csc/ece advanced network securitydiscovery.csc.ncsu.edu/courses/csc774-f11/slides/t06.2_anti... ·...

• 11/2/11

• 1

Computer Science

CSC/ECE Advanced Network Security

Topic 6.2 Recent Advances in Anti-jamming Wireless Communication

Dr. Peng Ning CSC/ECE 774 -- Adv. Net. Security 1

• Some slides were provided by Srdjan Capkun and Christina Pöpper.

Computer Science

Jamming : The prevention of radio communication by the use of radio signals (typically noise).

Jamming


• B

• J

• A

• ©D. Adamy, A First Course on Electronic Warfare

Computer Science

Jamming-resistant Communication

•  Jamming-resistant communication can be achieved by Spread-Spectrum (SS) Techniques –  Frequency Hopping Spread Spectrum (FHSS) –  Direct Sequence Spread Spectrum (DSSS)

•  SS techniques require an advantage over the attacker –  A shared secret key between the sender and receiver

•  Point-to-point / unicast communication •  Different types of attackers

–  Broadband and partial-band/narrow-band jammer –  Follower jammer (FHSS communication)


• 11/2/11

• 2

Computer Science

FHSS: Frequency Hopping Spread Spectrum

DSSS: Direct Sequence Spread Spectrum

Common anti-jamming techniques rely on pre-shared secret codes (keys) •  to achieve availability (not authentication or confidentiality)

The pre-shared secrets must be known to the sender and receiver but not to the jammer

•  PRNG

• Spreading code (PRNG seed)

•  PRNG

•  PRNG •  PRNG

• frequency

• frequency

• Hopping sequence (PRNG seed)

Spread-Spectrum (SS) Techniques


Computer Science

Broadcast Communication

•  Broadcast communication •  One sender, many receivers •  Open system -  New receivers may join -  Receivers may withdraw -  Any receiver can listen

(in contrast to multicast)

»  Examples: •  radio (audio) broadcast

(AM, FM, …) •  navigation signals: satellite-

based (GPS), terrestrial (LORAN)


• A

• B

• multicast

• D • C

• A

• B

• broadcast

• D

• C

Computer Science

Attacks on Broadcast Communication

•  For pairwise (unicast) communication we only consider external (outsider) attackers

–  A and B are mutually trusted –  Attacker uses only public information

•  Broadcast communication –  High and unknown number of receivers –  Receivers are potentially untrusted and may be colluding –  We need to consider external attackers and

internal (insider) attackers –  Group keys?


• B

• J

• A

• A

• … • B • D

• C • E

• 11/2/11

• 3

Computer Science

External Attackers on SS Techniques •  External attacker

•  Does not know the spreading code / hopping sequence •  Partial-band attacker can still jam. Example: FHSS

–  pj = Probability that the packet is jammed –  = 1 – (1 – cj /c )nj


• c = # frequency channels • cj = # channels the jammer jams • nj = jamming cycles per packet (given by min. jamming period, packet length, and jammer capabilities)

• c

• cj

• Min. jamming

Packet

• Typical computation of jamming probability

via the inverse

Computer Science

Internal Attackers on SS Techniques

•  Internal attacker –  Legitimate receiver: can decode the broadcast signal, i.e.

knows the used spreading code and its synchronization –  Can misuse the spreading code and synchronization for

jamming to disable other receivers to get the signal –  Group keys do not prevent this attack!

We need a better solution!


• A

• … • B • D

• C • E

• Key K

• K

• K • K

• K

Computer Science

• A

• B

• J • broadcast

• m, sig(m)

• D • C • Applications: alarm broadcast,

navigation signals, etc.

• Problem: BS needs to broadcast an (authenticated) message to a large number of unknown/untrusted receivers in an anti-jamming manner.

• But … •  Anti-jamming communication relies on shared secret keys •  In anti-jamming broadcast we cannot rely on shared keys (unknown/untrusted receivers) •  Public-key crypto does not help

• PKA

• PKA

• PKA

• PKA

Anti-jamming Broadcast w/o Shared Keys


• 11/2/11

• 4

Computer Science

Anti-Jamming Key Establishment

•  Problem: A and B want to establish a shared secret key in the presence of a jammer J

•  Assumptions: –  A and B do not share any secrets –  The clocks of A and B are

loosely synchronized O(s) –  Each node has a public/private key pair and a certificate binding its

identity to the public key –  CA (Certification Authority) is trusted by all nodes; it may be off-line

or unreachable by the nodes at the time of communication


CA

A B

J

(offline)

CertCA(A) CertCA(B)

Computer Science

Anti-Jamming/Key-establishment Dependency

•  Key establishment depends on jamming-resistant communication

•  Common anti-jamming techniques require a shared secret key (code)

•  Leads to an anti-jamming/ key-establishment dependency cycle


Computer Science

• (UFH)

Two Solutions: UFH and UDSSS •  Basic idea:

•  If you cannot coordinate the sender and the receiver – Don’t! •  Sender uses random hopping sequences/spreading codes unknown to the

receiver (public set) •  Two solutions:

•  Uncoordinated Frequency Hopping Spread Spectrum (UFH) •  Uncoordinated Direct Sequence Spread Spectrum (UDSSS)

•  Rationale: •  The attacker cannot predict which channels will be used (neither can the

receiver)


• 11/2/11

• 5

Computer Science

Attacker Model

Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), ctPt + cjPj + coPo ≤ PT


•  Attacker goal: to prevent communication! •  Attacker actions: Jam, Insert, Modify •  Attacker types: Responsive, Sweep, Random, … •  Attacker strength (channels/time to jam/sense): cs/ts, cj/tj •  Power to insert, jam, and overshadow: Pt, Pj, and Po

•  PT: total signal strength that attacker J can achieve at the receiver B

Computer Science

M := m, sig(m), …

M1 M2 Ml

…

M3

M1 M2 Ml

• m1 • m2 • ml

1.  Fragmentation

2.  Fragment linking (protects against insertion)

3.  Packet Encoding (ECC) (protects against jamming)

4.  Repeated transmission

Uncoordinated Frequency Hopping (transmitter)


Computer Science

1.  Receiving packets

2.  Packet decoding

3.  Ordering and linking

4.  Message reassembly and signature verification

M1 M2 Ml M3

M := m, sig(m), …

m3 m1

m1

• f1:

• f2:

• … M1 M2 Ml

• M1 • M1 M1 • M1 • M1 M2

• M1 • M1 Ml • …

m2

Uncoordinated Frequency Hopping (receiver)


• 11/2/11

• 6

Computer Science

• Problem: Fragments are not individually authenticated (pollution attacks)

• (I+1)l

• message size • slot size

• Signature verification at each candidate message (after reassembly)

• In the best case, I=1 … (depends on attacker’s # of channels, power …)

• but l is large; l = (>20) • Result: Attacker performs a DoS attack on the logical level instead on

the physical

Fragment linking


Computer Science

• Problem: Fragments are not individually authenticated (pollution attacks) • Solution: Cryptographically link fragments (no reliance on shared key)

to achieve message integrity

• Hash linking

• One-way Accumulators

• Short signatures

• Min 1 hash

• 1 witness

• 1 short signature

Fragment linking (Cont’d)


Computer Science

• Gain: Instead of (I+1)l signature verifications, reduction to (I+1)l hash/acum/signature verifications + (I+1) signature verifications

• Signatures and accumulators better than hash linking • Possible extensions: •  Use linking with erasure codes, e.g., Fountain codes. •  Reconstruct the message from any k fragments.

Fragment linking (Cont’d)


• 11/2/11

• 7

Computer Science

Two Solutions: UFH and UDSSS •  Basic idea:

•  If you cannot coordinate the sender and the receiver – Don’t! •  Sender uses random hopping sequences / spreading codes

unknown to the receiver (public set) •  Two solutions:

•  Uncoordinated Frequency Hopping Spread Spectrum (UFH) •  Uncoordinated Direct Sequence Spread Spectrum (UDSSS)

•  Rationale: •  The attacker cannot predict which spreading codes are used by

the sender (neither can the receiver) •  UDSSS has reduced latency compared to DSSS •  Throughput can be improved by using parallelization


Computer Science

Preliminaries: DSSS

t

spread despread

Spreading code

Spreading code

• RF message message • modulator demodulator

sender receiver

• chip

• bit

t

bit 1

Spreading code 1 -1 -1 1 -1 -1 -1 1 1 1 -1

Result (chips) 1 -1 -1 1 -1 -1 -1 1 1 1 -1

chips 1 -1 -1 1 -1 -1 -1 1 1 1 -1

Spreading code 1 -1 -1 1 -1 -1 -1 1 1 1 -1

correlation (1+1+1+1+1+1+1+1+1+1+1)/11=1

bit 1

chips -1 1 1 -1 1 1 1 -1 -1 -1 1

Spreading code 1 -1 -1 1 -1 -1 -1 1 1 1 -1

correlation (-1-1-1-1-1-1-1-1-1-1-1)/11=-1

bit -1 (0) Dr. Peng Ning 20 CSC/ECE 774 -- Adv. Net. Security

Computer Science

Uncoordinated Direct Sequence Spread Spectrum


• 11/2/11

• 8

Computer Science



Computer Science



Computer Science



• 11/2/11

• 9

Computer Science

UDSSS: Optimization


Computer Science

Advanced Network Security

DSD-DSSS: DSSS through Delayed Seed Disclosure


Computer Science

DSD-DSSS: DSSS based on Delayed Seed Disclosure •  Goal: DSSS without shared secret •  Observation

–  A receiver can wait to decode until end of transmission –  A jammer must jam the transmission before it is finished

•  Exploiting the observation –  Construct spreading code sequence using a random seed –  Spread the message using this code sequence –  Disclose the seed after the message transmission

•  It’s too late when the jammer sees the seed


• 11/2/11

• 10

Computer Science

Delayed Seed Disclosure

•  The same observation has been made in –  TREKS [Jin et al., MobiHoc09] –  RD-DSSS [Liu et al., INFOCOM 2010] –  Delayed-key UDSSS [Pöpper et al., JSAC 2010]

•  However –  TREKS: later parts of message are vulnerable; limited to

pairwise communication –  RD-DSSS and Delayed-key UDSSS

•  Delayed seed (key) vulnerable

•  We provide a novel approach for seed protection


Computer Science

DSD-DSSS – Spreading Code Sets

•  Public spreading code sets: Cp and Ce – Cp: message body – Ce: seed – Cp∩Ce=Ø – Each code has an index

29 Dr. Peng Ning CSC/ECE 774 -- Adv. Net. Security

Computer Science

Basic DSD-DSSS – Sender Side


• 11/2/11

• 11

Computer Science

Basic DSD-DSSS – Receiver Side


Computer Science

DoS Attacks against Seed Disclosure

•  Attacker may inject bogus seeds by –  Continuously drawing a code from Ce, spreading a random

bit, and transmitting

•  Receivers –  Have to try combinations of codes from Ce to recover the

seeds –  May recover many possible seeds for one transmission


Computer Science

Content-based Seed Disclosure •  Observation

–  Receivers can buffer the seed and despread later –  Jammer has to jam/inject during the seed disclosure

•  Content-based subset selection –  The later seed bits can help protect the earlier ones –  Reduce computation –  Create a pattern to filter out fake seeds

33

bit b1 b2 b3 b4 b5 b6 b7 b8 code x1 x2 x3 x4 x5 x6 x7 x8

• x

• code set • x

• x

Dr. Peng Ning CSC/ECE 774 -- Adv. Net. Security

• 11/2/11

• 12

Computer Science

Security Requirement

•  Jammer shouldn’t be able to infer what codes are used later by observing earlier codes


Example -- An undesirable situation

• Bit 1

• Bit 2

• Bit 3

• Bit 4

If jammer can derive the relationship between codes by analyzing the subset selection algorithm…

• Ideally…

Computer Science

Intuition

35

• x1 • x2 …

• x

• x

• x5

• x6

• …


• Jammer observes code x for the current bit

• … • x

• x3 • x4

Computer Science

Generation of Subsets of Cp

•  Generated with Symmetric Balance Incomplete Block Design (SBIBD)

36

• Cp • x • x

• x

# of codes: n2+n+1 # of subsets: n2+n+1 Each subset has n+1 codes Each code is in n+1 subsets Each pair of codes only exists in one subset

• x

• x • x

• x • x

• x • x • x • x


• 11/2/11

• 13

Computer Science

Content-based Code Subset Selection – Sender Side


Computer Science

Content-based Code Subset Selection – Receiver Side


Computer Science

Security Analysis

•  Jammer’s capability


• 11/2/11

• 14

Computer Science

Jamming Probability of the Seed


Analysis strategy: Derive the lower bound of jammer’s search space (see paper)

Computer Science

Effectiveness against DoS Attack

41

• 2.87 • 2

• 1.01


Expected # of Seed Candidates for Receiver

Computer Science

Prototype Implementation

•  Hardware –  USRPs with XCVR2450 daughter boards

•  Software –  GNU Radio 3.2 –  Modified spread/despread module in GNU Radio’s sample

code named “digital”


• 11/2/11

• 15

Computer Science

Selected Evaluation Result

43

Code length: 32

• DSSS: 0.25

• UDSSS: 0.35

• Subset: 0.57

• Basic DSD-DSSS: 2.22


Computer Science

Advanced Network Security

USD-FH: Frequency Hopping with Uncoordinated Seed Disclosure


Computer Science

Previous Work

•  UFH [Oakland 08] –  Exchange ECDH messages with uncoordinated FH

•  ECDH message M is split into multiple packets due to packet size constraint (hop duration × bit rate)

•  Packets are chained with hash values to prevent injection attack

•  Both sender A and receiver B do uncoordinated FH (A hops faster than B does)

•  A send M repeatedly until B collects all packets and reconstructs the message M

–  Use the established key for later FH communication 45 Dr. Peng Ning CSC/ECE 774 -- Adv. Net. Security

• 11/2/11

• 16

Computer Science

Previous Work (Cont’d)

•  BMA [MobiHoc 09] – Enhanced version of UFH – Erasure coding

•  No need to collect all packets to reconstruct the message

– One-way authenticator based on bilinear pairing •  Each packet can be verified immediately upon received

– Almost two times faster than UFH


Computer Science

Motivation

•  Both UFH and BMA are vulnerable to responsive jamming attacks –  Each packet has to contain additional fields (e.g., packet id,

hash/witness value) for message reconstruction •  Packet size cannot be too small

–  Jammer has enough time to detect and jam the packet •  Remove these fields → very small packet size → low

jamming probability –  Use uncoordinated FH to transmit a seed instead of the

packet itself –  Transmit the message as a whole part using the hopping

pattern determined by the seed •  No need of additional fields for message reconstruction


Computer Science

USD-FH: Sender Side

48

• M:

• p1 • p2 • p3 • p4 • ··· • pl-1 • pl

• split to packets

s2 • PRNG

• 3 8 2 4 … 10 13

• Hopping pattern for M

s1 • PRNG

•  1 5 9 11 … 7

• Hopping pattern for s2

• 1,s2 • 2,s2 • 3,s2 • 4,s2 • ··· • x,s2

• Nobody knows except sender


• 11/2/11

• 17

Computer Science

USD-FH: Receiver Side

49

• p1 • p2 • p3 • p4 • ··· • pl-1 • pl

• 3 8 2 4 … 10 13 •  1 5 9 11 7

• 1,s2 • 2,s2 • 3,s2 • 4,s2 • ··· • x,s2 • packets from sender:

• sender’s hopping pattern:

• 3 8 2 4 … 10 13 •  10 9 … • receiver’s hopping pattern:

• PRNG

• (x-2) × hop duration

• p1 • p2 • p3 • p4 • ··· • pl-1 • pl


Computer Science

Performance Analysis

•  Attacks – Low-level jamming attacks (targeting packet)

•  types: non-responsive, responsive •  strategies: static, random, sweep

– High-level responsive jamming attack (targeting seed)

•  catch the seed s2 and jam the message M – Hybrid jamming attack (targeting packet and seed)

•  low-level jamming + high-level responsive jamming •  most efficient jamming attack


Computer Science

Jamming Probability under Low-level Jamming Attacks


• 11/2/11

• 18

Computer Science

Observations

•  Short hop duration is preferred •  USD-FH can support short hop duration

– No id and hash chain/witness value for message reconstruction purpose

•  Low packet overhead •  Fit into short hopping slot

– Packet size is determined by the size of seed and index number


Computer Science

Evaluation Setup •  Compare UFH, BMA, and USD-FH •  Simulation using Bluetooth demo in Simulink

–  GFSK –  1 Mbps –  200 channels –  Message (2,176 bits) –  Packet

•  Reed-Solomon 15 bit -> 21 bit, tolerate 3 bits error •  UFH: message ID (34 bits), packet ID (6 bits), payload (80-640 bits),

hash (70 bits) •  BMA: message ID (34 bits), packet ID (6 bits), payload (15-570 bits),

witness(140 bits) •  USD-FH: payload (45 bits)

•  Optimize x by minimizing Thybrid using Mathematica •  5 Scenarios under hybrid jamming attack


Computer Science

Evaluation Results – Scenario 1

54

• 20 times faster than UFH • 14 times faster than BMA


• 11/2/11

• 19

Computer Science


55



Computer Science


56



Computer Science


57

• UFH and BMA stop working from cj > 10


• 11/2/11

• 20

Computer Science


58

• very powerful jammer


Computer Science

Conclusion

•  Security of wireless physical layer is necessary –  Anti-jamming wireless communication; authentication of

signal; privacy; …

•  Using wireless physical layer properties helps –  Proximity based access control; device authentication; PUE

defense; …

•  More research is needed!


csc/ece advanced network securitydiscovery.csc.ncsu.edu/courses/csc774-f11/slides/t06.2_anti... ·...

Documents