Privacy, Discovery, and Authentication for the Internet of Things

TL;DR

This paper introduces lightweight, provably secure privacy-preserving protocols for service discovery and mutual authentication in IoT, addressing privacy leaks in existing protocols and enhancing privacy in systems like Apple AirDrop.

Contribution

Develops two novel protocols for private service discovery and mutual authentication that are lightweight, secure, and compatible with existing systems, improving privacy in IoT and mobile environments.

Findings

Protocols are provably secure in the Canetti-Krawczyk model.

Benchmarks show minimal overhead across various hardware platforms.

Enhanced privacy for Apple AirDrop using the proposed protocols.

Abstract

Automatic service discovery is essential to realizing the full potential of the Internet of Things (IoT). While discovery protocols like Multicast DNS, Apple AirDrop, and Bluetooth Low Energy have gained widespread adoption across both IoT and mobile devices, most of these protocols do not offer any form of privacy control for the service, and often leak sensitive information such as service type, device hostname, device owner's identity, and more in the clear. To address the need for better privacy in both the IoT and the mobile landscape, we develop two protocols for private service discovery and private mutual authentication. Our protocols provide private and authentic service advertisements, zero round-trip (0-RTT) mutual authentication, and are provably secure in the Canetti-Krawczyk key-exchange model. In contrast to alternatives, our protocols are lightweight and require minimal modification to existing key-exchange protocols. We integrate our protocols into an existing open-source distributed applications framework, and provide benchmarks on multiple hardware platforms: Intel Edisons, Raspberry Pis, smartphones, laptops, and desktops. Finally, we discuss some privacy limitations of the Apple AirDrop protocol (a peer-to-peer file sharing mechanism) and show how to improve the privacy of Apple AirDrop using our private mutual authentication protocol.