Dr Vinod Sarjerao Khandkar

The smartphone connectivity options, such as Bluetooth, generate the root of trust upon first connection or pairing. The subsequent connections use the initial root-of-trust without validation. These Trust-On-First-Usage or TOFU models are vulnerable to Man-in-the-Middle (MiTM) or impersonation attacks after pairing. Moreover, root-of-trust based on certificates or QR code-like mechanisms needs a third-party server, which may not be accessible for justifiable reasons. We propose an endpoint validation method that decouples the successive authentications from pairing by shifting the root of trust to a locally agreed shared secret between devices, e.g., via a sensor-based method. The legacy pairing provides the device discovery. Our method uses this shared secret as a Pre-Shared Key (PSK) to perform a Transport Layer Security (TLS) handshake in PSK-Only mode between intended devices. The TLS-PSK adds a minimal overhead (1 RTT) while delivering the superior benefits of the TLS protocol. We demonstrated the method on an Android smartphone over a Bluetooth connection.

The Internet is a common platform for sharing information. It is required to preserve every user’s privacy and security of information on the Internet. While data security is primarily taken care of by the TLS protocol and broader adaptation of HTTPS, FTPS, and SMPTS protocol, some fields of TLS expose the type of activity a user is performing, thus violating user privacy. One such protocol information is Server Name Indication (SNI) in the TLS ClinetHello message that goes in plaintext. Anyone intercepting the message thus identifies the service host type. We present a method named Extended TLS (ETLS) to mask the server host identity by encrypting the SNI without requiring any change in the existing protocols. In ETLS, a connection is established over two handshakes - thefirst handshake establishes a secure channel without sharing SNI information, and the second handshake shares the encrypted SNI. ETLS requires no modification in the already proven TLS encryption mechanism and retains all security benefits of the existing secure channel establishment. We demonstrate the feasibility of ETLS over live Internet with scripts that implement our methodology. Using a customized client-server and a commercial traffic shaper, we also demonstrated that the host identity is not exposed under ETLS, thus demonstrating itsprivacy-preserving property.

The Internet provides a platform for various commercial activities, and it is essential to ensure that it remains a level playing field for all the players. Several countries have enacted laws such that the Internet remains neutral by prohibiting preferential treatment of traffic of one application or content over the other. However, to enforce such regulations, one needs to detect any violations. In this work, we demonstrate a method to identify non-neutral behavior by comparing the quality of service received by different applications 'when they experience similar transmission as well as network conditions.'

The debate on "Net-neutrality" and events pointing towards its possible violations have led to the development of tools to detect deliberate traffic discrimination on the Internet. Given the complex nature of the Internet, neutrality violations are not easy to detect, and tools developed so far suffer from various limitations. In this paper, we study many challenges in developing a tool for detecting such violations. We take the validation as an application of our study of challenges in TD detection systems. As a case study, we focus on the Wehe tool and demonstrate the categorized analysis or validation of traffic differentiation detection tools. The Wehe tool is one of the most recent tools to detect neutrality violations. Despite the Wehe tool's vast utility and possible influences over policy decisions, its mechanisms are not yet fully validated by researchers other than original tool developers. Our validation uses the Wehe App, a clientserver setup mimicking the Wehe tool's end-to-end behavior and theoretical arguments. We validated the Wehe app for its methodology, traffic discrimination detection, and operational environments.

The disclosure of domestic abuse or help needed is challenging for victims due to factors such as intimidation and fear of being caught. Domestic abuse is especially pernicious as the abuser can be a powerful adversary who may have complete control over all technological means of communication within the premises. We have developed a novel sensor-based method to unobtrusively create a shared secret between the victim and the supportive friend without exchanging data over the network. The generated secret shows entropy similar to some methods used in OpenSSL.