Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.

Published byWesley Shiers Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi."— Presentation transcript:

1 Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi

2 Secure Wireless Pairing is Important Traditional solutions require user to enter or validate passwords

3 Entering or Validating Passwords is Difficult Ordinary users struggle with picking long random passwords Devices with no interfaces for entering passwords Problem Statement: Secure pairing without having the user enter or validate passwords

4 Tentative Solution:

5 Tentative Solution: Use Diffie-Hellman Key Exchange Anyone can receive/transmit Alice Bob Adversary  Man-in-the-middle attacks Full fledged man-in-the-middle attack on CDMA and 4G networks at DEFCON 19

6 Industry Approach Academic Approach Use trusted out-of-band channels e.g., camera-displays, audio, tactile or infrared channels May be infeasible due to cost or size Users simply press buttons to initiate pairing e.g., WiFi Push Button configuration, Bluetooth simple pairing Susceptible to MITM attacks Status of Secure Pairing Without Passwords Can we get the best of both worlds?

7 Tamper Evident Pairing (TEP) First in-band secure pairing protocol Protects from MITM attacks Doesn’t require out-of-band channels or passwords Formally proven to be secure Works on existing 802.11 cards and OS Implemented and evaluated on operational networks

8 Prior out-of-band systems: Assume attacker can arbitrarily tamper with wireless messages  Can’t trust messages on shared wireless channel Our approach: Understand wireless tampering and detect it  Trust un-tampered messages  Collect all messages within a time window; Pair if only one message and no tampering How do We Protect Against MITM Attacks Without Out-of-Band Channels?

9 1. Adversary alters message How Can Adversary Tamper with Wireless Messages? 2. Adversary hides that message was sent 3. Adversary prevents message from being sent Alice Bob Adversary

10 1. Adversary alters message How Can Adversary Tamper with Wireless Messages? Alice Bob Time Adversary 2. Adversary hides that message was sent 3. Adversary prevents message from being sent

11 1. Adversary alters message How Can Adversary Tamper with Wireless Messages? Alice Bob Adversary Collision! Collisions are typical in wireless networks 2. Adversary hides that message was sent 3. Adversary prevents message from being sent

12 1. Adversary alters message How Can Adversary Tamper with Wireless Messages? Alice Bob Adversary 2. Adversary hides that message was sent 3. Adversary prevents message from being sent Occupy the medium all the time Tamper Evident Message: 1.Can’t be altered without detection at receivers 2.Can’t be hidden from the receiver 3.Can’t be prevented from being sent Tamper Evident Message: 1.Can’t be altered without detection at receivers 2.Can’t be hidden from the receiver 3.Can’t be prevented from being sent

13 1. How to Protect From Altering of Messages? Time Alice’s Message Follow message by message-specific silence pattern Silence pattern = Hash of message payload Send a random packet for 1 and remain silent for 0 101000001111 Wireless property: Can’t generate silence from energy

14 Time Alice’s Message Alice’s ‘1’ bits 1. How to Protect From Altering of Messages? Wireless property: Can’t generate silence from energy Follow message by message-specific silence pattern Silence pattern = Hash of message payload Send a random packet for 1 and remain silent for 0 Changing message requires changing silence pattern

15 Time Alice’s Message 1. How to Protect From Altering of Messages? Wireless property: Can’t generate silence from energy Follow message by message-specific silence pattern Silence pattern = Hash of message payload Send a random packet for 1 and remain silent for 0 Changing message requires changing silence pattern

16 2. How to Protect From Hiding the Message? Time Alice’s Message Bob misses the message

17 Time Synchronization pkt Alice’s Message Send an unusually long packet with random content 2. How to Protect From Hiding the Message?

18 3. How Do We Ensure Message Gets Sent? Time Synchronization pkt Alice’s Message Force transmit after timeout even if medium is occupied Message can’t be altered, hidden or prevented, without being detected at receivers Message can’t be altered, hidden or prevented, without being detected at receivers

19 Issue: Unintentional Tampering Create a number of false positives Silence period Legitimate transmission 802.11 devices transmit when channel is unoccupied Time Synchronization pkt Alice’s Message

20 Issue: Unintentional Tampering Silence period Legitimate transmission 802.11 devices transmit when channel is unoccupied Time Synchronization pkt Alice’s Message Leverage CTS to reserve the wireless medium

21 CTS Reserved duration Issue: Unintentional Tampering Time Synchronization pkt 802.11 devices transmit when channel is unoccupied Alice’s Message

22 In-Band Secure Pairing Protocol Industry: User pushes buttons within 120 seconds Timeout after a period greater than 120 seconds Pair if only one message is received and no tampering Push Button reply Timeout Alice Bob request Push Button Adversary Timeout

23 In-Band Secure Pairing Protocol Industry: User pushes buttons within 120 seconds Timeout after a period greater than 120 seconds Pair if only one message is received and no tampering Push Button reply Alice Bob request Push Button reply Adversary Two replies  No pairing Timeout

24 In-Band Secure Pairing Protocol Industry: User pushes buttons within 120 seconds Timeout after a period greater than 120 seconds Pair if only one message is received and no tampering Push Button reply Alice Bob request Push Button reply Adversary Tamper Tampering detected  No pairing Timeout

25 TEP is proven secure Theorem: If the pairing devices are within radio range and the user presses the buttons, an adversary cannot convince either device to pair with it (except with negligible probability) Assumptions: Don’t confuse hash packets (‘1’) for silence (‘0’) Detect synchronization packet

26 Implementation Implemented in the 802.11 driver Used Atheros 802.11 cards and Linux

27 Minimize duration of hash bits  Use high-definition timers in kernel  40 us hash bits  128 bits hash function  Less than 5 milli seconds Set sync packet longer than any packet  Pick sync duration as 17 ms Implementation Challenges Minimum 802.11 bit rate Maximum sized IP packet = 12 ms

28 Evaluation False negatives  Proved probability of false negatives is negligible Assumptions  Don’t confuse hash packets (‘1’) for silence (‘0’)  Detect synchronization packet False positive  Empirical estimation of its probability

29 Testbed 12-locations over 21,080 square feet Every run randomly pick two nodes to perform pairing

30 Normalized Received Power Can We Distinguish Between One and Zero Bits?

31 Normalized Received Power Can We Distinguish Between One and Zero Bits? Zero bits

32 Normalized Received Power Receiver doesn’t confuse one hash bits for silence One bits Zero bits Can We Distinguish Between One and Zero Bits?

33 False Positives Mistaking cross-traffic energy as sync packet Mistaking corrupted hash bits for an attack

34 Can TEP Mistake Cross-Traffic for Sync Packet? 4 3 2 1 5 Look at SIGCOMM 2010 and MIT network Continuous Energy Duration (in milliseconds)

35 4 3 2 1 5 SIGCOMM 2010 Look at SIGCOMM 2010 and MIT network Can TEP Mistake Cross-Traffic for Sync Packet? Continuous Energy Duration (in milliseconds)

36 4 3 2 1 5 SIGCOMM 2010 MIT Look at SIGCOMM 2010 and MIT network Can TEP Mistake Cross-Traffic for Sync Packet? Much smaller than 17 ms of the sync packet Studied networks show zero probability of mistaking cross- traffic for sync packet

37 Number of attempts Can TEP Mistake Corrupted Hash Bits for Attack? Due to CTS WiFi cross-traffic doesn’t transmit during hash bits Non-WiFi devices like Bluetooth may still transmit Exp: Use Bluetooth to transfer file between Android phones

38 Number of attempts Bluetooth is not synchronized with our pairing protocol TEP works even in the presence of interference from non-WiFi devices such as Bluetooth Due to CTS WiFi cross-traffic doesn’t transmit during hash bits Non-WiFi devices like Bluetooth may still transmit Exp: Use Bluetooth to transfer file between Android phones Can TEP Mistake Corrupted Hash Bits for Attack?

39 Pairing with out-of-band channels (cameras, audio, tactile, infrared,…) Work on Integrity Codes Ensuring message integrity but still requires dedicated out-of- band wireless channels Related Work TEP is in-band Tamper evident messages – Stronger than message integrity Purely in-band pairing protocol

40 Conclusions First in-band secure pairing protocol Protects from MITM attacks Doesn’t require out-of-band channels or passwords Formally proven to be secure Works on existing 802.11 cards and OS Implemented and evaluated on operational networks

Download ppt "Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi."

Similar presentations

Problems in Ad Hoc Channel Access

Problems in Ad Hoc Channel Access
Nick Feamster CS 4251 Computer Networking II Spring 2008

Nick Feamster CS 4251 Computer Networking II Spring 2008
IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE 802.11 Networks Using a Single Wireless Card.

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card.
Network security Dr.Andrew Yang.  A wireless sensor network is network a consisting of spatially distributed autonomous devices using sensors to cooperatively.

Network security Dr.Andrew Yang.  A wireless sensor network is network a consisting of spatially distributed autonomous devices using sensors to cooperatively.
Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.
Analog Network Coding Sachin Katti Shyamnath Gollakota and Dina Katabi.

Analog Network Coding Sachin Katti Shyamnath Gollakota and Dina Katabi.
Medium Access Issues David Holmer

Medium Access Issues David Holmer
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Physical Layer Security Made Fast and Channel-Independent Shyamnath Gollakota Dina Katabi.

Physical Layer Security Made Fast and Channel-Independent Shyamnath Gollakota Dina Katabi.
MIMO As a First-Class Citizen in 802.11 Kate C.-J. Lin Academia Sinica Shyamnath Gollakota and Dina Katabi MIT.

MIMO As a First-Class Citizen in Kate C.-J. Lin Academia Sinica Shyamnath Gollakota and Dina Katabi MIT.
© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

12.1 Chapter 12 Multiple Access Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.

Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Similar presentations

Ads by Google