SDDR: Light-Weight, Secure Mobile Encounters
Matthew Lentz, Viktor Erdélyi, Paarijaat Aditya, Elaine Shi, Peter Druschel, Bobby Bhattacharjee
University of Maryland, Max Planck Institute for Software Systems
Mobile Social Applications
Services based on user context:
1. location
2. activity
3. nearby peers
Examples: Latitude, Foursquare, Highlight, FireChat, Haggle
Common: Centralized Service
Involves a trusted third party
[Figure: devices (UI+Sensors) connected to a central Service]
Alternate: Device-to-Device
Enables tracking by adversaries
[Figure: two devices, each running the Service; one device labeled 13 5B]
GIZMODO - “Brave New Garbage: London’s Trash Cans Track You Using Your Smartphone” (2013)
Credit: http://gizmodo.com/brave-new-garbage-londons-trash-cans-track-you-using-1071610114
Randomize Addresses?
[Figure: device label changes from 13 5B to 47 6B]
Unlinkable, but does not support recognition!
Secure Device Discovery and Recognition
1. Secure Encounter Primitive
2. Strawman Protocol
3. System Goals and SDDR Protocol
4. Evaluation and Concurrent Work
Secure Encounters
Establish a Shared Key
Secure communication through untrusted channel (e.g., pseudonymous email)
Unlinkable by default
Recognition
Want to recognize each other in encounters
… while remaining unlinkable by others
Map ephemeral pseudonyms to long-lived identities
Revocation and Scoping
No Longer Friends
Temporary Friends
Context-based Scoping: Only At Work, Only After 8pm
[Figure: users A, B and C; labels include “USENIX”]
Allow recognizability by friends using context-based constraints
Efficient and unilateral revocation is required
Security Properties
Discover devices while preserving user privacy
Recognize peers with prior trust relations and support efficient, unilateral revocation
Secure communication between encounter peers
Threat Model
Trust OS and apps on your phone
No PHY layer attacks considered
Participate with all nearby devices (arbitrary subset of colluding attackers)
Enabling Recognition
Agree on a shared secret “link value”
= H( )
Recognition and Revocation
Advert: “I allow and to recognize me”
Listen: “I want to recognize ”
“I revoke ’s right to recognize me”
Recognition by Intersecting Sets
[Figure: the Advert and Listen sets of two devices are intersected]
Strawman Protocol
Diffie-Hellman (DH) Exchange
Generate
Compute
Private Set Intersection (PSI)
PSI is Prohibitively Slow
[Plot: Computation Time (log scale, 1ms to 10s) vs. Size of Advert/Listen Sets (log scale, 1 to 256); PSI (JL10) on Samsung Galaxy Nexus]
System Goals
Efficiency - Practical for resource-constrained devices
Scalability - Handle many peers (e.g., stadium)
Need to develop secure protocols with energy efficiency as a first order goal
Divide time into discrete epochs, across which the user is unlinkable.
SDDR Protocol State
In each epoch, generate:
1. DH Key Pair
2. Bloom Filter
Probabilistic set digest for advertised link values
We use them for compactness, not security
H( Public, )
Random padding to global maximum size
Device discovery, recognition, and key exchange in a single message
SDDR Protocol
1. Locally Compute H( Public, )
2. Query
Can mitigate false positives (Details in paper)
[Figure: each device broadcasts its Public value; both devices end with an Encounters entry]
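The beacon construction and the "Locally Compute, then Query" step above, as an added example (not code from the SDDR authors or their prototype). It assumes the elided second argument of H( Public, ) is a link value, uses random bytes as a stand-in for the epoch's DH public key, and picks filter parameters for the demo only; the names alice, bob and carol and all link values are constructed.

```python
import hashlib
import secrets

# Demo parameters (assumptions, not SDDR's real values).
BLOOM_BITS = 4096    # filter size in bits, identical for every device
NUM_HASHES = 8       # bit positions set per entry
MAX_ADVERT = 128     # "global maximum" advertised-set size used for padding

def positions(public: bytes, link: bytes) -> list[int]:
    """Bit positions derived from H(Public, link value); public is fixed-length."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + public + link).digest()[:8], "big")
            % BLOOM_BITS for i in range(NUM_HASHES)]

def make_beacon(advert_links: list[bytes]) -> tuple[bytes, bytes]:
    """Build one epoch's beacon: a fresh public value plus a padded Bloom filter."""
    public = secrets.token_bytes(32)  # stand-in for the epoch's fresh DH public key
    # Random padding up to the global maximum hides how many links are advertised.
    padding = [secrets.token_bytes(32) for _ in range(MAX_ADVERT - len(advert_links))]
    bits = bytearray(BLOOM_BITS // 8)
    for link in advert_links + padding:
        for p in positions(public, link):
            bits[p // 8] |= 1 << (p % 8)
    return public, bytes(bits)

def recognize(beacon: tuple[bytes, bytes], listen: dict[str, bytes]) -> set[str]:
    """Listener side: hash each listened-for link with the sender's public value
    and query the filter. Hits may include Bloom false positives."""
    public, bits = beacon
    return {name for name, link in listen.items()
            if all(bits[p // 8] >> (p % 8) & 1 for p in positions(public, link))}

def demo() -> dict:
    link_ab = secrets.token_bytes(32)   # constructed link value shared by Alice and Bob
    link_ac = secrets.token_bytes(32)   # constructed link value shared by Alice and Carol
    epoch1 = make_beacon([link_ab, link_ac])
    epoch2 = make_beacon([link_ac])     # Alice revokes Bob by no longer advertising link_ab
    return {
        "bob_epoch1": recognize(epoch1, {"alice": link_ab}),
        "bob_epoch2": recognize(epoch2, {"alice": link_ab}),
        "carol_epoch2": recognize(epoch2, {"alice": link_ac}),
        "stranger": recognize(epoch1, {"alice": secrets.token_bytes(32)}),
        "beacons_differ": epoch1 != epoch2,
    }

if __name__ == "__main__":
    print(demo())
```

Because the public value changes every epoch, the same link value sets different bits in each beacon, so an observer without the link value cannot match two epochs by comparing filters.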
SDDR Implementation
Prototype for Android using Bluetooth 2.1
BattOr for Power Measurements
Developed/Evaluated on Samsung Galaxy Nexus
SDDR vs PSI - Computation
[Plot: Computation Time (log scale, 10µs to 10s) vs. Size of Advert/Listen Sets (log scale, 1 to 256); series: PSI (JL10) and SDDR (Pfp = 3.03%)]
Faster by over 4 orders of magnitude
SDDR vs PSI - Power Traces
[Plots: Power Consumed (mW, 0 to 2000) vs. Time (sec, 0 to 120). Top: DH+PSI over BT2.1, with phases Discovery, Recognition, Incoming Recognition. Bottom: SDDR over BT2.1, with phases Discovery/Recognition, Incoming Discovery/Recognition.]
Nearly invisible footprint within BT discovery
Cheap, non-interactive protocol enables low-energy implementation
SDDR Evaluation
Time to Compute Recognizability
Energy Consumption - Power Traces
Energy Consumption - Micro-benchmarks
Battery Life vs. # Nearby Devices
✓✓
EnCore - Communication Platform
Appeared in MobiSys ‘14
Supports content sharing for groups of socially meaningful encounters
“Great discussion!” - Amy
Summary
Mobile social applications have significant privacy challenges
SDDR provides a secure encounter primitive that runs efficiently on mobile devices
www.cs.umd.edu/projects/ebn
SDDR over Bluetooth 2.1
Discoverable: Responds to inquiry scan with address and beacon
Inquirer: Performs inquiry scan, receiving and processing nearby devices’ beacons
Change MAC address each epoch
[Figure: CPU and BT components]