Identifying Close Friends on the Internet - Randy Baden, Bobby Bhattacharjee, Neil Spring - PowerPoint PPT Presentation


SLIDE 1

Identifying Close Friends on the Internet

Randy Baden, Bobby Bhattacharjee, Neil Spring (from HotNets09)

SLIDE 2

Problem

  • Security and privacy are only as good as the user's ability to identify with whom they wish to communicate
  • Consequences of compromised friend edges: spam, phishing, viruses, privacy leaks, identity theft
  • Correctly identifying online social network (OSN) users is difficult
    – Impersonation is easy [Bilge et al., WWW '09]
    – Scale and context are unlike well-studied settings
SLIDE 3

Impersonation

  • Copy public information from a different social network to create an impostor account
  • Clone public information on the same social network
  • Most users will not notice that there are two identical accounts, even if they have already added the friend
  • Optionally, first infiltrate the user's social circle to invade privacy, then also clone private information

SLIDE 4

Solution

  • Public key infrastructure (PKI)
    – Usually: a centralized, trusted certificate authority publishes public keys for the actors in the system
    – No central authority can verify the identity of every user of an OSN
  • Decentralized identity verification
    – Users are responsible for verifying the identities of their neighbors in the social graph
    – Advantage: OSN users have social knowledge
SLIDES 5–7

Exclusive Shared Knowledge

  • Ask a question that only the friend can answer
  • Some real examples
    – Which celebrity do I always get confused with Sean Penn?
      Liam Neeson
    – How much did we spend on drinks last night? (nearest dollar, no $)
      104
SLIDE 8

Challenges

  • Designing a protocol that resists known attacks
  • Evaluating the security of shared knowledge
SLIDE 9

Asker Impersonation

Figure: Loki, posing as Iron Man, puts Iron Man's question "When didst we first assemble?" to Thor, obtains the answer 1963, and replays 1963 to Iron Man. Iron Man incorrectly believes that Loki is Thor.

Consequence: verification is one-way; the asker identifies the askee.

SLIDE 10

Askee Impersonation

Figure: Iron Man asks Loki, whom he takes for Thor, "What was Henry Pym's wife's name?" Loki guesses "Uhh... Janet?", and Janet is the correct answer: the impostor guesses the correct answer.

Consequences: the answer space should be large; the protocol should not reveal information.

SLIDE 11

Protocol

  • Desired properties
    – One-way verification: at the end, the asker learns/confirms the askee's public key
    – Zero-knowledge proof of possession of shared knowledge
    – Interactive: immune to offline dictionary attacks
  • Existing protocol: SPEKE [Jablon, Sigcomm96]
    – Establishes a secure channel based on a shared passphrase
    – Can be applied over an OSN as a browser extension
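The exchange the slide proposes, written out as an added example (this is not code from the paper or from Jablon's SPEKE paper): both sides turn the secret answer into the group generator g = H(answer)^2 mod p, run a Diffie-Hellman exchange in that generator, and confirm the resulting key; the askee then sends its public key under a MAC with that key, so the asker ends up holding the key of whoever knew the answer. A wrong guess gives the impostor a different g, so key confirmation fails, and the transcript contains only group elements, leaving an eavesdropper nothing to test a guessed answer against offline. Assumptions: the question and answer come from slides 5–7; the 65-bit safe-prime group, found deterministically at import time, stands in for a 2048-bit one; the HMAC-based key confirmation and key binding are this example's construction around the SPEKE key agreement, not part of the slides; the askee's public key is an opaque byte string.

```python
import hashlib
import hmac
import secrets

# Miller-Rabin bases that make the test exact for every n < 3.3e24 (our p has 65 bits).
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_above(start: int) -> int:
    """Smallest safe prime p = 2q + 1 whose q is an odd prime >= start (deterministic)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

# A 65-bit group keeps the example instant; a deployment would plug in a
# 2048-bit safe-prime group (e.g. RFC 3526 group 14) and change nothing else.
P = safe_prime_above(1 << 63)
Q = (P - 1) // 2
NBYTES = (P.bit_length() + 7) // 8
QUESTION = "Which celebrity do I always get confused with Sean Penn?"   # from the slides

def normalize(answer: str) -> str:
    """Canonicalise free-text answers (case, spacing); the slides' "(nearest dollar, no $)" hint does this by hand."""
    return " ".join(answer.lower().split())

def generator(question: str, answer: str) -> int:
    """SPEKE generator g = H(answer)^2 mod p: squaring puts g in the order-q subgroup;
    the counter re-hashes past the rare degenerate values 0, 1 and p-1."""
    for counter in range(256):
        h = hashlib.sha256(f"{counter}|{question}|{normalize(answer)}".encode()).digest()
        g = pow(int.from_bytes(h, "big") % P, 2, P)
        if g not in (0, 1, P - 1):
            return g
    raise ValueError("could not derive a generator")

class Party:
    """One side of the exchange; `pubkey` is the long-term key the askee wants bound to it."""

    def __init__(self, question: str, answer: str, pubkey: bytes = b""):
        self.pubkey = pubkey
        self.g = generator(question, answer)
        self._exp = secrets.randbelow(Q - 1) + 1      # private exponent in [1, q-1]
        self.share = pow(self.g, self._exp, P)        # g^x, sent to the peer in the clear
        self.key = None

    def derive_key(self, peer_share: int) -> None:
        # Reject 0, 1 and p-1: each would fix the shared secret regardless of our
        # exponent (the small-subgroup check every PAKE has to do).
        if not 1 < peer_share < P - 1:
            raise ValueError("invalid peer share")
        secret = pow(peer_share, self._exp, P)
        self.key = hashlib.sha256(secret.to_bytes(NBYTES, "big")).digest()

    def tag(self, label: bytes) -> bytes:
        """Key-confirmation / binding MAC under the derived session key."""
        return hmac.new(self.key, label, "sha256").digest()

def verify_askee(asker_answer: str, askee_answer: str, askee_pubkey: bytes,
                 question: str = QUESTION):
    """Run the exchange; return the askee's public key if it proved knowledge of the
    answer, else None. A wrong answer gives the askee a different g, so the two
    session keys disagree and every tag fails."""
    asker = Party(question, asker_answer)
    askee = Party(question, askee_answer, askee_pubkey)
    asker.derive_key(askee.share)        # msg 1, askee -> asker: its share
    askee.derive_key(asker.share)        # msg 2, asker -> askee: its share
    # msg 3, askee -> asker: key confirmation plus its public key under a MAC
    confirm = askee.tag(b"confirm:askee")
    bound_pk = askee.tag(b"pubkey:" + askee.pubkey)
    if not hmac.compare_digest(confirm, asker.tag(b"confirm:askee")):
        return None
    if not hmac.compare_digest(bound_pk, asker.tag(b"pubkey:" + askee.pubkey)):
        return None
    return askee.pubkey
```

`verify_askee("Liam Neeson", "liam  neeson", b"thor-key")` returns `b"thor-key"`, while `verify_askee("Liam Neeson", "Janet", b"loki-key")` returns `None`: the impostor from slide 10 only gets through if the guess is actually right, which is why the slide asks for a large answer space. The check on the peer's share is the part most often forgotten in home-grown PAKEs; without it a peer can send 1 or p-1 and force the secret to a known constant.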
SLIDE 12

Can Users Ask Good Questions?

A user study and a Facebook game

SLIDE 13

Rules

  • Users are rewarded for forming “bonds”
  • Users are punished for having their bonds broken
  • Users are rewarded for breaking bonds
  • Crowdsourced security penetration testing

                Asker          Askee          Impostor
  Bond Made     +1 per bond    +1 per bond
  Bond Broken   -2 per bond    -1 per bond    +1 per impostor

SLIDE 14

Data Collection

  • April – June 2009
  • 171 registered participants
    – 70 did not ask, answer, or try to break bonds
    – 92 asked or answered at least once
    – 9 only tried to break bonds
  • Results consider only the 101 active participants

SLIDE 15

Friend Graph (figure)

SLIDE 16

Bond Graph (figure)

SLIDE 17

Ability To Ask (figure)

SLIDE 18

Break Attempts

                Friend   Stranger   All
  Unsuccessful  50%      44%        94%
  Successful    5%       1%         6%
  All           55%      45%        100%

SLIDE 19

Web of Trust (figure)

SLIDE 20

Web of Trust (figure)

SLIDE 21

Conclusion

  • Users can
    – Use exclusive shared knowledge to identify one-hop neighbors in a social network
    – Sign and publish identifications to identify multi-hop neighbors and confirm verifications
      80% of broken bonds in the experiment also had a good path
  • Enables a social PKI, useful for secure systems
  • Bond Breaker is just part of the big picture
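The sign-and-publish step of the conclusion, and the "good path" idea behind it, as an added example (not the authors' code): after a user has verified a one-hop neighbour with the question protocol, they sign and publish a statement "I verified that <name> holds key <fingerprint>"; another user can then identify a multi-hop neighbour by finding a chain of such statements that starts from keys they verified themselves. Assumptions: the character names come from the slides' figures; Lamport one-time signatures over SHA-256 stand in for whatever signature scheme a social PKI would use, purely so the example needs nothing outside the standard library; the record format and the breadth-first search are constructed here. The demo also shows the two checks a verifier must not skip: that the published key set really hashes to the fingerprint being trusted, and that the signature covers exactly the (name, fingerprint) pair the record claims.

```python
import hashlib
import secrets
from collections import deque

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes) -> list:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def _fingerprint(pk: list) -> bytes:
    """Short identifier for a whole public key set."""
    return H(b"".join(h for key in pk for pair in key for h in pair))

class Identity:
    """A user holding a few Lamport one-time keys, one per published statement.
    Lamport is used only because it needs nothing beyond SHA-256; the web-of-trust
    logic below does not depend on the scheme."""

    def __init__(self, name: str, n_keys: int = 4):
        self.name = name
        self._sk = [[(secrets.token_bytes(32), secrets.token_bytes(32))
                     for _ in range(256)] for _ in range(n_keys)]
        self.pk = [[(H(a), H(b)) for a, b in key] for key in self._sk]
        self.fingerprint = _fingerprint(self.pk)
        self._used = 0

    def sign(self, msg: bytes):
        """Reveal one preimage per bit of H(msg); a one-time key is never reused."""
        if self._used >= len(self._sk):
            raise RuntimeError("one-time keys exhausted")
        idx, self._used = self._used, self._used + 1
        return idx, [self._sk[idx][i][b] for i, b in enumerate(_bits(H(msg)))]

def lamport_verify(pk: list, msg: bytes, idx: int, sig: list) -> bool:
    if not 0 <= idx < len(pk) or len(sig) != 256:
        return False
    return all(H(s) == pk[idx][i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))))

def statement_msg(subject_name: str, subject_fp: bytes) -> bytes:
    return b"verified:" + subject_name.encode() + b":" + subject_fp

def publish(signer: Identity, subject_name: str, subject_fp: bytes) -> dict:
    """Record a signer publishes after verifying `subject` one hop away."""
    idx, sig = signer.sign(statement_msg(subject_name, subject_fp))
    return {"signer": signer.fingerprint, "signer_pk": signer.pk,
            "subject": subject_name, "subject_fp": subject_fp, "idx": idx, "sig": sig}

def record_is_valid(rec: dict, signer_fp: bytes) -> bool:
    """The key set must hash to the fingerprint we trust, and must have signed
    exactly the (name, fingerprint) pair the record claims."""
    return (rec["signer"] == signer_fp
            and _fingerprint(rec["signer_pk"]) == signer_fp
            and lamport_verify(rec["signer_pk"], statement_msg(rec["subject"], rec["subject_fp"]),
                               rec["idx"], rec["sig"]))

def find_path(trusted: dict, records: list, target: str):
    """BFS from directly verified keys (fingerprint -> name) over valid records.
    Returns (names along the path, target fingerprint) or None if no good path exists."""
    known, parent, queue = dict(trusted), {fp: None for fp in trusted}, deque(trusted)
    while queue:
        fp = queue.popleft()
        if known[fp] == target:
            path, cur = [], fp
            while cur is not None:
                path.append(known[cur])
                cur = parent[cur]
            return path[::-1], fp
        for rec in records:
            if rec["subject_fp"] in known or not record_is_valid(rec, fp):
                continue
            known[rec["subject_fp"]] = rec["subject"]
            parent[rec["subject_fp"]] = fp
            queue.append(rec["subject_fp"])
    return None

def demo() -> dict:
    """Constructed web: Iron Man verified Thor with the question protocol; Thor verified
    Hulk. Loki publishes a record under his own, unverified key that claims the name
    "Hulk" for a key he controls, plus a tampered copy of Thor's record with that key
    swapped in. Only the genuine chain should be accepted."""
    thor, hulk, loki, fake_hulk = (Identity(n) for n in ("Thor", "Hulk", "Loki", "Hulk"))
    genuine = publish(thor, "Hulk", hulk.fingerprint)
    tampered = dict(genuine, subject_fp=fake_hulk.fingerprint)
    records = [tampered, publish(loki, "Hulk", fake_hulk.fingerprint), genuine]
    trusted = {thor.fingerprint: "Thor"}             # what Iron Man verified himself
    found = find_path(trusted, records, "Hulk")
    return {"path": found[0] if found else None,
            "fp": found[1] if found else None,
            "real_hulk": hulk.fingerprint,
            "without_thor": find_path({}, records, "Hulk")}
```

`demo()` returns the path `["Thor", "Hulk"]` ending at the real Hulk's fingerprint; the tampered record fails the signature check because the signed message binds the fingerprint, and Loki's record is never consulted because his key is not on any trusted path. With no directly verified neighbours the search returns `None`, which is the point of the conclusion's 80% figure: a multi-hop identification is only as good as the one-hop verifications it chains together.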
SLIDE 22

Identifying Close Friends on the Internet

Randy Baden, Bobby Bhattacharjee, Neil Spring (from HotNets09)

SLIDE 23

Persona

  • Distributed and decentralized OSN
  • Users choose where to store their data
  • Users store data encrypted with ABE
    – Key distribution mechanisms to use ABE, public key crypto, and symmetric key crypto in ways that support OSN communication patterns
    – Built on the assumption that there is a social PKI
  • Users need not trust third parties with data
  • Can still provide content-agnostic applications, which includes most core OSN applications