MASHaBLEMobileApplicationsofSecretHandshakesoverBluetoothLow-Energy

YanMichalevsky,SumanNath,Jie Liu

MOTIVATION• Privatecommunication

• Anonymousmessaging

• Secretcommunities

• Location-basedmessaging

• PrivacypreservingIoT applications

MESSAGINGAPPLICATIONS

Signal

AfterSchool

SECRETCOMMUNITIES▪ Memberswantidentifyeachother

▪ Donotwanttobediscoveredbyanyonenotinthecommunity

▪ Geo-locationprivacy

▪ Anonymousmessagingandnotificationsdissemination

“TRUSTED”CENTRALSERVER

Theserverbecomesatargetforattacks

“TRUSTED”CENTRALSERVER

Internetconnectivityisnotalwaysavailable

“TRUSTED”CENTRALSERVERAlso…GPSandcellularconsumealotofenergy

Suspendedstate Idlestate

GPS

WEWANTTO…▪ Avoidinteractionwithaserver

▪ Usephysicalproximity

▪ Minimizeenergyconsumption

BluetoothLow-Energy(LE)soundslikeapromisingsolution

THEPROBLEMWITHNEGOTIATINGTRUST

▪ Aliceiswillingtorevealitscredentialsonlytoanotherpartywithcertainclearance(needstoverifyBob’sidentityfirst)

▪ Bobisalsowillingtorevealitscredentialsonlytoanotherpartywithcertainclearance(needstoverifyAlice’sidentityfirst)

▪ Nopartyiswillingtorevealitscredentialsandprovideaproofoftheirauthenticityfirst

SECRETHANDSHAKEPROPERTIES▪ Partiesdonoknoweachother

▪ Theyperformaprocedurethatestablishestrust

▪ Ifitfails– noinformationisgainedbyeitherparty

▪ Ifitsucceeds– partiesrevealmembershipinagroup▪ Inaddition, theycanestablish respectiverolesinthatgroup

(cryptographicsecrethandshakes)

MOREAPPLICATIONS

UsingiBeacon forheadcounting

Carcontrol:Unlock,locate

HEADCOUNTING

• Exposesuserstotracking

• Revealsinformationabouttheevent/gathering

• Howdowesupportprivate/secreteventsandprovideprivacytoattendants?

CARCONTROLHowdowepreventcaranddrivertracking?

SECRETHANDSHAKEFROMPAIRINGS▪ BasedonBalfanzetal.[1]

▪ Ifhandshakesucceeds– bothpartieshaveestablishedanauthenticatedandencryptedcommunicationchannel

▪ Ifhandshakefails– noinformationisdisclosed

▪ Collusionresistant▪ Corrupted groupmemberscannot colludetoperformahandshake ofanon-

corruptedmember

▪ Compactcredentials– importantforembeddingintosmallpackets

PAIRINGSWehaveelements𝑋 ∈ G$ and𝑌 ∈ G& whereG$,G& arealgebraicgroups.

Apairing𝑒 hasthefollowingproperty

𝑒 𝑎𝑋, 𝑏𝑌 = 𝑒 𝑋, 𝑌 ,-

Wheree 𝑋,𝑌 ∈ 𝐺0

SECRETHANDSHAKEFROMPAIRINGSMastersecret

𝑡 ∈ 𝑍:

𝑃< = "p93849",𝑇<

𝑇< = 𝑡 ⋅ 𝐻(𝑃<)

𝑃C = "p12465",𝑇C

𝑇C = 𝑡 ⋅ 𝐻(𝑃C)

SECRETHANDSHAKEFROMPAIRINGSMastersecret

𝑡 ∈ 𝑍:

𝑃< = "p93849",𝑇<

𝑇< = 𝑡 ⋅ 𝐻 𝑃<

𝑃C = "p12465",𝑇C

𝑇C = 𝑡 ⋅ 𝐻(𝑃C)

SECRETHANDSHAKEFROMPAIRINGS

𝑃C = "p12465"

𝑃< = "p93849"

𝐾< = 𝑒 𝐻 𝑃C , 𝑇< = 𝑒 𝐻 𝑃C ,𝐻(𝑃<) F 𝐾C = 𝑒 𝑇C,𝐻 𝑃< = 𝑒(𝐻(𝑃C),𝐻 𝑃< )F

𝐸𝑛𝑐JK(𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒<)

𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒<,𝐸𝑛𝑐JS 𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒C

𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒C

UNLINKABLEHANDSHAKES▪ Bytrackingthepseudonymanattackercantracktheuser

▪ Naïvesolution:▪ Obtainmultiplepseudonyms frommasterparty

▪ Useadifferentpseudonym foreachhandshake

UNLINKABLESECRETHANDSHAKEMastersecret

𝑡 ∈ 𝑍:

𝑃< ∈ 𝐺,𝑇< = 𝑡 ⋅ 𝑃< 𝑃C ∈ 𝐺, 𝑇C = 𝑡 ⋅ 𝑃C

UNLINKABLESECRETHANDSHAKEMastersecret

𝑡 ∈ 𝑍:

𝑃< ∈ 𝐺,𝑇< = 𝑡 ⋅ 𝑃< 𝑃C ∈ 𝐺, 𝑇C = 𝑡 ⋅ 𝑃C

UNLINKABLESECRETHANDSHAKE

𝑠 ⋅ 𝑃C

𝑟 ⋅ 𝑃<

𝐾< = 𝑒 𝑠 ⋅ 𝑃C, 𝑟 ⋅ 𝑇< = 𝑒 𝑃C,𝑃< TUF 𝐾C = 𝑒 𝑠 ⋅ 𝑇C, 𝑟 ⋅ 𝑃< = 𝑒 𝑃C,𝑃< TUF

𝐸𝑛𝑐JK(𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒<)

𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒<,𝐸𝑛𝑐JS 𝑐ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒C

𝑟𝑒𝑠𝑝𝑜𝑛𝑠𝑒C

SOMEDETAILS▪ Needtohasharbitrarystringsonto𝐺&

▪ Supported byType1orType3pairings

▪ Groupelementsizes▪ 128-bit security:256-bit groupelement size=32bytes

▪ 80-bitsecurity: 160-bitelement size=20bytes

TRACKINGPREVENTION▪ Randomdeviceaddress forBluetoothsourceaddressfield

▪ Setdynamicallyandchanged acrossdifferentconnections

BLUETOOTHLEADVERTISEMENTS▪ Scanningissupportedby

▪ Windows phone

▪ Android

▪ iOS

▪ Publishingadvertisementsissupportedon▪ Windows phone 10

▪ Possibly futureAndroid phone versions

▪ KitssuchasCypressandDialog

PAIRINGMETHODS▪ JustWorks

▪ BasicallynoMITMprotection duringpairingphase

▪ Passkeyentry▪ Proventobequiteweak[7]

▪ Out-of-Band(OOB)– credentialsprovidedbysomeothermethod

PROPOSAL:NEWPAIRINGMODEA B

Selectionofpairingmethod

PairingConfirm(Mconfirm)-𝑃V

PairingConfirm(Sconfirm)-𝑃W,𝐶ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒W

PairingRandom(Mrand)–𝑅𝑒𝑠𝑝𝑜𝑛𝑠𝑒W,𝐶ℎ𝑎𝑙𝑙𝑒𝑛𝑔𝑒V

PairingRandom(Srand)𝑅𝑒𝑠𝑝𝑜𝑛𝑠𝑒V

Partiescalculatesharedkeyusingpairings– servesasSTK

BLUETOOTHLEADVERTISEMENTS▪ BluetoothLEsupportsbroadcastingadvertisements

▪ Clientscanscanandfilteradvertisementsofspecifictypes

▪ Alittlecustomdatacanbesqueezedin– 32bytes▪ OnWindows BTLEstackwecurrentlycanonlycontroltheManufacturerSpecific

Data(ADtype0xFF) – 20bytes

CHOICEOFPLATFORM▪ Easyimplementationofpairings

▪ JPBC– Javaport ofStanfordPBClibrary

▪ iOSandAndroiddidnotsupportpublishing▪ Android exposed theAPIbutdidnotsupport advertising inpractice

▪ WindowsPhone▪ Supports scanning andadvertising

▪ Possible toscanandadvertiseatthesametime

IMPLEMENTATION▪ WindowsPhoneOS10

▪ Failedattempt:portingJPBCto.NET

▪ PairingsandgroupoperationsusingStanfordPBClibrary▪ PortedtoARM+ .NETwrapper(PbcProxy)

▪ UsedMPIR library (Multi-Precision IntegersandRationals,compatiblewithGMP)

▪ Adapted randomnumber generation

▪ Communicationbetweentwophonesisbasedonalternationbetweenadvertisingandscanning

EVALUATION:FUNCTIONALITY▪ Twomobilephonesrunningourappandperforminghandshakes

▪ Experimentduration:8296sec= 2hours18sec

▪ 1handshakesevery8seconds

▪ Total1068handshakes

▪ 1025succeeded,43failed.Successrate:96%

EVALUATION:ENERGYCONSUMPTION• NokiaLumia920runningWindowsPhoneOS• Startingwith100%charge,Wi-FiandGPSoff• Modes:• Baseline• Advertising• Scanning• Advertising+handshake• Scanning+handshake

• Experimentduration:3hours

EVALUATION:ENERGYCONSUMPTION

Enables>12hoursofoperation

COMMUNICATIONOVERHEAD▪ Advertisementpacket:47bytes

▪ Eachpartysends2packets:94bytes

FUTUREWORK▪ Pairingpreprocessing

▪ Foreachhandshake usingthesamecredentialspreprocessing canbeapplied

▪ Supported byPBClibrary

▪ UseBLEspecificidentifiersashandshakepseudonyms▪ Setacustom sourcedeviceaddress

▪ Would provideadditional usablespaceforlongerpseudonyms

▪ MoreWindowsUniversalapplicationsusingPbcProxy

THANKSQuestions?

RELATEDWORK▪ Automatic TrustNegotiation (ATN)

▪ Attribute-Based Encryption (ABE)▪ Decryptionispossible ifpartyiscertifiedaspossessing certainattributesbyanauthority

▪ Secrethandshakes [1]▪ Eachpartyreceivesacertificatefromacentralauthority

▪ Hidden credentials[2]▪ Protectthemessagesusingpolicies thatrequirepossession ofmultiplecredentials

▪ Oblivious Signature-Based Envelope(OSBE)[8]▪ Allowscertificatesissuedbydifferentauthorities

▪ Secrethandshakes fromCA-oblivious encryption [9]

▪ Unlinkable secrethandshakes andkey-privategroupkeymanagementschemes [10]

REFERENCES1. Secret handshakes frompairing-based keyagreements [Balfanzetal.2003]

2. Hidden credentials [Holtetal.2003]

3. Authenticated Identity-Based Encryption [Lynn2002]

4. Howtracking customers in storeswill soonbenorm

5. Howretail storestrackyouusingyoursmartphone (andhowtostopit)

6. Apple isquietly making itsmove toownin-storedigital tracking

7. Bluetooth: WithLowEnergy comesLowSecurity [Ryan2013]

8. Oblivious Signature-Based Envelope [Lietal.2003]

9. Secret handshakes fromCA-oblivious encryption [Casteluccia etal.2004]

10. Unlinkable secret handshakes andkey-privategroupkeymanagement schemes [Jareckietal.2007]