Post on 15-Jan-2016
1
Making Local Service Discovery Confidential with Tryst
Jeffrey PangCMU
Ben GreensteinIntel Research
Srinivasan SeshanCMU
David WetherallUniversity of Washington
Damon McCoyUniversity of Colorado
2
What is Local Service Discovery?Find a WiFi networkFind a local printerFind my friend’s PSPFind my friend’s iTunes
• Proceeds automatically, often without user’s knowledge• Occurs before security associations are setup
3
Service Discovery is Widely Used
• Example 1:ApplicationProtocols(OSDI 2006)
• Example 2: 85% devices send WiFi discovery probes(SIGCOMM 2004)
4
Outline
• Existing mechanisms and their privacy threats
• Solution requirements
• Tryst
5
Outline
• Existing mechanisms and their privacy threats– Announcement– Probing
• Solution requirements
• Tryst
6
Method 1: Announcement
• Services broadcast their existence• Interested clients discover them
• E.G., WiFi access points (APs) announce network names
7
Privacy Threats: Inventory
• “The devices I have”– Example: cell phone pirates
break into cars to steal phones that announce their presence [Cambridge Evening News 2005]
• “The applications I am running”– Example: Apple mDNS
“announces” to hackers that they are vulnerable to a buffer overflow[CERT 2007]
PhoneHere!
iTunes here!iChat here!
8
Privacy Threats: Location
• “The fact that my service is present”– Example: Common practice to
disable WiFi annoucements to (try to) hide access points[O’Reilly 802.11 Guide]
• “Where my service is located”– Example: Knowledge of network
name at one site can tell you where other sites are [WiGLE Wardriving Database]
IR_Guest
Pittsburgh
Seattle
Berkeley
Cambridge
x
9
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing
• Solution requirements
• Tryst
10
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing
• Solution requirements
• Tryst
11
Method 2: Probing
• Clients broadcast queries for familiar services• Present services respond
• E.G., WiFi clients probe for network names they have associated with before
12
Privacy Threats: History• “Where I have been before”
– Example: Probing for network names can expose where you live [WiGLE Wardriving Database]
Is “Anna, Jeff, and Mark’s Net” here?
13
Privacy Threats: History• “Where I have been before”
– Example: Probing for network names can expose where you live [WiGLE Wardriving Database]
23% of devices at SIGCOMM 2004 probed for an name that WiGLE isolates to one city
All 4 known home networks located towithin ~500 ft
14
Privacy Threats: History• “Where I have been before”
– Example: Even opaque names can be correlated with other databases, such as Google’s business directory
Is “Juvenile Detention Classroom” here?Is “010294859” here?
010294859
15
Privacy Threats: Identity
• “Fingerprints who I am”– Example: Both WiFi and application level
probes accurately identify a device[Pang, J. et al. MobiCom 2007]
“IR_Guest”, “djw”, “University of Washington”
“IR_Guest”, “djw”,“University of Washington”= =
………..
16
More Threats in the Future
• Emerging social devices also offer “services”– Microsoft Zune: music sharing service– PSP, Nintendo DS: multiplayer gaming service
• Service discovery exposes social contacts
17
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements
• Tryst
18
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements
• Tryst
19
So … Why Use Service Discovery?
• Plug-and-play networking – Setup networks without configuration
Automatic (no user intervention)
• Infrastructure independence– Always works; no special servers required
Broadcast (only need communication medium)
• Key Problem: Before Security Setup No Confidentiality
20
Solution Requirements
• Provide security during discovery– Anonymity: unlinkable discovery attempts– Authenticity: prevent masquerading
• Challenges– Clients and services want confidentiality– We need mutual authentication before either can
learn of the other’s existence– We can’t rely on manual user action or trusted
infrastructure
21
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst
22
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst– Access control for discovery messages provides 3 and 4
23
How to Provide Access Control
Service Discovery Message Verify Source Identity
Sender Application Receiver Application
Proof of Identity
Identity-Hiding Encryption
24
KAlice
Identity-hiding encryption with Alice’s public key (e.g., ElGamal)
Public Key Protocol
• Existing theoretical public key protocol [Abadi ’04]
K-1Bob
“Bob to Alice at time T”
Digital signature with Bob’s private key (e.g., RSA, DSA)
Service Discovery Message
“Is Alice’s Laptop here?”
25
???
Public Key Protocol
KBob
K-1Bob
“Bob to Alice at time T” Service Discovery Message
K-1Alice Decrypt with Alice’s private key
Verify with Bob’s public key
• Existing theoretical public key protocol [Abadi ’04]
26
Efficiency Problems
• Problem 1: Message size scales linearly with number of intended recipients– Typically OK: 90% of WiFi clients probe for fewer than
12 unique network names [OSDI 2006]
• Problem 2: Messages can’t be addressed must try to decrypt every message– Public key decryption is slow– 168x slower than WiFi line-rate – Receivers susceptible to denial-of-service attacks
27
Symmetric Key Protocol• Observation 1:
Common case is to rediscover known services– Can negotiate a shared symmetric key the first time– Symmetric key cryptography is fast
28
KShared
Identity-hiding encryption Alice and Bob’s shared key (e.g., AES)
Symmetric Key Protocol
KShared
“Bob to Alice at time T”
Message authentication code with Alice and Bob’s shared key(e.g., HMAC-SHA1)
Service Discovery Message
29
Symmetric Key Protocol• Observation 1:
Common case is to rediscover known services– Can negotiate a secret symmetric key the first time– Symmetric key cryptography is fast
• Observation 2: Linkability at short timescales is usually OK– Compute temporary unlinkable addresses known only
to a client and a service– Messages not for me are discarded at WiFi line-rate
30
KShared
Symmetric Key Protocol
KShared
“Bob to Alice at time T” Service Discovery Message
AT = address at time T
AT-1A0 ATHash()
KShared
AT+1Hash()
KShared
… …
Random hash function (e.g., HMAC-SHA1)
secret
31
Protocol Design Summary• Observation 1:
Common case is to rediscover known services– Can negotiate a secret symmetric key the first time– Symmetric key cryptography is fast
• Observation 2: Linkability at short timescales is usually OK– Compute temporary unlinkable addresses known only to a
client and a service– Messages not for me are discarded at WiFi line-rate
• Thus:– Prioritize symmetric key protocol– Use spare cycles for public key protocol
32
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst– Access control for discovery messages provides 3 and 4
33
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst– Access control for discovery messages provides 3 and 4– Automated key establishment maintains 1 and 2
34
How Do I Obtain the Initial Keys?
• Existing key establishment is not enough– Certificates: E.G., Secure websites
• Neither client nor service can offer proof of identity first!
– Pairing: E.G., Bluetooth peripherals• Can not always physically identify service • User must perform discovery before device does!
• Discovery is also used to find new services– Goal: Automatically expand the trust horizon– E.G., new services in trusted domains– E.G., new services trusted transitively
35
New Services in Trusted Domains
Trusted
?
x
xStrawman Solution
x
“Discover Alice’s iPod”
36
?
New Services in Trusted Domains
“Discover Alice’s iPod”
Trusted
Trusts: alice@att.com
“alice.ds”
“alice.laptop”
“bob.zune”
“bob.psp”“bob.laptop”
Anonymous Identity Based Encryption
“alice.ipod”
37
New Services Transitively Trusted“Alice’s Home”
Trust
TransitiveTrust
Alice trustsbob.laptop
Alice’s secret
Alice trusts “Alice’s Home”
Alice’s secret
Find networks that Alice trusts
Attestation
38
Outline
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst– Access control for discovery messages provides 3 and 4– Automated key establishment maintains 1 and 2
39
Ongoing Work
• Status:– Created usable implementation of Tryst– Integrated with WiFi protocol stack on Linux
• Future work:– Evaluate how well key establishment mechanisms
reflect real trust relationships– Design privacy policies that users can understand
• More information:– Tryst: The Case for Confidential Service Discovery.
HotNets VI, 2007.
40
Summary
• Existing mechanisms pose privacy threats– Announcement reveals inventory and location– Probing reveals history and identity
• Solution requirements1. Plug-and-play networking2. Infrastructure independence3. Anonymity4. Authenticity
• Tryst– Access control for discovery messages provides 3 and 4– Automated key establishment maintains 1 and 2
41
Backup Slides
42
Related Work• SmokeScreen [Cox ’07] – access control for discovering friends
– Similar to symmetric key protocol– Uses online social network for key exchange
• SSDS [Czerwinski ’00] – secure service discovery architecture– Relies on trusted infrastructure– Not meant for use in wireless environments
• Broadcast Encryption [e.g., Fiat ‘93] –encrypt message to many users– Making this private is an open problem
• JFK [Aiello ’93] – efficient Internet key exchange– No service privacy …– … or not resilient to man-in-the-middle attacks
43
Privacy Threats: History• “Where I have been before”
– Example: Probing for network names can expose where you live [WiGLE Wardriving Database]
Is the network“djw” here?