Network Working Group                                          M. Danley
Request for Comments: 3694                                   D. Mulligan
Category: Informational Samuelson Law, Technology & Public Policy Clinic
                                                               J. Morris
                                       Center for Democracy & Technology
                                                             J. Peterson
                                                                 NeuStar
                                                           February 2004

Threat Analysis of the Geopriv Protocol

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This document provides some analysis of threats against the Geopriv protocol architecture. It focuses on protocol threats, threats that result from the storage of data by entities in the architecture, and threats posed by the abuse of information yielded by Geopriv. Some security properties that meet these threats are enumerated as a reference for Geopriv requirements.

Table of Contents

   1.  Introduction
   2.  Habitat of the Geopriv Protocol
   3.  Motivations of Attackers of Geopriv
   4.  Representative Attacks on Geopriv
       4.1.  Protocol Attacks
             4.1.1.  Eavesdropping and/or Interception
             4.1.2.  Identity Spoofing
             4.1.3.  Information Gathering
             4.1.4.  Denial of Service
       4.2.  Host Attacks
             4.2.1.  Data Stored at Servers
             4.2.2.  Data Stored in Devices
             4.2.3.  Data Stored with the Viewer
             4.2.4.  Information Contained in Rules
       4.3.  Usage Attacks
             4.3.1.  Threats Posed by Overcollection
   5.  Countermeasures for Usage Violations
       5.1.  Fair Information Practices
   6.  Security Properties of the Geopriv Protocol
       6.1.  Rules as Countermeasures
             6.1.1.  Rule Maker Should Define Rules
             6.1.2.  Geopriv Should Have Default Rules
             6.1.3.  Location Recipient Should Not Be Aware of All Rules
             6.1.4.  Certain Rules Should Travel With the LO
       6.2.  Protection of Identities
             6.2.1.  Short-Lived Identifiers May Protect Target's Identity
             6.2.2.  Unlinked Pseudonyms May Protect the Location Recipients' Identity
       6.3.  Security During Transmission of Data
             6.3.1.  Rules May Disallow a Certain Frequency of Requests
             6.3.2.  Mutual End-Point Authentication
             6.3.3.  Data Object Integrity & Confidentiality
             6.3.4.  Replay Protection
   7.  Security Considerations
   8.  IANA Considerations
   9.  Informative References
   10. Authors' Addresses
   11. Full Copyright Statement
1. Introduction

The proliferation of location-based services that integrate tracking and navigation capabilities gives rise to significant privacy and security concerns. Such services allow users to identify their own location as well as determine the location of others. In certain peer-to-peer exchanges, device identification takes place automatically within a defined location perimeter, informing peer devices of a given user's identity and availability. Additionally, records of location exchanges can reveal significant information about the habits, whereabouts, and associations of individual users.

The Geopriv requirements allow the Location Object (LO) to support a wide variety of uses of Location Information (LI); the Geopriv object itself is intended to be technology-neutral, allowing a wide variety of devices to provide LI in the form of an LO. Geopriv also requires that many classes of Viewers be capable of requesting LI from a Location Server. The Geopriv requirements account for circumstances in which the Target has a contractual relationship with the entities that transmit and receive LI and those in which no contract exists. Requiring the Geopriv object to support any technology, Target-Viewer relationship, or underlying legal framework governing LI complicates the protection of privacy and the security of LI.

This document analyzes threats to LI in transmission and storage. The possibility that the LI will be compromised by these threats varies depending on the circumstances. A server selling location information to potential marketers poses a distinctly lower risk than an outside individual intercepting a Target's present location to commit a physical attack. It is important that these threats are considered as we work towards defining the LO.

Some of the threats discussed in this document may be outside the scope of the Geopriv charter, e.g., threats arising from failure to meet contractual obligations. Nevertheless, a comprehensive discussion of threats is necessary to identify desirable security properties and counter-measures that will improve the security of the LO, and thereby better protect LI.

2. Habitat of the Geopriv Protocol

The Geopriv architecture will be deployed in the open Internet - in a security environment in which potential attackers can inspect packets on the wire, spoof Internet addresses, and launch large-scale denial-of-service attacks. In some architectures, portions of Geopriv traffic (especially traffic between the Location Generator and an initial Location Server) may occur over managed networks that do not interface with the public Internet.

The protocol itself assumes interaction between a number of logical roles, many of which will commonly be implemented in distributed network devices (for a full list of Geopriv roles and entities with definitions, see [1]). The endpoints of the common Geopriv transactions are the Location Generator (the source of location information from the perspective of the network) and the Location Recipient. Both a Location Generator and a Location Recipient may have a relationship with a Location Server; the Location Generator publishes data to a Location Server (which may provide a grooming/filtration function for location information), and the Location Recipient requests and/or receives information from the Location Server. This provides two points where Geopriv information could require protection across the wire. Rules can also be passed over the network from a Rule Holder to a Location Server; this provides another point where the architecture requires security.

It is important to note that Location Generators and Location Recipients may be implemented on low-cost devices for which strong cryptographic security is currently prohibitively expensive computationally.

3. Motivations of Attackers of Geopriv

The most obvious motivation for an attacker of Geopriv is to learn the location of a subject who wishes to keep their position private, or even for authorized Viewers to ascertain location information with a greater degree of precision than the Rule Maker desires. However, there are several other potential motivations that cause concern. Attackers might also wish to prevent a Target's location from being distributed, or to modify or corrupt location information in order to misrepresent the location of the Target, or to redirect the Target's location information to a third party that is not authorized to know this information. Attackers may want to identify the associates of a Target, or learn the habit or routines of a Target. Attackers might want to learn the identity of all of the parties that are in a certain location. Finally, some attackers may simply want to halt the operation of an entire Geopriv system through denial-of-service attacks.

There is also a class of attackers who may be authorized as legitimate participants in a Geopriv protocol exchange but who abuse location information. This includes the distribution or accumulation of location information outside the parameters of agreements between the principals, possibly for commercial purposes or as an act of unlawful surveillance.

4. Representative Attacks on Geopriv
4.1. Protocol Attacks
4.1.1. Eavesdropping and/or Interception

Imagine a location-based computer game, based on traditional hide-and-seek, in which a centralized server provides hints as to the location of the 'hider' to a set of 'seekers'. Seekers are given access to very coarse location data, whereas a single referee is given access to unfiltered and precise location information of the hider. Each seeker has a wireless device (in the Geopriv architecture, a Location Recipient) that feeds them coarse positioning data from the Location Server. The hider carries a device (a Location Generator employing GPS) that transmits location information to the Location Server.

If one of the seekers wished to cheat by attacking the Geopriv protocol, there are a number of ways they could mount such an attack in order to learn the precise location of the hider. They might eavesdrop on one of two network connections - either the connection between the Location Generator and the Location Server, or the connection between the Location Server and the referee's Location Recipient (which receives precise information). They might also attempt to impersonate the referee to the Location Server, in order to receive unfiltered Location Information. Alternatively, they could impersonate the Location Server to the Location Generator carried by the hider, which would also give them access to precise location information. Finally, the cheater could attempt to act as the Rule Maker and, by providing Rules to the Location Server, grant the cheater's Location Recipient access to uncoarsened location information.

From these threats, we can derive a need for several security properties of the architecture.

o Confidentiality is required on both the connection between the Location Generator and the Location Server, as well as the connection between the Location Server and any given Location Recipient.

o Location Servers must be capable of authenticating and authorizing Location Recipients to prevent impersonation.

o Similarly, Location Generators must be capable of authenticating and authorizing Location Servers in order to prevent impersonation.

o Finally, the Location Server must be able to authenticate Rule Makers, to make sure that unauthorized parties cannot change rules.

4.1.2. Identity Spoofing

Consider a case in which the same boss employs two rivals. One goes on a business trip to Cleveland. Both rivals carry devices that are tracked by a Location Generator (such as cell phones which the cell carrier can triangulate), and both rivals allow their boss access to their (coarse) location information. The rival that remained home wants to hack the Geopriv protocol to make it appear that the traveling rival is actually goofing off in South Beach rather than attending a dull technology conference in Cleveland. How would such an attack be mounted?

The attacker might attempt to spoof network traffic from the Location Generator to the Location Server (especially if, through some other means such as a denial-of-service attack, the Location Generator became unable to issue its own reports). The goal of the attacker may be to provide falsified location information appropriate for someone in Miami, or perhaps even to replay a genuine location object from a previous visit of the rival to Miami. The attacker might also try to spoof traffic from the Location Server to the boss's Location Recipient.

From these threats we can derive a need for several security properties of the architecture.

o There is a need for the Location Server to authenticate Location Generators.

o Location Recipients must be capable of authenticating Location Servers.

o Location information must be protected from replay attacks.

Identity spoofing may create additional threats when the protocol is attacked. In many circumstances, the identity of the Viewer is the basis for controlling whether LI is revealed and, if so, how that LI is filtered. If the identity of that entity is compromised, privacy is threatened. Anyone inside or outside the transaction that is capable of impersonating an authorized entity can gain access to confidential information, or initiate false transmissions in the authorized entity's name. The ability to spoof the identity of the Location Recipient, for example, would create the risk of an unauthorized entity accessing both the identity and the location of the Target at the moment the LO was sent.

4.1.3. Information Gathering

Eavesdropping and interception can also create traffic analysis threats as the interceptor collects more data over time. Traffic analysis threats are leveraged by an eavesdropper to determine, from the very fact of a network transmission, the relationship between the various entities involved. If an employer sends the location of an employee to a customer, an eavesdropper could determine that these three entities are somehow interacting with one another. If eavesdropping continues over time, the collection of interactions would involve the employer, employees, and all of their customers. Such a log of information would reveal that the employer and employee frequently were associated with one another, and would reveal which clients more frequently dealt with the pair. Thus, the traffic analysis threat creates the risk of eavesdroppers determining the Target's associates.

Traffic analysis might also allow an eavesdropper to ascertain the identity or characteristics of targets in a particular location. By observing transmissions between Location Generators in a particular location and Location Servers (perhaps by eavesdropping on a wireless or wireline LAN scoped to the location in question), and then possibly following the data to various Location Recipients, an attacker may be able to learn the associates, including the employer, of targets in that location, and perhaps to extrapolate further identity information.

If the eavesdropper is able to intercept not only an encrypted LO, but the plaintext LI itself, other threats are raised. Let's return to the above example of the employer requesting an employee's location information. In this instance, the interception of one such past transaction may reveal the identities and/or locations of all three parties involved, in addition to revealing their association. In circumstances where there is a log of this data, however, analysis could reveal any regular route that the employee may travel in visiting customers, a general area that the employee works in, the identities and location of the employee's entire customer base, and information about how the entities relate.

Threats based on traffic analysis are difficult to meet with protocol security measures, but they are important to note.

From these threats we can derive a need for several security properties of the architecture.

o The Rule Maker must be able to define Rules regarding the use of their LI.

o The connection between the Location Generator and Location Server, as well as the connection between the Location Server and Location Recipient must remain confidential.

o Location Servers must be capable of authenticating Location Recipients to prevent impersonation.

o Location Servers must be able to authenticate Rule Makers to ensure that unauthorized entities cannot change rules.

4.1.4. Denial of Service

Parties who wish to deprive entire networks of Geopriv service, rather than just targeting particular users, would probably focus their efforts on the Location Server. Since in many scenarios the Location Server plays the central role of managing access to location information for many devices, it is in such architectures a natural single point of failure.

The Geopriv protocol appears to have some opportunities for amplification attacks. When the Location Generator publishes location information, the Location Server acts as an exploder, potentially delivering this information to numerous targets. If the Location Generator were to provide very rapid updates of position (as many as link speed could accommodate, especially in high-bandwidth wireless environments), then were the Location Server to proxy information to Seekers at a similar rate, this could become problematic when large numbers of Seekers are tracking the same user.

Also note that most operations associated with the Location Server probably require cryptographic authentication. Cryptographic operations entail a computational expense on the part of the Location Server. This could provide an attractive means for attackers to flood the Location Server with dummied Geopriv information that is spoofed to appear to come from a Location Generator, Location Recipient, or the Rule Maker. Because the Location Server has to expend resources to verify credentials presented by these Geopriv messages, floods of Geopriv information could have greater impact than denial-of-service attacks based on generic packet flooding.

From these threats we can derive a need for several security properties of the architecture.

o Location Servers must use stateless authentication challenges and similar measures to ensure that authentication attempts will not unnecessarily consume system resources.

o The Rule Maker must be able to provision policies that limit the rate at which Location Information is sent to prevent amplification attacks.

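As an added illustration (not code from RFC 3694 or from any Geopriv implementation), the following Python sketch of a Location Server enforces the properties derived in Sections 4.1.1, 4.1.4 and 4.3.1 together: Rules are accepted only from the Target's Rule Maker, seekers receive coarsened LI while the referee receives unfiltered LI, a recipient with no Rule receives nothing by default, and each recipient is rate-limited per the Rule Maker's policy to blunt amplification. The class and function names, the rule fields and the coordinates are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Rule:
    """Rule Maker policy for one Location Recipient of one Target (constructed schema)."""
    decimals: Optional[int]   # lat/lon digits the recipient may see; None = unfiltered
    min_interval_s: float     # minimum seconds between LOs delivered to this recipient


@dataclass
class LocationObject:
    target: str
    lat: float
    lon: float
    timestamp: float          # seconds, as published by the Location Generator


@dataclass
class LocationServer:
    # rules[target][recipient] -> Rule; written only by the Target's Rule Maker
    rules: Dict[str, Dict[str, Rule]] = field(default_factory=dict)
    # last delivery time per (target, recipient), used for the rate limit
    last_sent: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def set_rule(self, rule_maker: str, target: str, recipient: str, rule: Rule) -> None:
        # Assumption: the Rule Maker was authenticated upstream and is identified by the
        # Target's own name; anyone else is refused (4.1.1: unauthorized parties must not
        # be able to change rules).
        if rule_maker != target:
            raise PermissionError(f"{rule_maker} may not set rules for {target}")
        self.rules.setdefault(target, {})[recipient] = rule

    @staticmethod
    def coarsen(lo: LocationObject, decimals: Optional[int]) -> Tuple[float, float]:
        if decimals is None:
            return lo.lat, lo.lon
        # Rounding to a grid maps many true positions onto one published value, unlike a
        # fixed offset (4.2.4), which anyone who learns the Rule can simply undo.
        return round(lo.lat, decimals), round(lo.lon, decimals)

    def deliver(self, lo: LocationObject, recipient: str) -> Optional[Tuple[float, float]]:
        rule = self.rules.get(lo.target, {}).get(recipient)
        if rule is None:
            return None   # default rule: no Rule means no disclosure (4.3.1)
        key = (lo.target, recipient)
        last = self.last_sent.get(key)
        if last is not None and lo.timestamp - last < rule.min_interval_s:
            return None   # suppressed by the Rule Maker's rate limit (4.1.4)
        self.last_sent[key] = lo.timestamp
        return self.coarsen(lo, rule.decimals)


def hide_and_seek_demo() -> dict:
    """Constructed scenario from 4.1.1: seekers get coarse LI, the referee gets precise LI."""
    ls = LocationServer()
    ls.set_rule("hider", "hider", "seeker1", Rule(decimals=1, min_interval_s=30.0))
    ls.set_rule("hider", "hider", "referee", Rule(decimals=None, min_interval_s=1.0))
    # constructed sample coordinates; timestamps are seconds
    lo1 = LocationObject("hider", 37.7749, -122.4194, timestamp=100.0)
    lo2 = LocationObject("hider", 37.7751, -122.4190, timestamp=105.0)
    return {
        "seeker_first": ls.deliver(lo1, "seeker1"),
        "seeker_too_soon": ls.deliver(lo2, "seeker1"),   # 5 s later, limit is 30 s: dropped
        "referee_first": ls.deliver(lo1, "referee"),
        "referee_second": ls.deliver(lo2, "referee"),
        "stranger": ls.deliver(lo1, "cheater"),          # no Rule for this recipient
    }


if __name__ == "__main__":
    for name, value in hide_and_seek_demo().items():
        print(f"{name}: {value}")
```

Authentication of the Location Generator, Location Recipient and Rule Maker (Sections 4.1.1 and 4.1.2) is assumed to happen before these calls and is not modelled here.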

4.2. Host Attacks
4.2.1. Data Stored at Servers

LI maintained at a server is subject to many potential risks. First, there may be accidental misuse of LI by the server. Whether by negligence, carelessness, or lack of knowledge, the server may accidentally release LI to the wrong Location Recipients, or fail to properly filter the LI that is sent out. Second, the server may intentionally misuse LI. A server may decide to sell a "profile" it has compiled of a Target or Location Recipient despite provisions to the contrary in the Rule Maker's Rule. Alternatively, an individual working for the server may, for personal gain, misuse access to the server to obtain LI. Third, even with the most secure and trusted server, there is the risk that someone outside the system will hack into it in order to retrieve LI. Last, there is always the potential that someone would use the legal system to subpoena an individual's records from a Server. Such a process would likely result in the revelation of the Target's location information without notice to the Target or the Target's consent.

Data stored at the server may reveal the Target's present location if the data is used or intercepted at or near the moment of transmission. If a Target requests a map from their present location to a nearby store, and the Location Server sends that information to the wrong Location Recipient, the Viewer could know the identity of the Target, the Target's current location, and the location where the Target might be headed.

Data stored at the Location Server can also create many of the traffic analysis threats discussed in Section 4.1 above. If access is gained not only to the fact of the LO transmission, but also to the LI transmitted, anyone with access to that information can put together a history of where that Target has been, for how long, and with whom.

4.2.2. Data Stored in Devices

Because Geopriv is required to work with any given type of technology or Device, it is difficult to determine the particular threat potential of individual devices. For example, any device that maintains a log of location requests sent, or LOs received, would pose a similar threat to the information maintained at a Location Server, discussed above. A court subpoena or warrant for an individual's device could additionally reveal a similar log.

Additionally, depending on the device, there is always the potential for data to be compromised in some way. For a Device with a screen, there is always the potential that another individual will have the opportunity to view the Device display without the user's knowledge. A Device that provides verbal feedback (e.g., to give directions to the blind) creates additional potential for LI to be compromised. If the Target/Viewer is sitting in a public place and requests directions from the Target's home to another location, anyone who can hear the Device output may be able to determine the Target's identity, their residence, and possibly the location to which they are headed.

In addition, if the device retained location information and the Device were lost or stolen, someone other than the Rule Maker could potentially access information regarding who LI was sent to and when, as well as potentially the location of the Target during each transaction. Such information could enable an entity to determine significant private information based on who the owner of the Device has associated with in the past, as well as each location where the Target has been and for how long.

4.2.3. Data Stored with the Viewer

The threats posed here are similar to those discussed above in relation to Location Servers and Devices. The main purpose of separating out threats posed by data stored at the Viewer is to show that, depending on the complexity of the transaction and the other entities involved, data storage at various points in the transaction can give rise to the same types of privacy risks.

4.2.4. Information Contained in Rules

In many instances, the Rules a Rule Maker creates will reveal information either about the Rule Maker or the Target. A rule that degrades all information sent out by approximately 25 miles might tell an interceptor how to determine the Target's true location. A Rule that states, "Tell my boss what room I'm in when I'm in the building, but when I'm outside the building between 9 a.m. and 5 p.m. tell him I'm in the building," would reveal a lot more information than most employees would desire. A boss acting as the Location Recipient who received LI specifying "in the building" would then realize that the employee was elsewhere.

In addition, if an entity had access to a log of data at the Location Server or at a Device, knowledge of the content of Rules would enable a sort of "decoding" of the location information of the device to something more accurate. Thus, my boss could not only tell where I am at this minute, but could tell how many times over the last year I had been outside the building between 9 a.m. and 5 p.m.

The Rules themselves may also reveal information about the Target. A rule such as the one above would clearly reveal the employment relationship between the two individuals, as well as the fact that the employee was hiding something from the employer.

In combination with other information, the location information may enable the identification of the Target.

4.3. Usage Attacks

4.3.1. Threats Posed by Overcollection

Weak or absent default privacy rules would also compromise LI. Without default Rules for LOs, it is likely that a large number of Devices would reveal LI by default. Privacy rules should control the collection, use, disclosure, and retention of Location Information. These rules must comply with fair information practices - these practices are further discussed in Section 5.1.

While technically savvy Device users may create privacy rules to protect their LI, many individuals will lack the skill or motivation to do so. Thus, left to their own devices, many individuals would likely end up without privacy rules for their LI. This in turn would leave these users' LI entirely vulnerable to various attacks. Default rules are necessary to address this problem.

Without default rules, for example, a device might signal out to anyone nearby at regular intervals, respond to anyone nearby who queried it, or send signals out to unknown entities.

The lack of a default rule of "Do not re-distribute" would allow the Location Server to pass the Target's location information on to others. Lack of a default rule limiting the retention of LI could increase the risk posed by inappropriate use of, and access to, stored data.

While defining default privacy rules is beyond the scope of this document, default rules are necessary to limit the privacy risks posed by the use of services and devices using LI.

5. Countermeasures for Usage Violations

5.1. Fair Information Practices

Principles of fair information practices require entities that handle personal information to meet certain obligations with respect to its collection, use, maintenance and security, and give individuals whose personal information is collected certain due process-like rights in the handling of their information. Fair information practices are designed to prevent specific threats posed by the collection of personal information about individuals. For this reason, fair information practices are "countermeasures" that should be reflected in technical systems that handle personal information and the Rules that govern their use. A brief discussion of fair information practices may be beneficial in formulating requirements for the LO.

There are seven main principles of fair information practices:

1. Openness: The existence of a record-keeping system for personal information must be known, along with a description of the main purpose and uses of the data. Thus, any entity that collects LI should inform individuals that this information is being collected and inform them about what the LI is being used for. Openness is designed to prevent the creation of secret systems.

2. Individual Participation: Individuals should have a right to view all information collected about them, and to be able to correct or remove data that is not timely, accurate, relevant, or complete. The practice of individual participation acknowledges that sometimes information that is collected may be inaccurate or inappropriate.

3. Collection Limitation: Data should be collected by lawful and fair means and should be collected, where appropriate, with the knowledge or consent of the subject. Data collection should be minimized to that which is necessary to support the transaction. Placing limits on collection helps protect individuals from the dangers of overcollection - both in terms of collecting too much information, or of collecting information for too long of a time period.

4. Data Quality: Personal data should be relevant to the purposes for which it is collected and used; personal information should be accurate, complete, and timely. The requirement of data quality is designed to prevent particular kinds of harms that can flow from the use (appropriate or inappropriate) of personal information.

5. Finality: There should be limits to the use and disclosure of personal data: data should be used only for purposes specified at the time of collection; data should not be otherwise used or disclosed without the consent of the data subject or other legal authority. A consumer who provides LI to a business in order to receive directions, for example, does not provide that information for any other purpose. The business should then only use that LI to provide directions, and not for other purposes.

6. Security: Personal Data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure. While some security measures may take place outside of the LO (i.e., limiting employee access to Location Servers), other measures may be done through the LO or LO applications.

7. Accountability: Record keepers should be accountable for complying with fair information practices. It will typically be easier for an individual to enforce these practices if they are explicitly written - either in the Rules written by the Rule Maker, or in contracts between the individual and a trusted entity.

6. Security Properties of the Geopriv Protocol

The countermeasures suggested below reflect the threats discussed in this document. There is thus some overlap between the proposed security properties listed below, and the requirements in [1].

6.1. Rules as Countermeasures

The sections below are designed to illustrate that in many instances threats to LI can be limited through clear, unavoidable rules determined by Rule Makers.

6.1.1. Rule Maker Should Define Rules

The Rule Maker for a given Device will generally be either the user of, or owner of, the Device. In certain circumstances, the Rule Maker may be both of these entities. Depending on the device, the Rule Maker may or may not be the individual most closely aligned with the Target. For instance, a child carrying a cell phone may be the Target, but the parent of that child would likely be the Rule Maker for the Device. Giving the Rule Maker control is a potential opportunity to buttress the consent component of the collection limitation and finality principles discussed above.

6.1.2. Geopriv Should Have Default Rules

Because some Rule Makers may not be informed about the role Rules play in the disclosure of their LI, Geopriv should include default Rules. The Rule Maker is, of course, always free to change his or her Rules to provide more or less protection. To protect privacy and physical safety, default Rules should, at a minimum, limit disclosure and retention of LI.

Default Rules are also necessary for so-called "dumb" Location Generators (LG). If a LG is unable to determine the Rules set by the Rule Maker before publishing the LO onto a Location Server, it is important that some default Rules protect that LO in transit, and ensure that the LO is eventually only sent to authorized Location Recipients. These default LG Rules would help prevent many of the threats discussed in this document. The Rule Maker should be able to determine the content of these default Rules at any time.

6.1.3. Location Recipient Should Not Be Aware of All Rules

A Viewer should not be aware of the full Rules defined by the Rule Maker. The Viewer will only need to be aware of those Rules it must obey (i.e., those regarding its use and retention of the LI). Other Rules, such as those specifying the accuracy or filtering of the LI, or rules that do not cover the given interaction should not be revealed to the Viewer. This countermeasure is consistent with the minimization component of the collection limitation principle and ensures that the Rule Maker reveals only what he intends to reveal.

6.1.4. Certain Rules Should Travel With the LO

Security of LI at the device level is a bit complicated, as the Rule Maker has no real control over what is done with the LI once it arrives at the Location Recipient. If certain Rules travel with the LO, the Rule Maker can encourage Viewer compliance with its Rules. Potentially, a Rule could travel with the LO indicating when it was time to purge the data, preventing the compilation of a "log" of the Target's LI on any Device involved in the transmission of the LO. Allowing Rules to travel with the LO has the potential to limit the opportunity for traffic analysis attacks.

6.2. Protection of Identities

Identities are an extremely important component of the LO. While, in many instances, some form of identification of the Target, Rule Maker, and Viewer will be necessary for authentication, there are various methods to separate these authentication "credentials" from the true identity of these devices. These countermeasures are particularly useful in that compromise of a log of LI, whatever its source, is less threatening to privacy when the Target's identity is stripped.

6.2.1. Short-Lived Identifiers May Protect Target's Identity

Short-Lived identifiers would allow the using protocol to hide the true identity of the Rule Maker and the Target from Location Servers or Location Recipients. These identifiers would still allow authentication, ensuring that only appropriate Location Recipients received the LO. At the same time, however, making these identifiers short-lived helps prevent any association of a true identity of a Target with particular habits and associates.

6.2.2. Unlinked Pseudonyms May Protect the Location Recipients' Identity

Unlinked pseudonyms would protect the identity of the Location Recipients in much the same manner as short-lived identifiers would protect the Target's identity. When using both, any record that a Location Server had of a transaction would have two "credentials" associated with an LI transmission: one linked to the Target and one linked to the Location Recipient. These credentials would allow the Location Server to authenticate the transmission without ever acquiring knowledge of the true identities of the individuals associated with each side of the transaction.
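Sections 6.2.1 and 6.2.2 describe short-lived identifiers and unlinked pseudonyms without fixing how they are derived. The following Python block is an added illustration and not RFC 3694's own mechanism: it derives both kinds of credential from an HMAC under a secret held by the Rule Maker (an assumption; Geopriv leaves derivation to the using protocol), installs a per-epoch Rule at a Location Server that names only those derived credentials, and shows that the server's transaction log authenticates Location Recipients without ever containing a true identity, and that entries for one Target from different epochs cannot be joined. The identities, the secret and the epoch length are constructed values.

```python
import hashlib
import hmac

# Constructed values (not from the RFC).  The secret is held by the Rule
# Maker's side of the using protocol; deriving identifiers with an HMAC is
# an assumption of this example, since Geopriv leaves it to the using protocol.
EPOCH_SECONDS = 24 * 3600          # lifetime of a short-lived identifier
SECRET = b"constructed-rule-maker-secret"


def epoch_of(timestamp):
    return int(timestamp) // EPOCH_SECONDS


def short_lived_identifier(secret, true_identity, timestamp):
    """Section 6.2.1: identifier for a Target that changes every epoch.

    Without `secret`, the values for two epochs cannot be linked to each
    other or to `true_identity`, so a leaked log spans at most one epoch
    of one Target's habits.
    """
    msg = f"{true_identity}|{epoch_of(timestamp)}".encode()
    return "slid-" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def unlinked_pseudonym(secret, recipient_identity, target_identity):
    """Section 6.2.2: pseudonym for a Location Recipient.

    Keyed on the (recipient, target) pair, so the same Recipient shows up
    under unrelated pseudonyms in different Targets' transactions.
    """
    msg = f"{recipient_identity}|{target_identity}".encode()
    return "pseudo-" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def rule_for_epoch(secret, target_identity, recipient_identities, timestamp):
    """Rule Maker builds the Rule the Location Server will see: only derived
    credentials, valid for one epoch, naming which pseudonyms may receive LI."""
    return {
        "target": short_lived_identifier(secret, target_identity, timestamp),
        "epoch": epoch_of(timestamp),
        "recipients": {unlinked_pseudonym(secret, r, target_identity)
                       for r in recipient_identities},
    }


class LocationServer:
    """Holds Rules and a transaction log; never learns a true identity."""

    def __init__(self):
        self.rules = {}   # (target_slid, epoch) -> set of recipient pseudonyms
        self.log = []     # (target_slid, recipient_pseudonym, timestamp)

    def install_rule(self, rule):
        self.rules[(rule["target"], rule["epoch"])] = set(rule["recipients"])

    def request(self, target_slid, recipient_pseudonym, timestamp):
        """Authenticate the request purely on derived credentials."""
        allowed = self.rules.get((target_slid, epoch_of(timestamp)), set())
        granted = recipient_pseudonym in allowed
        if granted:
            self.log.append((target_slid, recipient_pseudonym, timestamp))
        return granted

    def distinct_targets_in_log(self):
        """What a log thief can count: identifiers, not people."""
        return {entry[0] for entry in self.log}
```

The Rule Maker must install a fresh Rule for every epoch, which is the cost of the unlinkability: a Rule naming yesterday's identifier is simply not matched today, so a stolen Location Server log of several days shows several unrelated Targets rather than one person's movements.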

6.3. Security During Transmission of Data

The attacks described in this document motivate the following security properties for the connections between the Location Generator and Location Server, the Location Server and Rule Maker, and the Location Server and Location Recipient:

6.3.1. Rules May Disallow a Certain Frequency of Requests

The Rule Maker might be able to set a Rule that disallows more than a certain number of requests within a specific period of time. This type of arrangement would allow the Rule Maker to make it harder, though not impossible, for attackers to detect patterns in randomly coarsened data. For example, for an "untrusted" Location Recipient to whom the Rule Maker only wants to reveal LI coarsened to the level of a city, only one request might be honored every 2 hours. This would prevent Location Recipients from sending repeated requests to gain more accurate presence information.
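The inference in Section 4.2.4 (a Rule that degrades LI by approximately 25 miles can still tell an interceptor how to find the true location) and the frequency Rule of this section can be shown together in working code. The following Python simulation is an added example, not part of RFC 3694: a Rule Maker's coarsening Rule adds a fresh random offset of up to 25 miles to every honored request, an untrusted Location Recipient averages the answers it receives, and a frequency Rule of one honored request per 2 hours limits how many answers it can collect. The true location, the coarsening model, the random seed and the "untrusted-recipient" name are all constructed for the example; the RFC fixes none of them.

```python
import math
import random

# Constructed values for the example (not from the RFC): the Target's true
# position on a flat plane, in miles, and the coarsening radius from the
# 25-mile Rule discussed in Section 4.2.4.
TRUE_LOCATION = (1250.0, 3480.0)
COARSEN_RADIUS_MILES = 25.0


def coarsen(location, radius, rng):
    """Apply a Rule that degrades LI by a random offset of up to `radius` miles.

    A fresh offset is drawn for every honoured request.  That freshness is
    what an attacker exploits: the offsets average out over many answers.
    """
    angle = rng.uniform(0.0, 2.0 * math.pi)
    # sqrt() makes the offset uniform over the disk rather than its rim.
    dist = radius * math.sqrt(rng.uniform(0.0, 1.0))
    x, y = location
    return (x + dist * math.cos(angle), y + dist * math.sin(angle))


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


class RequestRateRule:
    """Section 6.3.1: honour at most one request per recipient per window.

    Times are epoch seconds; the 2-hour window is the RFC's own example.
    A window of 0 disables the Rule (every request is honoured).
    """

    def __init__(self, window_seconds=2 * 3600):
        self.window = window_seconds
        self._last_honoured = {}

    def allow(self, recipient, now):
        last = self._last_honoured.get(recipient)
        if last is not None and now - last < self.window:
            return False
        self._last_honoured[recipient] = now
        return True


def averaging_attack(samples):
    """Attacker's estimate: the centroid of all coarsened answers received."""
    n = len(samples)
    return (sum(s[0] for s in samples) / n, sum(s[1] for s in samples) / n)


def simulate(n_requests, rate_rule, seconds_between_requests, seed=7):
    """Return (answers_obtained, error_of_estimate_in_miles).

    An untrusted Location Recipient sends `n_requests` requests spaced
    `seconds_between_requests` apart; only honoured ones yield coarsened LI.
    """
    rng = random.Random(seed)
    answers = []
    for i in range(n_requests):
        now = i * seconds_between_requests
        if rate_rule.allow("untrusted-recipient", now):
            answers.append(coarsen(TRUE_LOCATION, COARSEN_RADIUS_MILES, rng))
    if not answers:
        return 0, None
    return len(answers), distance(averaging_attack(answers), TRUE_LOCATION)


if __name__ == "__main__":
    n, err = simulate(2000, RequestRateRule(window_seconds=0), 1)
    print(f"no frequency Rule: {n} answers, estimate off by {err:.2f} miles")
    n, err = simulate(2000, RequestRateRule(), 1)
    print(f"one per 2 hours:   {n} answer,  estimate off by {err:.2f} miles")
```

With no frequency Rule, 2000 requests a second apart are all honoured and the centroid lands within a fraction of a mile of the true position; with the 2-hour Rule the same burst yields a single answer, which can be off by the full 25 miles. The Rule only "somewhat" prevents the attack, as the RFC says: a patient recipient still gathers 2000 answers, but it needs about five and a half months to do so, and the Location Server's log then shows the sustained polling.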

Similarly, thresholds on notifications of location information can help to combat amplification attacks.

6.3.2. Mutual End-Point Authentication

Authentication is crucial to the security of LI during transmission. The Location Server must be capable of authenticating Location Recipients to prevent impersonation. Location Generators must be capable of authenticating Location Servers to ensure that raw location information is not sent to improper entities. Additionally, Location Servers must be able to authenticate Rule Makers to ensure that unauthorized entities cannot change Rules.

6.3.3. Data Object Integrity & Confidentiality

The LO must maintain integrity at all points of communication between Location Servers and Location Recipients. Confidentiality is required on both the connection between the Location Generator and the Location Server, as well as on the connection between the Location Server and any given Location Recipient. Confidentiality of Rules sent over the network to the Location Server is of comparable importance.

6.3.4. Replay Protection

Replay protection prevents an attacker from capturing a particular piece of location information and replaying it at a later time in order to convince Viewers of an erroneous location for the Target. Both Location Recipients and Location Servers, depending on their capabilities, may need replay protection.
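Sections 6.1.4, 6.3.3 and 6.3.4 together ask for Rules that travel with the LO, integrity of the LO, and replay protection at the Location Recipient. The following Python block is an added example of one way to combine them and is not the Geopriv object format: the Location Server binds the location, the travelling Rules, a timestamp and a nonce under an HMAC, and the Location Recipient rejects tampered, stale and replayed objects, refuses to redistribute when the travelling Rule forbids it, and purges stored LI when the travelling retention Rule expires. The shared key, the freshness window, the field names and the sample coordinates are constructed assumptions; confidentiality on the wire (Section 6.3.3) is left to the transport and is not shown.

```python
import hashlib
import hmac
import json
import secrets

# Constructed assumptions (not the Geopriv object format): a key shared by
# the Location Server and this Location Recipient, and how long after its
# timestamp a LO is still considered fresh.
FRESHNESS_WINDOW = 300


def _canonical(obj):
    """Deterministic serialisation so both sides MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_location_object(key, target_id, location, rules, now):
    """Location Server side.  The Rules travel inside the LO (6.1.4) and every
    field, including timestamp and nonce, is bound under the MAC (6.3.3)."""
    body = {
        "target": target_id,
        "location": location,
        "rules": rules,                 # e.g. {"retention_seconds": 60, "no_redistribute": True}
        "timestamp": int(now),
        "nonce": secrets.token_hex(8),  # makes each LO distinguishable from a replay
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=mac)


class LocationRecipient:
    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()
        self.store = {}   # nonce -> (lo, purge_at)

    def accept(self, lo, now):
        """Return None when the LO is accepted, otherwise the rejection reason."""
        body = {k: v for k, v in lo.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(lo.get("mac", ""))):
            return "bad mac"      # forged or modified in transit (6.3.3)
        if abs(now - lo["timestamp"]) > FRESHNESS_WINDOW:
            return "stale"        # captured earlier, replayed later (6.3.4)
        if lo["nonce"] in self.seen_nonces:
            return "replay"       # same fresh LO delivered twice (6.3.4)
        self.seen_nonces.add(lo["nonce"])
        purge_at = now + lo["rules"].get("retention_seconds", 0)
        self.store[lo["nonce"]] = (lo, purge_at)
        return None

    def purge(self, now):
        """Enforce the retention Rule that travelled with each LO (6.1.4);
        returns how many objects were discarded."""
        expired = [n for n, (_, purge_at) in self.store.items() if purge_at <= now]
        for n in expired:
            del self.store[n]
        return len(expired)

    def may_redistribute(self, lo):
        """Default of 'do not re-distribute' (4.3.1) unless the Rule says otherwise."""
        return not lo["rules"].get("no_redistribute", True)
```

The MAC check comes first so that a forged object cannot even influence the nonce set, and the freshness check bounds the nonce set: a nonce older than the window can be forgotten because the stale check will reject it anyway. The purge honours the retention Rule that arrived with the LO, which is the point of Section 6.1.4: the Recipient does not need to consult the Rule Maker to know when to discard.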

7. Security Considerations

This informational document characterizes potential security threats targeting the Geopriv architecture.

8. IANA Considerations

This document introduces no additional considerations for IANA.

9. Informative References

[1] Cuellar, J., Morris, J., Mulligan, D., Peterson, J. and J. Polk, "Geopriv Requirements", RFC 3693, January 2004.

10. Authors' Addresses

Michelle Engelhardt Danley
Samuelson Law, Technology & Public Policy Clinic
Boalt Hall School of Law
University of California
Berkeley, CA 94720
USA

   EMail: mre213@nyu.edu
   URI:   http://www.law.berkeley.edu/cenpro/samuelson/

Deirdre Mulligan
Samuelson Law, Technology & Public Policy Clinic
Boalt Hall School of Law
University of California
Berkeley, CA 94720
USA

   EMail: dmulligan@law.berkeley.edu
   URI:   http://www.law.berkeley.edu/cenpro/samuelson/

John B. Morris, Jr.
Center for Democracy & Technology
1634 I Street NW
Suite 1100
Washington, DC 20006
USA

   EMail: jmorris@cdt.org
   URI:   http://www.cdt.org

Jon Peterson
NeuStar, Inc.
1800 Sutter St
Suite 570
Concord, CA 94520
USA

   Phone: +1 925/363-8720
   EMail: jon.peterson@neustar.biz
   URI:   http://www.neustar.biz/

11. Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
