g rwe n n a umC o nm rapeD tnemt fo nummoC i tac i sno dna krowteN i gn

aA l t o - DD

Secure and Usable Services 911 / aM r c i n N a g y

9102 in Opportunistic Networks

Marcin Nagy s k r o w te Ncitsi n u tr o p p O s n e i civ r e S el b a s U d n a e r u c e S

B I NBS 2-3168-06-259-879 ( p r i n t de ) SSENISUB + B I NBS 9-4168-06-259-879 ( dp f ) E MONOC Y S I NSS 9971 - 4394 ( p r i n t de ) S I NSS 9971 - 2494 ( dp f ) TRA + NGISED + ytisrevinU otlaA ytisrevinU HCRA I T TCE ERU gni reenignE laci r tcelE fo loohcS fo tcelE r laci reenignE gni nikotNda soitcinmo f tetrapeD tnemt fo nummoC i tac i sno dna krowteN i gn ECNEICS + www . a a l t o . f i T E ONHC L GO Y

EVOSSORC RE COD T RO A L +cdbgia*GMFTSH9 COD T RO A L SNOITATRESSID

SNOITATRESSID ytisrevinU otlaA

9102 seires noitacilbup ytisrevinU otlaA ytisrevinU noitacilbup seires SNOITATRESSID LAROTCOD SNOITATRESSID 911 / 9102

ni secivreS elbasU dna eruceS dna elbasU secivreS ni skrowteN citsinutroppO skrowteN

ygaN nicraM ygaN

fo rotcoD fo eerged eht rof detelpmoc noitatressid larotcod A larotcod noitatressid detelpmoc rof eht eerged fo rotcoD fo eht fo noissimrep eht htiw ,dednefed eb ot )ygolonhceT( ecneicS )ygolonhceT( ot eb ,dednefed htiw eht noissimrep fo eht cilbup a ta ,gnireenignE lacirtcelE fo loohcS ytisrevinU otlaA ytisrevinU loohcS fo lacirtcelE ,gnireenignE ta a cilbup enuJ ht42 no loohcs eht fo 1UT llah erutcel eht ta dleh noitanimaxe dleh ta eht erutcel llah 1UT fo eht loohcs no ht42 enuJ .31 ta 9102 ta .31

ytisrevinU otlaA ytisrevinU gnireenignE lacirtcelE fo loohcS fo lacirtcelE gnireenignE gnikrowteN dna snoitacinummoC fo tnemtrapeD fo snoitacinummoC dna gnikrowteN ygolonhceT gnikrowteN ygolonhceT rosseforp gnisivrepuS rosseforp dnalniF ,ytisrevinU otlaA ,ttO gröJ .gnI-.rD rosseforP .gnI-.rD gröJ ,ttO otlaA ,ytisrevinU dnalniF

rosivda sisehT rosivda dnalniF ,ytisrevinU otlaA ,nakosA .N rosseforP .N ,nakosA otlaA ,ytisrevinU dnalniF

srenimaxe yranimilerP srenimaxe nedewS ,HTK ,reggehcuB ajnoS rosseforP ajnoS ,reggehcuB ,HTK nedewS ynamreG ,giewhcsnuarB tätisrevinU ehcsinhceT ,floW sraL .gnI-.rD rosseforP .gnI-.rD sraL ,floW ehcsinhceT tätisrevinU ,giewhcsnuarB ynamreG

tnenoppO setatS detinU ,secivreS gnitupmoC dnaloR ,llaF niveK .rD niveK ,llaF dnaloR gnitupmoC ,secivreS detinU setatS

seires noitacilbup ytisrevinU otlaA ytisrevinU noitacilbup seires SNOITATRESSID LAROTCOD SNOITATRESSID 911 / 9102

© 9102 nicraM ygaN

NBSI 2-3168-06-259-879 )detnirp( NBSI 9-4168-06-259-879 )fdp( NSSI 4394-9971 )detnirp( NSSI 2494-9971 )fdp( :NBSI:NRU/if.nru//:ptth 9-4168-06-259-879

yO aifarginU yO iknisleH 9102 WAN E S CO IC L D A B R E O L dnalniF N

PrintedPrinted matter 1234 5678 4041-0619 tcartsbA otlaA 67000-IF ,00011 xoB .O.P ,ytisrevinU otlaA ,ytisrevinU .O.P xoB ,00011 67000-IF otlaA www.aalto.fi

rohtuA ygaN nicraM ygaN Name of the doctoral dissertation Secure and Usable Services in Opportunistic Networks rehsilbuP loohcS fo lacirtcelE gnireenignE tinU tnemtrapeD fo snoitacinummoC dna gnikrowteN seireS otlaA ytisrevinU noitacilbup seires LAROTCOD SNOITATRESSID 911 / 9102 hcraeser fo dleiF fo hcraeser gnikrowteN ,ygolonhcet ytiruces dettimbus tpircsunaM dettimbus 52 rebotcO 8102 etaD fo eht ecnefed 42 enuJ 9102 )etad( detnarg ecnefed cilbup rof noissimreP rof cilbup ecnefed detnarg )etad( 11 yraurbeF 9102 egaugnaL hsilgnE hpargonoM elcitrA noitatressid yassE noitatressid tcartsbA duolc fo ytiralupop gniworg eht yb detanimod neeb evah tnempoleved tenretnI fo sraey 01 tsal ehT tsal 01 sraey fo tenretnI tnempoleved evah neeb detanimod yb eht gniworg ytiralupop fo duolc laicos no desab secivres wen fo gnidliub eht elbane esehT .skrowten laicos enilno dna gnitupmoc dna enilno laicos .skrowten esehT elbane eht gnidliub fo wen secivres desab no laicos gnitupmoc duolc stfieneb eht etipseD .secivres wen gnidliub fo tsoc gnicuder eht dna noitamrofni dna eht gnicuder tsoc fo gnidliub wen .secivres etipseD eht stfieneb duolc gnitupmoc derots atad fo pihsrenwo ,ytilibaliava duolc eht fo ytissecen eht ,gnirb skrowten laicos enilno dna enilno laicos skrowten ,gnirb eht ytissecen fo eht duolc ,ytilibaliava pihsrenwo fo atad derots .secivres emos fo tnempoleved eht rof srotcaf gnikcolb eb yam atad fo ytiruces dna ,duolc eht ni eht ,duolc dna ytiruces fo atad yam eb gnikcolb srotcaf rof eht tnempoleved fo emos .secivres

dezilacol dna eruces ,evisnepxeni gnitaerc fo seitilibissop eht enimaxe ew ,noitatressid siht nI siht ,noitatressid ew enimaxe eht seitilibissop fo gnitaerc ,evisnepxeni eruces dna dezilacol si krow siht rof tniop gnitrats ehT .secivres duolc fo yltnednepedni etarepo nac taht secivres taht nac etarepo yltnednepedni fo duolc .secivres ehT gnitrats tniop rof siht krow si yltcerid etacinummoc secived elibom deirrac-namuh ,skrowten eseht nI .skrowten citsinutroppo .skrowten nI eseht ,skrowten deirrac-namuh elibom secived etacinummoc yltcerid ecneserp rieht etipseD .troppus erutcurtsarfni yna tuohtiw ygolonhcet sseleriw egnar-trohs a aiv a egnar-trohs sseleriw ygolonhcet tuohtiw yna erutcurtsarfni .troppus etipseD rieht ecneserp .ytiralupop detcepxe eht deniag ton evah skrowten citsinutroppo ,sraey fo elpuoc tsal eht rof eht tsal elpuoc fo ,sraey citsinutroppo skrowten evah ton deniag eht detcepxe .ytiralupop

na sreffo skrowten citsinutroppo ni sloot gnivreserp-ycavirp tneicfife gnidivorp taht eugra eW eugra taht gnidivorp tneicfife gnivreserp-ycavirp sloot ni citsinutroppo skrowten sreffo na -ycavirp tneicfife na tneserp ew ,suhT .stnelaviuqe duolc rieht revo secivres emos rof egatnavda rof emos secivres revo rieht duolc .stnelaviuqe ,suhT ew tneserp na tneicfife -ycavirp latot neewteb htap laicos fo htgnel dna sdneirf nommoc gnirevocsid rof locotorp gnivreserp locotorp rof gnirevocsid nommoc sdneirf dna htgnel fo laicos htap neewteb latot rotcaf tnatropmi na si pihsnoitaler laicos a fo htgnerts dna ecnetsixe eht taht eugra eW .sregnarts eW eugra taht eht ecnetsixe dna htgnerts fo a laicos pihsnoitaler si na tnatropmi rotcaf rof snoisiced lortnoc ssecca ekam dna tsurt dliub ot secivres citsinutroppo yb desu eb nac taht nac eb desu yb citsinutroppo secivres ot dliub tsurt dna ekam ssecca lortnoc snoisiced rof revocsid ot dednetxe ylisae eb nac slocotorp ruo taht etaluceps ew ,eromrehtruF .secived ybraen .secived ,eromrehtruF ew etaluceps taht ruo slocotorp nac eb ylisae dednetxe ot revocsid dezilacol erawa-yllaicos dna eruces gnidliub elbane nac hcihw ,sresu neewteb setubirtta laicos yna laicos setubirtta neewteb ,sresu hcihw nac elbane gnidliub eruces dna erawa-yllaicos dezilacol .secivres

ni tnemegagne resu gnisaercni rof smsinahcem snrecnoc noitatressid siht fo trap dnoces ehT dnoces trap fo siht noitatressid snrecnoc smsinahcem rof gnisaercni resu tnemegagne ni si skrowten citsinutroppo fo noitpoda wols eht dniheb snosaer eht fo enO .skrowten citsinutroppo .skrowten enO fo eht snosaer dniheb eht wols noitpoda fo citsinutroppo skrowten si rieht no erawtfos citsinutroppo gninnur timrep ton od smetsys gnitarepo elibom emos taht emos elibom gnitarepo smetsys od ton timrep gninnur citsinutroppo erawtfos no rieht ni tnetnoc gnitareneg dna fo gnissecca eht elbane ew ,melborp siht sserdda oT .smroftalp oT sserdda siht ,melborp ew elbane eht gnissecca fo dna gnitareneg tnetnoc ni egarots bew fo egasu esoporp ew ,eromrehtruF .sresworb bew hguorht skrowten citsinutroppo skrowten hguorht bew .sresworb ,eromrehtruF ew esoporp egasu fo bew egarots osla eW .skrowten citsinutroppo fo yticapac llarevo eht esaercni ot segassem drawrof ot seitilibapac ot drawrof segassem ot esaercni eht llarevo yticapac fo citsinutroppo .skrowten eW osla eht ni snoitacilppa bew detacitsihpos gninnur selbane taht krowemarf cireneg a tneserp a cireneg krowemarf taht selbane gninnur detacitsihpos bew snoitacilppa ni eht .tnemnorivne citsinutroppo .tnemnorivne

sesac esu rehto ni deilppa eb osla nac krow siht fo snoitubirtnoc eht woh ssucsid ew ,dne eht nI eht ,dne ew ssucsid woh eht snoitubirtnoc fo siht krow nac osla eb deilppa ni rehto esu sesac egassem ,lortnoc ygolopot ,gnituor desab-laicos rof ralucitrap ni ,skrowten citsinutroppo ni citsinutroppo ,skrowten ni ralucitrap rof desab-laicos ,gnituor ygolopot ,lortnoc egassem .gnitupmoc citsinutroppo dna ,tnemhsilbatse tsurt ,seigetarts gnidrawrof ,seigetarts tsurt ,tnemhsilbatse dna citsinutroppo .gnitupmoc

sdrowyeK citsinutroppO ,skrowten ,ytiruces ,ycavirp bew )detnirp( NBSI )detnirp( 2-3168-06-259-879 NBSI )fdp( 9-4168-06-259-879 )detnirp( NSSI )detnirp( 4394-9971 NSSI )fdp( 2494-9971 rehsilbup fo noitacoL fo rehsilbup iknisleH noitacoL fo gnitnirp iknisleH raeY 9102 segaP 881 nru :NBSI:NRU/fi.nru//:ptth 9-4168-06-259-879

Preface

This dissertation is the result of efforts that have started already in September 2011. At that time, as the fresh university graduate, I was offered a 9-month internship in the Nokia Research Center (NRC) in the Security and Networking Protocols group. In NRC, I got the chance to work on projects involving contex- tual security and how it is useful for improving usability of mobile applications. It allowed me to understand that security goes beyond cryptography and should consider many different contextual factors, which developed my interest in ap- plying contextual security in opportunistic networks. The vast majority of work have been done as part of my work in the Networking Protocols between 2012 and 2015, when I switched my main focus to running a startup company and delayed writing this thesis until “better times”. Firstly, I could thank my supervisor Professor Jörg Ott for countless things, but I am mostly grateful for his belief that you can be a good researcher and at the same time have a happy private life and even try crazy endeavours like setting up a startup company and all this during your PhD. I am sure at least one of these wouldn’t have been possible without his support, encouragement and easy-going personality. I also want to thank Professor N. Asokan who introduced me into the area of security during my internship in NRC and worked with me on the security and privacy apects of this thesis. I am also very thankful to him for the time he spent teaching me how to present research results in a clear and understandable way and for many other opportunities that he has provided. I would like to acknowledge pre-examiners of my thesis, Professor Lars Wolf and Professor Sonja Buchegger for the time they invested in reading my thesis and their insightful comments that allowed improving it. I want to thank co-authors of my papers, especially Arseny, Emilano and Teemu. Arseny was always ready to manage the most annoying parts of the projects that made it possible to reach our goal. For Emiliano I am grateful for

1 Preface bringing up interesting privacy problems and providing cryptographic expertise in solving them. Teemu was a great university roommate and an excellent research collaborator. His late push for publishing the web framework paper got this work back on track after a period of my doubt. Warm thanks to the past and present members of the Networking Protocols group Alemnew, Ermias, Fida, Maël, Roy, Saba, Shaohong, Varun for friendly joyful and supportive atmosphere. In particular I especially enjoyed the TUM seminar trips. I also thank the past and present members of the Secure Systems group Elena, Jian Liu, Hien, Long, Swapnil, Thanh and Thomas. I especially have very fond memories of summer 2014 and work with Long, Swapnil and Thanh on the implementation of SpotShare. Similarly warm thanks to former NRC colleagues, especially Asokan, Jan-Erik, Kari, Markus, Philip, Sandeep and Valtteri for lots of fruitful and interesting (not always technological) discussions that we had a chance to have and still do when we meet. It was a privilege to work in such a dynamic environment with so many inspiring people. I also have very special thanks for Shaohong and Varun for our joint efforts after work and during the weekends on establishing callstats.io, which now works as the full-blown company. In addition, I would like to give special thanks to my callstats.io colleagues Eljas and Sten for fruitful discussions on cloud computing that helped me clearly formulate research questions behind this work. I also want to warmly thank Katie for our lunch discussions and coffee that always helped me to forget (for just a moment) about ongoing work challenges and for her and her friend’s Camille help in proofreading the final manuscript. Big thanks go to my friend Wojtek for always organizing some weekend entertainment and delicious dinners. Thank you Madhu, Ricky and Sanjay for being a small piece of family here. Lastly, this work would never have been completed without support and love of the most important people in my life, my family. I want to thank for the unfailing encouragement and love to my mom Grazyna,˙ dad Stanisław, sister Ewa and my in-laws Małgorzata, Dominika, Paulina, and Michał. I would like to especially thank my dad, who believes that being a doctor is not only about having a university degree, but also representing certain life values, for his unabated push to finish this work. Most importantly, there are no words in which I could express my gratitude to my beloved wife Kornelia, who is my most faithful supporter, best advisor and inspiring coach, and during every step of this journey and my life is for me with her encouraging words and invaluable words of wisdom. This work would not have been completed without her positive (and non-negotiable) push

2 Preface for excellence in every aspect of our life. ... and I want to thank my precious baby girl, Debora, as her tiny clenched fist always reminded me to stay focus and finish the work.

Helsinki, May 9, 2019,

Marcin Nagy

3 Preface

4 Contents

Preface 1

Contents 5

List of Publications 7

Author’s Contribution 9

List of Figures 11

1. Introduction 1 1.1 Problem statement ...... 5 1.2 Contributions ...... 6 1.3 Structure of the Thesis ...... 7

2. Opportunistic networks background 9 2.1 Opportunistic network architecture ...... 10 2.2 Routing and Forwarding ...... 13 2.3 Security ...... 21 2.4 Opportunistic network applications ...... 27 2.5 Practical opportunistic network systems ...... 30 2.6 Summary ...... 34

3. Privacy enhancements in opportunistic networks 35 3.1 PeerShare: A System Secure Distribution of Sensitive Data Among Social Contacts: Publication I ...... 37 3.2 Efficient and Privacy–Preserving Common Friend–Finder Pro- tocols and Applications: Publication II ...... 42 3.3 Scalable Privacy-Preserving Estimation of Social Path Length: Publication III ...... 51 3.4 Summary ...... 60

5 Contents

4. Web technology in opportunistic networks 63 4.1 Enhancing Opportunistic Networks with Legacy Nodes: Publi- cation IV ...... 65 4.2 Bringing Modern Web Applications to Opportunistic Networks: Publication V ...... 69 4.3 Summary ...... 84

5. Summary and future work 85

References 89

Publications 103

6 List of Publications

This thesis consists of an overview and of the following publications which are referred to in the text by their Roman numerals.

I Marcin Nagy, N. Asokan, Jörg Ott. PeerShare: A System Secure Distribution of Sensitive Data Among Social Contacts. In Nordic Conference on Secure IT Systems, pp. 154–165, October 2013.

II Marcin Nagy, Emiliano De Cristofaro, Alexandra Dmitrienko, N Asokan, Ahmad-Reza Sadeghi. Do I know you? – Efficient and Privacy-Preserving Common Friend-Finder Protocols and Applications. Proceedings of the 29th Annual Computer Security Applications Conference, pp. 159–168, December 2013.

III Marcin Nagy, Thanh Bui, Emiliano De Cristofaro, N Asokan, Jörg Ott, Ahmad-Reza Sadeghi. How Far Removed Are You? Scalable Privacy-Preserving Estimation of Social Path Length with Social PaL. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 18:1– 18:12, June 2015.

IV Marcin Nagy, Teemu Kärkkäinen, Jörg Ott. Enhancing Opportunistic Net- works with Legacy Nodes. Proceedings of the 9th ACM MobiCom Workshop on Challenged Networks, pp. 1–6, September 2014.

V Marcin Nagy, Teemu Kärkkäinen, Arseny Kurnikov, Jörg Ott. Web-based Framework for Accessing Native Opportunistic Networking Applications. 2019 IEEE 20th International Symposium on "A World of Wireless, Mobile and

7 List of Publications

Multimedia Networks" (WoWMoM), June 2019.

8 Author’s Contribution

Publication I: “PeerShare: A System Secure Distribution of Sensitive Data Among Social Contacts”

I conceived the original idea together with N. Asokan as the generalization of the PeerSense project from the Nokia Research Center. I designed and implemented the whole system. I co-edited the paper with N. Asokan.

Publication II: “Do I know you? – Efficient and Privacy-Preserving Common Friend-Finder Protocols and Applications”

The idea for this paper comes from Emiliano De Cristofaro. I designed the Bloom filter based private set intersection protocol together with N. Asokan. I implemented the protocol, made performance evaluations and interpreted results. I co-edited the paper with N. Asokan and Emiliano De Cristofaro.

Publication III: “How Far Removed Are You? Scalable Privacy-Preserving Estimation of Social Path Length with Social PaL”

I came up with the idea for the paper, as the follow-up of the previous work. I designed and implemented the SoPaL discovery protocol. In addition, I also designed the overall Social PaL system. I performed analysis of fulfilment of the protocol correctness requirement and took part in analysis of the system coverage evaluation. Finally, I co-edited the paper with other authors.

9 Author’s Contribution

Publication IV: “Enhancing Opportunistic Networks with Legacy Nodes”

I conceived the original idea together with Jörg Ott. I designed and implemented the whole system. Furthermore, I did evaluation of the real-world system implementation. I co-edited the paper with Jörg Ott.

Publication V: “Web-based Framework for Accessing Native Opportunistic Networking Applications”

The idea for the paper came from multiple conversations with Jörg Ott and Teemu Kärkkäinen. I identified that the most interesting improvement in com- parison to Publication IV is enabling of web application usage in disconnected environments. During multiple conversations with Jörg Ott and Teemu Kärkkäi- nen, we came up with the idea of shipping application logic together with content. Based on these discussions, I formalized this concept to introduce the concept of transformations and adopt the MVC paradigm. I designed and implemented the whole system. Furthermore, I implemented the web version of PeopleFinder and Here & Now native applications. Finally, I co-edited the paper with other authors.

10 List of Figures

2.1 Architecture of the opportunistic network protocol stack. Fig- ure thanks to courtesy of Professor Jörg Ott...... 11 2.2 The concept of the space-time path. Node A never forms space path with node E (i.e., they never enter into contact), but it forms the space-time path with node E through node C and its mobility. Picture adapted from Borrel et al. [64]...... 14 2.3 Classification of DTN routing approaches...... 17 2.4 SCAMPI platform architecture [117]. The whole opportunistic network functionality is handled by SCAMPI router which runs within Java Virtual Machine. The router provides an API for applications to exchange data over native TCP API. HTML5 shim works on top of the native API to provide bindings for platform independent development of applications in HTML5 and JavaScript...... 32

3.1 Mobius triangle illustrating the concept of usable security sys- tems. Figure thanks to courtesy of Professor N. Asokan. .... 36 3.2 PeerShare architecture. PeerShare Service consists of the Bindings database, the PeerShare API and the PeerShare communication module. The communication module authen- ticates a user with the social network server and is responsi- ble for: (1) uploading to the PeerShare Server data that the user wants to share and (2) downloading data from the server that are shared by other social network users with the user. Downloaded data are stored in the Bindings database. The PeerShare API provides access to shared data for applications. 38

11 List of Figures

3.3 Overview of the Common Friends architecture, involving three protocols: (1) OSN user authentication protocol, (2) Common Friends capability distribution protocol, (3) Common Friends discovery protocol. User U having authenticated to an OSN (1), uploads his or her bearer capability and downloads capabilities of her friends using the Common Friends capability distribu- tion protocol (2). Users A and B run the Common Friends discovery protocol to learn about their common friends (3). . . 45 3.4 Capability distribution protocol. User U, having authen-

ticated, uploads a bearer capability cU to the server S, which

stores it. In response, S sends RU which is the list of social identifiers and capabilities belonging to every U’s friend. .... 46 3.5 Friend finding protocol. Users I and R begin with exchang-

ing their Diffie-Hellman public keys (PKI , and PKR). After

that they create new input sets (RI and (RR) by appending

public keys to every item in their respective RI and RR sets.

Finally, they input RI and (RR) to a PSI protocol. At the end of the protocol run, R learns about mutual friends she has with I.47 3.6 Diagram of Common Friends discovery protocol with Bloom Filter based PSI (BFPSI) protocol. In comparison to the friend finding protocol, “classic” PSI protocol is replaced by I sending

to R Bloom filter BFI . R on receiving it, tests presence of

every item of his or her input set in BFI . Since Bloom filter may introduce false positive, the challenge-response protocol is executed in which I must prove possession of capabilities

detected to be contained in BFI ...... 48 3.7 Comparison of BFPSI and PSI-CA protocol performance. We observe linear increase of execution time of both protocols, however, rate of increase is much lower for BFPSI. Execution time for sets of friends containing 500 contacts is well below 5 seconds for BFPSI...... 50 3.8 Coverage of Common Friends with 40% of users using the ser- vice. Black (resp., white) nodes denote users (resp., non-users) of the system. Purple/solid edges denote a direct friendship discoverable by Common Friends, while dashed lines denote existing friendships that Common Friends cannot discover. . . 52

12 List of Figures

3.9 Coverage of Social PaL with 40% of users using the service and with the addition of ersatz nodes. Black (resp. white) nodes denote users (resp. non-users) of the service. Ersatz nodes are marked in grey. Purple/solid edges here denote a direct friendship discoverable by Social PaL, whereas dashed edges denote relationships that cannot be discovered...... 54 3.10 Capability distribution protocol with ersatz nodes added. The highlighted part is the additional functionality for ersatz nodes.

For every social identifier IDE that is not stored on the server

S, S generates a capability cE, assigns to IDE and stores it. . . 55 3.11 Social PaL ’s capability distribution protocol. The highlighted part is the addition to the original Common Friends capabil-

ity distribution protocol. In addition to RU, server S returns h also the set of higher order capabilities RU, which contains capabilities OSN members that are at least 2-hops away from U. 56 3.12 Illustration of Social PaL discovery protocol. The updated part is marked in grey background. Both users A and B build their

respective BFPSI input sets IA and IB using bearer capabilities and also higher order capabilities. After learning intersection of their input sets X, they compute locally to find out the social path length between them. This process involves two phases: calculation of lengths of all existing social paths and selection of the shortest of them...... 57 3.13 Social PaL coverage for the BFS dataset. Coverage without ersatz nodes is marked in red, while with ersatz nodes in black. Coverage of 2-hop paths is marked with triangles, 3- hop paths with crosses, while 4-hop paths with squares. It is clearly visible that addition of ersatz nodes massively improves Social PaL coverage results...... 60

4.1 System model: there are likely more legacy nodes than oppor- tunistic ones. Red lines indicate communication links. The dashed arrows show sample node movement, which yields a virtual “backbone” link via node movement between two access points indicated with solid grey arrow. We can increase overall capacity of the opportunistic network by taking advantage of mobility of legacy nodes to carry messages between access points. 66

13 List of Figures

4.2 Web-based extensions to Liberouter. When the legacy de- vice with a modern web browser connects the Liberouter, it exchanges HTTP cookies and content of local storage with Liberouter over the message forwarding interface. The user of the device can see what is stored in the Liberouter storage and upload also new content using the content interface. .... 67 4.3 Scatter plot of all simulations results showing relative changes to delivery ratio and delivery delay, caused by addition of legacy nodes. L1, L5 and L10 indicates a number of legacy nodes as the multiplication of opportunistic nodes. For RWP mobility model, we see an increase in delivery probability at the cost of increased delivery delay. For the MBM model, we observe a significant increase in delivery probability without much impact on delivery delay. Finally for the OPP model, we observe decrease of delivery delay and increase of delivery probability. 69 4.4 Web application can be modeled using MVC paradigm. The model (M) is the central component of the paradigm. It is a dynamic data structure that stores and manages the applica- tion data. The view (V) provides presentation of application data based on inputs provided by the model. The controller (C) accepts inputs from the user and potentially updates from the network and transforms them into state updates for the model. 71 4.5 Overview of the Liberouter system extended for web access. The system defines two types of clients: native clients and web clients. The native clients communicate directly with each other and with the opportunistic router in the Liberouter (black arrows). The web clients communicate over HTTP links (red arrows) only with the Web App Interaction Framework, however, they through the framework they are able to exchange data with all other clients (dotted blue arrows)...... 72

14 List of Figures

4.6 Illustration of transformations work. Whenever a new mes-

sage appears, the application state Sx is updated by execu-

tion of the message added transformation Sx = madd(mx,Sx−1). Once the application state is updated all view transformations

APx,Vx,Cx are called on the updated state. Deletion of an exist- ing message causes the application state update by execution of

the message deleted transformation Sx = mdel(mk,Sx−1). If a web user wants to create a new message, the message creation

transformation mc is executed based on her input. Processed data are submitted to the framework where optionally the

message server creation msc transformation is executed. . . . . 75 4.7 Framework system components and their interactions. When a new message is available in the Liberouter storage, the DTN Communicator passes the message to the Message Processor. The Message Processor executes appropriate transformations in the sandbox and writes update app state and views into the app storage. The web server communicates only with the app storage to provide requested views for the user. When a request to send new data comes to the web server, it forwards it to the Message Generator that reads application state from the stor- age and pushes formatted message to the DTN Communicator, which publishes it to the opportunistic network...... 76 4.8 People Finder application model and transformations. . . . . 78 4.9 Comparison of People Finder native and web versions. . . . . 79 4.10 Here & Now application model and transformations...... 79 4.11 Comparison of Here & Now native and web versions...... 81 4.12 Impact of the overhead introduced by the framework (reflected in different message sizes) on the coverage for messaging (top) and photo sharing (bottom) with all three loads for the SPMBM model...... 82 4.13 Content coverage achieved for different number of access points and web nodes for text messaging (top) and photo sharing (bottom)...... 83

15 List of Figures

16 List of Abbreviations

BAB Bundle Authentication Block

CA Certificate Authority

CRL Certificate Revocation List

DoS Denial of Service

D2D Device-to-Device

DNS Domain Name System

DTN Delay Tolerant Networks

DTNRG DTN Research Group

EID Endpoint Identifier

ESB Extension Security Block

GDPR General Data Protection Regulation

HSM hardware security module

HMAC keyed-hash message authentication code

HIPAA Health Insurance Portability and Accountability Act

HTML Hyper Text Markup Language

HTTP Hypertext Transfer Protocol

IBC Identity Based Cryptography

IaaS Infrastructure as a Service

IP Internet Protocol

IRTF Internet Research Task Force

17 List of Abbreviations

MVC Model-View-Controller

OSN Online Social Network

PCB Payload Confidentiality Block

PIB Payload Integrity Block

PaaS Platform as a Service

PCI DSS Payment Card Industry Data Security Standard

PKG Private Key Generator

PSI Private Set Intersection

PKI Public Key Infrastructure

SaaS Software as a Service

SPM Social Pressure Metric

TTL Time-to-Live

TCP Transmission Control Protocol

TLS Transport Layer Security

URI Uniform Resource Identifier

3GPP Third Generation Partnership Project

18 1. Introduction

The last 10 years of the Internet development have been dominated by the adoption of the cloud computing paradigm. The revolution that started in 2006 by introduction of Amazon’s Elastic Compute Cloud [46] completely changed the way modern applications are developed. In the classic “enterprise" paradigm, a service provider runs its application on a physical server located in their premises. In the cloud computing paradigm, the service provider rents comput- ing resources from the cloud provider. This allows the service provider to reduce costs, as capital expenditure (e.g., buying servers) is transferred to operational expenditure. Furthermore, since resources are requested on demand, the barrier to entry for small companies is much lower, as they do not need to buy the expen- sive server infrastructure. Cloud computing also facilitates service development and maintenance by improving provider’s agility for resource management and simplifying service state management, because all service data are located in a centralized storage that can be accessed from different places. Cisco Global Cloud Index [33] reports that the cloud computing traffic has increased from 1.8 zettabytes annually in 2011 to 3.9 zettabytes in 2015 and expects that it is going to almost quadruple in 2020 with 14.1 zettabytes. The last 10 years have also brought a tremendous increase of popularity of online social networks (OSNs). They allow people to share content among their social contacts, and by opening social graph API, they create opportunity for emergence of a new category of apps based on the social content. For example, if a person searches for a hotel, TripAdvisor takes advantage of the Facebook Graph API [8] to prioritize reviews for the hotel so that reviews submitted by the person’s direct friends come first [32]. The second highly important aspect related to OSNs is the possibility of user authentication by means of a Single Sign-on service and OAuth protocol [105], which greatly facilitates access to data collected by OSNs and provides an excellent end-user experience. Despite the obvious benefits provided by cloud computing and OSNs, there are

1 Introduction also drawbacks that should be considered. The biggest concern of using the most popular OSNs and apps built on top of their social graph APIs is user privacy. For example, Facebook learns about the physical location of a user whenever he or she checks into some place. Similarly, whenever the user interacts with another user (e.g., by commenting on a post), Facebook learns about the user’s interests. The main concerns about cloud computing are related to service availability as well as data ownership, and security. Modern cloud providers [34] offering Infrastructure as a Service (IaaS) have a near-perfect availability. Despite very impressive availability statistics by the cloud providers, cloud providers also occasionally suffer from major outages that cause great disruptions to services that run on top of them. For example, a 4-hour outage suffered by AWS in February 2017 caused a loss of about 310 million dollars for Netflix, Salesforce, Adobe, and other companies hosting their services on AWS [25]. Services that are built taking advantage of Platform as a Service (PaaS) and Software as a Service (SaaS) cloud computing models may suffer from the fate-sharing principle if the underlying service is not available. Reasons behind PaaS and SaaS problems can be divided into two groups: technical-related and business- related. Technical reasons are usually temporal and solved within a couple of hours (e.g., 2015 DynamoDB outage [21]); however, there are also incidents in which data are irrevocably lost (e.g., 2017 GitLab database failure [17]). Business reasons are much more serious, as they usually result in the service being shut down or left running, but no longer maintained in the best case [26]. If the service is shut down, its customers usually have very little, if any, time to prepare for a migration to a new system (e.g., dotCloud bankruptcy [1]). This problem can be a very serious for complex enterprise systems, which cannot be easily migrated away from the problematic cloud service and are, in fact, in the service lock-in situation. Despite prevalent feeling that takes Internet access for granted, providing world-wide access to the Internet is still a challenge. There are some regions of the world where geographic area characteristics make it very difficult to build a reliable infrastructure. Consequently, it is not feasible for the network operator to provide the Internet access in such areas. The second challenge is purely economic. In some developing countries, the access to the fixed broadband can be as much as 40−100% of the national average salary [40]. In developed countries, cost affordability limits access to broadband for impoverished communities. Finally, there can also be some regulatory as well as social and capacity-building challenges. A very dramatic example of the regulatory problem is the decision

2 Introduction of the Russian court to shut down the Telegram messaging application after the company refused to hand over encryption keys to the authorities during a counter-terrorism investigation. As a result, the Russian media regulator tried to execute a court order which blocked more than 4 million IP addresses and caused severe disruptions in the Internet functioning in the country [44]. The social and capacity building challenges arise from lack of qualified engineers that are able to build and operate reliable Internet infrastructure. Ownership rules of data stored in the cloud are also ambiguous. Some service providers have very clearly defined terms of service in which they explicitly state that all data together with their intellectual property rights remain under user ownership and that full access to it is always granted [3]. On the other hand, there are service providers that do not guarantee infinite access to user data. For instance, Facebook Data Policy [7] states that the company keeps data as long as it is necessary, which may not be as long as the user wants. Violation of data ownership rules can be also caused by the service provider’s business decisions. For example, in 2015, Facebook, while trying to quickly boost popularity of their new Moments app, informed users that their synced photos would be deleted unless they installed Moments app [9]. This practically meant that users would lose their full data ownership. Security and privacy of data stored in the cloud is another aspect of cloud services that needs attention. In the recent years, cloud storage services were haunted by a series of high-profile sensitive data leaks (e.g., iCloud celebrity photo leak [14] or revelation of 68 million user password in Dropbox [5]), which puts doubt in security mechanisms implemented by popular cloud storage providers. Handling of personally identifiable information by cloud service providers is potentially another source of concern. Although there are no reli- able sources that document the number of service providers that are compliant with existing legal requirements like Payment Card Industry Data Security Standard (PCI DSS)[16] or Health Insurance Portability and Accountability Act (HIPAA)[13], the huge number of personal data leaks in recent years, in- cluding the most prominent Cambridge Analytica scandal [36], indicates that the problem exists. We should be able to learn about the scale of the problem if General Data Protection Regulation (GDPR)[6] penalty rules are enforced. The Ponemon Institute, together with IBM, conducts annual studies on the cost of damage that companies must pay as a result of leaking personal data. In 2017, the average cost was about 3.6 million dollars for each leak that on average involves about 24 thousand records [4].

3 Introduction

One possible solution to the above problems is to make the Internet ecosystem more decentralized. This can be achieved by developing community networks. In such networks, infrastructure is built, owned, maintained, and operated by local communities. Prominent examples of such successful deployments are guifi.net in Catalonia [39] and TakNet in Thailand [45]. The latter allowed the reduction of the per household Internet subscription cost from $28 to $5. Furthermore, community networks do not need to provide only Internet access. They can also be used for service provisioning. According to Fanou et al. [91], 65% of Google caches that serve Africa are outside of the continent. Taking this into account, together with low speed bandwidth, unreliable links, and high latency to cloud servers, we may speculate that the deployment of some services within community networks would contribute to improving end-user service experience. Moreover, a user study done by Lertsinsrubtavee et al. [124] shows that a significant amount of traffic in a community network is localized. For example, 81% of users of the instant messaging service Line have contacts only within the community network and 20% of all messages are exchanged between them. In the current Internet model, this causes a message of a few hundred bytes between two nearby people to be sent to an application server potentially in a completely different part of the world and then pushed back from the server to the message recipient, instead of simply transferring it over a local network. This motivates building localized network services. Such services are not limited to only the developing countries; they are also growing in popularity in the developed countries (e.g., NetHood project [41]). In this thesis, we explore tools for enabling sophisticated localized services. We believe that there are two main drivers motivating development of such services, namely reducing Internet access cost in rural areas and limiting content distribution to local communities that do not wish to share data with cloud providers. The tools that we propose belong to two categories. The first group of tools addresses issues related to privacy and security by proposing solutions for privacy-preserving discovery of social attributes (e.g., common friends, needs, interests, etc.) between strangers. The crucial characteristic of our solution, aside from privacy, is independence from cloud infrastructure, thus making it attractive for offline usage. We argue that such services may prove beneficial for discovering common social needs among people who do not know each other or are not willing to share such needs on the public Internet. The second group of tools addresses issues related to bringing web technology to opportunistic networks. An opportunistic network is a type of network that is infrastructure- free by design. Human-carried devices within it communicate directly via a

4 Introduction short-range wireless technology when they are in a transmission range. We argue that by bringing web applications to opportunistic networks, we can increase interest of people in these networks, leading to a creation of new applications and potentially market places.

1.1 Problem statement

In this dissertation, we approach the current dependence of modern services on the global Internet as an issue that limits availability of such services to individuals. We argue that the most fundamental limitations come from lack of robust network infrastructure in some parts of the world, little trust that some people have for uploading their data into the cloud, and insufficient mechanisms for protecting personal privacy. Consequently, we believe that opportunistic networks provide a good foun- dation for creating secure and Internet-independent services. However, there are still some barriers that prevent large-scale deployment of opportunistic net- works. Since devices in the opportunistic network communicate directly, users require the presence of nearby peers to have any communication. Consequently, there is not much of an incentive for the user to install and use an application in the opportunistic network, as after installation there is usually no content available and nobody to communicate immediately with. This leads to very high message delivery times, as a message is very often stored for a prolonged time on devices before an opportunity to forward it to a destination may arise. The other important barrier for opportunistic networks is the necessity to constantly run opportunistic software on the device in order to discover nearby peers. This has a negative impact on the device battery and discourages many users from running these services. As security of applications in the opportunistic network is not verified by a trusted authority, some users may also be reluctant to install them. To summarize, we argue that the very pressing issues that need to be addressed in building and successfully deploying these services are: (1) increas- ing the number of devices present in opportunistic networks to reduce message delivery time, (2) providing tools for enabling development of opportunistic web applications to allow for content access inside web browsers, as it removes the necessity of installing an unknown application on a device and (3) providing tools for privacy-preserving discovery protocols that can be used to unearth social attributes between local people. There are two fundamental questions that form our research problem in this thesis:

5 Introduction

1. How can we enable privacy-preserving discovery of social attributes between two people? We believe that the ability to discover specific social attributes (e.g., common interests) is useful in enabling socially-aware local services. An example of such a service is a ride sharing application in which interested users are connected only if sufficient social criteria (e.g., having common social contacts) are fulfilled. In this thesis, we look at possibilities of building protocols that allow for efficient and privacy-preserving discovery of such relationships between local people.

2. How can we increase people’s engagement in opportunistic networks? We look at the possibility of making opportunistic networks accessible to users who cannot or do not want to install opportunistic software on their devices. As the web technology is ubiquitous, we investigate whether it can be applied to running an opportunistic application as a web application in order to remove these barriers. Moreover, we study whether the web technology can be used for improving network message forwarding capabilities.

1.2 Contributions

The main contributions of this dissertation are:

• The design and implementation of a system for secure distribution of sensitive data among social contacts. The system is designed to operate without the need for permanent Internet connectivity and is used as the building block for the next contributions.

• The design of a new private set intersection cryptographic protocol based on the Bloom filter [62], which operates without the need for an Internet connection and is efficient for the mobile environment. Our first application of the protocol is discovery of common social contacts, but the protocol can also be used for any private matching operations, where input sets authenticated. Furthermore, we extend the protocol to discover the lengths of social paths between two users in the online social network graph.

• A study on the application of web browser storage features for message for- warding in the opportunistic network with the support of infrastructure nodes. We propose to use this mechanism to increase the network capacity.

6 Introduction

• The design and implementation of a web framework which enables running modern web applications in the opportunistic network with the support of infrastructure nodes. To prove the practicality of the solution, we implement web versions of People Finder and Here & Now, which is deployed to the guifi.net community network.

1.3 Structure of the Thesis

In Chapter 2, we introduce opportunistic networks, which provide our fundamen- tal networking building block and provide technical background. This chapter also includes descriptions of SCAMPI and Liberouter platforms that we build our services on. Chapter 3 contains different privacy-preserving mechanisms that were designed by us and that can be used to uncover common social features shared by strangers. In Chapter 4, we present extensions to the Liberouter platform that allows for the increase of opportunistic network capacity and de- velopment of advanced opportunistic web applications. We conclude this thesis with a discussion in Chapter 5.

7 Introduction

8 2. Opportunistic networks background

The very fundamental principle that the Internet services are built on is the end- to-end principle [161]. It assumes that application-specific features reside in the communicating end nodes of the network and that intermediary nodes act only as data forwarders. This further implies that reliable network communication between two end nodes is necessary for them to exchange data. On the other hand, Delay Tolerant Networks (DTN)s [89] operate in challenging environments where connectivity is intermittent, which may lead to broken network paths and network partitioning. As a result, the network is built to operate in situations where an instantaneous end-to-end path does not exist and the intermediary nodes forward data using deterministic or opportunistic paths. Opportunistic networks form a subset of delay tolerant networks. They are designed to rely on the direct device–to–device communication that occurs opportunistically; in other words, it is possible only when two (mobile) nodes are able to form a contact (a wireless connection) [74]. In the Internet, IP [28] is used to exchange data between endpoints. During the communication process, exchanged data is usually fragmented into multiple IP packets that are transmitted through the Internet. Packets in the Internet are transmitted over relatively stable network paths using the store-and-forward communication technique. Intermediary nodes store a received packet by putting it in a queue before it is forwarded further along the path. However, queuing time of the packet is very short, even with the presence of the bufferbloat effect [30]. On the other hand, opportunistic networks operate in environments where instantaneous data delivery between endpoints may not always be possible. To resolve this problem, the intermediary nodes may carry data for some time, until the opportunity to forward it occurs. This model of communication is called the store-carry-and-forward paradigm. The primary examples of networks with opportunistic/delay tolerant communication include sensor-based networks with intermittent connectivity, satellite networks, underwater acoustic networks, and

9 Opportunistic networks background unreliable terrestrial wireless networks [177]. Opportunistic networks are also used for communication in rural areas [82, 124] and for direct communication of nodes in close proximity like Haggle architecture [164, 146]. Having explained the basic concept behind the opportunistic network, the rest of this chapter is organized as follows. In Section 2.1, we describe the architec- ture of the opportunistic network. Section 2.2 provides an overview of routing in the opportunistic network. Section 2.3 describes security aspects of opportunistic networks. In Section 2.4, we study design requirements of opportunistic applica- tions and analyze the current state of the market of opportunistic applications. We conclude this chapter with section 2.5, describing practical opportunistic network systems with a special emphasis on SCAMPI and Liberouter platforms that we have used as the building blocks of our contributions in the thesis. This is followed by a short chapter summary.

2.1 Opportunistic network architecture

This section describes opportunistic network architecture, which is the building block of the thesis. The architecture described in this section is based on delay tolerant network architecture. It was developed by the former DTN Research Group (DTNRG), under Internet Research Task Force (IRTF). The group has published informational RFC 4828 [177], which describes the basic concept behind the architecture. Bundle Protocol and Internetworking. The basic data unit in the oppor- tunistic network is called a bundle (message) [165]. The bundle consists of the Primary Bundle Block and one or more Bundle Payload Blocks. The Primary Bundle Block contains control information used for forwarding the message in the network to the destination endpoint. The Bundle Payload Block carries application data. Nodes in the opportunistic network store and carry the bundle until the opportunity, i.e., a contact, to transfer the bundle to the next node appears. Taking into account unpredictable contact opportunities, bundles are supposed to be self-contained, which means that they do not require the presence of other bundles in order to be useful for the application. Thus, unlike in the Internet environment where multiple small IP packets are involved, a single bundle contains whole data content aggregated inside it. Figure 2.1 illustrates the protocol stack in the opportunistic network. We define three main entities in the opportunistic network. An opportunistic host is a node that runs an opportunistic application. An opportunistic router is a node that runs Bundle Protocol. Since the host must also run Bundle Protocol to send

10 Opportunistic networks background

   

   

   

   

 


 


 

 

 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  



 
 

Internet 
Internet 

Non-IP 

#1 
#2 

#3 


 
 
 

Figure 2.1 Architecture of the opportunistic network protocol stack. Figure thanks to courtesy of Professor Jörg Ott. and receive application data, it can act also as the router in the network. An opportunistic gateway is a node that interconnects regions in the network that run dissimilar protocol stacks. In addition to performing data transcoding be- tween regions, it may also enforce specific networking and security policies. The architecture enables internetworking between different network technologies by unifying communication at the Bundle Protocol layer through the convergence layer. Since bundles must be transferred reliably between two adjacent nodes, the nodes can use heterogeneous mechanisms (i.e., specific to an underlying network technology) to ensure reliable bundle transfer. This is different than in the Internet, where only the end-to-end reliability is provided by Transmission Control Protocol (TCP) [29] and hop-by-hop reliability is not available. Convergence Layers. Nodes in the opportunistic network may use various network technologies below the Bundle Protocol layer to communicate. Enabling a heterogeneous communication is possible due to the introduction of the con- vergence layer between the Bundle Protocol layer and an underlying layer. The convergence layer acts as the translator of data format between these two layers. For example, the TCP Convergence Layer [83] transforms a bundle into TCP segments and vice versa. It can be used to exchange bundles between two nodes by establishing a TCP connection between them. Opportunistic nodes and Endpoint Identifiers (EIDs). An opportunistic node is a node capable of sending and receiving bundles (i.e., running Bundle Protocol). An opportunistic endpoint is a logical set of opportunistic nodes. The architecture defines a successful bundle delivery if a minimum subset of nodes in the endpoint receives it correctly. This subset of the endpoints is called the Minimum Reception Group and it may involve a single node (unicast), a single

11 Opportunistic networks background

node in a group of nodes (anycast), or all nodes in a group (multicast/broadcast). An endpoint identifier identifies an opportunistic endpoint. An EID is a name which follows the Uniform Resource Identifier (URI) standard [59]. An opportunistic application running on a sender host uses EID to define destination of a bundle. In a receiving host, the application registers intention of receiving bundles addressed to a specific EID. In order to carry a bundle towards a destination, an EID must be interpreted. This process is called binding. For example, it may involve mapping an EID to a next-hop EID, or to an underlying layer address (e.g., IP address). In the Internet, the binding is performed before data is sent by a source node as a DNS lookup query for the IP address of a destination node. This type of behaviour is called “early binding". On the other hand, in the opportunistic network, a destination node may not be available at the moment of message sending, or may change during the message transmission. Thus, opportunistic nodes use “late binding", which means that binding of a bundle destination to a particular set of destination addresses may occur at the source node, during bundle transit, or even at a destination node. Fragmentation and Reassembly. Recall from above that in the opportunis- tic network bundles are supposed to be self-contained, which may make them considerably large. This raises the following two challenges: how to optimally utilize the short contact duration and how to forward a bundle when the amount of bytes that nodes can exchange during the contact is too small for transmission of an entire bundle. These problems are addressed by fragmentation of the bundle. In this process, the bundle is divided into multiple smaller bundles that are called fragments. The opportunistic network treats each fragment as a separate bundle. If possible, fragments of a bundle are reassembled by nodes to recreate the original bundle. Although fragmentation addresses the challenges of utilization of optimal contact duration, it can lead to other challenges in the network. From the security perspective, the authenticity of the bundle payload becomes an issue if the bundle is fragmented. This challenge is described in more detail in Section 2.3. From the network perspective, uncontrolled fragmentation can result in the creation of a large number of fragments, and the failed delivery of just a single fragment leads to the failed delivery of the whole bundle. The architecture describes two forms of fragmentation. In proactive fragmentation, the sender prepares for a small contact volume by fragmenting the bundle before the very first transmission. In reactive fragmentation, if the bundle is only partially transferred during transmission, the receiving node converts

12 Opportunistic networks background the received part of the bundle into a fragment and forwards it further as the fragment. Reliability and Custody Transfer. Due to opportunistic characteristics of a bundle transfer in the network, the architecture assumes a source node does not require any interaction with a destination node for the successful bundle transfer. This model can be compared to a mail delivery service. However, in order to provide some level of a reliable message delivery, the Bundle Protocol defines two mechanisms. First, applications having strict delivery requirements can request an end-to-end acknowledgement. Second, a node can commit to storing a bundle reliably until it can forward it to a destination/another node closer to a destination. In such a scenario, a node accepts custody of successful bundle delivery. By accepting custody of bundle delivery, the node must allocate storage space for the bundle and must not delete the bundle. The node can also delegate this responsibility to another node by means of custody transfer. In such a case, all storage resources allocated by the node are freed. The architecture does not mandate that all nodes must act as custodians.

2.2 Routing and Forwarding

Routing and forwarding are crucial concepts behind transfer of data in the network. Although these terms are very often used interchangeably, they are not synonyms. Routing is the process of selecting a path to a destination node in the network, whereas forwarding is the process of relaying data packets between two neighboring nodes in the network. Traditional routing protocols used in the Internet assume availability of an end-to-end path in the network between communicating nodes. Thus, the routing protocol is responsible only for finding a path in space (i.e., a set of hops that a message must pass in order to reach a destination node). In the opportunistic network, contacts are temporarily available for transmission. Therefore, the routing protocol cannot depend on the existence of a path in space, but rather it must find a space-time path between communicating nodes that takes into account intermittent availability of contacts. As a result, it is very challenging to set up an end-to-end path between communicating nodes, and very often the availability of such a path may not be known at the time of message sending. Figure 2.2 illustrates the difference between a space path and a space-time path. In this section, we provide a brief overview of routing challenges in DTN. Please recall from the beginning of this chapter that an opportunistic network is just a subset of DTN, so nodes in an opportunistic network face similar challenges.

13 Opportunistic networks background






























Time

tk tk+1 tk+2 tk+3 tk+3

 

  


Figure 2.2. The concept of the space-time path. Node A never forms space path with node E (i.e., they never enter into contact), but it forms the space-time path with node E through node C and its mobility. Picture adapted from Borrel et al. [64].

Furthermore, in Section 2.1 we introduced the bundle as the basic data unit in the opportunistic network, as defined by the architecture standard. However, in the rest of this thesis, we use message as a synonym for bundle, since it is a more commonly used term when describing application interactions. Availability of a stable end-to-end path between communicating nodes in the Internet allows us to consider challenges of routing and forwarding fairly separately from each other. Challenges of routing and forwarding in DTN are not limited to discovery of the next hop to which the message should be forwarded. In DTN, the only opportunity for two nodes to exchange data is when they come into contact. Finite bandwidth and unexpected interruption can prevent the node from forwarding all possible messages. Thus, it is very important to properly select the sequence in which messages should be forwarded in order to maximize the likelihood of successful delivery of messages to the destination. Furthermore, if the node comes into contact with multiple nodes simultaneously and it is impossible to simultaneously communicate with all of them due to resource constraints, the node should be able to identify which nodes it should first open connections to in order to communicate effectively. Finally, as the node stores carried messages in the buffer with finite space, management of buffer space is also a challenge. In the case when not all messages can be stored in the buffer space, the node must decide which messages can be deleted from the buffer. Consequently, challenges of routing and forwarding in DTN should be considered jointly. In the rest of this section, we provide an overview of research addressing challenges related to both forwarding and routing. We

14 Opportunistic networks background begin by discussing message forwarding strategies, buffer management, and node topology control, which concern forwarding. Finally, we conclude with the summary of most popular DTN routing protocols. Message forwarding strategies. The impact of different message forward- ing strategies on message delivery, overhead, and end-to-end delay is studied by Lindgren et al. [131]. They discuss three message forwarding strategies based on probability of message delivery by a node and one random based strategy. They conclude that not only selection of messages for forwarding is important, but also the sequence in which they are forwarded. Krifa et al. [120, 121] consider this problem jointly with the buffer management issue. They propose calculating a utility value for each message and using it to select the order in which the messages are forwarded. The solution is plugged into Epidemic routing protocol (described below), and it shows improvements in terms of message delivery and end-to-end delay. The most popular routing protocols in terms of research paper citations that consider message forwarding strategies are RAPID [54] and MaxProp [67], described later in this text. Buffer management. The impact of buffer management on performance of the Epidemic routing protocol in terms of message delivery and end-to-end delay is studied by Zhang et al. [188]. They show that the drop-front policy (i.e., the first message entered into the queue is the first message to be dropped if the queue is full) performs better than the drop-tail policy (i.e., the last received message is dropped if the queue is full). In the related work, Lindgren et al. [131] study the impact of different message queuing policies on message delivery, overhead, and end-to-end delay. They evaluate four different buffer management methods in addition to the drop-tail policy and conclude that selection of a buffer management policy impacts the performance of the routing protocol. Particularly in the context of Epidemic routing, they show that the drop-front policy achieves the highest delivery ratio, while drop-oldest policy (i.e., the message with the shortest remaining lifetime is dropped if the queue is full) achieves the lowest delivery delay. In addition, they also note that for increasing message delivery probability, it is important to ensure that a message is forwarded a sufficient number of times before a source node can drop it. In an alternative concept, Krifa et al. [120] propose an optimal buffer management policy based on global knowledge of the network state and usage of statistical learning to allow the node to gather this knowledge of the optimal algorithm. All of the above presented buffer management solutions assume that bandwidth is unlimited and messages in the buffer are of equal size. Li

15 Opportunistic networks background et al. [127] take these constraints into consideration and propose the adaptive optimal buffer management scheme. They use mechanisms described by Krifa et al. [120] to obtain global knowledge of the network state and propose a formula for evaluating utilization of each message in the buffer. Based on these two parameters, they select messages that can be discarded. Another alternative approach is proposed by Li et al. [128]. They present N-Drop, a buffer management algorithm that drops messages that were forwarded at least N-times. Bjurefors et al. [61] investigate various message dropping policies in the publish-subscribe opportunistic network. They divide the policies into two groups: based on degree of interest and based on degree of replication. They have concluded that dropping messages with the highest degree of replication yields the best message delivery results. Finally, it is is important to note that according to Zhang et al. [86], proper buffer management has a greater impact on the delivery ratio than a message forwarding strategy. Node topology control. Very little work has been done to understand how to optimize opportunistic communication in dense network segments (i.e., areas with hundreds of potential nodes to communicate with). In theory, it seems intuitive for every node to open connection to every other node in the network in order to maximize the probability of exchanging as many messages as possible. However, there comes a cost with every opened connection. The state of each con- nection must be managed by the node, and since nodes are usually constrained devices, this can cause an excessive CPU usage, which may result in quick battery depletion. More importantly, a higher number of connections increases contention for access to a shared wireless channel. Although connections are logically parallel, the underlying wireless channel is shared across all nodes, and in the given instance of time, only a single node can transmit a packet. Kärkkäinen et al. [118] study performance of message dissemination and have concluded that a full-mesh network topology does not scale beyond 10 nodes. They identify the phenomenon called request-stacking, which causes exponential growth of a number of messages that must be exchanged between all nodes in the network in order for them to get their storage synchronized. They conclude that communication can be significantly optimized by using a limited topology (i.e., a topology in which a node opens a limited number of connections to other nodes). The most optimal results are achieved in the scenario with a 1-link limited topology. Node topology control can also use social input to determine with which node

16 Opportunistic networks background

Shortest Path Random First algorithms replicaon DTN roung

Ulity based Tree algorithms Determinisc Stochasc replicaon

Space-me Others algorithms

Movement Coding Model Social control based based based protocols protocols protocols protocols

Figure 2.3. Classification of DTN routing approaches.

another node should open a connection. In Publication II and Publication III, we present privacy-preserving mechanisms for discovering common friends and the distance on the social graph between two users. These mechanisms can be used as cues for a node topology control algorithm. DTN routing protocols. The architecture of DTN does not define any spe- cific routing protocol, because characteristics of the network may vary alot between different environments. For example, in a rural network, topology can be known, but connectivity outages can be unpredictable, while in a mobile ad-hoc network all contacts are opportunistic. In general, there are two main approaches to routing in DTN: deterministic and stochastic [190]. Figure 2.3 presents various approaches to DTN routing. Deterministic routing assumes the ability to determine a space-time end-to-end path before a message is actually transmitted. Since in opportunistic networks contacts are in the majority of scenarios opportunistic, deterministic routing does not play an important role in them. For the sake of completeness, we briefly mention that, depending on the network environment, deterministic routing may involve shortest path first algorithms [112], tree algorithms [104], or space-time algorithms [136]. In the rest of this section, we concentrate only on stochastic routing. Stochastic routing can be divided into three main approaches (see Figure 2.3). The first approach includes all protocols based on a random message replication. The second approach involves all protocols that use a utility function, which is a function that evaluates how the transmission of a message increases the probability of message delivery. The utility function is used to decide whether a message should be replicated to an encountered node. The third group of

17 Opportunistic networks background approaches consists of techniques that do not involve message replication. Move- ment control protocols and model-based protocols try to make use of knowledge of node movements in the network. Thus, they have no real application in opportunistic networks, and we consider them outside the scope of this work. Coding-based protocols apply the concept of erasure coding, while social-based protocols use social network information to route messages in the network. All major routing protocols were published before 2012. While there has been con- tinuous research work in the field, there have been no major contributions since then. In the rest of this section, we provide a brief overview of the most cited DTN routing protocols. Random message replication protocols can be divided into two groups, namely a single copy replication and a multi copy replication. Single copy routing protocols are based on the concept of having just one copy of a message in the network. These protocols have been proposed for environments in which resources are very scarce [173]. Limiting to just a single copy of a message decreases usage of node energy and likelihood of network congestion. The primary example of the single message copy routing protocol is Direct Transmission. In this protocol, a node forwards a message only if a node that is a destination of the message is encountered. Another type of protocols in this group are randomized protocols in which the message is passed between two nodes with some probability. First Contact [112] is an example of such a protocol with the rule that the message is always passed between two nodes. Multi copy routing protocols are based on the concept of creating multiple copies of a message to find a route to a destination and minimize the possibility of message loss. The primary example in this group is Epidemic routing [183]. In Epidemic routing, two nodes, when entering into a contact, exchange summaries about the messages they carry. After that, messages that are not present on the node but are carried by the other node are replicated to the node and vice versa. This process may lead to an uncontrolled number of copies of the message in the network, which may lead to unwanted congestion. The second protocol example in this group is Spray- and-Wait [170, 172]. It works by initially creating and sending a limited amount of message copies (spraying), which are carried into a destination (waiting). In this protocol, unlike in Epidemic routing, the number of message copies always remains under control.

18 Opportunistic networks background

Utility-based routing protocols take advantage of previous encounters between a pair of nodes to find a node that is likely to get in contact with a destination node in the future. PRoPHET [130] is the routing protocol that calculates for each node a metric called “delivery predictability”. This metric measures how “useful” a given node is in terms of message delivery. The predictability metric is increased when an encounter between the node and the destination happens. Similarly, it is decreased if no such encounter happens for a considerable amount of time. The metric also has a transitive property which measures the likelihood of a message delivery through another node. The updated version of the protocol called PRoPHETv2 [101] was published as RFC 6693 [129]. Although utility-based routing protocols make better routing decisions than random message replication routing protocols, they suffer (especially in large networks) from a “slow-start” phase, i.e., if source and destination nodes are far apart, most nodes around the source do not have enough utility score to become message next hops. The Seek-and-Focus protocol [173] addresses this issue by merging random and utility-based approaches. It begins with a random routing to find a promising lead towards a destination, and after that it switches to a utility-based routing to deliver the message. Furthermore, Spray-and- Focus [171] is the protocol that merges the ideas of Spray-and-Wait and Seek- and-Focus. In this protocol, after the “spray” phase, utility-based routing is used (i.e., if an encountered node is more likely to meet the destination, the message is forwarded to the node). MaxProp [67] is the protocol that prioritizes the transmission of messages based on the path likelihoods to other nodes according to historical data and several other components. In addition, it tackles the congestion problem by using successful message delivery acknowledgements to delete copies of the delivered messages. RAPID [54] is the routing protocol in which routing is considered a problem of utility-driven resource allocation. It uses a utility function to find out which messages should be replicated first upon encounter with a node in order to increase their utility. A similar algorithm is also used for selecting messages that need to be deleted when congestion occurs. All previous approaches to routing in opportunistic environments were based either on sending multiple copies of the same message over different network paths, which may create significant overhead, or on using a utility function to evaluate message forwarding benefit. In the erasure coding-based approach, a message is converted into a larger set of code blocks in such a way that receiving any sufficiently large subset of created code blocks is enough to reconstruct the original message. This distributes the responsibility of forwarding a message

19 Opportunistic networks background across more nodes, while maintaining a fixed overhead [185]. Social-based routing protocols assume that there are two types of neighbors for a node: friend or stranger. They further assume that the node has more common interests and is more likely to get in contact with a friend than with a stranger. Based on these assumptions, results by Zhang et al. [189] indicate that if a friend is encountered, the node should forward the message which is the most similar to their common interests. Similarly, if a stranger is encountered, the node should forward the message which is the most distant from their common interests. SimBet [77] uses the concepts of network similarity and betweenness [95]. Similarity is the metric that quantifies how a node is capable of connecting with other nodes. Betweenness describes a node capability to facilitate interactions between nodes that it links. Since calculating these metrics requires knowledge of the whole network topology, they are computed locally using an ego network representation of the network [88] and used as input for a utility function. When a node gets in contact with another node, they exchange the summary vectors containing a list of destination nodes they are carrying together with their betweenness and similarity values for each destination. After that, the node calculates the value of the utility function for each destination in the summary vector for itself and for the other node. If the node has a higher value of the utility function for a particular destination, it requests that the other node transfers all messages to that destination. The other node deletes requested messages. Performance results show that SimBet achieves delivery results at the comparable level to Epidemic routing with much lower overhead. Another important social-based routing protocol is BUBBLE [109]. It uses knowledge of community structure and centrality of each node in the social network to make routing decisions. The message keeps being forwarded whenever a node with a higher centrality rank is encountered until it reaches the node in the community of the destination. Afterwards, the same strategy of forwarding messages to the nodes with higher centrality within the community of the destination continues until the destination node is found. BUBBLE achieves delivery results comparable to SimBet with lower overhead. Finally, PeopleRank [141] borrows the concept of the PageRank [65] algorithm to identify the most popular nodes in the network and use it for making routing decisions. The routing protocols described above do not address the problem of fair traffic distribution among nodes in the network, as only a small subset of nodes carry the majority of network traffic. Fair Routing [156] addresses this issue by applying perceived interaction strength [100] and assortativity for making routing decisions. Assortativity is a preference for nodes to attach to

20 Opportunistic networks background other nodes that are similar in some way. Fair Routing prefers forwarding a message to a node that has a better perceived interaction strength and limits communication with nodes that have limited importance in the network (i.e., have low assortativity). Bulut et al. [66] propose the solution based on Social Pressure Metric (SPM), a measure of social pressure that motivates friends to meet and share their experiences. The reciprocal of SPM is defined as the link quality, and each node defines its friendship community as a set of nodes that have a higher link quality than some threshold. The node encountering another node forwards message to it only if the encountered node belongs to a friendship community of the message destination node, and the encountered node has a better link quality with the destination node. As part of the contributions of this thesis, we have built tools that can be applied to improve both routing and forwarding in opportunistic networks. In Publication IV, we propose enhancing the opportunistic networks with web technology. Consequently, we investigate the possibility of using web storage as a mechanism for carrying messages to increase overall network capacity. In addition, Publication II and Publication III describe privacy-preserving mechanisms for discovering common friends and the distance on the social graph between two users, which can be used as cues in various forwarding problems and social-based routing protocols.

2.3 Security

The majority of communication in the Internet happens between a client and a server over TCP [29] and is secured by usage of Transport Layer Security (TLS)[160] protocol. Secure communication is initiated by the TLS handshake, which requires multiple round trips between the client and the server, and the session key is established either by the Diffie-Hellman key exchange or by client’s encryption of a random number by the server’s public key. The server (or mutual) authentication is guaranteed by means of digital certificates issued to the server (and client) by trusted Certificate Authority (CA). Finally, Certificate Revocation List (CRL) allows an entity to find out whether private keys of the other entity have been compromised. This whole mechanism assumes the existence of an end-to-end path between the client and the server as well as the availability of Public Key Infrastructure (PKI) and CA, which are not guaranteed in opportunistic networks.

21 Opportunistic networks background

Challenges of security in opportunistic networks are not limited to secure com- munication channel establishment. Since mobile nodes participate in message routing and have limited resources in terms of battery life, memory, storage capacity, and network bandwidth, they may want to control whose messages they forward (e.g., messages received only from social network friends) in order to avoid having their resources depleted. This kind of policy-based routing requires that nodes are able to authenticate the message sender as well as intermediary nodes and verify integrity of received messages. Furthermore, since messages may carry personal data, intermediate nodes should not be able to learn about the content of the message. All these requirements motivate end-to-end authen- tication, hop-by-hop authentication, and end-to-end confidentiality. End-to-end confidentiality is traditionally realized by a sender encrypting a message with a recipient-specific key. In the Internet, this is not a big issue, as the majority of communication is of client-server type, so it is enough to get the server public key via PKI. As in the opportunistic network PKI is usually not available, the only other traditional approach is to equip the sender in advance with public keys of all network recipients, which is not a scalable solution. The second security issue in opportunistic networks concerns reliable estab- lishment of trust between users. We define trust as belief that the identity of the user is authentic and his or her intentions are honest. In the Internet, validation of the user identity can be achieved by CA through PKI, whereas honesty of in- tentions can be evaluated using reputation systems or with personal experience if the identity of the person is known. In the opportunistic networks, lack of reliable access to PKI makes ensuring a valid binding between the identity and the user a challenge, which allows malicious nodes to masquerade as different node identities and generate fake node identities (a.k.a Sybil users) [84]. This can have a profound effect on service reliability, as malicious nodes may return erroneous data or affect the routing process. The third security issue in opportunistic networks is caused by message frag- mentation (described in 2.1). If a message gets fragmented either by a sender or an intermediary node, other intermediary nodes and a message recipient must be able to verify the origin and integrity of all received fragments. Although ver- ification by intermediary nodes is not strictly needed, it improves management of network bandwidth, as broken fragments can be dropped by them instead of being forwarded to the message recipient. In the traditional authentication mechanism, the sender calculates a hash over the entire message body, signs it with the private key, and attaches it to the message. This approach is not practical in opportunistic networks, because if a connection is disrupted in the

22 Opportunistic networks background middle of the message transfer: 1) it is impossible for the receiving node to verify integrity of the received part of the message, and 2) the sending node cannot just send the remaining part of the message using another network path, but rather it must either wait for the original connection recovery or send the whole message again using a different network path. Consequently, in the rest of this chapter, we report on the research work in the area of security in opportunistic networks. We begin with the description of Bundle Security Protocol, followed by the review of key and trust management, security initialization, and fragment authentication. Bundle Security Protocol. Bundle Security Protocol [93], standardized in RFC 6257, provides solutions for guaranteeing message hop-by-hop authen- tication, end-to-end authentication, and end-to-end confidentiality. It defines 4 blocks that are added to a message as extension blocks (defined in Bundle Protocol specification [165]), namely the Bundle Authentication Block (BAB), Payload Integrity Block (PIB), Payload Confidentiality Block (PCB), and the Extension Security Block (ESB). The protocol assumes that all nodes involved in the communication have all necessary keys to execute cryptographic operations and leaves the problem of key management outside of its scope. BAB ensures the integrity of a message between two adjacent nodes (hop- by-hop authentication). PIB ensures the authenticity of a message between the message sender and the destination (end-to-end authentication). If it is applied, the PIB block must be calculated before the BAB block. PCB ensures the encryption of a message between the message sender and the destination (end-to-end confidentiality). ESB provides protection for non-payload parts of a message (e.g., metadata). The standard takes advantage of ciphersuites to define how the cryptographic algorithms should be applied to process the security blocks on the receiving intermediary or destination node. Finally, the protocol defines the concepts of a security zone, a security-source, and a security-destination. This allows the division of security control over multiple network organizations and provision of security for constrained devices that may not have cryptographic capabilities natively supported. However, these use cases are beyond the scope of this thesis. Key management. Secure key distribution is essential to fulfill security re- quirements of message integrity, authenticity, and confidentiality. As mentioned in the introduction to this subsection, in the Internet it is realized through availability of PKIs. In the opportunistic networks, access to online servers for fetching public keys and checking certificate revocation list cannot be as- sumed [167].

23 Opportunistic networks background

To address this problem, Seth et al. [167] propose to use Identity Based Cryp- tography (IBC)[63] for secure key distribution in disconnected environments. They argue that IBC is well suited in such environments, as a recipient pub- lic key can be easily derived by a sender just from the recipient’s identifier (e.g., email) and system-wide parameters generated by the Private Key Gener- ator (PKG). Similarly, message recipients (both intermediary and destination nodes) can easily verify its integrity and authenticity. The problem of checking for revoking the rights of compromised nodes and malicious users is addressed by using time-based keys [90], in which a signing key is valid for a short period of time (e.g., a day). Consequently, the user identifier is concatenated with a description of the validity period and used together as the input for the key generation. The message recipient uses the identical method for deriving the appropriate public key. To verify this concept, Asokan et al. [51] study applicability of IBC for providing message integrity and authenticity as well as end-to-end confidentiality and compare it with the traditional PKI approach. They conclude that, in terms of message integrity and authenticity, IBC does not provide any significant advantage in opportunistic networks in comparison to the traditional approach, because CA can also issue short-lived certificates, while the signing keys can still remain long-lived. In such a scenario, the sender signs the message with the private key and ships the certificate with the message itself. Overhead to the message size introduced by the certificate is not significant. The recipient can verify whether the message is correctly signed and the accompanied certificate is recent enough. On the other hand, they also conclude that IBC offers some advantage in comparison to the traditional PKI approach in terms of end-to-end confidentiality. IBC enables encryption of the message without possessing the public key of the recipient. They show that a similar effect can be obtained in the traditional approach by using a dedicated key server. However, unlike in IBC, where the recipient can fetch the private key before receiving the message, in the traditional approach the recipient must have network connectivity with the key server at the time of the message reception to decrypt it. Otherwise, the decryption is postponed until the connection to the key server is available. Ur et al. [182] present a security architecture that includes physical and cryptographic mechanisms to protect Internet kiosks. Based on this concept, Ma et al. [132] propose the use of Internet kiosks as PKGs for users’ private key generation. Unfortunately, this solution does not guarantee an authenticated binding of a user to his or her claimed identifier.

24 Opportunistic networks background

In Publication I, we describe PeerShare, a system that can be used by applica- tions to securely distribute sensitive data to social contacts of a user without the need for continuous Internet access. We argue that the system can also be used to distribute public keys. Security initialization. As presented above, key management in opportunis- tic networks is a challenge. What’s more, bootstrapping opportunistic networks security remains another difficult problem. As a potential solution, Asokan et al. [51] suggest using existing mobile network infrastructure, since it is the most widely available authentication scheme. El Defrawy et al. [85] propose making use of social information like knowledge of current and previous affiliations or social contacts of peers in order to establish an initial security context between two nodes that have no security relationship. They propose the distribution of keys (either shared or private/public) within some affiliated entities (e.g., college, common friends, etc.) and use them to ensure secure communication between two nodes. Publication I proposes a similar approach in which sensitive data (e.g., shared secrets) can be securely distributed among social network contacts. Trust management. The main purpose of establishing trust between nodes is to defend against malicious nodes that can conduct Sybil and black hole attacks. In the Sybil attack [84], a malicious node creates multiple identities in the network to get a larger influence in the network. The black hole attack [159] is a type of Denial of Service (DoS) attack. In this attack, the malicious node drops the message in the network, having tricked other nodes into sending the message to it by pretending to be the message destination node or its direct neighbor. Capkun et al. [68] propose bootstrapping trust by allowing users to build certificate chains (similar to the Pretty Good Privacy system). This solution assumes unconditional transitivity of trust along the chain path. Trifunovic et al. [181] use social trust to detect Sybil attacks. They define two types of social trust. Explicit social trust is built on consciously created social ties which are calculated as a function of social graph distance (i.e., the number of hops between users) and number of interconnections. It creates trust that the identity is not a Sybil identity and validates honesty of the user’s intentions, as he or she has paired willingly. Thus, his or her misbehaviour can be easily identified. Implicit social trust takes advantage of mobility patterns to convey trust in the persistence of identities. Validation of honest intentions is not directly achieved, but persistent identity makes identification of a Sybil user easy. The resulting solution is used for building an integrated framework for the secure content

25 Opportunistic networks background dissemination PodNetSec [178], which is built on top of PodNet [135]. In another work, Trifunovic et al. [180] define environmental trust as the metric based on nodes’ familiarity to other nodes. Although this method is not as secure as social trust, it works without the necessity of user interaction. MobID [157]isa node defense system that divides encountered nodes into two networks, namely friends (i.e., honest nodes) and foes (i.e., suspicious nodes). The node using these two networks is able to determine whether an unknown node is carrying out a Sybil attack. SybilDefender [186] is another mechanism for defending against the Sybil attacks. It performs random walks within the social graphs to detect the Sybil community around the Sybil user. The similar concept of context familiarity is explored by Gupta et al. [102] to evaluate the safety of a given environment. To prevent black hole attacks, Li et al. [125] developed a reputation based framework to evaluate the competency of an encountered node to deliver a message to a destination. In their follow-up work [126], they integrated it into PRoPHET to demonstrate its effectiveness against black hole attacks. Raya et al. [158] argue that the traditional notion of trust as a relation be- tween users is not sufficient in ephemeral ad-hoc networks. They introduce the notion of data-centric trust, which is defined as trustworthiness attributed to node-reported data. They introduce the framework for data-centric trust estab- lishment, whose validity is inferred based on the Dempster-Shafer theory [168]. Publication II and Publication III propose privacy-preserving mechanisms for discovering common friends and the distance on the social graph between strangers. These mechanisms can be used as cues for trust establishment in opportunistic networks. Fragment authentication. Partridge [151] presents a secure message frag- mentation scheme, called the “toilet paper” approach. The basic idea is to checkpoint data into fragments by means of a cryptographic hash at specified intervals and include hashes together with a signature in the message. As a result, any intermediary node can authenticate the fragment given the hash and the signature. This approach is enhanced by Asokan et al. [51]. Furthermore, Partridge [151] proposes authenticating fragments using a special authenti- cation function. Unfortunately, no efficient construction of such a function is given.

26 Opportunistic networks background

2.4 Opportunistic network applications

Unlike traditional applications in the Internet, an application operating in the opportunistic network must be designed to meet certain requirements. First of all, it must be delay-tolerant (i.e., not expect an instantaneous response). Furthermore, as there is no guarantee that all messages will be delivered to the recipient, it should also be robust to work properly with only a subset of delivered messages. As messages are not guaranteed to be delivered in their sending order, the application should have only loose demands on serialization. Lack of permanent access to the network infrastructure may cause clock devices to get skewed. Thus, the application should not set very strict time synchronization requirements. Finally, protocols using handshakes (e.g., challenge-response, feature negotiation mechanisms) [89, 147] should be avoided. Consequently, Bundle Protocol described in the Section 2.1 meets these requirements. From the perspective of the facilitation of application development, messages should be self-contained, i.e., carry the entire content, the necessary context for its interpretation, and possibly required credentials. Finally, the results of protocol operations should be idempotent and dependencies between messages should be minimized. For more than a decade, researchers have been actively searching for the “killer” application that will supposedly boost user engagement in opportunistic networks. The research community tried to find an application in the following four categories: cellular network offloading, communication in challenged areas, censorship circumvention, and proximity-based applications [179]. Cellular network offloading seems to be the most natural use case in the developed countries. The main motivation behind this use case is exponential mobile traffic growth generated by the mobile customers. There are some widely cited applications proposed in this area. Balasubramanian et al. [55] and Ott et al. [150] have demonstrated how classic web browsing can be realized in the opportunistic environment. Lenders et al. [123] have designed a broadcasting solution to share and distribute multimedia content in the opportunistic network. The cellular network offloading use case was severely limited in the recent years by wide deployment of 4G mobile technology that greatly increased mobile network bandwidth, abolition of roaming charges in the European Union, and wide adoption of mobile subscription plans with flat/unlimited data volume. On the other hand, the mobile operators still struggle to provide a satisfactory user experience for large crowd events like festivals. They try to mitigate the problem by deploying smaller cells and significantly over-provisioning the in-

27 Opportunistic networks background frastructure, which is costly and does not solve the problem of unexpected traffic peaks. Trifunovic et al. [179] suggest that the operators can offload their infras- tructure by seeding content to some devices in the crowd, which can distribute it to others in the area. Surprisingly, despite obvious economical benefits, there are no such widely deployed applications. At the moment, HyCloud [78]isthe only opportunistic network prototype for mobile data offloading. Communication in challenged areas is the most natural use case for opportunis- tic networks, as they assume lack of access to network infrastructure. There are three potential reasons behind infrastructure unavailability. It can be destroyed by a natural or man-made disaster, there can be a lack of economical benefit for building and operating infrastructure in an area (e.g., sparsely inhabited region), or it may be inaccessible in an environment (e.g., high radio interference in shipyards hindering successful communication). The example of application designed for the disaster is Twimight [108]. It is the version of Twitter adapted to work in case of disastrous scenarios. Application users can “tweet” without infrastructure access, and the platform additionally allows for the dissemination of sensor data to provide essential rescue information (e.g., location of drinkable water sources). Examples of applications built for areas where it is economically infeasible to build the network infrastructure include Goose, MobiClique, and D-Book. Goose [184] is a social network service architecture for developing regions that depend on opportunistic networks and infrastructure access. It provides services for friend and resource sharing as well as for information seeking. MobiClique [152] is an opportunistic network middleware that sup- ports applications for mobile social networking, asynchronous messaging, and epidemic newsgroups. Similarly, D-Book [71] is the social network application for the opportunistic networks. Finally, as the example of an application for an environment where infrastructure will never be physically available, Ginzboorg et al. [97] describe the deployment of the opportunistic software system in the chromium mine. It involves trucks, worker’s phones, and other mobile devices to exchange data between an operator console and distant mining equipment. At the moment, very few opportunistic applications are available on the market. Spacetime Networks [20] uses SCAMPI to deliver reliable communication services in challenged environments, such as mines or underground tunnels. Uepaa! [23] is an alpine safety application used for communication within regions lacking cellular coverage. Open Garden [15] offers FireChat, a public and private message communicator working without cellular access. FireChat has proven to be useful as a communication tool during some past natural disasters (e.g., flood in Kashmir, hurricane in Mexico, etc.). Finally, goTenna [12] offers a connectivity

28 Opportunistic networks background

“box” that can be paired with a smartphone to deliver location and messaging services without cellular access. Opportunistic networks may offer a feasible alternative to the traditional Internet communication in regions where freedom of speech is violated by op- pressive institutions [49, 72, 142]. Furthermore, in developed countries, large Internet service enterprises lack free speech protection mechanisms and act as almighty censors either for business reasons, or if they are forced by govern- ments (e.g., German government compelling Facebook, Google, and Twitter to police “hate speech” on their platforms [31]). Due to the nature of opportunis- tic networks, interception or jamming of communication links is much more difficult. Furthermore, it is also much more difficult to identify an individual user, especially in crowded areas. Rangzen [92] presents an opportunistic-based mobile microblogging system with trusted message propagation guaranteed by use of social graphs and private set intersection protocols. MoP–2–MoP [166] is a decentralized privacy-preserving microblogging infrastructure based on a distributed peer–to–peer network of mobile users. It is resistant to censorship by re-randomizing encryptions when redistributing messages in the network. Finally, the already mentioned FireChat proved its usefulness during the Hong Kong protests in 2014 [10]. Proximity-based applications is another promising use case for opportunistic applications. In this use case, the application makes use of co-location of devices to provide additional services (e.g., proximity social networking) on top of locally available resources. This concept is presented in the Floating Content [148] project where each content item can be disseminated within a defined geographic area. Proximity-based applications can be realized both with and without a local infrastructure support. Liberouter is an example of proximity-based services built with the infrastructure support. Examples of potential services built without the infrastructure support include digital graffiti, collaborative sensing, regional chat, and local auction [149]. Unfortunately, until now proximity-based applications failed to succeed mostly due to the lack of an obvious business model and the presence of already available similar services which are delivered with a traditional cloud approach. Out of existing applications, we can notice Chen et al. [69], who present a collaborative music sharing system based on the jukebox concept. The main motivation for the system is to allow users to share music content (without infringing copyrights) by streaming it to a central unit (jukebox) so that others can enjoy the music as long as they are in close proximity. Ateneo On Fly [133] is a system for supporting mobile sharing applications in university campus networks. Finally, during the course of this thesis work, we

29 Opportunistic networks background have developed and successfully deployed three proximity-based applications. SpotShare [143] is an application that provides secure and privacy-preserving tethering services to nearby users. nearbyPeople [143] is an application that allows a user to discover common friends in an online social network among his or her neighbors without revealing his or her identity. Both of these applications are direct derivatives of work presented in Publication II and Publication III. Here & Now [115] is an experience sharing application that provides messaging and media content sharing services to the users in a close proximity. It had a proof–of–concept launch during Expo 2015 in Milano, and based on user feedback, it was extended to contain a web interface as part of Publication V. The new research directions in finding applications for opportunistic networks involve opportunistic mobile sensing and opportunistic mobile computing [179]. Opportunistic mobile sensing [122] aims to use widely-available sensing devices to study human behaviors and socio-economic relationships in the physical world. Opportunistic mobile computing [73] expands the concept to software and hardware sharing and remote task execution in a trusted and secure way. It is expected to provide value in pervasive health, intelligent transport systems, and crisis management [179]. Publication V provides a framework for such an environment.

2.5 Practical opportunistic network systems

Years of research in the area of opportunistic networks have resulted in the development of practical opportunistic network systems. In the first part of this section, we briefly describe the most prominent of them. The second part is dedicated to a more detailed explanation of SCAMPI and Liberouter, which constitute building blocks for this thesis. Opportunistic network platforms. The Haggle architecture [164] has laid the foundation for many system implementations [164, 174]. It offers asyn- chronous communication, data distribution, and publish-subscribe primitives for web-email and content sharing applications. The MobiClique platform [152] described in Section 2.4 is based on the Haggle architecture. The 7DS [139] is a system providing asynchronous object-based synchronization mechanisms for mobile nodes without access to the Internet. It can be used for applications like file sharing and building community bulletin boards. Helgason et al. [106] developed a platform for content sharing applications. It also provides a gate- way functionality to interact with content available in the Internet. They also propose mobile social networking, local quizzes, and sensor data relaying as

30 Opportunistic networks background applications that can be run on the platform. The Intentional Networking [107] is a communication platform that provides a unified networking interface that interconnects multiple underlying network technologies (e.g., Bluetooth, etc.). It allows applications like email or vehicular sensing systems to express intent about which underlying network technology is the best suited for the application use case. IBR-DTN [163] is a lightweight implementation of the Bundle Protocol, which is well-suited for embedded devices. Community networks. Community networks aiming at extending Internet connectivity have been deployed in many rural and urban areas. Prominent examples of networks deployed in the urban environments are Athens Wireless Metropolitan Network [35], Freifunk [37], and Funkfeur [38]. Public Access Wifi Service is a British academic project that deployed a community network in which users share a fraction of their unused home broadband bandwidth with people who are not able to afford the cost of the broadband [162]. In terms of deployment in rural areas, Ishmael et al. [110] deployed a wireless mesh network in the area of Wray near Lancaster, UK. Guifi.net [39]isa very successful large community network in a rural area of Catalonia, Spain. There are also very successful deployments of community networks in developing countries. Matthee et al. [134] present the wireless mesh network called LinkNet, which was deployed in the rural area of Macha (southern Zambia). The network provides Internet access by a satellite link. TakNet [124] is a community wireless mesh network deployed in the rural areas of northern Thailand. It uses ADSL routers to provide Internet connectivity with a cheap subscription fee. SCAMPI. SCAMPI [154, 117] is the opportunistic network platform that imple- ments the network layer middleware enabling message delivery in the store- carry-forward paradigm. The middleware can be run on any platform that supports Java Virtual Machine, including Android, Linux, Mac OS X, and Win- dows. Figure 2.4 illustrates the architecture of the SCAMPI platform. SCAMPI router provides functionality of nearby nodes (a.k.a peers) discovery, message storage and transport, geographically constrained content distribution, content search, and publish-subscribe API for applications. Discovery mechanisms include IP multicast/broadcast beaconing, TCP unicast discovery, and subnet scanning for known ports. After peers have been discovered, the link is opened between them, which is used for exchange of messages between them. The underlying design follows the opportunistic network architecture described in Section 2.1 with TCP Convergence Layer (TCPCL) used for message transport. The only currently supported routing protocol is Epidemic routing [183]. Geographically

31 Opportunistic networks background

Figure 2.4. SCAMPI platform architecture [117]. The whole opportunistic network functionality is handled by SCAMPI router which runs within Java Virtual Machine. The router provides an API for applications to exchange data over native TCP API. HTML5 shim works on top of the native API to provide bindings for platform independent development of applications in HTML5 and JavaScript. constrained content distribution is implemented based on the floating content concept [148] and added as the platform extension. The router provides a native TCP API that an application uses for exchanging messages in the publish-subscribe pattern [60]. This messaging pattern is very well suited for opportunistic networks, as the message sender (publisher) does not set specific message recipients (subscribers), but instead assigns the message into topics. Subscribers express interest in receiving messages from a particular topic and only receive messages that are of their interest. Furthermore, the API provides a structured message format that is formatted to Bundle Protocol bundles. In addition, the API allows also to add metadata to a message, which are used by the router in the content search functionality. Finally, SCAMPI provides the HTML5 shim which works on top of the native TCP API and that

32 Opportunistic networks background allows the development of native opportunistic applications using HTML and JavaScript. Liberouter. Liberouter [116] is a framework for building cheap community networks. It offers robust communication between nearby users, facilitates creation and distribution of new applications within the neighborhood, and provides limited infrastructure assistance for running services. The main moti- vation behind the architecture is to build a community network from inexpensive infrastructure components that are self-supplied by users. Liberouter design uses concepts derived from opportunistic networking. A strict opportunistic networking model is not very practical, because if the density of nearby peers is low, physical co-location is rare and necessity of continuous peer discovery may not meet battery requirements. In addition, the majority of mobile devices are optimized for communication using infrastructure networks (e.g., WiFi access points) and have poor/non-existent support for direct peer–to– peer communication. In the opportunistic approach, Liberouter relies on direct peer–wise contacts to exchange messages. However, it does not require direct device–to–device contacts, as it provides autonomous “opportunistic routers” that mobile devices can connect to exchange messages with. This solution relaxes very strict requirements on physical co-location of devices and continuous discovery. By providing infrastructure components, Liberouter is similar to a throw- box [56, 191]. However, unlike throwboxes, it does not aim to improve the performance of a routing algorithm in a one–to–one message scenario, but rather it is designed to facilitate content publishing with an open access. Liberouter is built using inexpensive components in a do-it-yourself fashion. It combines a cheap computing platform like RaspberryPi1 or Intel Edison2 with SCAMPI as the opportunistic router. Each Liberouter instance can bootstrap and provide services to nearby mobile devices. The Liberouter appears as an ordinary open WiFi hotspot. Upon connecting to it, the user can access a web portal, which can be used to download and install the mobile version of SCAMPI and other opportunistic applications. Mobile de- vices close to the Liberouter hotspot and running SCAMPI discover Liberouter automatically, connect to it, and exchange messages with SCAMPI running on Liberouter without user interaction.

1https://www.raspberrypi.org/ 2https://software.intel.com/en-us/iot/hardware/discontinued

33 Opportunistic networks background

2.6 Summary

This chapter of the thesis provides an overview of research work in the area of opportunistic networks and is aimed to provide background information for understanding the next chapters. The architecture of opportunistic networks is based on the assumption that end-to-end connectivity between communicating parties cannot be guaranteed. This also makes traditional routing and forward- ing mechanisms not applicable in opportunistic networks. Bundle Protocol is the communication protocol designed to overcome connectivity limitations in opportunistic networks. A lot of research work has been conducted in the field of DTN routing protocols. However, a lot more work needs to be done in the area of node topology control. The biggest challenges in the security of opportunistic networks stem from consequences of lack of PKI availability. These are key management, security initialization, and trust establishment. Finally, despite many years of research and holding a promise of improving global network con- nectivity, the market for opportunistic network applications is still very small, and there are very few practical deployments of opportunistic networks. This chapter concludes the background information about opportunistic net- works covered in this thesis. In the next chapter, we will discuss privacy en- hancements in opportunistic networks.

34 3. Privacy enhancements in opportunistic networks

Recall from Chapter 1 that service security and privacy is becoming a growing concern nowadays. In order for a service to be truly successful and engage many users, it most importantly must gain their trust. This makes service security an important aspect. However for the majority of services, security features rarely provide obvious product value for their users. Furthermore, security is usually considered to be difficult for developers lacking expert knowledge. This motivates building usable security mechanisms that can be easily applied by developers lacking advanced security skills. Consequently, in our work we build usable security systems, which set requirements that a system must be secure, easy to use, and inexpensive to deploy, as presented in Figure 3.1. In our opinion, these systems have an even more prominent role in opportunistic networks, as security solutions for them are less mature than in Internet services. In addition, it seems intuitive for the growth of the market of opportunistic applications to provide developers working in the opportunistic and community networks domain with cheap and easy-to-use security mechanisms. Recall from Chapter 2 that very often a user of a service or a service itself needs to make trust and/or access control decisions involving other (potentially unknown) nodes. For instance, a routing service must manage its connection topology by selecting a set of nearby nodes which it wants to open connections with. Similarly, a network tethering application must have a means of controlling which nodes can access its service. We argue that the existence and the strength of social relationships are important factors that can drive user or service decisions. An example of a practical indicator of a social relationship strength is the length of the social path between two people. Furthermore, there are other social factors like common interests that can be used for measuring the strength of a social relationship. All of these social factors can be combined to form a set of the user’s social attributes. While most existing online social networks allow users to see what they have in common with other users and discover the length

35 Privacy enhancements in opportunistic networks

Figure 3.1. Mobius triangle illustrating the concept of usable security systems. Figure thanks to courtesy of Professor N. Asokan. of the social path between them, they do it in a centralized way, thus requiring on-demand access to the Internet. Moreover, by requesting an online social network service, users reveal their location to the service and other users they have an interest in. In this chapter, we aim to contribute to the first question of the research problem that we have stated in the Introduction: How can we enable privacy-preserving discovery of social attributes between local people? We begin addressing this question in Publication I by building PeerShare,a system for secure data sharing that we use as the building block for our further work. In Publication I, we present the design and implementation of the system that can be used by an application to securely distribute sensitive data to the social contacts of a user. PeerShare provides a generic framework that enables an application to share data with different security requirements. Furthermore, by using interfaces of popular online social networks, it is designed to be usable both for end users and developers of applications. PeerShare can be used to distribute shared keys, public keys, and any other data with authenticity or confidentiality requirements to an authorized set of recipients, specified in terms of a social relationship. In Publication II, we present the Common Friends service, a framework for discovering common friends which preserves the privacy of non-mutual friends and ensures authenticity of friendships. We begin by presenting an overview of existing solutions and arguing that the problem can be reduced to secure computation of a set intersection, provided that authenticity of claimed friends is ensured. After that, we propose an efficient cryptographic protocol that incurs only a constant number of public-key operations, guarantees low communication

36 Privacy enhancements in opportunistic networks overhead, and does not depend on any access to network infrastructure. This enables using our solution in mobile and opportunistic environments. Further- more, our service is designed in such a way that developers can easily integrate it into their applications to build functionality on top of it (e.g., enforce access control decisions). In Publication III, we extend our work from Publication II by building Social PaL, a system for privacy-preserving discovery of arbitrary-length social paths between any two social network users. Similar systems proposed in the past, including Common Friends, have suffered from bootstrapping problems, as pro- tocol results depend on the number of users of the system. In this work, we have overcome this issue, showing that Social PaL is able to discover all paths of length two and a significant fraction of longer paths, even when only a small fraction of social network members are Social PaL users. We conclude this chapter with a summary in which we explain how all of these contributions can be applied to building secure and usable services in opportunistic networks.

3.1 PeerShare: A System Secure Distribution of Sensitive Data Among Social Contacts: Publication I

Motivation. Key management has been a very challenging problem in assuring a secure communication in the network. Despite years of presence of public-key technology, which intuitively simplifies key management, deployment of PKI in the Internet is limited [103], and its availability in the opportunistic network cannot be guaranteed at all. The current decade, as mentioned in Chapter 1, is also a time of tremendous increase of online social network popularity, which has created the market for applications using social graph data. The most important advantages of online social networks in the context of social graph data access are:

• the common user authentication by means of the Single Sign-on service and the OAuth protocol,

• the global availability of popular social networks wherever there is Internet connectivity and networks are not censored or blocked,

• the ability for users to express social relationships using an intuitive term (e.g., “friends", etc.)

37 Privacy enhancements in opportunistic networks

Figure 3.2. PeerShare architecture. PeerShare Service consists of the Bindings database, the PeerShare API and the PeerShare communication module. The communication module authenticates a user with the social network server and is responsible for: (1) uploading to the PeerShare Server data that the user wants to share and (2) downloading data from the server that are shared by other social network users with the user. Downloaded data are stored in the Bindings database. The PeerShare API provides access to shared data for applications.

The starting point for this work was the observation that online social net- works can be used to facilitate the distribution of authentic public keys [144]. We have generalized this concept to design a generic framework (called PeerShare) that allows the distribution of arbitrary application data (e.g., shared secret keys, public keys, other sensitive data) to a specific set of social contacts. Similar systems have also been developed by Backes et al. [52] and Jahid et al. [111]. However, those systems require users to explicitly specify social relationships and data sharing policies. Furthermore, there are other similar systems like Persona [53] and Safebook [76], but they are built on the foundation of a com- pletely new online social network. PeerShare is different from these systems, as it improves usability both for end-users as well as for application developers by making use of popular online social network tools for the user authentication and distribution of data within a desired and already existing social context. System design. The system is composed of two main components, namely PeerShare Service and PeerShare Server. Figure 3.2 provides an illustration of the system overview. The PeerShare Service encapsulates PeerShare functionality on the mobile device. It is responsible for communicating with the PeerShare Server to man-

38 Privacy enhancements in opportunistic networks age the sharing of data on the device and exposing shared data to other appli- cations via the PeerShare API. The main part of the service is the bindings database that stores data and their bindings to identities in the social network, which are obtained from the server. Security of the database is ensured by the mobile platform security, while data items are bound to social identities via social network authentication. In addition, the service has application-level data access control which ensures that only an authorized application has the permission to modify/delete an existing data item. Shared data items can also contain additional metadata that enable providing more advanced data management functionality. Metadata allow specifying ciphersuites that describe a sequence of data transformations from its original form to the shared one. Furthermore, they also support marking if a data item is device-specific (i.e., bound to a particular device) or user-specific (i.e., boundto a particular user) and if it is public or private. Finally, metadata also contain the time from when the data item is valid from and its expiry time. The PeerShare API has three main methods. addData() is used for adding a new data item. It requires specifying a sharing policy for the data item, which is enforced by the server. If an application wants to modify a data item, it uses the updateDate() method. It allows changing the value of the data item, sharing policy, or data sensitivity requirements, which state if the data item is public or private. Finally, removeData() allows deleting the data item from the system. The PeerShare Server is the trusted entity responsible for secure storage of data in the master bindings database. It maintains bindings of every data item with a social identifier of a user (e.g., Facebook user ID) that has created it. Every request to the server must include a user access token which is validated by the server via the interaction with the social network server. The second important functionality of the server is enforcement of correct data distribution. To this end, for every valid request to create/modify a data item, the server queries the social network server to retrieve and store in the database the list of social identifiers belonging to the requested sharing policy. Threat model. Based on the system description above, we need to provide protection against man-in-the-middle attacks and unauthorized usage. Preven- tion of a man-in-the-middle attack requires appropriate communication channel protection. The threat of unauthorized usage motivates the authentication of the user, mobile applications, and servers, as well as user and application access control.

39 Privacy enhancements in opportunistic networks

Discussion. We present the system security analysis demonstrating that the system design addresses the threats described above. Furthermore, we discuss means of minimizing the need for users’ trust for the PeerShare Server.

1. Channel protection. The server and the service communicate over a secure (i.e., confidential and mutually authenticated) channel. The user is authenti- cated by means of the OAuth protocol, which is implemented using the native social network SDK (e.g., Facebook SDK). The PeerShare Server is authenticated via the TLS certificate. We use a form of “certificate pinning” by embedding the TLS certificate ofthe PeerShare server into the PeerShare Service. This protects against a rogue server from masquerading as the valid PeerShare Server even if the rogue server has obtained a certificate for its TLS key pair from a trusted CA. In case there are many instances of PeerShare Servers, standard certificate pinning can be used instead [87].

2. User and application authentication. User authentication is guaranteed via a user access token. In the beginning, the PeerShare Service asks the native social network SDK for an access token associated with the user. The ac- cess token is included in every message sent from the service to the PeerShare Server. The server, on receiving a message from the service, validates the token by checking whether it is generated by a valid social network application and whether the social identifier included in the message corresponds to the user identifier encoded in the token. The first check protects the server againsta malicious social network application trying to access/modify data in the server. The second check prevents malicious service users from modifying/deleting data that are not owned by them.

3. User access control. User access control must ensure that only authorized users can obtain data from the PeerShare Server, and only a user that has created a data item has the right to modify/delete it. The former is guaranteed by ensuring that data distribution follows requested sharing policy require- ments. This is enforced by the server that learns a data sharing policy from the PeerShare Service. To determine the set of users authorized to access the data item, the server queries the social network to learn the list of user identifiers associated with the requested sharing policy. The latter is achieved on the device side. If an application wants to modify/delete a data item, the service validates in the bindings database if the user associated with the application

40 Privacy enhancements in opportunistic networks

request owns the data item.

4. Application access control. Since multiple applications on the same mo- bile device can use the PeerShare Service, there is a threat that a malicious application using the system modifies/deletes a data item owned by another application. The PeerShare Service is protected against this threat by built-in application level access control. When an application creates a new data item to be distributed using PeerShare, the service infers a platform-specific identi- fier of a calling application. For some mobile operating systems, it is possibleto retrieve this identifier using the native system API. For example, in Android, the application identifier is a tuple of package name and application signature and it can be learnt using the Binder interface. For operating systems that do not provide a native system API to retrieve the calling application identi- fier, the application must explicitly specify its identifier and ensure thatthe identifier cannot be easily guessed by a malicious application. The identifier is appended to the new data item and stored in the database. For subsequent requests to modify/delete the data item, the service obtains the identifier of the calling application again and compares it with the identifier recorded during the data item creation.

5. Minimizing the need to trust PeerShare Server In our system design, there is a single PeerShare Server that stores all sensitive data. This requires all participants to trust its security, which may be difficult to achieve. To minimize the trust in the PeerShare Server, we propose two solutions:

• Use of trusted hardware. If the server host is equipped with a hardware security module (HSM) (e.g., Trusted Platform Module), the database on the server can be encrypted by a HSM-resident key. HSM decrypts data and gives it to a process only if the server host is correctly configured (i.e., running the correct version of the PeerShare Server code). In such a configuration, to get access to shared data, an attacker must subvert the server process in runtime.

• Application-specific PeerShare Server. Our system design allows host- ing the PeerShare Server for every application. This reduces the require- ment of system participants from trusting the single instance of the PeerShare server to trusting an application-specific instance of the server.

41 Privacy enhancements in opportunistic networks

To sum up, PeerShare is the system that allows for secure and privacy preserv- ing distribution of data. It exposes the API that can be easily used by different applications and provides different levels of security guarantees. The system is usable both for end-users and application developers, because it is built on top of existing and popular social network mechanisms for user authentication and provides the feature of distributing data within a selected OSN social group. Finally, in terms of its applicability in opportunistic networks, PeerShare does not require permanent Internet connectivity, so it is feasible to apply for data dis- tribution. The most obvious application of PeerShare in opportunistic networks is a public key distribution system, which can be used to ensure a valid binding between a device and the social network identity of its owner. Additionally, since PeerShare allows specifying the time range during which a data item is valid, it is simple to provide time-bound public keys. Key revocation, which can be caused, for example, if a private key is compromised, needs to be handled by explicit deletion of a corresponding public key from PeerShare.

3.2 Efficient and Privacy–Preserving Common Friend–Finder Protocols and Applications: Publication II

Motivation. There are many real-life situations in which users/applications must make access control decisions that involve other (potentially unknown) users. Sharing rides [19] and cabs [2] are very prominent examples of such use cases. Their potential have been evaluated by Cici et al. [70] who have shown that people are willing to share rides with friends of their friends. Other examples of such use-cases include constructing distributed computing plat- forms [140], online dating services [145, 27], tethering Internet access [143], and making routing decisions in anonymous communications [113, 138]. The existence of previously established social relationships is an important factor that can enhance trust between users and potentially guide an access control decision. For instance, an access control policy may state that only friends or friends-of-friends can connect to a user’s tethered Internet access point. How- ever, the process of discovering common friends available in many popular services harms the privacy of two users and their friends, because at least one party discloses identities of his or her friends, which may lead to revealing the identity of the user and even information about his or her lifestyle and social attitudes. Consequently, in this work we try to solve the following problem: how can a user find out if he or she has common friends with someone nearby ina privacy-preserving and efficient way?

42 Privacy enhancements in opportunistic networks

System requirements. Our system must fulfill requirements with respect to privacy, authenticity, and efficiency. In terms of privacy, only common friends can be revealed to users involved in the common friends discovery protocol. Furthermore, nearby users and third party application servers cannot learn anything about identities and social contacts of users running the protocol. In terms of authenticity, users cannot make false friendship claims. In terms of efficiency, we aim to minimize the number of expensive cryptographic operations and make it applicable in mobile use case scenarios. In addition, we require that our system must be secure in the honest-but- curious model; all involved parties follow the protocol honestly, but they try to find out as much as possible about the other party inputs. Current popular approach (trusted server). The most common approach is to use a trusted server. Many popular services like Foursquare [11] or Ten- cent [22] offer discovery of common friends using this method. This approach guarantees authenticity and efficiency, but since the server learns about user’s location, interest in another user, and frequency of their interactions, it does not preserve their privacy. Furthermore, it is also not well adapted for mobile environments where social interactions are constrained to physical proximity, thus severely limiting the feasibility of many application scenarios, as users may not always be able to connect to the Internet or ready to disclose their location or interests to the service provider. Secure discovery of common friends. The problem of securely discovering common friends can be solved using the Private Set Intersection (PSI) proto- cols [94]. In this approach, there are two parties (initiator and responder) with their own private sets at the beginning of the protocol run. At the end of running the protocol, the responder learns the intersection of both sets and the initiator does not learn anything. If a list of user’ s friends is considered a set, then PSI can be used to let users only learn the friends they share by obtaining the set intersection. This approach guarantees security in the honest-but-curious model. The computational complexity of PSI is linear in the size of the input sets, which makes it inapplicable for mobile environment usage. There is also a more stringent version of PSI called the Private Set Intersection Cardinality (PSI- CA) [79], which returns only the magnitude of the set intersection. If PSI is used naively for discovery of common friends, both users insert identifiers of their friends into input sets and run the protocol. The efficiency requirement is not met, since the computational complexity is linear. Further- more, users can include identities of arbitrary people in their input sets (i.e.,

43 Privacy enhancements in opportunistic networks claiming false friendships). Thus, the requirement of authenticity is also not fulfilled. Finally, since authenticity is not guaranteed, users can also learn about not-common friends, thus violating privacy requirement. The Authorized PSI [80, 81] variant enhances PSI by ensuring that inputs are authorized by a trusted (offline) authority. These enhancements guarantee authenticity and privacy, but they are not efficient. Bearer capabilities as a proof of friendship. Our approach is to use bearer capabilities [175] (a.k.a. sparse capabilities or bearer tokens). In this method, each user distributes a time-limited randomly generated capability to his or her friends over a secure channel. Possession of a capability is proof of an existing friendship. Thus, users can insert it into the PSI protocol, which outputs only their common and authentic friends. Bearer capabilities are high-entropy objects, generated from a large space that is impractical to enumerate. As a result, there is no need to apply the full security of standard PSI techniques which are designed to work with enumerable items like names or identifiers [94]. Based on these observations, we build Common Friends, a system for efficient and privacy-preserving discovery of common friends. Common Friends system description. Figure 3.3 illustrates the Common Friends system. It includes a server S, a set of OSN servers (e.g., Facebook, LinkedIn, etc.), and a set of mobile users who are members of these OSNs. S is implemented as a social network application that stores bearer capabilities uploaded by the users of Common Friends. It also allows Common Friends users to download bearer capabilities uploaded by that user’s friends in the OSNs. Common Friends includes three protocols:

• OSN user authentication which enables the OSN server to authenticate a user

U, provide U’s OSN identifier IDU to S, and U to authorize S to access infor- mation about U’s friends in the OSN. It is realized using standard mechanisms like OAuth.

• Common Friends capability distribution protocol, which is executed periodi- cally by every user.

• Common Friends discovery protocol, which is executed between two users when they want to find common friends.

44 Privacy enhancements in opportunistic networks

Server$S$ OSN$servers$ (1)$

(1)$ Internet$

(2)$

(2)$ (3)$ B$ U$

A$ Mobile$users$

Figure 3.3. Overview of the Common Friends architecture, involving three protocols: (1) OSN user authentication protocol, (2) Common Friends capability distribution protocol, (3) Common Friends discovery protocol. User U having authenticated to an OSN (1), uploads his or her bearer capability and downloads capabilities of her friends using the Common Friends capability distribution protocol (2). Users A and B run the Common Friends discovery protocol to learn about their common friends (3).

Our threat model assumes that system users are honest-but-curious. The OSN server is trusted to properly authenticate OSN users and not to attempt masquerading for another OSN user. S is trusted to distribute capabilities only to system users that are authorized to receive them. Devices of Common Friends users are assumed to run the legitimate version of Common Friends client, but they may try to learn as much information as possible about friends of other Common Friends users with whom they interact. Capability Distribution is realized via PeerShare, presented in Publica- tion I. Figure 3.4 illustrates it. In the beginning, user U generates a random capability cU and uploads it (over a secure channel) to the PeerShare server S, which stores it together with the social network user identifier IDU . In response, the server returns the list RU {(ID j,cj) ID j friends(IDU )}, which contains = | ∈ the identifiers and corresponding capabilities of every U’s friend. The protocol is run periodically to keep RU up-to-date. Please recall from Publication I that PeerShare guarantees secure and authentic distribution of data among social contacts, thus it ensures that U cannot claim false friendships. Common Friends Discovery is illustrated in Figure 3.5. It involves two users (I and R, initiator and responder respectively) who are members of the same social network. The protocol starts with I and R exchanging their public Diffie-

Hellman keys (i.e., PKI , and PKR). The resulting Diffie-Hellman shared key

KIR is used to protect the messages exchanged later in the protocol. To avoid a man-in-the-middle attack, the Diffie-Hellman channel is cryptographically bound to the PSI instance. In order to achieve this, I (R) creates the new set RI

(RR), by appending Diffie-Hellman public keys PKI , PKR to each capability in

45 Privacy enhancements in opportunistic networks

User U! Server S! Inputs:! Input:!

pwdU, CertS! SKS!

Establish a secure connection!

using CertS (server auth) and pwdU (user auth)!

160 cU ∈R {0,1}

cU!

Store (IDU, cU)! & # ((IDj,cj ) s.t. RU ← ' $ )(IDj ∈ friends(IDU )% RU!

Figure 3.4. Capability distribution protocol. User U, having authenticated, uploads a bearer capability cU to the server S, which stores it. In response, S sends RU which is the list of social identifiers and capabilities belonging to every U’s friend.

RI (RR). The resulting sets:

RI {(c j PKI PKR) (ID j, c j) RI)}, and = || || | ∈ RR {(ck PKI PKR) (IDk, ck) RR)} = || || | ∈ are inserted into the PSI protocol executed next. At the end of the PSI protocol, R learns of common friends he or she shares with I. The traditional PSI protocol incurs O(m n) computational and communication + complexities, where m and n are sizes of set held by R and I respectively. The computational complexity is dominated by O(m n) modular exponentiations, + which are required because the protocol input is assumed to contain enumerable items. The communication complexity involves the transferring of 2n group ele- ments and m outputs of a cryptographic hash function. In terms of computation time on mobile devices, this results in the protocol execution time in the order of tens of seconds for input sizes above 200 items, whereas mobile users expect to see results within the couple of seconds at most. Because of these complexities, the system is not efficient to operate in the mobile environment. Bloom Filter based PSI (BFPSI). Recall from above that bearer capabili- ties are high-entropy objects, which are impractical to enumerate. Thus, tradi- tional PSI protocols with sophisticated cryptographic techniques do not provide additional security, and it is possible to apply more efficient set intersection algorithms with the same security properties.

46 Privacy enhancements in opportunistic networks

Initiator I Responder R Inputs: Inputs: SKI,PKI,RI SKR,PKR,RR

SKI, PKI SKR, PKR

DH-KeyExchange

PKR, KIR PKI, KIR

%' c PK PK %# %' c PK PK %# ( j I R ) ( k I R ) RI ← ( $ RR ← ( $ )%s.t. (IDj,cj ) ∈ RI &% )%s.t. (IDk,ck ) ∈ RR &%

RI RR

PSI

RR ∩ RI

Figure 3.5. Friend finding protocol. Users I and R begin with exchanging their Diffie-Hellman public keys (PKI , and PKR). After that they create new input sets (RI and (RR) by appending public keys to every item in their respective RI and RR sets. Finally, they input RI and (RR) to a PSI protocol. At the end of the protocol run, R learns about mutual friends she has with I.

The most intuitive approach for private set intersection is to ask both parties to hash each item in their respective sets (using a cryptographic hash function) and exchange them. Because hash is a one-way function, parties can only learn the set intersection by matching the received hashes with hashes computed over their own set items. This approach is only secure if set items are high entropy objects like bearer capabilities. Moreover, it removes the need for public key cryptographic operations, making it O(1) in terms of computational complexity. The communication complexity can be optimized using compression techniques like the Bloom filter [62]. Figure 3.6 illustrates the Bloom Filter based PSI (BFPSI) protocol. It works as a replacement for traditional PSI protocol within Common Friends discovery protocol. The beginning of the protocol is identical to the Common Friends protocol with traditional PSI, i.e., Diffie-Hellman key exchange and construction of RI,RR sets. After that, I inserts every element of RI into a Bloom filter BFI and sends it to R. R discovers the set of potential common friends X ′ by testing

47 Privacy enhancements in opportunistic networks

Initiator I Responder R Inputs: Inputs: SKI,PKI,RI SKR,PKR,RR

SKI, PKI SKR, PKR

DH-KeyExchange

PKR, KIR PKI, KIR

' # %' c PK PK %# % cj PKI PKR % ( k I R ) R ← (( ) $ RR ← ( $ I %s.t. (ID ,c ) ∈ R % )%s.t. (IDj,cj ) ∈ RI &% ) k k R &

∀rj ∈ RI : BFI .insert(rj ) BFI 'r ∈ R s.t. $ X! ← ( R % )BFI .contains(r)& 160 ckey ∈R {0,1} 160 rrand ∈R {0,1} MAC(ckey, x) cset ← ckey,rrand,cset {s.t. x ∈ X ' } 160 irand ∈R {0,1} rkey ← KDF(irand,rrand) (KDF(rkey,r) $ & & rset ← )∀r ∈ RI s.t. % &MAC(ckey,r) ∈ cset& * ' rset,irand rkey ← KDF(irand,rrand) %r, ∀r ∈ X$ s.t. X ← & 'MAC(rkey,r) ∈ rset}

Figure 3.6. Diagram of Common Friends discovery protocol with Bloom Filter based PSI (BFPSI) protocol. In comparison to the friend finding protocol, “classic” PSI protocol is

replaced by I sending to R Bloom filter BFI . R on receiving it, tests presence of every item of his or her input set in BFI . Since Bloom filter may introduce false positive, the challenge-response protocol is executed in which I must prove possession of capabilities detected to be contained in BFI .

the presence of every element of RR in BFI . The protocol is not completed at this stage, as the Bloom filter may introduce false positive results. Thus, itisnot suitable for making access control decisions. To solve this problem, we introduce a simple challenge-response protocol, in which R asks I to prove possession of capabilities that constitute the set X. It works as follows:

1. R constructs a challenge set cset which includes keyed-hash message authen-

tication code (HMAC)s computed for each item in X ′ using a freshly generated key ckey.

2. R sends cset, ckey, and a random coin rrand

48 Privacy enhancements in opportunistic networks

3. I constructs HMACs of its own Ri using the ckey as the key and checks their presence in cset

4. For each of these elements, I computes HMAC with the rkey as the key. rkey is obtained using a key derivation function with its own random coin irand and rrand.

5. I sends rset and irand to R

6. R computes rkey, constructs a HMAC for every element of X  using rkey, and checks if the resulting HMAC is present in rset. If it is, then the element is added to X

BFPSI security analysis. Authenticity of claimed friendships in the honest- but-curious model is guaranteed by proper distribution of bearer capabilities. If we want to go beyond the honest-but-curious model and protect scenarios in which users behave in a malicious way by sharing their capabilities with unauthorized users, it is very simple to replace the challenge-response protocol with “friendship certificates" (i.e., signatures issued on public keys of one’s friends). Such certificates can be distributed using PeerShare in the similar way as bearer capabilities are. If “friendship certificates” are applied, at the end of the friend finding protocol interaction, when R determines the X  set, it can ask I to confirm that it possesses a valid certificate for every item contained in X . However, we believe that the honest-but-curious model very well represents the mobile environment, as mobile platform security mechanisms make it difficult for users to easily extract data from their mobile devices (e.g., application specific storage). The security of the BFPSI protocol in the honest-but-curious model is reduced to the privacy-preserving computation of the set intersection. In other words, privacy results from the security of the PSI protocol that Common Friends ser- vice uses to compute the intersection of capabilities to discover common friends. The security of the PSI protocol is guaranteed because input items are taken randomly from a large space. Although security of the protocol is not comparable with traditional PSI protocols, we demonstrate that BFPSI construction does not reveal anything except for the intended output. Publication II includes the cryptographic proof of the BFPSI privacy.

49 Privacy enhancements in opportunistic networks

  
  














   

 























 


Figure 3.7. Comparison of BFPSI and PSI-CA protocol performance. We observe linear increase of execution time of both protocols, however, rate of increase is much lower for BFPSI. Execution time for sets of friends containing 500 contacts is well below 5 seconds for BFPSI.

BFPSI performance results. To prove the efficiency of BFPSI, we have done an empirical evaluation of the performance of the Common Friends service when using PSI-CA [50] and BFPSI. Our analysis includes the computational, communication, and energy consumption costs involved in the protocol. Our testing environment included a Samsung Galaxy Nexus smartphone running Android 4.2 API 17 and a Samsung Galaxy Tablet GT-P3100 running Android 4.1.2 API 16, which were connected by Bluetooth. We ran experiments over 30 times. We also made assumptions that both parties have the same number of friends which are varied in the range {100,200,300,400,500}, and the number of common friends is always 10% of the set size. As expected, Figure 3.7 shows a linear increase of the average execution time for both protocols; however, rates of increase are different. With a 5-fold increase in the set size, computation time for PSI-CA increases by several seconds, while BFPSI increases by less than half a second. In the paper, we also show that the total number of bytes exchanged is higher for PSI-CA by a factor of almost 6 in comparison to BFPSI, and power consumption by BFPSI is about three times smaller than for PSI-CA. To sum up, BFPSI clearly outperforms traditional PSI protocols like PSI- CA. It requires fewer computations (constant number of public-key operations), lower bandwidth, and power consumption. As a result, BFPSI can be used in Common Friends offering a solution feasible in the mobile environment (i.e., short execution time, low battery consumption) and opportunistic environments (i.e., lack of dependence on Internet connectivity). The Common Friends service can be used in variety of applications in opportunistic networks from access

50 Privacy enhancements in opportunistic networks control mechanisms to cues for routing services. As the example of service in the opportunistic network, we have integrated the Common Friends service into SpotShare [143] and use it as automated access control mechanism that allows users to connect to a password protected hotspot if he or she has at least one common friend with the hotspot owner.

3.3 Scalable Privacy-Preserving Estimation of Social Path Length: Publication III

Motivation. In Publication II we developed Common Friends, an efficient system for discovering common friends. As follow-up work, we have built Social PaL, a service that provides the ability to learn the social path length between two online social network users. We define social path length as the minimum number of hops in the social graph between two users. We argue that, similarly to Common Friends, such a mechanism is useful in many real-life scenarios. Discovering the social path length between users is useful in many opportunistic scenarios as well. As a potential use case, we see estimating the familiarity of a location, which can be used for context-based security [137] or routing in opportunistic networks [77]. Popular OSNs (e.g., LinkedIn) let the user find out the social path length to another user. However, these solutions suffer from the identical problems as discovery of common friends. They require users to have connectivity to the OSN server and do not preserve user privacy. Thus, there is a need for a decentralized and privacy-preserving service for the social path length estimation, in which users only learn if they have common friends (without revealing the identities of friends they do not share) and discover the length of the social paths between them (if they are more than two hops away), without learning which users are in the path. Common Friends limitations. This work is built on top of Common Friends presented in Publication II. Common Friends has two major limitations:

1. Service bootstrapping: Users A and B are able to discover their common friend C, only if C has started using the service and has uploaded her capability. Thus, Common Friends discovers only the subset of A’s and B’s common friends until all of them join the service.

2. Longer social paths: Common Friends allows users to learn if two users are friends or have any common friends. If two users have a longer social path

51 Privacy enhancements in opportunistic networks

Figure 3.8. Coverage of Common Friends with 40% of users using the service. Black (resp., white) nodes denote users (resp., non-users) of the system. Purple/solid edges denote a direct friendship discoverable by Common Friends, while dashed lines denote existing friendships that Common Friends cannot discover.

between them, Common Friends cannot detect it.

The problem of Common Friends bootstrapping is illustrated in Figure 3.8. In this simple social network, there are 27 nodes (i.e., users) and 34 edges (i.e., friendship relationships). Black dots represent Common Friends users, while white dots represent social network members that do not use Common Friends. Purple/solid edges are direct friend relationships (i.e., social paths of length 1) that are discoverable by Common Friends. With only 40% of all OSN members using Common Friends, only 7 out of 34 direct friendship relationships are discoverable (i.e., coverage of friendship discoverability is about 20%). Social PaL system requirements. On top of the system requirements of Common Friends, we define additional requirements to overcome Common Friends limitations. In the ideal scenario, any two users should be able to discover the exact length of the social path between them, even if only a fraction of OSN users are Social PaL users. To evaluate how well Social PaL meets this requirement, we use a measure of the likelihood that any two users would discover an existing social path of a given length between them and call it service coverage. We define two system functional requirements:

1. Correctness: Users A and B can detect the exact length of a social path between them if it exists.

2. Coverage Maximization: System should maximize coverage.

52 Privacy enhancements in opportunistic networks

We also define the following privacy requirements. If A and B are two users that want to discover the length of the social path between them:

1. A and B discover the set of their common friends and learn nothing about their non-mutual friends.

2. A and B do learn any additional information except for what is already available via existing OSN interfaces.

In practice, this means that Social PaL should allow two users to discover the social path length between them (if it exists) without revealing identities of users on the path. If a path between users is of length two (i.e., they have common friends), they should learn identities of the common friends and nothing else. In addition, any external party should not learn any information about users’ friends by using a secure communication channel. The threat model is assumed to be identical to the Common Friends threat model. Bootstrapping Social PaL. To overcome the problem of service bootstrap- ping, we have introduced ersatz nodes1. Recall from Publication II that in the capability distribution protocol, the server S stores bearer capability cU uploaded by a user U, together with the user’s social network identifier IDU . The pair

(IDU ,cU)isU’s user node in the social graph, which is maintained by S. The set of U’s friends F(IDU ) is the set of edges incident with the user node. In Social PaL, S creates an ersatz node for all users who have not joined the system, but who are direct friends with a user who has uploaded a bearer capability. Figure 3.9 shows how coverage increases with the addition of ersatz nodes. With only 40% of users joining the system, coverage is increased from 20% friendship discoverability to 75%. Addition of ersatz nodes requires changes in the capability distribution protocol presented in Publication II. The changes are highlighted in the blue shaded box in Figure 3.10. S having stored (IDU ,cU), computes MU = {IDE : ¬∃(IDE,cE)}, the set of social network identifiers IDE of friends of U that have not uploaded their capabilities. After that ∀IDE ∈ MU , S creates an ersatz node by:

l 1. Creating and storing an ersatz capability cE ∈R {0,1} (where l is the length of a capability) for E

1The word ersatz is originally from German and means “substitute”

53 Privacy enhancements in opportunistic networks

Figure 3.9. Coverage of Social PaL with 40% of users using the service and with the addition of ersatz nodes. Black (resp. white) nodes denote users (resp. non-users) of the service. Ersatz nodes are marked in grey. Purple/solid edges here denote a direct friendship discoverable by Social PaL, whereas dashed edges denote relationships that cannot be discovered.

2. Creating F(IDE), a set of friends of E, which in the beginning contains only

IDU

Finally, S returns RU which contains capabilities of all friends of U including capabilities of ersatz nodes. Discovering social path length with Social PaL. In Publication II, we have used the fact of possessing bearer capabilities as a proof of friendship. In Social PaL, we extend the capability distribution to include relationships beyond direct friendship (e.g., friend-of-a-friend) and use capability matching to calculate the social path length. By taking advantage of cryptographic hash functions, we generate and distribute capabilities of higher order that can be used as proof of social path existence between two users. To explain Social PaL capability distribution, we introduce the following notation:

• The hash chain hi(x) of item x (of length i) is the evaluation of a cryptographic hash function h(·) performed i times on x. When i = 0, h(x) = x. Specifically: ⎧ ⎫ ⎪ ··· ≥ ⎪ ⎨ h(h(···(h (x)) )) i 1 ⎬ i = h (x) ⎪ i times ⎪ ⎩⎪ ⎭⎪ xi= 0

k k = k • cj is a capability of k-th order and is defined as cj h (cj)

k • F (IDU ), k ≥ 1 denotes the set of social contacts that are k-hops from user U.

54 Privacy enhancements in opportunistic networks

User U Server S Inputs: Input:

pwdU, CertS SKS

Establish a secure connection

ususinging CerttS (server(server auth)auth) and pwdU (user auth) c {0,1}l U ∈R cU

Store (IDU,cU)

∀IDE ∈ friends(IDU ) s.t. ¬∃()IDE,cE

Generateand Store() IDE,cE

⎧ ⎫ ⎪()IDj,cj s.t. ⎪ RU ← ⎨ ⎬ ⎩⎪IDj ∈ friends(IDU ),⎭⎪ RU

Figure 3.10. Capability distribution protocol with ersatz nodes added. The highlighted part is

the additional functionality for ersatz nodes. For every social identifier IDE that is not stored on the server S, S generates a capability cE, assigns to IDE and stores it.

Figure 3.11 illustrates changes to the capability distribution protocol needed to support the discovery of social paths of length greater than 2. U and S act identically until creation of missing ersatz nodes. After that, S returns the h set of capabilities RU as before. However, it also returns RU, the set of higher order capabilities that are provided to U by other OSN members that are at h = least 2 hops away from U. RU consists of subsets Ci, i 2,...,n, where each subset Ci consists of a sequence of pairs in the form of i −1 and capability of i −1 i order provided by users in F (IDU ). Thus, identifiers of capabilities’ owners are removed. Formally:

h = n RU i=2 Ci,and

= − i−1 ∃ ∧ ∈ i Ci {(i 1, c j ): (IDj,cj) IDj F (IDU )}

h Having received RU and RU from S, U generates missing higher order capabil- i − ities. To this end, for every received capability cj of degree i, U hashes it n i times to generate a sequence of respective higher order capabilities:

+ i+1 n ((i 1,cj ),...,(n,cj ))

d All of these sequences compose the set of derived higher order capabilities RU. The Social PaL discovery protocol is illustrated in Figure 3.12. It involves two users, A and B, who are members of the same OSN. In the beginning, it follows the same logic as the Common Friends discovery protocol with BFPSI.

55 Privacy enhancements in opportunistic networks

User U Server S Inputs: Input:

pwdU, CertS SKS EstablishE a secure connectionn

using CerttS (server auth)auth) and pwdU (user auth) c {0,1}l U ∈R cU

Store (cU,IDU) ersatznodescreation 1 RU ← {}()IDj,cj :IDj ∈ F ()IDU ⎧ n ⎫ C ⎪∪ i ⎪ i=2 h ⎪ ⎪ RU ← ⎨ ⎧ i−1 ⎫⎬ ⎪()i −1, cj : ⎪ ⎪C = ⎨ ⎬⎪ ⎪ i i ⎪ h ⎪∃ IDj,cj ∧IDj ∈ F (IDU )⎪ RU, RU ⎩ ⎩ () ⎭⎭

Figure 3.11. Social PaL ’s capability distribution protocol. The highlighted part is the addition to the original Common Friends capability distribution protocol. In addition to h RU, server S returns also the set of higher order capabilities RU, which contains capabilities OSN members that are at least 2-hops away from U.

h d The only difference is that capabilities from all three sets (i.e., RU, RU and RU) are used to build respective input sets IA and IB. At the end of running the BFPSI discovery protocol, both parties learn the intersection of their input sets X. After that, both users execute identical computations locally (i.e., without any exchange of data) in order to calculate the social path length between them. This process involves two phases. In the first phase, the social path length input set L is calculated. This set contains the lengths of all discovered paths between A and B. In the second phase, the shortest social path length (denoted as Dist(A,B)) among all path lengths in L is returned. A (B) builds set L by performing following actions on each item x ∈ X:

i ∃ ∗ i ∈ ∧ k i = 1. Finding a capability cj such that ( ,cj) Ix h (cj) x

2. Calculating path length lx via matching capability x (which was obtained from some user, say C) and inserting it into L:

= + + + + = + + lx (i1) (i k 1) 2i k 2 Dist(A,C) Dist(C,B)

L.insert(lx)

56 Privacy enhancements in opportunistic networks

User A
User B
Inputs:
Inputs:

SKA,PKA,IA
SKB,PKB,IB
SKA, PKA
SKB, PKB

DH-KeyExchange

PKB, KAB
PKA, KAB
⎧ c PK PK s.t.⎫ ⎧ c PK PK ⎫ ⎪( j A B ) ⎪ ⎪( j A B )⎪ IA ← ⎨ ⎬ IB ← ⎨ ⎬ ,c I ⎩⎪ ()∗ j ∈ A ⎭⎪ ⎩⎪s.t. (∗,cj ) ∈ IB ⎭⎪

IA IB

BloomBl filter based PSISI

False positives removal

X X ∀x ∈ X : ∀x ∈ X : ,ci I hk ci x i k i ∃∗()j ∈ ∧ ()j = ∃∗(),cj ∈ I ∧h ()cj = x

lx = 2i + k + 2 lx = 2i + k + 2

L.insert(lx ) L.insert(lx )

Dist(A, B) = min L Dist(B, A) = min L lx ∈L lx ∈L

Figure 3.12. Illustration of Social PaL discovery protocol. The updated part is marked in grey

background. Both users A and B build their respective BFPSI input sets IA and IB using bearer capabilities and also higher order capabilities. After learning intersection of their input sets X, they compute locally to find out the social path length between them. This process involves two phases: calculation of lengths of all existing social paths and selection of the shortest of them.

Finally, A and B learn the social path length Dist between them by finding the lowest value contained in L:

Dist(A,B) = Dist(B,A) = minL lx∈L

If Dist(A,B) ≤ 2, then A and B have common friends between them. Thus, Social PaL returns identifiers of all of these common friends as in the original Common Friends service. Although it is possible for Social PaL to reveal the first hop identifiers for Dist> 2, Social PaL does not do it due to the privacy requirements described above. Social PaL privacy requirements analysis. The privacy analysis of Social PaL concerns three aspects: social path length discovery, trust in server S, and

57 Privacy enhancements in opportunistic networks authenticity of capabilities. Social PaL discovery protocol in the interactive part, where users A and B exchange data, mirrors the Common Friends discovery protocol. Thus, privacy of computing set intersection is guaranteed by the security of the underlying BFPSI protocol. If at the completion of Social PaL discovery protocol, A and B are friends with each other (or have common friends), they learn about the existence of a social path of length 1 (or 2) between them and the identities of their common friends and nothing else. If an adversary could learn about the identities of non-mutual friends, we would be able to build an adversary breaking the BFPSI discovery protocol. In a similar way, if there is no social path between A and B, the BFPSI intersection does not reveal any information. If there is a social path between A and B which is longer than 2, then the matching capabilities belong to users from whom the server S has removed their identities. Thus, A and B do not learn the identities of users building a social path between them, but rather only how many such paths exist. Every user U of Social PaL authorizes the service to get the set of U’s friends

F(IDU ). This information is stored in the server S, which uses it to maintain, distribute, and, in the case of ersatz nodes, create capabilities in order to guar- antee the authenticity of friendships. Therefore, S learns over time about the social graph of Social PaL users. On the other hand, what S learns is just a small subset of what OSN already knows, and neither S nor OSN learns any additional information, unlike in a centralized solution, where the locations of users and interactions between them are revealed to OSN. In Common Friends, we assumed that service users run the legitimate version of the client application, because modern mobile platforms provide application- private storage. As the same assumption holds also for Social PaL, it is logical to conclude that an adversary on a client device cannot steal the capabilities legitimately downloaded on the device. Social PaL functional requirements analysis. The requirement of cor- rectness is fulfilled by the following mathematical theorem ( Publication III contains proof of theorem):

Let there be a path X = {xi}, i ∈ {0,...,d}, d ≥ 0 between A and B in the social graph. If path X is discovered by the Social PaL discovery protocol, then both A and B can estimate the exact length d + 2 of path X.

We have evaluated how well Social PaL fulfills the requirement of cover- age maximization by measuring how Social PaL coverage scores for various fractions of OSN users joining the service.

58 Privacy enhancements in opportunistic networks

We performed our evaluation using three publicly available Facebook datasets created by Gjoka et al. [98, 99]. This dissertation presents only results of the BFS dataset, while the results for the other two datasets are described in Publication III. The BFS dataset is constructed using Breadth First Search (BFS) using 28 independent BFS traversals. It contains the friend list of 2.2 million users. We call this the set of sampled users. Each of these users has 310 friends on average, which includes both other sampled users and those who were part of the original dataset but that were not sampled – we call them outside users. The number of outside users is 93.8 million, whereas the average number of connections between sampled users is 53 (i.e., users are highly connected). Thus, the BFS dataset can be used to measure Social PaL coverage among well connected users. We used the following simulation procedure to evaluate Social PaL coverage. First, we randomly chose a subset of sampled users, which we name the test set; it represents the fraction of OSN users that are Social PaL users as well. Secondly, for a given social path length n ∈ {2,3,4}, we randomly picked 50,000 pairs of users from the test set, making sure that at least a single path of length n between them exists. Finally, we computed the fraction of pairs for which Social PaL discovers an existing path between them (i.e., coverage). In order to measure the effectiveness of ersatz nodes, we ran these simulations separately for Social PaL with ersatz nodes and without them. Each simulation was repeated 10 times. Figure 3.13 shows the coverage results for the BFS dataset. It is clearly visible that the addition of ersatz nodes massively improves coverage. Without ersatz nodes, coverage increases linearly as more users join Social PaL, but in general the coverage number is low. With 80% of OSN users running Social PaL, only about 40% of social paths of length 2 are discovered, whereas social paths of length 3 and 4 are discovered in less than 30% of cases. However, by addition of ersatz nodes, all social paths of length 2 are discovered, as theoretically predicted. Furthermore, with only 20% of OSN users, coverage exceeds 40% for social paths of length 3 and 4 and it exceeds 80% for 80% of OSN users. Finally, we have also noticed that coverage with ersatz nodes for social paths of length 4 is higher than for social paths of length 3, whereas without ersatz nodes it is the other way round. We have no explanation for this phenomenon.

59 Privacy enhancements in opportunistic networks





 &$ '
#(
) &$ '
#(
)
 &$ '
#(
) &$ '
#$
)
 &$ '
#$
) &$ '
#$
)






 
 
 














 

! "
#$
%


Figure 3.13. Social PaL coverage for the BFS dataset. Coverage without ersatz nodes is marked in red, while with ersatz nodes in black. Coverage of 2-hop paths is marked with triangles, 3-hop paths with crosses, while 4-hop paths with squares. It is clearly visible that addition of ersatz nodes massively improves Social PaL coverage results.

3.4 Summary

This chapter of the thesis describes results related to privacy enhancing tech- niques. Publication I describes PeerShare, a system for secure sharing of arbi- trary data among OSN social contacts. The system is designed to operate in offline environments. Thus, it can be applied in the context of opportunistic networks, with the most obvious use case being for distribution of public keys. In our work, we use it for bearer capabilities distribution in Publication II and Pub- lication III, and it can be also used for distribution of “friendship certificates” if there is a need for higher security guarantees of the BFPSI protocol. Thus, it is a building block for providing other services. Publication II and Publication III present protocols for discovering com- mon friends and computing the social path length between two strangers in a privacy-preserving manner. The novelty of these protocols stems from replacing enumerable user identifiers with bearer capabilities as protocol inputs. This allows us to replace “classic” PSI protocols that are not efficient with the BFPSI protocol, which is based on the Bloom filter. Massive performance gains and independence of Internet connectivity make these protocols usable in mobile and opportunistic network environments. In our demo paper [143], we present two applications that use these protocols. SpotShare allows a nearby person to securely access tethered Internet connec- tivity if the person has at least one common friend with you. nearbyPeople

60 Privacy enhancements in opportunistic networks allows a user to discover common friends/social path length in OSN among his or her physical neighbors without revealing his or her identity. The applications described above demonstrate the usability of Common Friends and Social PaL to deliver an end-user service on top of them. However, they can also be used as tools for building fundamental communication mechanisms in the opportunistic network. We envision that, due to their efficiency, Common Friends and Social PaL may find application in node topology control, social- based routing, or trust establishment. Furthermore, the last part of the BFPSI protocol is a simple challenge-response interaction which takes a substantial amount of the whole protocol execution time. In our work, we concentrate on ap- plying BFPSI for making access control decisions. Therefore we must eliminate possible false positive results returned by the Bloom filter. However, the protocol performance can be further improved by eliminating the challenge-response part if there is such a need at the cost of accepting false positives with low enough probability. A potential example of such a use case is an application of the BFPSI protocol for making forwarding decisions in multi copy routing protocols. Finally, it is also important to notice that Common Friends-like services can be used for privacy-preserving matching of any social attribute among users in OSN. For instance, one can build a service that uses BFPSI protocol to discover common user interests, membership in common groups, etc. The only problem that needs to be addressed for such use cases is the authenticity of inputs. In the case of Common Friends, the fact of friendship is confirmed by OSN server authority. However, for other potential use cases the authenticity mechanism must be built by a particular service provider. This chapter concludes privacy enhancements covered in this thesis. In the next chapter, we will discuss the application of web technology in opportunistic networks.

61 Privacy enhancements in opportunistic networks

62 4. Web technology in opportunistic networks

The current Internet ecosystem is very centralized, with heavy dependence on cloud services, which may create serious issues described in Chapter 1, i.e., data ownership and security, reliable cloud access, suboptimal data routing, and service lock-in situations. This makes it challenging to build and operate some services, and in some scenarios it even prevents services from being built at all (e.g., real-time video communication in Africa). This motivates the creation of a more decentralized Internet architecture. To this end, we turn to community networks (described in Chapter 1), which are built on top of opportunistic networks. Despite holding a promise to solve connectivity problems, deployment of oppor- tunistic networks is marginal, as described in sections 2.4 and 2.5. As a result, there is a very low usage of opportunistic applications among people, which makes message delivery times infeasible from the service usability perspective. In this chapter, we aim to contribute to the second question of the research problem that we stated in Chapter 1: How can we increase people’s engage- ment in opportunistic networks? We believe that there are two fundamental barriers that may prevent people from engaging in opportunistic applications:

1. Need for constantly running opportunistic software on a mobile de- vice. Reliable discovery of contacts requires constant running of opportunis- tic services in the device background. However, there are mobile operating systems (e.g., iOS) that do not allow running such services for third party applications, which practically excludes users of such operating systems. Fur- thermore, users of devices that allow running such services may be hesitant to do it, as increased CPU usage has a negative impact on device battery and may also affect overall user experience.

63 Web technology in opportunistic networks

2. Incentive and trust for installing and running opportunistic appli- cations. Installing an opportunistic application is a prerequisite for using it. Since the application author is often unknown and the user may not be convinced that he or she has enough incentive to use the application, some users may choose not to install the application at all 1.

Based on the above observations, we aim to remove these barriers by providing access to opportunistic services using web technology. As web technology is ubiquitous, and provided that it can be used for message routing, it should allow an increase in the number of devices in the system, which should effectively improve message delivery times and overall usability of opportunistic services. Furthermore, since there is no need to install anything on the device in order to use a web application, the second barrier is also removed. Finally, since web development constitutes a fairly large fraction of the whole application market, we believe that by bringing web technology to opportunistic networks, we can facilitate the development process for opportunistic applications, which can help to finally create a market for such applications. We begin addressing this question in Publication IV by doing a feasibility study of introducing web technology into opportunistic networks. Since device- to-device communication by means of web technology is not possible, we design and implement the system with support for an infrastructure network. We use this system to explore ways of engaging devices that have not (yet) installed any opportunistic software to use them as (limited) message carriers in order to improve connectivity. Finally, we report on improvements in message delivery gained from our solution. In Publication V, we extend our work from Publication IV by presenting the design and implementation of a generic framework that enables the deployment of modern web applications in an opportunistic network. We begin by designing a system model that enables seamless integration of the system presented in Publication IV with the framework. After that, we propose a conceptual model of an arbitrary web application in an opportunistic network which is based on the Model-View-Controller (MVC) paradigm and build a framework for handling web requests accordingly. Finally, we validate the feasibility of the concept by implementing the web versions of Here & Now and People Finder applications.

1As part of the MOSES project, we ran trial deployments of Here & Now during Expo 2015 in Milano and 2015 Internet Festival in Pisa. During these events, we also gathered feedback from participants about their user experience and incentive for application usage.

64 Web technology in opportunistic networks

4.1 Enhancing Opportunistic Networks with Legacy Nodes: Publication IV

Motivation. Recall from Section 2.4 that opportunistic applications must fulfill very specific requirements. Devices running opportunistic applications do not connect via the Internet to backend services; rather, they that require nearby nodes establish a network and run distributed applications locally. We can say that Metcalfe’s law seems to be even more applicable in the opportunistic network, as nodes act not only as application peers to interact with, but also as the communication infrastructure. However, there seems to be little incentive for a user to install and continuously run an opportunistic application. When the user installs the application, there is usually neither content nor other users nearby to interact with unless he or she installs the application while in a group of people. However, even in such a case, data exchange stops once the group breaks up, as message carriers are gone. To address these problems, we argue that opening content stored in an oppor- tunistic network to users who do not or cannot install opportunistic network software on their devices may generate more interest in their participation. We define these devices as legacy nodes. In addition, with legacy nodes involved in opportunistic networks, we see an opportunity to use them as message carriers to effectively improve the routing performance of opportunistic networks. System model. Our system model, which is illustrated in Figure 4.1, consists of three types of nodes: opportunistic nodes that run the opportunistic routing software, legacy nodes that do not run it, and opportunistic network access points. Opportunistic nodes are able to create communication channels (thin red lines in Figure 4.1) with other opportunistic nodes and access points, but they cannot communicate directly with legacy nodes. Legacy nodes can communicate only with access points. Our system model assumes that access points are sparsely distributed, stationary and that messages between them are exchanged using both opportunistic and legacy nodes. We use Liberouter as our building block. Recall from Section 2.5 that Liberouter provides a simple web portal which is used as the app store. We extend the web portal functionality to provide users that have modern web browsers with access to content stored in the Liberouter. Furthermore, we use the web interface to exchange messages between Liberouter and web storage available on the legacy device as a means of message forwarding. Extending Liberouter with web operations. The web-based extensions for the Liberouter are illustrated in Figure 4.2. We take advantage of the fact

65 Web technology in opportunistic networks






  

 





Figure 4.1. System model: there are likely more legacy nodes than opportunistic ones. Red lines indicate communication links. The dashed arrows show sample node movement, which yields a virtual “backbone” link via node movement between two access points indicated with solid grey arrow. We can increase overall capacity of the opportunistic network by taking advantage of mobility of legacy nodes to carry messages between access points.

that Liberouter stores messages in the file system and build mechanisms to provide access to them over the web interface. The web interface consists of two paths. The first path enables message forwarding by exchanging them between browser storage and Liberouter. The second path enables accessing content stored in the Liberouter and uploading new content. We provide message forwarding functionality using two mechanisms, namely HTTP cookies [57] and JavaScript Web Storage [24]. We use HTTP cookies to store small messages. Since the majority of browsers limit cookie storage size to a couple of kilobytes, we have done a feasibility study on using cookies for message forwarding and have concluded that it is sufficient to carry a number of short messages (e.g., Twimight tweets [108]). As a cookie name, we use the SHA-1 hash of a message with the “lrbp-” prefix. We assign the base64 encoding of the complete message as the cookie value and set the cookie expiry time to the message’s Time-to-Live (TTL). Finally, we set the scope of the cookie to the “liberouter” domain. Since all Liberouter instances advertize the same domain in their web portal, the cookies collected from one Liberouter instance can be offered to another. Our cookie exchange protocol is an Epidemic-like routing protocol. When a legacy node connects to the Liberouter, it offers all of its stored cookies. The cookie interface on the Liberouter calculates SHA-1 hashes, which constitute cookie names, for all small messages that it stores and determines the difference set between the locally stored cookies and the offered cookies. After that, the

66 Web technology in opportunistic networks

 
# 
  
# 
 

 

(
 
 
%
!$
 
   # !
%
 
(
 
(

$
)+
!$
 *
 ) *

!$
 
!
$  '

)$ *

# 

!$



%
 

 


Figure 4.2. Web-based extensions to Liberouter. When the legacy device with a modern web browser connects the Liberouter, it exchanges HTTP cookies and content of local storage with Liberouter over the message forwarding interface. The user of the device can see what is stored in the Liberouter storage and upload also new content using the content interface.

Liberouter stores the new messages that are offered by the legacy node and selects the set of cookies that are returned to the legacy node for storage. The Liberouter randomly mixes the offered cookies with its own cookies to ensure that messages carried further by the legacy node are not biased towards the Liberouter’s own content. For storing larger messages, we use JavaScript Web Storage. The mechanism of message exchange is almost identical to the cookie mechanism. The only differences are that messages are exchanged using AJAX requests instead of HTTP headers and messages are stored in the browser’s local storage. The above mechanisms increase the available network capacity, but they do not offer an incentive for the device owner to use them. Therefore, as a proof-of- concept we have developed a simple content interface module that gives read access to the content stored on the Liberouter and write access to generate their own content. The basic concept of this mechanism is to carry small scripts as message metadata that are used to generate HTML code based on other message metadata that can be rendered by the web portal. The write access is provided by a web form that allows users to upload data to the Liberouter, which turns them into a new message. Publication V presents a generic extension of this system that allows generating and accessing any content over the web interface.

67 Web technology in opportunistic networks

Concept validation. We validate system performance using the ONE simu- lator [119]. Our simulation scenarios include three mobility models, namely Ran- dom Waypoint (RWP) [114], Shortest Path Map-Based Movement (SPMBM) [119], and OPP (SPMBM-like model, but containing a fraction of access points that are mobile). We measure changes of the mean message delivery ratio and the mean delay of message delivery for a number of opportunistic nodes No by adding legacy nodes Nl where Nl ∈ {0,1,5,10} × No. The first model simulates an area of 1km2 with 8 or 16 access points spread out symmetrically in which movement of nodes is unconstrained. The second model simulates node movement on the Helsinki downtown map with 11 − 325 stationary access points as described by Pitkänen et al. [153]. The third model is similar to the second model; however, it additionally includes a fraction of opportunistic nodes which act as mobile access points. We simulate traffic by periodically generating a single message of a random size at a random node, which is aimed to be sent to another random node; a 12 second period simulates a high load, a 60 second period is for a medium load, and a 300 second period constitutes a low load. Publication IV contains all details regarding the simulation setup. Figure 4.3 summarizes in a scatter plot the relative changes to the system performance. For RWP, we can observe modest gains in delivery ratio (by about 10%) at the cost of increased delays (by 10 − 20%). SPMBM experiences a substantial gain in delivery ratio (up to about 80%); however, delivery delays remain at the same level. Finally, for OPP we achieve delivery delay reduction (up to 20%) with modest delivery ratio improvements (up to 20%). Since RWP includes only a small number of access points, and unrestricted mobility provides less contacts, inclusion of legacy nodes has low impact. On the other hand, we see a strong impact of legacy nodes for SPMBM, because of the high number of access points that create many opportunities for the exchange of messages between opportunistic and legacy nodes and increased capabilities for storing messages. Introduction of mobile access points in OPP further increases contacts between opportunistic and legacy nodes, which reduces delivery delay. However for medium and high loads, OPP exhibits message delivery results ranging from about 20% degradation to about 80% of improvement. These unusual results are obtained in scenarios where all access points are mobile, which is not very realistic. For all mobility models, we can conclude that the addition of legacy nodes has a mostly positive impact on the system performance, as long as the load coming from additional messages does not saturate the system. Finally, it is also important to note that system performance may be further improved if an

68 Web technology in opportunistic networks

1.4 RWP L1 1.2 RWP L5 RWP L10 MBM L1 1 MBM L5 MBM L10 OPP L1 0.8 OPP L5 OPP L10 0.6 Relative mean delivery delay 0.8 1 1.2 1.4 1.6 1.8 2 Relative mean delivery probability

Figure 4.3. Scatter plot of all simulations results showing relative changes to delivery ratio and delivery delay, caused by addition of legacy nodes. L1, L5 and L10 indicates a number of legacy nodes as the multiplication of opportunistic nodes. For RWP mobility model, we see an increase in delivery probability at the cost of increased delivery delay. For the MBM model, we observe a significant increase in delivery probability without much impact on delivery delay. Finally for the OPP model, we observe decrease of delivery delay and increase of delivery probability.

Epidemic-like routing protocol is replaced by a utility-based routing protocol that may be able to make better forwarding decisions. We have finally measured the performance of time needed to exchange all messages over the web interface and compared it with the native opportunistic network interface. We conclude that the web interface is significantly quicker than the native interface. The difference comes from the fact that for the native interface, the handshake protocol carried out between the Liberouter and the mobile device prior to the actual message exchange requires a number of steps at different layers for both nodes, while the web interface is unilaterally run by the Liberouter access point.

4.2 Bringing Modern Web Applications to Opportunistic Networks: Publication V

Motivation. In Publication IV we showed that legacy devices can be used to forward messages between opportunistic network access points. We also pointed out the lack of incentive for users to connect to these access points and suggested that giving access to the access point content can be a good incentive. In this work, we develop the system that enables all users with modern web browsers to access the full-range of opportunistic services. To this end, we present a generic

69 Web technology in opportunistic networks framework that enables running modern web applications in the opportunistic network. We argue that bringing modern web applications enriches the opportunistic network environment by addressing some of the limitations of native oppor- tunistic applications. First and foremost, there are mobile operating systems that do not allow running third party background services, which effectively eliminates owners of such devices from the opportunistic network environment. Furthermore, mobile operating systems have different native capabilities, which means that for each operating system a distinct code base must be maintained2. There are also security concerns that prevent some users from installing a na- tive application. They usually require broad permissions which users may be reluctant to grant. Moreover, if they are not sure about using the application, but they are just interested in trying it, the fact that it must be installed on the device can be a blocking step. Finally, web applications are very popular in the Internet, as they are easy to build, and we believe that bringing them to the opportunistic environment may open more possibilities for creating a market for opportunistic applications. System model. Web applications in the Internet are built based on a cen- tralized client-server model. In this model, application data are stored in the central server located in the cloud. The server exposes access to application data through a RESTful API. The clients run the web application’s front-end logic in a web browser as a compilation of JavaScript code, which controls the application state and renders it. The client fetches application data for presentation via the API and sends user data for storage in the server. To build web applications for the opportunistic network, we begin with con- sidering the web application model. We argue that every web application can be modeled using the Model-View-Controller (MVC) paradigm, as illustrated in Figure 4.4. Thus, we can say that the web application is built from two main parts: data which create the application state and logic which manages changes in data. If application data are self-contained and semantically meaningful, they can be easily disseminated in the opportunistic network in a similar way like the

2This assumption may change in the future with a growing adoption of react-native [42], which is a cross-platform framework that allows the development of native mobile applications both for Android and iOS in JavaScript. Statista estimates that the mobile application market is going to double between 2016 and 2020, which creates a good opportunity for the mobile cross-platform framework. On the other hand, if the cost of adaptation of minor platform-specific details turns out to be high, the cross-platform framework may not gain a significant part of the market [43].

70 Web technology in opportunistic networks

App Stores state Internet M Updates state based on data

loading Updates from network App data User input V C

Renders state Transforms state

Figure 4.4. Web application can be modeled using MVC paradigm. The model (M) is the central component of the paradigm. It is a dynamic data structure that stores and manages the application data. The view (V) provides presentation of application data based on inputs provided by the model. The controller (C) accepts inputs from the user and potentially updates from the network and transforms them into state updates for the model. native opportunistic applications work. However, data alone are useless without the logic to generate a view to present it to the user and send new data into the network in response to user actions. We address this problem by attaching the logic to each message as metadata along with the data. Since web applications can communicate only in the client-server communi- cation model, our system design, which is illustrated in Figure 4.5, builds on top of the Liberouter-based opportunistic networking system. We extend the functionality of the Liberouter devices by adding the Web App Interaction Framework, which communicates with the opportunistic router. The framework acts as a local web server to which browsers can connect. Web App Interaction Framework conceptual model. We set following functional requirements for the framework:

1. enabling the generation and presentation of arbitrary content in the web browser through the framework

2. providing interoperability between native and web opportunistic applications

We begin addressing the first requirement by turning our attention to the MVC paradigm. The application model (M) represents the application state, which is stored as data in the Liberouter. We define a transformation as a function that takes the application state and optionally some other parameters as input and provides either the updates of the application state or an HTML view. These transformations are application-specific and can be attached to the message

71 Web technology in opportunistic networks

Figure 4.5. Overview of the Liberouter system extended for web access. The system defines two types of clients: native clients and web clients. The native clients communicate directly with each other and with the opportunistic router in the Liberouter (black arrows). The web clients communicate over HTTP links (red arrows) only with the Web App Interaction Framework, however, they through the framework they are able to exchange data with all other clients (dotted blue arrows). itself as metadata. Transformations that generate an HTML view based on the application state form the application view (V). Transformations that modify the application state based on the user input that generates new content, the arrival of a new message, or the deletion of an existing message compose the application controller (C). To illustrate this concept better, let us consider a simple photo sharing application. We design its model to be an array of items where each item is an object that describes a single photo and contains: access path to a photo file, author name, creation timestamp, and a list of comments related to a photo. The application main view renders a list of thumbnail photos sorted by a photo creation timestamp. By clicking on a particular thumbnail, the user is taken to the view which renders a large size photo together with comments about it. In this view, the user may also add a new comment under the photo. From the main view, the user may also click to add a new photo, which renders a separate view for it. Finally, there is also the controller logic that handles modifications of the application state, which are caused by the arrival/deletion of photos. The controller also triggers re-rendering logic. We define four types of transformations of application view, namely application presentation, message presentation, message creation, and message response,and

72 Web technology in opportunistic networks also four types of transformations of application controller, namely message added, message deleted, message server creation, and message server response. Using the example of our photo sharing application, we explain the details of all of these transformations. In the beginning, the application does not have any data, so its state S0 is the empty set S0 = . When a new photo message m1 arrives, the application state is updated by the execution of the message added transformation Madd. This transformation takes the current application state and the newly arrived message m1 and returns the updated application state S1 = Madd(S0, m1). The same logic is applied for every new message m j that arrives. When an existing photo contained in message mk is deleted, the application state is updated by execution of the message deleted transformation

Mdel, which takes the current application state and the deleted message mk. Formally:

Si+1 = Madd(Si, m j)

S j+1 = Mdel(S j, mk) where:

Si,Si+1,S j,S j+1 - application state after i, i + 1, j and j + 1 transformations respectively

S0 = m j - j-th received message mk - k-th deleted message Please note that the number of transformations executed on the application state equals the sum of arrived and deleted messages, thus the increase of index for the application state S is decoupled from the index of message m that triggers state update. After updating the application state, the appropriate transformations are executed to update application views as well. The application presentation transformation AP takes the application state Sx as input and provides a generic application view AVx (i.e., a view across the whole application data), formally AVx = AP(Sx). For our photo sharing application, it is the main view with photo thumbnails. The message presentation transformation MP uses data contained in a particular message mk to generate a concise view MVk of it, formally MVk = MP(mk). In our photo application, this transformation corresponds to the detailed photo view.

73 Web technology in opportunistic networks

When the user of our photo application wants to add a new photo, the message creation transformation Mcr is used. It returns the view MC for the submission of new message content. The transformation does not have any input data, as we assume that no context for providing such a view is needed. Similarly, when the user wants to add a comment about the existing photo, the message response transformation Mresp is used. It takes a data describing message to which a response is made and returns the view MR for the response message submission, formally MR = Mresp(mk). Both of these views must implement logic for sending submitted data d to the framework, so that they are published in the network. When new data are received by the framework, the message server creation

Mscr or the message server response Msresp transformation is executed. These transformations take the current application state Sx and submitted data d to return a new message mk for publishing. These transformations are useful for performing a server-side operation that is not accessible in the front-end. In the example of our photo application, it can be scaling a photo to a particular size. Formally:

mk = Mscr(Sx, d)

mk = Msresp(Sx, d)

Finally, it is also possible to register custom transformations. A custom trans- formation takes the application state as input and returns arbitrary data. The purpose of custom transformations is to give the application developer an oppor- tunity to build application-specific RESTful API endpoints. Figure 4.6 illustrates how transformations are used to modify the application state and views when a new message arrives or an existing one is deleted (top) and to create a new message (bottom). Please also note that if a transformation requires a specific resource (e.g., an icon to display in the web browser), the resource must be carried inside the message as metadata as well. The requirement of interoperability between native and web opportunistic applications is easily fulfilled. The major difference between native and web ap- plications is that the logic of the native applications is pre-installed on the device, while for the web application it is shipped in the form of the transformations as message metadata. Thus, interoperability is guaranteed if the native and the web application ship the transformations with data. Since native applications do not use the transformations to interpret data, they should be ignored by them. Web App Interaction Framework architecture. The framework architec- ture, which is illustrated in Figure 4.7, consists of five main components: Mes- sage Processor, Message Generator, application state storage, web server, and

74 Web technology in opportunistic networks

  



 
 


 
'* %'"





&
"





& (* %("
'&
)* %'"
(&


 
'*%'&
(*%(&
)*)%)&

  
 
'*%'&
(*%(&



 #
'*%'&
(*%(&
)*%)&

'
(
'







 


*
 %&

*
 % "
 &



$
  















 

$














  
 





$
 
   















$





  
   








$

  












 

$

  
  
 
 



$
  
 



















$














 
 





$
 
 
















$



















  
 







$
 


  














$










  







$

 


 

Figure 4.6. Illustration of transformations work. Whenever a new message appears, the ap- plication state Sx is updated by execution of the message added transformation Sx = madd(mx,Sx−1). Once the application state is updated all view transforma- tions APx,Vx,Cx are called on the updated state. Deletion of an existing message causes the application state update by execution of the message deleted transfor-

mation Sx = mdel(mk,Sx−1). If a web user wants to create a new message, the message creation transformation mc is executed based on her input. Processed data are submitted to the framework where optionally the message server creation msc transformation is executed. sandbox. To decouple the framework from the underlying opportunistic net- work system, the framework uses DTN Communicator which tracks changes in the Liberouter storage and acts as a message adapter for the underlying opportunistic network system. The Message Processor is responsible for processing a newly arrived message (or a just deleted one) by supervising the execution of an appropriate controller transformation and writing an updated application state into the application state storage. Because of security concerns which are explained later, transfor- mations are executed within the sandbox. The web server is the user facing component of the framework. It presents application content to the user by providing a set of endpoints, exposing applica- tion data to the front-end logic, and handling requests to create new application content coming from the user. Content presentation is obtained from a view transformation executed inside an endpoint request handler. Exposure of ap- plication data is obtained by a custom transformation. Finally, for a request to create new application content, the web server, upon receiving the request from

75 Web technology in opportunistic networks the user, validates it and passes it to the Message Generator component, which creates a new message based on the submitted data and the application state and publishes it to the opportunistic network via the DTN Communicator.

$ 

 $!
!   "

 
 
! 
'$"

)!
 
)$ 
 

!

!!
'

$!

$ 
 

$ 



!!

!!
! 
 
 !

!

!!


!!

 
!



!

&
&
 


 %


$ !

$ 

Figure 4.7. Framework system components and their interactions. When a new message is available in the Liberouter storage, the DTN Communicator passes the message to the Message Processor. The Message Processor executes appropriate transformations in the sandbox and writes update app state and views into the app storage. The web server communicates only with the app storage to provide requested views for the user. When a request to send new data comes to the web server, it forwards it to the Message Generator that reads application state from the storage and pushes formatted message to the DTN Communicator, which publishes it to the opportunistic network.

Web App Interaction Framework security considerations. Security re- quirements for opportunistic web applications are different than for standard web applications. In the case of standard web applications, communication between the web browser and the server occurs over the secure communication channel. Furthermore, separation of data between different web applications is achieved by storing them in different domains and the Same-origin Policy [58]. Finally, the web server may easily authenticate all requests for data access and submission. To guarantee secure operation of the framework and opportunistic web applica- tions, we focus on secure execution of transformations and message authenticity. Out of these requirements, the first one is the most important, as an insecure execution of a malicious transformation may cause: disruption of framework

76 Web technology in opportunistic networks operation (e.g., DoS attack), unauthorized access to an application data stored in Liberouter, or unauthorized modification of the application data. Since there are also applications that do not require message authenticity (e.g., Guerilla Pics [116]), the second requirement may not be critical to secure operation of the system. Our threat model assumes an adversary that:

1. disrupts correct operation of the system by sending a transformation with a malicious code,

2. impersonates another user by sending a message that masquerades as its originator for another user.

In addition, our model assumes the presence of basic Linux platform security mechanisms and the availability of a disconnected public key distribution system via the web interface. To ensure secure execution of transformations, we execute all transformations in the sandbox, which provides file system-level isolation and system calls filtering. The file system-level isolation restricts the transformation to access only data contained inside the message and the application state. As system calls may be present in the transformation code (e.g., via system libraries), we prevent the invocation of any system call other than I/O operations on the message content handled by the transformation. These mechanisms can be implemented using chroot jail and seccomp-bpf [75]. Restricting transformation access to the file system and filtering of system calls ensures secure execution of transformations. Finally for the execution of every transformation, the sandbox enforces maximum execution time to prevent malicious transformation from taking an excessive amount of framework resources (e.g., transformations with infinite loops). The threat of a user masquerading is addressed by the mechanism of message authenticity verification. If the message is signed by its originator, the Web Cryptography API [169] can be used to verify the message signature. The Web Cryptography API can also be used to generate a user’s private and public key. The private key can be persistently stored in the web browser, while the public key can be shared with the public key distribution system. Our system assumes that the web browser is able to obtain the public key of the message originator. Sample opportunistic web applications. To verify our concept in practice, we have implemented opportunistic web versions of two already existing native

77 Web technology in opportunistic networks

Message added(state, message): Message deleted(state, message): if new personID record = state[personID] add new person record recorded_notes = record[notes] else for note in message record = state[personID] delete recorded_notes[note] append note to record if len(recorded_notes) is 0 return updated state delete record
return updated state  


 

 
 

 


Application presentation(state): Message creation(): for record in state view = new person record template view += hypelink(record[name] return view view += record[timestamp])
return view
Message presentation(person_data): Message response(person_data): view = person data[details] view = new note template for note in person_data[notes] return view view += note
return view

Figure 4.8. People Finder application model and transformations.

opportunistic applications. Both web applications provide identical functionality to their native equivalents, but their user interfaces are slightly different. Since every platform provides different functionality, it is infeasible to make identical user interfaces for different platforms. Moreover, if we intended to unify user interfaces across all platforms, we would need to handle far larger messages, as code required for providing unification would be added to the messages. People Finder is the adaptation of Google’s Person Finder application3 into the opportunistic environment. It has proven its value in various scenarios starting from the 2010 Haiti earthquake. It allows adding records about missing people and attaching notes to those records. We have implemented this appli- cation in the “classic” web technology, i.e., view transformations return static views and each user interaction causes web page reload. The model contains an array of records, where each record contains details of a single missing person (e.g., full name, age, home address, etc.). The message added transformation updates the application state by either adding a new record for an unknown person or by appending new data contained in the message (e.g., a new note) to the already existing record. The message deleted transformation removes all notes for the given record contained in the removed message, and if there are no more notes left, the whole record is deleted. The application presentation transformation returns the main view as a table with the missing person’s full name and the date they were reported missing. For each person in the table, there is a link to the detailed view of that person, which is rendered by the

3https://google.org/personfinder/global/home.html

78 Web technology in opportunistic networks

(a) People Finder native version (b) People Finder web version

Figure 4.9. Comparison of People Finder native and web versions. message presentation transformation. From that view, it is possible to add a note about the person through a modal view, which is rendered by the message response transformation. Finally, from the main view, it is possible to go to the add new missing person view, which is rendered by the message creation transformation. Figure 4.8 illustrates the application design, while Figure 4.9 shows a comparison of native and web versions of user interfaces.

Message added(state, message): Message deleted(state, message): if message_type == “photo” if message_type == “photo” thread = message[“thread ”] thread= message[“thread”] if topic not in state[“threads”] delete_photo(thread, message) add_thread(thread) if thread is empty add_photo(topic, message) delete_thread(thread) elif message_type == “profile” elif message_type == “profile” profileID = message[“profile”] profileID = message[“profile”] update_profile(profileID, message) delete_profile(profileID, message) elif message_type == “video” elif message_type == “video” add_video(thread , message) delete_video(thread, message) return updated state return updated state  
 


 





 
 

 
 
 
 
 

Application presentation(state): getAppData(state): view = load react bundle view = person data[details] return view threads = state[“threads”]
profiles = state[“profiles”] return { threads, profiles }

Figure 4.10. Here & Now application model and transformations.

79 Web technology in opportunistic networks

Here & Now is an experience sharing application. It allows users to share media content (i.e., photos, videos) among other users that are physically col- located. The assumption behind the application design is that users who are interested in the application content are in close proximity. Thus, unlike in popular social media applications, they can communicate locally without the need to use the Internet. As a result, communication is more optimal, as there is no need to send a couple hundred kilobytes to distant servers and back to the person that can be a couple meters away. Users can additionally give com- ments and “likes” about the content they see. Application content is divided into topics. We have implemented it as the single-page application using React4. The main motivation behind React comes from the challenge of managing the application state in JavaScript in the case of complex user interfaces. React provides simple and efficient mechanisms for updating the application state and triggering re-rendering logic if needed. The application model consists of two collections. The first collection contains media content (i.e., shared photos and videos), which is divided into multiple discussion threads. The second collection contains profiles of nearby users. If a message that contains media content is received, the message added transformation checks which thread the message belongs to and adds it to the proper one. If no such thread exist, it creates it. If a profile message is received, the transformation creates or updates profile data associated with the profile identifier contained in the message. The message deleted transformation performs the exact reverse operations to the message added transformation. Since this is a single-page application, we only need to implement the application presentation transformation which loads the com- piled React bundle (added as message metadata) with the front-end logic. All application views are implemented inside React. Access to application data is implemented using the getAppData custom transformation. Figure 4.10 illus- trates the application design, while Figure 4.11 shows a comparison of native and web versions of user interfaces. Here & Now was successfully deployed to the guifi.net network, as part of the DTN fronthaul evaluation for the RIFE project [18]. Finally, we also im- plemented web versions of two other opportunistic applications: Guerilla Pics, a photo sharing application, and Guerilla Boards, a messaging applica- tion [116].

4https://reactjs.org/

80 Web technology in opportunistic networks

(a) Here & Now native version (b) Here & Now web version

Figure 4.11. Comparison of Here & Now native and web versions.

System validation. The framework enables accessing and generating content in the opportunistic network via the web application at the cost of shipping application logic and additional static resources along with messages, which incurs message size overhead. Thus, we evaluate the impact of the overhead on the message delivery performance and content coverage for web applications, which is defined as a fraction of web application instances that obtain a copy of the message. We conducted our simulations using the ONE simulator. To evaluate over- head, we measured message sizes for Guerilla Pics and Guerilla Boards applications with sample contents. We selected these applications over Here & Now and People Finder because of their simplicity, as it is immaterial for the system validation which application is used, while Here & Now and People Finder require a way more complex simulation setup. Since typical message size for the native version of Guerilla Boards is about 350 bytes, the addition of the transformations code together with static media content (e.g., icons) makes the message size grow almost 50 times to about 16 kilobytes. However, if the content size of the application message is larger, the overhead becomes more reasonable. For Guerilla Pics, the native message size is typically between 65−120 kilobytes and transformations and static media content add about 7 kilobytes (5 − 10% of overhead).

81 Web technology in opportunistic networks

The comparison of original and enhanced text messages applications 1 High load original 0.8 High load enhanced Medium load original 0.6 Medium load enhanced Low load original 0.4 Low load enhanced

0.2

CDF of Node Coverage 0 0 1000 2000 3000 4000 5000 Time (s) The comparison of original and enhanced photo sharing applications 1 High load original 0.8 High load enhanced Medium load original 0.6 Medium load enhanced Low load original 0.4 Low load enhanced

0.2

CDF of Node Coverage 0 0 1000 2000 3000 4000 5000 Time (s)

Figure 4.12. Impact of the overhead introduced by the framework (reflected in different message sizes) on the coverage for messaging (top) and photo sharing (bottom) with all three loads for the SPMBM model.

The simulation setup is identical to the SPMBM scenario in Publication IV. However, this time we measure the fraction of nodes that obtain a copy of each message. As illustrated in Figure 4.12, the overhead of the framework does not have a major impact on the performance results, as the coverage does not change due to the addition of the framework-enhanced messages. These results are consistent with other past experiments, which have shown that the per-message overhead of the protocol implementations is more important in communication performance than the per-byte overhead. For example, Pöttner et al. [155] studied performance of three different implementations of DTN Bundle Protocol to conclude that network throughput increases with the size of the bundle.

82 Web technology in opportunistic networks


 

!"

! 
#"

 
$%&
' 
$%&
' 
$%&
'
 
$%&
' 
$%&
' 
$%&
'
















 



 

!"

! 
#"

 
$%&
' 
$%&
' 
$%&
'
 
$%&
' 
$%&
' 
$%&
'
















 


Figure 4.13. Content coverage achieved for different number of access points and web nodes for text messaging (top) and photo sharing (bottom).

To measure the content coverage for web applications, we run nearly the same simulation setup, but we introduce 10 − 325 access point nodes and web nodes which are defined as nodes running web application instances. In each simulation scenario we set the number of web nodes Nw to Nw ∈ {1,10}×No. The results of our simulations, which are shown in Figure 4.13, indicate remarkable increase in the visibility of content in the network. We can see that the content coverage increases with the number of available access point and web nodes. For only 10 access points and the number of web nodes equal to number of opportunistic nodes (L1), the content coverage reaches almost 40%. It increases to 60% for 325 access points and ten times more web nodes than opportunistic

83 Web technology in opportunistic networks nodes (L10), which is better than for opportunistic nodes alone (see Figure 4.12 for comparison). Since the content coverage increases with the number of web nodes available (L10 vs. L1), it is important to note that the absolute number of nodes for which content is available is much higher.

4.3 Summary

In this chapter of the thesis, we describe mechanisms for increasing people’s engagement in opportunistic networks. We identify two main barriers that potentially prevent people from engaging in opportunistic applications and make a proposal to address them by bringing the web technology to the opportunistic network ecosystem. Publication IV explores mechanisms of forwarding messages between access points in the opportunistic network using HTTP cookies and the web storage. Results of simulation scenarios, which we have explored, generally show an overall improvement of system performance, which confirms the feasibility of the concept. Motivated by the results of Publication IV, in Publication V we build Web App Interaction Framework which enables development and deployment of mod- ern web applications in the opportunistic network. We argue that by bringing web applications into the opportunistic network, we create a strong incentive for users of web devices to engage in the opportunistic systems, which can hopefully lead to building popular opportunistic web applications that will provide a real value for people. Our solution is based on shipping the application logic together with data. Our simulation results show that an increase of overall message size caused by adding logic to it does not have a serious impact on the system performance and provides a remarkable content coverage for web users.

84 5. Summary and future work

In this dissertation we focus on practical mechanisms that can remove some of the barriers for large-scale deployment of opportunistic services. We have stated the following research questions to constrain the problem:

1. How can we enable privacy-preserving discovery of social attributes between two people?

2. How can we increase people’s engagement in opportunistic networks?

To address the first question, we have started with designing and implement- ing PeerShare, a secure and privacy-preserving data distribution system which has been integrated with popular online social networks to enable sharing of data within the social context. The system is a very useful tool that we keep reusing in our further works as distribution system for public keys, Common Friends and Social PaL data. After that, we have presented Common Friends, a frame- work for the secure discovery of common friends which protects the privacy of non-common friends, ensures the authenticity of the friend’s input set, and does not require on-demand Internet connectivity. For the actual process of common friends discovery, we have designed a very efficient BFPSI protocol, which incurs a constant number of public key cryptography operations, thus being feasible in mobile usage scenario. Finally, we have presented Social PaL, a system for scalable and privacy-preserving discovery of the social path lengths between users. Unlike Common Friends, it enables the discovery of all common friends (not just the ones that are part of the system) and also the majority of social paths between users that are longer than 2. As the immediate follow-up work, we tried to provide more fine-grained information about common friends by in- corporating tie-strength into our framework [48, 96]. However, surprisingly our analysis based on a relatively small dataset has shown that the combination of

85 Summary and future work multiple communication channels for estimating tie-strengths does not provide any improvement [187]. Future work in this area would involve extending our current infrastructure to discover shared interests and common group members. In practice, our infrastructure can be extended to efficiently perform any kind of common social attribute discovery for which there is a mechanism to authenticate input sets. In case of Common Friends discovery, relationship existence is confirmed by the authority of the online social network server. For the case of common group membership discovery, the authenticity of group membership can be certified by a trusted group administrator. We generally believe that efficient mechanisms for the privacy-preserving discovery of common social attributes are very useful for discovering demanded resources that can be provided by people’s local communities who may not be willing to share them openly. Providing mechanisms for exposure of these resources may inspire people to develop new localized services on top of them [47]. To address the second question, we first identified that some mobile operating systems prevent users from running opportunistic software on their devices, thus effectively excludeing them from participation in opportunistic networks. As a result, we have turned to web technology, which is available for all modern mobile devices. We have used Liberouter as the base system on top of which we build our extensions. First, we have shown that the overall system performance, measured by the probability of message delivery, improves with the addition of mobile devices that forward messages using web interfaces. Furthermore, to create an incentive for owners of such devices to connect to various Liberouter web portals, we have developed a web framework that allows users to run mod- ern web applications which are fully compatible with their native equivalents. This gives an opportunity for owners of these devices to become full-fledged par- ticipants of the opportunistic network. We have further validated this concept by running multiple simulation scenarios to verify that message overhead incurred by the framework does not degrade overall system performance and users of only web applications get a comparable message coverage with normal users. Deploy- ment of the Here & Now web application in the guifi.net community network confirms practical aspects of our solution. Obvious future work in this area would involve adding functionality to the web framework to enable support for encrypted messages and closed communication groups in web applications. Since we already have support for message au- thentication, it seems that these features can be easily added, using PeerShare for secure key distribution. The second group of future work involves improve-

86 Summary and future work ments of user experience. Currently the web user must explicitly connect to the Liberouter access point and open a web browser to start message forwarding, which is cumbersome. In the long term future, we envision providing the full-blown opportunistic router running inside the web browser that would offer the same functionality as the native opportunistic router. Such a router would probably run a simplified version of the Bundle Protocol and can offer improved message exchange times in comparison to the native solution, as demonstrated in Publication IV. However, it is important to note that unless web browsers open some ports on their own, it will not be possible to establish direct device-to-device communication between web browsers. Although WebRTC offers direct browser-to-browser communica- tion, there is always a signaling server used for exchanging IP addresses and ports between the connecting browsers. Thus, a web based opportunistic router will not remove the need for some limited infrastructure support. We envision that contributions of this dissertation, which have been presented above, are more generic than the immediate application that we have identified. We argue that since Common Friends and Social PaL find out information about common contacts or social path length between two nodes in a very efficient way, they can be successfully applied as cues for node topology control, social based routing protocols message forwarding strategies, and trust establishment. For instance, if two nodes discover each other they have very little time to find out if it is beneficial for them to open a connection between them (topology control problem). If the connection between them is established, a hypothetical social based routing protocol may run the discovery protocol to determine its social distance to the connected node and based on it select the set of messages for exchange. With regards to message forwarding strategies, messages to be exchanged can be sorted in the sending buffer with the social distance in mind to optimize the physical message exchange. Finally, as mechanisms for establishing social trust may involve a function of social graph distance [181], Social PaL seems to be a good application for it. Web technology in the opportunistic network also has more generic applica- tions. The web framework concept assumes carrying application logic along the messages and executing the code inside the network. This resembles the well-known concepts of active networking [176] and mobile code. Nowadays we observe a newly emerging concept of opportunistic computing which allows a sin- gle device to securely utilize resources on another nearby device. Furthermore, the web framework may also find application in handling localized content inside a community network. In such a use case, there is no need for a centralized

87 Summary and future work application database since the whole communication encloses itself in a set of community routers, which can store the application content. Because application logic is attached to application messages, if a message belonging to a brand new application appears in the community network, there is no need to update the network environment, as the web framework enables seamless integration of the application with the environment. Please recall from the Introduction that ongoing exponential growth of mobile Internet and cloud computing may spur doubt as to whether deployment of opportunistic networks in the developed countries is necessary. However, it is a question of whether predicted exponential growth of mobile traffic is eco- nomically sustainable for mobile operators in the long term. We argue that opportunistic networks can operate in parallel to mobile networks and support them in handling a fraction of the mobile traffic. They can be especially useful if a significant part of communication is constrained within some geographical boundaries. A good example to support the idea that local services have market potential is the success of AirDrop, which offers a superior user experience in comparison to other file sharing services. Failure of successful deployments of opportunistic networks is caused by a lack of clear business cases as well as poor support for direct device-to-device communication and energy-efficient device discovery in existing mobile devices. As a result, direct device-to-device communication (D2D) has been rather difficult, as there is usually a need for some server (e.g., Liberouter) to facilitate communication. However, recently we also observed a big push towards D2D supported by the Third Generation Partnership Project (3GPP). Consequently, two new technologies have emerged: unlicensed spectrum Wi-Fi Aware and in-band LTE-Direct. Both of these tech- nologies promise to solve current technical limitations, although LTE-Direct still requires the assistance of a mobile network to establish a direct communication channel. The emergence of these technologies also shows that there is a growing awareness, even among mobile operators, of the profitability of proximity based services. All of this indicates that existing limitations for large-scale deploy- ments have a potential to be overcome and that the results of this work can find applications in real-world deployments in the coming future.

88 References

[1] Another PaaS bites the dust, bankruptcy ends former Docker cloud unit. https://www.cbronline.com/news/cloud/ another-paas-bites-the-dust-bankruptcy-ends-former-docker-cloud-unit-4792568/. Accessed: 22.05.2018.

[2] Bandwagon. http://www.bandwagon.io/. Accessed: 2018-06-30.

[3] Cloud Security – Who Owns The Data? https://www.bbconsult.co.uk/blog/ cloud-security-who-owns-the-data. Accessed: 22.05.2018.

[4] Cost of Data Breach Study. https://www.ibm.com/security/data-breach. Accessed: 10.04.2018.

[5] Download: 68 Million Hacked Dropbox Accounts are Just a Click Away! https://thehackernews.com/2016/10/dropbox-password-hack.html. Ac- cessed: 19.03.2018.

[6] EU General Data Protection Regulation. https://www.eugdpr.org/. Accessed: 10.04.2018.

[7] Facebook Data Policy. https://www.facebook.com/full_data_use_policy. Accessed: 04.05.2018.

[8] Facebook Graph API. https://developers.facebook.com/docs/graph-api.

[9] Facebook will delete your backed-up photos if you don’t install Mo- ments app. https://www.theguardian.com/technology/2016/jun/13/ facebook-delete-photos-moments-app. Accessed: 19.03.2018.

[10] FireChat Messaging App Gains Users During Hong Kong Protests. https://blogs.wsj.com/digits/2014/09/29/ firechat-messaging-app-gains-users-during-hong-kong-protests/. Accessed: 2018-05-20.

[11] Foursquare. https://foursquare.com/. Accessed: 2018-06-30.

[12] goTenna. https://www.gotenna.com/. Accessed: 2018-05-20.

[13] Health Insurance Portability and Accountability Act of 1996. https://www.gpo. gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm. Accessed: 10.04.2018.

[14] iCloud leaks of celebrity photos. https://en.wikipedia.org/wiki/ICloud_ leaks_of_celebrity_photos. Accessed: 19.03.2018.

89 References

[15] Open Garden. https://www.opengarden.com/. Accessed: 2018-05-20.

[16] PCI Security Standards Council. https://www.pcisecuritystandards.org/. Accessed: 10.04.2018.

[17] Postmortem of database outage of January 31. https://about.gitlab.com/ 2017/02/10/postmortem-of-database-outage-of-january-31/. Accessed: 22.05.2018.

[18] RIFE Project: D4.3: Final Report on Technology Validation. https:// rife-project.eu/wp-content/uploads/RIFE_D4.3-final.pdf. Accessed: 19.08.2018.

[19] SideCar. https://www.side.cr/. Accessed: 2018-06-30.

[20] Spacetime Networks Oy. http://www.spacetimenetworks.com/. Accessed: 2018-05-20.

[21] Summary of the Amazon DynamoDB Service Disruption and Related Impacts in the US-East Region. https://aws.amazon.com/message/5467D2/. Accessed: 22.05.2018.

[22] Tencent. https://www.tencent.com/en-us/. Accessed: 2018-06-30.

[23] Uepaa. https://safety.uepaa.ch/de/. Accessed: 2018-05-20.

[24] W3C Web Storage. https://www.w3.org/TR/webstorage/.

[25] What cloud hosting users can take away from the 2017 AWS outage. https://www.teledata.co.uk/blog/ what-cloud-hosting-users-can-take-away-from-the-2017-aws-outage. Accessed: 09.01.2018.

[26] What happens if your PaaS passes? https://gigaom.com/2013/01/25/ what-happens-if-your-paas-passes/. Accessed: 22.05.2018.

[27] Zoosk. https://www.zoosk.com/. Accessed: 2018-06-30.

[28] Internet Protocol. RFC 791, September 1981.

[29] Transmission Control Protocol. RFC 793, September 1981.

[30] On Packet Switches With Infinite Storage. RFC 970, December 1985.

[31] BBC News: Facebook, Google and Twitter agree German hate speech deal. http: //www.bbc.com/news/world-europe-35105003, 2015. Accessed: 2018-05-20.

[32] The Rise of Social Graphs for Businesses. https://hbr.org/2015/02/ the-rise-of-social-graphs-for-businesses, 2015. Accessed: 07.01.2018.

[33] Cisco Global Cloud Index. https://newsroom.cisco.com/ press-release-content?articleId=1804748, 2016. Accessed: 07.01.2018.

[34] CloudHarmony. https://cloudharmony.com/status-1year, 2017. Accessed: 09.01.2018.

[35] Athens Wireless Metropolitan Network. http://www.awmn.net/, 2018. Accessed: 2018-05-26.

90 References

[36] Facebook–Cambridge Analytica data scandal. https://en.wikipedia.org/ wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal, 2018. Ac- cessed: 22.05.2018.

[37] Freifunk. http://freifunk.net/, 2018. Accessed: 2018-05-26.

[38] Funkfeuer. http://www.funkfeuer.at/, 2018. Accessed: 2018-05-26.

[39] guifi.net. https://guifi.net/, 2018. Accessed: 23.05.2018.

[40] How affordable is broadband? http://blogs.worldbank.org/ic4d/ how-affordable-broadband, 2018. Accessed: 22.05.2018.

[41] NetHood. http://nethood.org/, 2018. Accessed: 23.05.2018.

[42] React Native. https://facebook.github.io/react-native/, 2018. Accessed: 2018-10-13.

[43] React Native vs. Real Native Apps - Which is Better? https://hackernoon.com/ react-native-vs-real-native-apps-which-is-better-a8383d6f7ca5, 2018. Accessed: 2018-10-11.

[44] Russia’s Telegram block hits web users. https://www.bbc.co.uk/news/ technology-43797176, 2018. Accessed: 09.09.2018.

[45] TakNet – Community networking in Thailand. https://blog.apnic.net/ 2017/02/17/taknet-community-networking-thailand/, 2018. Accessed: 23.05.2018.

[46] Amazon. Announcing Amazon Elastic Compute Cloud (Amazon EC2) - beta. https://aws.amazon.com/about-aws/whats-new/2006/08/24/ announcing-amazon-elastic-compute-cloud-amazon-ec2---beta/, 2006. Accessed: 07.01.2018.

[47] Panayotis Antoniadis, Jörg Ott, and Andrea Passarella. Do It Yourself networking: an interdisciplinary approach (Dagstuhl Seminar 14042). In Dagstuhl reports, volume 4. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2014.

[48] Valerio Arnaboldi, Andrea Guazzini, and Andrea Passarella. Egocentric online so- cial networks: Analysis of key features and prediction of tie strength in Facebook. Computer Communications, 36(10-11):1130–1144, 2013.

[49] Simurgh Aryan, Homa Aryan, and J Alex Halderman. Internet Censorship in Iran: A First Look. In FOCI, 2013.

[50] N Asokan, Alexandra Dmitrienko, Marcin Nagy, Elena Reshetova, Ahmad-Reza Sadeghi, Thomas Schneider, and Stanislaus Stelle. CrowdShare: Secure Mobile Resource Sharing. In International Conference on Applied Cryptography and Network Security, pages 432–440. Springer, 2013.

[51] N Asokan, Kari Kostiainen, Philip Ginzboorg, Jörg Ott, and Cheng Luo. Towards Securing Disruption-Tolerant Networking. Nokia Research Center, Tech. Rep. NRC-TR-2007-007, 2007.

[52] Michael Backes, Matteo Maffei, and Kim Pecina. A Security API for Distributed Social Networks. In NDSS, volume 11, pages 35–51, 2011.

91 References

[53] Randy Baden, Adam Bender, Neil Spring, Bobby Bhattacharjee, and Daniel Starin. Persona: An Online Social Network with User-Defined Privacy. In ACM SIGCOMM Computer Communication Review, volume 39, pages 135–146. ACM, 2009.

[54] Aruna Balasubramanian, Brian Levine, and Arun Venkataramani. DTN Routing as a Resource Allocation Problem. In ACM SIGCOMM Computer Communication Review, volume 37, pages 373–384. ACM, 2007.

[55] Aruna Balasubramanian, Yun Zhou, W Bruce Croft, Brian Neil Levine, and Aruna Venkataramani. Web Search From a Bus. In Proceedings of the second ACM workshop on Challenged networks, pages 59–66. ACM, 2007.

[56] Nilanjan Banerjee, Mark D Corner, and Brian Neil Levine. An Energy-Efficient Architecture for DTN Throwboxes. In INFOCOM 2007. 26th IEEE international conference on computer communications. IEEE, pages 776–784. IEEE, 2007.

[57] Adam Barth. HTTP State Management Mechanism. RFC 6265, April 2011.

[58] Adam Barth. The Web Origin Concept. RFC 6454, December 2011.

[59] Tim Berners-Lee, Roy T. Fielding, and Larry M Masinter. Uniform Resource Identifier (URI): Generic Syntax. RFC 3986, January 2005.

[60] K. Birman and T. Joseph. Exploiting Virtual Synchrony in Distributed Systems. In Proceedings of the Eleventh ACM Symposium on Operating Systems Principles, SOSP ’87, pages 123–138, New York, NY, USA, 1987. ACM.

[61] Fredrik Bjurefors, Per Gunningberg, Christian Rohner, and Sam Tavakoli. Con- gestion Avoidance in a Data-Centric Opportunistic Network. In Proceedings of the ACM SIGCOMM workshop on Information-centric networking, pages 32–37. ACM, 2011.

[62] Burton H Bloom. Space/Time Trade-offs in Hash Coding with Allowable Errors. Communications of the ACM, 13(7):422–426, 1970.

[63] Dan Boneh and Matt Franklin. Identity-Based Encryption from the Weil Pairing. In Annual international cryptology conference, pages 213–229. Springer, 2001.

[64] Vincent Borrel, Mostafa H Ammar, and Ellen W Zegura. Understanding the Wireless and Mobile Network Space: A Routing-Centered Classification. In Proceedings of the second ACM workshop on Challenged networks, pages 11–18. ACM, 2007.

[65] Sergey Brin and Lawrence Page. The Anatomy of a Large-Scale Hypertextual Web Search Engine. Computer networks and ISDN systems, 30(1-7):107–117, 1998.

[66] Eyuphan Bulut and Boleslaw K Szymanski. Friendship Based Routing in Delay Tolerant Mobile Social Networks. In Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE, pages 1–5. IEEE, 2010.

[67] John Burgess, Brian Gallagher, David Jensen, and Brian Neil Levine. MaxProp: Routing for Vehicle-Based Disruption-Tolerant Networks. In INFOCOM 2006. 25th IEEE International Conference on Computer Communications. Proceedings, pages 1–11. IEEE, 2006.

92 References

[68] Srdjan Capkun, Levente Buttyán, and J-P Hubaux. Self-Organized Public-Key Management for Mobile Ad Hoc Networks. IEEE Transactions on mobile comput- ing, 2(1):52–64, 2003.

[69] Zhaofei Chen, Emre A Yavuz, and Gunnar Karlsson. What a Juke! A Collaborative Music Sharing System. In World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012 IEEE International Symposium on a, pages 1–6. IEEE, 2012.

[70] Blerim Cici, Athina Markopoulou, Enrique Frias-Martinez, and Nikolaos Laoutaris. Assessing the Potential of Ride-Sharing Using Mobile and Social Data. In Proceedings of the 2014 ACM International Joint Conference on Perva- sive and Ubiquitous Computing, pages 201–211. ACM, 2014.

[71] Russell J Clark, Evan Zasoski, Jon Olson, Mostafa Ammar, and Ellen Zegura. D-Book: A Mobile Social Networking Application for Delay Tolerant Networks. In Proceedings of the third ACM workshop on Challenged networks, pages 113–116. ACM, 2008.

[72] Richard Clayton, Steven J Murdoch, and Robert NM Watson. Ignoring the Great Firewall of China. In International Workshop on Privacy Enhancing Technologies, pages 20–35. Springer, 2006.

[73] Marco Conti, Silvia Giordano, Martin May, and Andrea Passarella. From oppor- tunistic networks to opportunistic computing. IEEE Communications Magazine, 48(9), 2010.

[74] Marco Conti and Mohan Kumar. Opportunities in opportunistic computing. Computer, 43(1), 2010.

[75] Jonathan Corbet. Seccomp and sandboxing. http://lwn.net/Articles/ 332974/. Accessed: 20.08.2018.

[76] Leucio Antonio Cutillo, Refik Molva, and Thorsten Strufe. Safebook: a Privacy Preserving Online Social Network Leveraging on Real-Life Trust. IEEE Commu- nications Magazine, 47(12), 2009.

[77] Elizabeth M Daly and Mads Haahr. Social Network Analysis for Routing in Dis- connected Delay-Tolerant MANETs. In Proceedings of the 8th ACM international symposium on Mobile ad hoc networking and computing, pages 32–40. ACM, 2007.

[78] Jiri Danihelka, Domenico Giustiniano, and Theus Hossmann. HyCloud: A system for device-to-device content distribution controlled by the cloud. In World of Wire- less, Mobile and Multimedia Networks (WoWMoM), 2014 IEEE 15th International Symposium on a, pages 1–5. IEEE, 2014.

[79] Emiliano De Cristofaro, Paolo Gasti, and Gene Tsudik. Fast and Private Compu- tation of Cardinality of Set Intersection and Union. In International Conference on Cryptology and Network Security, pages 218–231. Springer, 2012.

[80] Emiliano De Cristofaro, Jihye Kim, and Gene Tsudik. Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model. In International Conference on the Theory and Application of Cryptology and Information Security, pages 213–231. Springer, 2010.

93 References

[81] Emiliano De Cristofaro and Gene Tsudik. Practical Private Set Intersection Protocols. In International Conference on Financial Cryptography and Data Security, pages 143–159. Springer, 2010.

[82] Michael Demmer and Kevin Fall. DTLSR: Delay Tolerant Routing for Developing Regions. In Proceedings of the 2007 workshop on Networked systems for developing regions, page 5. ACM, 2007.

[83] Michael Demmer, Jörg Ott, and Simon Perreault. Delay-Tolerant Networking TCP Convergence-Layer Protocol. RFC 7242, June 2014.

[84] John R Douceur. The Sybil Attack. In International workshop on peer-to-peer systems, pages 251–260. Springer, 2002.

[85] Karim El Defrawy, John Solis, and Gene Tsudik. Leveraging Social Contacts for Message Confidentiality in Delay Tolerant Networks. In Computer Software and Applications Conference, 2009. COMPSAC’09. 33rd Annual IEEE International, volume 1, pages 271–279. IEEE, 2009.

[86] Vijay Erramilli and Mark Crovella. Forwarding in opportunistic networks with resource constraints. In Proceedings of the third ACM workshop on Challenged networks, pages 41–48. ACM, 2008.

[87] Chris Evans, Chris Palmer, and Ryan Sleevi. Public Key Pinning Extension for HTTP. RFC 7469, April 2015.

[88] Martin Everett and Stephen P Borgatti. Ego network betweenness. Social networks, 27(1):31–38, 2005.

[89] Kevin Fall. A Delay-Tolerant Network Architecture for Challenged Internets. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pages 27–34. ACM, 2003.

[90] Kevin Fall. Identity based cryptosystem for secure delay tolerant networking. Manuscript, 2003.

[91] Rodérick Fanou, Gareth Tyson, Pierre Francois, and Arjuna Sathiaseelan. Push- ing the Frontier: Exploring the African Web Ecosystem. In Proceedings of the 25th International Conference on World Wide Web, pages 435–445. International World Wide Web Conferences Steering Committee, 2016.

[92] Giulia Fanti, Yahel Ben David, Sebastian Benthall, Eric Brewer, and Scott Shenker. Rangzen: Circumventing Government-Imposed Communication Black- outs. University of California, Berkeley, Tech. Rep. UCB/EECS-2013-128, 2013.

[93] Stephen Farrell, Howard Weiss, Susan Symington, and Peter Lovell. Bundle Security Protocol Specification. RFC 6257, May 2011.

[94] Michael J Freedman, Kobbi Nissim, and Benny Pinkas. Efficient Private Match- ing and Set Intersection. In International conference on the theory and applica- tions of cryptographic techniques, pages 1–19. Springer, 2004.

[95] Linton C Freeman. A Set of Measures of Centrality Based on Betweenness. Sociometry, pages 35–41, 1977.

[96] Eric Gilbert. Predicting Tie Strength in a New Medium. In Proceedings of the ACM 2012 conference on Computer Supported Cooperative Work, pages 1047–1056. ACM, 2012.

94 References

[97] Philip Ginzboorg, Teemu Kärkkäinen, Aki Ruotsalainen, Mikael Andersson, and Jörg Ott. DTN Communication in a Mine. In 2nd Extreme Workshop on Communications (Sept. 2010), 2010.

[98] Minas Gjoka, Maciej Kurant, Carter T Butts, and Athina Markopoulou. Walking in Facebook: A Case Study of Unbiased Sampling of OSNs. In Infocom, 2010 Proceedings IEEE, pages 1–9. Ieee, 2010.

[99] Minas Gjoka, Maciej Kurant, Carter T Butts, and Athina Markopoulou. Practical Recommendations on Crawling Online Social Networks. IEEE Journal on Selected Areas in Communications, 29(9):1872–1892, 2011.

[100] Mark S Granovetter. The Strength of Weak Ties. In Social networks, pages 347–367. Elsevier, 1977.

[101] Samo Grasic, Elwyn Davies, Anders Lindgren, and Avri Doria. The Evolution of a DTN Routing Protocol – PRoPHETv2. In Proceedings of the 6th ACM workshop on Challenged networks, pages 27–30. ACM, 2011.

[102] Aditi Gupta, Markus Miettinen, N Asokan, and Marcin Nagy. Intuitive secu- rity policy configuration in mobile devices using context profiling. In Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Confernece on Social Computing (SocialCom), pages 471–480. IEEE, 2012.

[103] Peter Gutmann. PKI: It’s Not Dead, Just Resting. Computer, 35(8):41–49, 2002.

[104] Radu Handorean, Christopher Gill, and Gruia-Catalin Roman. Accommodat- ing Transient Connectivity in Ad Hoc and Mobile Settings. In International Conference on Pervasive Computing, pages 305–322. Springer, 2004.

[105] Dick Hardt. The OAuth 2.0 Authorization Framework. RFC 6749, October 2012.

[106] Ólafur R. Helgason, Emre A. Yavuz, Sylvia T. Kouyoumdjieva, Ljubica Pajevic, and Gunnar Karlsson. A Mobile Peer-to-Peer System for Opportunistic Content- Centric Networking. In Proc. of ACM MobiHeld, 2010.

[107] Brett D. Higgins, Azarias Reda, Timur Alperovich, Jason Flinn, T.J. Giuli, Brian Noble, and David Watson. Intentional Networking: Opportunistic Exploitation of Mobile Network Diversity. In Proc. of ACM MobiCom, 2010.

[108] Theus Hossmann, Franck Legendre, Paolo Carta, Per Gunningberg, and Christian Rohner. Twitter in Disaster Mode: Opportunistic Communication and Distribu- tion of Sensor Data in Emergencies. In Proceedings of the 3rd Extreme Conference on Communication: The Amazon Expedition, page 1. ACM, 2011.

[109] Pan Hui, Jon Crowcroft, and Eiko Yoneki. BUBBLE Rap: Social-based For- warding in Delay Tolerant Networks. IEEE Transactions on Mobile Computing, 10(11):1576–1589, 2011.

[110] Johnathan Ishmael, Sara Bury, Dimitrios Pezaros, and Nicholas Race. Deploying Rural Community Wireless Mesh Networks. IEEE Internet Computing, 12(4), 2008.

[111] Sonia Jahid, Shirin Nilizadeh, Prateek Mittal, Nikita Borisov, and Apu Kapadia. DECENT: A Decentralized Architecture for Enforcing Privacy in Online Social Networks. In Pervasive Computing and Communications Workshops (PERCOM Workshops), 2012 IEEE International Conference on, pages 326–332. IEEE, 2012.

95 References

[112] Sushant Jain, Kevin Fall, and Rabin Patra. Routing in a Delay Tolerant Network, volume 34. ACM, 2004.

[113] Aaron M Johnson, Paul Syverson, Roger Dingledine, and Nick Mathewson. Trust- based Anonymous Communication: Adversary Models and Routing Algorithms. In Proceedings of the 18th ACM conference on Computer and communications security, pages 175–186. ACM, 2011.

[114] David B Johnson and David A Maltz. Dynamic source routing in ad hoc wireless networks. In Mobile computing, pages 153–181. Springer, 1996.

[115] Teemu Kärkkäinen, Paul Houghton, Lorenzo Valerio, Andrea Passarella, and Jörg Ott. Here&now: Data-centric local social interactions through opportunistic networks. In Proceedings of the Eleventh ACM Workshop on Challenged Networks, pages 37–38. ACM, 2016.

[116] Teemu Kärkkäinen and Jörg Ott. Liberouter: Towards Autonomous Neighborhood Networking. In Wireless On-demand Network Systems and Services (WONS), 2014 11th Annual Conference on, pages 162–169. IEEE, 2014.

[117] Teemu Kärkkäinen, Mikko Pitkänen, Paul Houghton, and Jörg Ott. SCAMPI Application Platform. In Proceedings of the seventh ACM international workshop on Challenged networks, pages 83–86. ACM, 2012.

[118] Teemu Kärkkäinen, Mika Välimaa, Shourov Kumar Roy, Esa Hyytiä, and Jörg Ott. Practical opportunistic content dissemination performance in dense network segments. Computer Communications, 123:65–80, 2018.

[119] Ari Keränen, Jörg Ott, and Teemu Kärkkäinen. The ONE Simulator for DTN Protocol Evaluation. In Proceedings of the 2nd international conference on sim- ulation tools and techniques, page 55. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2009.

[120] Amir Krifa, Chadi Barakat, and Thrasyvoulos Spyropoulos. Optimal Buffer Management Policies for Delay Tolerant Networks. In Sensor, Mesh and Ad Hoc Communications and Networks, 2008. SECON’08. 5th Annual IEEE Communica- tions Society Conference on, pages 260–268. IEEE, 2008.

[121] Amir Krifa, Chadi Barakat, and Thrasyvoulos Spyropoulos. Message Drop and Scheduling in DTNs: Theory and Practice. IEEE Transactions on Mobile Com- puting, 11(9):1470–1483, 2012.

[122] Nicholas D Lane, Emiliano Miluzzo, Hong Lu, Daniel Peebles, Tanzeem Choud- hury, and Andrew T Campbell. A Survey of Mobile Phone Sensing. IEEE Com- munications magazine, 48(9), 2010.

[123] Vincent Lenders, Gunnar Karlsson, and Martin May. Wireless Ad Hoc Podcasting. In Sensor, Mesh and Ad Hoc Communications and Networks, 2007. SECON’07. 4th Annual IEEE Communications Society Conference on, pages 273–283. IEEE, 2007.

[124] Adisorn Lertsinsrubtavee, Liang Wang, Arjuna Sathiaseelan, Jon Crowcroft, Nunthaphat Weshsuwannarugs, Apinun Tunpan, and Kanchana Kanchanasut. Understanding Internet Usage and Network Locality in a Rural Community Wire- less Mesh Network. In Proceedings of the Asian Internet Engineering Conference, pages 17–24. ACM, 2015.

96 References

[125] Na Li and Sajal K Das. RADON: reputation-assisted data forwarding in oppor- tunistic networks. In Proceedings of the Second International Workshop on Mobile Opportunistic Networking, pages 8–14. ACM, 2010.

[126] Na Li and Sajal K Das. A trust-based framework for data forwarding in oppor- tunistic networks. Ad Hoc Networks, 11(4):1497–1509, 2013.

[127] Yong Li, Mengjiong Qian, Depeng Jin, Li Su, and Lieguang Zeng. Adaptive Optimal Buffer Management Policies for Realistic DTN. In Global Telecommuni- cations Conference, 2009. GLOBECOM 2009. IEEE, pages 1–5. IEEE, 2009.

[128] Yun Li, Ling Zhao, Zhanjun Liu, and Qilie Liu. N-Drop: congestion control strategy under epidemic routing in DTN. In Proceedings of the 2009 international conference on wireless communications and mobile computing: connecting the world wirelessly, pages 457–460. ACM, 2009.

[129] Anders Lindgren, Avri Doria, Elwyn B. Davies, and Samo Grasic. Probabilistic Routing Protocol for Intermittently Connected Networks. RFC 6693, August 2012.

[130] Anders Lindgren, Avri Doria, and Olov Schelen. Probabilistic Routing in Intermit- tently Connected Networks. In Service assurance with partial and intermittent resources, pages 239–254. Springer, 2004.

[131] Anders Lindgren and Kaustubh S Phanse. Evaluation of Queueing Policies and Forwarding Strategies for Routing in Intermittently Connected Networks. In Communication System Software and Middleware, 2006. Comsware 2006. First International Conference on, pages 1–10. IEEE, 2006.

[132] Di Ma and Gene Tsudik. Security and Privacy in Emerging Wireless Networks. IEEE Wireless Communications, 17(5), 2010.

[133] Daniele Mansella, Laura Galluccio, Alessandro Leonardi, Giacomo Morabito, Antonio Panto, and Francesco Scoto. Ateneo on fly: a system for supporting mobile sharing applications in campus scenarios. In Proceedings of the Second International Workshop on Mobile Opportunistic Networking, pages 188–190. ACM, 2010.

[134] KW Matthee, Gregory Mweemba, Adrian V Pais, Gertjan Van Stam, and Marijn Rijken. Bringing connectivity to rural Zambia using a collaborative approach. In Information and Communication Technologies and Development, 2007. ICTD 2007. International Conference on, pages 1–12. IEEE, 2007.

[135] Martin May, Gunnar Karlsson, O Helgason, and Vincent Lenders. A System Architecture for Delay-Tolerant Content Distribution. In IEEE Conference on Wireless Rural and Emergency Communications (WreCom)(October 2007), 2007.

[136] Shashidhar Merugu, Mostafa Hamed Ammar, and Ellen W Zegura. Routing in Space and Time in Networks with Predictable Mobility. Technical report, Georgia Institute of Technology, 2004.

[137] Markus Miettinen, Stephan Heuser, Wiebke Kronz, Ahmad-Reza Sadeghi, and N Asokan. ConXsense -– Automated Context Classification for Context–Aware Access Control. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 293–304. ACM, 2014.

97 References

[138] Prateek Mittal, Matthew Wright, and Nikita Borisov. Pisces: Anonymous Com- munication Using Social Networks. arXiv preprint arXiv:1208.6326, 2012.

[139] Arezu Moghadam, Suman Srinivasan, and Henning Schulzrinne. 7DS - A Modular Platform to Develop Mobile Disruption-tolerant Applications. In Proc. of IEEE NGMAST, 2008.

[140] Abedelaziz Mohaisen, Huy Tran, Abhishek Chandra, and Yongdae Kim. Trust- worthy Distributed Computing on Social Networks. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 155–160. ACM, 2013.

[141] Abderrahmen Mtibaa, Martin May, Christophe Diot, and Mostafa Ammar. Peo- pleRank: Social Opportunistic Forwarding. In Infocom, 2010 Proceedings IEEE, pages 1–5. IEEE, 2010.

[142] Zubair Nabi. The Anatomy of Web Censorship in Pakistan. In FOCI, 2013.

[143] Marcin Nagy, Thanh Bui, Swapnil Udar, N Asokan, and Jörg Ott. SpotShare and nearbyPeople: applications of the Social PaL framework. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, page 31. ACM, 2015.

[144] Arvind Narayanan. SocialKeys: Transparent cryptography via key distribution over social networks. In The IAB Workshop on Internet Privacy, 2010.

[145] Gregory Norcie, Emiliano De Cristofaro, and Victoria Bellotti. Bootstrapping Trust in Online Dating: Social Verification of Online Dating Profiles. In Interna- tional Conference on Financial Cryptography and Data Security, pages 149–163. Springer, 2013.

[146] Erik Nordström, Per Gunningberg, and Christian Rohner. A Search-based Net- work Architecture for Mobile Devices. Department of Information Technology, Uppsala University, Tech. Rep, 3, 2009.

[147] Jörg Ott. 404 Not Found? — A Quest For DTN Applications. In Proceedings of the third ACM international workshop on Mobile Opportunistic Networks, pages 3–4. ACM, 2012.

[148] Jörg Ott, Esa Hyytiä, Pasi Lassila, Tobias Vaegs, and Jussi Kangasharju. Floating Content: Information Sharing in Urban Areas. In Pervasive Computing and Communications (PerCom), 2011 IEEE International Conference on, pages 136– 146. IEEE, 2011.

[149] Jörg Ott and Jussi Kangasharju. Opportunistic Content Sharing Applications. In Proceedings of the 1st ACM workshop on Emerging Name-Oriented Mobile Networking Design-Architecture, Algorithms, and Applications, pages 19–24. ACM, 2012.

[150] Jörg Ott and Dirk Kutscher. Bundling the Web: HTTP over DTN. Proceedings of WNEPT, 2006.

[151] Craig Partridge. Authentication For Fragments. In Proc. ACM SIGCOMM HotNets-IV workshop, 2005.

98 References

[152] Anna-Kaisa Pietiläinen, Earl Oliver, Jason LeBrun, George Varghese, and Christophe Diot. MobiClique: Middleware for Mobile Social Networking. In Proceedings of the 2nd ACM workshop on Online social networks, pages 49–54. ACM, 2009.

[153] Mikko Pitkänen, Teemu Kärkkäinen, and Jörg Ott. Opportunistic Web Access via WLAN Hotspots. In Pervasive Computing and Communications (PerCom), 2010 IEEE International Conference on, pages 20–30. IEEE, 2010.

[154] Mikko Pitkänen, Teemu Kärkkäinen, Jörg Ott, Marco Conti, Andrea Passarella, Silvia Giordano, Daniele Puccinelli, Franck Legendre, Sacha Trifunovic, Karin Hummel, et al. SCAMPI: Service Platform for Social Aware Mobile and Pervasive Computing. In Proceedings of the first edition of the MCC workshop on Mobile cloud computing, pages 7–12. ACM, 2012.

[155] Wolf-Bastian Pöttner, Johannes Morgenroth, Sebastian Schildt, and Lars Wolf. Performance Comparison of DTN Bundle Protocol Implementations. In Pro- ceedings of the 6th ACM workshop on Challenged networks, pages 61–64. ACM, 2011.

[156] Josep M Pujol, A Lopez Toledo, and Pablo Rodriguez. Fair Routing in Delay Tolerant Networks. In INFOCOM 2009, IEEE, pages 837–845. IEEE, 2009.

[157] Daniele Quercia and Stephen Hailes. Sybil Attacks Against Mobile Users: Friends and Foes to the Rescue. In INFOCOM, 2010 Proceedings IEEE, pages 1–5. IEEE, 2010.

[158] Maxim Raya, Panagiotis Papadimitratos, Virgil D Gligor, and J-P Hubaux. On Data-Centric Trust Establishment in Ephemeral Ad Hoc Networks. In INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, pages 1238–1246. IEEE, 2008.

[159] David R Raymond and Scott F Midkiff. Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses. IEEE Pervasive Computing, 7(1), 2008.

[160] Eric Rescorla and Tim Dierks. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008.

[161] J. H. Saltzer, D. P. Reed, and D. D. Clark. End-To-End Arguments in System Design. ACM Trans. Comput. Syst., 2(4):277–288, November 1984.

[162] Arjuna Sathiaseelan, Richard Mortier, Murray Goulden, Christian Greiffenhagen, Milena Radenkovic, Jon Crowcroft, and Derek McAuley. A feasibility study of an in-the-wild experimental public access WiFi network. In Proceedings of the Fifth ACM Symposium on Computing for Development, pages 33–42. ACM, 2014.

[163] Sebastian Schildt, Johannes Morgenroth, Wolf-Bastian Pöttner, and Lars Wolf. IBR-DTN: A lightweight, modular and highly portable Bundle Protocol imple- mentation. Electronic Communications of the EASST, 37, 2011.

[164] James Scott, Jon Crowcroft, Pan Hui, and Christophe Diot. Haggle: a Networking Architecture Designed AroundMobile Users. In WONS 2006: Third Annual Conference on Wireless On-demand Network Systems and Services, pages 78–86, 2006.

[165] Keith Scott and Scott C. Burleigh. Bundle Protocol Specification. RFC 5050, November 2007.

99 References

[166] Marius Senftleben, Mihai Bucicoiu, Erik Tews, Frederik Armknecht, Stefan Katzenbeisser, and Ahmad-Reza Sadeghi. Mop-2-mop–Mobile private microblog- ging. In International Conference on Financial Cryptography and Data Security, pages 384–396. Springer, 2014.

[167] Aaditeshwar Seth and Srinivasan Keshav. Practical Security for Disconnected Nodes. In Secure Network Protocols, 2005.(NPSec). 1st IEEE ICNP Workshop on, pages 31–36. IEEE, 2005.

[168] Glenn Shafer. A mathematical theory of evidence, volume 42. Princeton university press, 1976.

[169] Ryan Sleevi and Mark Watson. Web Cryptography API. http://www.w3.org/ TR/WebCryptoAPI/.

[170] Thrasyvoulos Spyropoulos, Konstantinos Psounis, and Cauligi S Raghavendra. Spray and Wait: An Efficient Routing Scheme for Intermittently Connected Mobile Networks. In Proceedings of the 2005 ACM SIGCOMM workshop on Delay-tolerant networking, pages 252–259. ACM, 2005.

[171] Thrasyvoulos Spyropoulos, Konstantinos Psounis, and Cauligi S Raghavendra. Spray and Focus: Efficient Mobility-Assisted Routing for Heterogeneous and Correlated Mobility. In Pervasive Computing and Communications Workshops, 2007. PerCom Workshops’ 07. Fifth Annual IEEE International Conference on, pages 79–85. IEEE, 2007.

[172] Thrasyvoulos Spyropoulos, Konstantinos Psounis, and Cauligi S Raghavendra. Efficient Routing in Intermittently Connected Mobile Networks: The Multiple- Copy Case. IEEE/ACM Transactions on Networking (ToN), 16(1):77–90, 2008.

[173] Thrasyvoulos Spyropoulos, Konstantinos Psounis, and Cauligi S Raghavendra. Efficient Routing in Intermittently Connected Mobile Networks: The Single-Copy Case. IEEE/ACM Transactions on Networking (ToN), 16(1):63–76, 2008.

[174] Jing Su, James Scott, Pan Hui, Jon Crowcroft, Eyal de Lara, Christophe Diot, Ashvin Goel, Meng How Lim, and Eben Upton. Haggle: Seamless Networking for Mobile Applications. In Proc. of UbiComp, 2007.

[175] Andrew S Tanenbaum, Sape J Mullender, and R van Renesse. Using Sparse Capabilities in a Distributed Operating System. 1986.

[176] David L Tennenhouse and David J Wetherall. Towards an Active Network Architecture. ACM SIGCOMM Computer Communication Review, 26(2):5–17, 1996.

[177] Leigh Torgerson, Scott C. Burleigh, Howard Weiss, Adrian J. Hooke, Kevin Fall, Dr. Vinton G. Cerf, Keith Scott, and Robert C. Durst. Delay-Tolerant Networking Architecture. RFC 4838, April 2007.

[178] Sacha Trifunovic, C Anastasiades, B Distl, and F Legendre. PodNetSec: Secure Opportunistic Content Dissemination. In Proc. ACM Mobisys, page 1, 2010.

[179] Sacha Trifunovic, Sylvia T Kouyoumdjieva, Bernhard Distl, Ljubica Pajevic, Gunnar Karlsson, and Bernhard Plattner. A Decade of Research in Opportunistic Networks – Challenges, Relevance, and Future Directions. IEEE Communications Magazine, 55(1):168–173, 2017.

100 References

[180] Sacha Trifunovic and Franck Legendre. Trust in Opportunistic Networks. Com- puter Engineering and Networks Laboratory, pages 1–12, 2009.

[181] Sacha Trifunovic, Franck Legendre, and Carlos Anastasiades. Social Trust in Opportunistic Networks. In INFOCOM IEEE Conference on Computer Communi- cations Workshops, 2010, pages 1–6. IEEE, 2010.

[182] Sumair Ur Rahman, Urs Hengartner, Usman Ismail, and Srinivasan Keshav. Practical Security for Rural Internet Kiosks. In Proceedings of the second ACM SIGCOMM workshop on Networked systems for developing regions, pages 13–18. ACM, 2008.

[183] Amin Vahdat, David Becker, et al. Epidemic Routing for Partially-Connected Ad Hoc Networks. 2000.

[184] Narseo Vallina-Rodriguez, Pan Hui, and Jon Crowcroft. Has anyone seen my Goose? In Computational Science and Engineering, 2009. CSE’09. International Conference on, volume 4, pages 1048–1053. IEEE, 2009.

[185] Yong Wang, Sushant Jain, Margaret Martonosi, and Kevin Fall. Erasure-Coding Based Routing for Opportunistic Networks. In Proceedings of the 2005 ACM SIGCOMM workshop on Delay-tolerant networking, pages 229–236. ACM, 2005.

[186] Wei Wei, Fengyuan Xu, Chiu C Tan, and Qun Li. SybilDefender: Defend Against Sybil Attacks in Large Social Networks. In INFOCOM, 2012 Proceedings IEEE, pages 1951–1959. IEEE, 2012.

[187] Narges Yousefnezhad, Marcin Nagy, and N Asokan. On improving tie strength estimates by aggregating multiple communication channels. In IFIP Networking Conference (IFIP Networking) and Workshops, 2016, pages 530–535. IEEE, 2016.

[188] Xiaolan Zhang, Giovanni Neglia, Jim Kurose, and Don Towsley. Performance modeling of epidemic routing. Computer Networks, 51(10):2867–2891, 2007.

[189] Yang Zhang and Jing Zhao. Social network analysis on data diffusion in delay tolerant networks. In Proceedings of the tenth ACM international symposium on Mobile ad hoc networking and computing, pages 345–346. ACM, 2009.

[190] Zhensheng Zhang. Routing in intermittently connected mobile ad hoc networks and delay tolerant networks: overview and challenges. IEEE Communications Surveys & Tutorials, 8(1):24–37, 2006.

[191] Wenrui Zhao, Yang Chen, Mostafa Ammar, Mark Corner, Brian Levine, and Ellen Zegura. Capacity Enhancement using Throwboxes in DTNs. In Mobile Adhoc and Sensor Systems (MASS), 2006 IEEE International Conference on, pages 31–40. IEEE, 2006.

101 g rwe n n a umC o nm rapeD tnemt fo nummoC i tac i sno dna krowteN i gn

aA l t o - DD

Secure and Usable Services 911 / aM r c i n N a g y

9102 in Opportunistic Networks

Marcin Nagy s k r o w te Ncitsi n u tr o p p O s n e i civ r e S el b a s U d n a e r u c e S

B I NBS 2-3168-06-259-879 ( p r i n t de ) SSENISUB + B I NBS 9-4168-06-259-879 ( dp f ) E MONOC Y S I NSS 9971 - 4394 ( p r i n t de ) S I NSS 9971 - 2494 ( dp f ) TRA + NGISED + ytisrevinU otlaA ytisrevinU HCRA I T TCE ERU n engE airteE o loohcS fo tcelE r laci reenignE gni nikotNda soitcinmo f tetrapeD tnemt fo nummoC i tac i sno dna krowteN i gn ECNEICS + www . a a l t o . f i T E ONHC L GO Y

EVOSSORC RE COD T RO A L +cdbgia*GMFTSH9 COD T RO A L SNOITATRESSID

SNOITATRESSID ytisrevinU otlaA

9102