MASHaBLE: Mobile Applications of Secret Handshakes over Bluetooth Low-Energy
Yan Michalevsky, Suman Nath, Jie Liu

Motivation
• Private communication
• Anonymous messaging
• Secret communities
• Location-based messaging
• Privacy-preserving IoT applications

Messaging Applications
After School

Yak Server knows everything about the users

Secret communities
• Members want to identify each other
• Do not want to be discovered by anyone not in the community
• Geo-location privacy
• Anonymous messaging and notifications dissemination

“Trusted” Central Server
• The server becomes a target for attacks
• Communicating with the server can reveal affiliation

“Trusted” Central Server
Internet connectivity is not always available

“Trusted” Central Server
Also… GPS and cellular consume a lot of energy
(Figure labels: suspended state, idle state, GPS)

We want to…
• Avoid interaction with a server
• Use physical proximity
• Minimize energy consumption
Bluetooth Low-Energy (LE) sounds like a promising solution

Bluetooth LE
But first, the devices need to trust each other…

The problem with negotiating trust
• Alice is willing to reveal her credentials only to another party with a certain clearance (needs to verify Bob’s identity first)
• Bob is also willing to reveal his credentials only to another party with a certain clearance (needs to verify Alice’s identity first)
• Neither party is willing to reveal its credentials and provide a proof of their authenticity first

Properties of a Secret Handshake
• Parties do not know each other
• They perform a procedure that establishes trust
• If it fails – no information is gained by either party
• If it succeeds – parties reveal membership in a group
• In addition, they can establish respective roles in that group (cryptographic secret handshakes)

More applications of secret handshakes
• Using iBeacon for headcounting
• Like
• Currently exposes users and the event to tracking

Headcounting
• Exposes users to tracking
• Reveals information about the event/gathering
• How do we support private/secret events and provide privacy to attendees?

Secret handshake from pairings
• Based on Balfanz et al. [1]
• If handshake succeeds – both parties have established an authenticated and encrypted communication channel
• If handshake fails – no information is disclosed
• Collusion resistant
  • Corrupted group members cannot collude to perform a handshake of a non-corrupted member
• Compact credentials – important for embedding into small packets

Pairings
We have elements $X \in G_1$ and $Y \in G_2$, where $G_1, G_2$ are groups over elliptic curves.
A pairing $e$ has the following property:
$$e(aX, bY) = e(X, Y)^{ab}$$
where $e(X, Y) \in G_T$

Secret handshake from pairings
Master secret $t \in \mathbb{Z}_q$
$P_A$ = "p93849", $T_A$
$T_A = t \cdot H(P_A)$
$P_B$ = "p12465", $T_B$
$T_B = t \cdot H(P_B)$

Secret handshake from pairings
B → A: $P_B$ = "p12465"
A → B: $P_A$ = "p93849"
$$K_A = e(H(P_B), T_A) = e(H(P_B), H(P_A))^{t}$$
$$K_B = e(T_B, H(P_A)) = e(H(P_B), H(P_A))^{t}$$
A → B: $\mathrm{Enc}_{K_A}(\mathit{challenge}_A)$
B → A: $\mathit{response}_A$, $\mathrm{Enc}_{K_B}(\mathit{challenge}_B)$
A → B: $\mathit{response}_B$

Unlinkable Handshakes
• By tracking the pseudonym an attacker can track the user
• Naïve solution:
  • Obtain multiple pseudonyms from master party
  • Use a different pseudonym for each handshake

Unlinkable Secret Handshake
Master secret $t \in \mathbb{Z}_q$
$P_A \in G$, $T_A = t \cdot P_A$
$P_B \in G$, $T_B = t \cdot P_B$

Unlinkable Secret Handshake
B → A: $s \cdot P_B$
A → B: $r \cdot P_A$
$$K_A = e(s \cdot P_B, r \cdot T_A) = e(P_B, P_A)^{rst}$$
$$K_B = e(s \cdot T_B, r \cdot P_A) = e(P_B, P_A)^{rst}$$
A → B: $\mathrm{Enc}_{K_A}(\mathit{challenge}_A)$
B → A: $\mathit{response}_A$, $\mathrm{Enc}_{K_B}(\mathit{challenge}_B)$
A → B: $\mathit{response}_B$
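
The basic handshake and its unlinkable variant from the slides above, run end to end as an added example (not the authors' PbcProxy code). It assumes a toy bilinear map over small integers in place of an elliptic-curve pairing, so it shows the algebra only and offers no security; an HMAC over the challenge stands in for the slides' Enc_K(challenge), and all function names and parameters are hypothetical.

```python
# Added example: toy model only. A real deployment uses an elliptic-curve
# pairing library; this integer map is bilinear but offers NO security.
import hashlib, hmac, secrets

Q = 1019         # constructed toy prime group order
P = 2 * Q + 1    # 2039 is prime, so 4 generates the order-Q subgroup mod P
GEN = 4

def H(pseudonym: str) -> int:
    """Hash a string onto the toy group (Z_Q, +), never onto the identity 0."""
    digest = hashlib.sha256(pseudonym.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def e(x: int, y: int) -> int:
    """Toy symmetric pairing with e(aX, bY) = e(X, Y)^(ab)."""
    return pow(GEN, (x * y) % Q, P)

def issue(t: int, pseudonym: str):
    """Master party with secret t hands out (P, T = t * H(P))."""
    return pseudonym, (t * H(pseudonym)) % Q

def session_key(peer_pseudonym: str, own_cred: int) -> bytes:
    """K = e(H(P_peer), T_own) = e(H(P_peer), H(P_own))^t, hashed to bytes."""
    k = e(H(peer_pseudonym), own_cred)
    return hashlib.sha256(k.to_bytes(2, "big")).digest()

def _mac(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def handshake(member_a, member_b) -> bool:
    """Exchange pseudonyms, then challenge/response in both directions.
    Succeeds only if both credentials come from the same master secret."""
    (p_a, cred_a), (p_b, cred_b) = member_a, member_b
    k_a, k_b = session_key(p_b, cred_a), session_key(p_a, cred_b)
    ch_a, ch_b = secrets.token_bytes(16), secrets.token_bytes(16)
    resp_a = _mac(k_b, ch_a)                   # B answers A's challenge
    resp_b = _mac(k_a, ch_b)                   # A answers B's challenge
    a_accepts = hmac.compare_digest(resp_a, _mac(k_a, ch_a))
    b_accepts = hmac.compare_digest(resp_b, _mac(k_b, ch_b))
    return a_accepts and b_accepts

def unlinkable_run(p_a: int, cred_a: int, p_b: int, cred_b: int):
    """Unlinkable variant: pseudonyms are group elements, blinded per run."""
    r = 1 + secrets.randbelow(Q - 1)           # A's fresh blinding factor
    s = 1 + secrets.randbelow(Q - 1)           # B's fresh blinding factor
    sent_a, sent_b = (r * p_a) % Q, (s * p_b) % Q   # only these go on the air
    k_a = e(sent_b, (r * cred_a) % Q)          # e(s*P_B, r*T_A)
    k_b = e((s * cred_b) % Q, sent_a)          # e(s*T_B, r*P_A)
    return sent_a, sent_b, k_a, k_b
```

In this toy group the master secret can be recovered from any credential by a modular division, which is exactly the property an elliptic-curve group is chosen to rule out.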

Some details
• Need to hash arbitrary strings onto $G_2$
  • Supported by Type 1 or Type 3 pairings
• Group element sizes
  • 128-bit security: 256-bit group element size = 32 bytes
  • 80-bit security: 160-bit element size = 20 bytes

Tracking prevention
• Random device address for Bluetooth source address field
• Set dynamically and changed across different connections

Pairing methods
• Just Works
  • Basically no MITM protection during pairing phase
• Passkey entry
  • Proven to be quite weak [7]
• Out-of-Band (OOB) – credentials provided by some other method

Proposal: New pairing mode
Parties: A, B
Selection of pairing method
A → B: Pairing Confirm (Mconfirm) – $P_A$
B → A: Pairing Confirm (Sconfirm) – $P_B$, $\mathit{Challenge}_B$
A → B: Pairing Random (Mrand) – $\mathit{Response}_B$, $\mathit{Challenge}_A$
B → A: Pairing Random (Srand) – $\mathit{Response}_A$
Parties calculate shared key using pairings – serves as STK

Bluetooth LE Advertisements
• Scanning is supported by
  • Windows Phone
  • Android
  • iOS
• Publishing advertisements is supported on
  • Windows Phone 10
  • Android: Google Nexus 5X and on
  • Kits such as Cypress and Dialog

Bluetooth LE advertisements
• Bluetooth LE supports broadcasting advertisements
• Clients can scan and filter advertisements of specific types
• A little custom data can be squeezed in – 32 bytes
• On Windows BTLE stack we currently can only control the Manufacturer Specific Data (AD type 0xFF) – 20 bytes

Choice of platform
• Easy implementation of pairings
  • JPBC – Java port of Stanford PBC library
• Support for BLE advertisement publishing
  • Android exposed the API but did not support advertising in practice at the time (but Nexus 5X and on do)
• Windows Phone
  • Supports scanning and advertising
  • Possible to scan and advertise at the same time

Implementation
• Windows Phone OS 10
• Failed attempt: porting JPBC to .NET
• Pairings and group operations using Stanford PBC library
  • Ported to ARM + .NET wrapper (PbcProxy)
  • Used MPIR library (Multi-Precision Integers and Rationals, compatible with GMP)
  • Adapted random number generation
• Communication between two phones is based on alternation between advertising and scanning

Evaluation: Functionality
• Two mobile phones running our app and performing handshakes
• Experiment duration: 8296 sec = 2 hours 18 sec
• 1 handshake every 8 seconds
• Total 1068 handshakes
• 1025 succeeded, 43 failed. Success rate: 96%

Evaluation: Energy Consumption
• Nokia Lumia 920 running Windows Phone OS
• Starting with 100% charge, Wi-Fi and GPS off
• Modes:
  • Baseline
  • Advertising
  • Scanning
  • Advertising + handshake
  • Scanning + handshake
• Experiment duration: 3 hours

Evaluation: energy consumption
Percentage of battery drain/hour. Enables >12 hours of operation.

Communication overhead
• Advertisement packet: 47 bytes
• Each party sends 2 packets: 94 bytes

Future work
• Implementation for Android
  • New Nexus devices have sufficient BLE support
• Pairing preprocessing
  • For each handshake using the same credentials preprocessing can be applied
  • Supported by PBC library
• Use BLE specific identifiers as handshake pseudonyms
  • Set a custom source device address
  • Would provide additional usable space for longer pseudonyms
• More Windows Universal applications using PbcProxy

Black Hat Sound Bytes
• Secret Handshakes – a provably secure primitive with useful applications
• We can easily achieve better security and privacy for mobile and IoT
• Evaluation shows the application is fit for practical use in mobile devices

Thanks for attending!
Questions?

Related work
• Automatic Trust Negotiation (ATN)
• Attribute-Based Encryption (ABE)
  • Decryption is possible if party is certified as possessing certain attributes by an authority
• Secret handshakes [1]
  • Each party receives a certificate from a central authority
• Hidden credentials [2]
  • Protect the messages using policies that require possession of multiple credentials
• Oblivious Signature-Based Envelope (OSBE) [8]
  • Allows certificates issued by different authorities
• Secret handshakes from CA-oblivious encryption [9]
• Unlinkable secret handshakes and key-private group key management schemes [10]

References
1. Secret handshakes from pairing-based key agreements [Balfanz et al. 2003]
2. Hidden credentials [Holt et al. 2003]
3. Authenticated Identity-Based Encryption [Lynn 2002]
4. How tracking customers in stores will soon be norm
5. How retail stores track you using your smartphone (and how to stop it)
6. Apple is quietly making its move to own in-store digital tracking
7. Bluetooth: With Low Energy comes Low Security [Ryan 2013]
8. Oblivious Signature-Based Envelope [Li et al. 2003]
9. Secret handshakes from CA-oblivious encryption [Castelluccia et al. 2004]
10. Unlinkable secret handshakes and key-private group key management schemes [Jarecki et al. 2007]