Privacy, Discovery, and Authentication for the Internet of Things
David J. Wu (Stanford University), Ankur Taly (Google), Asim Shankar (Google), Dan Boneh (Stanford University)
The Internet of Things (IoT)
Lots of smart devices, but only useful if users can discover them!
Private Service Discovery
Many existing service discovery protocols: Multicast DNS (mDNS), Apple Bonjour, Bluetooth Low Energy (BLE)
A typical discovery protocol
Device owner's name / user ID revealed!
Device location revealed!
(Screenshot taken on a public wireless network)
Private Service Discovery
Each service specifies an authorization policy
[Figure: four services (Nanny Cam: Monitor | Setup; Philips Hue: Brightness; ADT Security: Manage; Door Lock: Unlock | Manage) shown for four users: Alice, Cleaning Service, Technician, Stranger]
Mutual privacy: privacy should also hold for devices trying to discover services!
Private Mutual Authentication
How to authenticate between mutually distrustful parties?
Bob: will only reveal identity to devices owned by Alice.
Security system: will only reveal identity to Alice's family members.
In most existing mutual authentication protocols (e.g., TLS, IKE, SIGMA), one party must reveal its identity first
Primary Protocol Requirements
• Mutual privacy: identities of protocol participants are only revealed to authorized recipients
• Lightweight: privacy should be as simple as setting a flag in key-exchange (as opposed to a separate protocol, e.g., using secret handshakes [BDSSSW03])
Identity and Authorization Model
Every party has a signing + verification key, and a collection of human-readable names bound to their public keys via a certificate chain
[Figure: names bound to a verification key, e.g. alice/family/bob/, alice/device/security/, popular_corp/prod/S1234]
Example names: alice/, alice/family/, alice/family/bob/, alice/family/charlie/, alice/device/, alice/device/security/
Authorization decisions expressed as prefix patterns
alice/family/bob/ (Policy: alice/devices/*)
alice/device/security/ (Policy: alice/family/*)
Protocol Construction
Starting Point: Diffie-Hellman Key Exchange
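$\mathbb{G}$: cyclic group of prime order $p$ with generator $g$
One party samples $x \xleftarrow{R} \mathbb{Z}_p$ and sends $g^x$; the other samples $y \xleftarrow{R} \mathbb{Z}_p$ and sends $g^y$. Both compute $g^{xy}$.
Shared key: $\mathrm{KDF}(g^x, g^y, g^{xy})$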
Secure Key Agreement: SIGMA-I Protocol [CK01]
Alice samples $x \xleftarrow{R} \mathbb{Z}_p$; Bob samples $y \xleftarrow{R} \mathbb{Z}_p$.
Alice → Bob: $g^x$
Bob → Alice: $g^y, \{\mathrm{ID}_B, \mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)\}_k$
($\mathrm{ID}_B$: Bob's certificate; $\mathrm{SIG}_B(\cdot)$: Bob's signature of the ephemeral DH exponents; $\{\cdot\}_k$: message encrypted and authenticated)
Alice → Bob: $\{\mathrm{ID}_A, \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
($\mathrm{ID}_A$: Alice's certificate; $\mathrm{SIG}_A(\cdot)$: Alice's signature; $\{\cdot\}_k$: message encrypted and authenticated)
$k$: session key derived from $g^x, g^y, g^{xy}$
Note: in the actual protocol, session ids are also included for replay prevention.
Properties of the SIGMA-I Protocol
• Mutual authentication against active network adversaries
• Hides server’s (Bob’s) identity from a passive attacker
• Hides client’s (Alice’s) identity from an active attacker
• Bob’s identity is revealed to an active attacker!
Chicken-and-egg problem: neither party wants to “go first” in the key exchange.
Prefix-Based Encryption
Public-key encryption scheme where ciphertexts are associated with a policy
PE.Encrypt takes the public parameters (mpk), a policy (e.g. alice/devices/*) and a message $m$, and outputs a ciphertext ct
Bob can encrypt a message with respect to a particular policy
To decrypt messages, users go to a (trusted) identity provider to obtain a decryption key for their identity
Bob can decrypt all messages with policies satisfied by his identity
[Figure labels: root authority (msk), $\mathsf{sk}_{\text{alice}}$, $\mathsf{sk}_{\text{alice/family/bob}}$]
Ciphertexts associated with policies and keys associated with identities
Secret key for alice/devices/security/ + ciphertext of $m$ under policy alice/devices/* → $m$
Decryption succeeds if policy is satisfied
Secret key for alice/devices/security/ + ciphertext of $m$ under policy eve/devices/* → $\perp$
Decryption fails if policy not satisfied
Can be leveraged for prefix-based policies
Policy: alice/devices/*
Bob encrypts his message to the policy alice/devices/*. Any user with an identity that begins with alice/devices/ can decrypt.
Can be built from identity-based encryption
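Added example (not from the slides or the authors' code): one way a prefix-encryption key can be assembled from identity-based encryption keys, so that alice/devices/security/ decrypts a ciphertext for alice/devices/* but not one for eve/devices/*. The key layout, the function names and the hash-based stand-in for IBE (which, unlike real IBE, needs the master secret to encrypt) are assumptions for illustration.

```python
import hashlib
import hmac
import os

def key_patterns(identity):
    """IBE identities whose keys make up the prefix key for `identity` (assumed layout)."""
    parts = identity.strip("/").split("/")
    prefixes = ["/".join(parts[:i]) + "/*" for i in range(1, len(parts))]
    return prefixes + ["/".join(parts)]

def ibe_extract(msk, ibe_id):
    # TOY stand-in for IBE key extraction; a real scheme is pairing-based.
    return hmac.new(msk, ibe_id.encode(), hashlib.sha256).digest()

def pe_keygen(msk, identity):
    """Identity provider: one IBE key per pattern the identity satisfies."""
    return [ibe_extract(msk, p) for p in key_patterns(identity)]

def _xor_stream(key, nonce, data):
    # Toy keystream: SHA-256 in counter mode (fine for short demo messages only).
    stream = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, nonce, body):
    return hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def pe_encrypt(msk, policy, message):
    # Real IBE encrypts under the public parameters (mpk); this toy needs msk.
    key = ibe_extract(msk, policy.rstrip("/"))
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, message)
    return nonce, body, _tag(key, nonce, body)

def pe_decrypt(secret_key, ciphertext):
    """Trial-decrypt with each component key; None plays the role of ⊥."""
    nonce, body, tag = ciphertext
    for key in secret_key:
        if hmac.compare_digest(tag, _tag(key, nonce, body)):
            return _xor_stream(key, nonce, body)
    return None

# Constructed sample values, not taken from the slides.
MSK = b"constructed-demo-master-secret"
SK_SECURITY = pe_keygen(MSK, "alice/devices/security/")
```

The decryption key grows by one IBE key per name component, and matching is per component, so an identity such as alice/devicesX/cam does not satisfy alice/devices/*.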
Private Mutual Authentication
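Alice samples $x \xleftarrow{R} \mathbb{Z}_p$; Bob samples $y \xleftarrow{R} \mathbb{Z}_p$.
Alice → Bob: $g^x$
Bob → Alice: $g^y, \{\mathrm{CT}_B, \mathrm{SIG}_B(\mathrm{CT}_B, g^x, g^y)\}_k$, where $\mathrm{CT}_B = \mathrm{PE.Enc}(\pi_B, \mathrm{ID}_B)$
Alice → Bob: $\{\mathrm{ID}_A, \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$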
Key idea: encrypt certificate using prefix-based encryption
• Privacy for Alice’s identity: Alice sends her identity only after verifying Bob’s identity
• Privacy for Bob’s identity: Only users with a key that satisfies Bob’s policy can decrypt his identity
Private Service Discovery
Prefix-based encryption can also be leveraged for private service discovery
See paper for details: http://arxiv.org/abs/1604.06959
Implementation and Benchmarks
• Integrated private mutual authentication and private service discovery protocols into the Vanadium open-source framework for building distributed applications
https://github.com/vanadium/
Comparison of private mutual authentication protocol with non-private SIGMA-I protocol
Note: x86 assembly optimizations for pairing curve operations available only on desktop

| | Intel Edison | Raspberry Pi | Nexus 5X | Desktop |
|---|---|---|---|---|
| SIGMA-I | 252.1 ms | 88.0 ms | 91.6 ms | 5.3 ms |
| Private Mutual Auth. | 1694.3 ms | 326.1 ms | 360.4 ms | 9.5 ms |
| Slowdown | 6.7x | 3.7x | 3.9x | 1.8x |
Conclusions
• Existing key-exchange and service discovery protocols do not provide privacy controls
• Prefix-based encryption can be combined very naturally with existing key-exchange protocols to provide privacy + authenticity
• Overhead of resulting protocol small enough that protocols can run on many existing devices
Thank you! https://arxiv.org/abs/1604.06959