Location-restricted access to data.

April 20, 2015

A few years ago I was approached by someone with an intriguing question: would it be possible to restrict access to a website based on your current location? The person who asked me was busy with a project in a neighbourhood close to where I grew up. Part of it is a national monument. The neighbourhood association wanted to revive the history of the neighbourhood by creating a web page for every house in the neighbourhood. To also restore some of the community spirit, they didn't want to just set up a universally accessible website. Instead they wanted to create a page you could only visit if you were actually standing in front of the house. This would invite people to walk around in (their own) neighbourhood, visit web pages linked to certain houses, and in the process get in contact with the current inhabitants. The reason I blog about it is that they officially launched the project (and the corresponding website) last Friday. And unfortunately I couldn't be there...

I thought the question was interesting, not only because I liked the particular project, but also because there are other situations in which restricting access to content based on location is relevant. Think about highly sensitive documents that are stored in (physically) protected locations. Restricting access based on location would also make sense when working with sensitive personal data, in hospitals for instance. And by requiring physical proximity, you increase the effort that attackers need to invest to get at the information. So it might also be a useful (additional) protection layer for accessing keys, e.g. for signing documents. And with that it has some similarities with problems distance bounding protocols try to solve. Unfortunately any system providing such functionality has only a limited security level, because once the web page can be accessed legitimately, a local copy can be made and accessed at any location. That drawback disappears for highly dynamic content, a copy of which remains relevant for only a brief amount of time.

There appear to be several possible approaches to tackle this problem.

Short-lived URLs

Suppose we can use an RFID tag attached to the location (the house in this case) that can also do a little bookkeeping and a little cryptography. The bookkeeping consists of a simple counter that starts at 0 and is incremented whenever the tag is scanned. The URL of the corresponding web page consists of the hostname of the web server followed by the full path to the page. When scanned, the RFID tag provides the hostname in plaintext, but encrypts the path together with the counter using the public key of the web server hosting the page. The device scanning the RFID tag sends this ciphertext to the web server, which decrypts the path and serves the corresponding page, but only if the counter included in the request is larger than the highest counter previously seen for this page.

Tamper resistance must be added to make the RFID tag stop working as soon as it is removed from its location. Also, the smartphone must have an NFC reader to scan the RFID tag and visit the web page through the temporary URL.
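As an added example (not code from this post or from the association's project), here is a small Go model of the short-lived-URL scheme described above: a tag that encrypts its scan counter and page path under the web server's public key, and a server that decrypts the token and rejects any counter that is not larger than the highest one it has already accepted for that page. RSA-OAEP, the plaintext layout (an 8-byte big-endian counter followed by the path) and the hostname and path values are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical model of the short-lived-URL scheme; not the project's code.
// RSA-OAEP and the counter||path byte layout are assumptions.

// oaepLabel is bound into every token, so a ciphertext produced for some other
// purpose under the same key fails at decryption time.
var oaepLabel = []byte("location-restricted-url")

// ErrReplay: the token's counter is not newer than the highest counter already
// accepted for this page (a saved or captured link being used again).
var ErrReplay = errors.New("stale token: counter already seen for this page")

// Tag models the RFID tag fixed to one house: page path, monotonically
// increasing scan counter and the web server's public key.
type Tag struct {
	Hostname  string
	path      string
	counter   uint64
	serverPub *rsa.PublicKey
}

func NewTag(hostname, path string, serverPub *rsa.PublicKey) *Tag {
	return &Tag{Hostname: hostname, path: path, serverPub: serverPub}
}

// Scan bumps the counter and returns what the phone receives: the hostname in
// the clear plus one ciphertext covering both counter and path, so neither can
// be altered independently of the other.
func (t *Tag) Scan() (host string, token []byte, err error) {
	t.counter++
	plain := make([]byte, 8+len(t.path))
	binary.BigEndian.PutUint64(plain[:8], t.counter)
	copy(plain[8:], t.path)
	token, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPub, plain, oaepLabel)
	if err != nil {
		return "", nil, err
	}
	return t.Hostname, token, nil
}

// Server holds the private key and, per page path, the highest counter accepted
// so far. The map is in memory here; a deployment must persist it, otherwise a
// restart re-admits every token ever issued.
type Server struct {
	priv    *rsa.PrivateKey
	mu      sync.Mutex
	highest map[string]uint64
}

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, highest: make(map[string]uint64)}, nil
}

// PublicKey is what gets provisioned into every tag.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Resolve turns a token into the path to serve, or an error if the token was
// not made for this server's key, is malformed, or replays an older scan.
func (s *Server) Resolve(token []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, token, oaepLabel)
	if err != nil {
		return "", errors.New("token does not decrypt under this server's key")
	}
	if len(plain) <= 8 {
		return "", errors.New("malformed token: no path after counter")
	}
	counter := binary.BigEndian.Uint64(plain[:8])
	path := string(plain[8:])
	s.mu.Lock()
	defer s.mu.Unlock()
	if counter <= s.highest[path] {
		return "", ErrReplay
	}
	s.highest[path] = counter
	return path, nil
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample values for the demo.
	tag := NewTag("houses.example", "/house/12", srv.PublicKey())
	host, token, _ := tag.Scan()
	path, err := srv.Resolve(token)
	fmt.Printf("first use:  https://%s%s err=%v\n", host, path, err)
	_, err = srv.Resolve(token) // same token again, e.g. from a saved link
	fmt.Printf("replayed:   err=%v\n", err)
	_, token, _ = tag.Scan() // a fresh scan at the house is accepted again
	path, err = srv.Resolve(token)
	fmt.Printf("fresh scan: https://%s%s err=%v\n", host, path, err)
}
```

Running it shows a first use succeed, the same token fail on replay, and a fresh scan succeed again. Two things the model makes visible: the per-page highest-counter table is the server's only state, so it has to be persisted; and since the server's key is public, a token only proves that whoever made it knew the path, so the scheme's strength rests on the path never leaving the tag, which is why the tamper-resistance requirement above matters.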

Authenticated GPS

An alternative approach is to use a secure way to both measure and prove your current location. Proposals to achieve exactly that exist for authenticated Global Navigation Satellite Systems (GNSS), and they even work for civilian GNSS receivers, which do not have access to the authenticated signals present in most GNSSs. Note that in this application it is not enough that the user himself is assured of the location reported to him by his GNSS receiver. The user needs to be able to prove this location to the web server hosting the location-restricted data.

(Very) local wireless network

Another solution is to completely reverse the setup. Instead of having a globally accessible server that needs to decide whether an incoming request comes from an allowed location, we can make the server itself accessible only at the intended location, using a wireless network with a very short range. By connecting to the 'access point' you get the associated page served on your device. It then becomes an engineering problem to reduce the signal strength enough that you cannot access the web page from more than a few feet away.

This solution is probably more costly than the other ones, because you need a separate access point for each location, with a little web server integrated into it.

The actual solution...

In the end (for various reasons) the association decided to settle for a far simpler (but of course less 'secure') solution. Each house gets a QR code with an embedded URL, which people can scan with any smartphone to visit the web page corresponding to the house. This is a very cheap solution, and one that works with almost all current smartphones.

I will definitely have a look soon. My mom still lives around the corner anyway.

In case you spot any errors on this page, please notify me!