'MULE' Prototype Uses Location For Authentication

CMU research creates Mobile User Location-Specific Encryption
Researchers at Carnegie Mellon University (CMU) have built a location-based encryption model aimed at protecting data in lost or stolen laptops with little or no user interaction and IT administrative overhead.

The so-called Mobile User Location-Specific Encryption (MULE) method encrypts only sensitive files on the user's laptop. "Our goal is to remove user effort associated with encryption technology while achieving the same or better security compared to traditional password-based approaches," the CMU researchers say in a paper about MULE.

They tested a plug-and-play scenario representing the user's home, and a corporate scenario representing his office, using special encryption key derivation protocols for each of the two sites. These protocols automatically help authenticate the user in the trusted locations: "For example, with MULE, a user can securely store encrypted copies of bank records and tax returns on a laptop, and automatically gain access when opening those files in the home office," CMU CyLab technical director Adrian Perrig and CMU graduate student Ahren Studer write in their paper on MULE. "After a thief steals the laptop, the only way to recover the files is to break into the user's home."

At the corporate site, the IT administrator would remove a laptop's identification from a whitelist of laptops if the laptop were stolen, the researchers say.

The key exchange process relies on Webcams installed within the laptops with Trusted Platform Modules (TPMs). A Trusted Location Device (TLD) provides the location-specific information and responds to a machine that wants to derive the encryption key to access a file. The researchers deployed their MULE prototype using an HP laptop running Ubuntu as the user machine and a Dell Optiplex as the TLD, with an infrared LED, which handles the transmission of data.

The researchers found that the decryption process with MULE takes less than five seconds.

"Users and corporate IT personnel want security solutions that simply work and want to avoid any schemes that require additional effort or administrative overhead," the CMU researchers wrote in their paper (PDF). They say MULE requires "zero" user effort and limited IT administration.

