Authenticated Out-of-Band Communication Over Social Links Anirudh Ramachandran and Nick Feamster School of Computer Science, Georgia Tech {avr,feamster}@cc.gatech.edu ABSTRACT networks do not allow automated registrations, and creat- Many existing host-based applications rely on their own au- ing new social links (e.g., adding another user to your list of thentication mechanisms and peer discovery services. Al- acquaintances) requires authorization from the other party. though social networking sites already provide mechanisms Many newer social networking sites such as Facebook [10] for users both to discover other users (e.g., by logging on to have even stricter requirements for joining a social circle the social network Web site) and to communicate securely (e.g., to be part of the Georgia Tech group, the user must with each other (e.g., using instant messages within the so- possess a gatech.edu email address). cial networking site), today’s applications have no way to Despite the rise in popularity of social networks and the exploit the relationships and trust that are inherent in these inherent information they contain about trust between their networks. This paper proposes Authenticatr, a framework users, these networks remain balkanized and largely sepa- that allows applications to use the authentication and peer rate from many applications that could benefit from richer discovery mechanisms inherent in social networking sites to social context. For example, consider a user who wishes bootstrap their own authenticated communication channels. to share files with a set of trusted friends who are mem- We describe motivating applications, detail the interface bers of the user’s network at a secure social networking site that Authenticatr exposes to applications, and discuss prac- (e.g., Facebook). The filesharing application, however, is tical considerations and security threats. unaware of this relationship, and must treat all friends as untrusted users on the Internet; thus, the user must either manually set up and distribute passwords to all friends, or Categories and Subject Descriptors settle for an unsecured service. The filesharing application C.2.0 [Computer Communication Networks]: Security would benefit from the ability to utilize the secure social link and protection; C.2.4 [Computer Communication Net- to “bootstrap” its own authentication service. Many web- works]: Distributed Applications based applications can also benefit from a common social context: users today must create isolated social networks for each Web-based application (e.g., a user who has ac- General Terms counts on a bookmark sharing application and a Web-based Design, Security, Flexibility feed reader cannot unify his friends on both applications); if Web applications could tap into a common “social substrate” to find friend relationships, collaboration and sharing could Keywords 1 be made seamless . social networks, authentication, security This paper presents Authenticatr, a system that uses so- cial links between users—which already exist within the con- 1. INTRODUCTION texts of various social networking Web sites—as a substrate for establishing authenticated out-of-band communication Social networking is experiencing explosive growth, both between applications that these users run (i.e., for appli- in terms of communities targeted by these networks and cations unrelated to the social network). Much like Web overall user participation in each of these networks [1, 2]. services that allow users to authenticate themselves using Online communities such as Usenet and IRC have existed credentials from other social networking sites [3] or univer- for decades, but the recent wave of social networking Web sal login mechanisms such OpenID [12], Authenticatr pro- sites are notable for requiring stricter authentication proce- vides applications a generalized view of authentication in- dures for registering and creating social connections: Most terfaces; applications, therefore, can treat all social network instances in the same way. Authenticatr also enables these applications to communicate using the social network’s se- cure messaging capabilities, which applications can use to Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to 1 republish, to post on servers or to redistribute to lists, requires prior specific Google’s Social Graph project [7] addresses a similar goal, permission and/or a fee. using social annotations in hyperlinks as the underlying so- WOSN’08, August 18, 2008, Seattle, Washington, USA. cial network. This service, however, uses publicly available Copyright 2008 ACM 978-1-60558-182-8/08/08 ...$5.00. information and cannot be used for secure communication. 61 perform challenge-response or establish cryptographic keys network and a friend (or group of friends) to share files with; before initiating direct communication2. Authenticatr will exchange session keys with peer programs, This paper makes the following contributions. First, we establish ports, verify logins, etc. using the social network. present the design of Authenticatr, a framework that lever- Backup routing and censorship avoidance. Routing ages the relationships inherent in today’s social networks failures often cause some parts of the Internet to become dis- to build authenticated out-of-band communication channels connected; BGP convergence delays cause these disruptions for other networked applications. Second, we describe the to affect availability. Censorship poses reachability problems Authenticatr API, which applications can use to build such of a different sort: Users may be denied access to certain authenticated channels. Finally, we describe how develop- Web sites on the Internet. Authenticatr allows these users ers can use this API to build applications for performing to locate a friend’s host (using the social network) and route a variety of tasks ranging from file-sharing to network trou- through it to avoid the failure or the censor (previous work bleshooting. We also outline various practical considerations has proposed a similar mechanism that applies only to cen- for Authenticatr and discuss an agenda for future research. sorship [9]). Routing through a trusted friend’s computer The rest of the paper is organized as follows. Section 2 de- would also be preferable to using an anonymous proxy of scribes motivating applications for Authenticatr. Section 3 unknown provenance. presents Authenticatr’s design and API, and Section 4 ex- plains how applications can use Authenticatr to construct Collaborative measurement and troubleshooting. authenticated channels. Section 5 describes various practi- Collecting measurements from end-users is cumbersome be- cal considerations and potential security threats. Section 6 cause most users are unwilling (or unable) to operate mea- outlines related work, and Section 7 concludes with a sum- surement software; moreover, there is no way a researcher mary and research agenda. can signal a set of end-user machines to begin measurement (due to DHCP reallocation, machines being turned off, etc.). Such applications can also benefit from Authenticatr: when- 2. MOTIVATING APPLICATIONS ever a researcher requires a measurement, she can issue a re- Authenticatr provides an authenticated out-of-band com- quest to all end-user measurement applications (authorized munication channel for many other applications, including through a social channel, such as all subscribers of a cer- overlay routing, troubleshooting, root-cause analysis for net- tain Facebook application) to conduct a measurement (e.g., worked applications, censorship avoidance, and authentica- “traceroute to slashdot.org”). tion for content sharing (e.g., blogs, photo albums, posted news items). Current authentication and access control for 3. DESIGN these types of applications are either application-specific or too complex for typical users to establish and configure. This section presents the design of Authenticatr. We out- In contrast, social links are easy for users to establish and line design goals, present Authenticatr’s design and API, and verify. Social links also embody exactly the type of authen- describe how multiple processes can communicate using the tication that is required by many applications: To share same social authentication channel. We are in the process a set of photos, a news posting, or some other content only of implementing Authenticatr. with friends, a user can specify access control in terms of ex- 3.1 Design Goals isting relationships on social networks (e.g., “my friends on Facebook”). Authenticatr extends the same authentication Authenticatr attempts to satisfy the following goals: mechanisms to host-based applications, allowing the user to, • Simplicity. The Application Programming Interface for example, configure her computer to “Allow my friends on (API) that Authenticatr presents is similar to the Facebook to route traffic through me”. In this section, we Berkeley sockets API, both in terms of the functions Au- detail a few example applications that can benefit from and the data types handled by the API. Simple API thenticatr ’s authentication mechanisms. calls are easier to compose and build upon. As a result, Secure email. Although strong end-to-end encryption the primitives provided by Authenticatr are