CyLab Power Point Template

1
SPATE Small-group PKI-less Authenticated Trust
Establishment
Yue-Hsun Lin, Ahren Studer, Hsu-Chun Hsiao,
Jonathan M. McCune, King-Hang Wang, Maxwell
Krohn, Phen-Lan Lin, Adrian Perrig, Hung-Min Sun,
Bo-Yin Yang MobiSys June 23, 2009
2
Setting Up Group Communication

• People meet want to communicate (securely)
  later
• Business people at the airport
• Researchers at a conference
• Students in a project group
• No commonly trusted infrastructure
• Exchange information to
• Communicate
• Share files

3
Problem Statement

• Secure remote collaboration
• Communicate securely
• Share files with the proper access controls
• Do anything you can imagine with contact
  information
• Quickly exchange information in person
• Collect data from other group members (and only
  group members)
• Collect exactly one set of data per person

4
Broadcast data and were done?
Active Attacker
Bob
Alice
5
Attacker Model

• Attackers Goals
• Add multiple identities (non-members) to the
  group
• Remove valid members from the group
• Active Outsider
• Written, displayed, or spoken information may be
  overheard
• Wireless messages may be overheard, intercepted,
  or injected
• Active Insider
• A valid member of the group

6
Business Cards

• Exchange cards with other people in the group
• Later type or scan that data into a device
• Contain limited amount of data for applications

Everyone has mobile phones. Lets use those!
7
Public-Key Based Protocols

• Public Key Infrastructure (PKI)
• Still vulnerable to the man in the middle attack
• Disconnect between physical digital world
• Attacker can likely acquire a certificate for any
  name
• PGP key signing parties
• Sequential broadcast of key and announcement of
  hash is cumbersome

7
8
Group Protocol

• Gather Authenticate n Group Securely (GAnGS
  MobiCom 08)
• Designed to scale to large groups, but
  inefficient for small groups
• Majority of users still have to compare correctly
  and acknowledge failures

!
9
Problems and Design Goals

• Small groups are most common
• Sacrifice scalability and increase speed for
  small groups
• SPATE focuses on groups of 8 or fewer
• People might ignore failures
• Ensure attacks result in DoS, rather than
  subverted communication

10
SPATESmall-group PKI-less Authenticated Trust
Establishment

• Efficient
• Member performs 3 actions
• Select data
• Count group size
• Compare
• Simple comparison
• Only 1 user needs to pay attention

Pearl
Amber
Indigo
Red
Jade
Violet
11
Accelerating Key Distribution
4 main steps of SPATE (users involved in 1 3)

• Selection Counting user indicates what data
  is to be shared and the size of the group
• Collect phone broadcasts and collects data
• Verify user verifies group members share the
  same data
• Check Consensus phone verifies the members
  agree, and saves the data

12
1. Selection Counting

• User enters into the phone
• Share data X with my group
• The group contains N people counting myself

work home
6
13
2. Collection

• Phone broadcasts data X
• Phone collects N-1 sets of data
• More than N-1 sets of data results in error, the
  phone aborts
• Fewer than N-1 sets of data results in timeout,
  the phone aborts

14
3. Verify

• Phones calculate hash of the collected data
• Users compare hashes on their screens

15
4. Consensus

• After user indicates hash equality, phone
  broadcasts success
• If all N phones claim success, data is considered
  valid and saved for later use

16
SPATE for the Real World

• Most mobile phones lack a broadcast mechanism
• Simulated broadcast for Bluetooth
• Humans are inaccurate when comparing series of
  hex numbers Uzun2007
• T-Flags to compare images
• Attackers may attempt to claim consensus
• Commitments ensure the protocol only continues
  after each user agrees

17
Bluetooth Broadcast

• Bluetooth piconets can support up to 8 devices
• Bluetooth simulates broadcast with a leader based
  n-way unicast
• Problem slow to establish Bluetooth connections

18
Bluetooth Broadcast

• Discovery is further delayed by other devices in
  the environment

19
Dont Discover, See

• Address input is faster than discovery
• Rather than type in addresses, phones display a
  barcode of the address Scott95

• Leader takes a picture of the other devices
  barcodes in turn

20
Bluetooth Broadcast

• Time grows linearly with the number of phones
  (number of barcodes captured)

21
SPATE for the Real World

• Selection Counting user indicates what data
  is to be shared and the size of the group
• Collect device broadcasts and collects data
• Verify user verifies group members share the
  same data
• Check Consensus device verifies the members
  agree and saves the data

22
Helping Users Compare

• Random Art Perrig99 computationally expensive
  (10 seconds)
• Flag Ellison03 nuanced colors on poor,
  un-oriented displays

vs.
23
Helping Users Compare

• T-Flags
• Computationally inexpensive
• Limited to 8 maximally distinct colors
  (color-blind friendly) Glasbey 2006
• T to help orient users

24
SPATE for the Real World

• Selection Counting user indicates what data
  is to be shared and the size of the group
• Collect device broadcasts and collects data
• Verify user verifies group members share the
  same data
• Check Consensus device verifies the members
  agree and saves the data

25
Reaching Group Consensus

• Include a commitment with data
• Pick a random number R
• Commitment C Hash(Rdata)
• Broadcast Cdata
• Generate T-Flag based on data and C
• Only the owner of the data knows R
• Attacker cannot guess R
• Attacker cannot reverse a one way hash function

26
Reaching Consensus in the Group

• After user compares T-Flags
• If Flags Match, broadcast R
• If Flags Differ, broadcast X
• (X ? R)
• Collect N-1 random numbers
• Verify Hash(Ridatai) Ci
• All match ? group agrees, save the data
• Any wrong ? disagreement, discard the data

27
Implementation

• Nokia N70 Phones
• Symbian OSv 8.1a

28
Performance

• Majority of time is spent taking pictures of
  barcodes and connecting

29
Comparison with GAnGS

• GAnGSs collection of data and division of the
  group cause delays

29
30
But is it Secure?

• Attackers goal is to add or remove group members
• Add additional members to the group

5
4
4
5
5
4
5
31
But is it Secure?

• Same is true when a malicious party adds multiple
  sets of data

4
5
4
5
5
5
4
5
31
32
But is it Secure?

• Delete a member (while adding an outsider)

T-Flags Differ
!
!
!
33
Group Disperses, Now What?

• Secure email
• Thunderbird plugin
• Secure, intuitive file sharing
• Access groups defined using the group as an
  event
• Setting correct access policies is not a trivial
  task Good 03
• Secure text messaging
• Why limit security to traditional applications?

34
Secure File Sharing

• Leverages sshFS
• Files are stored on one machine
• Leader designates a server to act as a central
  repository
• Server generates
• Accounts for each group member
• Folder for that specific group
• Exchanged public key allows group members access
• SCPonly stops people from running commands

35
Secure File Sharing

• Interface allows
• Renaming events
• Managing connected folders/editing access

36
Secure Text Messaging

• Secrecy
• Providers have IP over data on their network
• Authenticity
• Services allow you to spoof text messages
  http//www.fakemytext.com

37
Secure Text Messaging

• Members exchange Diffie-Hellman values to
  establish symmetric keys
• 1024b RSA signature would leave 13 characters for
  the message

Decrypted Message
Intercepted Message
38
Future Work

• More applications
• What would you want to do after meeting a group
  of people?
• User study to verify if T-Flags are easier to
  compare than alternatives
• Leverage WiFi to provide quick collection of data

39
Summary

• SPATE enables authentic face-to-face exchange
• SPATE is faster than prior mechanisms used to
  exchange data AND is secure
• T-Flags allow an efficient user-friendly
  comparison
• SPATEs use of commitments enables one diligent
  user to protect the entire group
• Examples highlight SPATEs utility in building
  secure and easy-to-use applications

40

• Thank you!
• astuder_at_cmu.edu
• Download software at
• http//amethyst.cylab.cmu.edu/SPATE/

41
Limited Entropy in T-Flags

• T-Flag contains 24 bits of entropy
• An attacker can find different data and
  commitment pairs which produce the same T-Flags
• Once an attacker knows the other values, just
  guess
• T-Flag(D1C1DACA) T-Flag(D1C1DBCB)
• 223 guesses takes less than 10 seconds
• Use commitment to hide T-Flag inputs

41
42
Limited Entropy in T-Flags

• Data commitments
• Broadcast Y hash(CiDi)
• After hear N-1 values, broadcast CiDi
• Verify CjDj Yj
• Attacker cannot know what inputs are used in
  T-Flag
• Secure hash function, prevents an attacker from
  producing multiple CxDx for a given Y

42