1. © 2013 Marcin Nagy & N. Asokan & Jörg Ott 1 PeerShare: A System for Secure Distribution of Sensitive Data among Social Contacts Marcin Nagy, N. Asokan, Jörg Ott

2. Motivation Key management is difficult Online social networks popular (provide SSO) Observation: Social networks can be used for authentic public keys distribution (SocialKeys project) Concept: Securely distribute application-specific data to a specific set of social contacts 2

3. Example applications Exchanging public keys Sharing access point keys Detecting nearby friends ( ) Finding common friends ( ) Authenticity-only vs. authenticity+confidentiality User-specific vs. device-specific data 3

4. Requirements Threat model –Channel compromise –Unauthorized usage Impersonation Accessing restricted data 4

5. System design Device PeerShare Service PeerShare communication module Applications Social Network (SN) SN authentication protocol PeerShare master bindings database SN access protocol (eg. Facebook Graph API) PeerShare Server PeerShare protocol (server) 1.SN authentication protocol (e.g. OAuth) 2.PeerShare protocol Social Network App Bindings database PeerShare API 5

6. Security considerations Channel compromise –TLS Impersonation –User: SN user authentication (e.g. OAuth + SSO) –Server: TLS + certificate “pinning” –Application: e.g. Facebook user access token validation User access control –User specifies authorized recipients –Enforced by server and service-on-device Application access control –Only an application that has created data can access it 6

7. Minimizing trust on the PeerShare server Trusted-hardware (HSM) –On-board Credentials Application-specific server 7

8. Sample applications 8 Tethering AppnearbyPeople Technical Report ACSAC 2013 paper Technical Report ACNS 2013 paper

9. © 2013 Marcin Nagy & N. Asokan & Jörg Ott 9 Questions? Thank you!