View
215
Download
0
Category
Tags:
Preview:
Citation preview
Jamming-resistant Key Establishment using Uncoordinated
Frequency Hopping
Summer Research Institute - EPFL
Mario Čagalj
mario.cagalj@fesb.hr
University of Split, Croatia
25/6/2009
Summer Research Institute - EPFL
Mario Čagalj
mario.cagalj@fesb.hr
University of Split, Croatia
25/6/2009
Uncoordinated Frequency Hopping: Channel Availability Out of Thin Air
3
Motivation: radio channel availability
• Radio-jamming is ever-present threat to radio channels• This is an attack on the availability of signals
– Denial-of-Service (DoS) attack
• Traditional anti-jamming techniques rely on pre-shared secret codes (keys) to increase channel availability
RCVR
XMTR JMR
S (original signal) J (jamming signal)
4
• Spread-Spectrum Techniques– FHSS (Frequency Hopping
Spread Spectrum)
– DSSS (Direct-SequenceSpread Spectrum)
frequency
Hopping sequence (PRNG seed) must be known to the sender and receiver but not the jammer.
Spreading code (PRNG seed) must be knownto the sender and receiver but not the jammer.
frequency
energ
yenerg
y
PRNG PRNG
PRNG PRNG
Motivation: anti-jamming communication
5
Motivation: a new view of an old problem
• Anti-jamming/secret-establishment dependency graph
• How to establish the required secret code over the same channel when no secret is available in advance?– Authenticated public key-based protocols (e.g., Diffie-Hellman key
establishment) also affected
Secret spreading code (key) establishment in the presence of a jammer
Anti-jamming communication (FHSS or DSSS)
Shared secret code (key)(e.g., spreading code)
Dependency cycle
6
Motivation: breaking circular dependency
• Breaking anti-jamming circular dependency graph– Uncoordinated Frequency Hopping (UFH)
Secret spreading code (key) establishment in the presence of a jammer
Anti-jamming communication based on UFH
Shared secret code (key)(e.g., spreading code)
Dependency cycle
7
General information
• This talk is based on the joint work with Strasser, Pöpper and Čapkun of ETHZ– “Jamming-resistant Key Establishment using Uncoordinated Frequency
Hopping”, IEEE Symposium on Security and Privacy, Oakland ‘08
• This idea of uncoordinated hopping rooted in– “Wormhole-Based Antijamming Techniques in Sensor Networks”, Cagalj,
Capkun and Hubaux, IEEE TMC ‘07
• Some extensions– “Efficient Uncoordinated FHSS Anti-jamming Communication”, Strasser et al,
MobiHoc ‘09
– “A Coding-Theoretic Approach for Efficient Message Verification Over Insecure Channels”, Slater et al, WiSec ‘09
– “Jamming-resistant Broadcast Communication Without Shared Keys”, Popper et al, USENIX Security ‘09 (uncoordinated DSSS)
• We will mainly focus on the original Oakland paper
8
Agenda
• First part– Overview of UFH
– UFH Message Transfer Protocol
– Application to jamming resistant key establishment
• Second part– Detailed performance analysis
– Conclusion
9
Uncoordinated Frequency Hopping (UFH)
• Key idea: abolish the need of a pre-shared secret by using UFH– The sender hops randomly in a set of c channels (= frequencies)– The receiver hops randomly with a longer dwell time per slot– Once in a while the receiver listens on a channel where the sender
is broadcasting and a packet gets through– Equivalent to FH in jamming protection (but not in throughput)
11
11 28365
512 2 3 23 65 8 32 14 19
1
52 41 587 8 62
t
t
S R
S:
R:
hits/s 5 /cf average on
RSS
S
ff 1500Hz,f 300, c
10
UFH: solution overview
• We want to establish a shared key (secret) using UFH– E.g., use the authenticated elliptic curve (ECC) Diffie-Hellman
protocol
• For effective protection against jamming (for FH or UFH), the time slots of the sender must be short (~100 bits)– Problem: Typical messages do not fit into such slots!
Uncoordinated FrequencyHopping (UFH)
Application Protocol
5
512 2 3 23 65 8 32 14 7
1 53
e.g. auth. DH
M := mS , sig(mS) …
S:
R:
S R
11
UFH: message fragmentation (sender)
• Message fragmentation in the absence of an attacker
Uncoordinated FrequencyHopping (UFH)
Fragmentation
M1 M2 MlM3
Application Protocole.g. auth. DH
M := mS , sig(mS) …
S R
M := mS , sig(mS) …
5
512 2 3 23 65 8 32 14 7
1 53
S:
R:
12
Attacker model
• Attacker’s strategy space defined by the following actions:
– Jam existing messages by transmittingsignals that cause the original signal tobecome unreadable by the receiver.
– Insert own messages that she generatedby using known (cryptographic) functionsand keys as well as by reusing (parts of)previously overheard messages.
– Modify existing messages by e.g.,flipping single message bits or by entirelyovershadowing (i.e., replacing) originalmessages.
f1:
f2:
f3:
f1:
f2:
f3:
f1:
f2:
f3:
13
Attacker model (contd.)
• Attacker types: static, random, sweep, responsive…• Required signal strengths for different attacking strategies
– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have:
• Attacker’s strength: cs/ts, cj/tj, PT (s stands for “sensing”)
RS
J
Sig
nal st
rength
at
R
Pt
Pj
Pa
Po
t1 t2 t3
S’s signal J’s signal
Toojjtt P Pc Pc Pc
14
UFH: message fragmentation (sender)
• Assume following fragmentation with an active attacker
Uncoordinated FrequencyHopping (UFH)
Fragmentation
M1 M2 MlM3
Application Protocole.g. auth. DH
M := mS , sig(mS) …
S R
M := mS , sig(mS) …
5
512 2 3 23 65 8 32 14 7
1 53
S:
R:
15
Naive fragmentation is harmful
Sender:
Receiver:
Packet number
10
t
…
Attacker:
20 30 l0 11…21 31 l1 12
1
t
…2 3 l 1 …2 3 l 1
Different packets
t
…2 30 l0 11…2 31 l1 1
12
1
15
…
24
27
2
…
3
30
34
…
42
46
4
…
…
Receiver sorts unique packets (fragments):
16
Naive fragmentation leads to a simple DoS
• Assume N adversarial packets successfully arrive at the receiver
• Message M is divided into l fragments• Application-level signature verification at each candidate
message leads to the exponential workload at the receiver
12
1
15
…
24
27
2
…
3
30
34
…
42
46
4
…
…
1l
N
l
l
l
1N
~ average on
17
Solution to the message fragmentation
• Cryptographically link individual packets– By the system model we cannot rely on a shared key > integrity– Possible approach: hash linking
• End result: (N/l +1)*l hash verif. + (N/l+1) signature verif.
mi :=id || i || Mi || hi+1
hl := h(M1 ), hi := h(mi+1 )
M := mS , sig(mS) …
M1 M2 Ml
…
M3
M1 M2 Ml
m1 m2 ml
12
1
15…
24
27
2
…3
30
34…
42
46
4
…
…N/l+1
18
UFH message transfer protocol: sender
• Message Signing & Fragmentation
• Hash linking
• Packet coding/interleaving
• Repeated transmission using UFH
mi :=id || i || Mi || hi+1
hl := h(M1 ), hi := h(mi+1 )
M := mS , sig(mS) …
M1 M2 Ml
…
M3
M1 M2 Ml
m1 m2 ml
m2
m1
m2
m3
m4
m1
f1:
f2:
f3:
19
m1
m1 m3
m4
UFH message transfer protocol: receiver
• Receiving packets
• Bit deinterleaving/packet decoding
• Ordering and linkingpackets
• Message reassambly & signature verification
m2
m2
f1:
f2:
f3:
M1M1M1
M1M1M2
M1M1Ml…
…M1 M2 Ml
M := mS , sig(mS) …
M1 M2 MlM3
20
UFH security: overview
• UFH is resistant to packet jamming – Frequency hopping and packet repetitions in the sending process
• Modified packets are identified – Using cryptographic (e.g., hash) linking– Only linear workload on the receiver’s side
• Reassembled messages that fail the signature verification or have an expired timestamp are discarded
m2 m4
m3m3
m2
m1
m1
J
Rm1m4
Sm2 m3
m2
m1
m3
m1
m1 m2 m3 m4
m1 m2 m3
m3m1m2m1m4m2m3m2m1
f1:
f2:
f3:
21
Application of UFH to key establishment
Key establishment in the presence of a jammer
Anti-jamming comm. (e.g., FHSS)
Shared secret (key)(e.g., spreading code)
Dependency cycle
Anti-jamming comm. using UFH
Shared secret key(e.g., spreading code)
Dependency chain
Key establishment in the presence of a jammer
Key Establishment Protocol
Anti-jamming comm. based on UFH
Application Protocol
Anti-jamming comm. (e.g., FHSS or DSSS)
establishes required for
Sharedsecret key(spreading
code)
22
Example: ECC-based Diffie-Hellman
• Elliptic Curve Crypto. Station-to-Station DH protocol– P is the generator of a cyclic group G with prime order p
– rX is a random element selected by X from Zp
– TX and SigX(.) are a timestamp (for anti-replay protection) and the signature (to verify the sender and the reassembly) issued by X
PrPrSig
RS
P)r ,,PK (R,Sig P,r ,T ),PK(R,Sig ,PK R,SR
P)r ,,PK (S,Sig P,r ,T ),PK(S,Sig ,PK S,pURpUS
K
KRSS
RRRRSRCAR
SSSSSSCAS
P)(rrK
P)(rrK
ZrZr
RS
UH
F (with
out a
sh
are
d ke
y)
(Coordinated) Frequency Hopping (with shared key K)
23
2nd part: UFH performance analysis
• Basic scenario: communication without an attacker • Different types and strategies by an attacker• Performances relative to coordinated frequency hopping
24
Communication without an attacker (A0)
• Some assumptions– Hopping frequency of the receiver << the sender (we can neglect
losses due to the lack of synchronization)– Unintentional interference is neglected (e.g., the number of
neighbors << the number of channels (c))
– cn and cm are the number of channels on which the sender (the receiver) simultaneously sends (receives)
• Probability that a particular fragment is successfully received (one transmission)
mm0
cnn
1c
0i
Am c
c ,1
icc
min11p
11
c channelscm channels
cn channels
25
Communication without an attacker (A0)
• Message is complete after all l fragments successfully received– Let Y be the number of times that the sender has to retransmit in
order to transfer the message– Probability that a transfer incomplete after i (re)transmissions
lii
0A
mp-1-1-1]P[Y
Receiver:
1
t
…2 3 1…2 l
i
l l 31 2
i-1i-2 i+1
26
Communication without an attacker (A0)
• The expected number of packets (fragments) that have to transmitted in order to successfully transfer the message
0
0
0
0
1
i
i
i
i
li
ili
ilii
ili
]P[Y
i]P[Y-]P[Y
]P[Y-]P[Y
]P[YpN 0Am
lii
0A
mp-1-1-1]P[Y
27
Performances without an attacker (A0)
0 500 1000 15000
0.2
0.4
0.6
0.8
1
number of message transmissions (i)
Probability that a message is successfully received
cn=c
m=1
cn=2, c
m=5
c=100l=10
liii
0A
mp-1-1]P[Y-1]P[Y
28
Jamming performance of the attacker
• Required signal strengths for different attacking strategies– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have:
RS
J
Sig
nal st
rength
at
RPt
Pj
Pa
Po
t1 t2 t3
S’s signal J’s signal
Toojjtt P Pc Pc Pc
29
Jamming performance of the attacker (contd.)
• Each packet (fragment) m is “error” encoded– ρ in (0,1] is jamming resistance of a given packet
– rc in (0,1] is a code rate
– Data of length |m| is encoded into |m|/rc and more than ρ|m|/rc bits have to be erroneous for successful jamming
– For bitrate R, the packet transmission time tp = |m|R/rc
tp
tp=ρtp
encoded packet m
attacker senses
attacker jams
30
Jamming performance of the attacker (contd.)
• Attacker’s strength: #channels cb effectively blocked– Probability that an ongoing packet is successfully jammed pj=cb/c
– #channels (nj) that the attacker can jam during the transmission nj=tp/(ρtp + tj), where tj is the time to switch jamming channels
– #channels (ns) that the attacker can scan during the transmission ns=(tp-ρtp-tj)/ts, where ts is the time to switch scanning channels
– #channels (cs) on which the attacker can sense simultaneously
tp
encoded packet m
attacker senses
attacker jams
tp=ρtp tjts
cc
p ,cn cnc bjssjjb For responsive-sweep jammers:
31
Jamming probab. for different attacker types
32
Attacking strategies
• Attacker’s strategy space defined by the following actions:
– Jam existing messages by transmittingsignals that cause the original signal tobecome unreadable by the receiver.
– Insert own messages that she generatedby using known (cryptographic) functionsand keys as well as by reusing (parts of)previously overheard messages.
– Modify existing messages by e.g.,flipping single message bits or by entirelyovershadowing (i.e., replacing) originalmessages.
f1:
f2:
f3:
f1:
f2:
f3:
f1:
f2:
f3:
33
Communication in the presence of attacker
• Probability that a particular fragment is successfully received (one transmission)
– No attacker case (A0)
– Jamming (AJ)
– Message insertion (AI)
– Message modification (overshadowing) (AM)
,1ic
cmin11p n
1c
0i
Am
m0
p,1ic
cmin11p j
n1c
0i
Am
mJ
1
c
c,1
icc
min11p jn1c
0i
Am
mI
1
p,1ic
cmin11p o
n1c
0i
Am
mM
1
34
Optimal attacking strategy
• Theorem: For all attacker types (static, random, sweep, responsive), the optimal attacker’s strategy, which minimizes the throughput of the UFH message transfer, is jamming (AJ).
35
UFH performances with an attacker (AJ)
36
UFH performances with an attacker (AJ)
37
UFH performances with an attacker (AJ)
38
UFH resource requirements
• Storage at the receiver– If there is no more space for new packets, delete the oldest ones
– NJ is the expected maximal time period between the first and the last packet (fragment) of a given message
– During this period, the attacker can insert additional less than
packets
• Example:– Fragment length |mi|=40 bytes, l=10 fragments, c=200 channels,
cm=cn=1, ct=50 (channels for insertion) and pj=0.8
– Results in NJ ≈30 000 packets transmitted by the sender
– Finally, this results in about 7 500 packets at the receiver, that is, a required storage capacity of about 290 kbytes
– This also results in about 160 signature verifications at the receiver
mJt1c
0iJ cN,1ic
cminN m
39
Comparison of UFH and coordinated hopping
• Relative throughput for UFH-enabled ECC-based Station-to-Station Diffie-Hellman protocol and a Bluetooth-like FH scheme– |Sig(.)|=|PK|=512 bits, |h(.)|=112, timestamps and identities 64 bits– In total: |M|=2176 bits = 272 bytes– Packet mi consists of message id (34 bits), frame id (6 bits), the
payload Mi (168 bits), and the hash value hi+1 (112 bits)
– Reed-Solomon error-correcting code (8 bits into 15 bits) with a jamming ratio of 20% (ρ=0.2)
– Encoded packet 320*15/8=600 bits– Data rate 1 Mbit/s, 1600 hop/s: |slot|=1Mbit/s*(1/1600)=625 bits– The number of channels c=200– l=2176/168≈13 for UFH and l*=2176/(168+112)≈8 for FH– 100 000 simulated key establishements
|mi|:=|id || i || Mi || hi+1|=320 bits
40
Duration of key establishment using UFH
1 MBit/s, 1600 hops/s, c = 200256-bit prime field for EC|M| = 2176 bits, l = 13
41
Comparison of UFH and coordinated hopping
42
Concluding words
• We introduced the key-establishment anti-jamming circular dependency
• Proposed first (and efficient) anti-jamming communication scheme that does not rely on shared secrets (Uncoordinated Frequency Hopping)– UFH has the same jamming resistance as standard FH
• Presented an elaborate attacker model and derived optimal attacking strategies (responsive-sweep jamming)
• Security implications– Authentication implies availability (privacy not required)
Thank you for your attention!
43
Some interesting directions
• Optimal number of channels c for cm=cn=1
• Other fragment-linking methods– Short signatures– One-way accumulators– Merkle trees– Application of packet-level erasure codes (optimal)
• Applications to DSSS• Applications to anti-jamming broadcast communication
(e.g., a navigation signals)
bmb
m 2cc 0c
p ,
cc
1c1
p
Recommended