Uploads Contact
/
Login Upload
Deniable Liaisons Abhinav Narain Nick Feamster Alex C Deniable Liaisons Abhinav Narain Nick Feamster Alex C

Deniable Liaisons Abhinav Narain Nick Feamster Alex C - PDF document

briana-ranney
briana-ranney . @briana-ranney
Follow
428 views
Uploaded On 2015-05-27
About Share Download

Deniable Liaisons Abhinav Narain Nick Feamster Alex C - PPT Presentation

Snoeren Georgia Tech UC San Diego nabhinavfeamster ccgatechedu snoerencsucsdedu Abstract People sometimes need to communicate directly with one another while concealing the communication itself Existing systems can allow users to achieve this level ID: 75606

Snoeren Georgia Tech

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "Deniable Liaisons Abhinav Narain Nick Fe..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

astheyrequirethesendertoretransmittheoriginalframe;yet,inourcase,theyprovideanopportunitytohidecommunications.DenaLicreatesspuriouscorruptframesbyinjectingcovertmessagesintoframescarryingcovertrafcdirectedtowardinnocuousdestinations.Sincetheseframesareindeedcorrupt,theywillnotbeforwardedbytheaccesspointtotheirapparentdestination.Instead,othernodesintheWiFinetworkthatoverheartheframeandpossestheappropriatesecretkeycanextractanddecrypttheinjectedpayload.DenaLiisconceptuallysimple,andachievinganonymityandcon-dentialityiseasyenough—anyreasonableencryptiontechniquewillsufce.Thechallengesentaildesigningthecommunicationschannelsothattheresultingstreamofcorruptedframesisdeniable,whichrequiresbothunderstanding(andmodeling)thepropertiesofbiterrorsinan802.11wirelesscommunicationschannelandappro-priatelymodelingtheattacker.Todoso,webuildonpreviousworkthatstudiesbit-errorcharacteristicsinthewirelessmedium,andper-formourownmeasurementstounderstandtheseerrorcharacteristicsinvarioussettingsandfordifferentencodings.Wedevelopamodi-ed802.11wirelessdriverthatmodulatesthecovertmessageoverastreamofcovertrafcinsuchawaythattheresultingsequenceofcorruptedframesmimicstheexistingpatternofcorruptioninthewirelesschannel.DenaLitrafcmatchesnaturallyoccurringwire-lesscorruptionbothintermsofthefrequencyofcorruptedframesandthebitpositionswithintheframesthatarecorrupted.DenaLiprovidesdeniabilityinasettingwhereanadversarycanobservewirelesscommunicationsinthelocalarea,butcannotgetveryclosetothesuspectedsender.Anadversarywhoobservestrans-missionssufcientlyclosetothesendercouldinferthepresenceofahiddenmessagechannelduetothe(relatively)highlevelofpacketcorruptionnearthepointoftransmission.Weenvisionthatintypicalcasesanadversarywouldnotbetargetinganindividualsenderbutwouldratheronlybeinapositiontomonitoragroupofusers(e.g.,inthemidstofalargergroup,perhapsclosetotheaccesspoint).Inthesecases,wedemonstratethroughempiricalmeasurementsthatdistinguishingDenaLitransmissionsfromnat-urallyoccurringcorruptedwirelessframescanbemadearbitrarilydifcultformessageratesthatcaneasilysupporttheexchangeofshortcovertmessages.Weshowthroughextensivecontrolledexper-imentswithrealwirelesschipsetsthatwhenwecloselymatchtheframeerrorrateandbiterrordistributionsoftheexistingwirelesschannel,DenaLiachievesabiterrordistributionpatternthatisindis-tinguishablefromnaturallyoccurringerrors.Toachievethislevelofdeniability,throughputisquitelow(sufcientforexchangingonlysmallmessagesor“tweets”),butthesendercan,ofcourse,acceptlessdeniabilityinexchangeforhigherthroughput,atradeoffthatweexploreinourevaluation.Trafcthattheuserisalreadysendingaspartofnormalcommunicationcanprovidethenecessarycovertrafc,whichmeansthatDenaLidoesnotneedtocreateadditionalcovertrafcbutcanratherhideitsmessagesintheuser'sexistingtrafc.Ourworkpresentsseveralcontributions.First,werecognizethattheincreasingneedforanonymous,deniablecommunicationsinsettingswherepartiesarephysicallyclosetooneanothercallsforanewclassofcommunicationstools.Second,weobservethatinthesesettings,theubiquityofotherWiFicommunication(andthecorrespondingwirelessframecorruption)canserveasusefulcovertoconcealcommunications.Third,wedenethenotionofdeniabilityinthiscontextanddesignamodulationschemethatachievesdeniabilitybymatchingthecorruptionpropertiesofthedeniablemessagestothatofthecovertrafc.Finally,weimplementandevaluateaprototypesystembasedonthisdesign.Therestofthepaperproceedsasfollows.Section2surveysrelatedworkinanonymouscommunication,detectionofcovertchannels,andwirelesserrorsandcorruption.Section3denesourexpectedusagescenarioandoutlinesourbasicapproach,threatmodel,anddesigngoals.Section4describesthedesignoftheDenaLicommunicationchannelindetail.Section5describesourprototypeimplementationsandexplainsthechangeswemadetothewirelessdrivertoenableDenaLi.WeevaluateDenaLiinSection6,discusslimitationsandfutureworkinSection7,andconcludeinSection8.2RelatedWorkWerstsurveyrelatedworkonrelatedanonymousanddeniablecommunicationssystems.Wethendiscussvariousstudiesofwire-lessinterferenceandchannelpropertiestodesignDenaLi.2.1AnonymousCommunicationsDenaLi'sdesignisinspiredbyRivest'sproposalforchafngandwinnowing,wherebyasenderdisguisestherealmessageintendedfortherecipientbyincludingadditional“chaff”onthesamechan-nel[22].Withknowledgeofasharedsecret,therecipientcanidentifyanddiscardthechaff,leavingonlythemessageinquestion.UnlikeRivest,however,wefurtherencryptthemessagetomakeiteasiertoefcientlyinjectintothechaffwithoutdisturbingthestatisticalpropertiesoftheaggregate.DenaLiistherstsystemtoprovideapoint-to-pointdeniablecommunicationchannelinaWiFinetworkusingcommodityhard-ware.Previousworkhassketchedsystemsthatusecorruptedwire-lessframestocreateacovertchannelover802.11frames[19,25]butnopreviousworkhasmovedbeyondpaperdesigns.Calhounetal.designedandsimulatedacovertchannelbaseduponvaryingthelinkrate[2].Thisworkispurelysimulation-basedanddevelopsneitheraworkingprototypenoracommunicationprotocolforex-changingmessages.Noneofthepreviousworkanalyzesdeniabilityinthepresenceofanadversarythatcanmonitorchannelquality.Manyexistinganonymouscommunicationssystemsaimtopro-videvariouslevelsofanonymityinthewidearea.OneofthemostwidelyusedanonymouscommunicationssystemsisTor[7],whichallowscommunicatingpartiestoestablishanonymouscommuni-cationschannelsviaalayeredencryptiontechniquecalledonionrouting[10].UsersofTorestablishcircuitstocommunicatewitheachotheranonymouslyinthewide-area.Torprovidesanonymitybutnotdeniability,inthesensethatusersofTorcanconcealwhotheyaretalkingto,butnotthefactthattheyarecommunicatingusingTor(infact,Torisblockedinmanycountriesoutright).De-naLi'sfocusisdifferentthanTor's:itaimstoenableanonymousanddeniablecommunicationinsettingswherethecommunicatingpartiesarephysicallyclosetooneanother.DenaLibearssimilaritytoothercensorshipcircumventionsys-temsthataimtoachievedeniabilityandcovertnessinadditiontocondentialityandanonymity.TwosuchsystemsthatoperatefromendsystemsareInfranet[9]andCollage[1].Thesesystemsal-lowparticipantstoestablishcommunicationsunderthecoverofinnocuousWebtrafc:thecensoronlyseesWebrequeststhatarestatisticallyindistinguishablefromnormaluserbehavior,thuspro-vidingtheuserwithanimportantdegreeofdeniability,inadditiontocondentiality.OtherrecentsystemssuchasTelex[28],Cirri-pede[13],andDecoyRouting[15]aimtoachievesimilarlevelsofdeniabilitybydeployinginfrastructureinthecoreofthenetwork Figure4:Stepsinvolvedinexchangingmessagesusingcorruptedframes.framewherethemessageshouldbeinserted;and(3)computesanHMACoverthemessageciphertext.Thesendertheninsertsbitscorrespondingtothehiddenmessagelength,theHMAC,andthehiddenmessageitselfasablockintothecorruptedframe.WedescribetheprocessofcomputingtheframeoffsetandtheHMACbelow.Inadditiontothesessionkey,thesenderusestheTCPsequencenumberandacknowledgmentnumberassaltstocomputetheframeoffsetforthehiddenmessage.Doingsohelpsrandomizetheoffset,sothattheinsertedbitsarenotalwaysinthesamelocationinthecorruptedframe;randomizingtheoffsetmakesitdifcultforanadversarywhoiseavesdroppingtoascertainthepresenceofahiddenmessage,sincethelocationofthecorruptedbitsthatcontainthehiddenmessagewillbedifferentforeachpacket.Weconsideredusingapseudo-randomnumbergeneratorwithaninitialseedtoallowthesenderandreceivertocomputethisoffset;theproblemindoingsoisthatifanycorruptedframecontainingahiddenmessageislost,reordered,oritselfcorrupted,thereceiverandsenderwilllosesynchronization.Instead,DenaLiusestheoutputofapubliccryptographichashfunctionthatusestheTCPsequencenumber,acknowledgmentnumber,andsharedsecret(or,inthecaseoftheinitialkeyexchange,thereceiver'spublickey)astheinputforcomputingtheoffset.Thus,alloftheinformationthatthereceiverneedstoextractthehiddenmessagefromtheframeispresentintheframeitself.Unlesstheadversaryhasthesharedsecret,itcannotdeterminetheoffsetofthearticiallycorruptedburstsequence.Becausetheinjectedframeiscorrupt(i.e.,itslayer-twochecksumisinvalid),thereceivernolongerhasaninherentwaytodeterminetheintegrityoftheframe—or,morespecically,theembeddedDenaLimessagewithin—itreceives.Inlieuofthe(nowcorrupted)framechecksum,aDenaLisenderalsoincludesanHMACcomputedoverthehiddenmessagecontentsthatiskeyedonthesessionkey,theTCPsequencenumber,andtheacknowledgment.Themessage'sHMACisprependedtothehiddenmessagebeforetheresultingbitsareinsertedintotheframe.Theastutereadermightobservetwonuancesaboutthewaythatthesenderembedsthemessageintoacorruptedframe.First,themessagelengthisincluded“intheclear”.Includingthemessage Figure5:Checkingtheintegrityofreceivedhiddenmessages.lengthintheclearisnecessarybecausethenumberofbitscorre-spondingtothehiddenmessagevaries(bothbydesigntomakedetectionmoredifcult,andasanaturalresultoftheoriginalmes-sagesizes).Becauseboththevalueofthemessagelengthandtheoffsetwithintheframewherethebitsindicatingthemessagelengthvaryper-frame,recognizingapatternwouldbedifcult.Asendercould,ofcourse,introducemoreentropyintothemessagelengthvaluebyrandomizingtheblocksizeforeachblockthatitinjectsintoacorruptedframe,makingitessentiallyimpossibletoidentifythepresenceofthemessagelengthvalue,attheexpenseofchannelthroughput.Second,allofthecorruptedbitsareinjectedintotheframeasasingleblockratherthaninterspersedatrandombitlocationsthrough-putthepacket.Previousworkhasestablishedthatwirelessbiterrorstendtooccurascorruptedblocks[12],notasindividualcorruptedbits.Additionally,becausetheDenaLisenderinjectsciphertextintootherciphertext(i.e.,theSSLstreamthatservesasthechaff),interspersingtheblockthroughputthepacketdoesnotincreasecovertness:Becauseboththehiddenmessageandthechaffareen-crypted,theadversarycanseethattheframeiscorrupted,buthasnostraightforwardwayofdeterminingthebitpositionscorrespondingtothecorruption,unlesshehasthecorrespondinguncorruptedver-sionoftheframe.InjectinganencryptedmessageintoSSLpayloadmakesthelikelihoodofeverybittobecorruptedtobe0:5.ReceivinganddecodingToreceivethehiddenmessage,there-ceiverpollsthewirelessmediumforallthecorruptedframesandattemptstodecodeanddecryptthebitsineachcorruptedframethatarelocatedattheappropriateoffset,whichiscomputedasafunctionofboththesessionkeyandtheTCPsequencenumberandacknowledgmentnumbersinthepacketheader.Thereceivercanapplythesamefunctiontodeterminetheappropriateoffsetofthemessageinthecorruptedframetoextracttheciphertextanddecryptittorecoverthesessionkey,whichwillbeusedtoencryptfuturemessagesandasaninputforcomputingtheframeoffsets.Uponhearingacorruptedframeinthewirelessmedium,thereceiverextractsthegrainfromthechaffbycomputingtheoffsetwherethehiddenmessageisexpected(asafunctionofthekeyandtheTCPsequenceandacknowledgmentnumberscontainedintheframe)oneverycorruptedframe,extractingthebitsthatshould Figure6:Processingofan802.11wirelessframeatthehost,andthetwomodicationsthatwemaketoenableDenaLi:(1)settingthenumberofretransmissionstozerothroughtheSoftMACimplementation;(2)disablingtheframechecksumcomputationtoallowtheinterfacetotransmitthecorruptedframe.(andtheadversary)arelocated.Althoughtheinstantaneousframeerrorratecannotbemodeledpreciselybecausethetypeandfre-quencyofeventsthatcauseinterferenceorframelossareinherentlyrandom,wecancalculatetherateofcorruptionoftheframesinalivecaptureofacollectedpackettraceandattempttomimicthatdistribution.DenaLiusersmaintainstatisticsregardingthepacketerrorrateofnormalframessothattheycaninjectcorruptedframesinawaythatmimicsthenaturallyoccurringpacketcorruptioninthecurrentenvironment.Inchannelsthataresubjecttocorruptionratesthatarehigherormorevariable,DenaLiparticipantscaninjecthiddenmessageswithhigherfrequency.WeexploretherelationshipbetweentheamountofnoiseinthechannelandthethroughputthatwecanachievelaterinSection6.3.Thebiterrordistributionisthedistributionofthebiterrorsinspecicpositionswithinacorruptedframe.Anadversarywhocap-turestheframesmayanalyzethecorruptedframestocomparetheerrorpatterns.Wemodifythecontentsoftheintentionallycorruptedframeinsuchamannerthatitisdifculttodifferentiateactuallycorruptedbitsfromthecraftedcorruptedframe.Ourgoalistoinjectbiterrorsintopacketsinsuchawaythattheresultingdistributionofbiterrorsresemblesabit-errorpatternthatwouldresultfromthecor-ruptionofoneormoresymbolsinanencodedwirelesspacket.Theexactbit-errorpatternisdifculttomodelbecausethesepatternsdependonhowthesendermodulatespackets.Inlieuofconductingadditionalexperimentsonbiterrorratesourselves,wefollowtheassumptionsfromtheMaranellostudy[12],whichsuggeststhatthebiterrorsinaframeoccurinchunks,duetothelossofsyn-chronizationbetweenthesenderandreceiverortheburstynatureofinterferenceinthewirelesschannel,unlikeuniformcorruptionofbitsinthewholeframe.Inourevaluation,weuseDenaLitocorruptspecicbiterrorpatternsinsuchawaythatmimicstheseobserveddistributions.Wealsonotethatthefartherthatthesenderisfromtheadversary,themorelikelythattheadversarywillobservenaturallyoccurringframecorruption,whichshouldmakeitmoredifculttodistinguishnaturallyoccurringcorruptionfromarticialcorruption.6.2SecurityGoalThesecurityofDenaLirequiresthat:(1)sendingahiddenmes-sageusingDenaLicreatesaperturbationofthewirelesschannel'spacketerrorrateandbiterrordistributionthatisstatisticallyindistin-guishablefromifaDenaLimessagehadnotbeensent(deniability);(2)theadversarycannotrecoverthemessages(condentiality).AsthecondentialityofDenaLireliesonthestrengthofexistingen-cryptiontechnologies,wefocusondeningandevaluatingDenaLi'sdeniabilityproperties.Consideranadversarywhoobservesthepropertiesofthewirelesschannelfromaparticularlocation.Theadversarycanempiricallymeasureboththepacketerrorrateforasequenceofframes,andthebiterrordistributionswithineachcorruptedframe.SupposethattheadversaryhastwopackettracesPandP0,wherePisapackettracewithoutDenaLicommunicationandP0isatracewithDenaLicommunication.DeniabilitysaysthattheadversarycannotdeterminewhichtracehasDenaLicommunicationwithprobabilitygreaterthan1=2+e.Iftheadversarycancorrectlydetectthepres-enceofacovertchannelwithprobabilitygreaterthan1=2+e,thentheadversarywins.Similarly,supposealsothattheadversaryrunsamaximumlike-lihooddetectorbasedonobservationsofbiterrordistributionsincorruptedframestodetectthepresenceofaDenaLichannelbasedondeviationsintherespectivedistributions.Accordingtothedef-initionofdeniabilityabove,ifeiszero,thebestthresholdthatanadversarycoulddesignwouldbeunabletodistinguishthetwodistributionsofbiterrorpatternsdrawnfromPandP0.Theepa-rametermeasurestheextenttowhichthetwodistributionsdonotoverlap.Wequantifythedegreetowhichthetwodistributionsdonotoverlap(whichcorrespondstotheprobabilitythattheadver-sarysucceeds)usingthePearsoncorrelationcoefcientbetweenthetwodistributions[24].eissimplyhalftimesoneminusthecorrelationcoefcient.Formally,wedenotethebiterrordistribu-tionfrompackettraceP0asf0(x),wherexisthebitpositioninthepacket;similarly,thenormalbiterrordistributionfrompackettracePisf(x).Foreachofthedistributionsthatareparameterizedbyframeerrorrateandbytesinjectedperframe,wecomparethetwodistributionsasfollows:e=1=2�cov(f(x);f0(x)) 2sf(x)sf0(x)Notethatwecanmakeearbitrarilysmall:IfDenaLiinjectsnobitsfromthehiddenmessage,thenaturallyoccurringbiterrordistribu-tionisunperturbed,andthetwodistributionsareindistinguishable,bothbydenitionandbyconstruction.Suchachannel,ofcourse,isuselessbecauseitsthroughputiszero.Increasingthethroughputofthehiddenchannelbyinjectingadditionalcorruptedframesandintroducingbiterrorsthatdeviatefromthenaturallyoccurringbiterrorsperturbstheunderlyingdistribution.Thus,thereisatradeoffbetweenthedegreetowhichthebiterrordistributionisperturbed(i.e.,thenumberofbitsfromthehiddenmessagethatweinjectintoanycorruptedframe)andtheresultingthroughput.Thepacketerrorratealsohasanaturallyoccurringvaluethatvariesovertime.SupposethatforagiventimeintervaliinpackettraceP,theadversaryobservesapacketerrorratefi.Then,theadversarycanobserveadistributionF=ff1;f2;:::;fngandacor-respondingdistributionF0forpackettraceP0.WesaythatthepacketerrorrateinducedbyrunningDenaLiachievesdeniabilityiftheadversarycannotsucceedindistinguishingFandF0withaprobabilitygreaterthan1=2+e.Bydeningeaccordingtothe (a)Thebit-errordistributionfromtheperspectiveoftheDenaLisender,givena23KBmessageanda70-byteTUNMTU. (b)Naturalbiterrordistribution. (c)ThebiterrordistributionaftertheDenaLiperturbationfrom(a)isadded.Figure7:Bit-errordistributioninaninjectedDenaLiframeatthesender,andbiterrordistributionsasviewedatamonitor,withandwithoutinjectedDenaLiframes.distancebetweenthesetwodistributions,wecandeterminethenum-berofcorruptedpacketsthataDenaLisendercaninjectsubjecttoanupperboundone.Inprinciple,aDenaLisendercandetecttheaveragepacketerrorrateforsometimeintervalandtransmitcorruptedpacketsinawaythattracksthispacketerrorratewithinsomeboundofe.Forthepurposesofourevaluation,wehavexedthepacketerrorrate,butinpracticeitmightvary.Becausepacketcorruptionisalocalphenomenonthatiserraticandunpredictable,ne-grainedcontroloverthisstatisticmaynotbenecessaryorusefulinpractice.6.3EvaluatingDeniabilityvs.ThroughputInthissection,weevaluatethetradeoffbetweendeniabilityandthroughputoftheDenaLichannelusingourprototypeimplementa-tion.Werstdescribetheexperimentalsetupandthenpresenttheresults.6.3.1ExperimentalsetupWedesignanexperimentwithasender,areceiver,andasingleadversary.Eachdeviceisalaptop,wherethesenderandreceiverareconguredasdescribedinSection5.ThesendergeneratescovertrafcbybrowsingGmailoverasecureHTTPconnection.Theadversaryisathirdlaptopwithawirelessinterfacecardcongured

Related Contents


Aggregate Dynamics for Dense Crowd Simulation Rahul Narain Abhinav Golas Sean Curtis Ming
Aggregate Dynamics for Dense Crowd Simulation Rahul Narain Abhinav Golas Sean Curtis Ming PDF document
469 views
Les liaisons
Les liaisons PDF document
445 views
On Minimal Assumptions for Sender-Deniable Public Key Encry
On Minimal Assumptions for Sender-Deniable Public Key Encry PDF document
391 views
On Minimal Assumptions for Sender-Deniable Public Key Encryption
On Minimal Assumptions for Sender-Deniable Public Key Encryption PDF document
361 views
Outsourcings Pvt. Ltd.
Outsourcings Pvt. Ltd. PDF document
367 views
Making Sense of Internet Censorship A New Frontier for Internet Measurement Sam Burnett
Making Sense of Internet Censorship A New Frontier for Internet Measurement Sam Burnett PDF document
627 views
YALSA Liaisons 1 The Role & Tasks of Liaisons in YALSA Board Liaison D
YALSA Liaisons 1 The Role & Tasks of Liaisons in YALSA Board Liaison D PDF document
399 views
Les liaisons intermoléculaires
Les liaisons intermoléculaires PDF document
400 views
Les liaisons intermoléculaires
Les liaisons intermoléculaires PDF document
415 views
Effects of contention on message latencies in large superco
Effects of contention on message latencies in large superco PDF document
369 views
A Case Study of Communication Optimizations on 3D Mesh Inte
A Case Study of Communication Optimizations on 3D Mesh Inte PDF document
438 views
Datadriven Visual Similarity for Crossdomain Image Matching Abhinav Shrivastava Carnegie
Datadriven Visual Similarity for Crossdomain Image Matching Abhinav Shrivastava Carnegie PDF document
620 views
Next Show more