MASHaBLE (Michalevsky): Mobile Applications of Secret Handshakes over Bluetooth Low-Energy - slide transcript
MASHaBLE: Mobile Applications of Secret Handshakes over Bluetooth Low-Energy
Yan Michalevsky, Suman Nath, Jie Liu
MOTIVATION
• Private communication
• Anonymous messaging
• Secret communities
• Location-based messaging
• Privacy-preserving IoT applications
MESSAGING APPLICATIONS
Signal
After School
SECRET COMMUNITIES
▪ Members want to identify each other
▪ They do not want to be discovered by anyone outside the community
▪ Geo-location privacy
▪ Anonymous messaging and notification dissemination
"TRUSTED" CENTRAL SERVER
▪ The server becomes a target for attacks
▪ Internet connectivity is not always available
▪ Also, GPS and cellular consume a lot of energy
[Chart: phone energy consumption in suspended state vs. idle state vs. with GPS active]
WE WANT TO...
▪ Avoid interaction with a server
▪ Use physical proximity
▪ Minimize energy consumption
Bluetooth Low-Energy (LE) sounds like a promising solution
THE PROBLEM WITH NEGOTIATING TRUST
▪ Alice is willing to reveal her credentials only to another party with a certain clearance (she needs to verify Bob's identity first)
▪ Bob is likewise willing to reveal his credentials only to another party with a certain clearance (he needs to verify Alice's identity first)
▪ Neither party is willing to go first and reveal its credentials, with a proof of their authenticity, before the other does
SECRET HANDSHAKE PROPERTIES
▪ Parties do not know each other
▪ They perform a procedure that establishes trust
▪ If it fails, no information is gained by either party
▪ If it succeeds, the parties learn that both are members of the group
▪ In addition, they can establish their respective roles in that group (cryptographic secret handshakes)
MORE APPLICATIONS
Using iBeacon for head counting
Car control: unlock, locate
HEAD COUNTING
• Exposes users to tracking
• Reveals information about the event/gathering
• How do we support private/secret events and provide privacy to attendees?
CAR CONTROL
How do we prevent car and driver tracking?
SECRET HANDSHAKE FROM PAIRINGS
▪ Based on Balfanz et al. [1]
▪ If the handshake succeeds, both parties have established an authenticated and encrypted communication channel
▪ If the handshake fails, no information is disclosed
▪ Collusion resistant: corrupted group members cannot collude to perform a handshake on behalf of a non-corrupted member
▪ Compact credentials, important for embedding into small packets
PAIRINGS
We have elements $X \in G_1$ and $Y \in G_2$, where $G_1, G_2$ are algebraic groups. A pairing $e$ has the following (bilinearity) property:
$e(aX, bY) = e(X, Y)^{ab}$
where $e(X, Y) \in G_T$.
SECRET HANDSHAKE FROM PAIRINGS
Master secret $t \in \mathbb{Z}_q$, held by the group authority
Alice's credential: pseudonym $P_A$ = "p93849", secret $T_A = t \cdot H(P_A)$
Bob's credential: pseudonym $P_B$ = "p12465", secret $T_B = t \cdot H(P_B)$
SECRET HANDSHAKE FROM PAIRINGS (protocol)
Alice sends $P_A$ = "p93849"; Bob sends $P_B$ = "p12465"
Alice computes $K_A = e(H(P_B), T_A) = e(H(P_B), H(P_A))^t$
Bob computes $K_B = e(T_B, H(P_A)) = e(H(P_B), H(P_A))^t$
Alice → Bob: $\mathrm{Enc}_{K_A}(\mathrm{challenge}_A)$
Bob → Alice: $\mathrm{response}_A$, $\mathrm{Enc}_{K_B}(\mathrm{challenge}_B)$
Alice → Bob: $\mathrm{response}_B$
UNLINKABLE HANDSHAKES
▪ By tracking the pseudonym, an attacker can track the user
▪ Naive solution: obtain multiple pseudonyms from the master party and use a different pseudonym for each handshake
UNLINKABLE SECRET HANDSHAKE
Master secret $t \in \mathbb{Z}_q$
Alice: $P_A \in G$, $T_A = t \cdot P_A$; Bob: $P_B \in G$, $T_B = t \cdot P_B$
UNLINKABLE SECRET HANDSHAKE (protocol)
Alice picks a fresh random $r$ and sends $r \cdot P_A$; Bob picks a fresh random $s$ and sends $s \cdot P_B$
Alice computes $K_A = e(s \cdot P_B, r \cdot T_A) = e(P_B, P_A)^{rst}$
Bob computes $K_B = e(s \cdot T_B, r \cdot P_A) = e(P_B, P_A)^{rst}$
Alice → Bob: $\mathrm{Enc}_{K_A}(\mathrm{challenge}_A)$
Bob → Alice: $\mathrm{response}_A$, $\mathrm{Enc}_{K_B}(\mathrm{challenge}_B)$
Alice → Bob: $\mathrm{response}_B$
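The two handshakes above (the Balfanz-style one keyed on hashed pseudonyms, and the unlinkable one with blinded pseudonyms $r \cdot P_A$, $s \cdot P_B$), run end to end as an added example. This is editor-supplied code, not code from the talk or from PBC/JPBC. The bilinear map is a toy assumption: group elements are integers mod $q$ and $e(X, Y) = g^{XY} \bmod p$, which is bilinear and so exercises exactly the algebra on the slides, but has no security whatsoever (anyone can read $t$ off $T = t \cdot P$). The HMAC-based challenge/response is a stand-in for the slides' $\mathrm{Enc}_K(\mathrm{challenge})$, and the master secrets, pseudonyms and the "Eve" outsider are constructed.

```python
"""Toy end-to-end run of the pairing-based secret handshake and its unlinkable
variant.  The bilinear map below is an ASSUMPTION for illustration only:
e(X, Y) = g^(X*Y) mod p over integers mod q.  It is bilinear, which is all the
protocol algebra needs, but it gives no security (t is readable from T = t*P).
A real build uses a Type-1/Type-3 elliptic-curve pairing (PBC/JPBC)."""
import hashlib
import hmac
import secrets

# Toy parameters (constructed): p = 2q + 1, both prime; g = 4 has order q in Z_p^*.
P_MOD, Q_ORD, G_GEN = 10007, 5003, 4


def H(pseudonym: str) -> int:
    """Hash an arbitrary string onto a non-zero toy group element in Z_q."""
    digest = hashlib.sha256(pseudonym.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q_ORD - 1)


def e(X: int, Y: int) -> int:
    """Toy pairing e(X, Y) = g^(X*Y) mod p, hence e(aX, bY) = e(X, Y)^(ab)."""
    return pow(G_GEN, (X * Y) % Q_ORD, P_MOD)


def issue_credential(t: int, pseudonym: str):
    """Group authority with master secret t issues (P, T) with T = t*H(P)."""
    return pseudonym, (t * H(pseudonym)) % Q_ORD


def issue_unlinkable_credential(t: int, p_elem: int = None):
    """Unlinkable variant: the pseudonym is a random group element P, T = t*P."""
    if p_elem is None:
        p_elem = 1 + secrets.randbelow(Q_ORD - 1)
    return p_elem, (t * p_elem) % Q_ORD


def basic_handshake(alice, bob):
    """Parties exchange pseudonyms only; each derives a key on its own side.
    Returns (K_A, K_B); they agree exactly when both credentials were issued
    under the same master secret t."""
    (P_A, T_A), (P_B, T_B) = alice, bob
    K_A = e(H(P_B), T_A)  # Alice: e(H(P_B), t*H(P_A)) = e(H(P_B), H(P_A))^t
    K_B = e(T_B, H(P_A))  # Bob:   e(t*H(P_B), H(P_A)) = e(H(P_B), H(P_A))^t
    return K_A, K_B


def unlinkable_handshake(alice, bob, r: int = None, s: int = None):
    """Alice sends r*P_A and Bob sends s*P_B with fresh random r, s, so the
    on-air values differ every run and cannot be linked to a fixed pseudonym.
    Returns (msg_A, msg_B, K_A, K_B)."""
    (P_A, T_A), (P_B, T_B) = alice, bob
    r = r if r is not None else 1 + secrets.randbelow(Q_ORD - 1)
    s = s if s is not None else 1 + secrets.randbelow(Q_ORD - 1)
    msg_A = (r * P_A) % Q_ORD  # what Alice puts on the air
    msg_B = (s * P_B) % Q_ORD  # what Bob puts on the air
    K_A = e(msg_B, (r * T_A) % Q_ORD)  # e(s*P_B, r*t*P_A) = e(P_B, P_A)^(rst)
    K_B = e((s * T_B) % Q_ORD, msg_A)  # e(s*t*P_B, r*P_A) = e(P_B, P_A)^(rst)
    return msg_A, msg_B, K_A, K_B


def confirm(K_A: int, K_B: int) -> bool:
    """Mutual challenge/response.  An HMAC over a fresh challenge stands in for
    the slides' Enc_K(challenge); on mismatch nothing about either key leaks."""
    k_a = hashlib.sha256(K_A.to_bytes(4, "big")).digest()
    k_b = hashlib.sha256(K_B.to_bytes(4, "big")).digest()
    chal_A, chal_B = secrets.token_bytes(16), secrets.token_bytes(16)
    resp_A = hmac.new(k_b, chal_A, "sha256").digest()  # Bob answers Alice's challenge
    resp_B = hmac.new(k_a, chal_B, "sha256").digest()  # Alice answers Bob's challenge
    ok_A = hmac.compare_digest(resp_A, hmac.new(k_a, chal_A, "sha256").digest())
    ok_B = hmac.compare_digest(resp_B, hmac.new(k_b, chal_B, "sha256").digest())
    return ok_A and ok_B


if __name__ == "__main__":
    t_group, t_other = 1234, 4321  # master secrets of two communities (constructed)
    alice = issue_credential(t_group, "p93849")
    bob = issue_credential(t_group, "p12465")
    eve = issue_credential(t_other, "p55555")  # member of a different group
    print("Alice-Bob handshake:", confirm(*basic_handshake(alice, bob)))  # True
    print("Alice-Eve handshake:", confirm(*basic_handshake(alice, eve)))  # False
    a_u, b_u = issue_unlinkable_credential(t_group), issue_unlinkable_credential(t_group)
    run1, run2 = unlinkable_handshake(a_u, b_u), unlinkable_handshake(a_u, b_u)
    print("keys agree:", run1[2] == run1[3], "| on-air values differ:", run1[0] != run2[0])
```

With a real pairing the two `e(...)` calls per side are the expensive step; that is what the "pairing preprocessing" item under future work targets, since $T_A$ (or $r \cdot T_A$ for a fixed credential) is the same input across handshakes.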
SOME DETAILS
▪ Need to hash arbitrary strings onto $G_2$
▪ Supported by Type 1 or Type 3 pairings
▪ Group element sizes:
▪ 128-bit security: 256-bit group element = 32 bytes
▪ 80-bit security: 160-bit group element = 20 bytes
TRACKING PREVENTION
▪ Random device address in the Bluetooth source address field
▪ Set dynamically and changed across different connections
BLUETOOTH LE ADVERTISEMENTS
▪ Scanning is supported by
▪ Windows Phone
▪ Android
▪ iOS
▪ Publishing advertisements is supported on
▪ Windows Phone 10
▪ Possibly future Android phone versions
▪ Kits such as Cypress and Dialog
PAIRING METHODS
▪ Just Works: basically no MITM protection during the pairing phase
▪ Passkey Entry: proven to be quite weak [7]
▪ Out-of-Band (OOB): credentials provided by some other method
PROPOSAL: NEW PAIRING MODE (A = master, B = slave)
Selection of pairing method
A → B: Pairing Confirm (Mconfirm) carrying $P_A$
B → A: Pairing Confirm (Sconfirm) carrying $P_B$, $\mathrm{challenge}_B$
A → B: Pairing Random (Mrand) carrying $\mathrm{response}_B$, $\mathrm{challenge}_A$
B → A: Pairing Random (Srand) carrying $\mathrm{response}_A$
Both parties calculate the shared key using pairings; it serves as the STK
BLUETOOTH LE ADVERTISEMENTS
▪ Bluetooth LE supports broadcasting advertisements
▪ Clients can scan for and filter advertisements of specific types
▪ A little custom data can be squeezed in: the AdvData field of a legacy advertising PDU holds at most 31 bytes of AD structures (one length byte, one AD-type byte, then data)
▪ On the Windows BTLE stack we can currently control only the Manufacturer Specific Data (AD type 0xFF): 20 bytes
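How the group element sizes from the "Some details" slide (20 bytes at 80-bit security, 32 bytes at 128-bit) line up against the advertisement budget just described, as an added example; this is editor-supplied code, not code from the talk or the Windows BTLE stack. The 31-byte AdvData limit, the [length][AD type][data] layout and the 2-byte little-endian company ID at the start of Manufacturer Specific Data are from the Bluetooth Core Specification; reading the slides' "20 bytes" as payload after the company ID is an assumption, and the `0xFFFF` company ID is the value reserved for testing, not an assigned company.

```python
"""Fitting a handshake credential into a BLE legacy advertisement.
AdvData: at most 31 octets, a sequence of AD structures [length][AD type][data].
Manufacturer Specific Data (AD type 0xFF): 2-byte little-endian company ID, then payload.
The 20-byte Windows figure is from the slides; treating it as payload after the
company ID is an assumption."""
import struct

ADV_DATA_MAX = 31          # octets of AdvData in a legacy advertising PDU
AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER = 0xFF
WINDOWS_MSD_PAYLOAD = 20   # usable bytes on the Windows BTLE stack (slides)
TEST_COMPANY_ID = 0xFFFF   # reserved for internal/testing use, not an assigned company


def ad_structure(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure; the length byte covers the type byte plus data."""
    if len(data) + 1 > 0xFF:
        raise ValueError("AD structure too long")
    return bytes([len(data) + 1, ad_type]) + data


def manufacturer_data(company_id: int, payload: bytes) -> bytes:
    """Manufacturer Specific Data: little-endian company ID, then our payload."""
    return ad_structure(AD_TYPE_MANUFACTURER, struct.pack("<H", company_id) + payload)


def build_adv_data(structures) -> bytes:
    """Concatenate AD structures; refuse anything over the 31-octet AdvData limit."""
    adv = b"".join(structures)
    if len(adv) > ADV_DATA_MAX:
        raise ValueError(f"AdvData is {len(adv)} bytes, limit is {ADV_DATA_MAX}")
    return adv


def fits_in_advertisement(structures) -> bool:
    try:
        build_adv_data(structures)
        return True
    except ValueError:
        return False


def parse_adv_data(adv: bytes) -> dict:
    """Walk the AD structures as a scanner would and map AD type -> data.
    A length byte that runs past the end is rejected as a malformed frame."""
    out, i = {}, 0
    while i < len(adv):
        length = adv[i]
        if length == 0:          # zero-length structure: padding, nothing follows
            break
        if i + 1 + length > len(adv):
            raise ValueError("AD structure length exceeds AdvData")
        out[adv[i + 1]] = adv[i + 2:i + 1 + length]
        i += 1 + length
    return out


def on_air_packet_size(adv: bytes) -> int:
    """Preamble(1) + access address(4) + PDU header(2) + AdvA(6) + AdvData + CRC(3)."""
    return 1 + 4 + 2 + 6 + len(adv) + 3


def msd_payload_budget(with_flags: bool = True) -> int:
    """Bytes left for our payload after the Flags structure (3 bytes) and the
    MSD header (length, type, company ID: 4 bytes)."""
    return ADV_DATA_MAX - (3 if with_flags else 0) - 4


if __name__ == "__main__":
    for size in (20, 32):  # group element sizes at 80-bit and 128-bit security (slides)
        msd = manufacturer_data(TEST_COMPANY_ID, bytes(size))  # zeroed stand-in credential
        frame = [ad_structure(AD_TYPE_FLAGS, b"\x06"), msd]
        print(f"{size}-byte element: fits spec limit={fits_in_advertisement(frame)}, "
              f"fits Windows budget={size <= WINDOWS_MSD_PAYLOAD}")
    full = build_adv_data([manufacturer_data(TEST_COMPANY_ID, bytes(27))])
    print("max AdvData", len(full), "bytes -> on-air packet", on_air_packet_size(full), "bytes")
```

The arithmetic is what drives the platform choices later in the deck: a 20-byte element fits the Windows Manufacturer Specific Data budget exactly, a 32-byte element does not fit a single legacy advertisement even at the spec limit, and a full 31-byte AdvData gives the 47-byte on-air packet quoted under communication overhead.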
CHOICE OF PLATFORM
▪ Easy implementation of pairings: JPBC, a Java port of the Stanford PBC library
▪ iOS and Android did not support publishing: Android exposed the API but did not support advertising in practice
▪ Windows Phone supports scanning and advertising, and it is possible to scan and advertise at the same time
IMPLEMENTATION
▪ Windows Phone OS 10
▪ Failed attempt: porting JPBC to .NET
▪ Pairings and group operations using the Stanford PBC library, ported to ARM with a .NET wrapper (PbcProxy)
▪ Used the MPIR library (Multi-Precision Integers and Rationals, compatible with GMP)
▪ Adapted random number generation
▪ Communication between two phones is based on alternating between advertising and scanning
EVALUATION: FUNCTIONALITY
▪ Two mobile phones running our app and performing handshakes
▪ Experiment duration: 8296 s (2 h 18 min)
▪ Roughly one handshake every 8 seconds
▪ Total: 1068 handshakes
▪ 1025 succeeded, 43 failed. Success rate: 96%
EVALUATION: ENERGY CONSUMPTION
• Nokia Lumia 920 running Windows Phone OS
• Starting with 100% charge, Wi-Fi and GPS off
• Modes: baseline; advertising; scanning; advertising + handshake; scanning + handshake
• Experiment duration: 3 hours
[Chart: battery level over time for each mode]
Enables > 12 hours of operation
COMMUNICATION OVERHEAD
▪ Advertisement packet: 47 bytes
▪ Each party sends 2 packets: 94 bytes
FUTURE WORK
▪ Pairing preprocessing: for each handshake using the same credentials, preprocessing can be applied (supported by the PBC library)
▪ Use BLE-specific identifiers as handshake pseudonyms: set a custom source device address, which would provide additional usable space for longer pseudonyms
▪ More Windows Universal applications using PbcProxy
THANKS. Questions?
RELATED WORK
▪ Automated Trust Negotiation (ATN)
▪ Attribute-Based Encryption (ABE): decryption is possible if the party is certified by an authority as possessing certain attributes
▪ Secret handshakes [1]: each party receives a certificate from a central authority
▪ Hidden credentials [2]: protect the messages using policies that require possession of multiple credentials
▪ Oblivious Signature-Based Envelope (OSBE) [8]: allows certificates issued by different authorities
▪ Secret handshakes from CA-oblivious encryption [9]
▪ Unlinkable secret handshakes and key-private group key management schemes [10]
REFERENCES
1. Secret handshakes from pairing-based key agreements [Balfanz et al. 2003]
2. Hidden credentials [Holt et al. 2003]
3. Authenticated Identity-Based Encryption [Lynn 2002]
4. How tracking customers in stores will soon be the norm
5. How retail stores track you using your smartphone (and how to stop it)
6. Apple is quietly making its move to own in-store digital tracking
7. Bluetooth: With Low Energy comes Low Security [Ryan 2013]
8. Oblivious Signature-Based Envelope [Li et al. 2003]
9. Secret handshakes from CA-oblivious encryption [Castelluccia et al. 2004]
10. Unlinkable secret handshakes and key-private group key management schemes [Jarecki et al. 2007]