1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

Presentation transcript:

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall

2 What is Local Service Discovery?
Find an network
Find a local printer
Authentication
Setup encryption
Find my friend’s PSP
Find my friend’s iTunes
Proceeds automatically, often without user’s knowledge

3 Method 1: Announcement
Services broadcast their existence
Interested clients discover them
E.g., APs announce network names (SSIDs)

4 Privacy Threats: Inventory
“The devices I have”
  – Example: cell phone pirates break into cars to steal phones that announce their presence [Cambridge Evening News 2005]
“The applications I am running”
  – Example: Apple mDNS “announces” to hackers that they are vulnerable to a buffer overflow [CERT 2007]
Phone Here! iTunes here! iChat here!

5 Method 2: Probing
Clients broadcast queries for familiar services
Present services respond
E.g., clients probe for SSIDs they have associated with before

6 Privacy Threats: History
“Where I have been before”
  – Example: Probing for SSIDs can expose where you live [WiGLE Wardriving Database]
Is “Anna, Jeff, and Mark’s Net” here?

7 Privacy Threats: History
“Where I have been before”
  – Example: Probing for SSIDs can expose where you live [WiGLE Wardriving Database]
23% of devices at SIGCOMM 2004 probed for an SSID that WiGLE isolates to one city

8 Privacy Threats: History
“Where I have been before”
  – Example: Even opaque SSIDs can be correlated with other databases, such as Google’s business directory
Is “Juvenile Detention Classroom” here? Is “ ” here?

9 Solution Requirement
Security during discovery
  – Confidentiality: unlinkable discovery attempts
  – Authenticity: prevent masquerading
  – Departure from common practice
  – Clients and services want privacy from third parties
Tryst
  – Access control for discovery messages

10 How to Provide Access Control
Service Discovery Message Verify Source Identity Sender Application Receiver Application Proof of Identity Identity-Hiding Encryption

11 Protocol Design Details
Existing theoretical protocol [Abadi ’04]
  – Based on public key cryptography
Problem 1: Message size scales linearly with number of intended recipients
  – Typically OK: 90% of clients probe for fewer than 12 unique SSIDs [OSDI 2006]
Problem 2: Messages can’t be addressed → must try to decrypt every message
  – Decryption is 168x slower than line-rate
  – Opens up receivers to denial-of-service attacks

12 Protocol Design Details
Observation 1: Common case is to rediscover known services
  – Can negotiate a secret symmetric key the first time
  – Symmetric key cryptography is fast
Observation 2: Linkability at short timescales is usually OK
  – Compute temporary unlinkable addresses known only to a client and a service [similar to Cox ’07]
  – Messages not for me are discarded at line-rate
Thus:
  – Prioritize symmetric key protocol
  – Use spare cycles for public key protocol
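
An added sketch of Observation 2 (not code from the Tryst authors): a client and a service that already share a symmetric key derive a rotating destination address from it, and the receiver filters frames with a table lookup instead of trial decryption. The HMAC-SHA256 construction, the 5-minute epoch, the 6-byte address length and all names are assumptions for illustration; the slides do not specify them.

```python
from __future__ import annotations
import hmac
import hashlib

EPOCH_SECONDS = 300   # assumed rotation interval, not from the slides
ADDR_BYTES = 6        # assumed: same size as an 802.11 MAC address

def epoch_of(unix_time: float) -> int:
    return int(unix_time) // EPOCH_SECONDS

def temp_address(shared_key: bytes, epoch: int, label: bytes = b"probe") -> bytes:
    """Address valid for one (client, service) pair during one epoch.
    Without shared_key, addresses from different epochs cannot be linked."""
    msg = label + epoch.to_bytes(8, "big")
    return hmac.new(shared_key, msg, hashlib.sha256).digest()[:ADDR_BYTES]

class Receiver:
    """Precomputes the addresses its known peers may use right now."""
    def __init__(self, peer_keys: dict[str, bytes]):
        self.peer_keys = peer_keys
        self.table: dict[bytes, str] = {}

    def refresh(self, now: float) -> None:
        # Accept previous, current and next epoch to tolerate clock skew.
        e = epoch_of(now)
        self.table = {
            temp_address(key, e + skew): name
            for name, key in self.peer_keys.items()
            for skew in (-1, 0, 1)
        }

    def classify(self, dst_addr: bytes) -> str | None:
        # One hash lookup per frame; unknown addresses are dropped
        # without any decryption work.
        return self.table.get(dst_addr)

def demo():
    # Constructed sample keys, as if negotiated on first discovery.
    keys = {"alice.laptop": b"\x01" * 32, "bob.psp": b"\x02" * 32}
    rx = Receiver(keys)
    t0 = 1_700_000_000
    rx.refresh(t0)
    now_addr = temp_address(keys["alice.laptop"], epoch_of(t0))
    later_addr = temp_address(keys["alice.laptop"], epoch_of(t0 + 3 * EPOCH_SECONDS))
    stranger = temp_address(b"\x09" * 32, epoch_of(t0))
    return (rx.classify(now_addr), rx.classify(stranger),
            now_addr != later_addr, rx.classify(later_addr))

if __name__ == "__main__":
    print(demo())
```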

13 How Do I Obtain the Initial Keys?
Existing key establishment is not enough
  – Pairing: e.g., Bluetooth peripherals
      Cannot always physically identify service
      User must discover service before device discovers service!
Discovery is also used to find new services
  – Goal: Automatically expand the trust horizon
  – E.g., new services in trusted domains
  – E.g., new services trusted transitively

14 New Services in Trusted Domains Bob Alice Trusted ? x x Strawman Solution x “Discover Alice’s iPhone”

15 ? New Services in Trusted Domains Bob “Discover Alice’s iPhone” Alice Trusted Trusts: “alice.ds” “alice.laptop” “bob.zune” “bob.psp” “bob.laptop” Anonymous Identity Based Encryption “alice.iphone”

16 Conclusion
Local service discovery exposes sensitive info
Tryst enables confidential service discovery
Progress:
  – Implementation of Tryst access control
  – Integration with a real protocol stack
Future Work:
  – Implement automated key establishment
  – Evaluate how people use Tryst in the wild

17 Questions?

18 Service Discovery is Widely Used
Example 1: 85% devices send probes (SIGCOMM 2004)
Example 2: Application Protocols (OSDI 2006)

19 Privacy Threats: Location
“The fact that my service is present”
  – Example: Common practice to disable beacons to (try to) hide access points [O’Reilly Guide]
“Where my service is located”
  – Example: Knowledge of SSID at one site can tell you where other sites are [WiGLE Wardriving Database]
IR_Guest Pittsburgh Seattle Berkeley Cambridge x

20 Privacy Threats: Identity
“Fingerprints who I am”
  – Example: Both and application level probes accurately identify a person [Our MobiCom 2007 Paper]
“IR_Guest”, “djw”, “University of Washington” “IR_Guest”, “djw”, “University of Washington” == ………..

21 Privacy Threats: History
“Where I have been before”
  – Example: Probing for SSIDs can expose where you live [SSID Lookup in WiGLE]
Is the network “djw” here?

22 More Threats in the Future
Emerging social devices also offer “services”
  – Microsoft Zune: music sharing service
  – PSP, Nintendo DS: multiplayer gaming service
Service discovery exposes social contacts

23 Reasons for Privacy Threats
Plug-and-Play → Automatic
Infrastructure Independent → Broadcast
Before Security Setup → No Authentication, Encryption
We tackle this problem

24 New Services Transitively Trusted Alice Bob “Alice’s Home” Trust Transitive Trust Alice trusts bob.laptop Alice’s secret Alice trusts “Alice’s Home” Alice’s secret Find networks that Alice trusts Attestation