640 likes | 656 Views
CMPE 252A : Computer Networks. Chen Qian Computer Engineering UCSC Baskin Engineering Lecture 10. Some slides from Brent Waters and Saiyu Qi. Internet of Things (IoT). What is Internet of Things.
E N D
CMPE 252A : Computer Networks Chen Qian Computer Engineering UCSC Baskin Engineering Lecture 10 Some slides from Brent Waters and Saiyu Qi
What is Internet of Things • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data.
Driving Forces of IoT • Sensor Technology – Tiny, Cheap, Variety • Cheap Miniature Computers • Low Power Connectivity • Capable Mobile Devices • Power of the Cloud
Instant and Robust Authentication and Key Agreement among Mobile Devices Wei Xi1, Chen Qian2, Jinsong Han1, Kun Zhao1 Sheng Zhong3, Xiang-Yang Li4, Jizhong Zhao1
Overview PartⅢ PartⅡ PartⅠ The Dancing Signals Motivation Experiment Results • Background • State-of-the-art • Observation • TDS design • Analysis and discussion • Experiment setup • Performance evaluation 02 ACM CCS 2016 – The Dancing Signals (TDS)
Background 03 ACM CCS 2016 – The Dancing Signals (TDS)
State-of-the-art KinWrite: Handwriting-Based Authentication Using Kinect NDSS’13 Authenticating Privately over Public Wi-Fi Hotspots CCS’15 Heart-to-Heart (H2H): Authentication for Implanted Medical Devices CCS’13 Checksum Gestures: Continuous Gestures as an Out-of-Band Channel for Secure Pairing UbiComp'15 2015 2011 2016 2013 2014 ProxiMate: proximity-based secure pairing using ambient wireless signals MobiSys'11 PhotoProof: Cryptographic Image Authentication for Any Set of Permissible Transformations S&P'16 Authentication Using Pulse-Response Biometrics NDSS’14 Commitment-based device pairing with synchronized drawing PerCom’14 Good Neighbor: Ad hoc Pairing of Nearby Wireless Devices by Multiple Antennas NDSS’11 04 ACM CCS 2016 – The Dancing Signals (TDS)
Limitation of Proximate • λ/2 is only in theory. In practice they need about λ/10 to extract workable keys. • For WiFi, λ = 12.5cm. λ/10 = 1.25cm which is not practical. • So they use TV signals eventually, where λ/10 = 34cm • Or FM signals. • Bit generation rate is slow (1-2 bit/sec)
Proximate-based Pairing Use a public WiFi source for secure pairing text Sept2013 • Use this source to generate a secret key at Alice and Bob • If KAlice = KBob, then Alice & Bob know they are in proximity • Use the key for encrypting all further communication 05 ACM CCS 2016 – The Dancing Signals (TDS)
Observation Multiple Subcarriers Decorrelates inspaceandtime In OFDM, a channel is orthogonally divided into multiple subcarriers. • Space: Over distances of ∼ λ/2 (= 6 cm @ 2.4 GHz) • Time: Over one coherence time Tc (∼ 100s of msec @ 2.4 GHz) 06 ACM CCS 2016 – The Dancing Signals (TDS)
Opportunities & challenges 1 Multiplesubcarriers Sensitivetoenvironment 2 3 Rapidspatialdecorrelation 4 Highcorrelationamongsubcarriers 07 ACM CCS 2016 – The Dancing Signals (TDS)
Main idea Alice Bob • Itisdifficulttoextractidenticalkeyfromsimilarchannel. • ItismucheasiertoextractsimilarfeaturesbetweenAliceandBob. • Whynotusethesimilarfeaturestoencipheranddecipherinformation? 08 ACM CCS 2016 – The Dancing Signals (TDS)
Use similarCSItoshareinformationamongusersnearby • Without human intervention • Good performance in safety and efficiency / Our Goal 09 ACM CCS 2016 – The Dancing Signals (TDS)
Must be the key symmetrically identical ? Main idea Bob Alice Eve Similar, but not identical Quite different… 0 1 0 1 0 1 Alice want to secretly send “0” Bob get “0” with 95%confidence Eve get “1”with only 50% confidence 10 ACM CCS 2016 – The Dancing Signals (TDS)
1.Channel sampling 2.S-box Generation TDSWorking Process S-box includes a number of blocks. Each block contains a number of samples and represents a bit 0 or 1 Alice sends a message to other devices and ask them (including Alice) to start listening to a same public WiFi source. 5.Information reconciliation 3.Key generation Alice and Bob need to ensure that they obtain a same key and correct the mismatch bits, which are very few in TDS. Alice may use any key generation method to determine a strong secret key with high randomness and entropy. 5 2 3 1 4 4.Key delivery Alice select a block from every pair to represent whether this bit is 0 or 1. Bob only needs to decide whether the ith block is more similar to his ith 0-block or his ith1-block. 11 ACM CCS 2016 – The Dancing Signals (TDS)
CSI correlations The adjacent subcarriers have very strong CSI correlation, and the correlation oscillates with increasing the difference of two subcarriers’ indexes. Subcarrier pairs {2, 4} and {7, 9} will have a similar difference, S2 − S4 ≈ S7 − S9. 12 ACM CCS 2016 – The Dancing Signals (TDS)
Group allocation 13 ACM CCS 2016 – The Dancing Signals (TDS)
Feature extraction 0 1 0 1 We use the second value in each group as the feature, which are very different between G0 and G1. 14 ACM CCS 2016 – The Dancing Signals (TDS)
Distributions of S-box Distributions of singular value Distributions of differences of singular value Their distributions are distinct, although there is still a large overlapped area. Their distributions are almost identical. 15 ACM CCS 2016 – The Dancing Signals (TDS)
Max Weight Matching Kuhn-Munkres Algorithm Singular Value of Group1 Singular Value of Group 2 16 ACM CCS 2016 – The Dancing Signals (TDS)
Security of TDS text Authenticity Confidentiality The authenticity is protected because Alice will only run information reconciliation for a fixed number of rounds for every other device. Hence only if the bit error rate is smaller than a reasonable threshold, e.g., 7%, Eve can get the key obtained by Alice. The singular values of 0-blocks and 1-blocks have identical distributions. Hence given two singular values, the eavesdropper still cannot improve its guess on this bit. 17 ACM CCS 2016 – The Dancing Signals (TDS)
Stability of TDS text FeatureExtraction Pairing TDS extracts the feature of block based on SVD. TDSuses the second or third singular values to represent the signal features and discards the singular value smaller than theforthsingularvaluewhich is mainly relevant to noises. TDS uses KM based feature mapping algorithm to find an optimal strategy of making the difference of feature values for each 0/1 pair larger than a certain threshold θ. 18 ACM CCS 2016 – The Dancing Signals (TDS)
Efficiencyof TDS text Information delivery rate Multi-user key agreement In our system, we set n = 4 in mobile scenarios and n = 6 in static scenarios, and their delivery rate is 6/4 and 4/6 . That is, each sample can confidentially deliver 1.5 bits and 0.67 bit in mobile scenarios and static scenarios, respectively. Instead of using a public wireless source, Alice and Bob ping each other to generate symmetric random channel variations. Other legitimate de- vices are located near Alice and Bob within authentication distance to hear the communication between Alice and Bob. This model can double the authentication space to support key agreement for more users. 19 ACM CCS 2016 – The Dancing Signals (TDS)
Experimentsetup • As the AP, Peter broadcasts beacons every 50ms. • Alice broadcasts Timing Synchronization Function (TSF) timestamp to synchronize all legitimate devices within 25 microseconds. Antennas of Alice, Bob and Calvin are located in less than 5cm distance, while Eve is deployed at least 25cm away from Alice. Linux 802.11n CSI Tool & Intel 5300 NIC 20 ACM CCS 2016 – The Dancing Signals (TDS)
Distribution of S-box Featuredistribution of0and1 Distribution ofdifferencesbetween 0and1 The distributions in different scenarios are slightly different. In the same scenario, 0andIhave extremely similar distributions. The differences for original 0/1 pair are nearly a linear distribution. There are about 9% pairs with the differences less than 10. We introduce a filtered perfect matching method to filter the pairs with small differentiation. 21 ACM CCS 2016 – The Dancing Signals (TDS)
Authentication distance • Even if the distance of two device antennas is 1cm, the bit error rate of ProxiMate is about 5%-10%. • For TDS, when the distance is less than 3cm, the mismatch rate of TDS is 0 for outdoor environments and < 0.015 for indoor environments. When the distance is 5cm, the mismatch rate of TDS is still smaller than 7%. Fair price with extra services Past project maintenance up to 1 month Authenticateddistance-5cm@ 2.4 GHz Safedistance–12.5cm@ 2.4 GHz 24 ACM CCS 2016 – The Dancing Signals (TDS)
Predictable channel attack 23 ACM CCS 2016 – The Dancing Signals (TDS)
Performance comparison Comparison Bit error rate Informationreconciliationcounts TDS has no mismatched bit, while other methods may cause around 2% to 4% mismatched bits. Since there are no mismatched bit, TDS only uses 4 times pass check to guarantee the consistency of transmitted secret bits. 25 ACM CCS 2016 – The Dancing Signals (TDS)
Performance comparison Entropy Secret bit generationrate TDS and KEEP have the highest entropy in all methods, and CGC has the lowest. Bit generation rate of TDS is slower than previous results. It is because in this set of experiments, Alice and Bob do not listen to a public WiFi but use the communication among them for sampling. This is the only model that the other protocols can work but TDS is not restricted to it. 24 ACM CCS 2016 – The Dancing Signals (TDS)
Conclusion • TDS uses substitution-based confidential bits delivery instead of quantization-based key extraction. We propose a similarity-based symmetric encryptionprotocoltoachievefast D2D authenticationusingCSI. • It can be used to transmit any information, including self-generated session keys • The proposed similarity-based block feature matching mechanism significantly improves fault tolerance and increases the authentication distance from 0.1λ to 0.5λ, approaching the distance upper bound for small-scale fading. • TDS only takes a couple of seconds to make devices agree on a 256-bit secret key with high entropy. 26 ACM CCS 2016 – The Dancing Signals (TDS)
Scalable Data Access Control in RFID-EnabledSupply Chain Saiyu Qi1,2, Yuanqing Zheng2, Mo Li2, Yunhao Liu3 , Jinli Qiu4 HKUST1 Nanyang Technological University2 Tsinghua University3 Xi’an Jiaotong University4
Introduction of RFID technique Basic components of RFID: • RFID Tag: • low cost • limited storage ability • support wireless communication • RFID Reader: • moderate-ability • retrieve tag carried data via wireless channel • Database: • Connect with reader • store detailed tag data • tag identification/authentication The global forecast of RFID hardware, middleware and IT market --------Source from DolceraWiki
RFID-enabled supply chain 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 shared among supply chain participants
Motivation • The product data derived by RFID tags is usually sensitive • An instance: pedigree of drugs • created for each tagged drug in a pharmaceutical supply chain • be useful to verify if a drug is fake • often contains counterfeit certificate , time of delivery and manufactures suffer malicious accesses by drug counterfeiters and competitive manufacturers
The goal of this paper • Secure sharing of RFID-derived product data • A scalable data access control system for RFID-Enabled Supply Chain • an item-level data access control mechanism • an item-level privilege revocation mechanism • Advantages: • data access control in item-level • scalable to large amount of tagged products
System model product data is sensitive and may be compromised A participant only needs to contact the provider to retrieve the data of others idxi, <Enc(wit, Ki)>sig We aim to provide item-level access policy for product data defined by participants
Item-level data access control: a strawman method Not scalable to support large-scale tagged products Some participants are unknown in advance
Item-level data access control: our idea Consider a tagged product flowing through the supply chain… • Submit policy enforced encryption: • encryption associated with an access policy • Policy definition: • two types of attributes: role attribute (etc, USA, Retailer) and tag attribute (used as tag ID) • logical expression over role attributesAND tag attribute • e.g., (‘retailer’ AND (‘USA’ OR ‘France’)AND‘TagAtt’)
Item-level data access control: our idea • Decryption condition of policy enforced encryption: • a credential with satisfiable role attributes and a credential with the tag attribute • Distributed credential management: • role attributes /credentials ------a key authority • tag attributes/credentials------corresponding tags (only participants within the supply chain can acquire!) • A participant can acquire: • one credential with a set of role attributes to describe itself from the key authority • credentials of tag attributes from tags
Item-level data access control: an example role attributes published by key authority tag attribute from tag credential issuing of role attributes within the supply chain but unsatisfiable role attributes outside the supply chain Location: USA Location: France Location: USA Obligation: retailer Obligation: producer Obligation: retailer TagAtt TagAtt
Item-level data access control: advantage • Advantages: • define an access policy with role attributes (acquired from the key authority) and tag attributes (acquired from tags)---do not need knowing other participants in advance • participants acquire credentials from key authority and tags --- item-level key issuing is avoided
Item-level data access control:implementation • Policy enforced encryption: • Double encryption pattern: Ciphertext Policy-Attribute Based Encryption (CP-ABE) [Bethencourt, et al., SP '07] and Updatable Encryption (UE) scheme Symmetric encrypt the ABE encryption ABE encrypt the data Precisely enforce our desired policy: ABE to enforce role attribute part Updatable encryption to enforce tag attribute part Product data Policy enforced encryption ABE encryption • Two types of credentials: • Credentials with role attributes: ABE private keys • Credentials with tag attributes: UE private keys
Ciphertext-Policy,Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA
Remote File Storage:Interesting Challenges • Scalability • Reliability • … But we also want security
Remote File Storage:Server Mediated Access Control • Good: • Flexible access policies • Bad: • Data vulnerable to compromise • Must trust security of server Sarah: IT department, backup manager ? Access control list: Kevin, Dave, and anyone in IT department