Secure Location Verification and Stabilization Adnan Vora and Mikhail Nesterenko Kent State University r β k acceptance zone

Location Verification problem description have: protected asset ensure: access to asset only if the principal is in correct location applications: wireless network access keyless car starting secure gate opening perimeter protection and friendly force identification, etc. appeal immediate practical benefits non-traditional approach to security effective algorithmic solutions

Outline problem statement basic solution description and properties immediate applications: securing arbitrary zones extensions improving efficiency operating with non-circular signal propagation protecting against directional antennas using random sensor placement stabilization and fault-tolerance

Problem Statement stated informally in[SSW’03] actors (potentially malicious) prover(s) arbitrary protection zone a set of RF-capable verifiers problem specify: placement rules for verifiers prover  verifiers communication protocol so that the verifiers accept the correct prover only if it is inside the protection zone and reject otherwise protocol is secure if a prover anywhere outside protection zone is rejected protection zone verifiers prover assumptions prover authentication not required verifiers are trusted intra-verifier communication is reliable and secure signal propagation is perfectly omni-directional (unit-disk)

Previous Approaches use limited signal propagation speed (e.g. ultrasound) a verifier radios prover prover buzzes back verifier computes roundtrip time and calculates distance limitations uncertainties of two mediums: sound and ether (echos, varying propagation speeds) extra hardware needed: sounders and microphones requires sequential verification (and time synchronization between verifiers) RF prover .01secs=4ft sound verifiers

Outline problem statement basic solution description and properties immediate applications: securing arbitrary zones extensions improving efficiency operating with non-circular signal propagation protecting against directional antennas using random sensor placement stabilization and fault-tolerance

Basic Solution idea use broadcast nature of RF signal propagation specifics separate roles of verifiers acceptor – receives signal from prover inside protection zone rejector – receives signal from outside prover solution communication protocol: prover broadcasts signal to distance x, if no decision – increases distance by x prover is accepted if only acceptors hear from prover, rejected otherwise, informed of decision placement rules: to come x x accepted prover x acceptors rejector rejected prover

Rejection Zone rejection zone – prover (correct or malicious) is never accepted Lemma 1 [VN04] a point on a plane is in rejection zone if it is closer to the nearest rejector than the nearest acceptor Theorem 1 sensor placement is secure iff the rejectors’ Voronoi cells cover the area outside the protection zone rejection zone rejector rejector acceptor Voronoi diagram rejector rejector

Acceptance and Ambiguity Zones rejector rejector acceptance zone – correct prover is always accepted ambiguity zone – prover may (not) be accepted acceptor acceptance zone ambiguity zone rejector rejector x correct prover rejected why ambiguity zone exists malicous prover accepted Lemma 2: a point is in acceptance zone if it is x closer to the nearest acceptor than to the nearest rejector

Securing Polygons protection gap – largest distance from point in rejection zone to nearest point outside protection zone – measures how far rejection zone encroaches upon protection zone protection is complete if protection gap is zero Lemma 3 n-sided convex polygon is completely protected with n+1 verifiers Lemma 4 in this case, if the protection zone contains a circle of radius r, the acceptance zone contains an open disk of radius r-x/2 Theorem 2 An arbitrary n-sided polygonal protection zone can be completely secured with O(n) verifiers rejection zone ambiguity zone acceptance zone x/2 protection zone boundary

Securing Arbitrary Protection Zones ambiguity gap – largest distance from a point in ambiguity zone to nearest point outside protection zone Theorem 3 the number of verifiers required to secure an arbitrary-shaped protection zone of area S and perimeter P with constant ambiguity gap is in O(P+S) Proof outline: divide protection zone in squares with constant side t (number of such squares is in O(P+S)) , protect each square individually with 5 verifiers t acceptance zone x

Outline problem statement basic solution description and properties immediate applications: securing arbitrary zones extensions improving efficiency operating with non-circular signal propagation protecting against directional antennas using random sensor placement stabilization and fault-tolerance

Protecting against Directional Antennas assumption: fixed beamwidth β Theorem 5 an arbitrary shaped protection zone can be secured against malicious provers using O(r) verifiers where r is radius of inscribed circle proof outline: idea – place rejectors such that if acceptor is reached so is rejector inscribe circle with radius r place rejectors on circumference of co-centric circle of radius r-k, where k – constant, space rejectors 2k tan(β/2) apart place acceptor in the middle,  condition satisfied rejectors protection zone acceptance zone acceptor k r β 2k tan(β/2) malicious prover

Logarithmic Verification Time basic algorithm: number of verification attempts is d/x where d – protection zone diameter with more acceptors can be made logarithmic add acceptor placement rule: for every point in the acceptance zone, there exists integer i≥0, such that there are no rejectors closer to this point than x2i+1 and at least one acceptor between x2i and x2i+1 modify protocol: prover doubles its signal strength every verification attempt Theorem 5 modified protocol is correct and the maximum number of broadcasts is in O(logd)

Shrinking Ambiguity Zone basic algorithm: ambiguity zone size is proportional to x can be made arbitrarily small with additional verification attempts recall: ambiguity zone is due to discrete signal increments idea: tune signal strength if rejected modified protocol: if prover is rejected and the last signal increment is z, the prover decreases the signal strength by z/2 and rebroadcasts; if no decision, the prover increases the signal stregth by z/2 and rebroadcasts; process continues until prover accepted Theorem 6 the modified protocol is correct and the number of extra broadcast attempts is proportional log(b-a) prover a x/4 … b rejected no decision accepted

Complex Signal Propagation basic signal propagation model: unit-disk complex (more realistic) model: a ring of possible signal reception zone delineation for complex model: Lemma 6: a point is in rejection zone if it is at least y closer to nearest rejector than acceptor Lemma 7: a point is in acceptance zone if it is at least x+y closer to nearest acceptor than rejector results similar to basic model apply signal reception prover r definite never basic model prover r y definite possible never complex model

Random Verifier Placement modified problem verifiers are not aware of their location they are informed if they are inside or outside protection zone classification an outside verifier is rejector a verifier whose Voronoi neighbor is outside is rejector rest are acceptors Theorem 7 verification protocol with random placement of verifiers solves location verification problem border of protection zone rejectors boundary acceptance+ ambiguity zones

Implementation of Random Placement rejectors boundary acceptors outside verifiers inside verifers in practice radio neighborhood can be used to approximate Voronoi neighborhood need to ensure appropriate verifier density on the border of protection zone placement procedure verifiers have read-only bit signifying inside/outside placement classification procedure if verifier or its neighbors have outside bit set – verifier is rejector, acceptor otherwise

Outline problem statement basic solution description and properties immediate applications: securing arbitrary zones extensions improving efficiency operating with non-circular signal propagation protecting against directional antennas using random sensor placement stabilization and fault-tolerance

Stabilization of Random Placement observe: classification decision is local – depends only on neighborhood topology  very robust state correction – each verifier periodically checks the inside/outside bits of the neighbors and reevaluates its classification  global state stabilizes fault-contains adaptively in constant time/space/energy corrupt state

Other Extensions and Further Info distributed decision making – an acceptor only needs to contact neighboring rejectors fault-tolerant rejector sets – redundant rejector sets independently covering rejection zone provide extra security and fault-tolerance guarantees limited power provers – can be serviced with appropriately dense acceptor location details: A. Vora, M. Nesterenko "Secure Location Verification Using Radio Broadcast”, Techreport TR-KSU-CS-2004-01, http://www.cs.kent.edu/~mikhail/Research/tr-ksu-cs-2004-01.pdf