Distributed Authentication in Anonymous Mobile Communities
With the recent boom in smartphones technology, online social networks are going mobile. This trend urged phone manufacturers and social networking companies to seek novel business strategies to monetize from these new "gateways" and to give the users a richer experience. A major path that is being followed in that regard is location-based services, benefiting from the devices’ capability of detecting positions and communicating with the surrounding. Numerous possibilities evolve as a result, including custom advertisements about local businesses or notifications about friends in proximity.
Nevertheless, with these services getting access to every user’s movements, shopping behavior, and communication patterns, anonymity and privacy are at the risk of being undermined. The always-on requirement of such mobile services also raises concerns about power efficiency. Furthermore, the internet connection requirement of these servicesmakes them out of reach of a large population in the world who do not have mobile internet subscriptions. From that stems the need for a new direction of systems, where, in addition to privacy, anonymity, and power-efficiency, a user is able to socialize with his surrounding wherever he goes, without connecting to a central online server. We denote such a system as a Local Community System (LCS), where people with common interests can form ad hoc groups and locally share information or subscribe to updates from their surrounding.
Despite the need of anonymity towards externals, users desire to be identified by their friends. Accordingly, there is a need for such an identification scheme that allows users to know and securely verify the senders of messages in the LCS. This system should also be resistant to adversarial behavior, especially that wireless communication occurs in broadcastmediums. Mechanisms ought to be provided to allow users to revoke unwanted members. These are the problems thatwe tackle in this thesis,with a focus on user authentication and key management in the LCS.
First, we analyze and provide the techniques suitable for identifying users and guaranteeing message integrity in the LCS, combining them with previous modules for community privacy. Then, we tackle the key renewal problem, which is sufficient for revoking users in the LCS. The major challenges thatmake this problem novel are the absence of a central revocation server, the mobility of the users, and the low-communication overhead requirement. We overcome these challenges by proposing a new revocation scheme that provides an adequate tradeoff between the different metrics. All these techniques are done with user privacy and message confidentiality in mind and were integrated into the implementation of a prototype LCS system.