Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University."— Presentation transcript:

1 1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of Washington Damon McCoy University of Colorado

2 2 What is Local Service Discovery? Find a WiFi networkFind a local printerFind my friend’s PSPFind my friend’s iTunes Proceeds automatically, often without user’s knowledge Occurs before security associations are setup

3 3 Service Discovery is Widely Used Example 1: Application Protocols (OSDI 2006) Example 2: 85% devices send WiFi discovery probes (SIGCOMM 2004)

4 4 Outline Existing mechanisms and their privacy threats Solution requirements Tryst

5 5 Outline Existing mechanisms and their privacy threats –Announcement –Probing Solution requirements Tryst

6 6 Method 1: Announcement Services broadcast their existence Interested clients discover them E.G., WiFi access points (APs) announce network names

7 7 Privacy Threats: Inventory “The devices I have” –Example: cell phone pirates break into cars to steal phones that announce their presence [Cambridge Evening News 2005] “The applications I am running” –Example: Apple mDNS “announces” to hackers that they are vulnerable to a buffer overflow [CERT 2007] Phone Here! iTunes here! iChat here!

8 8 Privacy Threats: Location “The fact that my service is present” –Example: Common practice to disable WiFi annoucements to (try to) hide access points [O’Reilly 802.11 Guide] “Where my service is located” –Example: Knowledge of network name at one site can tell you where other sites are [WiGLE Wardriving Database] IR_Guest Pittsburgh Seattle Berkeley Cambridge x

9 9 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing Solution requirements Tryst

10 10 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing Solution requirements Tryst

11 11 Method 2: Probing Clients broadcast queries for familiar services Present services respond E.G., WiFi clients probe for network names they have associated with before

12 12 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] Is “Anna, Jeff, and Mark’s Net” here?

13 13 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] 23% of devices at SIGCOMM 2004 probed for an name that WiGLE isolates to one city All 4 known home networks located to within ~500 ft

14 14 Privacy Threats: History “Where I have been before” –Example: Even opaque names can be correlated with other databases, such as Google’s business directory Is “Juvenile Detention Classroom” here? Is “010294859” here? 010294859

15 15 Privacy Threats: Identity “Fingerprints who I am” –Example: Both WiFi and application level probes accurately identify a device [Pang, J. et al. MobiCom 2007] “IR_Guest”, “djw”, “University of Washington” “IR_Guest”, “djw”, “University of Washington” == ………..

16 16 More Threats in the Future Emerging social devices also offer “services” –Microsoft Zune: music sharing service –PSP, Nintendo DS: multiplayer gaming service Service discovery exposes social contacts

17 17 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements Tryst

18 18 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements Tryst

19 19 So … Why Use Service Discovery? Plug-and-play networking –Setup networks without configuration  Automatic (no user intervention) Infrastructure independence – Always works; no special servers required  Broadcast (only need communication medium) Key Problem: Before Security Setup  No Confidentiality

20 20 Solution Requirements Provide security during discovery –Anonymity: unlinkable discovery attempts –Authenticity: prevent masquerading Challenges –Clients and services want confidentiality –We need mutual authentication before either can learn of the other’s existence –We can’t rely on manual user action or trusted infrastructure

21 21 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst

22 22 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4

23 23 How to Provide Access Control Service Discovery Message Verify Source Identity Sender ApplicationReceiver Application Proof of Identity Identity-Hiding Encryption

24 24 K Alice Identity-hiding encryption with Alice’s public key (e.g., ElGamal) Public Key Protocol Existing theoretical public key protocol [Abadi ’04] K -1 Bob “Bob to Alice at time T” Digital signature with Bob’s private key (e.g., RSA, DSA) Service Discovery Message “Is Alice’s Laptop here?”

25 25 ??? Public Key Protocol K Bob K -1 Bob “Bob to Alice at time T” Service Discovery Message K -1 Alice Decrypt with Alice’s private key Verify with Bob’s public key Existing theoretical public key protocol [Abadi ’04]

26 26 Efficiency Problems Problem 1: Message size scales linearly with number of intended recipients –Typically OK: 90% of WiFi clients probe for fewer than 12 unique network names [OSDI 2006] Problem 2: Messages can’t be addressed  must try to decrypt every message –Public key decryption is slow –168x slower than WiFi line-rate –Receivers susceptible to denial-of-service attacks

27 27 Symmetric Key Protocol Observation 1: Common case is to rediscover known services –Can negotiate a shared symmetric key the first time –Symmetric key cryptography is fast

28 28 K Shared Identity-hiding encryption Alice and Bob’s shared key (e.g., AES) Symmetric Key Protocol K Shared “Bob to Alice at time T” Message authentication code with Alice and Bob’s shared key (e.g., HMAC-SHA1) Service Discovery Message

29 29 Symmetric Key Protocol Observation 1: Common case is to rediscover known services –Can negotiate a secret symmetric key the first time –Symmetric key cryptography is fast Observation 2: Linkability at short timescales is usually OK –Compute temporary unlinkable addresses known only to a client and a service –Messages not for me are discarded at WiFi line-rate

30 30 K Shared Symmetric Key Protocol K Shared “Bob to Alice at time T” Service Discovery Message A T = address at time T A T-1 A0A0 ATAT Hash() K Shared A T+1 Hash() K Shared …… Random hash function (e.g., HMAC-SHA1) secret

31 31 Protocol Design Summary Observation 1: Common case is to rediscover known services –Can negotiate a secret symmetric key the first time –Symmetric key cryptography is fast Observation 2: Linkability at short timescales is usually OK –Compute temporary unlinkable addresses known only to a client and a service –Messages not for me are discarded at WiFi line-rate Thus: –Prioritize symmetric key protocol –Use spare cycles for public key protocol

32 32 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4

33 33 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

34 34 How Do I Obtain the Initial Keys? Existing key establishment is not enough –Certificates: E.G., Secure websites Neither client nor service can offer proof of identity first! –Pairing: E.G., Bluetooth peripherals Can not always physically identify service User must perform discovery before device does! Discovery is also used to find new services –Goal: Automatically expand the trust horizon –E.G., new services in trusted domains –E.G., new services trusted transitively

35 35 New Services in Trusted Domains Trusted ? x x Strawman Solution x “Discover Alice’s iPod”

36 36 ? New Services in Trusted Domains “Discover Alice’s iPod” Trusted Trusts: alice@att.com “alice.ds” “alice.laptop” “bob.zune” “bob.psp” “bob.laptop” Anonymous Identity Based Encryption “alice.ipod”

37 37 New Services Transitively Trusted “Alice’s Home” Trust Transitive Trust Alice trusts bob.laptop Alice’s secret Alice trusts “Alice’s Home” Alice’s secret Find networks that Alice trusts Attestation

38 38 Outline Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

39 39 Ongoing Work Status: –Created usable implementation of Tryst –Integrated with WiFi protocol stack on Linux Future work: –Evaluate how well key establishment mechanisms reflect real trust relationships –Design privacy policies that users can understand More information: –Tryst: The Case for Confidential Service Discovery. HotNets VI, 2007.

40 40 Summary Existing mechanisms pose privacy threats –Announcement reveals inventory and location –Probing reveals history and identity Solution requirements 1.Plug-and-play networking 2.Infrastructure independence 3.Anonymity 4.Authenticity Tryst –Access control for discovery messages provides 3 and 4 –Automated key establishment maintains 1 and 2

41 41 Backup Slides

42 42 Related Work SmokeScreen [Cox ’07] – access control for discovering friends –Similar to symmetric key protocol –Uses online social network for key exchange SSDS [Czerwinski ’00] – secure service discovery architecture –Relies on trusted infrastructure –Not meant for use in wireless environments Broadcast Encryption [e.g., Fiat ‘93] –encrypt message to many users –Making this private is an open problem JFK [Aiello ’93] – efficient Internet key exchange –No service privacy … –… or not resilient to man-in-the-middle attacks

43 43 Privacy Threats: History “Where I have been before” –Example: Probing for network names can expose where you live [WiGLE Wardriving Database] Is the network “djw” here?

Download ppt "1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University."

Similar presentations

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.
WiFi-Reports: Improving Wireless Network Selection with Collaboration Presented By Tim McDowell.

WiFi-Reports: Improving Wireless Network Selection with Collaboration Presented By Tim McDowell.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
802.11 User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.

User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Similar presentations

Ads by Google