Page 1
Privacy, Discovery, and Authentication for the Internet of Things
David J. Wu (Stanford University)
Ankur Taly (Google)
Asim Shankar (Google)
Dan Boneh (Stanford University)
Page 2
The Internet of Things (IoT)
Lots of smart devices, but only useful if users can discover them!
Page 3
Private Service Discovery
Many existing service discovery protocols: Multicast DNS (mDNS), Apple Bonjour, Bluetooth Low Energy (BLE)
A typical discovery protocol (screenshot taken on a public wireless network):
• Device owner’s name / user ID revealed!
• Device location revealed!
Page 4
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
• broadcast: truncated hash of sender’s identity
• contacts-only mode: device should only be discoverable by users in their contacts list
Page 5
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
• if the broadcast contains the ID of a user in the contact list, then start a local service and advertise it over mDNS
• TLS key exchange with client authentication
Page 6
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
• TLS key exchange with client authentication: certificates exchanged in the clear (can be used for tracking, fingerprinting, etc.)
Page 7
Private Service Discovery
Privacy problems exist in many protocols
AirDrop protocol for peer-to-peer file sharing
• broadcast: truncated hash of sender’s identity; no authenticity for the broadcast, so it can be replayed to see if a particular user is in the target’s contact list
Page 8
Private Service Discovery
Each service specifies an authorization policy
[Figure: the services Samsung TV (Guide | Setup), Philips Hue (Brightness), ADT Security (Manage) and Door Lock (Manage) as seen by three requesters: Alice, Guest, Stranger]
Page 9
Private Service Discovery
Each service specifies an authorization policy
[Figure: the services Samsung TV (Guide | Setup), Philips Hue (Brightness), ADT Security (Manage) and Door Lock (Manage) as seen by three requesters: Alice, Guest, Stranger]
Mutual privacy: privacy should also hold for devices trying to discover services!
Page 10
Private Mutual Authentication
How to authenticate between mutually distrustful parties?
[Figure: Bob: “Will only reveal identity to devices owned by Alice.” Security system: “Will only reveal identity to Alice’s family members.”]
Page 11
Private Mutual Authentication
In most existing mutual authentication protocols (e.g., TLS, IKE, SIGMA), one party must reveal its identity first
[Figure: Bob and the security system]
Page 12
Primary Protocol Requirements
• Mutual privacy: Identities of protocol participants are revealed only to authorized recipients
• Authentic advertisements: Service advertisements (for discovery) should be unforgeable and authentic
• Lightweight: privacy should be as simple as setting a flag in the key exchange (as opposed to a separate protocol, e.g., using secret handshakes [BDSSSW03])
Page 13
Identity and Authorization Model
Every party has a signing + verification key, and a collection of human-readable names bound to their public keys via a certificate chain
[Figure: a verification key bound to the names alice/family/bob/, alice/device/security/ and popular_corp/prod/S1234]
Page 14
Identity and Authorization Model
Every party has a signing + verification key, and a collection of human-readable names bound to their public keys via a certificate chain
[Figure: name hierarchy]
alice/
    alice/family/
        alice/family/bob/
        alice/family/charlie/
    alice/device/
        alice/device/security/
Page 15
Identity and Authorization Model
Authorization decisions expressed as prefix patterns
[Figure: the names alice/family/bob/ and alice/device/security/, each annotated with a policy]
Policy: alice/devices/*
Policy: alice/family/*
Page 16
Protocol Construction
Page 17
Secure Key Agreement: SIGMA-I Protocol [CK01]
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{ID}_B,\ \mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)\}_k$
Page 18
Secure Key Agreement: SIGMA-I Protocol [CK01]
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{ID}_B,\ \mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)\}_k$
• $\mathrm{ID}_B$: Bob’s certificate
• $\mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)$: Bob’s signature of the ephemeral DH exponents
• $\{\cdot\}_k$: message encrypted (and MACed) under key $k = \mathrm{KDF}(g^x, g^y, g^{xy})$
Note: in the actual protocol, session ids are also included for replay prevention.
Page 19
Secure Key Agreement: SIGMA-I Protocol [CK01]
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{ID}_B,\ \mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)\}_k$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
• $\mathrm{ID}_A$: Alice’s certificate
• $\mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)$: Alice’s signature
• $\{\cdot\}_k$: message encrypted (and MACed) under key $k = \mathrm{KDF}(g^x, g^y, g^{xy})$
Note: in the actual protocol, session ids are also included for replay prevention.
Page 20
Secure Key Agreement: SIGMA-I Protocol [CK01]
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{ID}_B,\ \mathrm{SIG}_B(\mathrm{ID}_B, g^x, g^y)\}_k$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
Session key derived from $g^x, g^y, g^{xy}$
Note: in the actual protocol, session ids are also included for replay prevention.
Page 21
Properties of the SIGMA-I Protocol
• Mutual authentication against active network adversaries
• Hides server’s (Bob’s) identity from a passive attacker
• Hides client’s (Alice’s) identity from an active attacker
• Bob’s identity is revealed to an active attacker!
Page 22
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
Public-key encryption scheme where public keys can be arbitrary strings (identities)
$\mathrm{ct} \leftarrow \mathrm{IBE.Encrypt}(\mathrm{mpk}, \mathrm{id}, m)$: inputs are the public parameters $\mathrm{mpk}$, Bob’s identity $\mathrm{id}$ and the message $m$; the output is the ciphertext $\mathrm{ct}$
Alice can encrypt a message to Bob without needing to have exchanged keys with Bob
Page 23
Identity Based Encryption (IBE) [Sha84, BF01, Coc01]
To decrypt messages, users go to a (trusted) identity provider to obtain a decryption key for their identity
[Figure: the root authority holding $\mathrm{msk}$ issues $\mathrm{sk}_{\mathrm{Alice}}$ to Alice and $\mathrm{sk}_{\mathrm{Bob}}$ to Bob]
Bob can decrypt all messages encrypted to his identity using $\mathrm{sk}_{\mathrm{Bob}}$
Page 24
Prefix-Based Encryption
Secret keys and ciphertexts are both associated with names
[Figure: secret key for the name alice/devices/security/ + ciphertext encrypting $m$ to the name alice/devices/ → $m$]
Decryption succeeds if the name in the ciphertext is a prefix of the name in the secret key
Page 25
Prefix-Based Encryption
Secret keys and ciphertexts are both associated with names
[Figure: secret key for the name eve/devices/security/ + ciphertext encrypting $m$ to the name alice/devices/ → $\bot$]
Decryption fails if the name in the ciphertext is not a prefix of the name in the secret key
Page 26
Prefix-Based Encryption
Can be leveraged for prefix-based policies
Policy: alice/devices/*
Bob encrypts his message to the identity alice/devices/. Any user with a key that begins with alice/devices/ can decrypt.
Page 27
Prefix-Based Encryption from IBE [LW14]
Encryption is just IBE encryption
Secret key for a name is a collection of IBE secret keys, one for each prefix:
alice/devices/security/ → { IBE key for alice/, IBE key for alice/devices/, IBE key for alice/devices/security/ }
This key can decrypt encryptions to all prefixes of alice/devices/security/
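The prefix-based encryption of pages 24 to 27, built from an IBE scheme as in [LW14] and applied to the prefix policies of page 15, as an added worked example; this is not code from the deck or from Vanadium. The IBE is a toy Cocks-style scheme [Coc01] whose modulus is the product of two publicly known Mersenne primes, so it offers no security and stands in for the Boneh-Boyen (BB2) scheme the deck actually instantiates; the hash-to-identity encoding, the bit-at-a-time message encoding and the component-wise prefix rule are assumptions made here for illustration.

```python
import hashlib
import secrets

# Toy Cocks-style IBE [Coc01] (quadratic residuosity). Illustration only: the modulus
# is built from two publicly known Mersenne primes (both = 3 mod 4, as Cocks needs),
# so it offers no security. The deck instantiates prefix encryption with Boneh-Boyen
# (BB2); Cocks is used here only because it needs nothing but the standard library.
TOY_P = 2**107 - 1
TOY_Q = 2**127 - 1

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def ibe_setup():
    """mpk = n = p*q, msk = (p, q)."""
    return TOY_P * TOY_Q, (TOY_P, TOY_Q)

def hash_to_id(n, identity):
    """Hash an identity string to a with Jacobi(a, n) = +1 (rejection sampling)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{counter}:{identity}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1

def ibe_extract(msk, n, identity):
    """Identity key r with r^2 = +a or -a (mod n); computing it needs the factors p, q."""
    p, q = msk
    return pow(hash_to_id(n, identity), (n + 5 - p - q) // 8, n)

def ibe_encrypt(n, identity, message):
    """One pair (c1, c2) per message bit: bit 1 <-> Jacobi(t, n) = +1, bit 0 <-> -1."""
    a = hash_to_id(n, identity)
    ct = []
    for bit in "".join(f"{byte:08b}" for byte in message):
        want = 1 if bit == "1" else -1
        t = secrets.randbelow(n - 1) + 1
        while jacobi(t, n) != want:
            t = secrets.randbelow(n - 1) + 1
        a_over_t = a * pow(t, -1, n) % n
        ct.append(((t + a_over_t) % n, (t - a_over_t) % n))
    return ct

def ibe_decrypt(n, identity, sk, ct):
    """Use c1 if sk^2 = a, else c2; the Jacobi symbol of c + 2*sk is the plaintext bit."""
    a = hash_to_id(n, identity)
    use_c1 = pow(sk, 2, n) == a
    bits = "".join("1" if jacobi(((c1 if use_c1 else c2) + 2 * sk) % n, n) == 1 else "0"
                   for c1, c2 in ct)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

# Prefix-based encryption from IBE [LW14]: encryption is plain IBE encryption to the
# policy name; a key for a name is one IBE key per component-wise prefix of that name.

def name_prefixes(name):
    """'alice/devices/security/' -> ['alice/', 'alice/devices/', 'alice/devices/security/'].
    Prefixes are whole path components: 'alice/dev/' is NOT a prefix of 'alice/devices/'."""
    parts = [c for c in name.split("/") if c]
    return ["/".join(parts[:i]) + "/" for i in range(1, len(parts) + 1)]

def pe_keygen(msk, n, name):
    """Secret key for a name: one IBE key for each of its prefixes."""
    return {prefix: ibe_extract(msk, n, prefix) for prefix in name_prefixes(name)}

def pe_encrypt(n, policy_name, message):
    """Policy alice/devices/* is enforced by IBE-encrypting to the name alice/devices/."""
    policy = name_prefixes(policy_name)[-1]
    return policy, ibe_encrypt(n, policy, message)

def pe_decrypt(n, sk, ct):
    """Succeeds only if the ciphertext's name is a prefix of the key's name, else ⊥ (None)."""
    policy, ibe_ct = ct
    if policy not in sk:
        return None
    return ibe_decrypt(n, policy, sk[policy], ibe_ct)

def demo():
    """Policy alice/devices/*: Alice's security system decrypts; Eve's device and a key
    for alice/dev/cam/ (a string prefix but not a path prefix) both get ⊥."""
    n, msk = ibe_setup()
    ct = pe_encrypt(n, "alice/devices/", b"ID")   # constructed sample plaintext
    return (pe_decrypt(n, pe_keygen(msk, n, "alice/devices/security/"), ct),
            pe_decrypt(n, pe_keygen(msk, n, "eve/devices/security/"), ct),
            pe_decrypt(n, pe_keygen(msk, n, "alice/dev/cam/"), ct))
```

The decryptor tries exactly one IBE key, the one stored under the ciphertext’s policy name, so a key for alice/dev/cam/ fails against alice/devices/ even though the strings share a prefix: prefix matching has to be on whole path components, otherwise the policy alice/devices/* would leak the service identity to any name that merely shares leading characters.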
Page 28
Private Mutual Authentication
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{CT}_B,\ \mathrm{SIG}_B(\mathrm{CT}_B, g^x, g^y)\}_k$ where $\mathrm{CT}_B = \mathrm{PE.Enc}(\pi_B, \mathrm{ID}_B)$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
Key idea: encrypt certificate using prefix-based encryption
Page 29
Private Mutual Authentication
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{CT}_B,\ \mathrm{SIG}_B(\mathrm{CT}_B, g^x, g^y)\}_k$ where $\mathrm{CT}_B = \mathrm{PE.Enc}(\pi_B, \mathrm{ID}_B)$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
• Privacy for Alice’s identity: Alice sends her identity only after verifying Bob’s identity
• Privacy for Bob’s identity: Only users with a key that satisfies Bob’s policy can decrypt his identity
Page 30
Private Mutual Authentication
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{CT}_B,\ \mathrm{SIG}_B(\mathrm{CT}_B, g^x, g^y)\}_k$ where $\mathrm{CT}_B = \mathrm{PE.Enc}(\pi_B, \mathrm{ID}_B)$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
• Client overhead: Alice must perform prefix-based decryption on each flow
• Server overhead: Bob must perform prefix-based encryption on each handshake, but this encrypted identity can be cached and reused
Page 31
Private Mutual Authentication
Alice: $x \leftarrow_R \mathbb{Z}_p$; Alice → Bob: $g^x$
Bob: $y \leftarrow_R \mathbb{Z}_p$; Bob → Alice: $g^y,\ \{\mathrm{CT}_B,\ \mathrm{SIG}_B(\mathrm{CT}_B, g^x, g^y)\}_k$ where $\mathrm{CT}_B = \mathrm{PE.Enc}(\pi_B, \mathrm{ID}_B)$
Alice → Bob: $\{\mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_A, g^x, g^y)\}_k$
Provably secure in the Canetti-Krawczyk model of key exchange assuming Hash-DH and security of the underlying cryptographic primitives
Page 32
Private Service Discovery
Two pieces: service announcements and private mutual authentication
Principal design goals:
• Private discovery: Only authorized clients can learn service details
• Authentic service announcements: Announcements are authenticated and unforgeable
• 0-RTT private mutual authentication: Clients can subsequently connect to the service and include application data on the initial flow
Page 33
Private Service Discovery: Broadcast
Service: $s \leftarrow_R \mathbb{Z}_p$
Broadcast: $\mathrm{PE.Enc}(\pi_S,\ (\mathrm{ID}_S,\ g^s,\ \mathrm{SIG}_S(\mathrm{ID}_S, g^s)))$
Key idea: encrypt service broadcast using prefix encryption
Page 34
Private Service Discovery: Broadcast
Service: $s \leftarrow_R \mathbb{Z}_p$
Broadcast: $\mathrm{PE.Enc}(\pi_S,\ (\mathrm{ID}_S,\ g^s,\ \mathrm{SIG}_S(\mathrm{ID}_S, g^s)))$
Key idea: encrypt service broadcast using prefix encryption
• $\pi_S$: authorization policy
• $\mathrm{ID}_S$: service identity
• $g^s$: semi-static DH share (for 0-RTT authentication)
• $\mathrm{SIG}_S(\mathrm{ID}_S, g^s)$: signature for authenticity
Page 35
Private Service Discovery: Mutual Authentication
Client (Alice): $x \leftarrow_R \mathbb{Z}_p$
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
Page 36
Private Service Discovery: Mutual Authentication
Client (Alice): $x \leftarrow_R \mathbb{Z}_p$
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
• $g^x$: ephemeral DH exponent
• $\mathrm{ID}_S, \mathrm{ID}_A$: sender and receiver identities
• $\{\cdot\}_k$: message encrypted (and MACed) under handshake key $k = \mathrm{KDF}(g^s, g^x, g^{sx}, \mathrm{C} \to \mathrm{S})$
Page 37
Private Service Discovery: Mutual Authentication
Client (Alice): $x \leftarrow_R \mathbb{Z}_p$
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
Application data can also be sent in the first message flow under another key derived from $g^s$, $g^x$, and $g^{sx}$:
$k_{\mathrm{app}} = \mathrm{KDF}(g^s, g^x, g^{sx}, \mathrm{app})$
No forward secrecy for early application data sent during the lifetime of the broadcast.
Page 38
Private Service Discovery: Mutual Authentication
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
Service: $y \leftarrow_R \mathbb{Z}_p$
Service → Alice: $g^y,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A\}_{k'}$
• $g^y$: ephemeral DH exponent
• $\{\cdot\}_{k'}$: message encrypted (and MACed) under handshake key $k' = \mathrm{KDF}(g^s, g^x, g^{sx}, \mathrm{S} \to \mathrm{C})$
Page 39
Private Service Discovery: Mutual Authentication
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
Service: $y \leftarrow_R \mathbb{Z}_p$
Service → Alice: $g^y,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A\}_{k'}$
Final session key derived from both semi-static and ephemeral shares:
$\mathrm{KDF}(g^s, g^x, g^y, g^{sx}, g^{xy})$
Recovers forward secrecy for session messages.
Page 40
Private Service Discovery: Mutual Authentication
Alice → Service: $g^x,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A,\ \mathrm{SIG}_A(\mathrm{ID}_S, \mathrm{ID}_A, g^s, g^x)\}_k$
Service: $y \leftarrow_R \mathbb{Z}_p$
Service → Alice: $g^y,\ \{\mathrm{ID}_S,\ \mathrm{ID}_A\}_{k'}$
Provably secure in an (extended) Canetti-Krawczyk model of key exchange assuming Hash-DH and Strong-DH in the random oracle model and security of the underlying cryptographic primitives
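The 0-RTT key schedule of pages 33 to 40 as an added, runnable example; this is not code from the deck or from Vanadium. It keeps only the Diffie-Hellman part: the prefix-encrypted, signed announcement, the certificates and the signatures are left out, the group is $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{521} - 1$ with generator 3 (a toy choice, not a standards group), and the KDF is HMAC-SHA256 over a label followed by the fixed-width group elements; all of these are assumptions, since the deck only writes KDF(...). The last function makes the caveat of page 37 concrete: a party who records the traffic and later learns the service’s semi-static exponent $s$ recovers the early-data key $k_{\mathrm{app}}$ of every session under that broadcast, while the final session key also depends on $g^{xy}$.

```python
import hashlib
import hmac
import secrets

# Toy DH group, illustration only: Z_p^* with the Mersenne prime p = 2^521 - 1 and
# generator g = 3. Not a standards group; it just makes the key schedule runnable.
P = 2**521 - 1
G = 3
ELEM_BYTES = 66          # fixed-width encoding of 521-bit group elements for the KDF

def dh_keygen():
    """Return (secret exponent, public share g^exp mod p)."""
    exp = secrets.randbelow(P - 2) + 1
    return exp, pow(G, exp, P)

def kdf(label, *elements):
    """Toy KDF (assumption; the deck only writes KDF(...)): HMAC-SHA256 over a
    direction/purpose label followed by the DH values, so the C->S, S->C, app and
    session keys differ even though they share inputs."""
    data = label.encode() + b"".join(e.to_bytes(ELEM_BYTES, "big") for e in elements)
    return hmac.new(b"private-discovery-toy-kdf", data, hashlib.sha256).digest()

def service_setup():
    """Semi-static exponent s; g^s is what the (prefix-encrypted, signed) broadcast carries."""
    s, gs = dh_keygen()
    return {"s": s, "gs": gs}

def client_first_flow(gs):
    """0-RTT: from the broadcast share alone the client derives the handshake keys and
    k_app, so application data can ride along in its very first message."""
    x, gx = dh_keygen()
    gsx = pow(gs, x, P)
    return {"x": x, "gx": gx, "gs": gs,
            "k_c2s": kdf("C->S", gs, gx, gsx),
            "k_app": kdf("app", gs, gx, gsx),
            "k_s2c": kdf("S->C", gs, gx, gsx)}

def service_second_flow(svc, gx):
    """Service derives the same 0-RTT keys, adds an ephemeral g^y, and computes the final
    session key from both the semi-static (g^sx) and the ephemeral (g^xy) shares."""
    gsx = pow(gx, svc["s"], P)
    y, gy = dh_keygen()
    return {"gy": gy,
            "k_c2s": kdf("C->S", svc["gs"], gx, gsx),
            "k_app": kdf("app", svc["gs"], gx, gsx),
            "k_s2c": kdf("S->C", svc["gs"], gx, gsx),
            "session": kdf("session", svc["gs"], gx, gy, gsx, pow(gx, y, P))}

def client_finish(cli, gy):
    """Client's final session key: KDF(g^s, g^x, g^y, g^sx, g^xy)."""
    gsx = pow(cli["gs"], cli["x"], P)
    gxy = pow(gy, cli["x"], P)
    return kdf("session", cli["gs"], cli["gx"], gy, gsx, gxy)

def keys_from_leaked_semistatic(s, gs, gx):
    """What a recording adversary can derive once s leaks after the fact: every 0-RTT key
    (k_app included) of every session under that broadcast. The session key is out of
    reach because it also needs g^xy, i.e. one of the ephemeral exponents x or y."""
    gsx = pow(gx, s, P)
    return {"k_c2s": kdf("C->S", gs, gx, gsx),
            "k_app": kdf("app", gs, gx, gsx),
            "k_s2c": kdf("S->C", gs, gx, gsx)}

def run_handshake():
    """Run one discovery handshake and report which keys agree and which leak."""
    svc = service_setup()
    cli = client_first_flow(svc["gs"])
    srv = service_second_flow(svc, cli["gx"])
    cli_session = client_finish(cli, srv["gy"])
    leaked = keys_from_leaked_semistatic(svc["s"], svc["gs"], cli["gx"])
    return {"handshake_keys_agree": all(cli[k] == srv[k] for k in ("k_c2s", "k_app", "k_s2c")),
            "session_keys_agree": cli_session == srv["session"],
            "leaked_s_recovers_early_data_key": leaked["k_app"] == cli["k_app"]}

if __name__ == "__main__":
    print(run_handshake())
```

Rotating the broadcast (and with it $s$) bounds how much early application data a later compromise of $s$ exposes; everything sent under the final session key is protected by the ephemeral $x$ and $y$, which is the forward secrecy page 39 refers to.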
Page 41
Implementation and Benchmarks
• Instantiated IBE scheme with Boneh-Boyen (BB2) IBE scheme (DCLXVI library)
• Integrated private mutual authentication and private service discovery protocols into the Vanadium open-source framework for building distributed applications
https://github.com/vanadium/
Page 42
Implementation and Benchmarks
Comparison of private mutual authentication protocol with non-private SIGMA-I protocol
Note: x86 assembly optimizations for pairing curve operations available only on desktop

| | Intel Edison | Raspberry Pi | Nexus 5X | Desktop |
|---|---|---|---|---|
| SIGMA-I | 252.1 ms | 88.0 ms | 91.6 ms | 5.3 ms |
| Private Mutual Auth. | 1694.3 ms | 326.1 ms | 360.4 ms | 9.5 ms |
| Slowdown | 6.7x | 3.7x | 3.9x | 1.8x |
Page 43
Implementation and Benchmarks
• For the private service discovery protocol, a typical service advertisement is ≈ 820 bytes (for a single policy pattern)
• Can broadcast using mDNS (supports packets of size up to 1300 bytes)
Advertisement: $\mathrm{id},\ \mathrm{PE.Enc}(\pi_S,\ (\mathrm{ID}_S,\ g^s,\ \mathrm{SIG}_S(\mathrm{ID}_S, g^s)))$, with component sizes annotated left to right: 16 bytes, 500 bytes, 32 bytes, 64 bytes, 208 bytes (total 820 bytes)
Page 44
Implementation and Benchmarks
Processing an advertisement requires 1 IBE decryption and 1 ECDSA verification: 267 ms + 11 ms = 278 ms on Nexus 5X
Advertisement: $\mathrm{id},\ \mathrm{PE.Enc}(\pi_S,\ (\mathrm{ID}_S,\ g^s,\ \mathrm{SIG}_S(\mathrm{ID}_S, g^s)))$, with component sizes annotated left to right: 16 bytes, 500 bytes, 32 bytes, 64 bytes, 208 bytes (total 820 bytes)
Page 45
Conclusions
• Existing key-exchange and service discovery protocols do not provide privacy controls
• Prefix-based encryption can be combined very naturally with existing key-exchange protocols to provide privacy + authenticity
• Overhead of resulting protocol small enough that protocols can run on many existing devices
Page 46
Questions?