Doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers.

Slides:

Advertisements

Similar presentations

Secure Mobile IP Communication

Advertisements

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL

CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

TinySec: Link Layer Security Chris Karlof, Naveen Sastry, David Wagner University of California, Berkeley Presenter: Todd Fielder.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein et.al. MobiSys’08 Presented by Seo Bon Keun.

SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.

15-744: Computer Networking L-23 Privacy. 2 Overview Routing privacy Web Privacy Wireless Privacy.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Improving the Privacy of Wireless Protocols Jeffrey Pang Carnegie Mellon University.

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Comparative studies on authentication and key exchange methods for wireless LAN Authors: Jun Lei, Xiaoming Fu, Dieter Hogrefe and Jianrong Tan Src:

ECE 424 Embedded Systems Design Networking Connectivity Chapter 12 Ning Weng.

8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

Guomin Yang et al. IEEE Transactions on Wireless Communication Vol. 6 No. 9 September

A History of WEP The Ups and Downs of Wireless Security.

Version Slide 1 Format of lecture Introduction to Wireless Wireless standards Applications Hardware devices Performance issues Security issues.

Wireless Network Security Dr. John P. Abraham Professor UTPA.

COEN 351 E-Commerce Security Essentials of Cryptography.

1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.

Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.

CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.

23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.

WEP Protocol Weaknesses and Vulnerabilities

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Security in Mobile Ad Hoc Networks: Challenges and Solutions (IEEE Wireless Communications 2004) Hao Yang, et al. October 10 th, 2006 Jinkyu Lee.

Wireless. Wireless hosts: end system devices; may or may not be mobile Wireless links: A host connects to a base station or host through a communication.

Focus On Bluetooth Security Presented by Kanij Fatema Sharme.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.

Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.

Overview of the security weaknesses in Bluetooth Dave Singelée COSIC seminar 11/06/2003.

Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Yoshi Kohno, Jeffrey Pang, Srini Seshan, and David.

Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.

Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.

Doc.: IEEE /376 Submission November 2000 S. Watanabe et al, Seiko Epson Corp. Slide 1 Proposal to use KPS to Enhance Security of MAC Layer Shinichiro.

Introduction to Network Systems Security Mort Anvari.

KAIS T Comparative studies on authentication and key exchange methods for wireless LAN Jun Lei, Xiaoming Fu, Dieter Hogrefe, Jianrong Tan Computers.

Doc.: IEEE /0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide Security Procedures Notice: This document has been.

Week #8 OBJECTIVES Chapter #5. CHAPTER 5 Making Networks Work Two Networking Models –OSI OPEN SYSTEMS INTERCONNECTION PROPOSED BY ISO –INTERNATIONAL STANDARDS.

多媒體網路安全實驗室 A Secure Privacy-Preserving Roaming Protocol Based on Hierarchical Identity-Based Encryption for mobile Networks 作者 :Zhiguo Wan,Kui Ren,Bart.

Submission doc.: IEEE /313r1 March 2016 Guido R. Hiertz, Ericsson et al.Slide 1 The benefits of Opportunistic Wireless Encryption Date:

Chapter eight: Authentication Protocols 2013 Term 2.

- Richard Bhuleskar “At the end of the day, the goals are simple: safety and security” – Jodi Rell.

Uplink Broadcast Service

WNG SC Closing Report Date: Authors: September 2008

Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.

Chapter 8 roadmap 8.1 What is network security?

Presentation transcript:

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing Privacy by Concealing Link Layer Identifiers Date: Authors:

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 2 Our Wireless World

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 3 Tracking Example MAC: 01:34:4F:88:7A:FE MAC: 54:CC:F2:B8:77:10 MAC: 24:AB:87:11:62:99

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 4 Tracking Example 01:2F:3D:44:59:22 0A:BB:C1:99:07:01 04:50:7D:FE:F1:89 Etc. 04:50:7D:FE:F1:89 12:20:00:01:7F:e2 Etc. 4:30 PM 8:30 AM SSID=Linksys SSID=MaryJaneHome SSID=DrChoice SSID=tMobile SSID=WashingtonCSE Abortion Doctor’s Home?

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 5 Tracking Example 01:2F:3D:44:59:22 0A:BB:C1:99:07:01 04:50:7D:FE:F1:89 Etc. 04:50:7D:FE:F1:89 12:20:00:01:7F:e2 Etc. 4:30 PM 8:30 AM Is a deal brewing?

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 6 Inventorying Example Diabetes Advertisement! HIV Advertisement!

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 7 Location tracking, user profiling, inventorying, relationship profiling are a growing concern Home headerIs “djw” here? “djw” is here

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 8 Talk Argument is increasingly insufficient −Level of privacy different from what people would expect −Privacy and anonymity safeguards lagging behind cellular (e.g., GSM) −Slowing adoption in healthcare, finance, and military markets Important to standardize privacy enhancements −Can’t do within the context of the existing standard −Requires changes at multiple endpoints −Enhancements most effective when widely deployed −Will increase attractiveness of , strengthen marketplace

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 9 Technical Feasibility SlyFi demonstrates possibility of enhancing for privacy −Complete link layer solution with better privacy guarantees than 11i, 11w −We prototyped it −As efficient as today’s protocols −Same usage model as ; coexists with −Academia and industry enthusiastic, e.g., 2008 ACM Mobisys Best Paper paper: source: paper: source:

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 10 Privacy Problem with Best Practices Is Bob’s Network here? Proof that I’m Bob Bob’s Network is here MAC addr, seqno, … Many exposed bits are (or can be used as) identifiers that are linked over time Confidentiality Authenticity Integrity 10

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide Goal: Make All Bits Appear Random To Eavesdroppers Bootstrap SSID: Bob’s Network Key: 0x … Username: Alice Key: 0x348190… ? ?

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 12 Challenge: Making the protocol work when all bits are hidden Which packets are mine? 12 Filtering without Identifiers Without changing the usage model Without breaking services Without changing authentication machinery While staying just as efficient

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 13 Design Requirement: Add privacy to security without breaking anything else When A generates Message to B, she sends: PrivateMsg = F(A, B, Message) Where F has these properties: Confidentiality: Only A and B can determine Message. Authenticity: B can verify A created PrivateMsg. Integrity: B can verify Message not modified Unlinkability: Only A and B can link PrivateMsgs to same sender or receiver Efficiency:B can process PrivateMsgs as fast as he can receive them Compatibility with existing usage model Compatibility with existing authentication and other services

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 14 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Only Data Payload Long Term 14 Only Data Payload Only Data Payload

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 15 Naïve approach (symmetric encryption of all bits) is slow Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Try to decrypt with each shared key K Shared1 K Shared2 K Shared3 … 15 Different symmetric key per potential sender Can’t identify the decryption key in the packet or else it is linkable

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 16 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Long Term 16 Only Data Payload Only Data Payload Only Data Payload

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 17 Symmetric key almost works, but tension between: Unlinkability: can’t expose the identity of the key Efficiency: need to identify the key to avoid trying all keys Idea: Identify the key in an unlinkable way Approach: Sender A and receiver B agree on tokens: T 1, T 2, T 3, … A attaches T i to encrypted packet for B SlyFi: An open source reference implementation 17 AB

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 18 SlyFi Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Lookup T i in a table to get K AB AB 18 Need a shared variable, i, that changes often TiTi AB Main challenge: Sender and receiver must synchronize i without communication Main challenge: Sender and receiver must synchronize i without communication

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 19 Data Transport Synchronize i on transmission number Only sent over established connections Expect messages to be delivered Synchronize i on loose idea of time Infrequent: sent when trying to associate Narrow interface: single application, few side-channels Linkability at short timescales is OK Discovery and Binding On receipt of T i, receiver computes T i+1 Handling message loss or clock skew: – On receipt of T i save T i+1, …, T i+k in table – Tolerates k consecutive losses or skew of 5 * k minutes – No loss  compute one token per reception AB

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 20 Discovery/Binding Time SlyFi link setup has less overhead than WPA 20 Lower = Better

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 21 Data Throughput SlyFi data filtering is about as efficient as With simulated AES hardware Performs like symmetric key Higher = Better

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 22 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Long Term Long Term 22 Only Data Payload Only Data Payload Only Data Payload

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 23 Other Protocol Details to Work Through Broadcast Higher-layer binding Time synchronization Roaming Coexistence with Link-layer ACKs Preventing replay attacks Location services etc. See paper for some proposals 23

doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 24 Conclusion Wireless devices are becoming personal and pervasive Best practices don’t protect users from simple attacks Long-term linking: tracking, profiling, inventorying Short-term linking: side-channel attacks We need a protocol enhancement to defend against these attacks That removes all identifying bits 24 paper: source: paper: source: