January 20, 2015 Policy 501: Expenditure and Contract Signing Authorization Training.
Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model....
Transcript of Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model....
![Page 1: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/1.jpg)
Privacy, Discovery, and Authentication for the Internet of Things
David J. Wu
Stanford University
Ankur Taly
Asim Shankar
Dan Boneh
Stanford University
![Page 2: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/2.jpg)
The Internet of Things (IoT)
Lots of smart devices, but only useful if users can
discover them!
![Page 3: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/3.jpg)
Private Service Discovery
Many existing service discovery protocols: Multicast DNS (mDNS), Apple Bonjour, Bluetooth Low Energy (BLE)
A typical discovery protocol
Device owner’s name / user ID
revealed!
Device location revealed!
Screenshot taken on a public Wireless network
![Page 4: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/4.jpg)
Private Service Discovery
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Alice
Each service specifies an authorization policy
Guest
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Stranger
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
![Page 5: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/5.jpg)
Private Service Discovery
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Alice
Each service specifies an authorization policy
Guest
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Stranger
Samsung TVGuide | Setup
Philips HueBrightness
ADT SecurityManage
Door LockManage
Mutual privacy: privacy should also hold for
devices trying to discover services!
![Page 6: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/6.jpg)
Private Mutual Authentication
Bob
How to authenticate between mutually distrustful parties?
Will only reveal identity to
devices owned by Alice.
Will only reveal identity to Alice’s family members.
security system
![Page 7: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/7.jpg)
Private Mutual Authentication
Bob
In most existing mutual authentication protocols (e.g., TLS, IKE, SIGMA), one party must reveal its
identity first
security system
![Page 8: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/8.jpg)
Primary Protocol Requirements
•Mutual privacy: Identity of protocol participants are only revealed to authorized recipients
• Lightweight: privacy should be as simple as setting a flag in key-exchange (as opposed to a separate protocol – e.g., using secret handshakes [BDSSSW03])
![Page 9: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/9.jpg)
Identity and Authorization Model
Every party has a signing + verification key, and acollection of human-readable names bound to their
public keys via a certificate chain
alice/family/
bob/
alice/device/
security/
popular_corp/
prod/S1234
verification key
![Page 10: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/10.jpg)
Identity and Authorization Model
alice/
alice/family/
alice/family/
bob/
alice/family/
charlie/
alice/device/
alice/device/
security/
Every party has a signing + verification key, and acollection of human-readable names bound to their
public keys via a certificate chain
![Page 11: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/11.jpg)
Identity and Authorization Model
Authorization decisions expressed as prefix patterns
alice/family/
bob/
alice/device/
security/
Policy: alice/devices/*
Policy: alice/family/*
![Page 12: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/12.jpg)
Protocol Construction
![Page 13: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/13.jpg)
Starting Point: Diffie-Hellman Key Exchange
𝔾 : cyclic group of prime order 𝑝with generator 𝑔
𝑔𝑦
𝑔𝑥𝑦 𝑔𝑥𝑦
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
Shared key: KDF 𝑔𝑥 , 𝑔𝑦 , 𝑔𝑥𝑦
![Page 14: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/14.jpg)
Starting Point: Diffie-Hellman Key Exchange
𝔾 : cyclic group of prime order 𝑝with generator 𝑔
𝑔𝑦
𝑔𝑥𝑦 𝑔𝑥𝑦
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
Shared key: KDF 𝑔𝑥 , 𝑔𝑦 , 𝑔𝑥𝑦
![Page 15: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/15.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
![Page 16: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/16.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
Note: in the actual protocol, session ids are also included for replay prevention.
Bob’s signature of the ephemeral DH
exponents
message encrypted and authenticated
Bob’s certificate
![Page 17: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/17.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥, 𝑔𝑦) 𝑘
Alice’s certificate
Alice’s signature message encrypted
and authenticated
Note: in the actual protocol, session ids are also included for replay prevention.
![Page 18: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/18.jpg)
Secure Key Agreement: SIGMA-I Protocol [CK01]
𝑔𝑦 , ID𝐵, SIG𝐵 ID𝐵, 𝑔𝑥, 𝑔𝑦 𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥, 𝑔𝑦) 𝑘
session key derived from 𝑔𝑥, 𝑔𝑦, 𝑔𝑥𝑦
Note: in the actual protocol, session ids are also included for replay prevention.
![Page 19: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/19.jpg)
Properties of the SIGMA-I Protocol
• Mutual authentication against active network adversaries
• Hides server’s (Bob’s) identity from a passive attacker
• Hides client’s (Alice’s) identity from an active attacker
• Bob’s identity is revealed to an active attacker!
![Page 20: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/20.jpg)
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
Public-key encryption scheme where public-keys can be arbitrary strings (identities)
IBE.Encrypt
public parameters Bob
message ciphertext
mpk id
𝑚 ct
Alice can encrypt a message to Bob without
needing to have exchanged keys with Bob
![Page 21: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/21.jpg)
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
root authority
skAlice
mskTo decrypt messages, users go to a (trusted) identity provider to obtain a decryption key for
their identity
Bob can decrypt all messages encrypted to his identity
using skBob
skBob
![Page 22: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/22.jpg)
Prefix-Based Encryption
Secret-keys and ciphertexts both associated with names
alice/devices/
security/
𝑚
alice/devices/
secret key ciphertext
+ 𝑚
Decryption succeeds if name in ciphertext is a prefix of the name in the secret key
![Page 23: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/23.jpg)
Prefix-Based Encryption
Can be leveraged for prefix-based policies
Policy: alice/devices/*
Bob encrypts his message to the identity alice/devices/. Any user with a key that begins with alice/devices/ can decrypt.
![Page 24: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/24.jpg)
Prefix-Based Encryption
Can be leveraged for prefix-based policies
Policy: alice/devices/*
Bob encrypts his message to the identity alice/devices/. Any user with a key that begins with alice/devices/ can decrypt.
Can be built directly from
IBE!
![Page 25: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/25.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
Key idea: encrypt certificate using prefix-based encryption
![Page 26: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/26.jpg)
Private Mutual Authentication
𝑔𝑦 , {PE. Enc(𝜋𝐵, ID𝐵)
CT𝐵
, SIG𝐵 CT𝐵, 𝑔𝑥 , 𝑔𝑦 }𝑘
𝑥 Rℤ𝑝 𝑦
Rℤ𝑝
𝑔𝑥
ID𝐴, SIG𝐴(ID𝐴, 𝑔𝑥 , 𝑔𝑦) 𝑘
• Privacy for Alice’s identity: Alice sends her identity only after verifying Bob’s identity
• Privacy for Bob’s identity: Only users with a key that satisfies Bob’s policy can decrypt his identity
![Page 27: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/27.jpg)
Private Service Discovery
Prefix-based encryption can also be leveraged for private service discovery
See paper for details:http://arxiv.org/abs/1604.06959
![Page 28: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/28.jpg)
Implementation and Benchmarks
• Instantiated IBE scheme with Boneh-Boyen (BB2) IBE scheme (DCLXVI library)
• Integrated private mutual authentication and private service discovery protocols into the Vanadium open-source framework for building distributed applications
https://github.com/vanadium/
![Page 29: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/29.jpg)
Implementation and Benchmarks
Comparison of private mutual authentication protocol with non-private SIGMA-I protocol
Note: x86 assembly optimizations for pairing curve operations available only on desktop
Intel Edison Raspberry Pi
Nexus 5X Desktop
SIGMA-I 252.1 ms 88.0 ms 91.6 ms 5.3 ms
Private Mutual Auth. 1694.3 ms 326.1 ms 360.4 ms 9.5 ms
Slowdown 6.7x 3.7x 3.9x 1.8x
![Page 30: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/30.jpg)
Conclusions
• Existing key-exchange and service discovery protocols do not provide privacy controls
• Prefix-based encryption can be combined very naturally with existing key-exchange protocols to provide privacy + authenticity
• Overhead of resulting protocol small enough that protocols can run on many existing devices
![Page 31: Privacy, Discovery, and Authentication for the Internet of ... · Identity and Authorization Model. Every party has a signing + verification key, and a collection of human-readable](https://reader036.fdocuments.us/reader036/viewer/2022071501/611fbee9e16df6355b7b55c9/html5/thumbnails/31.jpg)
Questions?
Paper: https://arxiv.org/abs/1604.06959