Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of.

Published byRuth Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of."— Presentation transcript:

1 1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of Washington, Intel Research Damon McCoy University of Colorado

2 2 Local service discovery (SD) Used to find: 802.11 networks consumer electronics local services other applications

3 3 How SD is done today Services send announcements and/or clients send probes (typically via unencrypted broadcast) Important properties: Plug-and-play networking –Can proceed automatically without user input Disconnected operation –Requires only communication medium between client and service iTunes “Bob” is hereIs iTunes “Bob” here? “Bob” is hereConnect to “Bob”

4 4 Problem 1: SD reveals inventory The devices I have Problem: “Phone pirates in seek and steal mission” [Cambridge Evening News 2005] The applications I am running Problem: “Apple Mac OS X mDNSResponder buffer overflow vulnerability” [CERT 2007] Phone here iTunes here exploit

5 5 Problem 2: SD reveals identity Announcements expose explicit identifiers Problem: Some services are private and want to be hidden Problem: Mobile “services” vulnerable to tracking iTunes “Intel Bob” is here Why is Bob over there? iTunes “Intel Bob” is here

6 6 Problem 3: SD reveals history Probes can reveal services you have used Problem: Network names can be correlated with location (e.g., using a wardriving database) http://www.wigle.net Is 802.11 network “djw” here?

7 7 Prove I am “Alice” (e.g., credential) Prove I am “Alice’s Network” Association succeeded Problem 4: SD is not authenticated Authentication occurs only after SD –Problem: Anyone can elicit a response, even if they are not trusted to access the service Is “Alice’s Network” here? “Alice’s Network” is here Associate Association denied

8 8 Solution requirements Desired properties: Confidentiality –Hide contents that reveals type –Hide sender –Hide intended recipients Authenticity –Offer proof of identity Challenges: –Exposing information only to trusted clients/services –Clients and services may want to hide from third parties –Plug-and-play networking, disconnected operation identityinventoryhistory Is iTunes “Bob” here? “Bob” is hereConnect to “Bob” iTunes “Bob” is here

9 9 A public key protocol Probe “Alice” ClientService Key-private encryption (e.g., ElGamal but not RSA) K Alice Check signature: Try to decrypt K -1 Alice K Bob Based on [Abadi ’04] K -1 Bob Sign: timestamp

10 10 Problems Must obtain public keys for new services/clients –May be disconnected during discovery –Don’t want to involve extra user action Must try to decrypt every message –Public key decryption is slow (>100ms on typical AP)  adds jitter to relaying of other messages –168x slower than 802.11 line-rate even on laptops  susceptible to low-rate denial-of-service attacks

11 11 Observations Must obtain public keys for new services/clients –Will have some relationship with those we trust –Can trust new services/clients in trusted domains Must try to decrypt every message

12 12 ? Tryst: key establishment Trusted Trusts: alice@mac.com “alice@mac.com/ds” “alice@mac.com/laptop” “bob@gmail.com/zune” “bob@gmail.com/psp” “bob@gmail.com/laptop” Anonymous Identity Based Encryption Encrypt(public key=“alice@mac.com/ipod”, message) Key provider preloads devices = private key

13 13 Observations Must obtain public keys for new services/clients –Will have some relationship with those we trust –Can trust new services/clients in trusted domains Must try to decrypt every message –Common case is to rediscover known services –Can negotiate a secret symmetric key the first time

14 14 Tryst: a symmetric key protocol Probe “Alice” ClientService Symmetric encryption (e.g., AES) Check MAC: MAC:K Shared timestamp Try to decrypt with each shared key K Shared1 K Shared2 K Shared3 …

15 15 Observations Must obtain public keys for new services/clients –Will have some relationship with those we trust –Can trust new services/clients in trusted domains Must try to decrypt every message –Common case is to rediscover known services –Can negotiate a secret symmetric key the first time –Linkability at short timescales is usually OK –Can use temporary unlinkable addresses

16 16 Tryst: a symmetric key protocol Probe “Alice” ClientService Symmetric encryption (e.g., AES) Check MAC: MAC: A T-1 A0A0 ATAT Hash() K Shared A T+1 Hash() K Shared …… secret K Shared ATAT ATAT Lookup A T in a table to get K Shared timestamp Try to decrypt with each shared key K Shared1 K Shared2 K Shared3 …

17 17 Ubiquitous clients and services may want privacy Service discovery exposes inventory, identity, and history Tryst helps enable confidential service discovery Outstanding challenges –Hiding other side channels (physical layer, message timing, size) –Other mechanisms to automatically establish keys –More efficient broadcast probes Conclusions

18 18 Backup Slides

19 19 Other key establishment methods Certificates (e.g., secure websites) –Neither client nor service can offer certificate first! Pairing (e.g., Bluetooth peripherals) –Can not always physically identify service –User must perform discovery before device does! Discovery is also used to find unknown services –We want to automatically expand the trust horizon –Tryst mechanisms: New services in trusted domains New services trusted transitively

20 20 PublicParams, MasterSecret = Setup () ciphertext=Encrypt (K AliceiPod, PublicParams, plaintext) plaintext=Decrypt (K -1 AliceiPod, PublicParams, ciphertext) Anonymous identity based encryption publicly publishedknown only by key provider “alice@mac.com/ipod” Extract(“alice@mac.com/ipod”, MasterSecret) = = Some assumptions over traditional public key crypto –Alice and Bob trust key provider not to reveal secret keys to third parties Can instead trust that no t of n providers collude (use threshold crypto) May also be able act as their own key providers (anonymity unproven) –Revoking my public key implies changing my identity since identity = key Can instead use temporary identities (“alice@mac.com/ipod.nov.2007”) Only need to use protocol until first discovery [Boneh & Franklin ’01]

21 21 Tryst: key establishment Trusted ? Strawman Solution x To “alice” x x

22 22 Projected probe processing delay Rough simulation based on: SIGCOMM 2004 (wifi probes) Soekris “AP” (265Mhz Geode) GnuPG crypto (~150ms/pkt)

23 23 Protocol message volume Each message encrypted for one recipient  As many messages as intended recipients –Typically OK: E.G., 90% of WiFi clients probe for fewer than 12 unique network names [OSDI 2006 WiFi trace] Future work: –Efficient protocol to broadcast probes to many recipients

24 24 Key problem: messages can be linked Consistent naming enable correlation of SD messages Opaque names prevent some problems… but not all: –Example: location can be correlated with other databases Is “Juvenile Detention Classroom” here? Is “010294859” here? 010294859

25 25 Related work SmokeScreen [Cox ‘07] – access control for discovering friends –Similar to symmetric key protocol –Uses online social network to exchange secret keys SSDS [Czerwinski ‘00] – secure service discovery architecture –Relies on trusted infrastructure –Not necessarily confidential Broadcast Encryption [Fiat ‘93] – encrypt message to many users –Making this private is an open problem JFK [Aiello ‘93] – efficient Internet key exchange –No service privacy … –… or not resilient to man-in-the-middle attacks

26 26 SD is widely used Example 1: Application Protocols (OSDI 2006) Example 2: 85% devices send WiFi discovery probes (SIGCOMM 2004)

27 27 Problem 3: SD reveals history Probes can reveal services you have used Problem: Network names can be correlated with location (e.g., using a wardriving database) 23% of devices at SIGCOMM 2004 probed for an name that WiGLE isolates to one city All 4 known home networks located to within 2 blocks

28 28 Problem 5: SD reveals location The fact that my service is present –Problem: Common practice to disable WiFi annoucements to (try to) hide access points [O’Reilly 802.11 Guide] Where my service is located –Problem: Knowledge of network name at one site can tell you where other sites are [WiGLE Wardriving Database] IR_Guest Pittsburgh Seattle Berkeley Cambridge x

29 29 Problem 6: SD reveals social contacts Emerging social devices also offer “services” –Microsoft Zune: music sharing service –PSP, Nintendo DS: multiplayer gaming service Service discovery exposes social contacts

30 30 New services transitively trusted “Alice’s Home” Trust Transitive Trust Alice trusts bob.laptop Alice’s secret Alice trusts “Alice’s Home” Alice’s secret Find networks that Alice trusts Attestation

31 31 Old Slides

32 32 ? Tryst: key establishment Trusted Trusts: alice@mac.com “alice.ds” “alice.laptop” “bob.zune” “bob.psp” “bob.laptop” Anonymous Identity Based Encryption Encrypt(params mac.com, key=“alice.ipod”, message) Provider mac.com preloads devices = params mac.com

33 33 K Alice Identity-hiding encryption with Alice’s public key (e.g., ElGamal) Public Key Protocol Existing theoretical public key protocol [Abadi ’04] K -1 Bob “Bob to Alice at time T” Digital signature with Bob’s private key (e.g., RSA, DSA) Service Discovery Message “Is Alice’s Laptop here?”

34 34 ??? Public Key Protocol K Bob K -1 Bob “Bob to Alice at time T” Service Discovery Message K -1 Alice Decrypt with Alice’s private key Verify with Bob’s public key Existing theoretical public key protocol [Abadi ’04]

35 35 K Shared Identity-hiding encryption Alice and Bob’s shared key (e.g., AES) Symmetric Key Protocol K Shared “Bob to Alice at time T” Message authentication code with Alice and Bob’s shared key (e.g., AES-CMAC) Service Discovery Message

36 36 K Shared Symmetric Key Protocol K Shared “Bob to Alice at time T” Service Discovery Message A T = address at time T A T-1 A0A0 ATAT Hash() K Shared A T+1 Hash() K Shared …… Random hash function (e.g., HMAC-SHA1) secret

Download ppt "1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of."

Similar presentations

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security

Cryptography and Network Security
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.

1/40 Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols Thesis Proposal Jeffrey Pang.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Similar presentations

Ads by Google