Fun_People Archive
22 Apr
Denning/MacDoran's `Location-based User Authentication'

Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Mon, 22 Apr 96 14:44:02 -0700
To: Fun_People
Subject: Denning/MacDoran's `Location-based User Authentication'

Forwarded-by: Keith Bostic <>

Location-based System Delivers User Authentication Breakthrough

By Dorothy E. Denning and Peter F. MacDoran
Copyright(c), 1996 - Computer Security Institute - All Rights Reserved

Existing user authentication mechanisms are based on information the user
knows (e.g., password or PIN), possession of a device (e.g, access token
or crypto- card), or information derived from a personal characteristic
(biometrics). None of these methods are foolproof. Passwords and PINs are
often vulnerable to guessing, interception or brute force search. Devices
can be stolen. Biometrics can be vulnerable to interception and replay.

A new approach to authentication utilizes space geodetic methods to form a
time-dependent location signature that is virtually impossible to forge.
The signature is used to determine the location (latitude, longitude and
height) of a user attempting to access a system, and to reject access if
the site is not approved for that user. With location-based controls, a
hacker in Russia would be unableto log into a funds transfer system in the
United States while pretending to come from a bank in Argentina.

Location-based authentication can be used to control access to sensitive
systems, transactions or information. It would be a strong deterrent to
many potential intruders, who now hide behind the anonymity afforded by
their remote locations and fraudulent use of conventional authentication
methods. If the fraudulent actors were required to reveal their location in
order to gain access, their anonymity would be significantly eroded and
their chances of getting caught would increase.

Authentication through geodetic location has other benefits. It can be
continuous, thereby protecting against channel hijacking. It can be
transparent to the user. Unlike most other types of authentication
information, a user's location can serve as a common authenticator for all
systems the user accesses. These features make location-based
authentication a good technique to use in conjunction with single log-on.
Another benefit is there is no secret information to protect either at the
host or user end. If a user's authentication device is stolen, use of the
device will not compromise the system but only reveal the thief's location.
A further benefit of geodetic-derived location signatures is that they
provide a mechanism for implementing an electronic notary function. The
notary could attach a location signature to a document as proof that the
document existed at a
particular location and instant in time.

The use of geographic location can supplement or complement other methods
of authentication, which are still useful when users at the same site have
separate accounts and privileges. Its added value is a high level of
assurance against intrusion from any unapproved location regardless of
whether the other methods have been compromised. In critical environments,
for example, military command and control, telephone switching, air traffic
control, and banking, this extra assurance could be extremely important in
order to avoid a potential catastrophe with reverberations far beyond the
individual system cracked.

How it works

International Series Research (Boulder, CO) has developed a technology
for achieving location-based authentication. Called CyberLocator, the
technology makes use of the microwave signals transmitted by the
twenty-four satellite constellation of the Global Positioning System
(GPS).  Because the signals are everywhere unique and constantly changing
with the orbital motion of the satellites, they can be used to create a
location signature that is unique to a particular place and time. The
signature, which is computed by a special GPS sensor connected to a small
antenna, is formed from bandwidth compressed raw observations of all the
GPS satellites in view. As currently implemented, the location signature
changes every five milliseconds. However, there are options to create a
new signature every few microseconds.

When attempting to gain access to a host server, the remote client is
challenged to supply its current location signature. The signature is then
configured into packets and transferred to the host. The host, which is
also equipped with a GPS sensor, processes the client signature and its own
simultaneously acquired satellite signals to verify the client's location
to within an acceptable threshold (a few meters to centimeters, if

For two-way authentication, the reverse process would be performed. In the
current implementation, location signatures are 20,000 bytes. For
continuous authentication, an additional 20 bytes per second are
transferred. Re- authorization can be performed every few seconds or
longer. The location signature is virtually impossible to forge at the
required accuracy. This is because the GPS observations at any given time
are essentially unpredictable to high precision due to subtle satellite
orbit perturbations, which are unknowable in real-time, and intentional
signal instabilities  (dithering) imposed by the U.S. Department of Defense
selective availability (SA) security policy. Further, because a signature
is invalid after five milliseconds, the attacker cannot spoof the location
by replaying an intercepted signature, particularly when it is bound to the
message (e.g., through a checksum or digital signature). Continuous
authentication provides further protection against such attacks.

Conventional (code correlating and differential) GPS receivers are not
suitable for location authentication because they compute latitude,
longitude and height directly from the GPS signals. Thus, anyone can report
an arbitrary set of coordinates and there is no way of knowing if the
coordinates were actually calculated by a GPS receiver at that location. A
hacker could intercept the coordinates transmitted by a legitimate user and
then replay those coordinates in order to gain entry. Typical code
correlating receivers, available to civilian users, are also limited to 100
meter accuracy. The CyberLocator sensors achieve meter (or better) accuracy
by employing differential GPS techniques at the host, which has access to
its own GPS signals as well as those of the client. DGPS methods attenuate
the satellite orbit errors and cancel SA dithering effects.

Where it works

Location-based authentication is ideal for protecting fixed sites. If a
company operates separate facilities, it could be used to restrict access
or sensitive transactions to clients located at those sites. For example, a
small (7 cm x 7 cm) GPS antenna might be placed on the rooftop of each
facility and connected by cable to a location signature sensor within the
building. The sensor, which would be connected to the site's local area
network, would authenticate the location of all users attempting to enter
the protected network. Whenever a user ventured outside the network, the
sensor would supply the site's location signature. Alternatively, rather
than using a single sensor, each user could be given a separate device,
programmed to provide a unique signature for that user. Location-based
authentication could facilitate telecommuting by countering the
vulnerabilities associated with remote access over dial-in lines and
Internet connections. All that would be needed is a reasonably
unobstructed view of the sky at the employee's home or remote office.
Related application environments include home banking, remote medical
diagnosis and remote process control. Although it is desirable for an
antenna to be positioned with full view of the sky, this is not always
necessary. If the location and environment are known in advance, then the
antenna can be placed on a window with only a limited view of the sky. The
environment would be taken into account when the signals are processed at
the host.

For remote authentication to succeed, the client and host must be within
2,000 to 3,000 kilometers of each other so that their GPS sensors pick up
signals from some of the same satellites. By utilizing a few regionally
deployed location signature sensors (LSS), this reach can be extended to a
global basis. For example, suppose that a bank in Munich needs to conduct a
transaction with a bank in New York and that a London-based LSS provides a
bridge into Europe. Upon receiving the location signatures from London and
Munich, the New York bank can verify the location of the Munich bank
relative to the London LSS and the London LSS relative to its own location
in New

The technology is also applicable to mobile computing. In many situations,
it would be possible to know the general vicinity where an employee is
expected to be present and to use that information as a basis for
authentication. Even if the location cannot be known in advance, the mere
fact that remote users make their locations available will substantially
enhance their authenticity. In his new book, The Road Ahead, Bill Gates
predicts that wallet PCs, networked to the information highway, will have
built-in GPS receivers as navigational assistants. With the CyberLocator
technology, these PC receivers can also perform authentication while being
a factor of ten less expensive than conventional code correlating receivers
(most of the processing is executed in the host rather than
the remote units), which only achieve 100 meter accuracy, and a factor of a
hundred less expensive than conventional DGPS receivers. Location-based
authentication is a powerful new tool that can provide a new dimension of
network security never before possible. The CyberLocator technology is
currently operational in a portable demonstration.

Dorothy E. Denning is professor of computer science at Georgetown
University (Washington, D.C.) and consultant to ISR. She can be reached at
202-687-5703 or Peter F. MacDoran is president
and CEO of International Series Research, Inc. (Boulder, CO). He can be
reached at 303-447- 0300 or

prev [=] prev © 1996 Peter Langston []