1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

Slides:

Advertisements

Similar presentations

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Advertisements

WiFi-Reports: Improving Wireless Network Selection with Collaboration Presented By Tim McDowell.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Security Management.

Computer Science Public Key Management Lecture 5.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Introduction to Public Key Cryptography

Copyright ©1997 NetDox, Inc. All Rights Reserved. CONFIDENTIAL 1 DATE HERE Julie Grace - NetDox, Inc. Emerging Internet Commerce.

Wireless and Security CSCI 5857: Encoding and Encryption.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.

Chapter 21 Distributed System Security Copyright © 2008.

Cryptography and Network Security (CS435) Part Eight (Key Management)

CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.

Network Security7-1 CIS3360: Chapter 8: Cryptography Application of Public Cryptography Cliff Zou Spring 2012 TexPoint fonts used in EMF. Read the TexPoint.

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of.

WLANs & Security Standards (802.11) b - up to 11 Mbps, several hundred feet g - up to 54 Mbps, backward compatible, same frequency a.

Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era Authors: Ben Greenstein, Ramakrishna Gummadi, Jeffrey Pang, Mike Y. Chen,

Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

Focus On Bluetooth Security Presented by Kanij Fatema Sharme.

Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Yoshi Kohno, Jeffrey Pang, Srini Seshan, and David.

Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.

Key Management Network Systems Security Mort Anvari.

Doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing Privacy by Concealing Link Layer Identifiers.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Fall 2006CS 395: Computer Security1 Key Management.

Security By Meenal Mandalia. What is ? stands for Electronic Mail. much the same as a letter, only that it is exchanged in a different.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

Secure Instant Messenger in Android Name: Shamik Roy Chowdhury.

Cryptography CSS 329 Lecture 13:SSL.

Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.

Computer Communication & Networks

Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.

Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.

Lecture 10: Network Security.

Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.

Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.

Presentation transcript:

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of Washington Damon McCoy University of Colorado

2 What is Local Service Discovery? Find a WiFi networkFind a local printerFind my friend’s PSPFind my friend’s iTunes Proceeds automatically, often without user’s knowledge Occurs before security associations are setup

3 Service Discovery is Widely Used Example 1: Application Protocols (OSDI 2006) Example 2: 85% devices send WiFi discovery probes (SIGCOMM 2004)

4 Outline Existing mechanisms and their privacy threats Solution requirements Tryst

5 Outline Existing mechanisms and their privacy threats –Announcement –Probing Solution requirements Tryst

6 Method 1: Announcement Services broadcast their existence Interested clients discover them E.G., WiFi access points (APs) announce network names

7 Privacy Threats: Inventory “The devices I have” –Example: cell phone pirates break into cars to steal phones that announce their presence [Cambridge Evening News 2005] “The applications I am running” –Example: Apple mDNS “announces” to hackers that they are vulnerable to a buffer overflow [CERT 2007] Phone Here! iTunes here! iChat here!

8 Privacy Threats: Location “The fact that my service is present” –Example: Common practice to disable WiFi annoucements to (try to) hide access points [O’Reilly Guide] “Where my service is located” –Example: Knowledge of network name at one site can tell you where other sites are [WiGLE Wardriving Database] IR_Guest Pittsburgh Seattle Berkeley Cambridge x

9 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing Solution requirements Tryst

10 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing Solution requirements Tryst

11 Method 2: Probing Clients broadcast queries for familiar services Present services respond E.G., WiFi clients probe for network names they have associated with before

12 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] Is “Anna, Jeff, and Mark’s Net” here?

13 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] 23% of devices at SIGCOMM 2004 probed for an name that WiGLE isolates to one city All 4 known home networks located to within ~500 ft

14 Privacy Threats: History “Where I have been before” –Example: Even opaque names can be correlated with other databases, such as Google’s business directory Is “Juvenile Detention Classroom” here? Is “ ” here?

15 Privacy Threats: Identity “Fingerprints who I am” –Example: Both WiFi and application level probes accurately identify a device [Pang, J. et al. MobiCom 2007] “IR_Guest”, “djw”, “University of Washington” “IR_Guest”, “djw”, “University of Washington” == ………..

16 More Threats in the Future Emerging social devices also offer “services” –Microsoft Zune: music sharing service –PSP, Nintendo DS: multiplayer gaming service Service discovery exposes social contacts

17 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements Tryst

18 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements Tryst

19 So … Why Use Service Discovery? Plug-and-play networking –Setup networks without configuration  Automatic (no user intervention) Infrastructure independence – Always works; no special servers required  Broadcast (only need communication medium) Key Problem: Before Security Setup  No Confidentiality

20 Solution Requirements Provide security during discovery –Anonymity: unlinkable discovery attempts –Authenticity: prevent masquerading Challenges –Clients and services want confidentiality –We need mutual authentication before either can learn of the other’s existence –We can’t rely on manual user action or trusted infrastructure

21 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst

22 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4

23 How to Provide Access Control Service Discovery Message Verify Source Identity Sender ApplicationReceiver Application Proof of Identity Identity-Hiding Encryption

24 K Alice Identity-hiding encryption with Alice’s public key (e.g., ElGamal) Public Key Protocol Existing theoretical public key protocol [Abadi ’04] K -1 Bob “Bob to Alice at time T” Digital signature with Bob’s private key (e.g., RSA, DSA) Service Discovery Message “Is Alice’s Laptop here?”

25 ??? Public Key Protocol K Bob K -1 Bob “Bob to Alice at time T” Service Discovery Message K -1 Alice Decrypt with Alice’s private key Verify with Bob’s public key Existing theoretical public key protocol [Abadi ’04]

26 Efficiency Problems Problem 1: Message size scales linearly with number of intended recipients –Typically OK: 90% of WiFi clients probe for fewer than 12 unique network names [OSDI 2006] Problem 2: Messages can’t be addressed  must try to decrypt every message –Public key decryption is slow –168x slower than WiFi line-rate –Receivers susceptible to denial-of-service attacks

27 Symmetric Key Protocol Observation 1: Common case is to rediscover known services –Can negotiate a shared symmetric key the first time –Symmetric key cryptography is fast

28 K Shared Identity-hiding encryption Alice and Bob’s shared key (e.g., AES) Symmetric Key Protocol K Shared “Bob to Alice at time T” Message authentication code with Alice and Bob’s shared key (e.g., HMAC-SHA1) Service Discovery Message

29 Symmetric Key Protocol Observation 1: Common case is to rediscover known services –Can negotiate a secret symmetric key the first time –Symmetric key cryptography is fast Observation 2: Linkability at short timescales is usually OK –Compute temporary unlinkable addresses known only to a client and a service –Messages not for me are discarded at WiFi line-rate

30 K Shared Symmetric Key Protocol K Shared “Bob to Alice at time T” Service Discovery Message A T = address at time T A T-1 A0A0 ATAT Hash() K Shared A T+1 Hash() K Shared …… Random hash function (e.g., HMAC-SHA1) secret

31 Protocol Design Summary Observation 1: Common case is to rediscover known services –Can negotiate a secret symmetric key the first time –Symmetric key cryptography is fast Observation 2: Linkability at short timescales is usually OK –Compute temporary unlinkable addresses known only to a client and a service –Messages not for me are discarded at WiFi line-rate Thus: –Prioritize symmetric key protocol –Use spare cycles for public key protocol

32 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4

33 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

34 How Do I Obtain the Initial Keys? Existing key establishment is not enough –Certificates: E.G., Secure websites Neither client nor service can offer proof of identity first! –Pairing: E.G., Bluetooth peripherals Can not always physically identify service User must perform discovery before device does! Discovery is also used to find new services –Goal: Automatically expand the trust horizon –E.G., new services in trusted domains –E.G., new services trusted transitively

35 New Services in Trusted Domains Trusted ? x x Strawman Solution x “Discover Alice’s iPod”

36 ? New Services in Trusted Domains “Discover Alice’s iPod” Trusted Trusts: “alice.ds” “alice.laptop” “bob.zune” “bob.psp” “bob.laptop” Anonymous Identity Based Encryption “alice.ipod”

37 New Services Transitively Trusted “Alice’s Home” Trust Transitive Trust Alice trusts bob.laptop Alice’s secret Alice trusts “Alice’s Home” Alice’s secret Find networks that Alice trusts Attestation

38 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

39 Ongoing Work Status: –Created usable implementation of Tryst –Integrated with WiFi protocol stack on Linux Future work: –Evaluate how well key establishment mechanisms reflect real trust relationships –Design privacy policies that users can understand More information: –Tryst: The Case for Confidential Service Discovery. HotNets VI, 2007.

40 Summary Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

41 Backup Slides

42 Related Work SmokeScreen [Cox ’07] – access control for discovering friends –Similar to symmetric key protocol –Uses online social network for key exchange SSDS [Czerwinski ’00] – secure service discovery architecture –Relies on trusted infrastructure –Not meant for use in wireless environments Broadcast Encryption [e.g., Fiat ‘93] –encrypt message to many users –Making this private is an open problem JFK [Aiello ’93] – efficient Internet key exchange –No service privacy … –… or not resilient to man-in-the-middle attacks

43 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] Is the network “djw” here?