Secure Location Agent
Author : Dmerida
From TechnologicalWiki
Indoor localisation using WSN
Wireless sensor networks (WSN) are made up of small, low-cost devices (sensors) with the capacity to monitor physical phenomena that occur around them and to communicate this to a device with a greater capacity to process and analyse that information (the base station). The range of sensors compatible with the network that can be attached to the nodes is extremely wide: it includes sensors for temperature, humidity, luminosity, pressure, radiation, etc. This makes the nodes very versatile and able to carry out extremely varied tasks, which, taken together with their low cost and size, makes WSNs an ideal technology for monitoring diverse environments and resources.
Because of this, WSNs can be found in various environments, both indoor and outdoor. Among the most usual outdoor applications are monitoring atmospheric contamination levels and collecting climatic data, efficient management of crops, detection and prevention of forest fires, etc. Indoors, WSNs can be used to guard against home intruders, to detect gas or water leaks, and to monitor dependent people, among other things.
Another possibility of WSNs is that they can offer localisation of resources or individuals. On the one hand, they can locate elements outside the network by means of the different sensors attached to the nodes, for example a presence sensor or a camera. On the other hand, it is also possible to locate elements that belong to the network through certain characteristics of the radio signals sent between devices.
It can be supposed that in the near future, when every object in our surroundings forms part of a single network, the Internet of Things, this form of localisation will gain prevalence over the former. Three main methods exist, depending on the characteristic observed: based on the strength of the received signal (Received Signal Strength, RSS), based on the angle of arrival of the signal (Angle of Arrival, AoA), and finally based on the time of arrival (Time of Arrival, ToA). This process is known as the observation phase.
Generally, localisation solutions can be divided into four large groups, depending on the entity that carries out the observation and the entity that calculates the position of the device. Hence we can identify solutions in which both processes are carried out by the device or both by the network infrastructure, solutions in which the observation is done by the device, which sends this information to the network, which in turn completes the calculation, and vice versa. Figure 1 shows two basic diagrams that illustrate in a simplified way the elements that make up the system and the parts involved in each process. In case (a) the sensor device is responsible for collecting the information received from the system as well as for calculating its own location based on it. In case (b) it is the positioning system that carries out the observations and calculates the whereabouts of each device. This information can simply be stored at the place in the system where the calculation is made, or it can be sent to another part (or even a third party) so that the location of the device is known.
This classification is useful because of its implications for security and for the privacy of the devices (or of their carriers). Depending on the entity or entities involved in the observation and the subsequent calculation of the position, the system could become vulnerable from different angles. So, for example, if the infrastructure is limited to merely providing the information that allows the devices to work out their own position, as is the case with GPS, the device keeps total control of its location information, which guarantees the privacy of the user's position in the face of possible breaches of the positioning system.
Different types of attack exist that can affect the correct localisation of the device. Generally we see two types of attack: those carried out by external attackers and those carried out by internal attackers. External attackers are those that do not form part of the infrastructure and so cannot authenticate themselves to the rest of the network; their intention is to convince a node or the positioning infrastructure that the node is in a different position from where it actually is. Internal attackers are those who form part of the system but act maliciously, trying to convince the localisation system that they are in a different position from where they really are. Both types of attacker can also attempt to impersonate other nodes in order to make the positioning system believe that it is locating one node when in fact it is locating another in that position. These attacks usually have as their final goal gaining access to the resources that the impersonated node is authorised for, or putting the blame for certain actions on another device. Similarly, an attacker could pass itself off as the positioning system in an attempt to obtain confidential information from the network nodes. From the point of view of security, the attackers try to determine the position of a particular device, or to track that device, without the proper authorisation. The possibility of tracking individuals opens the door to undesired actions, from the sending of personalised advertising up to and including criminal activities such as theft and kidnapping.
It is important at this point to stress that it is the physical characteristics of the signal that ultimately determine the location of the device, by locating the source of the signal. However, in order to identify the device, additional information that uniquely describes it has to be exchanged at the logical level. In the case of technologies such as Bluetooth and Wi-Fi this information is the MAC address, which is no more than an identifier that corresponds solely to one network interface. This identifier stays the same forever¹, and so is generally used to identify the origin of information packets. The use of MAC addresses in communications makes it possible to discover which elements are communicating with the network without the nodes finding out.
Private and secure tracking scheme with WSN
The basic functionality that one expects from a location service is the position of the user within a map of the building. Users can then share their location with other users who are in the same building or even in another one. One possible way to do this is for each individual to report their position directly to the location server, which keeps an updated database of the location of all registered users of the system.
Ideally, when a user approaches the building, their indoor tracking device starts negotiating with the building so as to establish a relationship of trust between both parties, which in turn allows the user access to the basic tracking services that the building offers. The system can therefore require the user to present certain credentials that identify them as an authorised user of the services offered in the building. When a user is not recognised by the building, it can offer limited access to the tracking services available.
The key to making this scheme work is the tracking of the sensor nodes by the nodes that make up the reference system. This tracking has to be carried out in a way that is secure for both the system and the user. This is where our research comes into play.
Programming platform
In order to demonstrate the viability of our tracking scheme we have designed a proof of concept using the MICAz sensor platform from Crossbow Technology. This type of device permits the creation of a network of low-power sensors, largely thanks to its radio transceiver and microcontroller. The transceiver is a CC2420 from Texas Instruments, which is compatible with IEEE 802.15.4 and Zigbee. It works in the 2.4 GHz frequency band and offers a data transfer rate that can reach 250 Kbps, with a transmission power that ranges between -25 dBm and 0 dBm. The microcontroller is an Atmega128L made by Atmel. This is an 8-bit RISC architecture with a clock speed of up to 8 MHz; powered by two AA batteries (3 volts), the operating frequency is normally reduced to 4 MHz². It also provides a programmable flash memory of 128 KB, a RAM of 4 KB and an external memory of 512 KB intended mainly for the storage of measurements.
The sensor nodes use the TinyOS operating system. TinyOS is an open-source operating system specifically designed for wireless sensor networks. Its component-based architecture makes it easy to add and remove functions while reducing the size of the code, which is a decisive factor in the networks for which it has been designed. Its native functions include network protocols, components for accessing the sensors, mechanisms for communicating through the serial port of a PC so that a node can act as base station, tools to read and write memory, and so on. The programming language used to develop applications is NesC, which is basically an extension of the C language designed to incorporate the structuring concepts and the execution model of TinyOS.
System architecture
The system deployed for the proof of concept is made up principally of two node types: the nodes that the users carry with them, and the nodes that form part of the tracking system, which from now on we will refer to as either anchors or trackers. Both types of node offer the same capabilities, with the exception that the nodes of the positioning system are connected through the serial port to a computer, so that tracking data can be sent to the central server, which maintains a database of the whereabouts of the system's users.
Implementing the control test
The implementation of our scheme is based primarily on four elements, which allow users to be tracked in a non-intrusive way while preserving the privacy of their location, so that they cannot be tracked by outside agents, and while authenticating the communicating parties:
- Sharing of a symmetric key: both the legitimate sensors of the system and the elements of the tracking system share a key, which in the present version is loaded when the system is deployed. This key can be occasionally updated through a key-refresh mechanism.
- ID elimination: the messages transmitted by the nodes in a sensor network are, generally, standard IEEE 802.15.4 messages. These contain a series of fields that serve to identify the nodes that make up the network. To prevent an attacker from listening in to the communication and using it to trace an individual, it is essential to eliminate this information.
- Adjustment of transmission power: limiting the strength of the beacon signals that the trackers emit means that the sensors respond only to signals that come from devices within a limited range.
- Data freshness: it is necessary to guarantee that the generated data is the latest available, in other words that no adversary is capable of producing a new response message from an old beacon and thereby succeeding in impersonating an authentic user. This type of attack is known as a replay attack.
The limitations in computation, energy and storage inherent in the nodes of a sensor network make it difficult to use complex ciphers. For this reason, when research into the security of WSNs began, public-key cryptography was considered too costly to be used in this field, since it needed times in excess of many dozens of seconds to generate keys and verify signatures. This point of view has changed over the last few years thanks to the evolution of elliptic curve cryptography, which has reduced the time needed to just a few seconds. From a performance point of view, however, it is still advisable to use symmetric-key cryptography, because it offers times in the region of microseconds. The main drawback of symmetric-key algorithms is the management of the keys. These considerations led to the choice of the symmetric-key algorithm AES with a block size of 128 bits and a key of the same size. The implementation used was developed within the European project SMEPP and has been adapted for our present needs. Furthermore, to reduce the problem of key distribution, it has been decided that the sensors involved in tracking are preloaded with the AES key before the system is deployed.
It has also been necessary to eliminate from the data packets any information that could be used to identify the nodes. This is an essential requirement because, if each system user always kept the same ID, an external agent could follow their movements. This is one of the principal problems with technologies such as Wi-Fi and Bluetooth, which in the lowest layers of their protocol stacks use link addresses (MAC) that are unique to each device. There are mainly two ways of solving this problem: the first is to use pseudonyms and the second is to use the same ID for all devices. A pseudonym, that is to say an ID that is used instead of the real ID, cannot be static, because it would only be a matter of time before an attacker could track it. The pseudonyms therefore have to be changed occasionally, which requires a synchronisation mechanism between the various devices so that they can still communicate with each other. In the second case, using an ID common to all devices makes them indistinguishable from one another. This does not allow identification at link level, which in turn makes the routing of packets impossible. However, in our scheme there is no need for routing mechanisms, because identification can be done at application level, where the information is properly protected by AES.
In our implementation we have also used a mechanism based on adjusting the transmission power, with the aim of limiting the range of the nodes that form part of the positioning system. By reducing the range of the signals given out by the trackers, only those users that are very near receive the beacons and are able to respond. The response time should also be limited, and the limit is left to the system administrator to decide. The waiting time for responses to a beacon should not be too long, for the following reason: with a long waiting time, a node that is close to the anchor and receives the beacons could repeat this information to another node that is out of range. The remote node in turn responds through the bridging node, so that the anchor believes the remote node is also in its vicinity. Similarly, the transmission power is a parameter left to the system administrator to decide, depending on the requirements of each installation. The nodes used for the proof of concept, which incorporate the CC2420 radio chip, permit various levels of transmission power. TinyOS offers the function CC2420Packet.setPower, which modifies the register that controls the transmission power level for each message individually. In our case we have used a value that gives a transmission range of around 30 centimetres.
In order to guarantee the freshness of the data sent, and so avoid replay attacks, it has been decided that the beacon signals sent by the sensors that make up the tracking system contain data generated by a pseudorandom function. Specifically, each beacon contains a pseudorandom number 32 bits long, which gives a space of values sufficiently large to avoid collisions in the long term. The nodes carried by the users, on receiving a beacon, extract its content and append their serial number, which is unique to each device and is assigned before the system's deployment. Finally, the cipher algorithm is applied to this information and the result is sent back to the anchor, which uses the shared key to decipher it. In the case of a legitimate system user, the random number will match the one the anchor has just sent, and the anchor is able to extract the device's serial number and so identify the user.
Figure 1 shows a small example of a possible exchange of messages between the parts of the tracking system and those using the system. Specifically, a complete tracking sequence is shown, in which the anchor sends a random number in a beacon, which is picked up by Sensor 1 and Sensor 2. These generate the response message and immediately send it to the anchor, which processes it and checks its authenticity. If the responses are found to be authentic, the sensors' serial numbers are sent to the Tracking Server, which stores the information on the whereabouts of each of these sensors. Furthermore, it is worth noting that any user can decide, at any given moment, to disable their own sensor device to avoid being tracked by the system or by other users of the same key. This adds to the privacy of the users, who have control over whether they can be tracked or not.
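The beacon and response exchange described above, as an added example that is not part of the original page or of the authors' NesC implementation; it is written in Go because the Go standard library includes AES. The 16-byte block layout (nonce, serial number, eight zero bytes as a redundancy check), the 32-bit serial number, the sample key and the 5 ms response window are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Anchor (tracker) remembers only the nonce of its last beacon.
type Anchor struct {
	blk    cipher.Block // AES-128 under the preloaded shared key
	nonce  uint32
	window time.Duration // response limit set by the administrator
}

// Beacon draws a fresh 32-bit nonce for the next beacon.
func (a *Anchor) Beacon() uint32 {
	if err := binary.Read(rand.Reader, binary.BigEndian, &a.nonce); err != nil {
		panic(err)
	}
	return a.nonce
}

// Respond is the user's node. Assumed layout: nonce(4) | serial(4) | 8 zero bytes.
func Respond(blk cipher.Block, nonce, serial uint32) []byte {
	buf := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(buf[0:], nonce)
	binary.BigEndian.PutUint32(buf[4:], serial)
	blk.Encrypt(buf, buf)
	return buf
}

// Verify returns the serial if the response is authentic, fresh and on time.
func (a *Anchor) Verify(resp []byte, elapsed time.Duration) (uint32, error) {
	if len(resp) != aes.BlockSize {
		return 0, errors.New("bad length")
	}
	pt := make([]byte, aes.BlockSize)
	a.blk.Decrypt(pt, resp)
	switch {
	case binary.BigEndian.Uint64(pt[8:]) != 0:
		return 0, errors.New("wrong key or corrupted")
	case binary.BigEndian.Uint32(pt) != a.nonce:
		return 0, errors.New("stale nonce (replay)")
	case elapsed > a.window:
		return 0, errors.New("too late (possible relay)")
	}
	return binary.BigEndian.Uint32(pt[4:]), nil
}

func main() {
	blk, _ := aes.NewCipher([]byte("constructed key!")) // 16-byte sample key
	a := &Anchor{blk: blk, window: 5 * time.Millisecond}
	resp := Respond(blk, a.Beacon(), 0x2A)
	fmt.Println(a.Verify(resp, time.Millisecond))
}
```

A response captured for one beacon fails the nonce check against any later beacon, while a response relayed to a distant node is rejected only if the relay delay pushes it past the window.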
Application within the OSAml project
The OSAml-Commons project is endorsed by the Eureka-ITEA2 program and financed at national level by the Plan Avanza. Many leading European companies participate in it together with research centres and universities, with the common objective of developing a base platform for Ambient Intelligence applications. Ambient Intelligence can be seen as an interactive space where people and technology meet in daily life. These technologies identify our presence and are capable of responding to our needs and habits in an invisible and proactive way. However, the user's need for privacy has to be equally protected.
One of the application scenarios of the project, provided by Telefónica, concentrates on location-sensitive multimedia services, in which the multimedia content follows users as they move through the building. This development does not depend on the tracking technology used. To achieve this, the tracking server, which keeps the information on the whereabouts of the users, has been decoupled from the reference systems that capture the position of the user. In this way it is possible to track the same user using different technologies simultaneously.
One of the unresolved problems in the area of tracking-based services, and one which can possibly be solved within OSAml, is to provide a high level of security for the user while fitting in with the latest developments within the project. We can consider this paper a first step in this direction.


