DNS-SD Privacy and Security Requirements

In this section we analyse how the attackers described in the previous section might threaten the privacy of entities operating devices engaging in service discovery. We focus on attacks leveraging data transmitted in service discovery protocol messages.

In this section, we review common service discovery scenarios and discuss privacy threats and their privacy requirements. In all three of these common scenarios the attacker is of the type passive on-link.

Perhaps the simplest private discovery scenario involves a single client connecting to a public server through a public network. A common example would be a traveler using a publicly available printer in a business center, in an hotel, or at an airport.

( Taking notes: ( David is printing ( a document ~~~~~~~~~~~ o ___ o ___ / \ _|___|_ | | client server |* *| \_/ __ \_/ | / / Discovery +----------+ | /|\ /_/ <-----------> | +----+ | /|\ / | \__/ +--| |--+ / | \ / | |____/ / | \ / | / | \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ David adversary In that scenario, the server is public and wants to be discovered, but the client is private. The adversary will be listening to the network traffic, trying to identify the visitors' devices and their activity. Identifying devices leads to identifying people, either just for tracking people or as a preliminary to targeted attacks. The requirement in that scenario is that the discovery activity should not disclose the identity of the client.

The second private discovery scenario involves a private client connecting to a private server. A common example would be two people engaging in a collaborative application in a public place, such as for example an airport's lounge.

( Taking notes: ( David is meeting ( with Stuart ~~~~~~~~~~~ o ___ ___ o ___ / \ / \ _|___|_ | | server client | | |* *| \_/ __ __ \_/ \_/ | / / Discovery \ \ | | /|\ /_/ <-----------> \_\ /|\ /|\ / | \__/ \__/ | \ / | \ / | | \ / | \ / | | \ / | \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ David Stuart Adversary In that scenario, the collaborative application on one of the devices will act as a server, and the application on the other device will act as a client. The server wants to be discovered by the client, but has no desire to be discovered by anyone else. The adversary will be listening to network traffic, attempting to discover the identity of devices as in the first scenario, and also attempting to discover the patterns of traffic, as these patterns reveal the business and social interactions between the owners of the devices. The requirement in that scenario is that the discovery activity should not disclose the identity of either the client or the server.

The third private discovery scenario involves wearable devices. A typical example would be the watch on someone's wrist connecting to the phone in their pocket.

( Taking notes: ( David' is here. His watch is ( talking to his phone ~~~~~~~~~~~ o ___ o ___ / \ _|___|_ | | client |* *| \_/ \_/ | _/ | /|\ // /|\ / | \__/ ^ / | \ / |__ | Discovery / | \ / |\ \ v / | \ / \\_\ / \ / \ server / \ / \ / \ / \ / \ / \ / \ David Adversary This third scenario is in many ways similar to the second scenario. It involves two devices, one acting as server and the other acting as client, and it leads to the same requirement of the discovery traffic not disclosing the identity of either the client or the server. The main difference is that the devices are managed by a single owner, which can lead to different methods for establishing secure relations between the devices. There is also an added emphasis on hiding the type of devices that the person wears. In addition to tracking the identity of the owner of the devices, the adversary is interested in the characteristics of the devices, such as type, brand, and model. Identifying the type of device can lead to further attacks, from theft to device specific hacking. The combination of devices worn by the same person will also provide a "fingerprint" of the person, allowing identification.

While the discovery process illustrated in the scenarios in most likely would be based on as a means for making service information available, this document considers all kinds of means for making DNS-SD resource records available. These means comprise but are not limited to mDNS , DNS servers ( , ), e.g. using SRP , and multi-link networks. The discovery scenarios in illustrate three separate abstract privacy requirements that vary based on the use case. These are not limited to mDNS. Client identity privacy: Client identities are not leaked during service discovery or use. Multi-entity, mutual client and server identity privacy: Neither client nor server identities are leaked during service discovery or use. Single-entity, mutual client and server identity privacy: Identities of clients and servers owned and managed by the same legal person are not leaked during service discovery or use. In this section, we describe aspects of DNS-SD that make these requirements difficult to achieve in practice. Client identity privacy, if not addressed properly, can be thwarted by a passive attacker (see ). The type of passive attacker necessary depends on the means of making service information available. Information conveyed via multicast messages can be obtained by an on-link attacker, while unicast messages are only available to MITM attackers. Using multi-link service discovery solutions , external attackers have to be taken into consideration as well, e.g., when relaying multicast messages to other links. Server identity privacy can be thwarted by a passive attacker in the same way as client identity privacy. Additionally, active attackers querying for information have to be taken into consideration as well. This is mainly relevant for unicast based discovery, where listening to discovery traffic requires a MITM attacker; however, an external active attacker might be able to learn the server identity by just querying for service information, e.g. via DNS.

DNS-Based Service Discovery (DNS-SD) is defined in . It allows nodes to publish the availability of an instance of a service by inserting specific records in the DNS (, , ) or by publishing these records locally using multicast DNS (mDNS) . Available services are described using three types of records: Associates a service type in the domain with an "instance" name of this service type. Provides the node name, port number, priority and weight associated with the service instance, in conformance with . Provides a set of attribute-value pairs describing specific properties of the service instance.

In the first phase of discovery, clients obtain all PTR records associated with a service type in a given naming domain. Each PTR record contains a Service Instance Name defined in Section 4 of :

Service Instance Name = <Instance> . <Service> . <Domain> The <Instance> portion of the Service Instance Name is meant to convey enough information for users of discovery clients to easily select the desired service instance. Nodes that use DNS-SD over mDNS in a mobile environment will rely on the specificity of the instance name to identify the desired service instance. In our example of users wanting to upload pictures to a laptop in an Internet Cafe, the list of available service instances may look like:

Alice's Images . _imageStore._tcp . local Alice's Mobile Phone . _presence._tcp . local Alice's Notebook . _presence._tcp . local Bob's Notebook . _presence._tcp . local Carol's Notebook . _presence._tcp . local Alice will see the list on her phone and understand intuitively that she should pick the first item. The discovery will "just work". (Note that our examples of service names conform to the specification in section 4.1 of , but may require some character escaping when entered in conventional DNS software.) However, DNS-SD/mDNS will reveal to anybody that Alice is currently visiting the Internet Cafe. It further discloses the fact that she uses two devices, shares an image store, and uses a chat application supporting the _presence protocol on both of her devices. She might currently chat with Bob or Carol, as they are also using a _presence supporting chat application. This information is not just available to devices actively browsing for and offering services, but to anybody passively listening to the network traffic, i.e. a passive on-link attacker.

The SRV records contain the DNS name of the node publishing the service. Typical implementations construct this DNS name by concatenating the "host name" of the node with the name of the local domain. The privacy implications of this practice are reviewed in . Depending on naming practices, the host name is either a strong identifier of the device, or at a minimum a partial identifier. It enables tracking of both the device, and, by extension, the device's owner.

The TXT record's attribute-value pairs contain information on the characteristics of the corresponding service instance. This in turn reveals information about the devices that publish services. The amount of information varies widely with the particular service and its implementation: Some attributes like the paper size available in a printer, are the same on many devices, and thus only provide limited information to a tracker. Attributes that have freeform values, such as the name of a directory, may reveal much more information. Combinations of attributes have more information power than specific attributes, and can potentially be used for "fingerprinting" a specific device. Information contained in TXT records does not only breach privacy by making devices trackable, but might directly contain private information about the user. For instance the _presence service reveals the "chat status" to everyone in the same network. Users might not be aware of that. Further, TXT records often contain version information about services allowing potential attackers to identify devices running exploit-prone versions of a certain service.

The combination of information published in DNS-SD has the potential to provide a "fingerprint" of a specific device. Such information includes: List of services published by the device, which can be retrieved because the SRV records will point to the same host name. Specific attributes describing these services. Port numbers used by the services. Priority and weight attributes in the SRV records. This combination of services and attributes will often be sufficient to identify the version of the software running on a device. If a device publishes many services with rich sets of attributes, the combination may be sufficient to identify the specific device. A sometimes heard argument is that devices providing services can be identified by observing the local traffic, and that trying to hide the presence of the service is futile. However, Providing privacy at the discovery layer is of the essence for enabling automatically configured privacy-preserving network applications. Application layer protocols are not forced to leverage the offered privacy, but if device tracking is not prevented at the deeper layers, including the service discovery layer, obfuscating a certain service's protocol at the application layer is futile. Further, in the case of mDNS based discovery, even if the application layer does not protect privacy, typically services are provided via unicast which requires a MITM attacker, while identifying services based on multicast discovery messages just requires an on-link attacker. The same argument can be extended to say that the pattern of services offered by a device allows for fingerprinting the device. This may or may not be true, since we can expect that services will be designed or updated to avoid leaking fingerprints. In any case, the design of the discovery service should avoid making a bad situation worse, and should as much as possible avoid providing new fingerprinting information.

The consumers of services engage in discovery, and in doing so reveal some information such as the list of services they are interested in and the domains in which they are looking for the services. When the clients select specific instances of services, they reveal their preference for these instances. This can be benign if the service type is very common, but it could be more problematic for sensitive services, such as for example some private messaging services. One way to protect clients would be to somehow encrypt the requested service types. Of course, just as we noted in , traffic analysis can often reveal the service.

For each of the operations described above, we must also consider security threats we are concerned about.

Can we trust the information we receive? Has it been modified in flight by an adversary? Do we trust the source of the information? Is the source of information fresh, i.e., not replayed? Freshness may or may not be required depending on whether the discovery process is meant to be online. In some cases, publishing discovery information to a shared directory or registry, rather than to each online recipient through a broadcast channel, may suffice.

Confidentiality is about restricting information access to only authorized individuals. Ideally this should only be the appropriate trusted parties, though it can be challenging to define who are "the appropriate trusted parties." In some uses cases, this may mean that only mutually authenticated and trusting clients and servers can read messages sent for one another. The "Discover" operation in particular is often used to discover new entities that the device did not previously know about. It may be tricky to work out how a device can have an established trust relationship with a new entity it has never previously communicated with.

It can be tempting to use (publicly computable) hash functions to obscure sensitive identifiers. This transforms a sensitive unique identifier such as an email address into a "scrambled" but still unique identifier. Unfortunately simple solutions may be vulnerable to offline dictionary attacks.

In any protocol where the receiver of messages has to perform cryptographic operations on those messages, there is a risk of a brute-force flooding attack causing the receiver to expend excessive amounts of CPU time and, where appliciable, battery power just processing and discarding those messages. Also, amplification attacks have to be taken into consideration. Messages with larger payloads should only be sent as an answer to a query sent by a verified client.

Sender impersonation is an attack wherein messages such as service offers are forged by entities who do not possess the corresponding secret key material. These attacks may be used to learn the identity of a communicating party, actively or passively.

Deniability of sender activity, e.g., of broadcasting a discovery request, may be desirable or necessary in some use cases. This property ensures that eavesdroppers cannot prove senders issued a specific message destined for one or more peers.

Many modern devices, especially battery-powered devices, use power management techniques to conserve energy. One such technique is for a device to transfer information about itself to a proxy, which will act on behalf of the device for some functions, while the device itself goes to sleep to reduce power consumption. When the proxy determines that some action is required which only the device itself can perform, the proxy may have some way to wake the device, as implied in RFC6762 In many cases, the device may not trust the network proxy sufficiently to share all its confidential key material with the proxy. This poses challenges for combining private discovery that relies on per-query cryptographic operations, with energy-saving techniques that rely on having (somewhat untrusted) network proxies answer queries on behalf of sleeping devices.

Creating a discovery protocol that has the desired security properties may result in a design that is not efficient. To perform the necessary operations the protocol may need to send and receive a large number of network packets. This may consume an unreasonable amount of network capacity, particularly problematic when it is a shared wireless spectrum. Further it may cause an unnecessary level of power consumption which is particularly problematic on battery devices, and may result in the discovery process being slow. It is a difficult challenge to design a discovery protocol that has the property of obscuring the details of what it is doing from unauthorized observers, while also managing to do that efficiently.

One of the challenges implicit in the preceding discussions is that whenever we discuss "trusted entities" versus "untrusted entities", there needs to be some way that trust is initially established, to convert an "untrusted entity" into a "trusted entity". The purpose of this document is not to define the specific way in which trust can be established. Protocol designers may rely on a number of existing technologies, including PKI, Trust On First Use (TOFU), or using a short passphrase or PIN with cryptographic algorithms such as Secure Remote Password (SRP) or a Password Authenticated Key Exchange like J-PAKE using a Schnorr Non-interactive Zero-Knowledge Proof. Protocol designers should consider a specific usability pitfall when trust is established immediately prior to performing discovery. Users will have a tendency to "click OK" in order to achieve their task. This implicit vulnerability is avoided if the trust establishment requires active participation of the user, such as entering a password or PIN.

Trust establishment may depend on external, and optionally online, parties. Systems which have such a dependency may be attacked by interfering with communication to external dependencies. Where possible, such dependencies should be minimized. Local trust models are best for secure initialization in the presence of active attackers.