mobile security 2010 - #4mews.sv.cmu.edu/teaching/14829/f11/files/tague_14829f11_20.pdf ·...

©2011 Patrick Tague

Mobile Security14-829 – Fall 2011

Patrick Tague

Class #20 – MANET Issues in Smartphones

[Some slides adapted from Jon McCune & Mike Farb]


Agenda• Smartphone MANETs and mesh networks

• Establishing trust between smartphones

• Announcement:– HW #4 is due on 11/21


Smartphone MANET Scenarios• Secure group communication

– People want to meet and exchange data securely without relying on any infrastructure

– Ex: people at airport, researchers at conference, students in class, rural users, post-disaster comms, etc.

• Secure SMS / msg exchange– Users want to keep key est.

msgs off the network


Business Cards• Exchange cards with other people in the group• Later type or scan that data into a device• Contain limited amount of data for applications


Broadcast data and we’re done?

Active Attacker

Alice

In-band channel

Out-of-band channel (e.g., cable, human visual channel +

action, business cards)

Bob


Attacker Model• Attacker’s Goals

– Add multiple identities (non-members) to the group– Remove valid members from the group

• Active Outsider– Written, displayed, or spoken information may be

overheard– Wireless messages may be overheard, intercepted, or

injected

• Active Insider– A valid member of the group


Problem Statement• Secure remote collaboration

– Communicate securely– Share files with the proper access controls– Do anything you can imagine with contact

information

• Quickly exchange information in person– Collect data from other group members (and only

group members)– Collect exactly one set of data per person


Limited Solutions Public Key Infrastructure (PKI)

– Requires expensive CA infrastructure– Key exchange still vulnerable to man-in-the-middle

attack– Disconnect between physical & digital world

• Attacker can likely acquire a certificate for any name

• PGP key signing parties– Requires well-trained users and possibly verbal

exchange of public key fingerprints– Requires n*(n-1)/2 exchanges for n people


CA Security Model• The Internet uses a centralized or hierarchical

trust model– A certificate authority attests the identity and

trustworthiness of individuals/groups by issuing a signed/certified public key

• CA claims “X is identifiable and trustworthy”• X provides signed certificate from CA to Y• CA model provides transitive trust: CA → X, X → Y => CA → Y

– Everything depends on the CA's behavior• GoDaddy.com is a registered CA, but they will issue just

about any certificate to just about anyone


MANET Trust Challenges• Biggest challenge is lack of a centralized

authority, so nobody to act as a CA

• Various approaches try to approximate the CA trust model in different distributed settings


Basic Trust Est. in MANET• In the CA trust model, trust is carried by signed

public keys, so trust and key management are the same

• In some settings, a temporary authority can issue valid keys for later use– In sensor networks, keys can be assigned to all

devices by a single authority prior to deployment– After deployment, key management is challenging,

especially since attackers can compromise sensor nodes and recover keys

– See, for example, [Eschenauer & Gligor, 2002; Tague & Poovendran, 2007]


Offline Authority• Similar to the sensor network pre-deployment

model, offline services can be used as trusted authorities for MANET key management– Challenges:

• Without pre-existing relationships, how to ensure that only valid network members can access the trusted authority?

• How to get access to the offline service?• What if the service becomes unavailable?

– Provide “trust evidence” [Eschenauer, Gligor, & Baras, 2002]

• Offline service becomes a single point-of-failure for attack.


Smartphones have Users!• Instead of completely automating the trust/key-

establishment protocols, the users can participate and serve as verifiers

Bob

Bob’s Phone


ApproachesSeeing-is-Believing, [McCune et al., S&P 2005]

SPATE, [Lin et al., MobiSys 2009]

Ho-Po Key, [Mezzour et al., CyLab TR CMU-CyLab-11-004, 2010]

KeySlinger, [Farb et al., CyLab]


Seeing-Is-Believing• Modern mobile phones

– Camera (read 2D barcodes)– Display (display 2D barcodes)– Powerful CPU (perform asymmetric cryptographic

operations)• Used in concert, we have a new, visual,

location-limited channel• This visual channel can provide demonstrative

identification of communicating parties to the user

• Available in commodity devices

• This enables very strong authentication


PK Authentication with SiB

ha←SHA1(PK A)

)(visual

ah →

)(wireless

aPK → )(SHA1' APKh ←

abortahhif :)'( ≠

Alice Bob


SiB Usage

Alice Bob

Bob’s PhoneAlice’s Phone

camera…vision…

KAlice


Mutual Authentication• Both parties perform basic SiB protocol to get

authenticated public key of other party

• SiB authenticates origin of public key

• Can use freshly generated keys– Different public keys for different people– Achieve unlinkability between sessions


Device Configurations• Both devices have cameras and displays

(most powerful configuration)• SiB can be useful even if some devices are

missing a camera, a display, or both– Display but no camera

•Laptop, PDA, television, …– No display and no camera

•802.11 access point, printer, …


No Display/Camera Devices• Equipped with a long-term public key and a

barcode sticker on housing– Cannot use freshly generated public keys

• The resulting communication channel (following SiB) remains secure against active adversaries

Bob

Bob’s Phone

camera…

KPrinter

vision…


SPATESmall-group PKI-less Authenticated Trust

Establishment

Pearl Amber

Red JadeViolet

Indigo

• Efficient– Member performs 3

actions• Select data• Count group size• Compare

• Simple comparison– Only 1 user needs to

pay attention


Accelerating Key Distribution

1. Selection & Counting – user indicates what data is to be shared and the size of the group

2. Collect – phone broadcasts and collects data 3. Verify – user verifies group members share the

same data4. Check Consensus – phone verifies the

members agree, and saves the data

4 main steps of SPATE (users involved in 1 & 3)


1. Selection & Counting• User enters into the phone

– Share data X with my group– The group contains N people counting myself

work… home… 6


2. Collection• Phone broadcasts data X• Phone collects N-1 sets of data

• More than N-1 sets of data results in error, the phone aborts

• Fewer than N-1 sets of data results in timeout, the phone aborts


3. Verify• Phones calculate hash of the collected data• Users compare hashes on their screens

A75...

A75...

A75...

A75...

A75...A75...


4. Consensus• After user indicates hash equality, phone

broadcasts success

• If all N phones claim success, data is considered valid and saved for later use


SPATE for the Real World• Most mobile phones lack a broadcast mechanism

– Simulated broadcast for Bluetooth

• Humans are inaccurate when comparing series of hex numbers [Uzun2007]– T-Flags to compare images

• Attackers may attempt to claim consensus– Commitments ensure the protocol only continues

after each user agrees


Bluetooth “Broadcast”• Bluetooth piconets can support up to 8 devices• Bluetooth simulates broadcast with a leader

based n-way unicast• Problem: slow to establish Bluetooth

connections


Bluetooth “Broadcast”

• Discovery is further delayed by other devices in the environment


Barcode-Assisted Bluetooth

• Time grows linearly with the number of phones (number of barcodes captured)


Helping Users Compare• T-Flags

– Computationally inexpensive– Limited to 8 maximally distinct colors (color-blind

friendly) [Glasbey 2006]– “T” to help orient users


Performance

• Majority of time is spent taking pictures of barcodes and connecting


Ho-Po KeySystem instructs users to arrange in in a ring and verify only with two neighbors, allowing

the SPATE approach to scale arbitrarily


Design & Testing


KeySlinger• System implementation for iOS and Android that

includes various aspects of SPATE, Ho-Po Key options for larger group sizes, etc.


Setup Phase

• Select my data.• Enter expected population.• Generate nonces, and

commitment hash tree.


Collection Phase

• Enter grouping numbers.• Commitment hashes are shared.• Nonce hash and User Data are shared.• Each user validates that SHA-1 [Nonce

Hash, User Data] = Commitment.• Each user independently computes

Group Commitment Hash.


Verification Phase (<8 Users)• User picks Group Hash phrase that

matches or indicates no match

• Answer nonce, as well as opposite hash are shared as the Signature

• To encourage actual comparison and not just click "match" without verification, require comparison and choice of matching phrases between 2 other decoy phrases

• Each phone must compute this hash consistently, or an attacker is present


Extra Verification (8+ Users)Additional step before visual

verification.

Users are assigned position numbers and asked to form a ring.

Each user validates that left and right Signatures are for Match.

When all Match, user may keep all n User Data.


Summary Cellular communication channels already broken

End to end encryption provides secrecy and integrity Secure key exchange is difficult

Easy to use secure key exchange SafeSlinger offers exciting potential

Secure contact info exchange Bootstrap secure communication General authentic key exchange mechanism API (email, SMS keys, etc.) May realize vision of PGP


What's Next?• 11/21: Enabling secure mobile disaster

communication

• Happy Thanksgiving!

mobile security 2010 - #4mews.sv.cmu.edu/teaching/14829/f11/files/tague_14829f11_20.pdf ·...

Documents