Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu...
Transcript of Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu...
![Page 1: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/1.jpg)
Privacy, Discovery, and Authentication for the Internet of Things
David J. Wu
Stanford University
Ankur Taly
Asim Shankar
Dan Boneh
Stanford University
![Page 2: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/2.jpg)
The Internet of Things (IoT)
Lots of smart devices, but only useful if users can
discover them!
![Page 3: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/3.jpg)
Private Service Discovery
Many existing service discovery protocols: Multicast DNS (mDNS), Apple Bonjour, Bluetooth Low Energy (BLE)
A typical discovery protocol
Device owner’s name / user ID
revealed!
Device location revealed!
Screenshot taken on a public Wireless network
![Page 4: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/4.jpg)
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
broadcast: truncated hash of sender’s identity
contacts-only mode: device should only be discoverable by
users in their contacts list
![Page 5: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/5.jpg)
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
if broadcast containing ID of user in contact list, then start local
service and advertise over mDNS
TLS key exchange with client authentication
![Page 6: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/6.jpg)
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
TLS key exchange with client authentication
certificates exchanged in the clear (can be used for
tracking, fingerprinting, etc.)
![Page 7: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/7.jpg)
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
broadcast: truncated hash of sender’s identity no authenticity for broadcast
– can be replayed to see if particular user in target’s
contact list
![Page 8: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/8.jpg)
Private Service Discovery
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Alice
Each service specifies an authorization policy
Guest
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Stranger
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
![Page 9: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/9.jpg)
Private Service Discovery
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Alice
Each service specifies an authorization policy
Guest
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Stranger
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Mutual privacy: privacy should also hold for
devices trying to discover services!
![Page 10: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/10.jpg)
Private Mutual Authentication
Bob
How to authenticate between mutually distrustful parties?
Will only reveal identity to
devices owned by Alice.
Will only reveal identity to Alice’s family members.
security system
![Page 11: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/11.jpg)
Private Mutual Authentication
Bob
In most existing mutual authentication protocols (e.g., TLS, IKE, SIGMA), one party must reveal its
identity first
security system
![Page 12: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/12.jpg)
Primary Protocol Requirements
•Mutual privacy: Identity of protocol participants are only revealed to authorized recipients
•Authentic advertisements: Service advertisements (for discovery) should be unforgeable and authentic
• Lightweight: privacy should be as simple as setting a flag in key-exchange (as opposed to a separate protocol – e.g., using secret handshakes [BDSSSW03])
![Page 13: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/13.jpg)
Identity and Authorization Model
Every party has a signing + verification key, and acollection of human-readable names bound to their
public keys via a certificate chain
alice/family/
bob/
alice/device/
security/
popular_corp/
prod/S1234
verification key
![Page 14: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/14.jpg)
Identity and Authorization Model
alice/
alice/family/
alice/family/
bob/
alice/family/
charlie/
alice/device/
alice/device/
security/
Every party has a signing + verification key, and acollection of human-readable names bound to their
public keys via a certificate chain
![Page 15: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/15.jpg)
Identity and Authorization Model
Authorization decisions expressed as prefix patterns
alice/family/
bob/
alice/device/
security/
Policy: alice/devices/*
Policy: alice/family/*
![Page 16: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/16.jpg)
Protocol Construction
![Page 17: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/17.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
![Page 18: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/18.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
Note: in the actual protocol, session ids are also included for replay prevention.
Bob’s signature of the ephemeral DH
exponents
message encrypted (and MACed) under key 𝑘 =KDF(𝑔𝑥 , 𝑔𝑦 , 𝑔𝑥𝑦)
Bob’s certificate
![Page 19: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/19.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥, 𝑔𝑦) 𝑘
Alice’s certificate
Alice’s signature
message encrypted (and MACed) under key 𝑘 =KDF(𝑔𝑥 , 𝑔𝑦 , 𝑔𝑥𝑦)
Note: in the actual protocol, session ids are also included for replay prevention.
![Page 20: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/20.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥, 𝑔𝑦) 𝑘
session key derived from 𝑔𝑥, 𝑔𝑦, 𝑔𝑥𝑦
Note: in the actual protocol, session ids are also included for replay prevention.
![Page 21: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/21.jpg)
Properties of the SIGMA-I Protocol
• Mutual authentication against active network adversaries
• Hides server’s (Bob’s) identity from a passive attacker
• Hides client’s (Alice’s) identity from an active attacker
• Bob’s identity is revealed to an active attacker!
![Page 22: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/22.jpg)
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
Public-key encryption scheme where public-keys can be arbitrary strings (identities)
IBE.Encrypt
public parameters Bob
message ciphertext
mpk id
𝑚 ct
Alice can encrypt a message to Bob without
needing to have exchanged keys with Bob
![Page 23: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/23.jpg)
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
root authority
skAlice
mskTo decrypt messages, users go to a (trusted) identity provider to obtain a decryption key for
their identity
Bob can decrypt all messages encrypted to his identity
using skBob
skBob
![Page 24: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/24.jpg)
Prefix-Based Encryption
Secret-keys and ciphertexts both associated with names
alice/devices/
security/
𝑚
alice/devices/
secret key ciphertext
+ 𝑚
Decryption succeeds if name in ciphertext is a prefix of the name in the secret key
![Page 25: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/25.jpg)
Prefix-Based Encryption
Secret-keys and ciphertexts both associated with names
eve/devices/
security/
𝑚
alice/devices/
secret key ciphertext
+ ⊥
Decryption fails if name in ciphertext is not a prefix of the name in the secret key
![Page 26: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/26.jpg)
Prefix-Based Encryption
Can be leveraged for prefix-based policies
Policy: alice/devices/*
Bob encrypts his message to the identity alice/devices/. Any user with a key that begins with alice/devices/ can decrypt.
![Page 27: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/27.jpg)
Prefix-Based Encryption from IBE [LW14]
Encryption is just IBE encryption
Secret key for a name is a collection of IBE secret keys, one for each prefix:
alice/devices/
security/
alice/ alice/
devices/alice/devices/
security/
can decrypt encryptions to all prefixes of alice/devices/security
![Page 28: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/28.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
Key idea: encrypt certificate using prefix-based encryption
![Page 29: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/29.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
• Privacy for Alice’s identity: Alice sends her identity only after verifying Bob’s identity
• Privacy for Bob’s identity: Only users with a key that satisfies Bob’s policy can decrypt his identity
![Page 30: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/30.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
• Client overhead: Alice must perform prefix-based decryption on each flow
• Server overhead: Bob must perform prefix-based encryption on each handshake, but this encrypted identity can be cached and reused
![Page 31: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/31.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
Provably secure in the Canetti-Krawczyk model of key-exchange assuming Hash-DH and security of underlying
cryptographic primitives
![Page 32: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/32.jpg)
Private Service Discovery
Two pieces: service announcements and private mutual authentication
Principal design goals:• Private discovery: Only authorized clients can learn service details
• Authentic service announcements: Announcements are authenticated and unforgeable
• 0-RTT private mutual authentication: Clients can subsequently connect to service and include application data on initial flow
![Page 33: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/33.jpg)
Private Service Discovery: Broadcast
PE. Enc 𝜋𝑆, ID𝑆, 𝑔𝑠, SIG𝑆 ID𝑆, 𝑔
𝑠
Key idea: encrypt service broadcast using prefix encryption
𝑠 Rℤ𝑝
![Page 34: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/34.jpg)
Private Service Discovery: Broadcast
PE. Enc 𝜋𝑆, ID𝑆, 𝑔𝑠, SIG𝑆 ID𝑆, 𝑔
𝑠
Key idea: encrypt service broadcast using prefix encryption
𝑠 Rℤ𝑝
authorization policy
service identity
semi-static DH share (for 0-RTT authentication)
signature for authenticity
![Page 35: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/35.jpg)
𝑥 Rℤ𝑝
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
![Page 36: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/36.jpg)
𝑥 Rℤ𝑝
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
ephemeral DH exponent
sender and receiver identities
message encrypted (and MACed) under handshake key
𝑘 = KDF(𝑔𝑠, 𝑔𝑥, 𝑔𝑠𝑥 , C → S)
![Page 37: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/37.jpg)
𝑥 Rℤ𝑝
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
application data can also be sent in the first message flow under another key derived from 𝑔𝑠, 𝑔𝑥, and 𝑔𝑠𝑥:
𝑘app = KDF(𝑔𝑠, 𝑔𝑥 , 𝑔𝑠𝑥 , app)
No forward secrecy for early application data sent during lifetime of broadcast.
![Page 38: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/38.jpg)
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
𝑔𝑦 , ID𝑆, ID𝐴 𝑘′
𝑦 Rℤ𝑝
ephemeral DH exponent message encrypted (and
MACed) under handshake key𝑘′ = KDF(𝑔𝑠, 𝑔𝑥 , 𝑔𝑠𝑥 , S → C)
![Page 39: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/39.jpg)
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
𝑔𝑦 , ID𝑆, ID𝐴 𝑘′
𝑦 Rℤ𝑝
final session key derived from both semi-static and ephemeral shares:
KDF 𝑔𝑠, 𝑔𝑥 , 𝑔𝑦 , 𝑔𝑠𝑥 , 𝑔𝑥𝑦
Recovers forward secrecy for session messages.
![Page 40: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/40.jpg)
Private Service Discovery: Mutual Authentication
𝑔𝑥 , ID𝑆, ID𝐴, SIG𝐴 ID𝑆, ID𝐴, 𝑔𝑠, 𝑔𝑥 𝑘
𝑔𝑦 , ID𝑆, ID𝐴 𝑘′
𝑦 Rℤ𝑝
Provably secure in an (extended) Canetti-Krawczykmodel of key-exchange assuming Hash-DH and Strong-
DH in the random oracle model and security of underlying cryptographic primitives
![Page 41: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/41.jpg)
Implementation and Benchmarks
• Instantiated IBE scheme with Boneh-Boyen (BB2) IBE scheme (DCLXVI library)
• Integrated private mutual authentication and private service discovery protocols into the Vanadium open-source framework for building distributed applications
https://github.com/vanadium/
![Page 42: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/42.jpg)
Implementation and Benchmarks
Comparison of private mutual authentication protocol with non-private SIGMA-I protocol
Note: x86 assembly optimizations for pairing curve operations available only on desktop
Intel Edison Raspberry Pi
Nexus 5X Desktop
SIGMA-I 252.1 ms 88.0 ms 91.6 ms 5.3 ms
Private Mutual Auth. 1694.3 ms 326.1 ms 360.4 ms 9.5 ms
Slowdown 6.7x 3.7x 3.9x 1.8x
![Page 43: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/43.jpg)
Implementation and Benchmarks
• For private service discovery protocol, a typical service advertisement is ≈ 820 bytes (for single policy pattern)
• Can broadcast using mDNS (supports packets of size up to 1300 bytes)
id, PE. Enc 𝜋𝑆, ID𝑆, 𝑔𝑠, SIG𝑆 ID𝑆, 𝑔
𝑠
16 bytes
500 bytes
32 bytes
64 bytes
208 bytes
![Page 44: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/44.jpg)
Implementation and Benchmarks
Processing advertisement requires 1 IBE decryption and 1 ECDSA verification:
267 ms + 11 ms = 278 ms on Nexus 5x
id, PE. Enc 𝜋𝑆, ID𝑆, 𝑔𝑠, SIG𝑆 ID𝑆, 𝑔
𝑠
16 bytes
500 bytes
32 bytes
64 bytes
208 bytes
![Page 45: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/45.jpg)
Conclusions
• Existing key-exchange and service discovery protocols do not provide privacy controls
• Prefix-based encryption can be combined very naturally with existing key-exchange protocols to provide privacy + authenticity
• Overhead of resulting protocol small enough that protocols can run on many existing devices
![Page 46: Privacy, Discovery, and Authentication for the Internet of ...for the Internet of Things David J. Wu Stanford University Ankur Taly Google Asim Shankar Google Dan Boneh Stanford University.](https://reader033.fdocuments.us/reader033/viewer/2022043006/5f8ff3963427c8570f7e719d/html5/thumbnails/46.jpg)
Questions?