Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers.

Published byAlaina Bradford Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers."— Presentation transcript:

1 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers Date: 2008-09-09Authors:

2 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 2 Our Wireless World

3 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 3 Tracking Example MAC: 01:34:4F:88:7A:FE MAC: 54:CC:F2:B8:77:10 MAC: 24:AB:87:11:62:99

4 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 4 Tracking Example 01:2F:3D:44:59:22 0A:BB:C1:99:07:01 04:50:7D:FE:F1:89 Etc. 04:50:7D:FE:F1:89 12:20:00:01:7F:e2 Etc. 4:30 PM 8:30 AM SSID=Linksys SSID=MaryJaneHome SSID=DrChoice SSID=tMobile SSID=WashingtonCSE Abortion Doctor’s Home?

5 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 5 Tracking Example 01:2F:3D:44:59:22 0A:BB:C1:99:07:01 04:50:7D:FE:F1:89 Etc. 04:50:7D:FE:F1:89 12:20:00:01:7F:e2 Etc. 4:30 PM 8:30 AM Is a deal brewing?

6 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 6 Inventorying Example Diabetes Advertisement! HIV Advertisement!

7 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 7 Location tracking, user profiling, inventorying, relationship profiling are a growing concern www.bluetoothtracking.org Home www.wigle.net 802.11 headerIs “djw” here? “djw” is here

8 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 8 Talk Argument 802.11 is increasingly insufficient −Level of privacy different from what people would expect −Privacy and anonymity safeguards lagging behind cellular (e.g., GSM) −Slowing 802.11 adoption in healthcare, finance, and military markets Important to standardize privacy enhancements −Can’t do within the context of the existing standard −Requires changes at multiple endpoints −Enhancements most effective when widely deployed −Will increase attractiveness of 802.11, strengthen 802.11 marketplace

9 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 9 Technical Feasibility SlyFi demonstrates possibility of enhancing 802.11 for privacy −Complete link layer solution with better privacy guarantees than 11i, 11w −We prototyped it −As efficient as today’s protocols −Same usage model as 802.11; coexists with 802.11 −Academia and industry enthusiastic, e.g., 2008 ACM Mobisys Best Paper paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdfhttp://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf source: http://tw.seattle.intel-research.nethttp://tw.seattle.intel-research.net paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdfhttp://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf source: http://tw.seattle.intel-research.nethttp://tw.seattle.intel-research.net

10 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 10 Privacy Problem with Best Practices Is Bob’s Network here? Proof that I’m Bob Bob’s Network is here MAC addr, seqno, … Many exposed bits are (or can be used as) identifiers that are linked over time Confidentiality Authenticity Integrity 10

11 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 11 11 Goal: Make All Bits Appear Random To Eavesdroppers Bootstrap SSID: Bob’s Network Key: 0x2384949… Username: Alice Key: 0x348190… ? ?

12 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 12 Challenge: Making the protocol work when all bits are hidden Which packets are mine? 12 Filtering without Identifiers Without changing the usage model Without breaking services Without changing authentication machinery While staying just as efficient

13 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 13 Design Requirement: Add privacy to security without breaking anything else When A generates Message to B, she sends: PrivateMsg = F(A, B, Message) Where F has these properties: Confidentiality: Only A and B can determine Message. Authenticity: B can verify A created PrivateMsg. Integrity: B can verify Message not modified Unlinkability: Only A and B can link PrivateMsgs to same sender or receiver Efficiency:B can process PrivateMsgs as fast as he can receive them Compatibility with existing usage model Compatibility with existing authentication and other services

14 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 14 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality 802.11 WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Only Data Payload Long Term 14 Only Data Payload Only Data Payload

15 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 15 Naïve approach (symmetric encryption of all bits) is slow Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Try to decrypt with each shared key K Shared1 K Shared2 K Shared3 … 15 Different symmetric key per potential sender Can’t identify the decryption key in the packet or else it is linkable

16 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 16 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality 802.11 WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Long Term 16 Only Data Payload Only Data Payload Only Data Payload

17 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 17 Symmetric key almost works, but tension between: Unlinkability: can’t expose the identity of the key Efficiency: need to identify the key to avoid trying all keys Idea: Identify the key in an unlinkable way Approach: Sender A and receiver B agree on tokens: T 1, T 2, T 3, … A attaches T i to encrypted packet for B SlyFi: An open source reference implementation 17 AB

18 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 18 SlyFi Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Lookup T i in a table to get K AB AB 18 Need a shared variable, i, that changes often TiTi AB Main challenge: Sender and receiver must synchronize i without communication Main challenge: Sender and receiver must synchronize i without communication

19 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 19 Data Transport Synchronize i on transmission number Only sent over established connections Expect messages to be delivered Synchronize i on loose idea of time Infrequent: sent when trying to associate Narrow interface: single application, few side-channels Linkability at short timescales is OK Discovery and Binding On receipt of T i, receiver computes T i+1 Handling message loss or clock skew: – On receipt of T i save T i+1, …, T i+k in table – Tolerates k consecutive losses or skew of 5 * k minutes – No loss  compute one token per reception AB

20 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 20 Discovery/Binding Time SlyFi link setup has less overhead than WPA 20 Lower = Better

21 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 21 Data Throughput SlyFi data filtering is about as efficient as 802.11 21 With simulated AES hardware Performs like symmetric key Higher = Better

22 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 22 Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality 802.11 WPA MAC Pseudonyms Naïve Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Long Term Long Term 22 Only Data Payload Only Data Payload Only Data Payload

23 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 23 Other Protocol Details to Work Through Broadcast Higher-layer binding Time synchronization Roaming Coexistence with 802.11 Link-layer ACKs Preventing replay attacks Location services etc. See paper for some proposals 23

24 doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 24 Conclusion Wireless devices are becoming personal and pervasive Best practices don’t protect users from simple attacks Long-term linking: tracking, profiling, inventorying Short-term linking: side-channel attacks We need a protocol enhancement to defend against these attacks That removes all identifying bits 24 paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdfhttp://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf source: http://tw.seattle.intel-research.nethttp://tw.seattle.intel-research.net paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdfhttp://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf source: http://tw.seattle.intel-research.nethttp://tw.seattle.intel-research.net

Download ppt "Doc.: IEEE 802.11-08/1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers."

Similar presentations

Secure Mobile IP Communication

Secure Mobile IP Communication
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.

CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.

Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.

Secure Data Communication in Mobile Ad Hoc Networks Authors: Panagiotis Papadimitratos and Zygmunt J Haas Presented by Sarah Casey Authors: Panagiotis.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.

1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.

Similar presentations

Ads by Google