
Spatial Replay Protection for

Proximity Services

Security and privacy aspects

FREDRIK LINDBLOM

KTH ROYAL INSTITUTE OF TECHNOLOGY
INFORMATION AND COMMUNICATION TECHNOLOGY

DEGREE PROJECT IN INFORMATION TECHNOLOGY, SECOND LEVEL STOCKHOLM, SWEDEN 2016

Fredrik Lindblom

2016-08-09

Master’s Thesis

Examiner

Gerald Q. Maguire Jr.

Academic adviser

Anders Västberg

Industrial supervisor

Noamen Ben Henda

Abstract

Proximity Services is a new feature in the 3rd Generation Partnership Project (3GPP) standard for mobile communication. This feature gives the opportunity to provide services locally if the targets are sufficiently close. However, in the current version of the proposed specification, there is no protection against a malicious user tunneling messages to a remote location to give the impression of proximity.

This thesis proposes solutions to protect against such a spatial replay attack and evaluates these solutions based on how the user’s integrity is preserved, their complexity, and the added overhead. It is not obvious today what the consequences of a spatial replay attack are and how serious such an attack could be. However, once the feature is deployed and people start using it, it could prove to be a major vulnerability.

The methods presented in this thesis could be used to prevent spatial replay in 3GPP or similar standards for proximity services. The chosen method is a geographical packet leash based on a poly-cylindrical grid, for which only a certain number of Least Significant Bits of the grid cell identifier are included in the initial Discovery Message, while the rest could be used in the calculation of the Message Authentication Code.

Keywords


Sammanfattning (Summary)

Proximity Services is a new feature in the 3rd Generation Partnership Project (3GPP) standard for mobile communication. It makes it possible to offer services locally if the intended users are sufficiently close. In the current version of the specification, however, nothing prevents a malicious third party from tunneling messages from the original location to another location that is not nearby, in order to give the receiver the impression that the sender is close.

This thesis proposes solutions to limit this attack and evaluates them according to how they affect the users’ location privacy, the complexity of the solution, and the overhead they entail. It is not obvious today how this attack could affect users or how serious the consequences could be, but once the standard is implemented and users start to appear, it could prove to pose a major risk.

The solutions presented in this thesis could be used to limit this type of attack in the 3GPP standard or similar proximity-based standards. The chosen method is a ’geographical packet leash’ based on a poly-cylindrical grid, for which only a fixed number of least significant bits are included in an initial Discovery Message, while the rest can be used in the calculation of the Message Authentication Code.

Nyckelord (Keywords)


Acknowledgments

I would like to thank my industrial supervisor, Noamen Ben Henda, for continuously supporting me through this thesis and giving me valuable advice. I would also like to thank Ericsson for providing me with the opportunity of doing this thesis.

Professor Gerald Q. Maguire Jr. has also been of great support and provided guidance which I am thankful for.

Stockholm, July 2016 Fredrik Lindblom

Table of contents

Abstract
Keywords
Sammanfattning (Summary)
Nyckelord (Keywords)
Acknowledgments
Table of contents
List of Figures
List of Tables
List of acronyms and abbreviations
1 Introduction
  1.1 Background
  1.2 Problem definition
  1.3 Purpose
  1.4 Goals
  1.5 Research Methodology
  1.6 Delimitations
  1.7 Structure of the thesis
2 Background
  2.1 Location Based Services
    2.1.1 Use cases
    2.1.2 Locating methods
    2.1.3 Location Coding
  2.2 Proximity services
    2.2.1 Architecture and interfaces
    2.2.2 Use cases
    2.2.3 Identifiers and subscriptions
    2.2.4 Discovery models
    2.2.5 Direct Communication
    2.2.6 Security Aspects
  2.3 Location privacy
    2.3.1 Legislation concerning Location Privacy
    2.3.2 User studies
    2.3.3 Risks with reduced location privacy
    2.3.4 Location Privacy Protection Mechanisms
    2.3.5 Location privacy attacks
    2.3.6 Location privacy quantification
  2.4 Security
    2.4.1 Cryptographic primitives
    2.4.2 Replay attacks
    2.4.3 Replay attack prevention
    2.4.4 Spatial replay
  2.5 Related work
    2.5.2 TETRA
    2.5.3 Wireless sensor networks and Ad hoc networks
  2.6 Summary
3 Methodology
  3.1 Research Process
  3.2 Attacker and trust model
  3.3 Evaluation framework
4 Risk, requirements of a solution and applicable methods
  4.1 Open Discovery
  4.2 Restricted Discovery
  4.3 Public Safety use
  4.4 Applicable security methods
  4.5 Applicable location privacy methods
5 Possible solutions to prevent spatial replay in ProSe
  5.1 Permissions/network based
    5.1.1 Permissions
    5.1.2 Tracking areas
    5.1.3 SLP
    5.1.4 Dynamic metadata
    5.1.5 Match Report
  5.2 Monitoring discovery messages
    5.2.1 Detection of multiple usage of announced code
    5.2.2 Device radio fingerprinting
  5.3 Changes to discovery messages
    5.3.1 Temporal packet leash
    5.3.2 Explicit
    5.3.3 Implicit and mixed
6 Analysis
  6.1 Network-based approaches
  6.2 Discovery message based
7 Conclusions and Future work
  7.1 Conclusions
  7.2 Limitations
  7.3 Future work
  7.4 Reflections
References
Appendix A: Calculations
  Expected value for aligned rectangles
  Expected value for non-aligned rectangles
  Expected value for hexagons
Appendix B: Code
  Monte Carlo method implicit solution aligned rectangles
  Monte Carlo method implicit solution non-aligned rectangles
  Monte Carlo method implicit solution hexagons
  Monte Carlo method location privacy random rectangle
  Monte Carlo method location privacy random circle

List of Figures

Figure 1-1: Spatial replay by 3rd party
Figure 2-1: Architecture of ProSe
Figure 2-2: Sequence diagram of ProSe Open Discovery
Figure 2-3: Sequence diagram of Restricted Discovery Model B
Figure 5-1: A group of aligned rectangles
Figure 5-2: Poly-cylindrical grid
Figure 5-3: Relation between LSB and inaccuracy
Figure 5-4: A group of non-aligned rectangles
Figure 5-5: Hexagon-based grid
Figure 5-6: Border region of hexagon-based grid
Figure 5-7: HEALPix projection
Figure 5-8: HEALPix cell numbering
Figure 5-9: Hierarchical Triangular Mesh
Figure 6-1: Comparison of expected value for the number MAC calculations necessary
Figure 6-2: Location privacy for different location obfuscation techniques
Figure 7-1: Area parts for expected value calculation for aligned rectangles
Figure 7-2: Calculation of the edge using symmetry
Figure 7-3: Area parts for expected value calculation for non-aligned rectangles
Figure 7-4: Calculation of AE using symmetry

List of Tables

Table 2-1: Elements of ProSe architecture
Table 2-2: ProSe Reference Points
Table 2-3: ProSe IDs and their purposes
Table 5-1: Non-zero longitude bits in grid coding
Table 5-2: Size distortion in a poly-cylindrical grid
Table 5-3: Tolerable inaccuracy given a certain number of LSB
Table 5-4: HEALPix grid cell areas
Table 5-5: HTM grid cell areas
Table 6-1: Table of update frequency and resulting maximum distance
Table 6-2: Summary of network based solutions

List of acronyms and abbreviations

3GPP     3rd Generation Partnership Project
ALUID    Application Layer User ID
AP       Access Point
A-GPS    Assisted-Global Positioning System
BLE      Bluetooth Low Energy
DNS      Domain Name System
DUCK     Discovery User Confidentiality Key
DUSK     Discovery User Scrambling Key
ECGI     E-UTRAN Cell Global Identifier
EPC      Evolved Packet Core
EPUID    EPC ProSe User ID
ETSI     European Telecommunications Standards Institute
FCC      (United States) Federal Communications Commission
GAD      Universal Geographical Area Description
GNSS     Global Navigation Satellite System
GPS      Global Positioning System
GSM      Global System for Mobile Communications
HPLMN    Home Public Land Mobile Network
HSS      Home Subscriber Server
HTM      Hierarchical Triangular Mesh
IERS     International Earth Rotation and Reference Systems
LBS      Location Based Services
LPPM     Location Privacy Protection Mechanism
MAC      Message Authentication Code
MCC      Mobile Country Code
MIC      Message Integrity Code
MIMO     Multiple Input-Multiple Output
MME      Mobility Management Entity
MNC      Mobile Network Code
OTDOA    Observed Time Difference Of Arrival
PDUID    ProSe Discovery UE ID
PFID     ProSe Function ID
PLMN     Public Land Mobile Network
ProSe    Proximity Services
RFPM     Radio Frequency Pattern Matching
RPAUID   Restricted ProSe Application User ID
SLP      SUPL Location Platform
SUPL     Secure User Plane Location
TETRA    Terrestrial Trunked Radio
UE       User Equipment
UMTS     Universal Mobile Telecommunications System
UTC      Coordinated Universal Time
U-TDOA   Uplink-Time Difference of Arrival
WLAN     Wireless Local Area Network
WLLID    WLAN Link Layer ID


1 Introduction

This chapter describes the specific problem that this thesis addresses, the context of the problem, the goals of this thesis project, and outlines the structure of the thesis.

1.1 Background

Devices capable of locating themselves are becoming something everyone has. In 2013, more than a billion smartphones were shipped and over 40% of the world’s mobile phones had support for one or more Global Navigation Satellite Systems (GNSS) [1]. As a result, services based on location are becoming more and more common. A user’s location is considered by most people to be a part of their personal privacy, but still there are many applications (apps) that have user agreements which allow the app to share the user’s location with third parties. However, the location data that can be retrieved by the network operator are protected by law in a number of countries (such as Sweden and Finland) and must not be disclosed without either a court order or the user’s written permission, see Section 2.3.1.

A local form of Location Based Services (LBS) is the proposed 3GPP standard Proximity Services (ProSe) (see Section 2.2). Proximity Services enables User Equipment (UE) within a maximum range of 500 meters to find and, if desired and close enough, to communicate directly with each other. This feature does not depend on UEs utilizing the same network operator, being connected to the same cell, or for Public Safety UEs to even be within any network’s coverage. Each UE broadcasts its presence and the type of services it offers, hence when a UE hears such a broadcast these UEs can communicate directly with each other.

1.2 Problem definition

In the current version of the proposed ProSe standard, the only limitation on how far apart UEs can be is the 16 second time period during which the ProSe messages are valid and that the messages can reach the other UE. Normally, each UE’s range would be limited to roughly 500 meters due to the maximum allowed emitted signal strength. However, as shown in Figure 1-1 an attacker UE_1 could tunnel messages from UE_A over the Internet to UE_2, tricking UE_B into believing that UE_A is nearby. This is referred to as a spatial replay attack.

The exact consequences of such an attack are hard to foresee, but the incorrect assumption by the services of the UEs being in proximity could pose a threat to some services in the future or simply result in inconvenient situations for the users.

As with LBS in general, there are also issues concerning the user’s privacy. There are multiple Location Privacy Protection Mechanisms today that could be implemented (see Section 2.3.4). However, LBS has only recently begun to be widely deployed, therefore some of the privacy protection mechanisms might not be applicable, while others are infeasible. Since a LBS is based on the location of the UE, increased location privacy could reduce the quality of the service or even prevent it from working at all. At the same time, insufficient location privacy might lead to users not utilizing any forms of LBS.
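The following added example (not code from the thesis) sketches the defence summarised in the abstract against the tunneling attack described above: the sender puts only the least significant bits of its grid cell identifier in the message and binds the remaining bits into the MAC, so a receiver far away reconstructs a different cell and the MAC check fails. The flat latitude/longitude grid, cell size, number of bits, key, message layout and all function names are assumptions made for illustration; the thesis itself uses a poly-cylindrical grid.

```python
import hashlib
import hmac
import math

CELL_DEG = 0.005        # assumed cell edge in degrees (roughly 550 m north-south)
K = 2                   # assumed number of least significant bits sent per axis
MASK = (1 << K) - 1


def cell_of(lat, lon):
    """Map a position to an integer (row, col) cell on a flat lat/lon grid."""
    return (math.floor((lat + 90) / CELL_DEG),
            math.floor((lon + 180) / CELL_DEG))


def leash_mac(key, payload, cell):
    """MAC over the payload, the transmitted LSBs and the untransmitted upper bits."""
    row, col = cell
    data = payload + bytes([row & MASK, col & MASK])
    data += (row >> K).to_bytes(4, "big") + (col >> K).to_bytes(4, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]   # 8-byte tag (assumed)


def announce(key, payload, lat, lon):
    """Sender side: only the K low bits of each cell coordinate go on the air."""
    row, col = cell_of(lat, lon)
    return {"payload": payload,
            "lsb": (row & MASK, col & MASK),
            "mac": leash_mac(key, payload, (row, col))}


def nearest_with_lsb(own, lsb):
    """Closest integer to `own` whose K low bits equal `lsb`."""
    half = 1 << (K - 1)
    return own + ((lsb - own + half) & MASK) - half


def verify(key, msg, lat, lon):
    """Receiver side: rebuild the sender's cell from the receiver's own position."""
    own_row, own_col = cell_of(lat, lon)
    guess = (nearest_with_lsb(own_row, msg["lsb"][0]),
             nearest_with_lsb(own_col, msg["lsb"][1]))
    return hmac.compare_digest(msg["mac"], leash_mac(key, msg["payload"], guess))


if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed sample key
    msg = announce(key, b"announced-code", 59.4040, 17.9490)
    print("receiver in the next cell:", verify(key, msg, 59.4065, 17.9520))
    print("receiver after tunneling: ", verify(key, msg, 57.7089, 11.9746))
```

The tunneled copy is byte-for-byte identical to the original message; it is rejected only because the remote receiver's own position leads it to a different full cell identifier than the one the sender used in the MAC.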

Figure 1-1: Spatial replay by 3rd party

1.3 Purpose

The results from this thesis could be implemented in the standard for Proximity Services by 3GPP and other standards that use location for a similar purpose, as systems using these standards could be vulnerable to replay attacks. An example of such a standard is the 3GPP-LTE based system for Vehicle-to-Everything (V2X) communication [2].

The proposed solutions should protect the user’s integrity by not revealing their exact location while using ProSe or it might minimize the exposure of the user’s location.

1.4 Goals

The primary goals of this thesis project are:

1. Present existing solutions to prevent replay attacks,
2. If necessary design one or more new solutions to prevent replay attacks, and
3. Evaluate all the solutions based on provided security, location privacy, added overhead, and complexity.

1.5 Research Methodology

This thesis has adopted the design science research method, as the focus is on the evaluation of potential solutions for preventing replay attacks according to a stated set of metrics (as per the third goal above).

1.6 Delimitations

This thesis will not include an actual implementation, but rather only describe potential solutions that could be implemented. The evaluation of these methods will mainly be limited to the security and personal integrity aspects related to location and spatial replay. Moreover, the thesis will focus only on an evaluation of potential solutions in the context of ProSe. Therefore, the goal is not to develop generic protection methods (although the proposed solutions may be applicable to other standards), but rather to develop solutions for ProSe (or identify aspects of ProSe that need modifications).

1.7 Structure of the thesis

Chapter 2 presents relevant background information and related work. Chapter 3 describes the methodology to be used in this thesis project. Chapter 4 evaluates some current vulnerabilities and existing solutions. Chapter 5 proposes some new solutions. Chapter 6 presents the analysis of the solutions presented in Chapter 5. The thesis concludes with some conclusions, suggestions for future work, and some reflections about the thesis in a larger context.


2 Background

This chapter presents the background necessary for the reader to understand what a location based service is (Section 2.1) and what a proximity service is (Section 2.2) and some of the problems that can arise concerning location privacy (Section 2.3). Mechanisms to protect the user’s location privacy are presented in Section 2.3.4. Section 2.4 describes the concept of spatial replay. Section 2.5 presents a survey of related work. Section 2.6 gives a summary of this chapter.

2.1 Location Based Services

There is no common definition of what a Location Based Service (LBS) is. However, the definition most relevant to this thesis is given by 3GPP in [3], where an LBS is defined as a “service provided either by teleoperator or a 3rd party service provider that utilizes the available location information of the terminal” [3]. Additionally, there are other definitions, such as that given by Jochen Schiller and Agnès Voisard: “services that integrate a mobile device's location or position with other information so as to provide added value to the user” [4]. In most sources LBS is used interchangeably with location service, while 3GPP distinguishes between a location service and a location based service. 3GPP uses the term location services to refer to “a network provided enabling technology consisting of standardized service capabilities which enable the provision of location based applications” [5]. In other words, 3GPP defines location services as ways to localize a target in order to be able to provide location data to a 3rd party; for example, to emergency services to aid with emergency calls. In this thesis the term “location services” will not be used to avoid ambiguity.

Fundamental to any LBS is that it must be possible to locate the device to which or for which a location based service is to be provided. Methods for providing this location as input to the LBS are described in Section 2.1.2 along with some information about their accuracy. However, before presenting the details of the operation of a LBS, Section 2.1.1 describes how a LBS might be used. Finally, Section 2.1.3 describes how locations can be encoded.

2.1.1 Use cases

LBS can be used for many different purposes and a lot of purposes are probably yet to come. In [6] Axel Küpper gives a thorough introduction to LBS, and describes many use cases for them. He classifies LBS as either reactive or proactive, with the difference between them being that a reactive service has to be explicitly activated by the user while a proactive service is activated by certain conditions (such as being in a specific location).

An example of a reactive LBS would be a service returning nearby points of interest, such as a restaurant or an automatic teller machine. According to Axel Küpper this is the most widespread LBS so far. Another use case could be a parent activating a tracker on their child’s mobile phone when they need to locate their child.

An LBS giving information about nearby points of interest could also be made proactive. An example of such a proactive LBS would be one that waits for the user, e.g. a tourist, to enter a new area and give information to this user about what is available in this new area. Another proactive LBS could be made for car travelers to provide updates about the traffic conditions of the highway ahead of them or of a roadway that they are approaching. The LBS could alert the user if they are approaching a traffic jam or an area with construction work.

2.1.2 Locating methods

There are many ways to obtain a location as input to a LBS. The most obvious method is the Global Positioning System (GPS) and other global navigation satellite systems (GNSSs). These methods require that the UE has a suitable receiver to receive signals from multiple satellites, but there are also methods based on hardware already present in many mobile phones (such as receivers for other purposes, e.g. Wi-Fi).

Implementation of locating methods in cellular phones was heavily driven by the United States Federal Communications Commission’s (FCC) decisions to require operators to be able to provide to a public safety answering point the location of a phone making an emergency call (see Enhanced 911 Emergency Calling Systems (in FCC 99-27 [7], FCC 96-52 [8], and others)).

2.1.2.1 GNSS / A-GPS

In addition to the United States Government’s GPS system, there are other GNSSs, such as Russia’s “Globalnaya Navigazionnaya Sputnikovaya Sistema” (GLONASS), Europe’s Galileo system, and China’s Beidou. Currently, only GPS and GLONASS are fully operational globally. Since these systems rely on satellite signal reception, all of the systems generally suffer from lack of signal strength indoors and radio shadows caused by buildings and vegetation outdoors.

The time required to achieve a GPS lock* with a satellite depends on when the receiver last had a lock. If it has been more than 30 seconds since the last lock, then the receiver has to start over, while if less the lock can quickly be regained. If the last lock was less than a second ago, the lock will not need renewal. To achieve a GPS lock is more time and energy consuming than the effort to just decode the data needed to calculate a position [9]. Additionally, the receiver needs to achieve a lock with at least 4 satellites to accurately determine x, y, z, and time.

* This requires both synchronization with the pseudo-random sequence and adjustment of the receiver’s frequency (because of the Doppler shift due to the relative motion between the receiver and the satellite).

Aaron Carroll and Gernot Heiser measured the GPS module’s power consumption in an Openmoko Neo Freerunner to be around 143 mW. Other measurements of mobile phone GPS power consumption have been made, e.g. 370 mW for a Nokia N95 [10] and 230 mW for a HTC Dream [11].

To reduce the time to lock on to satellites during a cold start and to provide better location data in poor satellite signal conditions Assisted-GPS (A-GPS) can be utilized. A-GPS can supply orbital data of the satellites and also precise time, if needed by the receiver, from the cellular network to reduce the time needed for decoding. Remote computing resources can also assist in processing the received signals to both provide a more accurate location and reduce the load on the UE. It has also been investigated to offload the entire calculations to the cloud. In [9] an energy consumption 3 orders of magnitude less was achieved for a single location update.

2.1.2.2 CELL ID / Media Access and Control address

One of the simplest methods of determining a phone’s location is to use the CELL ID of the nearest cellular base station or use the CELL IDs of several nearby base stations. The information has to be complemented with Public Land Mobile Network (PLMN) ID and possibly other information depending on the mobile communication standard used. This information can be combined with the geospatial location of these cellular base stations to estimate the phone’s position. The same approach can be used with Media Access and Control addresses of Wireless Local Area Network (WLAN) access points if their location is known.

This can be done both locally by the UE or, rather than to store all necessary data, by a third party service. Google offers a service in which the unique IDs (CELLID or Media Access and Control address) are sent to them and looked up in databases. If they have location information for these IDs, then the user’s location is estimated and returned. In addition to CELLIDs, one should also supply the type of radio used (if available). It is also possible to send signal strength and time needed for a signal to reach the base station for GSM CELLIDs, but this information is currently not used by Google [12]. Moreover, when data is shared with a third party the result is reduced location privacy. In contrast, Intel’s Privacy Observant Location System (POLS) is an early implementation that does not require sending data to a third party [13] and free databases exist, such as OpenCellID [14].

2.1.2.3 Network time of arrival based

Uplink-Time Difference of Arrival (U-TDOA) is based on a known signal sent from the UE that is received by at least four network nodes. The advantage of this method is that it does not require the UE and the network nodes to be synchronized in time, hence the actual time the signal is sent can be unknown. This freedom from synchronization of clocks is due to the fact that this method only requires the time difference of arrival to the different nodes when calculating the UE’s location. The time difference of arrival from any two of the nodes gives a hyperbola of locations of the UE from which the signal could have originated. By considering pairs of different nodes, the UE’s location is computed based upon the intersection of three hyperbolas. This method does not require any special hardware in the UE other than its ability to communicate with the network [15].

Observed Time Difference Of Arrival (OTDOA) is based on the same principle, but in this case the location is calculated by the UE, rather than the network. There are many variants of this method to address various practical issues, such as being too close to one of the network nodes [16].

2.1.3 Location Coding

Location identifiers can be based on different references. GPS is based on World Geodetic System (WGS) 84. The origin of the coordinate system is at the earth’s center of mass and the definition of zero longitude is the International Earth Rotation and Reference Systems (IERS) Reference Meridian (nearly the same as the Greenwich meridian). Latitude is defined as the angle between the equatorial plane and a radius from the earth’s midpoint to its surface, while longitude is defined as the angle from the radius to the reference meridian.

3GPP uses WGS 84 as its reference system for location coding. In 3GPP document TS 23.032 [17] different Universal Geographical Area Description (GAD) shapes are defined: ellipsoid point, polygon, and ellipsoid arc. An ellipsoid point is a point on the surface of an ellipsoid. It is defined by a latitude and a longitude. A point can also have an altitude that is the distance over the nominal sea level. It can also have an uncertainty circle or ellipsoid. The circle or ellipsoid defines points within the range that are part of the uncertainty of the location.

To define shape type, 1 byte is used and then latitude and longitude are encoded as 3 bytes each. 1 byte is used to encode an uncertainty circle and 4 bytes to encode an uncertainty ellipsoid.

The latitude coding is given in Equation 2-1 and the longitude coding in Equation 2-2.

$$N \le \frac{2^{24}}{360} X < N + 1 \qquad \text{(2-1)}$$

$$N \le \frac{2^{23}}{90} X < N + 1 \qquad \text{(2-2)}$$

N is the coded number and X the latitude/longitude it encodes. For the latitude, when $N = 2^{23} - 1$, the range also includes N+1. The latitude is coded with 24 bits of which 1 is a sign bit and the longitude is coded in 2’s complement in 24 bits.

The standard also provides a means of encoding velocities and bearings, but does not define encodings for acceleration.
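The coding rule described above can be worked through as follows. This is an added example, not code from the thesis: latitude uses the factor 2^23/90 with a separate sign bit, longitude uses 2^24/360 in 24-bit two's complement. The function names, the sign-bit convention (0 for north, as in TS 23.032) and the treatment of +180 degrees as -180 degrees are assumptions of this example.

```python
import math
from fractions import Fraction

# Exact rational scale factors avoid floating-point errors at cell boundaries.
LAT_STEPS = Fraction(2**23, 90)     # latitude:  N <= (2^23 / 90)  * X < N + 1
LON_STEPS = Fraction(2**24, 360)    # longitude: N <= (2^24 / 360) * X < N + 1


def encode_latitude(deg):
    """Return 3 bytes: one sign bit followed by the 23-bit magnitude N."""
    if not -90.0 <= deg <= 90.0:
        raise ValueError("latitude out of range")
    south = 1 if deg < 0 else 0                  # sign bit: 0 north, 1 south
    n = math.floor(LAT_STEPS * Fraction(abs(deg)))
    n = min(n, 2**23 - 1)                        # N = 2^23 - 1 also covers X = 90
    return ((south << 23) | n).to_bytes(3, "big")


def encode_longitude(deg):
    """Return 3 bytes holding N in 24-bit two's complement."""
    if not -180.0 <= deg <= 180.0:
        raise ValueError("longitude out of range")
    if deg == 180:
        deg = -180                               # same meridian (assumption of this example)
    n = math.floor(LON_STEPS * Fraction(deg))
    return (n & 0xFFFFFF).to_bytes(3, "big")


def decode_latitude(code):
    """Return the (low, high) bounds in degrees of the interval the code stands for."""
    value = int.from_bytes(code, "big")
    n = value & 0x7FFFFF
    low, high = float(n / LAT_STEPS), float((n + 1) / LAT_STEPS)
    return (-high, -low) if value >> 23 else (low, high)


def decode_longitude(code):
    """Return the (low, high) bounds in degrees of the interval the code stands for."""
    n = int.from_bytes(code, "big")
    if n >= 2**23:                               # undo two's complement
        n -= 2**24
    return float(n / LON_STEPS), float((n + 1) / LON_STEPS)


if __name__ == "__main__":
    # Constructed sample position (central Stockholm).
    lat, lon = 59.3293, 18.0686
    print(encode_latitude(lat).hex(), decode_latitude(encode_latitude(lat)))
    print(encode_longitude(lon).hex(), decode_longitude(encode_longitude(lon)))
```

One latitude step is 90/2^23 degrees and one longitude step is 360/2^24 degrees, so decoding returns an interval rather than a single coordinate.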

2.2 Proximity services

One of the major driving forces for the introduction of proximity services is the desire to merge the currently separate commercial cellular networks and the (dedicated) public safety networks (such as Terrestrial Trunked Radio (TETRA) and P25). This is driven both by the cost of maintaining dedicated public safety networks and by the realization that the public safety networks have fallen far behind the capabilities of the commercial cellular networks. As a result, commercial subscribers with camera equipped smartphones have broadband streaming of multimedia, while public safety systems offer at most hundreds of kilobits per second, greatly hampering public safety officials.

Proximity services offer two features that are important for public safety activities: (1) discovery of and direct communication with nearby UEs and (2) group calls. Proximity services (ProSe) is currently in the process of being standardized by 3GPP. ProSe is sometimes referred to as Proximity-based Services and different terms even coexist within the same 3GPP work group.

Figure 2-1 shows the ProSe architecture as presented in [18]. In this figure, both UE A and UE B are subscribed to the same PLMN and neither UE is roaming*. When the UEs are subscribed to different PLMNs, then another interface called PC6 is added between the ProSe functions in the different PLMNs. Each PLMN has its own instance of everything, i.e., Home Subscriber Server (HSS) and Secure User Plane Location (SUPL) & Location Platform (SLP). Details of this architecture are given in the next subsection.

The other driving force for ProSe is Qualcomm’s LTE Direct [19] which has been incorporated as a part of ProSe. This technology allows for a UE to find other nearby UEs. As a result, the ProSe specification includes many different ways to find nearby UEs to interact with, multiple methods of communication once a connection has been established, and extra features for Public Safety use (and other specialized use cases). The goal of these different ways, methods, and features is to provide convenient features for the user, to reduce the load on the network, and to efficiently utilize the available frequency spectrum.

(29)

Fi T A F Ta N P P P S H S M E igure 2-1: 2.2.1 Arc The central Application S Figure 2-1 are able 2-1: Network node ProSe Applica ProSe Functio ProSe Applica erver HSS LP MME E-UTRAN Architectur chitecture and parts of the Server, and th e list in Table Elements of e ation The app on The part requ ation The Pro (RP perm The auth Han Rec mai and Evo Evo with re of ProSe d interfaces e architectu he ProSe Ap e 2-1, while a f ProSe architect D e ProSe Ap plication uses e ProSe Func ts of the netw uesting to us e ProSe Appl Se Discover PAUID)) as mission info e HSS is a horization an ndles the use ceives subsc intains a list d forwards in olved Univer olved Packet h the UEs. ure relevant pplication on

all of the ProS

ture

Description

pplication is s the 3GPP A ction handle work like wit se ProSe. lication Serve ry UE ID well as m rmation for r central dat nd authentic er locations f cription info t of Remote nformation to rsal Terrestr t Core. It co

for this the n the UE. The Se reference

n

the applic API to use the

es the comm th the HSS to er is respons and Restric metadata for restricted dis tabase of su cation for Evolved P ormation fr UEs connec o the SGW. rial Access N onsists of eN

esis are the ese elements points are lis

cation runni e features in munication w

o provide aut

sible for stori cted ProSe r application scovery. ubscriber in Packet Core ( rom the HS ted to ProSe Network is t NodeBs that e ProSe Fun s and the oth sted in Table ing on the ProSe. with non-Pro uthentication ing lists of ID Application ns. It also nformation. (EPC)-based SS related e UE-to-Netw the access p t communica Background | nction, ProS hers shown i e 2-2. UE. This oSe specific of the UEs Ds (such as n User ID maintains It handles Discovery. to ProSe, work Relay part of the ate directly | 9 Se in


Table 2-2: ProSe Reference Points

Interface | Purpose

PC1 | Reference point between the ProSe application running on the UE and the ProSe Application Server to define signaling requirements.

PC2 | Reference point between the ProSe application and the ProSe Function. Used for defining interactions between them.

PC3 | Reference point between the UE and the ProSe Function and used to define their interactions.

PC4a | Reference point between the HSS and the ProSe Function. Used for providing subscription information.

PC4b | Reference point between the SLP and the ProSe Function. Used to handle the location of users in EPC-level ProSe Discovery.

PC5 | This interface provides both the control and user plane for ProSe Direct Discovery, Direct Communication, and UE-to-Network Relay.

PC6 | Used for communication by ProSe Functions in different PLMNs when not roaming. E.g. by ProSe Functions for EPC-level ProSe Discovery.

PC7 | Reference point between the ProSe Function in VPLMN and in Home Public Land Mobile Network (HPLMN).

S6a | In ProSe, this interface is used to download subscription information to the MME during the E-UTRAN attach procedure and to inform the MME of subscription information changes in the HSS.

2.2.2 Use cases

In the 3GPP feasibility study [20] several use cases are given for every part of the standard. An example of Open Discovery occurs when the user is looking for a restaurant and walks within the proximity range of a restaurant utilizing the service. In this case the user will be notified about this restaurant’s existence. When trying to find parking near the restaurant an application using ProSe could assist the user in finding a nearby parking spot and paying for parking.

An example of Restricted Discovery occurs when the user is trying to find a friend or colleague. To protect the user’s privacy, this discovery should be limited to users who are actually friends or colleagues. This restriction is realized by requiring that such a discovery be permitted. Another use case occurs when two users have an active data session with each other via the network, but are in proximity of each other. In this case the session is moved to a ProSe communication path, thus reducing the communication delay and shifting the load off of the core network. This session can then be moved back to the core network when the UEs are no longer in proximity.

2.2.3 Identifiers and subscriptions

The permissions to use different features in ProSe are stored in the user profile subscription information in the HSS. The following permissions (sub-permissions have been omitted) are available to all UEs: ProSe Direct Discovery, EPC-level ProSe Discovery, and EPC-support WLAN Direct Discovery and Communication. There are additional permissions exclusive to Public Safety users: ProSe Direct Communication, one-to-one and one-to-many, ProSe UE acting as UE-to-Network Relay, and Remote UE access to UE-to-Network Relay. Permissions can be added and revoked at any time and each permission can also be restricted to a specific PLMN.

There are many different types of identifiers (IDs); some of these are listed in Table 2-3.

Table 2-3: ProSe IDs and their purposes

Type of ID | Acronym | Purpose

Application ID | | A unique identifier of an application.

Application Code | | The code broadcast on PC5 in Open Discovery.

ProSe Query Code | | The code broadcast on PC5 in Restricted Discovery Model B.

ProSe Response Code | | The code used as a response when a ProSe Query Code matches the discovery filter in Restricted Discovery Model B.

ProSe Restricted Code | | The code broadcast on PC5 in Restricted Discovery Model A.

Restricted ProSe Application User ID | RPAUID | A RPAUID is mapped by the ProSe Application Server to the application user identity to hide it from the 3GPP network.

2.2.4 Discovery models

The method of discovering nearby UEs in ProSe is called ProSe Discovery and is described in [18] and [21]. There are two kinds of discovery (EPC-level and Direct Discovery), differing in whether any network node is used or not. In Direct Discovery the PC5 interface is used to send discovery messages for Open Discovery and Restricted Discovery. In EPC-level discovery there is no direct communication link between the UEs; instead the network handles the discovery.

2.2.4.1 Open Discovery

In Open Discovery two roles are defined: Announcing UE and Monitoring UE. Before using any of the ProSe Direct Discovery models, the UEs must first request permission to use the service. The sequence diagram of ProSe Open Discovery is shown in Figure 2-2.

Figure 2-2: Sequence diagram of ProSe Open Discovery

In the announce request for Open Discovery, a ProSe Application ID, the UE identity, and the Discovery Entry ID are sent over the PC3 interface to the ProSe Function along with some additional data items (these are less relevant to this thesis). The ProSe Function queries the HSS for subscription information of the UE to determine if this subscriber is allowed to use the requested functionality and then checks if the UE is allowed to use the requested Application ID. If both checks are passed, then the ProSe Function returns a Discovery Response to the requesting UE with a Discovery Key, an Application Code, the current Coordinated Universal Time (UTC)-based time at the ProSe Function, and the max offset. The max offset is the maximum allowed difference between the UE clock and the UTC-based counter associated with the discovery slot. The UE can now start sending discovery messages containing the received Application Code over the PC5 interface.

The Monitoring UE sends a similar message to its ProSe Function, but specifies that it wishes to monitor (look for) certain Application IDs. A check is done with the HSS to see if this UE has the relevant permission(s), but the PLMN ID is used to restrict the UE to its current PLMN. The ProSe Function that corresponds to the Application Code, if other than the current ProSe Function, is contacted to retrieve the Application Codes and an Application Mask for the Application ID. If the UE is authorized to monitor these Application IDs in this PLMN, then the ProSe Function returns a Discovery Filter valid for a certain time corresponding to the Application Mask.

The discovery messages sent by the Announcing UE over PC5 can now be monitored by the Monitoring UE and if it finds an Application Code matching the Discovery Filter, a Match Report is sent. The Application Mask allows both full and partial matches of Application Codes. A Match Report contains the Application Code that matched the Discovery Filter, the UE identity, the UTC-based time of the match as observed at the Monitoring UE, and the MAC from the discovery message.

The ProSe Function sends the MAC and the time value from the Monitoring UE to the HPLMN of the Announcing UE to get the MAC verified. If the MAC is valid, then the ProSe Function returns an acknowledgement to the Monitoring UE of the passed authentication check of the message, its current UTC-based time, a timer for when the match needs to be refreshed, and the Application ID.

The Monitoring UE now knows it is in ProSe range of a UE with the Application Code it was looking for and can now proceed with whatever action it intends when in proximity of such a UE. These actions differ depending on whether the UE is a Public Safety UE or not (see Section 2.2.5.1).

2.2.4.2 Restricted Discovery

Restricted Discovery exists in two different models: Model A and Model B. Model A is when one of the UEs announces “I am here” and provides some information about itself. This is the model supported for Open Discovery. In Model B, a UE instead queries, asking “Who is there?” or “Are you there?”. Model B is only supported for Restricted Discovery. The difference between Open Discovery and Restricted Discovery is that in Restricted Discovery permission is needed to discover the other UE.

2.2.4.2.1 Discovery Model A

Model A for Restricted Discovery is very similar to Open Discovery. The differences are that the Announcing UE, when it sends the request to announce, also includes its Restricted ProSe Application User ID (RPAUID), and when the ProSe Function gives permission to announce, in addition to the data sent for Open Discovery, the ProSe Function also includes Code-Sending Security Parameters in the message. For the Monitoring UE, the same change applies; it receives Code-Receiving Security Parameters from the ProSe Function when given permission to monitor. What the parameters include is not really clear, but the necessary information for the security features in Section 2.2.6 should be among them.

When the Discovery Filter matches the Application Code of a discovery message, a request for permission to discover the other UE is sent to the ProSe Function. The ProSe Function checks with the HSS that this UE has permission to use Restricted Discovery and finds the target RPAUID for the Restricted Code received from the Monitoring UE. The target RPAUID and the RPAUID of the Monitoring UE are sent to the ProSe Application Server corresponding to the Application ID and if this discovery is authorized, then the ProSe Application Server sends back the ProSe Discovery UE IDs (PDUIDs) of the two UEs. A discovery acknowledgement is sent to the Monitoring UE and optionally the ProSe Function of the Announcing UE is also sent a discovery acknowledgement.

2.2.4.2.2 Discovery Model B

In Model B, the actors are not called Announcing UE and Monitoring UE anymore, but rather Discoverer and Discoveree. Figure 2-3 shows the sequence diagram of Restricted Discovery Model B. The Discoveree starts with a Discovery Request similar to the one in Model A, but specifies the request type to be for Restricted Discovery, Discovery Model A, and that it wants to be the Discoveree. As in Model A, the request contains the UE’s RPAUID, UE identity, Application ID, and Discovery Entry ID. As in the case for Discovery Model A, the ProSe Function checks with the HSS whether this UE is authorized to use the requested discovery model and whether access to the Application corresponding to the Application ID is authorized. If the ProSe Function cannot verify the ownership of the supplied RPAUID and match it with its corresponding PDUID, then the ProSe Application for the specified Application ID is queried to verify this ownership and to receive the PDUID.

Figure 2-3: Sequence diagram of Restricted Discovery Model B

After all the checks have been performed, the ProSe Function allocates a ProSe Response Code and a ProSe Query Code associated with a Discovery Query Filter. The UE is then sent both Code-Receiving Security Parameters and Code-Sending Security Parameters, a Discovery Query Filter (instead of an Application Mask), and the ProSe Response Code. The UE is now ready to start monitoring the PC5 interface for ProSe Query Codes matching the Discovery Query Filter.

The Discoverer issues a Discovery Request as well, but specifies it wants to be the Discoverer. The request is checked by the HSS to verify whether the subscriber is authorized to use Restricted Discovery Model B; if so, then the ProSe Application Server is queried to get the PDUIDs for the RPAUIDs and the RPAUIDs which the requesting RPAUID is allowed to discover.

Depending on the HPLMN of the target PDUID, either the current ProSe Function queries the ProSe Function of the other PLMN for a ProSe Query Code and a ProSe Response Code or it already has them. If it does not trust the querying PLMN or the policy for the specific ProSe Application Server demands it, then the ProSe Function can check with the ProSe Function as to which RPAUIDs the requesting RPAUID is allowed to discover.

A Discovery Response Filter is then created by the ProSe Function based on the ProSe Response Code. The Discovery Response Filter and the ProSe Query Code are sent to the UE that requested to be a Discoverer and it is now ready to send its ProSe Query Code over the PC5 interface.

When the Discoverer has sent a ProSe Query Code that matches a Discoveree’s Discovery Response Filter, the Discoveree answers with its Discovery Response Code. Upon receiving a ProSe Response Code, the Discoverer sends a Match Request to the ProSe Function if it does not already have the RPAUID of the Discoveree. The Match Request contains the RPAUID of the Discoveree UE, its own identity, Application ID, and ProSe Response Code.

The ProSe Function checks whether the Discoverer UE is authorized to use Restricted Discovery and then finds the target RPAUID from the ProSe Response Code. Optionally, if the ProSe Function does not already have the corresponding PDUIDs for the RPAUIDs or wants to verify that they actually belong to the specific UEs, then it can query the ProSe Application Server for the Application ID. An acknowledgement is then sent to the Discoverer with the Application ID and the target RPAUID.

2.2.4.3 Direct Discovery for Public Safety use

Discovery for Public Safety UEs supports both Model A and Model B and the discovery target can either be other Public Safety UEs or UE-to-Network relays. It is a restricted discovery, but the procedures are different from those for non-Public Safety UEs.

A Public Safety UE is provisioned with authorization policies (if it is allowed to use Model A and/or B) and radio parameters for use when not served by an E-UTRAN. If a UE cannot locate itself within any geographical region for which it has radio parameters, then it is not allowed to transmit.

In Model A, a UE-to-Network relay announces its presence with a ProSe Relay UE ID that is a link layer ID for the relay and a Relay Service Code to indicate what services it provides. A ProSe Relay UE ID should be unique for every Relay Service Code it uses. Relays only announce and allow UEs to discover them (in Model A), not the other way around (i.e., UEs cannot solicit a UE-to-Network relay). However, UEs can announce to discover nearby group members by announcing their ProSe UE-ID as well as Discovery Group ID. Multiple announcements can be sent if the UE belongs to multiple groups. A UE-to-Network relay can also send a message containing extra information, such as the E-UTRAN Cell Global Identifier (ECGI) of the cell it is served by.

To find other group members in Model B, the discoverer UE sends out a message containing Discoverer Info providing information about the discoverer, a Discovery Group ID, and Target Info providing information about the user or group that is targeted. If the Target Info matches a nearby UE, this other UE (a Discoveree) answers with a Group Member Discovery Response message containing its ProSe UE-ID, Discovery Group ID, and Discoveree Info providing information about the Discoveree.

If the UE instead wants to discover nearby UE-to-Network relays, the UE announces its Discoverer Info, a Relay Service Code indicating what services the UE is interested in, and its ProSe Relay UE ID. Relays can then answer with a UE-to-Network Relay Discovery Response message containing ProSe Relay UE ID and Discoveree Info.

In addition to the possibility of a message with extra information in Model A containing the ECGI of the cell the relay is served by, the UE can also request the ECGI from the relay if this information is required by the application.

2.2.4.4 EPC-level ProSe Discovery

ProSe also offers a form of discovery resembling present LBS. In EPC-level ProSe Discovery the UEs report their location to the ProSe Function. The ProSe Function determines proximity and communicates with the Application Server to determine which UEs are allowed to discover each other.

2.2.5 Direct Communication

In ProSe there are two different kinds of Direct Communication depending on what spectrum the UE is allowed to use. Public Safety UEs are allowed to use the spectrum for PC5 to communicate directly even when they are not within any network’s coverage. Other users have to use Wi-Fi Direct instead.

2.2.5.1 Public Safety use

Public Safety users can either use PC5 or a UE-to-network relay to communicate one-to-one or one-to-many.

In one-to-many communication, the UE is configured with group information and radio resources are allocated. Since there is no connection, the UE starts listening to the specified radio resource and filters out messages with the correct ProSe Layer-2 Group-ID. All members of a group share a secret that is used to derive a group security key for encryption of all messages.

In one-to-one communication, the UE is configured with a long term key that can be symmetric or a public/private key pair. This form of communication is connection-based and when communication between two UEs is established, lower layer keys are derived to encrypt and integrity protect the communication. A connection is identified by the combination of the Layer-2 IDs of the users, which enables a UE to have multiple one-to-one communication links active concurrently.

If a user is communicating through a UE-to-network relay, it can request the serving ECGI from the relay.

2.2.5.2 EPC-support for WLAN Direct Communication

One alternative for WLAN Direct Communication is Wi-Fi Direct, also known as Wi-Fi Peer-to-Peer (Wi-Fi P2P). According to the Wi-Fi Alliance, Wi-Fi Direct has a maximum range of up to 200 meters [22]. The EPC can assist in setting up a WLAN direct group based on Wi-Fi Direct. If the ProSe Function decides to trigger the establishment of a WLAN direct group, it sends the necessary Assistance Information to the UEs to enable them to set up this communication. If the UE accepts the information, it sends back a response that can include parameters for the group, e.g. a channel number. If WLAN Direct Communication was the goal of EPC-level ProSe Discovery, then the necessary Assistance Information was already passed as a part of the Proximity Alert.

2.2.6 Security Aspects

For a discovery message sent over PC5, there are multiple protection mechanisms for security and privacy. Section 2.2.6.1 describes mechanisms applicable to both Open Discovery and Restricted Discovery, while Sections 2.2.6.2 and 2.2.6.3 describe mechanisms applicable only to Restricted Discovery. The ProSe Function decides which types of protection should be used when it sends the Code-Sending Security Parameters and Code-Receiving Security Parameters to the UEs in Restricted Discovery.

2.2.6.1 Message Authentication Code

In Open Discovery the UE gets a Discovery Key that is used to calculate the Message Authentication Code (MAC) (see Section 2.4.1.2). The MAC is calculated over a constant that is specific to each message type, the ProSe Application Code, and a UTC-based counter. The UTC-based counter has a resolution of 1 second and the 4 least significant bits of the counter are included in the discovery message in plain text (hence there is a maximum valid time for the message of 16 seconds). The MACs are always checked by the ProSe Function in Open Discovery.

In Restricted Discovery the UE gets a Discovery User Integrity Key (DUIK) unless certain conditions are met (see Section 2.2.6.3). As in Open Discovery, the MAC is calculated with the key, a specific constant, and a UTC-based counter with the same properties, but instead of the ProSe Application Code the ProSe Restricted Code is used.

In Restricted Discovery, the MAC may be checked by either the Discoverer UE or the ProSe Function. If the Discoverer UE was supplied the DUIK, then it performs the MAC check.

2.2.6.2 Scrambling

Scrambling can be used to avoid tracking of a UE over time. Scrambling prevents this tracking by removing the relationship between discovery messages sent by the same UE. Scrambling can be performed if the UE was supplied a Discovery User Scrambling Key (DUSK).

To calculate the scrambling bit sequence from the DUSK, a MAC is used that is calculated from the UTC-based counter with the 4 least significant bits set to zero and the DUSK as the key. The message and the resulting bit sequence are then XORed together.

2.2.6.3 Confidentiality

There is also the possibility to provide message-specific confidentiality for part of the discovery message. This could be used if it is desired to obfuscate part of the discovery message from UEs that are allowed to discover the Discoveree or if multiple UEs use the same DUSK.

Message-specific confidentiality is the last step to protect the message. This is performed by creating an encrypted_bits_mask and a Discovery User Confidentiality Key (DUCK), calculating a MAC, and XORing the output with the message. The encrypted_bits_mask specifies which bits in the message are obfuscated after the operation. This mask is needed to allow for partial matches by the receiver. The MAC is calculated with the DUCK, a UTC-based counter, and parts of the message that are to be obfuscated. This is done in such a way that only the non-encrypted bits in the resulting message are needed when calculating the bit sequence used for the obfuscation, hence the receiver can deobfuscate the message upon arrival.

According to the specification, a MAC is not needed when only one ProSe Code is protected by a DUSK that is matched by the receiver or if message-specific confidentiality is used and the receiving UE does not have the DUCK [21].
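The MAC check of Section 2.2.6.1 and the scrambling sequence of Section 2.2.6.2 can be sketched as follows; this is an added example, not code from the thesis or from 3GPP. It assumes HMAC-SHA-256 truncated to 32 bits as a stand-in MAC, a made-up message-type constant, a max offset of 7 seconds, and constructed keys, code and counter values; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Assumptions for this sketch (not taken from the thesis or from 3GPP):
# HMAC-SHA-256 truncated to 32 bits stands in for the MAC function, and
# MSG_TYPE_OPEN is a made-up message-type constant.
MSG_TYPE_OPEN = b"\x01"
MAC_LEN = 4
WINDOW = 16  # 4 counter bits sent in clear -> 16 one-second counter values


def compute_mac(key: bytes, code: bytes, counter: int) -> bytes:
    """MAC over the message-type constant, the code and the full UTC counter."""
    data = MSG_TYPE_OPEN + code + struct.pack(">I", counter)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def announce(key: bytes, code: bytes, utc_seconds: int) -> dict:
    """Fields an Announcing UE sends: code, MAC and only 4 counter bits."""
    return {
        "code": code,
        "mac": compute_mac(key, code, utc_seconds),
        "counter_lsb": utc_seconds % WINDOW,
    }


def reconstruct_counter(counter_lsb: int, observed: int) -> int:
    """Counter value closest to the observed time that ends in counter_lsb."""
    base = observed - (observed % WINDOW) + counter_lsb
    return min((base - WINDOW, base, base + WINDOW),
               key=lambda c: abs(c - observed))


def verify(key: bytes, msg: dict, observed: int, max_offset: int = 7) -> bool:
    """Verifier side: rebuild the counter from the reported time, recheck MAC."""
    counter = reconstruct_counter(msg["counter_lsb"], observed)
    if abs(counter - observed) > max_offset:
        return False
    expected = compute_mac(key, msg["code"], counter)
    return hmac.compare_digest(expected, msg["mac"])


def scrambling_sequence(dusk: bytes, counter: int, length: int) -> bytes:
    """Keyed bit sequence from the counter with its 4 low bits set to zero."""
    window_start = counter - (counter % WINDOW)
    digest = hmac.new(dusk, struct.pack(">I", window_start),
                      hashlib.sha256).digest()
    return digest[:length]  # enough for payloads of up to 32 bytes


def scramble(dusk: bytes, payload: bytes, counter: int) -> bytes:
    """XOR the payload with the sequence; applying it twice restores it."""
    seq = scrambling_sequence(dusk, counter, len(payload))
    return bytes(p ^ s for p, s in zip(payload, seq))


# Constructed sample values, for illustration only.
KEY = bytes(range(32))
DUSK = bytes(range(32, 64))
CODE = bytes.fromhex("0a1b2c3d4e5f")
T0 = 1_470_700_800  # constructed counter value whose low 4 bits are zero


def demo() -> dict:
    msg = announce(KEY, CODE, T0 + 5)
    tampered = dict(msg, code=bytes.fromhex("0a1b2c3d4e50"))
    return {
        "fresh": verify(KEY, msg, T0 + 5),
        # Same bytes reported by a second observer 2 s later. The check has
        # no location input, so it cannot tell where the message was heard.
        "second_observer": verify(KEY, msg, T0 + 7),
        "replayed_20s_later": verify(KEY, msg, T0 + 25),
        "tampered_code": verify(KEY, tampered, T0 + 5),
        "same_window_equal": scramble(DUSK, CODE, T0 + 1)
        == scramble(DUSK, CODE, T0 + 15),
        "next_window_differs": scramble(DUSK, CODE, T0 + 1)
        != scramble(DUSK, CODE, T0 + 16),
        "roundtrip": scramble(DUSK, scramble(DUSK, CODE, T0 + 3), T0 + 9) == CODE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counter bounds replay in time only: any observer whose reported time is within the offset passes the check, wherever the message was received. Because the scrambling sequence depends on the counter with its 4 low bits zeroed, it stays constant for 16 seconds and changes at the next window.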

2.3 Location privacy

According to the Oxford Dictionaries, privacy is “a state in which one is not observed or disturbed by other people” [2]. Location privacy is therefore the ability to conceal one’s location from others or avoid revealing one’s location.

There are many reasons to implement techniques to protect the user’s privacy. One of these reasons is to fulfill legislative requirements. Another reason is to satisfy users concerned about their privacy. Yet another reason is to protect the creators of services from bad publicity in case of misuse. A location can be combined with other data and depending on the context a certain combination can be a threat to the users’ privacy or not in need of protection. A location can have an ID linked to it that can either be a pseudonym or correspond to a specific person. In addition to an ID, there can also be a time indicating when the user resided at the location.

2.3.1 Legislation concerning Location Privacy

The process of creating new laws is a slow process, hence relatively little legislation is currently in place to protect users’ location privacy. In most countries there are laws protecting the user’s location information that is obtained by their mobile network operator, such as the Swedish law Personuppgiftslag (1998:204) [23] and the EU directive EUR-Lex-31995L0046-EN [24].

In the US there are states with laws to protect user privacy, but so far there is no clear protection of location information on a federal level. There are bills such as the GPS Act, Online Communications and Geolocation Protection Act, and Location Privacy Protection Act that are being considered [25].

However, despite laws to protect users’ privacy, many apps include user agreements giving the creators the right to violate it. Jinyan Zang et al. [26] tested 110 popular free apps for Android and iOS and found that 47% of the iOS apps and 33% of the Android apps send location information to third parties. Hazim Almuhimedi et al. conducted a study of the use of a permission manager and an app that gives statistics on other apps’ permission usage. They found that 98% of the users ended up reassessing their apps’ permissions; as an example of the statistics, one participant’s apps used the device’s location 5398 times with 10 different apps during 14 days [27].

2.3.2 User studies

Many studies have been done about how valuable users think their location information is to them. The users have been offered money or the chance to win something if they give up location data for a certain time. In [28], George Danezis, Stephen Lewis, and Ross Anderson reported that the median price users demanded for a month of their location information was 10£, while in [29] Dan Cvrcek, et al. used more participants and reported a median of 20£ using a similar method. Both studies were done using an auction where the users could offer their location data to a possibly privacy-violating study. Participants did not know the study was on how valuable they thought their own location data was. John Krumm offered the participants the chance to win an MP3 player worth US$200 to give up a month of location data and only 20% of the 97 participants they asked did not want their location data shared with 3rd parties [30].

Another study done by Eija Kaasinen [31] revealed that users did not realize that when using location-aware services they could be located while using these services. This study also showed that the participants were generally not concerned about privacy issues related to location-aware services.

A study by Louise Barkhuus and Anind Dey [32] about both location-aware services and location-tracking services showed that how useful participants found the services affected the perceived intrusiveness on their privacy. It was also shown that location-aware services did not feel as intrusive as location-tracking services.

2.3.3 Risks with reduced location privacy

Janice Y. Tsai et al. studied the risks concerning location privacy by conducting surveys [33]. The risk that was believed to be most likely was to be bothered with ads based on location, but it was also one of the risks that were expected to cause the least harm. What was believed to potentially cause the most harm was to be stalked. However, this was one of the scenarios that were believed to be least probable. Some of the other risks that were expected to potentially cause a lot of harm were to reveal the location of one’s home, being found by someone you do not want to see, or being tracked by the government.

Other risks were mentioned and those considered the most likely or expected to cause the most harm were being spied on by your boss and revealing activities you participate in. There are also a lot of indirect risks related to location privacy, such as the possibility for burglars to know based on your location when you are not home or to locate targets (e.g. identifying a defense contractor for social engineering or theft of potentially sensitive data).

2.3.4 Location Privacy Protection Mechanisms

Marius Wernke, et al. [34] briefly describe and evaluate a number of the existing mechanisms based on what protection the mechanisms give. A big difference between different location-privacy preserving mechanisms (LPPMs) is the requirement for a trusted third party. Whether a trusted third party is available or not effectively determines which kinds of LPPMs can be used. Other factors that limit the choice of LPPM are what aspects (ID, location, and/or time) the mechanism is to protect.

2.3.4.1 Spatial obfuscation

Spatial obfuscation occurs when the precision of the location is reduced to protect the exact location of the user. In [35], C. A. Ardagna et al. describe the location as a circular area with a certain midpoint and radius in which the user is located with a probability of 1 and the probability density function is uniform over the area. The obfuscation techniques considered are enlarging the radius, shifting the center, and reducing the radius. Their results are that any of these methods can be equivalent with the others. The three methods with appropriate parameters give the same relative privacy.

If coordinates with a certain resolution are used and the location precision is reduced by removing some of the least significant digits, this effectively enlarges the radius and shifts the center in a predictable direction. However, this area is shaped like a square, rather than a circle. The new area is guaranteed to contain the user’s real location originally given by the more exact coordinates.
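The effect of removing least significant digits from a coordinate pair, as described in Section 2.3.4.1, can be worked through as follows; this is an added example, not code from the thesis. It assumes that digit removal truncates toward zero, uses a rough value of 111,320 m per degree of latitude, and runs on constructed coordinates; the function names are hypothetical.

```python
import math
from decimal import ROUND_DOWN, Decimal

# Rough metres per degree of latitude (approximation, assumed for the sketch).
M_PER_DEG_LAT = 111_320


def cell_axis(value: str, digits: int):
    """Reported value and the interval of exact values that map to it.

    Erasing digits truncates toward zero, so for a negative coordinate the
    interval extends away from zero (below the reported value).
    """
    step = Decimal(1).scaleb(-digits)
    exact = Decimal(value)
    reported = exact.quantize(step, rounding=ROUND_DOWN)
    if exact < 0:
        return reported, reported - step, reported
    return reported, reported, reported + step


def obfuscate(lat: str, lon: str, digits: int) -> dict:
    """Cell implied by keeping `digits` decimals of a latitude/longitude pair."""
    r_lat, lat_lo, lat_hi = cell_axis(lat, digits)
    r_lon, lon_lo, lon_hi = cell_axis(lon, digits)
    center = ((lat_lo + lat_hi) / 2, (lon_lo + lon_hi) / 2)
    height_m = float(lat_hi - lat_lo) * M_PER_DEG_LAT
    width_m = (float(lon_hi - lon_lo) * M_PER_DEG_LAT
               * math.cos(math.radians(float(center[0]))))
    return {
        "reported": (r_lat, r_lon),
        "cell": ((lat_lo, lat_hi), (lon_lo, lon_hi)),
        "center": center,
        # Offset from the reported point to the middle of the cell: always
        # half a step, with a sign fixed by the sign of the coordinate.
        "center_shift": (center[0] - r_lat, center[1] - r_lon),
        "contains_real": (lat_lo <= Decimal(lat) <= lat_hi
                          and lon_lo <= Decimal(lon) <= lon_hi),
        "size_m": (round(height_m), round(width_m)),
    }


# Constructed sample positions, for illustration only.
NORTH_EAST = ("59.404912", "17.949286")
SOUTH_WEST = ("-33.868820", "-70.648270")

if __name__ == "__main__":
    for lat, lon in (NORTH_EAST, SOUTH_WEST):
        for digits in (2, 3):
            result = obfuscate(lat, lon, digits)
            print(digits, result["reported"], result["center_shift"],
                  result["size_m"], result["contains_real"])
```

The cell is square in degrees, but its east-west extent in metres shrinks with the cosine of the latitude, so the same number of retained digits hides a smaller area at high latitudes.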
