Location-based System Delivers User Authentication Breakthrough By Dorothy E. Denning and Peter F. MacDoran Copyright(c), 1996 - Computer Security Institute - All Rights Reserved Top - Help Existing user authentication mechanisms are based on information the user knows (e.g., password or PIN), possession of a device (e.g, access token or crypto- card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception or brute force search. Devices can be stolen. Biometrics can be vulnerable to interception and replay. A new approach to authentication utilizes space geodetic methods to form a time- dependent location signature that is virtually impossible to forge. The signature is used to determine the location (latitude, longitude and height) of a user attempting to access a system, and to reject access if the site is not approved for that user. With location-based controls, a hacker in Russia would be unableto log into a funds transfer system in the United States while pretending to come from a bank in Argentina. Location-based authentication can be used to control access to sensitive systems, transactions or information. It would be a strong deterrent to many potential intruders, who now hide behind the anonymity afforded by their remote locations and fraudulent use of conventional authentication methods. If the fraudulent actors were required to reveal their location in order to gain access, their anonymity would be significantly eroded and their chances of getting caught would increase. Authentication through geodetic location has other benefits. It can be continuous, thereby protecting against channel hijacking. It can be transparent to the user. Unlike most other types of authentication information, a user's location can serve as a common authenticator for all systems the user accesses. These features make location-based authentication a good technique to use in conjunction with single log-on. Another benefit is there is no secret information to protect either at the host or user end. If a user's authentication device is stolen, use of the device will not compromise the system but only reveal the thief's location. A further benefit of geodetic-derived location signatures is that they provide a mechanism for implementing an electronic notary function. The notary could attach a location signature to a document as proof that the document existed at a particular location and instant in time. The use of geographic location can supplement or complement other methods of authentication, which are still useful when users at the same site have separate accounts and privileges. Its added value is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, telephone switching, air traffic control, and banking, this extra assurance could be extremely important in order to avoid a potential catastrophe with reverberations far beyond the individual system cracked. How it works International Series Research (Boulder, CO) has developed a technology for achieving location-based authentication. Called CyberLocator, the technology makes use of the microwave signals transmitted by the twenty-four satellite constellation of the Global Positioning System (GPS). Because the signals are everywhere unique and constantly changing with the orbital motion of the satellites, they can be used to create a location signature that is unique to a particular place and time. The signature, which is computed by a special GPS sensor connected to a small antenna, is formed from bandwidth compressed raw observations of all the GPS satellites in view. As currently implemented, the location signature changes every five milliseconds. However, there are options to create a new signature every few microseconds. When attempting to gain access to a host server, the remote client is challenged to supply its current location signature. The signature is then configured into packets and transferred to the host. The host, which is also equipped with a GPS sensor, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters to centimeters, if required). For two-way authentication, the reverse process would be performed. In the current implementation, location signatures are 20,000 bytes. For continuous authentication, an additional 20 bytes per second are transferred. Re- authorization can be performed every few seconds or longer. The location signature is virtually impossible to forge at the required accuracy. This is because the GPS observations at any given time are essentially unpredictable to high precision due to subtle satellite orbit perturbations, which are unknowable in real-time, and intentional signal instabilities (dithering) imposed by the U.S. Department of Defense selective availability (SA) security policy. Further, because a signature is invalid after five milliseconds, the attacker cannot spoof the location by replaying an intercepted signature, particularly when it is bound to the message (e.g., through a checksum or digital signature). Continuous authentication provides further protection against such attacks. Conventional (code correlating and differential) GPS receivers are not suitable for location authentication because they compute latitude, longitude and height directly from the GPS signals. Thus, anyone can report an arbitrary set of coordinates and there is no way of knowing if the coordinates were actually calculated by a GPS receiver at that location. A hacker could intercept the coordinates transmitted by a legitimate user and then replay those coordinates in order to gain entry. Typical code correlating receivers, available to civilian users, are also limited to 100 meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy by employing differential GPS techniques at the host, which has access to its own GPS signals as well as those of the client. DGPS methods attenuate the satellite orbit errors and cancel SA dithering effects. Where it works Location-based authentication is ideal for protecting fixed sites. If a company operates separate facilities, it could be used to restrict access or sensitive transactions to clients located at those sites. For example, a small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each facility and connected by cable to a location signature sensor within the building. The sensor, which would be connected to the site's local area network, would authenticate the location of all users attempting to enter the protected network. Whenever a user ventured outside the network, the sensor would supply the site's location signature. Alternatively, rather than using a single sensor, each user could be given a separate device, programmed to provide a unique signature for that user. Location-based authentication could facilitate telecommuting by countering the vulnerabilities associated with remote access over dial-in lines and Internet connections. All that would be needed is a reasonably unobstructed view of the sky at the employee's home or remote office. Related application environments include home banking, remote medical diagnosis and remote process control. Although it is desirable for an antenna to be positioned with full view of the sky, this is not always necessary. If the location and environment are known in advance, then the antenna can be placed on a window with only a limited view of the sky. The environment would be taken into account when the signals are processed at the host. For remote authentication to succeed, the client and host must be within 2,000 to 3,000 kilometers of each other so that their GPS sensors pick up signals from some of the same satellites. By utilizing a few regionally deployed location signature sensors (LSS), this reach can be extended to a global basis. For example, suppose that a bank in Munich needs to conduct a transaction with a bank in New York and that a London-based LSS provides a bridge into Europe. Upon receiving the location signatures from London and Munich, the New York bank can verify the location of the Munich bank relative to the London LSS and the London LSS relative to its own location in New York. The technology is also applicable to mobile computing. In many situations, it would be possible to know the general vicinity where an employee is expected to be present and to use that information as a basis for authentication. Even if the location cannot be known in advance, the mere fact that remote users make their locations available will substantially enhance their authenticity. In his new book, The Road Ahead, Bill Gates predicts that wallet PCs, networked to the information highway, will have built-in GPS receivers as navigational assistants. With the CyberLocator technology, these PC receivers can also perform authentication while being a factor of ten less expensive than conventional code correlating receivers (most of the processing is executed in the host rather than the remote units), which only achieve 100 meter accuracy, and a factor of a hundred less expensive than conventional DGPS receivers. Location-based authentication is a powerful new tool that can provide a new dimension of network security never before possible. The CyberLocator technology is currently operational in a portable demonstration. Dorothy E. Denning is professor of computer science at Georgetown University (Washington, D.C.) and consultant to ISR. She can be reached at 202-687-5703 or denning@cs.georgetown.edu. Peter F. MacDoran is president and CEO of International Series Research, Inc. (Boulder, CO). He can be reached at 303-447- 0300 or pmacdorn@isrinc.com. $0$AD