Privacy, Discovery, and Authentication for the Internet of Things
Authors: D. Wu, A. Taly, A. Shankar, and D. Boneh
Abstract:
Automatic service discovery is essential to realizing the full potential of
the Internet of Things (IoT). While discovery protocols like Multicast DNS,
Apple AirDrop, and Bluetooth Low Energy have gained widespread adoption across
both IoT and mobile devices, most of these protocols do not offer any form of privacy control
for the service, and often leak sensitive information such as service type,
device hostname, device owner's identity, and more in the clear.
To address the need for better privacy in both the IoT and the mobile landscape,
we develop two protocols for private service discovery and private mutual
authentication. Our protocols provide private and authentic service
advertisements and zero round-trip (0-RTT) mutual authentication, and are
provably secure in the Canetti-Krawczyk key-exchange model. In contrast to
alternatives, our protocols are lightweight and require minimal modification
to existing key-exchange protocols. We integrate our protocols into an
existing open-source distributed applications framework, and provide
benchmarks on multiple hardware platforms: Intel Edisons, Raspberry Pis, smartphones,
laptops, and desktops. Finally, we discuss some privacy limitations of the Apple
AirDrop protocol (a peer-to-peer file sharing mechanism) and show how to
improve the privacy of Apple AirDrop using our private mutual authentication
protocol.
Reference:
In Proceedings of ESORICS 2016, pp. 301-319.
Full paper: pdf