TRANSCRIPT
MASHaBLE: Mobile Applications of Secret Handshakes over Bluetooth Low-Energy
Yan Michalevsky, Suman Nath, Jie Liu
Motivation
• Private communication
• Anonymous messaging
• Secret communities
• Location-based messaging
• Privacy-preserving IoT applications
Messaging Applications
• AfterSchool
• Yak
• Server knows everything about the users
Secret communities
• Members want to identify each other
• Do not want to be discovered by anyone not in the community
• Geo-location privacy
• Anonymous messaging and notifications dissemination
“Trusted” Central Server
• The server becomes a target for attacks
• Communicating with the server can reveal affiliation
“Trusted” Central Server
• Internet connectivity is not always available
“Trusted” Central Server
• Also… GPS and cellular consume a lot of energy
[Chart: energy consumption in suspended state, idle state, and with GPS]
We want to…
• Avoid interaction with a server
• Use physical proximity
• Minimize energy consumption
Bluetooth Low-Energy (LE) sounds like a promising solution
Bluetooth LE
• But first, the devices need to trust each other…
The problem with negotiating trust
• Alice is willing to reveal her credentials only to another party with certain clearance (needs to verify Bob’s identity first)
• Bob is also willing to reveal his credentials only to another party with certain clearance (needs to verify Alice’s identity first)
• No party is willing to reveal its credentials and provide a proof of their authenticity first

Properties of a Secret Handshake
• Parties do not know each other
• They perform a procedure that establishes trust
• If it fails, no information is gained by either party
• If it succeeds, parties reveal membership in a group
• In addition, they can establish respective roles in that group (cryptographic secret handshakes)
More applications of secret handshakes
• Using iBeacon for head counting
• Like
• Currently exposes users and event to tracking

Head counting
• Exposes users to tracking
• Reveals information about the event/gathering
• How do we support private/secret events and provide privacy to attendants?
Secret handshake from pairings
• Based on Balfanz et al. [1]
• If handshake succeeds, both parties have established an authenticated and encrypted communication channel
• If handshake fails, no information is disclosed
• Collusion resistant: corrupted group members cannot collude to perform a handshake of a non-corrupted member
• Compact credentials, important for embedding into small packets
Pairings
We have elements $X \in G_1$ and $Y \in G_2$, where $G_1, G_2$ are groups over elliptic curves.
A pairing $e$ has the following property:
$e(aX, bY) = e(X, Y)^{ab}$
where $e(X, Y) \in G_T$.
Secret handshake from pairings
Master secret $t \in \mathbb{Z}_q$
Alice holds $(P_A = \text{"p93849"},\ T_A)$ with $T_A = t \cdot H(P_A)$
Bob holds $(P_B = \text{"p12465"},\ T_B)$ with $T_B = t \cdot H(P_B)$
Exchanged pseudonyms: $P_B = \text{"p12465"}$, $P_A = \text{"p93849"}$
$K_A = e(H(P_B), T_A) = e(H(P_B), H(P_A))^t$
$K_B = e(T_B, H(P_A)) = e(H(P_B), H(P_A))^t$
Challenge-response under the derived keys:
$\mathrm{Enc}_{K_A}(\mathit{challenge}_A)$
$\mathit{response}_A,\ \mathrm{Enc}_{K_B}(\mathit{challenge}_B)$
$\mathit{response}_B$
Unlinkable Handshakes
• By tracking the pseudonym an attacker can track the user
• Naïve solution:
  • Obtain multiple pseudonyms from master party
  • Use a different pseudonym for each handshake
Unlinkable Secret Handshake
Master secret $t \in \mathbb{Z}_q$
$P_A \in G,\ T_A = t \cdot P_A$ and $P_B \in G,\ T_B = t \cdot P_B$
Exchanged blinded pseudonyms: $s \cdot P_B$, $r \cdot P_A$
$K_A = e(s \cdot P_B,\ r \cdot T_A) = e(P_B, P_A)^{srt}$
$K_B = e(s \cdot T_B,\ r \cdot P_A) = e(P_B, P_A)^{srt}$
Challenge-response under the derived keys:
$\mathrm{Enc}_{K_A}(\mathit{challenge}_A)$
$\mathit{response}_A,\ \mathrm{Enc}_{K_B}(\mathit{challenge}_B)$
$\mathit{response}_B$
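The two handshake slides above (the basic one and the unlinkable one) carried through as a runnable exchange. This is an added example, not the authors' code: the pairing is a constructed toy (group elements written as scalar multiples of one generator, $e(aP, bP) = g^{ab}$ in $\mathbb{Z}_p^*$), which reproduces the key-agreement algebra but has no security, and the $\mathrm{Enc}$/response construction is an assumption since the slides do not specify it.

```python
import hashlib
import hmac
import secrets

# Toy bilinear map, constructed for illustration only (no security: discrete logs are
# trivial here). A point a*P of G is represented by the scalar a mod q, and
# e(a*P, b*P) = g^(a*b) in Z_p* with q | p-1, so the map is bilinear.
P_MOD, Q_ORD, GEN_T = 1019, 509, 4   # 1018 = 2*509; 4 is a square mod 1019, so it has order 509

def pair(x, y):
    """e(x*P, y*P) = g^(x*y); satisfies e(a*X, b*Y) = e(X, Y)^(a*b)."""
    return pow(GEN_T, (x * y) % Q_ORD, P_MOD)

def issue_credential(t):
    """Master party (holds t) gives a member a pseudonym P_X in G and the credential T_X = t*P_X."""
    p_x = secrets.randbelow(Q_ORD - 1) + 1
    return p_x, (t * p_x) % Q_ORD

def derive_key(own_blind, own_cred, peer_blinded):
    """K = e(peer's blinded pseudonym, own_blind * T_own); both sides reach e(P_B, P_A)^(s*r*t)."""
    k = pair(peer_blinded, (own_blind * own_cred) % Q_ORD)
    return hashlib.sha256(k.to_bytes(2, "big")).digest()

def enc(key, direction, msg):
    """Enc_K as assumed here: XOR with a key-derived stream, domain-separated per direction."""
    stream = hashlib.sha256(key + direction).digest()
    return bytes(m ^ s for m, s in zip(msg, stream))

def respond(key, direction, ciphertext):
    """Decrypt the peer's challenge and answer with a MAC over it under the derived key."""
    return hmac.new(key, enc(key, direction, ciphertext), hashlib.sha256).digest()

def run_handshake(cred_a, cred_b):
    """Unlinkable handshake: fresh blinding r, s per run, then mutual challenge-response."""
    (p_a, t_a), (p_b, t_b) = cred_a, cred_b
    r, s = secrets.randbelow(Q_ORD - 1) + 1, secrets.randbelow(Q_ORD - 1) + 1
    r_pa, s_pb = (r * p_a) % Q_ORD, (s * p_b) % Q_ORD   # the only values sent in clear; fresh every run
    k_a = derive_key(r, t_a, s_pb)                      # A: e(s*P_B, r*T_A)
    k_b = derive_key(s, t_b, r_pa)                      # B: e(s*T_B, r*P_A)
    c_a, c_b = secrets.token_bytes(16), secrets.token_bytes(16)
    resp_a = respond(k_b, b"A->B", enc(k_a, b"A->B", c_a))   # B answers Enc_KA(challenge_A)
    resp_b = respond(k_a, b"B->A", enc(k_b, b"B->A", c_b))   # A answers Enc_KB(challenge_B)
    ok_a = hmac.compare_digest(resp_a, hmac.new(k_a, c_a, hashlib.sha256).digest())
    ok_b = hmac.compare_digest(resp_b, hmac.new(k_b, c_b, hashlib.sha256).digest())
    return ok_a and ok_b   # True only if both credentials were issued under the same master secret
```

A peer holding a credential under a different master secret derives a different key, so its response fails verification and the initiator's encrypted challenge is the only thing it ever saw.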
Some details
• Need to hash arbitrary strings onto $G_2$
  • Supported by Type 1 or Type 3 pairings
• Group element sizes
  • 128-bit security: 256-bit group element size = 32 bytes
  • 80-bit security: 160-bit element size = 20 bytes
Tracking prevention
• Random device address for Bluetooth source address field
• Set dynamically and changed across different connections
Pairing methods
• Just Works
  • Basically no MITM protection during pairing phase
• Passkey entry
  • Proven to be quite weak [7]
• Out-of-Band (OOB): credentials provided by some other method
Proposal: New pairing mode
Message flow between A and B:
• Selection of pairing method
• PairingConfirm (Mconfirm): $P_M$
• PairingConfirm (Sconfirm): $P_S$, $\mathit{Challenge}_S$
• PairingRandom (Mrand): $\mathit{Response}_S$, $\mathit{Challenge}_M$
• PairingRandom (Srand): $\mathit{Response}_M$
• Parties calculate shared key using pairings; serves as STK
Bluetooth LE Advertisements
• Scanning is supported by
  • Windows Phone
  • Android
  • iOS
• Publishing advertisements is supported on
  • Windows Phone 10
  • Android: Google Nexus 5X and on
  • Kits such as Cypress and Dialog
Bluetooth LE advertisements
• Bluetooth LE supports broadcasting advertisements
• Clients can scan and filter advertisements of specific types
• A little custom data can be squeezed in: 32 bytes
• On Windows BTLE stack we currently can only control the Manufacturer Specific Data (AD type 0xFF): 20 bytes
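How a handshake element rides inside an advertisement, as an added example that is not the authors' code: it packs a payload into a Manufacturer Specific Data (AD type 0xFF) structure, parses the length/type/data layout on the scanning side, and enforces the 20-byte Windows limit named above, which is why the 20-byte (80-bit security) element fits while the 32-byte (128-bit) one does not. The company identifier 0xFFFF is a placeholder (the value reserved for testing), not an assignment of the project.

```python
AD_FLAGS, AD_MANUFACTURER_SPECIFIC = 0x01, 0xFF
ADV_DATA_MAX = 31        # AdvData field of a legacy advertising PDU
WINDOWS_MSD_MAX = 20     # manufacturer-specific payload controllable on the Windows BTLE stack
COMPANY_ID = 0xFFFF      # placeholder: reserved test identifier, assumed here

def build_adv_data(payload, company_id=COMPANY_ID, windows_limit=True):
    """Flags AD structure plus one Manufacturer Specific Data structure carrying payload."""
    if windows_limit and len(payload) > WINDOWS_MSD_MAX:
        raise ValueError(f"{len(payload)}-byte payload exceeds the {WINDOWS_MSD_MAX}-byte Windows limit")
    flags = bytes([2, AD_FLAGS, 0x06])                    # length 2 = type byte + one data byte
    msd = (bytes([3 + len(payload), AD_MANUFACTURER_SPECIFIC])   # length = type + company id + payload
           + company_id.to_bytes(2, "little") + payload)
    adv = flags + msd
    if len(adv) > ADV_DATA_MAX:
        raise ValueError(f"{len(adv)} bytes do not fit the {ADV_DATA_MAX}-byte AdvData field")
    return adv

def parse_adv_data(adv):
    """Walk the length/type/data structures of AdvData; returns {ad_type: data}."""
    out, i = {}, 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                      # zero length: the rest is padding
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        out[adv[i + 1]] = bytes(adv[i + 2:i + 1 + length])
        i += 1 + length
    return out

def extract_pseudonym(adv, company_id=COMPANY_ID):
    """Scanner-side filter: return the element carried under our company id, else None."""
    msd = parse_adv_data(adv).get(AD_MANUFACTURER_SPECIFIC)
    if msd is None or len(msd) < 2 or int.from_bytes(msd[:2], "little") != company_id:
        return None
    return msd[2:]

def on_air_bytes(adv):
    """Preamble (1) + access address (4) + PDU header (2) + AdvA (6) + AdvData + CRC (3)."""
    return 1 + 4 + 2 + 6 + len(adv) + 3
```

With a full 31-byte AdvData field, on_air_bytes gives 47, the per-packet figure the evaluation reports for communication overhead.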
Choice of platform
• Easy implementation of pairings
  • JPBC: Java port of Stanford PBC library
• Support for BLE advertisement publishing
  • Android exposed the API but did not support advertising in practice at the time (but Nexus 5S and on do)
• Windows Phone
  • Supports scanning and advertising
  • Possible to scan and advertise at the same time
Implementation
• Windows Phone OS 10
• Failed attempt: porting JPBC to .NET
• Pairings and group operations using Stanford PBC library
  • Ported to ARM + .NET wrapper (PbcProxy)
  • Used MPIR library (Multi-Precision Integers and Rationals, compatible with GMP)
  • Adapted random number generation
• Communication between two phones is based on alternation between advertising and scanning
Evaluation: Functionality
• Two mobile phones running our app and performing handshakes
• Experiment duration: 8296 sec = 2 hours 18 sec
• 1 handshake every 8 seconds
• Total 1068 handshakes
• 1025 succeeded, 43 failed. Success rate: 96%
Evaluation: Energy Consumption
• Nokia Lumia 920 running Windows Phone OS
• Starting with 100% charge, Wi-Fi and GPS off
• Modes:
  • Baseline
  • Advertising
  • Scanning
  • Advertising + handshake
  • Scanning + handshake
• Experiment duration: 3 hours

Evaluation: energy consumption
[Chart: percentage of battery drain per hour for each mode. Enables >12 hours of operation.]
Communication overhead
• Advertisement packet: 47 bytes
• Each party sends 2 packets: 94 bytes
Future work
• Implementation for Android
  • New Nexus devices have sufficient BLE support
• Pairing preprocessing
  • For each handshake using the same credentials, preprocessing can be applied
  • Supported by PBC library
• Use BLE-specific identifiers as handshake pseudonyms
  • Set a custom source device address
  • Would provide additional usable space for longer pseudonyms
• More Windows Universal applications using PbcProxy
Black Hat Sound Bytes
• Secret Handshakes: a provably secure primitive with useful applications
• We can easily achieve better security and privacy for mobile and IoT
• Evaluation shows the application is fit for practical use in mobile devices

Thanks for attending!
Questions?
Related work
• Automatic Trust Negotiation (ATN)
• Attribute-Based Encryption (ABE)
  • Decryption is possible if party is certified as possessing certain attributes by an authority
• Secret handshakes [1]
  • Each party receives a certificate from a central authority
• Hidden credentials [2]
  • Protect the messages using policies that require possession of multiple credentials
• Oblivious Signature-Based Envelope (OSBE) [8]
  • Allows certificates issued by different authorities
• Secret handshakes from CA-oblivious encryption [9]
• Unlinkable secret handshakes and key-private group key management schemes [10]
References
1. Secret handshakes from pairing-based key agreements [Balfanz et al. 2003]
2. Hidden credentials [Holt et al. 2003]
3. Authenticated Identity-Based Encryption [Lynn 2002]
4. How tracking customers in stores will soon be norm
5. How retail stores track you using your smartphone (and how to stop it)
6. Apple is quietly making its move to own in-store digital tracking
7. Bluetooth: With Low Energy comes Low Security [Ryan 2013]
8. Oblivious Signature-Based Envelope [Li et al. 2003]
9. Secret handshakes from CA-oblivious encryption [Castelluccia et al. 2004]
10. Unlinkable secret handshakes and key-private group key management schemes [Jarecki et al. 2007]