GeoVault: Secure Location Tracking

Electrical and Computer Engineering

GeoVault:Secure Location Tracking

Final Project Review

Nathan Franz

Emily Nelson

Thomas Petr

Shanka Wijesundara

2Electrical and Computer Engineering

System Overview

GeoVault

EmailCell Phone Computer

3rd Party Server

Google Maps API

HTTPS HTTPS

Database

DatabaseDatabase

Access Controls

Resolution

OAuth

Map Queries

Map Queries

Notifications

Stored Location Data

Location Data

Location Data

Login Credentails


System Overview

• Location data is transmitted from either cell phone or computer to the GeoVault Server.

• The server is where the resolution and access settings are stored and can be applied to the updated location.

• The location is transmitted from the server to the distributed database and then to the specific node by secret sharing.

• The data can also be transmitted from the server to a third party via OAuth.

• Emails are sent from the server to the user via emial.• The users device directly interfaces with the google map

API to display their location on a map.


Feedback From CDR

• Network was complicated

– Lots of secret sharing

• Trying to cover military and civilian has too many conflicts

• Demo should include threats

• Limitations in existing system


Timing of Secret Sharing

• Not as fast as other encryption methods – Chosen because of its threshold scheme.

Threshold Time (us)

3 135

4 212

5 308

6 423

7 549

8 693

9 858

10 1054


Political Boundaries

• Used U.S. Census Data• Region selected by most overlapping area of accuracy circle• Able to see down to

– Country– State– County (Massachusetts only for now)– Town (Massachusetts only for now)


OAuth

• Tokens are used to grant a third party website temporary access to GeoVault.

• They regulate– What the third party has access to – How long they have access

GeoVault Twitter

OAuth

Location Data


Motivation for Attacks

Impersonation Snooping Denial of Service

CSRF

• Fool others to think a user is in different location

• Fool that users followers

• Obtaining information to blackmail/gain competitive advantage

• Tracking trends for marketing purposes

• Spouses spying on each other

• Denying service to GeoVault to encourage user to go to a similar website

• Trick user to update their location

• Update their website unknowingly, increase network traffic and thus advertising prices will go up


Attacks & Countermeasures

Snooping Impersonation CSRF Man in the Middle

Denial of Service

• Encryption

• Distributed

Database

• Secret

Sharing

• Idle Timeouts

• Difficult to

statistically

determine

position

• Idle Timeout

Delays

• Unrealistic

Travel Check

• Session Id

number

check

• HTTPS • CAPTCHA’s

• Failed login

attempt delay


Demo


Division of Labor

Emily (CSE) Frontend Implementation, Threat Modeling, Documentation

Tom (CSE) Multiparty Computation, Django, Backend implementation, Project Manager, OAuth

Nate (EE) HTML5, CAPTCHAs, Idle Time outs, Failed Login Delay, Update Delay, OAuth

Shanka (EE) Django, Backend Implementation, Political Boundaries, CSRF


Thank you!

GeoVault

EmailCell Phone Computer

3rd Party Server

Google Maps API

HTTPS HTTPS

Database

DatabaseDatabase

Access Controls

Resolution

OAuth

Map Queries

Map Queries

Notifications

Stored Location Data

Location Data

Location Data

Login Credentails


Snooping

Database

Database

Database

Encryption

Idle Timeouts

Distributed Database

Secret Sharing

Passwords


Impersonation

Idle Time Outs

Unrealistic Travel check

Passwords


DDOS

CAPTCHA’s

Failed Login Attempt Delay

Update Delay


Cross Site Request Forgery Protection

Session ID Verification

GeoVault

Malicious Website


Man in the Middle Attack

HTTPS

GeoVault: Secure Location Tracking

Documents

geovault server

updated location

party website temporary

access settings

system overviewlocation

existing system

timing of secret sharingnot

threshold scheme