Link Setup Time (ms)

1. Find networks that Alice trusts Transitive Trust Alice’s secret Alice’s secret Alice trusts “Alice’s Home” Alice trusts bob.laptop Ti = AESK (i) Ti = AESK (i) Ti = AESK (i) where i = current time/5 min Ti = AESK (i) where i = transmission # AB AB AB AB Mechanisms to Mitigate Wireless Privacy Threats Jeffrey Pang <jeffpang@cs.cmu.edu> http://www.cs.cmu.edu/~jeffpang Authenticity Integrity 100 250 Confidentiality Unlinkability 500 300 Efficiency 200 tcpdump 120 Username: Alice Public Key: 0x123… SSID: Bob’s Network Password: [_]pants Data Only Data Only Data Only transmission sizes transmission sizes 802.11 WPA KAB 802.11 header Is Bob’s Network here? 802.11 header Bob’s Network is here Long Term MAC Pseudonyms Lookup Tiin a table to get KAB Encrypt Everything Problem: existing protocols leak information Goal: obsure everything from third parties Long Term SlyFi: Discovery MAC address, … SlyFi: Data MAC address, … Best security practices still expose identifiers, credentials, and packet sizes/timings to third parties, enabling attacks: • Location tracking: identifiers can be linked over time • User profiling: info can be cross-indexed with databases • Side-channel analysis: sizes/timing reveals packet contents Greenstein, HotOS ’07; Pang, MobiCom ’07; Pang, HotNets ’07; Jiang, MobiSys ’07; Sapanos, Usenix Security ’07; www.bluetoothtracking.org; ... Three essential protocol changes to prevent attacks: Obscure all transmitted bits during all protocol phases Obscure packet sizes/timing that act as side-channels Obscure and automate bootstrapping of keys to prevent communication with untrusted third parties 1. MobiSys ’08; 2. CMU Thesis Proposal ’08; 3. HotNets ’07 packet size histogram Bootstrap Bootstrap Automatic and private Automatic and private Discover Discover Is Bob’s PSP here? ? Bob’s PSP is here tcpdump tcpdump Authenticate and Bind Authenticate and Bind 802.11 header Proof that I’m Alice 802.11 header Proof that I’m Bob Proof that I’m Bob Send data Send Data 802.11 header ? bytes 512 bytes 802.11 header ? bytes 128 bytes SlyFi: obscures all transmitted bits • Problem: Third parties can use unencrypted bits such as addresses to track and profile users. How can devices efficiently process packets without addresses? • Idea: Sender and receiver agree on sequence of tokens beforehand; attach one token to each packet • Details: How do sender and receiver synchronize i? • Discovery/binding messages: infrequent and narrow interface  short term linkability is O.K. • Data messages: only sent on established connections  expect receiver to get most messages • Performs as well as WPA and has stronger security AB SlyFi protocol Client Service AB Check MAC: K’AB Probe “Alice” MAC: K’AB KAB Link Setup Time (ms) AB Ti AB Symmetric encryption (e.g., AES w/ random IV) AB AB AB AB Tokens Ti and Tj are unlinkable if i ≠ j Sudare: obscures side-channel leaks Tryst: obscures & automates bootstrapping • Problem: Packet sizes and timings reveal sensitive contents in encrypted packet streams (identity, videos…) • Idea: Framework for masking side-channel leaks using signature-like rules for packet padding and cover traffic • Problem: Clients often need to communicate with new devices. How does a client know who to trust? • Idea: Leverage transitive trust relationships and device reputation to automatically bootstrap keys Side-channel attack example “Alice’s Home” Trust Masking rules, performance constraints 400 400 100 250 400 300 400 400 200 120 Output transmissions  Input transmissions Attestation Bootstrapping using transitive trust Input transmissions