
SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers


Presentation Transcript


  1. SlyFi: Enhancing 802.11 Privacy by Concealing Link Layer Identifiers
     • Authors:
     • Date: 2008-09-09
     Greenstein (Intel) et al.

  2. Our Wireless World

  3. Tracking Example
     • Figure labels: tcpdump; tcpdump; MAC: 24:AB:87:11:62:99; MAC: 01:34:4F:88:7A:FE; MAC: 54:CC:F2:B8:77:10

  4. Tracking Example
     • SSIDs in figure: SSID=Linksys, SSID=MaryJaneHome, SSID=DrChoice, SSID=DrChoice, SSID=tMobile, SSID=WashingtonCSE
     • tcpdump capture: 01:2F:3D:44:59:22, 0A:BB:C1:99:07:01, 04:50:7D:FE:F1:89, etc.
     • tcpdump capture: 04:50:7D:FE:F1:89, 12:20:00:01:7F:e2, etc.
     • Times shown: 8:30 AM, 4:30 PM
     • Abortion Doctor’s Home?

  5. Tracking Example
     • tcpdump capture: 01:2F:3D:44:59:22, 0A:BB:C1:99:07:01, 04:50:7D:FE:F1:89, etc.
     • tcpdump capture: 04:50:7D:FE:F1:89, 12:20:00:01:7F:e2, etc.
     • Times shown: 8:30 AM, 4:30 PM
     • Is a deal brewing?

  6. Inventorying Example
     • HIV Advertisement!
     • Diabetes Advertisement!

  7. Location tracking, user profiling, inventorying, relationship profiling are a growing concern
     • Figure labels: “djw” is here; 802.11 header; Is “djw” here?; Home
     • www.bluetoothtracking.org
     • www.wigle.net

  8. Talk Argument
     • 802.11 is increasingly insufficient
     • Level of privacy different from what people would expect
     • Privacy and anonymity safeguards lagging behind cellular (e.g., GSM)
     • Slowing 802.11 adoption in healthcare, finance, and military markets
     • Important to standardize privacy enhancements
     • Can’t do within the context of the existing standard
     • Requires changes at multiple endpoints
     • Enhancements most effective when widely deployed
     • Will increase attractiveness of 802.11, strengthen 802.11 marketplace

  9. Technical Feasibility
     • SlyFi demonstrates possibility of enhancing 802.11 for privacy
     • Complete link layer solution with better privacy guarantees than 11i, 11w
     • We prototyped it
     • As efficient as today’s protocols
     • Same usage model as 802.11; coexists with 802.11
     • Academia and industry enthusiastic, e.g., 2008 ACM Mobisys Best Paper
     • paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf
     • source: http://tw.seattle.intel-research.net

  10. Privacy Problem with Best Practices
      • Many exposed bits are (or can be used as) identifiers that are linked over time
      • Figure labels: tcpdump; Is Bob’s Network here?; Bob’s Network is here; Proof that I’m Bob; MAC addr, seqno, …
      • Confidentiality
      • Authenticity
      • Integrity

  11. Goal: Make All Bits Appear Random To Eavesdroppers
      • Bootstrap: SSID: Bob’s Network, Key: 0x2384949…; Username: Alice, Key: 0x348190…
      • Discover
      • Authenticate and Bind
      • Send Data
      • Figure labels: tcpdump; ?

  12. Challenge: Making the protocol work when all bits are hidden
      • Figure labels: Which packets are mine?; Which packets are mine?
      • Filtering without Identifiers
      • Without changing the usage model
      • Without breaking services
      • Without changing authentication machinery
      • While staying just as efficient

  13. Design Requirement: Add privacy to security without breaking anything else
      • When A generates Message to B, she sends: PrivateMsg = F(A, B, Message)
      • Where F has these properties:
      • Confidentiality: Only A and B can determine Message.
      • Authenticity: B can verify A created PrivateMsg.
      • Integrity: B can verify Message not modified
      • Unlinkability: Only A and B can link PrivateMsgs to same sender or receiver
      • Efficiency: B can process PrivateMsgs as fast as he can receive them
      • Compatibility with existing usage model
      • Compatibility with existing authentication and other services
      • Figure labels: A→B; Header…; Unencrypted payload

  14. Solution Summary
      • Properties compared: Confidentiality, Authenticity, Unlinkability, Integrity, Efficiency
      • Table labels: Only Data Payload; Only Data Payload; Only Data Payload; 802.11 WPA; Long Term; MAC Pseudonyms; Naïve Symmetric Key; SlyFi: Discovery/Binding; SlyFi: Data packets

  15. Naïve approach (symmetric encryption of all bits) is slow
      • Figure labels: Client; Service; Probe “Bob”; MAC: $K_{AB}$; Check MAC: $K_{AB}$
      • Service holds $K_{Shared1}$, $K_{Shared2}$, $K_{Shared3}$, …: Try to decrypt with each shared key
      • Can’t identify the decryption key in the packet or else it is linkable
      • Symmetric encryption (e.g., AES w/ random IV)
      • Different symmetric key per potential sender

  16. Solution Summary
      • Properties compared: Confidentiality, Authenticity, Unlinkability, Integrity, Efficiency
      • Table labels: Only Data Payload; Only Data Payload; Only Data Payload; 802.11 WPA; Long Term; MAC Pseudonyms; Naïve Symmetric Key; SlyFi: Discovery/Binding; SlyFi: Data packets

  17. Symmetric key almost works, but tension between:
      • Unlinkability: can’t expose the identity of the key
      • Efficiency: need to identify the key to avoid trying all keys
      • Idea: Identify the key in an unlinkable way
      • Approach: Sender A and receiver B agree on tokens: $T_1^{AB}$, $T_2^{AB}$, $T_3^{AB}$, …
      • A attaches $T_i^{AB}$ to encrypted packet for B
      • SlyFi: An open source reference implementation

  18. SlyFi
      • Figure labels: Client; Service; Probe “Bob”; $T_i^{AB}$; $K_{AB}$; MAC: $K_{AB}$; Check MAC: $K_{AB}$
      • Client and Service each compute $T_i^{AB} = \mathrm{AES}_{K_{AB}}(i)$
      • Lookup $T_i^{AB}$ in a table to get $K_{AB}$
      • Need a shared variable, i, that changes often
      • Main challenge: Sender and receiver must synchronize i without communication
      • Symmetric encryption (e.g., AES w/ random IV)

  19. Data Transport
      • Synchronize i on transmission number
      • Only sent over established connections
      • Expect messages to be delivered
      Discovery and Binding
      • Synchronize i on loose idea of time
      • Infrequent: sent when trying to associate
      • Narrow interface: single application, few side-channels
      • Linkability at short timescales is OK
      Both
      • On receipt of $T_i^{AB}$, receiver computes $T_{i+1}^{AB}$
      • Handling message loss or clock skew:
      • On receipt of $T_i^{AB}$ save $T_{i+1}^{AB}, \ldots, T_{i+k}^{AB}$ in table
      • Tolerates k consecutive losses or skew of 5 * k minutes
      • No loss → compute one token per reception

  20. Discovery/Binding Time
      • Chart label: Lower = Better
      • SlyFi link setup has less overhead than WPA

  21. Data Throughput
      • Chart labels: Higher = Better; With simulated AES hardware; Performs like symmetric key
      • SlyFi data filtering is about as efficient as 802.11

  22. Solution Summary
      • Properties compared: Confidentiality, Authenticity, Unlinkability, Integrity, Efficiency
      • Table labels: Only Data Payload; Only Data Payload; Only Data Payload; 802.11 WPA; Long Term; MAC Pseudonyms; Naïve Symmetric Key; Long Term; SlyFi: Discovery/Binding; SlyFi: Data packets

  23. Other Protocol Details to Work Through
      • Broadcast
      • Higher-layer binding
      • Time synchronization
      • Roaming
      • Coexistence with 802.11
      • Link-layer ACKs
      • Preventing replay attacks
      • Location services
      • etc.
      • See paper for some proposals

  24. Conclusion
      • Wireless devices are becoming personal and pervasive
      • Best practices don’t protect users from simple attacks
      • Long-term linking: tracking, profiling, inventorying
      • Short-term linking: side-channel attacks
      • We need a protocol enhancement to defend against these attacks
      • That removes all identifying bits
      • paper: http://www.seattle.intel-research.net/pubs/mobisys08-slyfi.pdf
      • source: http://tw.seattle.intel-research.net
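
The token filtering from slides 17 to 19, as an added Go example that is not taken from the presentation or from the SlyFi source: the receiver keeps the next k tokens T_i = AES_K(i) for each sender, so a packet costs one table lookup instead of a trial decryption per shared key. The sender name, the key bytes, k = 3 and the counter encoding (big-endian, in one AES block) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)
const k = 3 // tokens kept ahead per sender (assumed value)

// Token computes T_i = AES_K(i): one AES block over the counter i.
func Token(key []byte, i uint64) (t [16]byte) {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	binary.BigEndian.PutUint64(t[8:], i)
	c.Encrypt(t[:], t[:])
	return t
}

type entry struct{ sender string; key []byte; i uint64 } // who made a token, at which i
type Receiver map[[16]byte]entry                        // every token currently expected

// Expect replaces sender's tokens with T_from .. T_from+k-1.
func (r Receiver) Expect(sender string, key []byte, from uint64) {
	for t, e := range r {
		if e.sender == sender {
			delete(r, t)
		}
	}
	for i := from; i < from+k; i++ {
		r[Token(key, i)] = entry{sender, key, i}
	}
}

// Filter is one lookup per packet; a hit slides that sender's window.
func (r Receiver) Filter(t [16]byte) (string, bool) {
	e, ok := r[t]
	if ok {
		r.Expect(e.sender, e.key, e.i+1)
	}
	return e.sender, ok
}

func main() { // constructed demo key, not real key material
	r := Receiver{}
	r.Expect("alice", []byte("constructed-key1"), 0)
	fmt.Println(r.Filter(Token([]byte("constructed-key1"), 2)))
}
```

A matched token is consumed, so a replayed token and a token more than k counters ahead of the last one received are both treated as not addressed to this receiver.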
