mobile security 2010 - #4mews.sv.cmu.edu/teaching/14829/f11/files/tague_14829f11_20.pdf ·...
©2011 Patrick Tague
Mobile Security
14-829 – Fall 2011
Patrick Tague
Class #20 – MANET Issues in Smartphones
[Some slides adapted from Jon McCune & Mike Farb]
Agenda
• Smartphone MANETs and mesh networks
• Establishing trust between smartphones
• Announcement:
  – HW #4 is due on 11/21
Smartphone MANET Scenarios
• Secure group communication
  – People want to meet and exchange data securely without relying on any infrastructure
  – Ex: people at airport, researchers at conference, students in class, rural users, post-disaster comms, etc.
• Secure SMS / msg exchange
  – Users want to keep key est. msgs off the network
Business Cards
• Exchange cards with other people in the group
• Later type or scan that data into a device
• Contain limited amount of data for applications
Broadcast data and we’re done?
[Figure labels: Alice; Bob; Active Attacker; In-band channel; Out-of-band channel (e.g., cable, human visual channel + action, business cards)]
Attacker Model
• Attacker’s Goals
  – Add multiple identities (non-members) to the group
  – Remove valid members from the group
• Active Outsider
  – Written, displayed, or spoken information may be overheard
  – Wireless messages may be overheard, intercepted, or injected
• Active Insider
  – A valid member of the group
Problem Statement
• Secure remote collaboration
  – Communicate securely
  – Share files with the proper access controls
  – Do anything you can imagine with contact information
• Quickly exchange information in person
  – Collect data from other group members (and only group members)
  – Collect exactly one set of data per person
Limited Solutions
• Public Key Infrastructure (PKI)
  – Requires expensive CA infrastructure
  – Key exchange still vulnerable to man-in-the-middle attack
  – Disconnect between physical & digital world
    • Attacker can likely acquire a certificate for any name
• PGP key signing parties
  – Requires well-trained users and possibly verbal exchange of public key fingerprints
  – Requires n*(n-1)/2 exchanges for n people
CA Security Model
• The Internet uses a centralized or hierarchical trust model
  – A certificate authority attests the identity and trustworthiness of individuals/groups by issuing a signed/certified public key
    • CA claims “X is identifiable and trustworthy”
    • X provides signed certificate from CA to Y
    • CA model provides transitive trust: CA → X, X → Y => CA → Y
  – Everything depends on the CA's behavior
    • GoDaddy.com is a registered CA, but they will issue just about any certificate to just about anyone
MANET Trust Challenges
• Biggest challenge is lack of a centralized authority, so nobody to act as a CA
• Various approaches try to approximate the CA trust model in different distributed settings
Basic Trust Est. in MANET
• In the CA trust model, trust is carried by signed public keys, so trust and key management are the same
• In some settings, a temporary authority can issue valid keys for later use
  – In sensor networks, keys can be assigned to all devices by a single authority prior to deployment
  – After deployment, key management is challenging, especially since attackers can compromise sensor nodes and recover keys
  – See, for example, [Eschenauer & Gligor, 2002; Tague & Poovendran, 2007]
Offline Authority
• Similar to the sensor network pre-deployment model, offline services can be used as trusted authorities for MANET key management
  – Challenges:
    • Without pre-existing relationships, how to ensure that only valid network members can access the trusted authority?
    • How to get access to the offline service?
    • What if the service becomes unavailable?
  – Provide “trust evidence” [Eschenauer, Gligor, & Baras, 2002]
    • Offline service becomes a single point-of-failure for attack.
Smartphones have Users!
• Instead of completely automating the trust/key-establishment protocols, the users can participate and serve as verifiers
[Figure labels: Bob; Bob’s Phone]
Approaches
• Seeing-is-Believing, [McCune et al., S&P 2005]
• SPATE, [Lin et al., MobiSys 2009]
• Ho-Po Key, [Mezzour et al., CyLab TR CMU-CyLab-11-004, 2010]
• KeySlinger, [Farb et al., CyLab]
Seeing-Is-Believing
• Modern mobile phones
  – Camera (read 2D barcodes)
  – Display (display 2D barcodes)
  – Powerful CPU (perform asymmetric cryptographic operations)
• Used in concert, we have a new, visual, location-limited channel
• This visual channel can provide demonstrative identification of communicating parties to the user
• Available in commodity devices
• This enables very strong authentication
PK Authentication with SiB
Alice: $h_a \leftarrow \mathrm{SHA1}(PK_A)$
Alice → Bob (visual): $h_a$
Alice → Bob (wireless): $PK_A$
Bob: $h' \leftarrow \mathrm{SHA1}(PK_A)$
Bob: if $(h' \neq h_a)$: abort
SiB Usage
[Figure labels: Alice; Bob; Alice’s Phone; Bob’s Phone; camera; vision; KAlice]
Mutual Authentication
• Both parties perform basic SiB protocol to get authenticated public key of other party
• SiB authenticates origin of public key
• Can use freshly generated keys
  – Different public keys for different people
  – Achieve unlinkability between sessions
Device Configurations
• Both devices have cameras and displays (most powerful configuration)
• SiB can be useful even if some devices are missing a camera, a display, or both
  – Display but no camera
    • Laptop, PDA, television, …
  – No display and no camera
    • 802.11 access point, printer, …
No Display/Camera Devices
• Equipped with a long-term public key and a barcode sticker on housing
  – Cannot use freshly generated public keys
• The resulting communication channel (following SiB) remains secure against active adversaries
[Figure labels: Bob; Bob’s Phone; camera; vision; KPrinter]
SPATE
Small-group PKI-less Authenticated Trust Establishment
[Figure labels: Pearl; Amber; Red; Jade; Violet; Indigo]
• Efficient
  – Member performs 3 actions
    • Select data
    • Count group size
    • Compare
• Simple comparison
  – Only 1 user needs to pay attention
Accelerating Key Distribution
4 main steps of SPATE (users involved in 1 & 3)
1. Selection & Counting – user indicates what data is to be shared and the size of the group
2. Collect – phone broadcasts and collects data
3. Verify – user verifies group members share the same data
4. Check Consensus – phone verifies the members agree, and saves the data
1. Selection & Counting
• User enters into the phone
  – Share data X with my group
  – The group contains N people counting myself
[Figure labels: work…; home…; 6]
2. Collection
• Phone broadcasts data X
• Phone collects N-1 sets of data
• More than N-1 sets of data results in error, the phone aborts
• Fewer than N-1 sets of data results in timeout, the phone aborts
3. Verify
• Phones calculate hash of the collected data
• Users compare hashes on their screens
[Figure: six phone screens, each showing the hash A75...]
4. Consensus
• After user indicates hash equality, phone broadcasts success
• If all N phones claim success, data is considered valid and saved for later use
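The collection, verify and consensus steps above can be modelled in a few lines. This is an added example, not code from SPATE or from the lecture; the hash function (SHA-256), the sort-and-length-prefix encoding, and all names and sample data are assumptions made for the illustration.

```python
import hashlib

class SpateAbort(Exception):
    """The phone aborts the exchange."""

def collect(own, received, n):
    """Step 2: the phone must end up with exactly N-1 data sets from others."""
    if len(received) > n - 1:
        raise SpateAbort("error: more than N-1 data sets")
    if len(received) < n - 1:
        raise SpateAbort("timeout: fewer than N-1 data sets")
    return [own, *received]

def group_hash(data_sets):
    """Step 3: hash of the collected data, shown to the user.
    Assumption: entries are sorted and length-prefixed so arrival order
    does not change the result; SHA-256 is also an assumption."""
    h = hashlib.sha256()
    for entry in sorted(data_sets):
        h.update(len(entry).to_bytes(4, "big") + entry)
    return h.hexdigest()

def run_exchange(views, n):
    """views maps member -> (own data, data sets received over the air).
    Returns True only if every phone would save the data (step 4)."""
    shown = {m: group_hash(collect(own, rx, n)) for m, (own, rx) in views.items()}
    # Users compare screens; a user indicates equality only if all hashes agree.
    claims = {m: len(set(shown.values())) == 1 for m in shown}
    return len(claims) == n and all(claims.values())

# Constructed sample data: three members and one outsider (Mallory).
CARDS = {"alice": b"alice:key-A", "bob": b"bob:key-B", "carol": b"carol:key-C"}
MALLORY = b"carol:key-M"

def honest_views():
    return {m: (d, [v for k, v in CARDS.items() if k != m]) for m, d in CARDS.items()}

def substituted_views():
    """Bob's radio received Mallory's data in place of Carol's."""
    views = honest_views()
    views["bob"] = (CARDS["bob"], [CARDS["alice"], MALLORY])
    return views

def injected_views():
    """An extra identity shows up in what Alice's phone receives."""
    views = honest_views()
    views["alice"] = (CARDS["alice"], [CARDS["bob"], CARDS["carol"], MALLORY])
    return views
```

The substituted data set is caught at the hash comparison, while the injected one never reaches that step because the count check aborts first.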
SPATE for the Real World
• Most mobile phones lack a broadcast mechanism
  – Simulated broadcast for Bluetooth
• Humans are inaccurate when comparing series of hex numbers [Uzun2007]
  – T-Flags to compare images
• Attackers may attempt to claim consensus
  – Commitments ensure the protocol only continues after each user agrees
Bluetooth “Broadcast”
• Bluetooth piconets can support up to 8 devices
• Bluetooth simulates broadcast with a leader based n-way unicast
• Problem: slow to establish Bluetooth connections
Bluetooth “Broadcast”
• Discovery is further delayed by other devices in the environment
Barcode-Assisted Bluetooth
• Time grows linearly with the number of phones (number of barcodes captured)
Helping Users Compare
• T-Flags
  – Computationally inexpensive
  – Limited to 8 maximally distinct colors (color-blind friendly) [Glasbey 2006]
  – “T” to help orient users
Performance
• Majority of time is spent taking pictures of barcodes and connecting
Ho-Po Key
System instructs users to arrange in a ring and verify only with two neighbors, allowing the SPATE approach to scale arbitrarily
Design & Testing
KeySlinger
• System implementation for iOS and Android that includes various aspects of SPATE, Ho-Po Key options for larger group sizes, etc.
Setup Phase
• Select my data.
• Enter expected population.
• Generate nonces, and commitment hash tree.
Collection Phase
• Enter grouping numbers.
• Commitment hashes are shared.
• Nonce hash and User Data are shared.
• Each user validates that SHA-1 [Nonce Hash, User Data] = Commitment.
• Each user independently computes Group Commitment Hash.
Verification Phase (<8 Users)
• User picks Group Hash phrase that matches or indicates no match
• Answer nonce, as well as opposite hash are shared as the Signature
• To encourage actual comparison and not just click "match" without verification, require comparison and choice of matching phrases between 2 other decoy phrases
• Each phone must compute this hash consistently, or an attacker is present
Extra Verification (8+ Users)
• Additional step before visual verification.
• Users are assigned position numbers and asked to form a ring.
• Each user validates that left and right Signatures are for Match.
• When all Match, user may keep all n User Data.
Summary
• Cellular communication channels already broken
• End to end encryption provides secrecy and integrity
• Secure key exchange is difficult
• Easy to use secure key exchange
• SafeSlinger offers exciting potential
• Secure contact info exchange
• Bootstrap secure communication
• General authentic key exchange mechanism API (email, SMS keys, etc.)
• May realize vision of PGP
What's Next?
• 11/21: Enabling secure mobile disaster communication
• Happy Thanksgiving!