asia-17-michalevsky-mashable (Black Hat Asia 2017 slide transcript)

MASHaBLE: Mobile Applications of Secret Handshakes over Bluetooth Low-Energy

Yan Michalevsky, Suman Nath, Jie Liu

Motivation

• Private communication
• Anonymous messaging
• Secret communities
• Location-based messaging
• Privacy-preserving IoT applications

Messaging Applications

• AfterSchool
• Yak

Server knows everything about the users.

Secret communities

• Members want to identify each other
• Do not want to be discovered by anyone not in the community
• Geo-location privacy
• Anonymous messaging and notification dissemination

"Trusted" Central Server

• The server becomes a target for attacks
• Communicating with the server can reveal affiliation

"Trusted" Central Server

• Internet connectivity is not always available

"Trusted" Central Server

• Also… GPS and cellular consume a lot of energy

[Figure: energy consumption compared across the suspended state, the idle state, and GPS use]

We want to…

• Avoid interaction with a server
• Use physical proximity
• Minimize energy consumption

Bluetooth Low-Energy (LE) sounds like a promising solution

Bluetooth LE

But first, the devices need to trust each other…

The problem with negotiating trust

• Alice is willing to reveal her credentials only to another party with certain clearance (needs to verify Bob's identity first)
• Bob is also willing to reveal his credentials only to another party with certain clearance (needs to verify Alice's identity first)
• No party is willing to reveal its credentials and provide a proof of their authenticity first

Properties of a Secret Handshake

• Parties do not know each other
• They perform a procedure that establishes trust
• If it fails, no information is gained by either party
• If it succeeds, the parties reveal membership in a group
• In addition, they can establish their respective roles in that group (cryptographic secret handshakes)

More applications of secret handshakes

• Using iBeacon for headcounting
• Like
• Currently exposes users and the event to tracking

Headcounting

• Exposes users to tracking
• Reveals information about the event/gathering
• How do we support private/secret events and provide privacy to attendants?

Secret handshake from pairings

• Based on Balfanz et al. [1]
• If the handshake succeeds, both parties have established an authenticated and encrypted communication channel
• If the handshake fails, no information is disclosed
• Collusion resistant: corrupted group members cannot collude to perform a handshake on behalf of a non-corrupted member
• Compact credentials, important for embedding into small packets

Pairings

We have elements $X \in G_1$ and $Y \in G_2$, where $G_1$, $G_2$ are groups over elliptic curves.

A pairing $e$ has the following property:

$e(aX, bY) = e(X, Y)^{ab}$

where $e(X, Y) \in G_T$.

Secret handshake from pairings

Master secret $t \in \mathbb{Z}_q$

Credential of A: $P_A = \text{"p93849"}$, $T_A = t \cdot H(P_A)$

Credential of B: $P_B = \text{"p12465"}$, $T_B = t \cdot H(P_B)$

The parties exchange pseudonyms: $P_B = \text{"p12465"}$, $P_A = \text{"p93849"}$

$K_A = e(H(P_B), T_A) = e(H(P_B), H(P_A))^{t}$

$K_B = e(T_B, H(P_A)) = e(H(P_B), H(P_A))^{t}$

Challenge-response under the derived keys:

A → B: $\mathit{Enc}_{K_A}(\mathit{challenge}_A)$

B → A: $\mathit{response}_A$, $\mathit{Enc}_{K_B}(\mathit{challenge}_B)$

A → B: $\mathit{response}_B$

Secret handshake from pairings (diagram)

Unlinkable Handshakes

• By tracking the pseudonym, an attacker can track the user
• Naïve solution:
  • Obtain multiple pseudonyms from the master party
  • Use a different pseudonym for each handshake

Unlinkable Secret Handshake

Master secret $t \in \mathbb{Z}_q$

$P_A \in G,\ T_A = t \cdot P_A$

$P_B \in G,\ T_B = t \cdot P_B$

B sends $s \cdot P_B$; A sends $r \cdot P_A$ (fresh random $r$, $s$ per handshake)

$K_A = e(s \cdot P_B,\ r \cdot T_A) = e(P_B, P_A)^{rst}$

$K_B = e(s \cdot T_B,\ r \cdot P_A) = e(P_B, P_A)^{rst}$

A → B: $\mathit{Enc}_{K_A}(\mathit{challenge}_A)$

B → A: $\mathit{response}_A$, $\mathit{Enc}_{K_B}(\mathit{challenge}_B)$

A → B: $\mathit{response}_B$

Unlinkable Secret Handshake (diagram)
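The following Python is an added illustration of the two handshakes above (the basic one with string pseudonyms and the unlinkable one with blinding factors r and s); it is not the MASHaBLE code nor an implementation of Balfanz et al. Because no pairing library is assumed, the pairing is a toy bilinear map e(x, y) = g^(xy) mod p over integer groups: it reproduces the algebra (bilinearity and the symmetry of a Type 1 pairing) but has no security at all, since "scalar multiplication" in Z_q is plain multiplication. The cipher behind Enc, the form of the responses, the key derivation and the master secret value are also assumptions, as the slides do not specify them. It shows two members deriving equal keys and passing the challenge-response, an outsider holding a credential issued under a different master secret failing, and the per-run blinding of the unlinkable variant.

```python
# Toy walk-through of the pairing-based secret handshake on the slides and of
# its unlinkable variant. Added example, not MASHaBLE or Balfanz et al. code.
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime, and g = 4 generating
# the order-q subgroup of Z_p^*. A real deployment uses a pairing-friendly
# elliptic curve (the slides use the PBC library for that).
P, Q, G = 2039, 1019, 4


def pairing(x, y):
    """Toy bilinear map e: Z_q x Z_q -> <g>, e(x, y) = g^(x*y) mod p.

    It satisfies e(a*x, b*y) == e(x, y)^(a*b) and is symmetric (Type 1 style),
    which is all the protocol algebra needs. It is NOT secure: "scalar
    multiplication" in Z_q is ordinary multiplication, so anyone can divide
    T = t*H(P) by H(P) and recover the master secret.
    """
    return pow(G, (x * y) % Q, P)


def hash_to_group(pseudonym):
    """H: hash an arbitrary string onto a nonzero element of the toy group."""
    h = int.from_bytes(hashlib.sha256(pseudonym.encode()).digest(), "big")
    return 1 + h % (Q - 1)


def issue_credential(master_secret, pseudonym):
    """Group authority: credential (P, T) with T = t * H(P)."""
    return pseudonym, (master_secret * hash_to_group(pseudonym)) % Q


def issue_unlinkable_credential(master_secret):
    """Unlinkable variant: P is a random group element, T = t * P."""
    p = secrets.randbelow(Q - 1) + 1
    return p, (master_secret * p) % Q


def kdf(group_element):
    """Derive a symmetric key from the G_T element both sides agree on (assumed KDF)."""
    return hashlib.sha256(b"toy-handshake|" + group_element.to_bytes(2, "big")).digest()


def derive_key(own_credential, peer_pseudonym):
    """K_A = e(H(P_B), T_A) = e(H(P_B), H(P_A))^t; B computes the mirror image."""
    _, t_own = own_credential
    return kdf(pairing(hash_to_group(peer_pseudonym), t_own))


def encrypt(key, message):
    """Stand-in for Enc_K (the slides do not fix a cipher): XOR with a hash pad."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(key + nonce).digest()[: len(message)]
    return nonce + bytes(m ^ k for m, k in zip(message, pad))


def decrypt(key, blob):
    nonce, ciphertext = blob[:16], blob[16:]
    pad = hashlib.sha256(key + nonce).digest()[: len(ciphertext)]
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def respond(challenge):
    """response = H(challenge): only a holder of the key can recover challenge."""
    return hashlib.sha256(b"response|" + challenge).digest()


def challenge_response(key_a, key_b):
    """Three-message tail of both handshakes; returns (A accepts, B accepts)."""
    challenge_a, challenge_b = secrets.token_bytes(16), secrets.token_bytes(16)
    msg1 = encrypt(key_a, challenge_a)                    # A -> B: Enc_KA(challenge_A)
    response_a = respond(decrypt(key_b, msg1))            # B -> A: response_A, ...
    msg2 = encrypt(key_b, challenge_b)                    #         ... Enc_KB(challenge_B)
    response_b = respond(decrypt(key_a, msg2))            # A -> B: response_B
    return response_a == respond(challenge_a), response_b == respond(challenge_b)


def handshake(cred_a, cred_b):
    """Basic handshake: pseudonyms P_A, P_B are exchanged in the clear."""
    return challenge_response(derive_key(cred_a, cred_b[0]), derive_key(cred_b, cred_a[0]))


def unlinkable_handshake(cred_a, cred_b):
    """A sends r*P_A and B sends s*P_B with fresh r, s, so two transcripts cannot
    be linked; K = e(s*P_B, r*T_A) = e(P_B, P_A)^(rst) = e(s*T_B, r*P_A)."""
    (p_a, t_a), (p_b, t_b) = cred_a, cred_b
    r, s = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    blinded_a, blinded_b = (r * p_a) % Q, (s * p_b) % Q   # the only values on the air
    key_a = kdf(pairing(blinded_b, (r * t_a) % Q))
    key_b = kdf(pairing((s * t_b) % Q, blinded_a))
    return challenge_response(key_a, key_b)


if __name__ == "__main__":
    t = 777                                          # constructed master secret
    alice, bob = issue_credential(t, "p93849"), issue_credential(t, "p12465")
    print("members:", handshake(alice, bob))          # (True, True)
    mallory = issue_credential(778, "p00001")         # issued under a different t
    print("outsider:", handshake(alice, mallory))     # (False, False)
```

The outsider case is the "if it fails, no information is gained" property in miniature: Mallory sees a pseudonym and an encrypted challenge she cannot open, and Alice sees a response that does not verify, so neither side learns more than "not a member". In the unlinkable variant the only values sent are r·P_A and s·P_B, which differ on every run, so an observer collecting advertisements cannot correlate two handshakes by the same device.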

Some details

• Need to hash arbitrary strings onto $G_2$
  • Supported by Type 1 or Type 3 pairings
• Group element sizes
  • 128-bit security: 256-bit group element size = 32 bytes
  • 80-bit security: 160-bit element size = 20 bytes

Tracking prevention

• Random device address for the Bluetooth source address field
• Set dynamically and changed across different connections

Pairing methods

• Just Works
  • Basically no MITM protection during the pairing phase
• Passkey entry
  • Proven to be quite weak [7]
• Out-of-Band (OOB): credentials provided by some other method

Proposal: New pairing mode (A ↔ B)

• Selection of pairing method
• Pairing Confirm (Mconfirm): $P_M$
• Pairing Confirm (Sconfirm): $P_S$, $\mathit{Challenge}_S$
• Pairing Random (Mrand): $\mathit{Response}_S$, $\mathit{Challenge}_M$
• Pairing Random (Srand): $\mathit{Response}_M$

Parties calculate the shared key using pairings; it serves as the STK.

Bluetooth LE Advertisements

• Scanning is supported by
  • Windows Phone
  • Android
  • iOS
• Publishing advertisements is supported on
  • Windows Phone 10
  • Android: Google Nexus 5X and on
  • Kits such as Cypress and Dialog

Bluetooth LE advertisements

• Bluetooth LE supports broadcasting advertisements
• Clients can scan and filter advertisements of specific types
• A little custom data can be squeezed in: 32 bytes
• On the Windows BTLE stack we currently can only control the Manufacturer Specific Data (AD type 0xFF): 20 bytes

Choice of platform

• Easy implementation of pairings
  • JPBC: Java port of the Stanford PBC library
• Support for BLE advertisement publishing
  • Android exposed the API but did not support advertising in practice at the time (but Nexus 5X and on do)
• Windows Phone
  • Supports scanning and advertising
  • Possible to scan and advertise at the same time

Implementation

• Windows Phone OS 10
• Failed attempt: porting JPBC to .NET
• Pairings and group operations using the Stanford PBC library
  • Ported to ARM + .NET wrapper (PbcProxy)
  • Used the MPIR library (Multi-Precision Integers and Rationals, compatible with GMP)
  • Adapted random number generation
• Communication between two phones is based on alternation between advertising and scanning

Evaluation: Functionality

• Two mobile phones running our app and performing handshakes
• Experiment duration: 8296 sec (2 hours 18 min)
• 1 handshake every 8 seconds
• Total 1068 handshakes
• 1025 succeeded, 43 failed. Success rate: 96%

Evaluation: Energy Consumption

• Nokia Lumia 920 running Windows Phone OS
• Starting with 100% charge, Wi-Fi and GPS off
• Modes:
  • Baseline
  • Advertising
  • Scanning
  • Advertising + handshake
  • Scanning + handshake
• Experiment duration: 3 hours

Evaluation: energy consumption

[Figure: percentage of battery drain per hour for each mode] Enables >12 hours of operation.

Communication overhead

• Advertisement packet: 47 bytes
• Each party sends 2 packets: 94 bytes

Future work

• Implementation for Android
  • New Nexus devices have sufficient BLE support
• Pairing preprocessing
  • For each handshake using the same credentials, preprocessing can be applied
  • Supported by the PBC library
• Use BLE-specific identifiers as handshake pseudonyms
  • Set a custom source device address
  • Would provide additional usable space for longer pseudonyms
• More Windows Universal applications using PbcProxy

Black Hat Sound Bytes

• Secret Handshakes: a provably secure primitive with useful applications
• We can easily achieve better security and privacy for mobile and IoT
• Evaluation shows the application is fit for practical use on mobile devices

Thanks for attending!

Questions?

Related work

• Automatic Trust Negotiation (ATN)
• Attribute-Based Encryption (ABE)
  • Decryption is possible if a party is certified as possessing certain attributes by an authority
• Secret handshakes [1]
  • Each party receives a certificate from a central authority
• Hidden credentials [2]
  • Protect the messages using policies that require possession of multiple credentials
• Oblivious Signature-Based Envelope (OSBE) [8]
  • Allows certificates issued by different authorities
• Secret handshakes from CA-oblivious encryption [9]
• Unlinkable secret handshakes and key-private group key management schemes [10]

References

1. Secret handshakes from pairing-based key agreements [Balfanz et al. 2003]
2. Hidden credentials [Holt et al. 2003]
3. Authenticated Identity-Based Encryption [Lynn 2002]
4. How tracking customers in stores will soon be norm
5. How retail stores track you using your smartphone (and how to stop it)
6. Apple is quietly making its move to own in-store digital tracking
7. Bluetooth: With Low Energy comes Low Security [Ryan 2013]
8. Oblivious Signature-Based Envelope [Li et al. 2003]
9. Secret handshakes from CA-oblivious encryption [Castelluccia et al. 2004]
10. Unlinkable secret handshakes and key-private group key management schemes [Jarecki et al. 2007]
