Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and.

Slides:



Advertisements
Similar presentations
WiFi-Reports: Improving Wireless Network Selection with Collaboration Presented By Tim McDowell.
Advertisements

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Secure In-Band Wireless Pairing Shyamnath Gollakota Nabeel Ahmed Nickolai Zeldovich Dina Katabi.
A Survey of Secure Wireless Ad Hoc Routing
User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 1 CMU 2 Intel Research Seattle.
CSE 461: Privacy Ben Greenstein Jeremy Elson TAs: Ivan and Alper.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
Presenting: Dafna Shahaf. Infranet: Circumventing Web Censorship and Surveillance Nick Feamster, Magdalena Balazinska, Greg Harfst, Hari Balakrishnan,
Srinivasan Seshan (and many collaborators) Carnegie Mellon University 1.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Toward a Framework for Preventing Side-Channel Attacks in Wireless Networks Jeff Pang.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
1 Making Local Service Discovery Confidential with Tryst Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University.
Key Distribution in Sensor Networks (work in progress report) Adrian Perrig UC Berkeley.
IEEE Wireless Local Area Networks (WLAN’s).
User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein et.al. MobiSys’08 Presented by Seo Bon Keun.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
SPINS: Security Protocols for Sensor Networks Adrian Perrig Robert Szewczyk Victor Wen David Culler Doug TygarUC Berkeley.
1 Understanding and Mitigating the Impact of RF Interference on Networks Ramki Gummadi (MIT), David Wetherall (UW) Ben Greenstein (IRS), Srinivasan.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
15-744: Computer Networking L-23 Privacy. 2 Overview Routing privacy Web Privacy Wireless Privacy.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Improving the Privacy of Wireless Protocols Jeffrey Pang Carnegie Mellon University.
Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;
Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),
ECE 424 Embedded Systems Design Networking Connectivity Chapter 12 Ning Weng.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Wireless Network Security Dr. John P. Abraham Professor UTPA.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.
Done By : Ahmad Al-Asmar Wireless LAN Security Risks and Solutions.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
WEP Protocol Weaknesses and Vulnerabilities
Wireless LAN Security. Security Basics Three basic tools – Hash function. SHA-1, SHA-2, MD5… – Block Cipher. AES, RC4,… – Public key / Private key. RSA.
Network Security David Lazăr.
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
User Fingerprinting Jeffrey Pang 1 Ben Greenstein 2 Ramakrishna Gummadi 3 Srinivasan Seshan 1 David Wetherall 2,4 Presenter: Nan Jiang Most Slides:
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
1 Tryst: The Case for Confidential Service Discovery Jeffrey Pang CMU Ben Greenstein Intel Research Srinivasan Seshan CMU David Wetherall University of.
Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era Authors: Ben Greenstein, Ramakrishna Gummadi, Jeffrey Pang, Mike Y. Chen,
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
Wireless. Wireless hosts: end system devices; may or may not be mobile Wireless links: A host connects to a base station or host through a communication.
Shambhu Upadhyaya 1 Ad Hoc Networks – Network Access Control Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 20)
Wireless Security: The need for WPA and i By Abuzar Amini CS 265 Section 1.
Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
Muhammad Mahmudul Islam Ronald Pose Carlo Kopp School of Computer Science & Software Engineering Monash University Australia.
Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Yoshi Kohno, Jeffrey Pang, Srini Seshan, and David.
Doc.: IEEE /1022r0 Submission September 2008 Greenstein (Intel) et al. Slide 1 SlyFi: Enhancing Privacy by Concealing Link Layer Identifiers.
Authentication has three means of authentication Verifies user has permission to access network 1.Open authentication : Each WLAN client can be.
@Yuan Xue Case Study (Mid-term question) Bob sells BatLab Software License Alice buys BatLab Credit card information Number of.
1 Anonymity. 2 Overview  What is anonymity?  Why should anyone care about anonymity?  Relationship with security and in particular identification 
Tightening Wireless Networks By Andrew Cohen. Question Why more and more businesses aren’t converting their wired networks into wireless networks?
Jeffrey Pang Carnegie Mellon University
Understanding the OSI Reference Model
CSE 4905 Network Security Overview
Protocol ap1.0: Alice says “I am Alice”
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Outline A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001 Sensor.
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben Greenstein, Damon McCoy, Jeffrey Pang, Tadayoshi Kohno, Srinivasan Seshan, and David Wetherall Intel Research Seattle, University of Colorado, Carnegie Mellon University, University of Washington

Our Wireless World

Best Security Practices SSID: Bob’s Network Key: 0x … Username: Alice Key: 0x348190… Bootstrap Out-of-band (e.g., password, WiFi Protected Setup) Confidentiality Authenticity Integrity 33

Bootstrap Privacy Problems Remain Is Bob’s Network here? Proof that I’m Bob Bob’s Network is here MAC addr, seqno, … Many exposed bits are (or can be used as) identifiers that are linked over time Confidentiality Authenticity Integrity 4

5 Problem: Long-Term Linking Alice Alice? Easy to identify and relate devices over time Alice’s friend?

6 Problem: Long-Term Linking Linking enables location tracking, user profiling, inventorying, relationship profiling, … [Greenstein, HotOS ’07; Jiang, MobiSys ’07; Pang, MobiCom ’07, HotNets ’07] Home headerIs “djw” here? “djw” is here

Problem: Short-Term Linking 12:34:56:78:90:ab, seqno: 1, … 12:34:56:78:90:ab, seqno: 2, … 12:34:56:78:90:ab, seqno: 3, … 12:34:56:78:90:ab, seqno: 4, … 00:00:99:99:11:11, seqno: 103, … 00:00:99:99:11:11, seqno: 104, … 00:00:99:99:11:11, seqno: 102, … Easy to isolate distinct packet streams 3-9 data streams overlap each 100 ms, on average (see paper) 7

Problem: Short-Term Linking 8 Isolated data streams are more susceptible to side- channel analysis on packet sizes and timing – Exposes keystrokes, VoIP calls, webpages, movies, … [Liberatore, CCS ‘06; Pang, MobiCom ’07; Saponas, Usenix Security ’07; Song, Usenix Security ‘01; Wright, IEEE S&P ‘08; Wright, Usenix Security ‘07] ≈ DFT transmission sizes Video compression signatures Devicefingerprints Keystroketimings

Bootstrap Fundamental Problem Many exposed bits are (or can be used as) identifiers that are linked over time Is Bob’s Network here? Proof that I’m Bob Bob’s Network is here MAC addr, seqno, … 9

10 Goal: Make All Bits Appear Random Bootstrap SSID: Bob’s Network Key: 0x … Username: Alice Key: 0x348190… ? ?

Challenge: Filtering without Identifiers Which packets are mine? 11

Talk Overview Motivation and Goals Design Requirements Straw man: MAC Pseudonyms Straw man: Encrypt Everything Solution: SlyFi 12

13 Goal: This Protocol Bootstrap SSID: Bob’s Network Key: 0x … Username: Alice Key: 0x348190…

Design Requirements When A generates Message to B, she sends: PrivateMessage = F(A, B, Message) where F has these properties: – Confidentiality: Only A and B can determine Message. – Authenticity: B can verify A created PrivateMessage. – Integrity: B can verify Message not modified. – Unlinkability: Only A and B can link PrivateMessages to same sender or receiver. – Efficiency:B can process PrivateMessages as fast as he can receive them. 14

Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Public Key Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets 15 Only Data Payload Only Data Payload Only Data Payload

Straw man: MAC Pseudonyms Idea: change MAC address periodically – Per session or when idle [Gruteser ’05, Jiang ‘07] Other fields remain (e.g., in discovery/binding) – No mechanism for data authentication/encryption – Doesn’t hide network names during discovery or credentials during authentication Pseudonyms are linkable in the short-term – Same MAC must be used for each association – Data streams still vulnerable to side-channel leaks 16

Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Public Key Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Only Data Payload Long Term 17 Only Data Payload Only Data Payload

Straw man: Encrypt Everything 18 Bootstrap SSID: Bob’s Network Key: 0x … Username: Alice Key: 0x348190… Idea: Use bootstrapped keys to encrypt everything

Straw man: Public Key Protocol Probe “Bob” Key-private encryption (e.g., ElGamal) K Bob Check signature: Try to decrypt K -1 Bob K Alice Based on [Abadi ’04] K -1 Alice Sign: ClientService 19

Straw man: Symmetric Key Protocol Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Try to decrypt with each shared key K Shared1 K Shared2 K Shared3 … 20 Different symmetric key per potential sender Can’t identify the decryption key in the packet or else it is linkable

Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Public Key Protocol Symmetric Key Protocol SlyFi: Discovery/Binding SlyFi: Data packets Long Term 21 Only Data Payload Only Data Payload Only Data Payload

Symmetric key almost works, but tension between: – Unlinkability: can’t expose the identity of the key – Efficiency: need to identify the key to avoid trying all keys Idea: Identify the key in an unlinkable way Approach: – Sender A and receiver B agree on tokens: T 1, T 2, T 3, … – A attaches T i to encrypted packet for B SlyFi 22 AB

SlyFi Probe “Bob” ClientService Symmetric encryption (e.g., AES w/ random IV) Check MAC: MAC:K AB Lookup T i in a table to get K AB AB 23 Required properties: – Third parties can not link T i and T j if i ≠ j – A doesn’t reuse T i – A and B can compute T i independently Required properties: – Third parties can not link T i and T j if i ≠ j – A doesn’t reuse T i – A and B can compute T i independently AB Main challenge: Sender and receiver must synchronize i Main challenge: Sender and receiver must synchronize i

SlyFi: Data Transport Data messages: – Only sent over established connections  Expect messages to be delivered  Use implicit transmission number to synchronize i AB 24 TiTi AB T i+1 AB T i +2 AB T i +3 AB On receipt of T i, B computes next expected: T i+1 Handling message loss: – On receipt of T i save T i+1, …, T i+k in table – Tolerates k consecutive losses (k=50 is enough [Reis ‘06]) – No loss  compute one token per reception AB

SlyFi: Discovery/Binding Discovery & binding messages: – Often sent when other party is not present  Can’t expect most messages to be delivered  Can’t rely on transmission reception to synchronize i 25 Is Bob’s Network here? TiTi AB i = ? Is Bob’s Network here? T i +1 AB Is Bob’s Network here? T i +3 AB Is Bob’s Network here? T i +2 AB.. …... Nope.

SlyFi: Discovery/Binding Discovery & binding messages: – Infrequent: only sent when trying to associate – Narrow interface: single application, few side-channels  Linkability at short timescales is usually OK  Use loosely synchronized time to synchronize i AB 26 At the start of time interval i compute T i Handling clock skew: – Receiver B saves T i-s, …, T i+s in table – Tolerates clock skew of 5  s minutes AB probe beacon auth TiTi AB TiTi TiTi BA TiTi

SlyFi: Other Protocol Details Broadcast Higher-layer binding Time synchronization Roaming Coexistence with Link-layer ACKs Preventing replay attacks etc. See paper 27

SlyFi implementation: – Linux kernel module using Click Modular Router – Run on Soekris devices (similar to APs, iPods, etc.) Comparison protocols: – wifi-open: with no security – wifi-wpa: with WPA PSK/CCMP – public-key:straw man – symmetric-key:straw man – armknecht: previous header encryption proposal Performance Evaluation 28 Similar

Discovery/Binding Time SlyFi link setup has less overhead than WPA 29 Lower = Better

Data Throughput SlyFi data filtering is about as efficient as With simulated AES hardware Performs like symmetric key Higher = Better

Solution Summary Unlinkability Integrity Authenticity Efficiency Confidentiality WPA MAC Pseudonyms Public Key Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Long Term Long Term 31 Only Data Payload Only Data Payload Only Data Payload

Conclusion Wireless devices are becoming personal and pervasive Best practices don’t protect users from simple attacks – Long-term linking: tracking, profiling, inventorying – Short-term linking: side-channel attacks SlyFi makes these attacks much more difficult to do – Removes all bits that are (or can be used as) identifiers 32

====== CONTEXT ====== 33

34 Related Work Private discovery – Public key straw man [Abadi, ‘04] – Private discovery sketch [Pang ‘07] – Privately announce existence to friends [Cox ‘07] Different application; uses hash chain Encrypted data transport headers – Must try all keys to filter [Armknecht ‘07] – Targeted at WPANs and use hash chains [Singelee ‘06] SlyFi is the first complete protocol and implementation

802.11w: Protected Management Frames Unlinkability Integrity Authenticity Efficiency Confidentiality i (WPA) MAC Pseudonyms Public Key Symmetric Key SlyFi: Discovery/Binding SlyFi: Data packets Data Payload Long Term Long Term 35 Data Payload Data Payload Unicast Frames i w

Why not GSM Pseudonyms? GSM pseudonym properties – Provider must assign new pseudonym to client to change it – Only a single application used on GSM network GSM pseudonyms not sufficient when – Both parties in discovery want to be private – May require using pseudonym when the provider is not present (e.g., during discovery) – Many applications with many side-channels – Must accommodate device heterogeneity, evolution 36

PHY Layer and Timing Signatures Charlie -> AP Alice -> AP Charlie -> AP ??? -> AP PHY layer and timing signatures remain These are not as accurate and can require uncommon or expensive hardware Obscuring these signatures is future work SlyFi raises the bar and is a necessary first step 37

Linking with Signal Strength 38 Side-channel attack accuracy degrades significantly even if attacker tries to use signal strength to link packets Side-channel attack accuracy degrades significantly even if attacker tries to use signal strength to link packets Attack: website finger-printing using [Liberatore CCS ‘06] Attacker has 5 nodes to record packets’ RSSIs Attacker uses k-means clustering to determine which packets belong to each client. Set of RSSIs is the feature vector. Experiment conservatively assumes that attacker knows k Clustering accuracy > 75% for all experiments

Why not Time for Data Transport? Data messages: – Frequent: sent often to deliver data – Wide interface: many applications, many side-channels  Linkability at short timescales is NOT usually OK  Can NOT use loosely synchronized time to synchronize i TiTi AB TiTi TiTi TiTi = = = 39

40 Future Work Private, automated bootstrapping [Greenstein, Pang] – Leverage transitive trust relationships – Leverage device reputation, measurable context Measuring/defending against PHY layer linking [McCoy] – Leverage transmit power control, directional antennas Masking remaining timing side-channels [Pang] – Perform intelligent packet padding/cover traffic

Packet Format 41 Tryst: Discovery/Binding Shroud: Data Transport TokenUnencrypted Message

Protocol Timing Diagram 42 Discover Authenticate and Bind Authenticate and Bind Send Data

Other Protocol Details 43 Broadcast – All broadcast packets routed through the AP – Use same shared key for all the clients of the AP Higher-layer binding – Clients report “pseudonym MAC address”-to-IP address bindings to AP – AP answers all ARP queries Time synchronization and roaming – Use protected broadcast to transmit timestamps, same BSSID info Coexistence with – Encapsulate SlyFi in “anonymous” frame with unused FC code – Clients first search for SlyFi AP, then fall back to non-private AP search Link-layer ACKs – If fast enough, just acknowledge last SlyFi token sent – Our software implementation uses windowed ACKs

====== TRYST EVAL ====== 44

Link Setup Failures “Encrypt everything” fails to setup many links 45

Link Setup Time vs. # Probes 46 SlyFi scales as gracefully as (no background traffic)

Link Setup Time Breakdown 47 “Try all keys” dominates symmetric key time (times are in msec, no background traffic) Using software encryption on 256 Mhz Geode processor and a

Token Computation Time 48 Token computation time is negligible (Once every 5 minutes) Using software AES, 256 Mhz Geode processor

====== SHROUD EVAL ====== 49

Data Throughput vs. Packet Size SlyFi data transport overhead is similar to WPA 50

Data Throughput vs. # Associations SlyFi throughput is independent of # associations 51 (no background traffic)

Data Transport Time Breakdown SlyFi can process messages at the line rate 52 (times are in usec) 256 Mhz Geode processor, hw times based on Atheros a/b/g card

Latency vs. Packet Size SlyFi data transport overhead is similar to WPA 53 Click bug

====== MEASUREMENTS ====== 54

Empirical Stream Interleaving 55 Many streams interleaved even at short timescales

Empirical Background Probe Rate 56 Background probes are frequent in practice

Empirical # Saved Network Names 57 Some clients probe for many network names

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.