RFC 3694                Threat Analysis of the Geopriv Protocol            February 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Habitat of the Geopriv Protocol  . . . . . . . . . . . . . . .  3
   3.  Motivations of Attackers of Geopriv  . . . . . . . . . . . . .  4
   4.  Representative Attacks on Geopriv  . . . . . . . . . . . . . .  5
       4.1.  Protocol Attacks . . . . . . . . . . . . . . . . . . . .  5
             4.1.1.  Eavesdropping and/or Interception  . . . . . . .  5
             4.1.2.  Identity Spoofing  . . . . . . . . . . . . . . .  6
             4.1.3.  Information Gathering  . . . . . . . . . . . . .  7
             4.1.4.  Denial of Service  . . . . . . . . . . . . . . .  8
       4.2.  Host Attacks . . . . . . . . . . . . . . . . . . . . . .  9
             4.2.1.  Data Stored at Servers . . . . . . . . . . . . .  9
             4.2.2.  Data Stored in Devices . . . . . . . . . . . . .  9
             4.2.3.  Data Stored with the Viewer  . . . . . . . . . . 10
             4.2.4.  Information Contained in Rules . . . . . . . . . 10
       4.3.  Usage Attacks  . . . . . . . . . . . . . . . . . . . . . 11
             4.3.1.  Threats Posed by Overcollection  . . . . . . . . 11
   5.  Countermeasures for Usage Violations . . . . . . . . . . . . . 12
       5.1.  Fair Information Practices . . . . . . . . . . . . . . . 12
   6.  Security Properties of the Geopriv Protocol  . . . . . . . . . 13
       6.1.  Rules as Countermeasures . . . . . . . . . . . . . . . . 13
             6.1.1.  Rule Maker Should Define Rules . . . . . . . . . 13
             6.1.2.  Geopriv Should Have Default Rules  . . . . . . . 14
             6.1.3.  Location Recipient Should Not Be Aware of All
                     Rules  . . . . . . . . . . . . . . . . . . . . . 14
             6.1.4.  Certain Rules Should Travel With the LO  . . . . 14
       6.2.  Protection of Identities . . . . . . . . . . . . . . . . 14
             6.2.1.  Short-Lived Identifiers May Protect Target's
                     Identity . . . . . . . . . . . . . . . . . . . . 15
             6.2.2.  Unlinked Pseudonyms May Protect the Location
                     Recipients' Identity . . . . . . . . . . . . . . 15
       6.3.  Security During Transmission of Data . . . . . . . . . . 15
             6.3.1.  Rules May Disallow a Certain Frequency of
                     Requests . . . . . . . . . . . . . . . . . . . . 15
             6.3.2.  Mutual End-Point Authentication  . . . . . . . . 16
             6.3.3.  Data Object Integrity & Confidentiality  . . . . 16
             6.3.4.  Replay Protection  . . . . . . . . . . . . . . . 16
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
   9.  Informative References . . . . . . . . . . . . . . . . . . . . 16
   10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
   11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 18

Danley, et al.               Informational