Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding...

Post on 15-Jan-2016


[Figure: Link Setup Time (ms)]

Details: How do sender and receiver synchronize i?

• Discovery/binding messages: infrequent and narrow interface, so short-term linkability is O.K.

• Data messages: only sent on established connections, so expect receiver to get most messages

• Performs as well as WPA and has stronger security

• Problem: Third parties can use unencrypted bits such as addresses to track and profile users. How can devices efficiently process packets without addresses?

• Idea: Sender and receiver agree on sequence of tokens beforehand; attach one token to each packet

SlyFi: obscures all transmitted bits

Mechanisms to Mitigate Wireless Privacy Threats

Jeffrey Pang <jeffpang@cs.cmu.edu>

http://www.cs.cmu.edu/~jeffpang

[Figure: existing 802.11 protocol phases, with tcpdump and a packet size histogram. Each message carries an 802.11 header (MAC address, …).]

• Discover: “Is Bob’s Network here?” / “Bob’s Network is here”; “Is Bob’s PSP here?” / “Bob’s PSP is here”

• Authenticate and Bind: “Proof that I’m Alice” / “Proof that I’m Bob”

• Send Data

Credentials shown: SSID: Bob’s Network, Password: [_]pants; Username: Alice, Public Key: 0x123…

[Figure: transmission sizes for input transmissions and output transmissions]

[Figure: SlyFi protocol phases between Client and Service: Discover (Probe “Alice”), Authenticate and Bind, Send data]

Symmetric encryption (e.g., AES w/ random IV)

MAC: $K'_{AB}$

Check MAC: $K'_{AB}$

Lookup $T_i$ in a table to get $K_{AB}$

$T_i^{AB} = \mathrm{AES}_{K_{AB}}(i)$ where $i$ = transmission #

$T_i^{AB} = \mathrm{AES}_{K_{AB}}(i)$ where $i$ = current time/5 min
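
One way a receiver can stay synchronized on i and map an address-free packet to its key, as an added example that is not from the poster or from the SlyFi code: a lookup table holding a sliding window of upcoming tokens. HMAC-SHA256 truncated to 16 bytes stands in for AES so the block runs on the Python standard library; the `Receiver` class, the window size, the policy of dropping late packets, the use of time-based i for discovery, and the key are assumptions.

```python
import hashlib
import hmac

TOKEN_LEN = 16  # one AES block, matching T_i = AES_K(i) on the poster

def token(k_ab: bytes, i: int) -> bytes:
    # Stand-in PRF: HMAC-SHA256 truncated to 16 bytes (assumption; the poster uses AES).
    return hmac.new(k_ab, i.to_bytes(8, "big"), hashlib.sha256).digest()[:TOKEN_LEN]

def discovery_index(unix_time: float) -> int:
    # i = current time / 5 min: both sides derive i from the clock (assumed for discovery).
    return int(unix_time) // 300

class Receiver:
    """Maps incoming tokens to (peer, i) using a sliding window of expected data tokens."""

    def __init__(self, window: int = 4):
        self.window = window
        self.keys = {}    # peer -> K_AB
        self.next_i = {}  # peer -> lowest transmission number still accepted
        self.table = {}   # token -> (peer, i)

    def add_peer(self, peer: str, k_ab: bytes, start_i: int = 0) -> None:
        self.keys[peer], self.next_i[peer] = k_ab, start_i
        for i in range(start_i, start_i + self.window):
            self.table[token(k_ab, i)] = (peer, i)

    def receive(self, tok: bytes):
        # Unknown, replayed or too-far-ahead tokens miss the table and are dropped.
        hit = self.table.pop(tok, None)
        if hit is None:
            return None
        peer, i = hit
        k_ab, lo = self.keys[peer], self.next_i[peer]
        for j in range(lo, i):  # skipped (lost) transmissions are no longer accepted
            self.table.pop(token(k_ab, j), None)
        for j in range(lo + self.window, i + 1 + self.window):  # extend the window
            self.table[token(k_ab, j)] = (peer, j)
        self.next_i[peer] = i + 1
        return hit

def demo():
    k_ab = bytes(range(16))  # constructed key, for illustration only
    rx = Receiver(window=4)
    rx.add_peer("alice", k_ab)
    # Constructed arrivals: 2 is lost, 3 is replayed, 2 arrives late, 9 is far ahead.
    return [rx.receive(token(k_ab, i)) for i in (0, 1, 3, 3, 2, 9)]

if __name__ == "__main__":
    print(demo())
```

The table stays at `window` entries per peer, so a packet from an unknown sender costs one dictionary lookup before it is discarded.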

Best security practices still expose identifiers, credentials, and packet sizes/timings to third parties, enabling attacks:

• Location tracking: identifiers can be linked over time

• User profiling: info can be cross-indexed with databases

• Side-channel analysis: sizes/timing reveal packet contents

Greenstein, HotOS ’07; Pang, MobiCom ’07; Pang, HotNets ’07; Jiang, MobiSys ’07; Saponas, Usenix Security ’07; www.bluetoothtracking.org; ...

Problem: existing protocols leak information

Three essential protocol changes to prevent attacks:

1. Obscure all transmitted bits during all protocol phases

2. Obscure packet sizes/timing that act as side-channels

3. Obscure and automate bootstrapping of keys to prevent communication with untrusted third parties

1. MobiSys ’08; 2. CMU Thesis Proposal ’08; 3. HotNets ’07

Goal: obscure everything from third parties

[Table: comparison of protocols by property]

Columns: Unlinkability, Integrity, Authenticity, Efficiency, Confidentiality

Rows: 802.11 WPA; MAC Pseudonyms; Encrypt Everything; SlyFi: Discovery; SlyFi: Data

Cell labels: Data Only (three cells), Long Term (two cells)

• Problem: Packet sizes and timings reveal sensitive contents in encrypted packet streams (identity, videos…)

• Idea: Framework for masking side-channel leaks using signature-like rules for packet padding and cover traffic

Sudare: obscures side-channel leaks

Masking rules, performance constraints

Side-channel attack example

• Problem: Clients often need to communicate with new devices. How does a client know who to trust?

• Idea: Leverage transitive trust relationships and device reputation to automatically bootstrap keys

Tryst: obscures & automates bootstrapping

[Figure labels: 512 bytes, 128 bytes, ? bytes, ? bytes]

[Figure: Bootstrapping using transitive trust. Labels: “Alice’s Home”; Trust; Transitive Trust; Alice trusts bob.laptop; Alice trusts “Alice’s Home”; Alice’s secret; Find networks that Alice trusts; Attestation; Bootstrap; Automatic and private; tcpdump]

Tokens $T_i^{AB}$ and $T_j^{AB}$ are unlinkable if $i \neq j$

SlyFi protocol