![Page 1: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/1.jpg)
Secure In-Band Wireless Pairing
Shyamnath Gollakota
Nabeel Ahmed
Nickolai Zeldovich
Dina Katabi
![Page 2: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/2.jpg)
Secure Wireless Pairing is Important
Traditional solutions require user to enter or validate passwords
![Page 3: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/3.jpg)
Entering or Validating Passwords is Difficult
• Ordinary users struggle with picking long random passwords
• Devices with no interfaces for entering passwords
Problem Statement: Secure pairing without having the user enter or validate passwords
![Page 4: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/4.jpg)
Tentative Solution:
![Page 5: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/5.jpg)
Tentative Solution: Use Diffie-Hellman Key Exchange
• Anyone can receive/transmit
Alice Bob
Adversary
Man-in-the-middle attacks
Full-fledged man-in-the-middle attack on CDMA and 4G networks at DEFCON 19
![Page 6: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/6.jpg)
Status of Secure Pairing Without Passwords
Academic Approach
• Use trusted out-of-band channels
• e.g., camera-displays, audio, tactile or infrared channels
May be infeasible due to cost or size
Industry Approach
• Users simply press buttons to initiate pairing
• e.g., WiFi Push Button configuration, Bluetooth simple pairing
Susceptible to MITM attacks
Can we get the best of both worlds?
![Page 7: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/7.jpg)
Tamper Evident Pairing (TEP)
• First in-band secure pairing protocol
• Protects from MITM attacks
• Doesn’t require out-of-band channels or passwords
• Formally proven to be secure
• Works on existing 802.11 cards and OS
• Implemented and evaluated on operational networks
![Page 8: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/8.jpg)
How Do We Protect Against MITM Attacks Without Out-of-Band Channels?
• Prior out-of-band systems: Assume attacker can arbitrarily tamper with wireless messages
Can’t trust messages on shared wireless channel
• Our approach: Understand wireless tampering and detect it
Trust un-tampered messages
Collect all messages within a time window; pair if only one message and no tampering
![Page 9: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/9.jpg)
How Can Adversary Tamper with Wireless Messages?
1. Adversary alters message
2. Adversary hides that message was sent
3. Adversary prevents message from being sent
[Diagram: Alice, Bob, Adversary]
![Page 11: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/11.jpg)
How Can Adversary Tamper with Wireless Messages?
1. Adversary alters message
2. Adversary hides that message was sent
3. Adversary prevents message from being sent
[Diagram: Alice, Bob, Adversary; "Collision!"]
Collisions are typical in wireless networks
![Page 12: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/12.jpg)
How Can Adversary Tamper with Wireless Messages?
1. Adversary alters message
2. Adversary hides that message was sent
3. Adversary prevents message from being sent
Occupy the medium all the time
[Diagram: Alice, Bob, Adversary]
Tamper Evident Message:
1. Can’t be altered without detection at receivers
2. Can’t be hidden from the receiver
3. Can’t be prevented from being sent
![Page 13: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/13.jpg)
1. How to Protect From Altering of Messages?
Wireless property: Can’t generate silence from energy
Follow message by message-specific silence pattern
• Silence pattern = Hash of message payload
• Send a random packet for 1 and remain silent for 0
[Timeline diagram: Alice’s Message followed by the pattern 101000001111]
![Page 14: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/14.jpg)
1. How to Protect From Altering of Messages?
Wireless property: Can’t generate silence from energy
Follow message by message-specific silence pattern
• Silence pattern = Hash of message payload
• Send a random packet for 1 and remain silent for 0
[Timeline diagram: Alice’s Message, Alice’s ‘1’ bits]
Changing message requires changing silence pattern
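The silence-pattern check from the slides above, as an added example that is not code from the talk or the TEP implementation. The SHA-256 truncation, the Manchester-style slot coding (used here so that every pattern carries the same number of energy slots) and all function names are assumptions of this example; it models the channel as one where energy can be added to a slot but never removed.

```python
import hashlib

HASH_BITS = 128  # hash length given on the implementation slide

def hash_bits(payload: bytes) -> list:
    # SHA-256 truncated to 128 bits is this example's choice, not the slides'.
    digest = hashlib.sha256(payload).digest()[:HASH_BITS // 8]
    return [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]

def silence_pattern(payload: bytes) -> list:
    # 1 = transmit a random packet in this slot, 0 = stay silent.
    # Assumed Manchester-style coding (1 -> 1,0 and 0 -> 0,1) gives every
    # pattern exactly HASH_BITS energy slots.
    slots = []
    for bit in hash_bits(payload):
        slots += [1, 0] if bit else [0, 1]
    return slots

def on_air(sent: list, injected: list) -> list:
    # Energy only adds: a silent slot can be filled, an occupied slot
    # cannot be emptied.
    return [s | j for s, j in zip(sent, injected)]

def receiver_accepts(payload: bytes, observed: list) -> bool:
    # The receiver recomputes the pattern from the payload it decoded.
    return observed == silence_pattern(payload)

def forge(original: bytes, forged: bytes) -> list:
    # Adversary's best effort: substitute the payload and add energy in
    # every slot where the forged payload's pattern needs a 1.
    return on_air(silence_pattern(original), silence_pattern(forged))

if __name__ == "__main__":
    # Constructed sample payloads.
    alice = b"constructed sample: Alice DH public key"
    mallory = b"constructed sample: adversary DH public key"
    quiet = [0] * (2 * HASH_BITS)
    print("untouched:", receiver_accepts(alice, on_air(silence_pattern(alice), quiet)))
    seen = forge(alice, mallory)
    print("forged payload accepted:", receiver_accepts(mallory, seen))
    print("energy slots seen:", sum(seen), "expected:", HASH_BITS)
```

Because the adversary can only add energy, the observed pattern ends up with more occupied slots than any valid pattern, so neither the original nor the substituted payload verifies.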
![Page 16: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/16.jpg)
2. How to Protect From Hiding the Message?
Time
Alice’s Message
Bob misses the message
![Page 17: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/17.jpg)
2. How to Protect From Hiding the Message?
Send an unusually long packet with random content
[Timeline diagram: Synchronization pkt, Alice’s Message]
![Page 18: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/18.jpg)
3. How Do We Ensure Message Gets Sent?
[Timeline diagram: Synchronization pkt, Alice’s Message]
Force transmit after timeout even if medium is occupied
Message can’t be altered, hidden or prevented, without being detected at receivers
![Page 19: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/19.jpg)
Issue: Unintentional Tampering
• 802.11 devices transmit when channel is unoccupied
Create a number of false positives
[Timeline diagram: Synchronization pkt, Alice’s Message, Silence period, Legitimate transmission]
![Page 20: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/20.jpg)
Issue: Unintentional Tampering
• 802.11 devices transmit when channel is unoccupied
Leverage CTS to reserve the wireless medium
[Timeline diagram: Synchronization pkt, Alice’s Message, Silence period, Legitimate transmission]
![Page 21: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/21.jpg)
Issue: Unintentional Tampering
• 802.11 devices transmit when channel is unoccupied
Leverage CTS to reserve the wireless medium
[Timeline diagram: CTS, Reserved duration, Synchronization pkt, Alice’s Message]
![Page 22: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/22.jpg)
In-Band Secure Pairing Protocol
• Industry: User pushes buttons within 120 seconds
• Timeout after a period greater than 120 seconds
• Pair if only one message is received and no tampering
[Diagram labels: Alice, Bob, Adversary; Push Button (twice); request; reply; Timeout (twice)]
![Page 23: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/23.jpg)
In-Band Secure Pairing Protocol
• Industry: User pushes buttons within 120 seconds
• Timeout after a period greater than 120 seconds
• Pair if only one message is received and no tampering
[Diagram labels: Alice, Bob, Adversary; Push Button (twice); request; reply (twice); Timeout (twice)]
Two replies: No pairing
![Page 24: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/24.jpg)
In-Band Secure Pairing Protocol
• Industry: User pushes buttons within 120 seconds
• Timeout after a period greater than 120 seconds
• Pair if only one message is received and no tampering
[Diagram labels: Alice, Bob, Adversary; Push Button (twice); request; reply (twice); Tamper; Timeout (twice)]
Tampering detected: No pairing
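The pairing rule from the three protocol slides above, as an added example that is not code from the talk or the TEP driver. The `Burst` record, the function names and the 125-second timeout are assumptions of this example; the 12 ms and 17 ms figures come from the implementation slide, and the observations are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_LEGIT_PACKET_MS = 12.0  # slides: max-size IP packet at minimum 802.11 rate
SYNC_MS = 17.0              # slides: chosen sync packet duration

@dataclass
class Burst:
    """One run of continuous energy seen by the receiver (hypothetical record)."""
    start_s: float                # seconds since the local button press
    duration_ms: float
    sender: Optional[str] = None  # identity decoded from the payload, if any
    pattern_ok: bool = False      # silence pattern matched the payload hash

def announcements(bursts: List[Burst], timeout_s: float) -> List[Burst]:
    # Ordinary traffic cannot hold the medium longer than 12 ms, so any
    # longer burst inside the window is treated as a synchronization packet.
    return [b for b in bursts
            if 0 <= b.start_s <= timeout_s
            and b.duration_ms > MAX_LEGIT_PACKET_MS]

def decide(bursts: List[Burst], timeout_s: float) -> Tuple[bool, str]:
    # Collect everything until the timeout, then pair only if exactly one
    # announcement arrived and none showed tampering.
    seen = announcements(bursts, timeout_s)
    if any(not b.pattern_ok for b in seen):
        return False, "tampering detected"
    if len(seen) != 1:
        return False, f"{len(seen)} replies"
    return True, f"pair with {seen[0].sender}"

# Constructed observations for the three cases on the slides.
TIMEOUT_S = 125.0  # assumed; the slides only say "greater than 120 seconds"
cross_traffic = [Burst(3.0, 1.2), Burst(40.5, 4.8)]
bob = Burst(20.0, SYNC_MS, "Bob", True)
CASES = {
    "honest": cross_traffic + [bob],
    "two replies": cross_traffic + [bob, Burst(60.0, SYNC_MS, "Adversary", True)],
    "tampered": cross_traffic + [Burst(20.0, SYNC_MS, "Bob", False)],
}

if __name__ == "__main__":
    for name, bursts in CASES.items():
        print(name, decide(bursts, TIMEOUT_S))
```

The decision is taken only once the timeout has passed, which is why a second reply arriving late in the window still blocks pairing.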
![Page 25: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/25.jpg)
TEP is proven secure
Theorem: If the pairing devices are within radio range and the user presses the buttons, an adversary cannot convince either device to pair with it (except with negligible probability)
Assumptions:
• Don’t confuse hash packets (‘1’) for silence (‘0’)
• Detect synchronization packet
![Page 26: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/26.jpg)
Implementation
• Implemented in the 802.11 driver
• Used Atheros 802.11 cards and Linux
![Page 27: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/27.jpg)
Implementation Challenges
• Minimize duration of hash bits
Use high-definition timers in kernel
40 µs hash bits
128-bit hash function
Less than 5 milliseconds
• Set sync packet longer than any packet
Maximum sized IP packet / Minimum 802.11 bit rate = 12 ms
Pick sync duration as 17 ms
![Page 28: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/28.jpg)
Evaluation
• False negatives
Proved probability of false negatives is negligible
Assumptions
Don’t confuse hash packets (‘1’) for silence (‘0’)
Detect synchronization packet
• False positive
Empirical estimation of its probability
![Page 29: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/29.jpg)
Testbed
• 12 locations over 21,080 square feet
• Each run randomly picks two nodes to perform pairing
![Page 30: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/30.jpg)
Can We Distinguish Between One and Zero Bits?
[Plot: CDF over all locations vs. Normalized Received Power]
![Page 31: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/31.jpg)
Can We Distinguish Between One and Zero Bits?
[Plot: CDF over all locations vs. Normalized Received Power; curve: Zero bits]
![Page 32: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/32.jpg)
Can We Distinguish Between One and Zero Bits?
[Plot: CDF over all locations vs. Normalized Received Power; curves: One bits, Zero bits]
Receiver doesn’t confuse one hash bits for silence
![Page 33: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/33.jpg)
False Positives
• Mistaking cross-traffic energy as sync packet
• Mistaking corrupted hash bits for an attack
![Page 34: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/34.jpg)
Can TEP Mistake Cross-Traffic for Sync Packet?
• Look at SIGCOMM 2010 and MIT network
[Plot: CDF vs. Continuous Energy Duration (in milliseconds)]
![Page 35: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/35.jpg)
Can TEP Mistake Cross-Traffic for Sync Packet?
• Look at SIGCOMM 2010 and MIT network
[Plot: CDF vs. Continuous Energy Duration (in milliseconds); curve: SIGCOMM 2010]
![Page 36: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/36.jpg)
Can TEP Mistake Cross-Traffic for Sync Packet?
• Look at SIGCOMM 2010 and MIT network
[Plot: CDF vs. Continuous Energy Duration (in milliseconds); curves: SIGCOMM 2010, MIT]
Much smaller than 17 ms of the sync packet
Studied networks show zero probability of mistaking cross-traffic for sync packet
![Page 37: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/37.jpg)
Can TEP Mistake Corrupted Hash Bits for Attack?
• Due to CTS WiFi cross-traffic doesn’t transmit during hash bits
• Non-WiFi devices like Bluetooth may still transmit
• Exp: Use Bluetooth to transfer file between Android phones
[Plot: CDF vs. Number of attempts]
![Page 38: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/38.jpg)
Can TEP Mistake Corrupted Hash Bits for Attack?
• Due to CTS WiFi cross-traffic doesn’t transmit during hash bits
• Non-WiFi devices like Bluetooth may still transmit
• Exp: Use Bluetooth to transfer file between Android phones
[Plot: CDF vs. Number of attempts]
Bluetooth is not synchronized with our pairing protocol
TEP works even in the presence of interference from non-WiFi devices such as Bluetooth
![Page 39: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/39.jpg)
Related Work
• Pairing with out-of-band channels (cameras, audio, tactile, infrared,…)
• Work on Integrity Codes
Ensuring message integrity but still requires dedicated out-of-band wireless channels
• TEP is in-band
• Tamper evident messages – Stronger than message integrity
• Purely in-band pairing protocol
![Page 40: Secure In-Band Wireless Pairing](https://reader035.vdocuments.mx/reader035/viewer/2022062315/56815df0550346895dcc1e62/html5/thumbnails/40.jpg)
Conclusions
• First in-band secure pairing protocol
• Protects from MITM attacks
• Doesn’t require out-of-band channels or passwords
• Formally proven to be secure
• Works on existing 802.11 cards and OS
• Implemented and evaluated on operational networks