link setup time (ms) details : how do sender and receiver synchronize i ? discovery/binding...


Post on 15-Jan-2016


[Figure: Link Setup Time (ms)]

Details: How do sender and receiver synchronize i ?

• Discovery/binding messages: infrequent and narrow interface → short term linkability is O.K.

• Data messages: only sent on established connections → expect receiver to get most messages

•Performs as well as WPA and has stronger security

• Problem: Third parties can use unencrypted bits such as addresses to track and profile users. How can devices efficiently process packets without addresses?

• Idea: Sender and receiver agree on sequence of tokens beforehand; attach one token to each packet

SlyFi: obscures all transmitted bits

Mechanisms to Mitigate Wireless Privacy Threats

Jeffrey Pang <[email protected]>

http://www.cs.cmu.edu/~jeffpang

[Figure labels: tcpdump; packet size histogram. Phases: Discover (“Is Bob’s Network here?” / “Bob’s Network is here”; “Is Bob’s PSP here?” / “Bob’s PSP is here”), Authenticate and Bind (“Proof that I’m Alice” / “Proof that I’m Bob”), Send Data. Each message is shown with an 802.11 header (MAC address, …). Other labels: SSID: Bob’s Network; Password: [_]pants; Username: Alice; Public Key: 0x123…]

[Figure: transmission sizes. Values and labels in page order: 300, 250, 200, 100, 500, 120 (Input transmissions); 300, 250, 200, 100, 120 (Output transmissions); 400, 400, 400, 400, 400 (Input transmissions).]

[Figure labels: Discover; Authenticate and Bind; Send data; Probe “Alice”; Client; Service. Keys and fields shown: $K_{AB}$, $K'_{AB}$, $T_i$; MAC: $K'_{AB}$; Check MAC.]

Symmetric encryption (e.g., AES w/ random IV)

Lookup $T_i^{AB}$ in a table to get $K_{AB}$

$T_i^{AB} = \mathrm{AES}_{K_{AB}}(i)$ where $i$ = transmission #

$T_i^{AB} = \mathrm{AES}_{K_{AB}}(i)$ where $i$ = current time / 5 min
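Added example, not from the poster or from the SlyFi code: a receiver-side token table showing how the two choices of i keep sender and receiver in step. Assumptions: HMAC-SHA256 stands in for AES as the keyed function, data and discovery tokens use separate keys, the receiver tolerates a loss window of 4 packets, and all names are hypothetical.

```python
import hashlib
import hmac

INTERVAL = 300  # seconds: the poster's "current time / 5 min"
WINDOW = 4      # assumed: upcoming data tokens kept per peer to absorb loss

def token(key: bytes, i: int) -> bytes:
    """T_i = PRF_key(i). The poster uses AES_K(i); HMAC-SHA256 truncated
    to 16 bytes is swapped in so the example needs only the stdlib."""
    return hmac.new(key, i.to_bytes(16, "big"), hashlib.sha256).digest()[:16]

class Receiver:
    def __init__(self):
        self.data_keys = {}  # peer -> data key (assumed separate key)
        self.disc_keys = {}  # peer -> discovery key (assumed separate key)
        self.next_seq = {}   # peer -> next expected transmission number
        self.table = {}      # data token -> (peer, i)

    def add_peer(self, peer, data_key, disc_key):
        self.data_keys[peer] = data_key
        self.disc_keys[peer] = disc_key
        self.next_seq[peer] = 0
        self._refill(peer)

    def _refill(self, peer):
        # Drop the peer's stale tokens, then precompute the next WINDOW.
        self.table = {t: v for t, v in self.table.items() if v[0] != peer}
        start = self.next_seq[peer]
        for i in range(start, start + WINDOW):
            self.table[token(self.data_keys[peer], i)] = (peer, i)

    def on_data(self, tok):
        """i = transmission #. Returns (peer, i), or None if unknown."""
        hit = self.table.get(tok)
        if hit is None:
            return None  # replayed, too far ahead, or not addressed to us
        peer, i = hit
        self.next_seq[peer] = i + 1  # skip over lost packets
        self._refill(peer)
        return hit

    def on_discovery(self, tok, now):
        """i = current time / 5 min. Returns the peer, or None."""
        i = int(now) // INTERVAL
        # Rebuilt per call for brevity; a real receiver would cache it
        # for the length of the interval.
        current = {token(k, i): p for p, k in self.disc_keys.items()}
        return current.get(tok)
```

A data token is accepted once and only within the window, so a lost packet does not desynchronize the pair, while a discovery token stays valid (and linkable) for one five-minute interval.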

Best security practices still expose identifiers, credentials, and packet sizes/timings to third parties, enabling attacks:

• Location tracking: identifiers can be linked over time

• User profiling: info can be cross-indexed with databases

• Side-channel analysis: sizes/timing reveals packet contents

Greenstein, HotOS ’07; Pang, MobiCom ’07; Pang, HotNets ’07; Jiang, MobiSys ’07; Saponas, Usenix Security ’07; www.bluetoothtracking.org; ...

Problem: existing protocols leak information

Three essential protocol changes to prevent attacks:

1. Obscure all transmitted bits during all protocol phases

2. Obscure packet sizes/timing that act as side-channels

3. Obscure and automate bootstrapping of keys to prevent communication with untrusted third parties

1. MobiSys ’08; 2. CMU Thesis Proposal ’08; 3. HotNets ’07

Goal: obscure everything from third parties

[Table: 802.11 WPA, MAC Pseudonyms, Encrypt Everything, SlyFi: Discovery and SlyFi: Data compared on Unlinkability, Integrity, Authenticity, Efficiency and Confidentiality. Surviving cell annotations: “Data Only” (three times), “Long Term” (twice).]

• Problem: Packet sizes and timings reveal sensitive contents in encrypted packet streams (identity, videos…)

• Idea: Framework for masking side-channel leaks using signature-like rules for packet padding and cover traffic

Sudare: obscures side-channel leaks

Masking rules, performance constraints

Side-channel attack example

• Problem: Clients often need to communicate with new devices. How does a client know who to trust?

• Idea: Leverage transitive trust relationships and device reputation to automatically bootstrap keys

Tryst: obscures & automates bootstrapping

[Figure labels: 512 bytes; 128 bytes; ? bytes; ? bytes]

[Figure: Bootstrapping using transitive trust. Labels: “Alice’s Home”; Trust; Transitive Trust; Alice trusts bob.laptop; Alice’s secret; Alice trusts “Alice’s Home”; Find networks that Alice trusts; Attestation; Bootstrap; Automatic and private.]

[Figure: SlyFi protocol. Labels: tcpdump; ?]

Tokens $T_i^{AB}$ and $T_j^{AB}$ are unlinkable if $i \neq j$