1. Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability is O.K. Data messages: only sent on established connections  expect receiver to get most messages Performs as well as WPA and has stronger security Problem : Third parties can use unencrypted bits such as addresses to track and profile users. How can devices efficiently process packets without addresses? Idea : Sender and receiver agree on sequence of tokens beforehand; attach one token to each packet SlyFi: obscures all transmitted bits Mechanisms to Mitigate Wireless Privacy Threats Jeffrey Pang http://www.cs.cmu.edu/~jeffpang tcpdump packet size histogram 802.11 header Is Bob’s Network here? 802.11 header Bob’s Network is here Discover 802.11 headerProof that I’m Alice 802.11 header Proof that I’m Bob Authenticate and Bind 802.11 header Send Data MAC address, … Is Bob’s PSP here? Proof that I’m Bob Bob’s PSP is here SSID: Bob’s Network Password: [_]pants Username: Alice Public Key: 0x123… transmission sizes 300 250 200 100 500 120 Input transmissions 300 250 200 100 120 Output transmissions 400  Input transmissions Discover Authenticate and Bind Send data Probe “Alice” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K’ AB K AB K’ AB TiTi K AB Lookup T i in a table to get K AB AB T i = AES K (i) AB T i = AES K (i) AB T i = AES K (i) where i = transmission # AB T i = AES K (i) where i =  current time/5 min  AB Best security practices still expose identifiers, credentials, and packet sizes/timings to third parties, enabling attacks: Location tracking : identifiers can be linked over time User profiling : info can be cross-indexed with databases Side-channel analysis : sizes/timing reveals packet contents Greenstein, HotOS ’07; Pang, MobiCom ’07; Pang, HotNets ’07; Jiang, MobiSys ’07; Sapanos, Usenix Security ’07; www.bluetoothtracking.org;... Problem: existing protocols leak information Three essential protocol changes to prevent attacks: 1.Obscure all transmitted bits during all protocol phases 2.Obscure packet sizes/timing that act as side-channels 3.Obscure and automate bootstrapping of keys to prevent communication with untrusted third parties 1. MobiSys ’08; 2. CMU Thesis Proposal ’08; 3. HotNets ’07 Goal: obsure everything from third parties Unlinkability Integrity Authenticity Efficiency Confidentiality 802.11 WPA MAC Pseudonyms Encrypt Everything SlyFi : Discovery SlyFi : Data Data Only Data Only Data Only Long Term Long Term Problem : Packet sizes and timings reveal sensitive contents in encrypted packet streams (identity, videos…) Idea : Framework for masking side-channel leaks using signature-like rules for packet padding and cover traffic Sudare: obscures side-channel leaks Masking rules, performance constraints Side-channel attack example Problem : Clients often need to communicate with new devices. How does a client know who to trust? Idea : Leverage transitive trust relationships and device reputation to automatically bootstrap keys Tryst: obscures & automates bootstrapping 512 bytes 128 bytes ? bytes “Alice’s Home” Trust Transitive Trust Alice trusts bob.laptop Alice’s secret Alice trusts “Alice’s Home” Alice’s secret Find networks that Alice trusts Attestation Bootstrapping using transitive trust Bootstrap Automatic and private AB tcpdump ? Tokens T i and T j are unlinkable if i ≠ j AB SlyFi protocol