You are here: Resources > FIDIS Deliverables > HighTechID > D3.3: Study on Mobile Identity Management > 

D3.3: Study on Mobile Identity Management

Approaches for Mobile Identity Management Systems  Study on Mobile Identity Management


Freiburg Location addressing as anonymity mechanism

Location addressing is an anonymous mechanism which protects the linkability of the user’s interaction with services by the address of his mobile device. The principle of location addressing as an anonymity mechanism is in figure 5-1 demonstrated by the Freiburg Privacy Diamond (see section 3.1). Two connections are preserved: the relations between user and device and between action and location. The reason for preserving the relations between action and location is that optimisation based on the current location of the mobile device is possible. The networking infrastructure is able to optimise routing according to where messages associated to the action originate from and go to. In addition, the device can use supporting services in the vicinity of the device, like directory services, because its location does not have to be concealed. Not severing the relations between device and user has the advantage that the users can keep their personal devices. This gives them a trusted environment in which to store personal data.


Figure 5-1: Location addressing for protecting the unlinkability of a mobile user 


The relationship between user and location are hidden from the attacker by mobility of the user. The user performs actions from different locations which are inconspicuous, i.e. do not allow conclusion of the identity of the user from the location alone. Obscuring the relations between device and location is done in the same manner. To ensure that the attacker is not able to directly link user to action, a tool like an identity manager prevents personally identifying data from being included in the action. 

Because only one device can occupy a physical space at a time, it seems natural to use the location of the device as its address. Technical limitations regarding the resolution with which the location can be determined may lead to the situation where two devices have the same address. The same problem can be caused by the fact that actions are not atomic, they may take time during which the device may move. Therefore, an additional part to distinguish between devices that are seemingly at the same location is necessary. This part is chosen randomly (Zugenmaier, 2003). 

Architecture of

There are two possibilities for implementing location addressing: either as a network layer or sub layer, or within a management plane. Implementation as a separate layer is advantageous because it does not violate the principle of layering within the communication protocol stack. However, it has the major disadvantage that all entities involved in the communication at that layer must implement a location addressing layer, e.g. necessitating changes in routers or similar intermediary devices. 

The Freiburg Location Addressing Scheme (FLASCHE) implements location addressing as a management plane (Zugenmaier, 2003). Figure 5-2 gives an overview of the architecture of FLASCHE on a UNIX based system. This approach has the advantage of keeping the protocol stack mainly unchanged and necessitates alterations only at the mobile device. The examination of the protocols shows that the management plane span transport, network and data link layers. The changes to the HTTP protocol are done with the identity manager of the mobile device, which runs as a proxy at the application layer. The management plane can replace all addresses unique to the device by addresses derived from the location of the device. Addresses unique to the device are used at the network layer, i.e. the IP address and the data link layer, the Ethernet address at the media access layer. Thus, this management plane is able to access the data link and network layers and is able to set the addresses at these layers. The management plane is also be able to associate addresses to TCP connections at the transport layer and is able to determine when a connection is set up and torn down, in order to determine the lifetime of addresses. The management plane does not access connection information of the application layer, as there are too many different implementations of connection management at this layer. Determination of location is performed outside of the management plane.


Figure 5-2: Location addressing with browser and identity manager on UNIX based system 


Connection supervision is a monitor at the service access point of the transport layer. There all requests for connection set up and connection tear down of the application layer can be seen. The management plane keeps a data structure listing all active connections. Address control derives the device address to be used from the current location. The addresses of the device on the data link and network layers are changed simultaneously. If they were not changed synchronously, the network layer address or the data link layer address would enable linking of actions. A new network layer address could be linked to the network layer address previously used by the same device by correlating the data link layer addresses or vice versa. 


The anonymity mechanism FLASCHE exploits a user’s mobility to provide anonymity for an action of the mobile user under the condition that the user does not identify himself in the action, the device used to perform that action can not be uniquely identified, and the location of the user and the device does not offer any clues about the identity of the user. The mechanism is resilient to traffic analysis attacks, as they provide information about the location of the device, which by design does not have ot be kept secret. The most serious attack on location addressing is physically observing the location where the action takes place. However, proliferation of the surveillance of public places, coupled with person recognition systems, may make it generally impossible to remain anonymous outside one’s own home. In addition to recognizing the person the surveillance system may also capture the content of the screen of the mobile device.

Proof of concept implementations for all aspects of the described implementation exist, however an efficient implementation of the complete system is not yet realized. Future work also includes anonymous service discovery. 


Approaches for Mobile Identity Management Systems  fidis-wp3-del3.3.study_on_mobile_identity_management.final_04.sxw  mCrowd
22 / 36