Security and privacy in location-based . . .

OF THE DISSERTATION Security and Privacy in Location-Based Mobile Ad-Hoc Networks By Karim El Defrawy Doctor of Philosophy in Networked Systems University of California, Irvine, 2010 Professor Gene Tsudik, Chair In the last two decades, research in various aspects of mobile ad-hoc networks, MANETs, has been very active, motivated mainly by military, disaster relief and law enforcement scenarios. More recently, location information has become increasingly available; partially prompted by the emerging trend to incorporate locationsensing into personal handheld devices. An evolutionary natural step is to adopt such location-based operation in MANETs. This results in what we call location-based MANETs. In such settings, devices are equipped with location-sensing capabilities and rely on location information in their operation. The main distinguishing feature of the envisaged location-based MANET environment is the communication paradigm based not on permanent or semi-permanent identities, addresses or pseudonyms, but on instantaneous node locations. In some application settings, such as: military, law enforcement and search-and-rescue, node identities are not nearly as important as node locations. Such settings have certain characteristics in common. First, node location is very important: knowledge of the physical, as opposed to logical or relative topology, makes it possible to avoid wasteful communication and focus on nodes located within a specific area. Thus, the emphasis is not on the long-term node identity, but rather on current node location. Second, critical environments face security and privacy attacks. Security attacks aim to distribute false location and networkxvi ing control information, e.g., routing control messages, or impede the propagation of genuine information. The goal of privacy attacks is to track nodes as they move. Third, when the operating environment is hostile, as is the case in military and law enforcement settings, node identities must not be revealed. We use the term “hostile” to mean that communication is being monitored by adversarial entities that are not part of the MANET. The need to hide node identities becomes more pressing if we further assume that MANET nodes do not trust each other, due to a suspicious environment where nodes can be compromised. In such an environment, it is natural for node movements to be obscured, such that tracking a given node is impossible or, at least, very difficult. While we do not claim that such suspicious and hostile location-based MANET environments are commonplace, they do occur and require high security and privacy guarantees. The work in this thesis addresses a number of security and privacy issues arising in location-based MANETs. We describe in detail the envisioned model for such networks, the security and privacy requirements and goals, different adversary and attack models. We address the problem of secure privacy-preserving routing in locationbased MANETs. We design and evaluate two secure privacy-preserving locationbased routing protocols. Both protocols provide a mix of security and privacy features, including: node authentication, data integrity, anonymity and untraceability (tracking-resistance). In addition, we define and address the problem of secure distance verification in group settings – group distance bounding (GDB). GDB is a fundamental building block for secure operation of wireless networks, not just of location-based MANETs. We design and analyze a family of secure and efficient protocols for several flavors of the problem.