping services. Proximity Sensor: Proximity Sensors can detect the presence of nearby objects without the need of physical contact. In smartphones they are used to detect the head of a user and turn off the screen when the user places the phone on the ear in order to make a call. NFC: Currently only a few smartphones possess built-in NFC chips. In the future this may change as the technology is included more and more in new smartphones. NFC (Near field communication) is another wireless technology that enables wireless exchanges between devices in very close proximity to each other (usually not more than a few centimeters from each other) One of its main use up to now has been to exchange payment information during financial transactions e.g. Google Wallet. However,

76

in the future the technology could potentially be used in more applications. For instance, ticketing, ID cards etc. With all these sensors and chips, a smartphone becomes a powerful device to capture all sorts of contextual information that can play an important role in security protocols and decisions.

Figure 16: Smartphone Components

5.4 Smartphone software platforms

Smartphones come with full-fledged mobile operating systems that provide a platform on which third party applications can be installed. Through application programming interfaces (API), these mobile operating systems provide services that allow third party applications to take advantage of the different hardware capabilities to provide useful functionality. There are a number of different smartphone operating systems available for a wide range of devices. We are going to briefly look at the major ones, describing their main features and some of their advantages and disadvantages: 5.4.1 iOS This is the mobile/smartphone operating system for the popular iPhone (plus iPod and iPad). As of August of 2011 the latest version is 4.3.5 (with version 5 in beta and coming soon). Initially when iOS came out with the first iPhone, it didnt provide the ability to install third party applications. This changed with the 2nd generation iPhone launch, where third party applications (called iPhone apps) could be 77

installed through a market the App Store. Since then more than 425,000 applications and games have been developed for the platform. The iOS platform is a closed system. Only applications that have been approved by Apple and submitted to the App Store can be installed on the iPhone (unless the phone is jail broken). iOS is one of the more mature platforms built on the XNU kernel similar to the one used in Mac OS X. Applications are built using the Objective-C language. It provides a rich set of APIs for building applications that can perform different functionality. This includes features such as: Cocoa Touch which provides support for multi-touch events, accelerometer detection, camera features etc. Multimedia support through packages such as OpenAL, OpenGL ES, Quartz, Core Animation etc. Core services such as networking (through BSD sockets), database (through Embedded SQLite), Core Location, Threading etc. Core Location in particular, is a framework that provides the ability to detect the devices location using a combination of cellular tower triangulation, Wi-Fi and GPS. One of the advantages of iOS is that it is a mature and robust platform. It has a proven track record with hundreds of thousands of applications already developed for it. One can expect to get good performance and features from applications developed and running on the platform. On the other hand however, one of the disadvantages is the restrictiveness of the platform. It is not very easy to get an application on peoples devices. Before this can happen the application has to go through a lengthy evaluation process by Apple where it might even get rejected. 5.4.2 Android Android is an open source mobile/smartphone operating system developed by Google. The current version as of September 2011 is 2.3 aka Gingerbread (There is also version 3.0 aka Honeycomb specifically for Tablets). Android is a completely free system and as such it can be used and customized by anyone. Many big smartphone manufacturers such as Samsung, HTC and Motorola have adopted and used it in a wide range of their devices. As a result it has been one of the fastest growing mobile platforms with 850,000 activations per day [124]. The Android platform is based on the open Linux kernel. On top of the kernel it consists of stack of software components which include native libraries (written in C/C++), the Android Runtime, application framework and a number of core applications running on top of the framework. The Android runtime consists of core java libraries and a special Java virtual machine known as Dalvik. Applications in Android are developed in Java and compiled to run on Dalvik which is optimized for use in mobile

78

devices. The platform also provides a rich set of API features which allow applications to take full advantage of smartphone capabilities. These include: Connectivity through various wireless technologies such as GSM, EDGE, CDMA, UMTS, Bluetooth, Wi-Fi, WiMax , NFC and LTE An open application framework allowing easy reuse and replacement of components Web browser based on the open source WebKit engine Support for a large portion of the Java Library Storage through the SQLite database Multitasking support Camera, GPS, compass, and accelerometer support and much more One of the unique advantages of Android is its openness and its design which allows all applications to have an equal footing in the system. The platform does not distinguish between the core applications in the phone and third party applications. All have the same access to the smartphone resources and core applications can easily be replaced. For instance, the SMS messaging app that comes with a phone can be completely replaced by another developed by an independent developer. This customizability allows powerful and innovative applications to be built on top of the platform. Other advantages include cost which is free thus allowing easy entry into the platform, the use of Java - which is a well-known language that is already established with strong support therefore reducing the learning curve and finally another advantage is its support for all kinds of hardware platforms and devices. One of the main disadvantages of Android however, is fragmentation. There are different versions of the software that exist in the wide range of devices available. While some devices have the newest version of the platform, some still possess or come out with old versions. This increases the complexity of developing for the platform since some features may not work on all versions. In order to support all devices a developer has to deal with a lot of issues and constraints. 5.4.3 Windows Phone 7 This is one of the other major mobile operating system. It is developed by Microsoft and replaced its predecessor platform which was known as Windows mobile. It is a cross between iOS and Android in terms of its openness. Even though the platform is developed and controlled by Microsoft, other device manufacturers can obtain a license to use it in their devices. The platform is still relatively new (it was released in October 2010) but it is slowly gaining traction especially after the partnership agreement between Microsoft and Nokia [125]. Similar to previous described mobile platforms, Windows Phone 7 also provides an extensive list of features and APIs that allow access to a variety of smartphone resources. Some of these features include a new user interface design with unique features known as Metro; runtime frameworks Silverlight and XNA for rapid development of safe and secure applications, access to a variety of sensors - multi-touch

79

input, accelerometer, compass, gyroscope, and microphone; Isolated data storage per application; access to devices location or location related events and so on [126]. Windows Phone 7 platform benefits from its string integration with the Microsoft ecosystem. Applications are developed in C# using Visual Studio Tools which many developers are already familiar with. The platform is also easily linked with back end systems from Microsoft such as Exchange, making it viable option in enterprise environments. On the other hand Windows Phone 7 suffers from a number of disadvantages. One is its immaturity. The OS is still very new compared to others and lacks some important features. Improvements are continuously implemented but it still needs time to catch up in terms of number of applications and market share. Another problem similar to iOS is the lack of openness. The platform is totally controlled by Microsoft. Every application has to be approved and no customization or changes can be done on the platform except by Microsoft themselves 5.4.4 Symbian Symbian is a mobile operating system that was developed and maintained by Nokia until April 2011 when it was released under a new proprietary shared source license model. Currently the operating system is maintained by Accenture [127]. It is used mostly in Nokia and Sony Ericsson smartphones. It also allows the installation of third party application. Thousands of application can be found through various markets. The OS however is focused more on phone functionality such as texting, dialing, voice control and so on rather than on other features typical in smartphones. After Nokias abandonment, the number of device with Symbian has diminished and the platform has been declining with many developers planning to shift to other platforms. 5.4.5 BlackBerry OS This is another proprietary mobile operating system developed by Research in Motion (RIM). It is developed and specifically used by RIMs popular line of smartphones BlackBerry. As of August 2011 the current version is BlackBerry OS 7.0. The BlackBerry platform is known for having great support and features for corporate email. It can support up to 10 private and corporate email accounts with instant push messaging feature. There is also support for third party applications through the BlackBerry App World. The OS is menu driven and input is largely controlled with a track pad or trackball. A few devices also allow touch input. The software features a robust browser, map applications and a wide range of media capabilities. The API largely allows access to most features with a few needing digital signatures before they can be accessed. Even though the platform still has a substantial market share especially in the enterprise, the overall percentage has been decreasing rapidly each year. Other platforms have surpassed it in features and popularity.

80

Figure 17: Smartphone OSs market share Jan 2012 [87]

5.5 Location in smartphones

According to a number of studies done by various Internet groups such as the Pew Internet and American Life Project [64][65], location related services has been one of the popular and major use of smartphones. There has been a sharp rise in the number of location-based applications (i.e. Fandango, Foursquare, Yelp etc.) providing all sorts of services from helping people finding nearby points of interests to connecting people in interesting ways through social networks. This among other reasons can partly be attributed to the improvements in reliability and accuracy of location technologies included in smartphones. In the next subsection(s) we are going to look at some of these location technologies available and their potential in providing are reliable service. 5.5.1 Skyhook Location Service Skyhook is a commercial service that provides location services to individual developers and companies. It provides the location services in two major ways: (i) through a software development kit (the Core Engine SDK) that can be separately downloaded onto a device or (ii) by device manufacturers including the SDK in their operating systems. Skyhooks technology as previously discussed in section 4.5.2 obtains its location through a combination of cell tower information, Wi-Fi signals and GPS. The SDK is available for a wide range of platforms both for the desktop and mobile environments. Once installed, the Core Engine SDK collects raw data 81

from each location source and sends this information in the background to special location servers which return a single location estimate [51]. The SDK exposes this information through a location API that can be queried to obtain all sorts of location related information. The following location information can be obtained through the Core Engine API: longitude coordinates, latitude coordinates, altitude above sea level, location timestamp, bearing, physical street address, speed, number of cell-towers used in positioning, number of access points used in positioning and the calculated error estimate of the location results. 5.5.2 Navizon Location Service Navizon is another commercial service launched in 2005 that provides a location API in smartphones using its downloadable SDK. It supports smartphone platforms such as Android, BlackBerry, Symbian, iPhone (jailbroken devices only) and in past years the now defunct Windows mobile platform. In addition to the basic positioning service, the API also provides some additional location-related features such as Geofencing creating a virtual fence around a particular location, MobirFindr the ability to detect the location of a device using SMS and much more. Similarly to Skyhook, Navizon location technology also works by using a combination Cell-ID, Wi-Fi and GPS signals in order to provide location in all kinds of settings, indoors and outdoors. It uses a collaborative approach (crowd-sourcing) to build its location database. More than 900,000 users worldwide with GPS devices containing Navizon, participate in building and improving the location database by detecting new Wi-Fi access points and Cell Towers and sending this information back to Navizon servers. More user participation is usually incentivized by using a system of rewards and competitions. As a result its coverage s increasing continuously throughout the world as more users collect and upload the information [66]. Navizon provides two versions of its API: (1) GPS Only API and (2) GPS Optional API. GPS Only API as the name suggests uses GPS to provide location and can be used with GPS-equipped devices only. This option is free of charge. On the other hand GPS Optional API in addition to GPS can also be used with Wi-Fi and cellular-enabled devices to provide location in situation where GPS might fail. This option comes with a little bit of cost per device. The API in general provides the standard set of location information: latitude, longitude, location accuracy and time of location fix. As mentioned above the API also provides three additional features: local search, buddy tracker and geo-tags [67]. 5.5.3 Android Location API Android, one of the major smartphone platforms, also provides APIs for location services. The Android Location API is a framework that provides location positioning services to applications built for the Android smartphone platform. It basically enables android applications to determine the location and bearing of a mobile device and to register for location updates. The service is free to use by any application installed on an Android smartphone device. 82

The Android Location API technology relies on the hybrid approach of combining cell tower, Wi-Fi and GPS signal information to estimate the position of a smartphone device. In 2008, using its StreetView cars, Google started to build its database of Wi-Fi access points and mobile cell towers locations that can be used to provide positioning services to Wi-Fi enabled devices and to supplement the GPS system in situations that might not be optimal. In addition, Google also uses the crowd sourcing approach through its Android users with GPS smartphones to continuously build and improve the accuracy of its locaton database. Android location framework provides its services mainly through a collection of classes found in the android.location package. Through the LocationManager API which is the central component in the package, applications can obtain located-related information of the underlying device. This information includes [68][69]: Location coordinates - Latitide and Longitude of a device Device bearing the direction of travel in degrees East of True North Accuracy of location obtained (in meters) Location altitude distance of device above sea level Device Speed if device is moving (in meters/sec) Location provider the underlying technology sourcethat was used to estimates the location result Time the time of location fix Approximate distances between locations Geofencing alerts when the device enters a certain location Geocoding transforming between geo-coordinates (latitude and longitude) and physical addresses

In addition to the location API that provides basic positioning services, Android also provides other location-related services and APIs such as Google Maps (mapping capabilities) and Google Latitude (location checking, tracking etc.) that facilitate building of rich-feature applications on top of the location service. 5.5.4 Apple Location API Apple also provides its own location services through APIs on its various devices running the iOS platform - iPods, iPhones and iPads. Different applications can thus be built and installed on these devices and through the API utilize the underlying hardware to determine the location coordinates of a particular device. The underlying location technology as all other previously described APIs and services also depends on a combination of cellular, Wi-Fi and GPS information. In fact prior to April 2010, the Apple location API depended on Skyhooks positioning technology. Since then, Apple has started building their own Wi-Fi and cellular database with the help of millions of users possessing iOS devices. Depending on the hardware capabilities of the device, different sources for location estimates can be used. For example, on iPhones since they possess GPS chips, location is usually obtained using GPS technology. On the other hand on iPods and iPads, Wi-Fi and cellular signals provide the source for location estimates. 83

The Apple location API (through the core location framework) provides free access to the following location-related pieces of information and capabilities [70]: Standard geographic coordinates latitude and longitude Magnetic heading the heading relative to magnetic North (in degrees) True heading the heading relative to true North Heading accuracy - The maximum deviation between the estimated heading and the true geomagnetic heading Altitude Speed Vertical and Horizontal accuracy the accuracy of altitude and location respectively Location timestamp Distance measurements between two points

5.6 Smartphone location accuracy

The accuracy and reliability of location estimates obtained from smartphones, is an important factor to consider when designing a location-based security system based on smartphones. Since in such a system location is the central piece of information on which security decisions are based, the location sensing technologies built into smartphones should be able to produce estimates that are as accurate and consistent as possible for the purposes of the security system. If the proper level of accuracy and reliability cannot be achieved then whole system would fail or be useless. For instance, if a smartphone wrongly reports location X instead of location Y (which is the actual location), then any security privileges restricted to location X would be granted even though that is not the true location of the user. Problems may also arise if the precision of the location results is not good enough. If the technology is not able to distinguish between two nearby locations A and B that belong to two different protection domains, then security privileges of one will be confused with the other. For example, if the location granularity (precision) is limited to cities and location security is applied in terms of buildings, then two adjacent buildings locations would be indistinguishable in the security context. As described in previous sections, smartphone technology especially in the location area has progressed tremendously in the last few years. GPS/A-GPS is now a common feature in most smartphones. Many different companies are building large worldwide Wi-Fi and Cell ID databases. A variety of techniques are also continuously invented and used to improve location estimates. The result is that, it is now possible to obtain an accurate and reliable location coordinates using a smartphone. This fact is evidenced by two main factors. One is the explosion in location-based smartphone applications. Applications such as Foursquare, Gowalla, Google Maps and Latitude, Yelp and others have been made possible due to the improvement of location technologies in smartphones. For example, with Foursquare which is a social networking application that uses location information and allows users to report this to their friends, it is now possible for users to check-in into different locations/venues and earn points. This type of 84

functionality is possible and works because location values reported by smartphones are becoming more accurate and reliable. The second factor is the result from various studies that have been performed to measure the accuracy of location data in smartphones. Von Watzdorf and Michahelles [71] analyzed location information from smartphones in order to find out how accurate the data was. Their study was based on data set consisting of 2289 locations collected from a marketed iPhone application (installed on iPhone, iPod and iPad) collected over a period between April 2011 and August 2011. The results showed that with a combination of Cell-ID, Wi-Fi and GPS, precise location estimates below 100m could be achieved in about 75% of the cases. Due to the additional use of Cell-ID, wider coverage could also be achieved but with less accuracy. Other studies and measurements from vendors and manufacturers provide similar results. Table below shows the accuracy and reliability levels obtained from technology contained in a mobile device [71]

Platform iPhone 3G iPhone 3GS iPod Touch 2G iPod Touch 3G iPad

Overall Locates 492 1406 167 127 97

Failed Locates 122 331 98 53 30

Successful Locates 370 1075 69 74 67

Coverage (Share of Successful Locates) 75.20% 76.46% 41.32% 58.27% 69.07%

Average Accuracy per Location 655 582 108 174 129

Employed Location Technology WLAN, GPS, Cell-ID WLAN, GPS, Cell-ID WLAN WLAN WLAN

Table 8: Location coverage, average accuracy, and technology for different smartphone devices [71]

Figure 18: Average location accuracy from 100 meters to 3 kilometers [71]

In conclusion, smartphone location technology has a reached a stage where it can satisfactory be used to implement a location based security system. High accuracy and reliability with wide coverage is possible. With the availability of inbuilt GPS chips, location in most conditions can be calculated with high 85

accuracy and precision to within meters. It is possible to detect if a user is in or near one building and not the other. With Wi-Fi technology, location can be accurately obtained even in indoors settings. It is possible to reliably determine if a person is in one room and not the other. Additionally, Cell-ID technology can provide a backup solution with wide coverage in worst case scenarios where other technology is not available.

5.7 Summary
This chapter has provided an overview of existing smartphone technologies; the hardware and software capabilities. It has shown the rise in popularity and usage of smartphones. Different types of smartphone platforms and the features they possess have been described. The chapter has also examined various location positioning services that have been built on top of these smartphone platforms. It has described what kinds of technologies they use and what kind of location information they can. Lastly, the chapter has discussed about the accuracy of location obtained from smartphones and if it is feasible to use it for positioning purposes.

86

6 LBAAS Design and Implementation

6.1 Introduction
In this chapter we are going to introduce our proposed solution for the problem that has outlined. We are going to define what our system is, describe its design and components, outline the security protocols and communication between the different components and finally present the prototype that has been implemented to demonstrate the system.

6.2 LBAAS What is it? Why smartphone? Why Android?

In order to tackle the common problem of authentication and access control especially in this Internet age, we suggest the introduction of location factor using smartphones as an additional authentication factor. We propose our system known as Location-based Authentication and Access Control mechanism using Smartphones LBAAS. With this system authentication and access control decisions can be made taking into account the location of the requesting entities. This information provides an extra measure to account for (an additional protection layer) on top of other commonly used authentication factors such as username/passwords and tokens. The result is a mechanism that is an enhanced authentication and access control system compared to most existing mechanisms used on the Internet. The use of smartphones as location generating clients gives us the following advantages; No specialized extra infrastructure is needed to be setup in order to implement the system. There is already a widely established mobile wireless infrastructure that smartphones use. There is no need of having specialized devices that can provide location coordinates of users. Smartphones already possess a variety of technologies that can be used for this purpose. In addition it is more convenient for users to use a single device that they may already own. Smartphones already have stable platforms on which secure applications and services can easily be built on. Smartphones can now generate location results that can be accurate up to within a few meters [71] in all kinds of situations and scenarios compared to other devices which may work only in limited situations e.g. indoors vs. outdoors.

For the prototype implementation we have chosen Android as our reference platform. The concepts and design of the system can be implemented and should work similarly in other platforms. However, we have decided to use Android for a few reasons including the following;

87

It is an open-source platform. This allows for easy modification and greater control of all the features and functions. If extra features that are lacking are needed it easy to extend the platform to provide them. It is one of the leading smartphone platforms in terms of numbers [128]. There are millions of Android devices and each day more and more activated [124] by users. It is free and easy to develop and deploy applications on the Android platform without any restrictions or complicated approval. It uses Java as a development language which is mature, well supported and cross-platform.

6.3 System Design

6.3.1 Architecture and components Our proposed solution comprises six components, which are combination of various Servers and related applications: Location-based ID (LBID) Server stores location information and provides registration and verification services handling reliable user identification and location data; Certificate Authority (CA) Server provides certification of all system participants, issues their certificates, manages and distributes certificates; Authentication Server provides accurate location-based authentication service for all participants; Authorization Server stores and manages authorization policies and enforces location-based authorization service for all system participants, based on those policies; Service Provider (SP) Server provides various mobile services, whose use is based on locationbased policies; and Location-based Client (LBC) Application an application running on users mobile device, capable to collect location information from trusted Location Providers (LP) and providing user interface to register, store and verify location data.

The architecture and components are shown in Figure below. System setup is performed by system administrators, establishing location-based authorization policies and certifying all system components. Initiation of the system is performed by merchants who register their locations. The system is then used by users that use LBC interacting with LBID Server and Authorization Server. After valid and successful registration of their current location, user submit access request to Authentication Server, which interacts with LBID Server and Authorization Server to evaluate the request based on the information registered in LBID Server and on authorization policies registered and stored in the Authorization Server. The result is sent to the targeted SP Server, which decides accordingly to either allow or deny access request.

88

One of the most important concerns of location-based services is security and privacy of the location information. In order to protect location information, we use cryptographic techniques, based on Public Key Infrastructure (PKI) and certificate mechanisms. The details of certification issuance and distribution in a mobile environment (mPKI) are not described in this paper. It is assumed that every entity has already received certificate from the CA Server. All certificates are issued by CA Server in a standard way. However, certificates of users/LBC have special extension containing clients location, which is obtained from LBID Server. In that way, the correctness of location data sent from LBC to LBID Server can be verified. All the messages exchanged between all components are digitally signed by message initiator.

CA

Policy Establishme

Authentication Server Location Registration

LBID Server

Authorization Server

Access Result

SP Servers

A gMerchant e

LBC

LBC

LBC

Figure 19: LBAAS Architecture

6.3.2 Location verification One of the most crucial steps in a location-based authentication and authorization mechanism is the verification of the location claim provided by the user. The security of the whole systems can either succeed or fail depending on the effectiveness of this step. The decision whether a user is authenticated or not depends on the validity of his/her presented location. When a user authenticates to the system he/she presents his/her location, which has been captured and calculated by the location sensing client. The verification algorithm then has the responsibility to check this location claim, verify its validity, compare it to specified authorized locations and make a decision whether the user is authenticated or not. The goal of this process is to prevent location spoofing and make sure that the clients are really in the locations that they claim to be at. 89

There are several ways in which the location provided by a smartphone can be spoofed in order to fool a location-based security system [129]. These attacks can happen on different levels of the smartphone platform stack. As such they can be categorized as follows: Spoofing on the hardware level This is done via the location (GPS) module. An attacker can directly hack into the GPS hardware or module or simulate it in software and modify it to provide fake location signals to the smartphone operating system and consequently to the location based client. In this way, the signals are intercepted at the lowest possible level before they reach the client and as a result it ends up deducing an incorrect location. Spoofing on the OS level This is done by intercepting and modifying the location APIs in the smartphone operating system so that they report a fake location to the client application. This can be achieved by modifying or running a modified version of an operating system which has been programmed to report the locations that an attacker desires. This kind of an attack is possible in open source type of smartphone OSs where the source code is accessible and can be modified. Spoofing on the application level This kind of spoofing happens directly on the location client application by modifying its source code or by intercepting and modifying the final location result that is sent to the location-based server. A fake or modified copy of the location client application can be installed in the smartphone and report spoofed locations to the server. In addition, the location results from a valid client can also be intercepted in transit and modified to desired values before they reach the server. Another interesting attack [130] that targets location services in smartphones works by simulating certain environmental parameters i.e. access points, cell towers in order to fool the location modules that depend on this information to deduce the location of a device. This kind of attack however is not reliable and requires a lot of effort to carry out especially in a global scale. A number of different techniques can be used for location verification in order to mitigate the mentioned methods of location spoofing. One is distance bounding [131]. This kind of technique takes advantage of the physical limitations of wireless technologies to deduce and verify the location of a particular client. For example, a nearby Wi-Fi access point can collaborate with the location client in a smartphone to verify that the phone is in a location that it claims to be in. Another approach is to use IP addresses to geo-locate the client that is communicating with the server. Some research has shown that IP addresses can be used to roughly deduce the general location of a client [132]. These IP addresses are issued by mobile network operator (MNO) and cannot be easily changed by the client. Therefore, it is more difficult to spoof these IP addresses, which makes the approach more secure. This approach also has some disadvantages, including the frequent changing of client IP addresses, the level of accuracy of the location 90

estimates and the use of proxies/gateways which may hide true locations of clients. Another location verification technique is based on network latency measurements [133]. By comparing the latency (roundtrip) time to a client with other known reference points, a locating server can use this technique to verify the location of a particular client. All of these approaches individually have their strengths and weaknesses. Our location verification mechanism solves these problems by employing a hybrid approach. It combines different techniques and takes advantage of their strengths in order to verify the location of sufficiently with enough confidence. The approach can be considered as a strength-in-depth method, in which different individual methods complement each other and act as a layer of verification steps, where if one method is fooled the others can detect and prevent spoofing. The location verification mechanism takes into account the following parameters: 1. Two sets of location coordinates from two different location sources; 2. IP address of the client (smartphone); 3. MAC (Media Access Control) address of a nearby access point with the strongest signal. 6.3.2.1 Registration During the registration process the location information of the user is collected by the LBC running in the smartphone, sent to the server and stored in the database. This information includes the latitude (LAT), longitude (LNG) and accuracy (in a certain unit of measurement e.g. meters) as obtained from the location API of the smartphone. As shown in Figure 4, it represents the exact location and a range that the user wants to signify as an authorized location, from which access can be granted.

Figure 20: Representation of location information stored in database

In addition, the MAC address of the strongest nearby Wi-Fi access point is detected and stored in the database as an additional parameter. This value is obtained by comparing the RSSI (Received signal strength indicator) of all detected Wi-Fi signals and choosing the one with the highest signal strength. All of these values are then stored in the database as part of the user registration information. Figure 5 below shows an example of location database scheme.

91

6.3.2.2 Authentication and authorization During the authentication and authorization stage, the location of the user is detected and verified by the LBID server using the following mechanism: Step 1: In most of the major smartphone platforms there is usually more than one source (APIs) for obtaining location. For example, on Android there is the normal Android Location API, Skyhook, etc. This is the same for iOS, Blackberry and others. Based on this, our location verification utilizes two sets of location coordinates (LAT, LNG and accuracy) that are obtained from two different location APIs. In this way, the reliability and accuracy of the location is ensured since the result does not depend only on one source. These two location coordinates are then compared to see if the location areas they represent overlap. In normal circumstances these two areas should always overlap, as shown in the left part of the following Figure 6. If there is no overlap at all between these two location areas, as shown in the right part of the following Figure 6, it is a good indication that one or both of the sources of location are not correct and may have been compromised through one of the methods described previously.

Figure 21: Step 1 of the location verification mechanism

If there is no overlap location, the verification fails and the process stops. If the two results overlap, the process continues to step 2. Step 2: The public IP address of the client as observed by the server is recorded and used to estimate the location coordinates (LAT, LNG and accuracy) of the user using IP2Location service [16]. The result of this is then compared with both sets of coordinates from Step 1 to see if location areas are contained within the area represented by the coordinates from Step 2. Both location areas, described in Step 1 should be contained within the location area that is calculated based on the IP address, as shown in Figure 7. The location area obtained from IP address is usually of lesser granularity which covers a bigger area and should contain both locations described in Step 1, which are more precise with smaller areas. If both locations coordinates are not contained within the larger range of area from the IP address then it is good indication that one or both of the location coordinates from Step 1 are inaccurate and may have been spoofed. 92

Figure 22: Step 2 of the location verification mechanism

Therefore, the location verification process fails and stops if both locations from Step 1 are not contained in location from Step 2. If this check is successful the process continues to the final Step 3. Step 3: The MAC address of the access point, with the strongest detected Wi-Fi signal is captured and compared to the one saved during the registration process. If the two values do not match the verification process fails and stops. On the other hand if the values match, the verification process succeeds and becomes completed. These three steps provide a series of checks to ensure that users location as detected and reported by the LBC is correct and has not been spoofed or tampered with. After all the steps have been completed successfully, there is a high confidence in the validity of the location reported by the user. The most accurate location result from Step 1 the one with the highest accuracy (small range) represents the location of the user and thus is used to make further location-based authorization decisions depending on the authorized location registered by the user.

6.4 Security Protocols

All users must be registered before accessing resources or services. In that process users identity data, location data, and authorization policy entries must all be registered. Therefore, we structured the use of our system in three phases: 1. Registration; 2. Authentication; and 3. Authorization. Registration is performed only once, after joining the system. Authentication is performed at the beginning of each session, based on principles of single signon protocol. And, authorization is enforces for every request. In our system two types of location information are used: static location information and dynamic location information. Static location refers to the fixed location captured at the time of registration and stored in the database for future comparison during authentication and authorization. This information usually remains the same until it is explicitly changed by a user. Dynamic location refers to the location information captured every time authentication and authorization protocols are performed, at the time when user requests some mobile service. This information changes based on the users movement and the current location. 93

6.4.1 Registration Protocol Registration is performed only initially for new users. In this phase, user registration data, together with his/her current location is collected and stored in the LBID Server. Before the process begins, LBC must be downloaded and installed on the mobile device. It comes preloaded with the trusted Root CA certificate. During its activation, as the first step, user specifies his/her PIN. Then, users identity information e.g. username, mobile number etc. are entered and sent to the LBID Server. After that, LBC generates a key pair, and sends certificate request to the CA Server. In the reply, it receives and stores locally two certificates: its own certificate, and the certificate of the LBID Server. The preconfigured Root CA certificate is used to validate the two received certificates. PIN is used as local authentication credential and at the same time as a seed to generate local secret key, used to encrypt LBCs private key and all other locallystored data. After registration of identity data and obtaining his/her certificate, as the final step in this process, user registers his/her location. For that, he/she first sends locationregistration request to the LBID Server. The request is signed by the user and accompanied by users certificate. Upon receipt and successful validation of users certificate and the request, LBID Server generates a random number, associated with the received information, and sends it back to the user. User then activates location-registration function of the LBC and enters the received random number. The LBC captures users current static location and sends it together with the random number to the LBID Server. The location information is encrypted using LBID Servers public key extracted from its certificate. When LBID Server receives the data, it first matches the received location information with the previously received users registration request by using the included random number. LBID Server decrypts users location information using its private key and stores users location information together with users identification data. After completion of both steps, users registration information (identification and static location data) is stored in the database and results are sent back to the LBC which then presents a confirmation message to the user. Figure below shows the overview of the registration process.

94

Figure 23: LBAAS Registration Protocol

User (and SP) then can update their authorization entries in the authorization policy based on their location parameters. The policy is stored at the Authorization Server. Thus, our solution provides location-based authorization in addition to the standard rolebased authorization. For example, user may register in a policy location-based rule enforcing that the payment with the amount higher than $100 must be done from his/her home location. The registration and updates of policy entries works as follows: user (or SP administrator) enters policy rule using LBC. The rule contains mainly three fields: a. Subject the entity that accesses the resources b. Object the resources to be accessed c. Action the way that the subject accesses the object For example, subject is the user, object is transaction amount, and action is to pay. After entering data for a policy rule, the LBC sends data together with users location data, determined in that moment to the Authorization Server. Authorization Server stores the information in form of a new rule in the authorization policy.

95

6.4.2 Authentication and authorization protocol This is the second phase when the actual location-based authentication process is performed. The protocol is performed every time when the user requests some service from the system. The process begins when the user tries to access the protected resource (e.g. login into her account). The process is initiated by user sending a service request to the SP Server. SP Server directs service request to the Authentication Server to authenticate the user. The Authentication Server sends an authentication challenge to the user. The user then responds to the challenge by providing his/her security credentials back to the Authentication Server for the authentication purpose, which can be any existing mechanism depending on the implementation of the particular system. For example, it can be a username/password, one-time password (OTP) or certificate-based challenge/response authentication. Upon successful verification of user credentials, Authentication Server sends a location verification request to the LBC running on users smart phone. The LBC prompts the user to enter PIN. User responds by entering the PIN in order to authorize a location response. LBC then determines users location and sends it back to the Authentication Server within location response message. The location information is signed by LBCs private key and encrypted by LBID Servers public key. After that, the Authentication Server delivers users location information to the LBID Server. LBID Server decrypts the message using its private key and verifies users digital signature. If the verification is OK, it compares users location information with the location data stored in its database during registration and sends back verification result with users location information to the Authentication Server. If the authentication succeeds, Authentication Server sends authorization request, comprising users access request and users verified location information, to the Authorization Server. Authorization Server verifies users access request by comparing subject, object, action and users location with entries stored in the authorization policy and sends authorization result to the SP Server. Finally, the SP Server decides whether to approve users service request based on the authorization result. Figure 3 shows the sequence of steps involved in the location-based authentication and authorization protocol.

96

Figure 24: LBAAS Authentication and Authorization Protocol

6.5 Prototype implementation

6.5.1 Mobile marketing application (m-Market) A prototype of the described solution was implemented in order to demonstrate and test the functionality of the design. The implementation is working as an add-on service to the SAFE System [72], which provides comprehensive protections for large-scale mobile financial transactions. In order to enhance security features of the system, we added to it location-based authentication and authorization mechanism. Our authentication and authorization mechanism was implemented and tested using our mobile marketing application (m-Market). m-Market is a smart phone application that enables merchants and customers to exchange promotions, coupons and gift cards (collectively called mVouchers) in a mobile environment. Using their mobile phones, merchants can upload and offer these vouchers in a virtual market to customers, who can search, select, download and store them using their mobile phones. The m-Market application consists of two applications (clients): m-Merchant and m-Wallet, used by the merchant and customer respectively, and two servers: SAFE Payment Server and SAFE Mobile Marketing Server.

97

When a merchant wants to upload mobile voucher, he/she activates m-Merchant application on the mobile phone by first entering his/her secret PIN. Then he/she chooses what type of voucher should be uploaded, enters all the relevant details and then uploads the voucher to the Mobile Marketing Server. Likewise, when the customer wants to download a particular voucher, he/she first starts m-Wallet application by entering his/her PIN. Then, a list of vouchers available on the Mobile Marketing Server is obtained and displayed on his/her phone. The customer can select the voucher he/she wants and download it into his/her device. Depending on a voucher, a customer may be required to pay (e.g. for a gift card) before he/she can download the voucher to his/her mobile phone. In this case, payment information will be prompted and entered in the Wallet application and then processed by the SAFE Payment Server. Finally, after successful completion of the payment process, the voucher is downloaded into the device. Our authentication and authorization mechanism was used in this scenario to improve the existing security of the application in a non-obtrusive way. In terms of authentication, now in addition to the PIN, the geographic location of the user is taken into account before the m-Wallet application could be successfully opened on the mobile phone. In terms of authorization, our mechanism enables the merchant to associate location-based access rules with vouchers that are uploaded to the Mobile Marketing Server. 6.5.2 LBID Server The LBID Server was implemented using Apache, Server PHP scripts and MySQL Database Server. A set of PHP scripts was used to implement location verification process during authentication and for the location-based access control decision and enforcement process during authorization. The MySQL database was used to: 1) store the location coordinates (credentials) set by the user where successful authentication can occur and 2) to store the location access policies as set by the merchants(s). Apache Web Server acted as the communication proxy for the LBID Server. In this way communication between the LBID Server and other components of the system are securely performed through the HTTPS protocol. 6.5.3 Authentication The LBC was developed in Java and added as an extension of the m-Wallet application. During initiation phase a user can register a set of locations from which the application could be used. That set of locations coordinates are then uploaded and stored in the LBID Server database to be used as credentials later to verify users location. Later, user may change the registered location by the procedure similar to changing password. Figure below shows the panel for registration of user location.

98

Figure 25: Location Registration in m-Wallet

When mWallet is started, the user as before is asked to enter his/her secret PIN as shown in Figure below, which was set during the initialization of the application. If an invalid PIN is entered, the application will not start and will display incorrect PIN message to the user. If a valid PIN is entered, a call is made to the location registration module.

Figure 26: Local Authentication in m-Wallet

Using a combination of GPS, Wi-Fi and Cell Tower ID, the location module determines the geographic coordinates of the user with the best accuracy achievable at that time. These coordinates are then sent to the Mobile Marketing Server, which passes them to the LBID Server. The LBID Server checks and 99

verifies the coordinates against the set of locations registered earlier by the user as shown in Figure 6. Upon successful verification, the authentication result is sent back to the m-Wallet application, which opens and allows the user to continue using the application as shown in Figure 8. If location of the user cannot be sufficiently verified by the LBID Server, the application will not start and the appropriate message will be displayed to the user, as shown in Figure 7.

Figure 27: Location Verification in m-Wallet

Figure 28: Unauthenticated Location Alert in m-Wallet

Figure 29: Opening mWallet after successful Authentication

100

6.5.4 Authorization 6.5.4.1 Location Policy Rules Using m-Merchant application, during uploading of a voucher a merchant may also specify locationbased rules that should be associated with the particular voucher. For example, Figure 9 shows a screenshot of the m-Merchant application where a merchant enters location restrictions for the coupon he/she is about to upload to the Mobile Marketing Server. He/she has set the location policy rule to her current location. In that case the m-coupon about to be uploaded can only be viewed and downloaded by a customer form that location. If, for instance, a restaurant is at that location, then only customers that visit the restaurant can get a coupon. Details of the coupon, together with the location policy rule, are then sent to the Mobile Marketing Server.

Figure 30: Upload Coupons with Location Policies in m-Merchant

Location policies that are set by the merchant are stored in a MySQL database, as shown in Figure below

.
Figure 31: Database Schema of Authorization Policy

101

6.5.4.2 Location Policy Enforcement Location policy enforcement is performed by the m-Wallet when a customer wants to download a voucher. After the customer has been successfully authenticated by the m-Wallet, he/she can fetch a list of vouchers available on the Mobile Marketing Server. When a particular voucher is chosen for the download, the location module is activated and the location of the user is determined. The location is sent to the LBID Server, where users location coordinates are compared to the corresponding access policy rules, set by the merchant. Depending on the access decision made by the LBID Server, the customer is then permitted or denied to download the voucher to the device. For instance, Figure 11 shows an attempt by a customer to download the previously uploaded coupon at another unauthorized location i.e. in another restaurant.

Figure 32: Authorization Enforcement Result in m-Wallet

6.6 Summary
This has introduced the proposed system known as LBAAS which is a location-based security system that uses smartphones to detect location. Its design architecture and components were described. The mechanism that ensures the validity of location results was outlined. The security protocols involved registration, authentication and authorization were explained. Lastly, a prototype implementation that demonstrates the functionality of the proposed system was shown and described.

102

7 Evaluation and Discussion

7.1 Security Analysis
7.1.1 Threats against authentication and authorization 7.1.2 LBAAS security evaluation In this section we will provide an analysis of our protocol in order evaluate and assess its security against different possible attacks. We compare it with other popular authentication and authorization systems and show that it represents an improvement over the other protocols. In addition, we will also consider nonsecurity factors, such as user-friendliness and cost of the comparison. Table below shows the comparison of our protocol against a set of other chosen protocols. We have chosen the following protocols for comparison with our own design: (1) username/password combination; (2) token-based system (using the mobile phone as the token), such as proposed by Hallsteinsen et al. [73]; (3) One-time password (OTP) schemes which are becoming a popular alternative for multi-factor authentication, which are commonly used by some online services [74][75] and (4) Biometric-based schemes, such as fingerprint and voice scanners, considered to provide a higher level of security.

103

Username/Password Vulnerable to this attack if a poor password is chosen Vulnerable unless strong encryption is used Can be performed unless end to end security is used If passwords are simple or somehow become disclosed, impersonation is trivial and not easily detectable

Token-based Not vulnerable Vulnerable unless strong encryption is used Can be performed unless end to end security is used Relatively difficult since token has to be physically compromised and stolen. This is easier to detect. Not possible since a token is used If a token is stolen, security of the can be compromised Not very convenient since usually it requires a user to carry an additional separate device Requires additional device which might be expensive

OTP Not vulnerable Vulnerable unless strong encryption is used Can be performed unless end to end security is used Relatively difficult unless the source (seed) is compromised and the sequence of passwords can be predicted Prevented since passwords are used only once The source which generates OTPs can be stolen to compromise the system Not very userfriendly since it requires the user generate a random each time she wants access Varies depending on the mechanism used. Initial setup and synchronization of passwords may introduce some significant management costs

Biometric-based Not vulnerable Vulnerable unless strong encryption is used Can be performed unless end to end security is used Relatively easy for instance fingerprints and voice can easily be captured through various techniques If biometric information is captured it can be replayed Biometric features cannot be stolen, but their measurements can be copied Easy to use. However some technology such as iris scanners can be a little intimidating to some people Special scanners which are usually expensive are requires

Location-based using smart phones Not vulnerable Not vulnerable strong encryption is used for communication through TLS Prevented through the use of TLS Very difficult since password has to be compromised, smart phone has to be stolen, and attacker has to be at the authorized location Not possible since possession of a mobile phone is needed Even if a smart phone is stolen it cant be used unless in the authorized location Easy to use. It does not require any additional device besides a mobile phone. Location determination works transparently

Password Guessing

Eavesdropping

Man-in-the- middle attacks (MITM)

Impersonation

Replay attacks

If captured they can be replayed Can be stolen without easy detection

Theft

User-friendliness

Easy to use, but once the number of systems increase it becomes a problem

Cost

Inexpensive to implement

The only cost is for GPS-enabled smart phone

Table 9: Security evaluation of LBAAS compared to other common mechanisms

104

7.2 Limitations
7.2.1 Security limitations The location-based solution proposed and implemented in this thesis assumes and protects against a random attack model. It works best in situations where the attacker is opportunistic. In other cases (e.g. targeted attacks) the solution is limited. For example, if a user forgets or loses her smartphone somewhere (outside authorized locations) then an attacker who finds the smartphone wont be able to use to authenticate successfully to the protected system. On the other hand, with a targeted attack it is more difficult to protect against. An attacker who is targeting a specific user can learn enough about her to be able to guess the locations in which authentication is successful. Another security-related limitation is concerned with users privacy. Some issues involved have already been pointed out in Chapter 3. However, it is good to point out again that there is risk and potential for the violation of users privacy with a system like this. Location is a very sensitive piece of information. Every time a user authenticates her location has to be detected and verified. Therefore after an extended period of time the whereabouts of the user can be collected and tracked. In a future section we are going to examine some of the measures that can be taken to improve on this. 7.2.2 Performance limitations In the best case scenario using a smartphone the location of the user can be detected up to within a few meters of her actual location [71]. In worst case scenarios this difference can become up to a few kilometers (when it has to rely on Cell-ID triangulation). It depends on the availability of GPS, Wi-Fi and Cell signals. In many cases where all three signals are available and can be detected, the location of the user can be obtained with sufficient resolution for security purposes. In other situations where GPS and/or Wi-Fi is not available (e.g. indoors and in remote areas) the location resolution may not be enough to securely distinguish between authorized and unauthorized locations. However, the effects of this limitation will continue to diminish as inbuilt GPS chips improve and Wi-Fi infrastructure continues to spread worldwide.

7.3 Summary
In this chapter a security evaluation of the proposed system has been examined. The system has been compared with other popular mechanisms against some of the most common attacks against authentication and access control systems. Some potential issues that may limit the effectiveness of the proposed solutions have also been highlighted.

105

8 Conclusions and Future work

8.1 Conclusions
Throughout the course of this research thesis we have seen and described how the different technologies built into smartphones is capable of providing reliable and accurate location positions of users who possess them. Smartphones can function as a location source in a location-based security system. They can provide reliability and accuracy. Smartphones possess multiple components hardware and software that can provide location. They do not depend solely on one type of scheme. We have seen for example how technologies such as Cell-ID triangulation, Wi-Fi signals and GPS can in combination be used to estimate location. As such the research shows that smartphones offer a reliable source of location which is important in a location-based security system. They provide a source than can work in all kinds of scenarios and situations indoors, outdoors, etc. These location-related technologies built into smartphones have become quite good in producing accurate results. And they keep on improving each time. We have seen and demonstrated how accurate these results can become. It is possible to sufficiently distinguish the locations of two areas that might of relevance in security-related decisions. For example, a company that wants to restrict access depending on the locations of its different branches, a user who wants to be able to access his bank account using his phone only from his home or office and so on. As such it can be concluded that smartphones can be used as a device to provide accurate location positions to be used in making important security decisions. The smartphone platform is already one that has matured and is quite popular. We have seen evidence of this from the statistics of various studies and from the proliferation of various applications and services targeted to smartphones. They provide a stable platform on which additional systems can be built on. The prototype (Location-based client) in this thesis was implemented and tested on an Android phone. The results of this implementation have shown that security built based on smartphones can easily be achieved without much additional cost or a need for a new infrastructure. Most people already own a smartphone and know how to use them. There is no need to carry an extra device just for performing location-based authentication. These smartphones also already have security libraries and components that can easily be used to create secure applications. In addition it is also more convenient for users to carry just one device perform multiple functions (including the location-based authentication and access control) rather than having multiple different devices that may become very difficult to manage as the number of protected services increase. Last but not least the architecture of the proposed system has shown a great level of flexibility in implementation and integration with existing authentication and access control systems. It can easily be introduced as an add-on on top of existing security systems. This can allow for easy deployment. It is also beneficial security-wise as it can provide an additional layer of protection on top of other mechanisms that may already be there.

106

8.2 Future work

The work in this thesis was just a first step in exploring the possibility of using smartphones in security systems particularly location-based security systems. Most of the previous location-based authentication and access control systems have relied on specialized devices to generate and supply location coordinates. None have attempted to use smartphones as an alternative. As such there is still opportunity to do much more in the direction of this approach. The following are some of the enhancements that could be pursued to extend and improve on work done here; Focus on the privacy issues that arise from the use of a location-based security system such as this. For example, implementing the system according to specifications such as GEOPRIV [134] which ensures that location information is represented and transmitted in a privacy-protected manner. Integration of the Location-based client with secure components available in smartphones such as smart cards. For example, the smart card API [135] in the Android platform which allows for the development of more secure application clients. This can enhance the security of the location client in generating and storing sensitive information and prevent malicious modification of the client code. Use of additional sensors such as NFC, Bluetooth etc. in obtaining the location of users. The location can be determined by detecting the proximity of the smartphone to other NFC or Bluetooth sensors. This can improve the system especially in indoor situations such as in a large company compound, where the location of different rooms (fitted with these sensors) can be distinguished more efficiently and accurately. Refinement of the location verification algorithm. This still remains as a big challenge. How to make sure that the location produced from the client is correct and has not been modified (spoofed). This research work has proposed a very simple mechanism which works in the simple attack model that was specified. In order to be acceptable for broader use a more robust mechanism has to be designed in order to prevent all kinds of attacks.

107

REFERENCES
[1] Bishop, M., 2005. Introduction to computer security, Boston: Addison-Wesley. [2] Kaufman, C., 2002. Network security: private communication in a public world 2nd ed., Upper Saddle River N.J.: Prentice Hall PTR. [3] Anon, authentication - definition of authentication by the Free Online Dictionary, Thesaurus and Encyclopedia. Available at: http://www.thefreedictionary.com/authentication [Accessed August 8, 2011]. [4] Yung, M., 2008. On the Evolution of User Authentication: Non-bilateral Factors. In D. Pei et al., eds. Information Security and Cryptology. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 5-10. Available at: http://www.springerlink.com/index/10.1007/978-3-540-79499-8_2 [Accessed August 9, 2011]. [5] D. Denning and P. MacDoran , "Location-Based Authentication: Grounding Cyberspace for Better Security," Computer Fraud and Security [6] Brainard, J. et al., 2006. Fourth-factor authentication. In Proceedings of the 13th ACM conference on Computer and communications security - CCS 06. the 13th ACM conference. Alexandria, Virginia, USA, p. 168. Available at: http://portal.acm.org/citation.cfm?doid=1180405.1180427 [Accessed August 10, 2011]. [7] Grawemeyer, B. & Johnson, H., 2011. Using and managing multiple passwords: A week to a view. Interacting with Computers, 23(3), pp.256-267. studies about passwords. Will provide some diagrams [8] Huang, C.-Y., Ma, S.-P. & Chen, K.-T., 2011. Using one-time passwords to prevent password phishing attacks. Journal of Network and Computer Applications, 34(4), pp.1292-1301. [10] Anon, About Smart Cards: Introduction: Primer - Smart Card Alliance. http://www.smartcardalliance.org/pages/smart-cards-intro-primer [Accessed August 15, 2011]. [11] Anon, BBC News - Fingerprint technology to help feed Indias http://www.bbc.co.uk/news/business-13965768 [Accessed August 15, 2011]. poorest. Available at:

Available

at:

[12] Reeder, R. & Schechter, S., 2011. When the Password Doesnt Work: Secondary Authentication for Websites. IEEE Security & Privacy Magazine, 9(2), pp.43-49. [13] Anon, [1104.3722v1] Investigating the Distribution http://arxiv.org/abs/1104.3722v1 [Accessed August 15, 2011]. of Password Choices. Available at:

[14] Travieso, C.M. et al., 2011. Bimodal biometric verification based on face and lips. Neurocomputing, 74(14-15), pp.2407-2410. [15] Miller, B., 1994. Vital signs of identity [biometrics]. IEEE Spectrum, 31(2), pp.22-30.

108

[16] OGorman, L., 2003. Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE, 91(12), pp.2021-2040. [17] L. OGorman, Seven issues with human authentication technologies, in Proc. IEEE Workshop Automatic Identification Advanced Technologies, 2002, pp. 185186. [18] Anon, Official Google Blog: Advanced sign-in security for your Google account. Available at: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [Accessed August 16, 2011]. [19] Anon, A New Suite of Safety Tools. Available https://blog.facebook.com/blog.php?post=10150153272607131 [Accessed August 16, 2011]. [20] Anon, RSA SecurID. Available at: http://www.rsa.com/node.aspx?id=1156 [Accessed August 16, 2011]. [21] Anderson, R., 2008. Security engineering: a guide to building dependable distributed systems 2nd ed., Indianapolis IN: Wiley Pub, pp.51-71. [22] Benantar, M., 2006. Access control systems: security, identity management and trust models, New York NY: Springer. [23] Denning, D. & Macdoran, P., 1996. Location-based authentication: Grounding cyberspace for better security. Computer Fraud & Security, 1996(2), pp.12-16. [24] Duckham, M., Kulik, L.: Location Privacy and Location-Aware Computing. In: Drummond, J., et al. (eds.) Dynamic & Mobile GIS: Investigating Change in Space and Time, CRC Press, Boca Raton (2006) [25] Domnitcheva, S. Location modeling: State of the art and challenges. In Workshop on Location Modeling for Ubiquitous Computing (2001) [26] Leonhardt, U. Supporting Location-Awareness in Open Distributed Systems. PhD thesis, Imperial College of Science, Technology and Medicine, University of London, 1998 [27] Decker, M., 2008. Requirements for a location-based access control model. In ACM Press, p. 346. Available at: http://portal.acm.org/citation.cfm?doid=1497185.1497259 [Accessed October 21, 2011]. [28] Ray, I. & Kumar, M., 2006. Towards a location-based mandatory access control model. Computers & Security, 25, pp.36-44. [29] Cleeff, A. van, Pieters, W. & Wieringa, R., 2010. Benefits of Location-Based Access Control: A Literature Study. In IEEE, pp. 739-746. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5724911 [Accessed October 24, 2011]. [30] Damiani, M.L., Bertino, E. & Perlasca, P., 2007. Data security in location-aware applications: an approach based on RBAC. International Journal of Information and Computer Security, 1, p.5. at:

109

[31] F. Hansen and V. Oleshchuk, "SRBAC: A spatial role-based access control model for mobile systems," in Proc. of the 7th Nordic Workshop on Secure IT Systems, pp. 129-141, 2003. [32] Chandran, S.M. & Joshi, J.B.D., 2005. LoT-RBAC: A Location and Time-Based RBAC Model. In A. H. H. Ngu et al., eds. Web Information Systems Engineering WISE 2005. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 361-375. Available at: http://www.springerlink.com/index/10.1007/11581062_27 [Accessed October 24, 2011]. [33] Looi, M., Enhanced Authentication Services for Internet Systems Using Mobile Networks, Piscataway N.J.: Institute of Electrical and Electronics Engineers?; IEEE Service Center, 2000. [34] Han, K. and K. Kim, Enhancing Privacy and Authentication for Location-based Service using Trusted Authority, in Proceedings of the 2nd Joint Workshop on Information Security (JWIS2007), Waseda University, Tokyo Japan, Aug.6-7, 2007, http://citeseerx.ksu.edu.sa/viewdoc/summary?doi=10.1.1.101.6304. [35] YounSun Gho, L. Bao, M.T. Goodrich, "LAAC: A Location-Aware Access Control Protocol", Mobiquitous, Third Annual International Conference on Mobile and Ubiquitous Systems, Networking, and Services, pp.1-7, 2006. [36] Zhang, H., He, Y. & Shi, Z., A Formal Model for Access Control with supporting Spatial Context, Science in China Series F: Information Sciences, 50(3), pp.419-439, 2007. [37] Ray, I., Kumar, M. & Yu, L., LRBAC: A Location-Aware Role-Based Access Control Model, in A. Bagchi & V. Atluri, (eds.) Information Systems Security. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 147-161, 2006 http://www.springerlink.com/index/10.1007/11961635_10. [38] Jansen, W. & Korolev, V., A Location-Based Mechanism for Mobile Device Security, in WRI World Congress on Computer Science and Information Engineering, Los Angeles, California USA, pp. 99-104, 2009 http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5171142. [39] Takamizawa, H. & Kaijiri, K., A Web Authentication System using Location Information from Mobile Telephones, Proceedings of the IASTED International Conference Web-based Education (WBE 2009). [40] Ardagna, C.A. et al., 2009. Access Control in Location-Based Services. In C. Bettini et al., eds. Privacy in Location-Based Applications. Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 106-126. Available at: http://www.springerlink.com/index/10.1007/978-3-642-03511-1_5 [Accessed September 5, 2011]. [41] Zhang, H., He, Y. & Shi, Z., 2007. A formal model for access control with supporting spatial context. Science in China Series F: Information Sciences, 50(3), pp.419-439. [42] Anon, BBC News Q&A: Europes Galileo project. http://news.bbc.co.uk/2/hi/science/nature/4555276.stm#facts [Accessed September 23, 2011]. Available at:

[43] Krishnamurthy, P., Tipper, D. & Joshi, J., Position Location Technologies for Wireless Systems. Available at: www.sis.pitt.edu/~jjoshi/Location_Wireless_Chapter.pdf.

110

[44] Trevisani, E. & Vitaletti, A., Cell-ID Location Technique, Limits and Benefits: An Experimental Study. In IEEE, pp. 51-60. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber = 1377314 [Accessed September 24, 2011]. [45] Nissani, D.N. & Shperling, I., Cellular CDMA (IS-95) location, A-FLT (assisted forward link triangulation) proof-of-concept interim results. In IEEE, pp. 179-182. Available at: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=924362 [Accessed September 26, 2011]. [46] Geistert, J., WLAN Positioning. Available at: http://www.snet.tu-berlin.de/fileadmin/fg220/courses/SS11/snetproject/wlan-positioning_geistert.pdf [Accessed September 9, 2011]. [47] Willaredt, J., Wi-Fi and Cell-ID based positioning - Protocols, Standards and Solutions. Available at: http://www.snet.tu-berlin.de/fileadmin/fg220/courses/WS1011/snet-project/wifi-cellid-positioning_willaredt.pdf [Accessed September 9, 2011]. [48] Wortham, J., 2009. Cellphone Locator System Needs No Satellite. The New York Times. Available at: http://www.nytimes.com/2009/06/01/technology/start-ups/01locate.html [Accessed September 27, 2011]. [49] Anon, Google Says It Collects Location Data on Phones for Location Services - NYTimes.com. Available at: http://bits.blogs.nytimes.com/2011/04/22/google-says-it-collects-location-data-on-phones-for-location-services/ [Accessed September 27, 2011]. [50] Anon, Apples iPhones and Googles Androids Send Cellphone Location - WSJ.com. Available at: http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html [Accessed September 27, 2011]. [51] Anon, Skyhook: How It Works > Overview. Available at: http://www.skyhookwireless.com/howitworks/ [Accessed September 28, 2011]. [52] Anon, Google mobile apps collect Wi-Fi location data | Relevant Results - CNET News. Available at: http://news.cnet.com/8301-30684_3-20009223-265.html [Accessed September 28, 2011]. [53] Anon, About Gartner. Available at: http://www.gartner.com/technology/about.jsp [Accessed September 30, 2011]. [54] Anon, Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphone Sales Grew 74 Percent. Available at: http://www.gartner.com/it/page.jsp?id= 1764714 [Accessed September 19, 2011]. [55] Anon, About Us | Pew Research Centers Internet & American Life Project. Available at: http://pewinternet.org/About-Us.aspx [Accessed September 30, 2011]. [56] Smith, A., 2011. Smartphone Adoption and Usage, Pew Internet Project. Available http://pewinternet.org/Reports/2011/Smartphones/Summary.aspx [Accessed September 10, 2011]. [57] Anon, Nielsen | About Us | What Consumers Watch http://www.nielsen.com/us/en/about-us.html [Accessed September 29, 2011]. and Buy. Available at:

at:

111

[58] Anon, IMS Research - Electronics market research & consultancy. http://imsresearch.com/about/company-profile.php [Accessed September 29, 2011].

Available

at:

[59] Anon, About IDC. Available at: http://www.idc.com/about/about.jsp?t=1317334006333 [Accessed September 29, 2011]. [60] Anon, 40 Percent of U.S. Mobile Users Own Smartphones; 40 Percent are Android | Nielsen Wire. Available at: http://blog.nielsen.com/nielsenwire/online_mobile/40-percent-of-u-s-mobile-users-own-smartphones-40percent-are-android/ [Accessed September 19, 2011]. [61] Anon, IMS Research - Electronics market research & consultancy. Available at: http://imsresearch.com/pressrelease/Global_Smartphones_Sales_Will_Top_420_Million_Devices_in_2011_Taking_28_Percent_of_all_Hands ets_According_to_IMS_Research [Accessed September 19, 2011]. [62] Anon, IDC Press Release prUS22871611. http://www.idc.com/getdoc.jsp?containerId=prUS22871611 [Accessed September 29, 2011]. Available at:

[63] Anon, Huawei Africa. Available at: http://www.huawei.com/africa/en/catalog.do?id= 761#self [Accessed September 30, 2011]. [64] Zickuhr, K. & Smith, A., 2011. Geosocial and location-based services on smartphones | Pew Internet & American Life Project. Available at: http://www.pewinternet.org/Reports/2011/Location/Report/Smartphones.aspx [Accessed October 5, 2011]. [65] Anon, Location Based Services: Why smartphone apps will pay off for advertisers, carriers, application providers. Available at: http://blog.compete.com/2009/06/02/location-based-services-applications-carriersadvertisers/ [Accessed October 5, 2011]. [66] Anon, Coverage | Navizon Blog. Available at: http://www.navizon.com/blog/?page_id=13 [Accessed October 10, 2011]. [67] Anon, 2007. Bringing WiFi and Cellular positioning to mobile devices and to the Web. Available at: http://www.navizon.com/Navizon_wifi_gps_and_cell_tower_positioning.pdf. [68] Anon, Obtaining User Location | Android Developers. Available at: http://developer.android.com/guide/topics/location/obtaining-user-location.html [Accessed October 10, 2011]. [69] Anon, Location | Android Developers. Available http://developer.android.com/reference/android/location/Location.html [Accessed October 10, 2011]. at:

[70] Anon, Core Location Framework Reference. Available at: http://developer.apple.com/library/ios/#documentation/CoreLocation/Reference/CoreLocation_Framework/_index .html [Accessed October 10, 2011]. [71] von Watzdorf, S. & Michahelles, F., 2010. Accuracy of positioning data on smartphones. In ACM Press, pp. 14. Available at: http://portal.acm.org/citation.cfm?doid=1899662.1899664 [Accessed October 11, 2011].

112

[72] Zhang, F., Secure Applications for Financial Environments (SAFE) System, Licentiate thesis, Royal Institute of Technology, Stockholm, Sweden, June 2010. [73] Hallsteinsen, S., Jorstad, I., Thanh, D.V., Using Mobile Phone as a Security Token for Unified Authentication, in Second International Conference on Systems and Networks Communications (ICSNC), Cap Eterel, France, pp. 68-68, 2007 http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=4300040. [74] Anon, Official Google Blog: Advanced Sign-in Security for your Google Account, http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html. [75] Anon, A New Suite of Safety Tools (1). https://blog.facebook.com/blog.php?post=10150153272607131. [76] Han, D. & Seshan, S., 2011. A Case for World-wide Network Measurement using Smartphones and Open Marketplaces, Pittsburgh, PA 15213: School of Computer Science, Carnegie Mellon University. [77] Anon, IP Address Geolocation to Identify Website Visitors Geographical Location. Available at: http://www.ip2location.com/ [Accessed October 31, 2011]. [78] Anon, IP2Geo.net - Lookup IP address to Country, State, http://www.ip2geo.net/ip2location/lookup.php [Accessed October 31, 2011]. City, ISP. Available at:

[79] Padmanabhan, V.N. & Subramanian, L., 2001. An investigation of geographic mapping techniques for internet hosts. In ACM Press, pp. 173-185. Available at: http://portal.acm.org/citation.cfm?doid= 383059.383073 [Accessed October 31, 2011]. [80]Anon, Available at: http://www.ietf.org/rfc/rfc1876.txt [Accessed October 31, 2011]. [81] Anon, NetGeo - The Internet Geographic Database. Available at: http://www.caida.org/tools/utilities/netgeo/ [Accessed October 31, 2011]. [82] Anon, IP2LL. Available at: http://thegestalt.org/simon/ip2ll/ [Accessed October 31, 2011]. [83] Anon, VisualRoute - Traceroute and Reverse trace - Traceroute and Network diagnostic tools. Available at: http://www.visualroute.com/ [Accessed October 31, 2011]. [84] Anon, NetworkingFiles NeoTrace. Available at: http://www.networkingfiles.com/neotrace/ [Accessed October 31, 2011]. [85] Anon, GTrace - A Graphical Traceroute. Available at: http://www.caida.org/tools/visualization/gtrace/ [Accessed October 31, 2011]. [86] Anon, Akamai EdgeScape: Customize Web Content with Geointelligence. Available http://www.akamai.com/html/technology/products/edgescape.html [Accessed October 31, 2011]. at:

113

[87]

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=9&qpcustomb=1 http://www.ja.net/documents/development/network-access/locationawareness/investigations/A1-overview-of-location-technologies.pdf

Operating

system

market

share

[WWW

Document],

2012.

URL

[88] Cope, A., Jorgenson, M., 2012. Overview of Location Technologies [WWW Document]. URL

[89] Florencio, D., Herley, C., 2007. A large-scale study of web password habits. ACM Press, p. 657. [90] Too Many People Reuse Logins, Study Finds | PCWorld [WWW Document], 2012. . URL http://www.pcworld.com/article/188763/too_many_people_reuse_logins_study_finds.html [91] PasswordResearch.com Study - SafeNet/Rainbow Technologies Password Usage Survey [WWW Document], 2012. . URL http://passwordresearch.com/stats/study17.html [92] Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., 2010. Encountering stronger password requirements. ACM Press, p. 1. [93] Messerges, T., Dabbish, E., Sloan, R., n.d. Investigations of power analysis attacks on smartcards, in: Investigations of Power Analysis Attacks on Smartcards. Presented at the In USENIX Workshop on Smartcard Technology. [94] Hagai, B.-E., n.d. Known Attacks Against Smartcards. [95] Patrick, A., 2008. Acceptance of Biometrics: Things That Matter That We Are Ignoring. [96] MythBusters beat fingerprint security system, 2007. . [97] Kizza, J., n.d. Computer Network Security. Springer., p. 236 [98] Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):12781308, 1975. [99] Samarati, P., Vimercati, S.C., n.d. Access Control: Policies, Models, and Mechanisms, in: Focardi, R., Gorrieri, R. (Eds.), Foundations of Security Analysis and Design. Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 137 196. [100] PlayStation Network hacked, data stolen: how badly is Sony hurt? [WWW Document], 2012. . Ars Technica. URL http://arstechnica.com/gaming/news/2011/04/sonys-black-eye-is-a-problem-not-a-legal-one.ars [101] Hackers controlled Nasa computers, 2012. . BBC. [102] Identity of Zuckerbergs hacker unknown, Facebook fixes bug, n.d. TechSpot.

114

[103] Finkle, J., Shalal-Esa, A., 2011. Exclusive: Hackers breached U.S. defense contractors. Reuters. [104] Ardagna, C.A., Cremonini, M., Damiani, E., di Vimercati, S.D.C., Samarati, P., 2006. Supporting locationbased conditions in access control policies, in: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security - ASIACCS 06. Presented at the the 2006 ACM Symposium, Taipei, Taiwan, p. 212. [105] Junglas, I.A., Spitzmuller, C., n.d. A Research Model for Studying Privacy Concerns Pertaining to LocationBased Services. IEEE, p. 180b180b. [106] Zhou, T., 2011. The impact of privacy concern on user adoption of location-based services. Industrial Management & Data Systems 111, 212226. [107] Helft, M., Obrien, K.J., 2011. Apples Data Practices Draw More Scrutiny. The New York Times. [108] Apple Sued Over iPhone Tracking, n.d. PCMAG. [109] On Locational Privacy, and How to Avoid Losing it Forever [WWW Document], 2012. . URL https://www.eff.org/wp/locational-privacy [110] Pingley, A., Yu, W., Zhang, N., Fu, X., Zhao, W., 2009. CAP: A Context-Aware Privacy Protection System for Location-Based Services. IEEE, pp. 4957. [111] Chow, C.-Y., Mokbel, M.F., 2009. Privacy in location-based services. SIGSPATIAL Special 1, 2327. [112] In-Depth Look: Location Privacy Act of 2011 | North Carolina Journal of Law and Technology [WWW Document], 2012. . URL http://www.ncjolt.org/blog/2011/10/10/depth-look-location-privacy-act-2011 [113] Wall, J.H., Bevly, D.M., "Characterization of Inertial Sensor Measurements for Navigation Performance Analysis," Proceedings of the 19th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2006), Fort Worth, TX, September 2006, pp. 2678-2685 [114] CURRENT GPS CONSTELLATION http://tycho.usno.navy.mil/gpscurr.html [WWW Document], 2012. . URL

[115] Information analytical centre of GLONASS and GPS controlling [WWW Document], 2012. . URL http://www.glonass-ianc.rsa.ru/en/ [116] BeiDou-2 [WWW Document], 2012. . URL http://www.beidou.gov.cn/ [117] Willaredt, J., n.d. Wi-Fi and Cell-ID based positioning - Protocols, Standards and Solutions. [118] Real Time Location System (RTLS) Overview | Ekahau [WWW Document], 2012. . URL http://www.ekahau.com/products/real-time-location-system/overview.html

115

[119] TechCrunch | In April, Apple Ditched Google And Skyhook In Favor Of Its Own Location Databases, n.d. TechCrunch. [120] Wireless LAN Positioning Systems: Hitachi in Singapore [WWW Document], 2012. . URL http://www.hitachi.com.sg/products/business/it/wireless_lan_pos_systs/index.html [121] Apple - Press Info - Apple Reinvents the Phone with iPhone [WWW Document], 2012. . URL http://www.apple.com/pr/library/2007/01/09Apple-Reinvents-the-Phone-with-iPhone.html [122] T-Mobile, Google and HTC introduce first Android phone | Macworld [WWW Document], 2012. URL http://www.macworld.com/article/1135695/android_g1.html [123] Bolliger, P., Partridge, K., Chu, M., Langheinrich, M., 2009. Improving Location Fingerprinting through Motion Detection and Asynchronous Interval Labeling, in: Choudhury, T., Quigley, A., Strang, T., Suginuma, K. (Eds.), Location and Context Awareness. Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 3751. [124] Andy Rubin: 850k Android activations a day, 300m total devices, 12m tablets, n.d. The Verge. [125] Nokia and Microsoft form alliance, 2011. . BBC. [126] Application Platform Overview for Windows Phone http://msdn.microsoft.com/en-us/library/ff402531(v=VS.92).aspx [WWW Document], 2012. . URL

[127] Nokia and Accenture finalize Symbian software development and support services outsourcing agreement Nokia Press [WWW Document], 2012. . URL http://press.nokia.com/2011/06/22/nokia-and-accenture-finalizesymbian-software-development-and-support-services-outsourcing-agreement/ [128] In U.S. Market, New Smartphone Buyers Increasingly Embracing Android | Nielsen Wire [WWW Document], 2012. . URL http://blog.nielsen.com/nielsenwire/online_mobile/in-u-s-market-new-smartphone-buyersincreasingly-embracing-android/ [129] He, W., Liu, X., and Ren, M. Location Cheating: A Security Challenge to Location-based Social Network Services. In Proceedings of CoRR. 2011. [130] Anon, Location Spoofing Attacks on the iPhone and iPod. Available at: http://www.syssec.ch/press/locationspoofing-attacks-on-the-iphone-and-ipod [Accessed November 15, 2011]. [131] J. Chiang, J. Haas, and Y. Hu, Secure and precise location verification using distance bounding and simultaneous multilateration, in Proceedings of the second ACM conference on Wireless network security. ACM, 2009, pp. 181192. [132] M. Balakrishnan, I. Mohomed, and V. Ramasubramanian, Wheres that phone?: geolocating IP addresses on 3G networks, in Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference. ACM, 2009, pp. 294300

116

[133] KATZ-BASSET, E.,JOHN,J., KRISHNAMURTHY,A., WETHERALL, D., ANDERSON, T., AND CHAWATHE, Y. Towards IP geolocation using delay and topology mesurements. In Proceedings of the ACM SIGCOMM Internet Measurement Conference (October 2006). [134] Geographic Location/Privacy (geopriv) https://datatracker.ietf.org/wg/geopriv/charter/ Charter [WWW Document], 2012. . URL

[135] SmartcardAPI - seek-for-android - How to use the SmartCard API in Android - Secure Element Evaluation Kit for the Android platform - the SmartCard API - Google Project Hosting [WWW Document], 2012. . URL http://code.google.com/p/seek-for-android/wiki/SmartcardAPI

117

TRITA-ICT-EX-2012:244

www.kth.se