430 likes | 598 Views
Summer Research Institute - EPFL. Mario Č agalj mario.cagalj@fesb.hr University of Split , Croatia 2 5 /6/2009. Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping. Summer Research Institute - EPFL. Mario Č agalj mario.cagalj@fesb.hr
E N D
Summer Research Institute - EPFL MarioČagalj mario.cagalj@fesb.hr University of Split, Croatia 25/6/2009 Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping
Summer Research Institute - EPFL MarioČagalj mario.cagalj@fesb.hr University of Split, Croatia 25/6/2009 Uncoordinated Frequency Hopping: Channel Availability Out of Thin Air
Motivation: radio channel availability XMTR RCVR JMR • Radio-jamming is ever-present threat to radio channels • This is an attack on the availability of signals • Denial-of-Service (DoS) attack • Traditional anti-jamming techniques rely on pre-shared secret codes (keys) to increase channel availability S (original signal) J (jamming signal)
Motivation: anti-jamming communication • Spread-Spectrum Techniques • FHSS (Frequency Hopping Spread Spectrum) • DSSS (Direct-SequenceSpread Spectrum) PRNG PRNG Hopping sequence (PRNG seed) must be knownto the sender and receiver but not the jammer. energy frequency PRNG PRNG Spreading code (PRNG seed) must be knownto the sender and receiver but not the jammer. energy frequency
Motivation: a new view of an old problem • Anti-jamming/secret-establishment dependency graph • How to establish the required secret code over the same channel when no secret is available in advance? • Authenticated public key-based protocols (e.g., Diffie-Hellman key establishment) also affected Secret spreading code (key) establishment in the presence of a jammer Dependency cycle Anti-jamming communication (FHSS or DSSS) Shared secret code (key)(e.g., spreading code)
Motivation: breaking circular dependency • Breaking anti-jamming circular dependency graph • Uncoordinated Frequency Hopping (UFH) Secret spreading code (key) establishment in the presence of a jammer Dependency cycle Anti-jamming communication based on UFH Shared secret code (key)(e.g., spreading code)
General information • This talk is based on the joint work with Strasser, Pöpper and Čapkun of ETHZ • “Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping”, IEEE Symposium on Security and Privacy, Oakland ‘08 • This idea of uncoordinated hopping rooted in • “Wormhole-Based Antijamming Techniques in Sensor Networks”, Cagalj, Capkun and Hubaux, IEEE TMC ‘07 • Some extensions • “Efficient Uncoordinated FHSS Anti-jamming Communication”, Strasser et al, MobiHoc ‘09 • “A Coding-Theoretic Approach for Efficient Message Verification Over Insecure Channels”, Slater et al, WiSec ‘09 • “Jamming-resistant Broadcast Communication Without Shared Keys”, Popper et al, USENIX Security ‘09 (uncoordinated DSSS) • We will mainly focus on the original Oakland paper
Agenda • First part • Overview of UFH • UFH Message Transfer Protocol • Application to jamming resistant key establishment • Second part • Detailed performance analysis • Conclusion
Uncoordinated Frequency Hopping (UFH) R S • Key idea: abolish the need of a pre-shared secret by using UFH • The sender hops randomly in a set of c channels (= frequencies) • The receiver hops randomly with a longer dwell time per slot • Once in a while the receiver listens on a channel where the sender is broadcasting and a packet gets through • Equivalent to FH in jamming protection (but not in throughput) S: 8 12 2 3 23 5 65 8 32 14 7 19 52 11 41 58 62 t 36 28 1 5 11 R: t
UFH: solution overview S R • We want to establish a shared key (secret) using UFH • E.g., use the authenticated elliptic curve (ECC) Diffie-Hellman protocol • For effective protection against jamming (for FH or UFH), the time slots of the sender must be short (~100 bits) • Problem: Typical messages do not fit into such slots! e.g. auth. DH Application Protocol M := mS , sig(mS) … 12 2 3 23 5 65 8 32 14 7 S: Uncoordinated FrequencyHopping (UFH) 1 5 53 R:
UFH: message fragmentation (sender) S R • Message fragmentation in the absence of an attacker e.g. auth. DH Application Protocol M := mS , sig(mS) … Fragmentation M := mS , sig(mS) … M1 M2 M3 Ml 12 2 3 23 5 65 8 32 14 7 S: Uncoordinated FrequencyHopping (UFH) 1 5 53 R:
Attacker model • Attacker’s strategy space defined by the following actions: • Jamexistingmessages by transmittingsignals that cause the original signal tobecome unreadable by the receiver. • Insertown messages that she generatedby using known (cryptographic) functionsand keys as well as by reusing (parts of)previously overheard messages. • Modifyexistingmessages by e.g.,flipping single message bits or by entirelyovershadowing (i.e., replacing) originalmessages. f1: f2: f3: f1: f2: f3: f1: f2: f3:
Attacker model (contd.) S’s signal J’s signal S Po R Pa Signal strength at R Pj J Pt t1 t2 t3 • Attacker types: static, random, sweep, responsive… • Required signal strengths for different attacking strategies • Signal successfully received if: Pt < Paand P(J’s signal)< Pj • PT: total signal strength that attacker can achieve at the receiver • Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have: • Attacker’s strength: cs/ts, cj/tj, PT(s stands for “sensing”)
UFH: message fragmentation (sender) S R • Assume following fragmentation with an active attacker e.g. auth. DH Application Protocol M := mS , sig(mS) … Fragmentation M := mS , sig(mS) … M1 M2 M3 Ml 12 2 3 23 5 65 8 32 14 7 S: Uncoordinated FrequencyHopping (UFH) 1 5 53 R:
Naive fragmentation is harmful Sender: Packet number … … 1 2 3 l 1 1 2 3 l t Attacker: … … 10 20 30 l0 11 12 21 31 l1 t Different packets Receiver: … … 2 30 l0 11 1 2 31 l1 t Receiver sorts unique packets (fragments): 12 24 3 42 … 1 27 30 46 15 2 34 4 … … … …
Naive fragmentation leads to a simple DoS • Assume N adversarial packets successfully arrive at the receiver • Message M is divided into l fragments • Application-level signature verification at each candidate message leads to the exponential workload at the receiver 12 24 3 42 … 1 27 30 46 15 2 34 4 … … … …
Solution to the message fragmentation M := mS , sig(mS) … M1 M2 M3 Ml M1 M2 Ml … m1 m2 ml 12 24 3 42 … 1 27 30 46 15 2 34 4 … … … … • Cryptographically link individual packets • By the system model we cannot rely on a shared key > integrity • Possible approach: hash linking • End result: (N/l +1)*l hash verif. + (N/l+1) signature verif. mi :=id || i || Mi|| hi+1 hl := h(M1 ), hi := h(mi+1 ) N/l+1
UFH message transfer protocol: sender M := mS , sig(mS) … M1 M2 M3 Ml M1 M2 Ml … m1 m3 f1: m2 m1 m1 m2 ml f2: m4 m2 f3: • Message Signing & Fragmentation • Hash linking • Packet coding/interleaving • Repeated transmission using UFH mi :=id || i || Mi|| hi+1 hl := h(M1 ), hi := h(mi+1 )
UFH message transfer protocol: receiver M1 M1 M1 M1 M1 M1 M1 M2 Ml M1 M2 Ml … • Receiving packets • Bit deinterleaving/packet decoding • Ordering and linkingpackets • Message reassambly & signature verification m1 m3 f1: m2 m1 f2: m4 m2 f3: … M1 M2 M3 Ml M := mS , sig(mS) …
UFH security: overview m1 m2 m3 m4 m1 m2 m3 • UFH is resistant to packet jamming • Frequency hopping and packet repetitions in the sending process • Modified packets are identified • Using cryptographic (e.g., hash) linking • Only linear workload on the receiver’s side • Reassembled messages that fail the signature verification or have an expired timestamp are discarded m3 m2 m2 m4 f1: S m3 m1 m2 m4 m1 m3 m1 m1 R m1 f2: m2 m1 m4 J m3 m1 m3 m2 m2 f3: m3 m2 m1
Application of UFH to key establishment Key establishment in the presence of a jammer Key establishment in the presence of a jammer Dependency chain Dependency cycle Anti-jamming comm. using UFH Shared secret key(e.g., spreading code) Anti-jamming comm. (e.g., FHSS) Shared secret (key)(e.g., spreading code) Application Protocol Key Establishment Protocol establishes required for Shared secret key (spreading code) Anti-jamming comm. (e.g., FHSS or DSSS) Anti-jamming comm. based on UFH
Example: ECC-based Diffie-Hellman • Elliptic Curve Crypto. Station-to-Station DH protocol • P is the generator of a cyclic group G with prime order p • rXis a random element selected by X fromZp • TXand SigX(.) are a timestamp (for anti-replay protection) and the signature (to verify the sender and the reassembly) issued by X UHF (without a shared key) (Coordinated) Frequency Hopping (with shared key K)
2nd part: UFH performance analysis • Basic scenario: communication without an attacker • Different types and strategies by an attacker • Performances relative to coordinated frequency hopping
Communication without an attacker (A0) • Some assumptions • Hopping frequency of the receiver << the sender (we can neglect losses due to the lack of synchronization) • Unintentional interference is neglected (e.g., the number of neighbors <<the number of channels (c)) • cn and cm are the number of channels on which the sender (the receiver) simultaneously sends (receives) • Probability that a particular fragment is successfully received (one transmission) cn channels cm channels c channels
Communication without an attacker (A0) • Message is complete after all l fragments successfully received • Let Y be the number of times that the sender has to retransmit in order to transfer the message • Probability that a transfer incomplete after i (re)transmissions Receiver: i-2 i-1 i i+1 … … l 1 l 2 3 1 2 3 l 1 2 t
Communication without an attacker (A0) • The expected number of packets (fragments) that have to transmitted in order to successfully transfer the message
Jamming performance of the attacker S’s signal J’s signal S Po R Pa Signal strength at R Pj J Pt t1 t2 t3 • Required signal strengths for different attacking strategies • Signal successfully received if: Pt < Paand P(J’s signal)< Pj • PT: total signal strength that attacker can achieve at the receiver • Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have:
Jamming performance of the attacker (contd.) • Each packet (fragment) m is “error” encoded • ρin (0,1]is jamming resistance of a given packet • rcin (0,1] is a code rate • Data of length |m| is encoded into |m|/rc and more than ρ|m|/rc bits have to be erroneous for successful jamming • For bitrate R, the packet transmission time tp = |m|R/rc tp encoded packet m attacker senses attacker jams tp=ρtp
Jamming performance of the attacker (contd.) • Attacker’s strength: #channels cb effectively blocked • Probability that an ongoing packet is successfully jammed pj=cb/c • #channels (nj) that the attacker can jam during the transmission nj=tp/(ρtp + tj), where tjis the time to switch jamming channels • #channels (ns) that the attacker can scan during the transmission ns=(tp-ρtp-tj)/ts, where tsis the time to switch scanning channels • #channels (cs) on which the attacker can sense simultaneously For responsive-sweep jammers: tp encoded packet m attacker senses attacker jams ts tj tp=ρtp
Attacking strategies • Attacker’s strategy space defined by the following actions: • Jamexistingmessages by transmittingsignals that cause the original signal tobecome unreadable by the receiver. • Insertown messages that she generatedby using known (cryptographic) functionsand keys as well as by reusing (parts of)previously overheard messages. • Modifyexistingmessages by e.g.,flipping single message bits or by entirelyovershadowing (i.e., replacing) originalmessages. f1: f2: f3: f1: f2: f3: f1: f2: f3:
Communication in the presence of attacker • Probability that a particular fragment is successfully received (one transmission) • No attacker case (A0) • Jamming (AJ) • Message insertion (AI) • Message modification (overshadowing) (AM)
Optimal attacking strategy • Theorem: For all attacker types (static, random, sweep, responsive), the optimal attacker’s strategy, which minimizes the throughput of the UFH message transfer, is jamming (AJ).
UFH resource requirements • Storage at the receiver • If there is no more space for new packets, delete the oldest ones • NJ is the expected maximal time period between the first and the last packet (fragment) of a given message • During this period, the attacker can insert additional less than packets • Example: • Fragment length |mi|=40 bytes, l=10 fragments, c=200 channels, cm=cn=1, ct=50 (channels for insertion) and pj=0.8 • Results in NJ ≈30 000 packets transmitted by the sender • Finally, this results in about 7 500 packets at the receiver, that is, a required storage capacity of about 290 kbytes • This also results in about 160 signature verifications at the receiver
Comparison of UFH and coordinated hopping • Relative throughput for UFH-enabled ECC-based Station-to-Station Diffie-Hellman protocol and a Bluetooth-like FH scheme • |Sig(.)|=|PK|=512 bits, |h(.)|=112, timestamps and identities 64 bits • In total: |M|=2176 bits = 272 bytes • Packet mi consists of message id (34 bits), frame id (6 bits), the payload Mi (168 bits), and the hash value hi+1 (112 bits) • Reed-Solomon error-correcting code (8 bits into 15 bits) with a jamming ratio of 20% (ρ=0.2) • Encoded packet 320*15/8=600 bits • Data rate 1 Mbit/s, 1600 hop/s: |slot|=1Mbit/s*(1/1600)=625 bits • The number of channels c=200 • l=2176/168≈13 for UFH and l*=2176/(168+112)≈8 for FH • 100 000 simulated key establishements |mi|:=|id || i || Mi|| hi+1|=320 bits
Duration of key establishment using UFH 1 MBit/s, 1600 hops/s, c = 200256-bit prime field for EC|M| = 2176 bits, l= 13
Concluding words • We introduced the key-establishment anti-jamming circular dependency • Proposed first (and efficient) anti-jamming communication scheme that does not rely on shared secrets (Uncoordinated Frequency Hopping) • UFH has the same jamming resistance as standard FH • Presented an elaborate attacker model and derived optimal attacking strategies (responsive-sweep jamming) • Security implications • Authentication implies availability (privacy not required) Thank you for your attention!
Some interesting directions • Optimal number of channels c for cm=cn=1 • Other fragment-linking methods • Short signatures • One-way accumulators • Merkle trees • Application of packet-level erasure codes (optimal) • Applications to DSSS • Applications to anti-jamming broadcast communication (e.g., a navigation signals)