securing wireless systems - sigsac

1

Securing Wireless Systems

Panos Papadimitratos

[email protected]

ACM CCS 2009 – Tutorial: Securing Wireless Systems

mailto:[email protected]

2

Wireless Systems

• Wireless local area networks (WLANs)

Link to the Internet

Wireless

Access

Point

3

Wireless Systems (cont‟d)

• WLANs, Personal Area (PANs), Ad hoc Networks

Illustration: Ericsson, ca. 2000

4


• Radio Frequency Identification (RFID)

Readingsignal

tagged object

ID Detailedobject

information

• Wi-Fi and Bluetooth enabled devices

Back-enddatabaseID

5


• Sensor networks

Node photos: XBow

6


• Tactical ad hoc networks

– Military −Search-and-rescue

7


• Vehicular ad hoc networks (VANETs)

Illustration: C2C-CC

8


• Ad hoc networks– Limited wireless communication range

– Collaborative support of the network operation

– Peer-to-peer interactions

– Transient associations

– Openness Nodes

Links

9


• Security challenges

– Easy eavesdropping and message injection

– Each and every node can disrupt the network operation

– No monitoring facility

– Resource constraints

– Error-prone communication

– Hostile environments

– Nodes and applications tightly coupled to the user and her physical environment

10


Radio link establishment

Direct wireless communication

Multi-hop communication

Distance to other reachable devices

Device localization and own positioning

Application performance measurable in the physical world

• A set of basic elements

11

Wireless Systems Security

Anti-jamming techniques

Secure Neighbor Discovery

Secure data communication

Secure rangingDistance bounding

Secure localization and positioning

Vehicular Communications –transportation safety

• Tutorial outline

12

Anti-Jamming Techniques

© 2009 P. Papadimitratos


13

Wireless Communication (WCOM)

• Transmissions over the same channel that overlap (partially) in time:

– Interference : communication degradation

– Collision : the receiver cannot successfully decode any signal

Transmitter Receiver

Device A Device B- Wireless medium- Transmission

Transmitter

Device C

14

Preventing WCOM

Transmitter Receiver

Device A Device B- Wireless medium- Transmission

Transmitter

Jammer• Jamming: deliberate interference,

to prevent signal reception

– Over one or multiple channels

– Intermittently or continuously

– Varying transmission power

– Violation of regulations

15

Frequency

Power

Preventing WCOM (cont‟d)

Frequency

Power

Frequency

Power

Barrage jamming

Swept-spot jamming

Multi-spot jamming

16

Anti-Jamming Defense

• Robust antenna and receiver designs

– Withstand interference

• System diversity

– Multiple channels available

– Use each channel for a period of time

– Then, „jump‟ to another channel

– Assumption: the jammer is constrained

• E.g., out of n available channels, the jammer can prevent communication (jam) up to t < n channels

17

Anti-Jamming Defense (cont‟d)

• Popular technologies operate with:

– Multiple channels, e.g., IEEE 802.11a/b/g/n, IEEE 802.15.4

– Direct sequence spread spectrum, i.e., signals occupy a wide spectrum

• Resilience depends (primarily) on:

– Pre-established knowledge (channel hopping pattern, spreading codes)

– Spread spectrum communication parameters

– Jammer strength (jammer to signal ratio)

18

Anti-Jamming Defense (cont‟d)Fre

quency

Time

Transmissions

• Frequency hopping (FH): transmit over a part of the available bandwidth for a short period of time

19


• FH patterns should be hard to determine

• Adaptive FH patterns

• Bootstrapping without pre-shared information?

– Uncoordinated Frequency Hopping

• Random FH for both sender and receiver; the sender hops much faster than the receiver

• Transmission of data fragments, from which the receiver has to reconstruct the message

• Communication possible when both sender and receiver are simultaneously at the same channel

M. Strasser, C. Pöpper, S, Capkun, and M. Cagalj, “Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping,” IEEE S&P 2008

20


• Bottom line: Jammer can overpower receivers

– Technology known to adversary

– Sufficiently high transmission power

– Sufficient proximity to victims

Graphic by Tektronix

21


• Numerous examples of commercially available devices

– Against WiFi, GSM, PCS, GPS, Bluetooth

• Applications in law enforcement, anti-terrorism, military operations

22


• Detect the location of the jammer and remove it (physically)

– Determine the jamming signal direction from multiple points

Jammer

23

Impact of Jamming

• Presence of jammer Wireless links downwithin its zone of influence

24

Summary

• Jamming is a long-known problem

• Various technologies to increase resilience

• Detection of jammer location and removal

• Jamming = denial of service within a region = wireless links down

– Selective and local erasure of messages across the wireless medium by an adversary

• Additional reading:

R. A. Poisel, “Modern Communications Jamming Principles and

Techniques,” Artech House, 2003

25

Secure Neighbor Discovery



26

Neighbor Discovery (ND)

• Neighbor Discovery (ND)

– A node discovers other nodes it can directly communicate with

A

B

C

D

27

Neighbor Discovery (ND) (cont‟d)

• B is neighbor of A if and only if it can receive directly from A

• Link (A,B) is up A is neighbor of B

• RA≠RB, i.e., (A,B) may be up while (B,A) is down

A

B

RA

RB

28

Neighbor Discovery (ND) (cont‟d)

• Simple, widely used solution, but not secure• Easy to attack

– Mislead B that A is its neighbor, when this is not the case

A B

“Hello, I‟m A”

B: “A is my neighbor”;“A is added in myNeighbor List”

29

Attacking ND

• Single adversary appears as multiple neighbors

M


“Hello, I‟m C”

“Hello, I‟m Z” B: Neighbor List = {A, C, …, Z}

…

30

(2) A, nA, nB, B, SigA(A, nA,nB, B), CertCA(KA,A)

Securing ND

• An attempt– Message authenticity and replay protection

• nA, nB are nonces

– Bob essentially „challenges‟ Alice to provide a „hello‟ message

A B(1) nB, B

31

Attacking ND (cont‟d)

• “Relay” or “Wormhole” Attack– Simply relay any message, without any modification

AB:

Neighbor List = {A}

M

32

Attacking ND (cont‟d)

• Long-range relay / wormhole

– The attacker relays messages across large distances

out-of-band or private channel

B: Neighbor List = {A}


“Hello, I‟m A” “Hello, I‟m A”

A

B

M1 M2

33

Attacking ND: Implications

• Routing in multihop ad hoc networks

34

Attacking ND: Implications (cont‟d)


35



36


• RFID-based access control

Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contact-less smartcard,” SECURECOMM ‟05

• Attacker close to the access-granting RFID tag

– Relays signals from and to her accomplice, who obtains access

37

Securing Two-Party ND

• Basic ideas

– Authentication

– Node-to-node distance estimation

– x>R A: AP not neighbor

– Y<R B: AP neighbor

APA

Bx

y

R

38

Securing Two-Party ND (cont‟d)

• Use message time-of-flight to measure distance

– Distance Bounding [1]

– Temporal Packet Leashes [2]

– SECTOR [3]

• Use node location to measure distance

– Geographical Packet Leashes [2]

[1] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT „93[2] Y.-C. Hu, A. Perrig, and D. B. Johnson. “Packet leashes: A defense against wormhole attacks in wireless networks,” IEEE INFOCOM „03[3] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” ACM SASN „03

39

Securing Two-Party ND (cont‟d)

• Are these protocols [1,2,3] achieving secure ND?

• Can any protocol, including and similar to [1,2,3], which can measure time, solve the secure ND problem?

• Is there any provably secure ND protocol?

• Note: Measurements can be *very* accurate

None of the above protocols secures NDNo (secure) ND protocol that relies

on time measurements does

40

Traces and Events

• Trace is a set of events

A

B

C

41

S

S,P

Feasible Traces

• System execution: feasible trace

• Traces feasible with respect to:

- Setting S

- Protocol P

- Adversary AS,P,A

42

Setting S

{ A, B, C, D, E, F, G, H }

………

H

A

C

B

D

G

FE

43

Trace Feasible wrt Setting S

• Causal and timely message exchange

A

B

v – signal propagation speed

44

Trace Feasible wrt Setting S (cont‟d)

• Causal and timely message exchange

45

Local Trace

A

B

46

Protocol P

• Actions

• Local view

• Protocol

47

• Correct nodes follow the protocol

Trace Feasible wrt Protocol

48

Trace Feasible wrt Adversary

• Adversarial nodes can only relay messages

with minimum delay

• Denote the adversary as:

A

49

Neighbor Discovery Specification

1) Discovered neighbors are actual neighbors

2) It is possible to discover neighbors

Protocol P solves Neighbor Discovery for adversary A if

50

Neighbor Discovery Specification (cont‟d)

1) Discovered neighbors are actual neighbors

2) It is possible to discover neighbors

Protocol P solves Two-Party Neighbor Discovery for adversary A if

in the ND range R

…

51

T-protocol Impossibility

Theorem: No T-protocol can solve Neighbor Discovery for adversary if .

Proof (sketch):

Any T-protocol P that satisfies ND2 cannot satisfy ND1

Observation: Physical proximity does not necessarily imply correct nodes are able to communicate directly

52

Results

• T-protocol ND impossibility (general case)

• T-protocol solving ND (restricted case)

• TL-protocol solving ND (general case)

M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery in Wireless Networks: A Formal Investigation of Possibility,” ACM ASIACCS 2008

M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007

53

Protocol P CR/TL

challengemessage

responsemessage

authenticatormessage

• Challenge-Response/Time-and-Location

54

ND Properties – Revisited (cont‟d)

• Correctness:

• Availability:

TP – protocol specific duration

55

Theorem: Protocol PCR/TL satisfies the Neighbor Discovery Specification:

• Correctness (ND1)

• Availability (ND2CR/TL)Under the assumptions:

i. Any processing delay relay > 0

ii. Equality of maximum information propagation speed and wireless channel propagation speed vadv = v

Protocol P CR/TL (cont‟d)

M. Poturalski, P. P., and J.-P. Hubaux, “Towards provable secure neighbor discovery in wireless networks,” ACM CCS FMSE 2008

56

Summary

• Secure Neighbor Discovery– Prerequisite for secure networking protocols

and various applications, and system security

– Hard problem

– Proven secure solutions

– Implementation is not easy in practice

57

Additional Readings

• Overview

• Implementation

• Early works relating to SND

R. Shokri, M. Poturalski, G. Ravot, P. P., and J.-P. Hubaux, “A Low-Cost Secure Neighbor Verification Protocol for Wireless Sensor Networks,” ACM WiSec, March 2009

P. P., M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J-P. Hubaux, "Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking," IEEE Communications Magazine, February 2008

J. Arkko, J. Kempf, B. Zill, and P. Nikander, “SEcure Neighbor Discovery (SEND),” IETF RFC 3971, March 2005

P. P. and Z.J. Haas, “Secure Link State Routing Protocol”, IEEE WSAAN, January 2003

58

Secure Ranging / Distance Bounding



59

Ranging / Distance Bounding

• Ranging

– A: Obtains d(A,B), an estimate of dA,B, the actual A,B distance

• Distance bounding

– A: Obtains D(A,B), a bound s.t. dA,B ≤ D(A,B)

A B…

60

Attacking Ranging / DB

• Ranging: A, B exchange a sequence of messages, including own measurements (e.g., times of arrival)

• The attacker, B, provides fake inputs, to manipulate (shorten or lengthen) the d(A,B) calculated by A

• Caution

– Authentication does not solve the problem

– Computation delays could dwarf measurements

A B…

61

Attack Implications

• Manipulation of calculated distance

– Illegitimate physical space access

– Defeating a theft detection system

Safe Storage

62

Attacking Ranging / DB (cont‟d)

Verifier Prover

...

Dishonest Prover

...

Verifier

Verifier Colluding DishonestProver

...

... ...

Mafia Fraud or RelayAttack

Distance FraudAttack

Terrorist FraudAttack

63

Securing Ranging / DB (cont‟d)

• Authenticated ranging can defeat relay (mafia fraud) attacks

• To defeat the distance fraud attacks:

– Distance-related measurements based on sufficiently fast and simple actions by the honest prover

– A dishonest prover cannot perform the same action faster than an honest prover

• A dishonest prover cannot appear closer to the verifier than it actually is

64

Distance Bounding

S. Brands and D. Chaum, “Distance-bounding protocols,” Advancesin Cryptology, EUROCRYPT ‟93

(RBE)

65

Distance Bounding (cont‟d)

• Distance bounding [Brands & Chaum]

– Phase 1: Prover sends out a commitment to a random n-bit value

– Phase 2: Rapid Bit Exchange (RBE); the Verifier sends 1-bit challenges to Prover, which then XOR‟s this with the corresponding bit of the comment

• At each RBE, the verifier measures the round-trip (V-P-V) delay

– Phase 3: The Prover opens the commitment and the Verifier calculates the distance bound (the maximum of all RBE-measured delays)

• Success of attack: 1/2n

– An attacker can only guess the 1-bit responses

66


• Practical issues

– Short symbols over RF, for each 1-bit exchange

• High propagation speed

• Nanosecond time precision

– Lengthy RBE

• Increased security

• Higher delay

– Bit error(s)

• Likely across a wireless link (e.g., noise)

• Failure of the entire protocol (prob. ½ to respond correctly to a single corrupted bit)

67


G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005

68


(1)

(2)

(3)

Defense for terroristfraud attacks

– RBE tied to the prover identification

[BussardBagga04]

69


J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ACM ASIACCS 2007

70


[KimAKSP08]

(1)

(2)

(3)

71

[Piramuthu07] - 7/8n

[BrandsChaum93]- Mafia-resistant, ½n

[CapkunBH03]- Mutual DB

[BussardBagga04]- Asymmetric crypto- Proof of Knowledge

[HanckeKuhn05]- Noise-tolerant, w/o noise ¾n

[ReidGNTS06]- Symmetric crypto, ¾n

[MeadowsPPChS07]

[TuPiramuthu07]- 4-RBEs, 9/16n

[KimAKSP08]- 1/2n

Bold fonts: Design for resistance to terrorist fraud attacks

[MunillaOP06]- Void challenges, 3/5n

[SingleePreneel07]- noise-tolerant, ½n

[NikovVauclair08]- Rapid Bit-chunk Exchange

[MunillaPeinado08]- [AvoineTchamkerten09]

- HK ¾n → n½n, memory cost

[SchallerSchBC09]

Summary

[CapkunHubaux06]- No RBE- Auth.ranging

72

Summary (cont‟d)

• Authenticated ranging resists external attacks (mafia frauds)

• Distance bounding resists an isolated dishonest prover (distance fraud)

• More recent protocols to defend against a colluding prover (terrorist fraud)

• Additional reading

– Attacks by external adversaries at the physical layer: Early Detect / Late Commit

J. Clulow, G. Hancke, M. Kuhn, and T. Moore, “So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks,” ESAS 2006

73

References

[AvoineTchamkerten09] G. Avoine and A. Tchamkerten, “An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement,” ISC 2009

[BrandsChaum93] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ‟93

[BussardBagga04] L. Bussard and W. Bagga, “Distance-Bounding Proof of Knowledge Protocols to Avoid Terrorist Fraud Attacks,” EUROCOM Tech. Report, RR-04-109, 2004

[CapkunBH03] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” SASN 2003

[CapkunHubaux06] S. Capkun and J.P. Hubaux, “Secure positioning in wireless networks,” JSAC 2006

[HanckeKuhn05] G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005

[KimAKSP08] C.H. Kim, G. Avoine, F. Koeune, F.-X. Standaert and O. Pereira, “The Swiss-Knife RFID Distance Bounding Protocol,” ICISC 2008

74

References (cont‟d)

[MeadowsPPChS07] C. Meadows, R. Poovendran, D. Pavlovic, L. Chang, and P. Syverson, “Distance bounding protocols: Authentication logic analysis and collusion attacks,” Sec. Loc. and Time Sync. for Wireless Sensor and Ad Hoc Networks, 2006

[MunillaOP06] J. Munilla, A. Ortiz and A. Peinado,”Distance Bounding Protocols with Void Challenges for RFID,” RFIDSec2006

[MunillaPeinado08] J. Munilla and A. Peinado, “Attacks on Singelee and Preneel'sprotocol,” ePrint, 2008

[NikovVauclair08] V. Nikov and M. Vauclair, “Yet Another Secure Distance-Bounding Protocol,” ePrint, 2008

[Piramuthu07] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems 2007

[ReidGNTS06] J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ASIACCS 2007

[SchallerSchBC09] P. Schaller, B. Schmidt, D. Basin, S. Capkun, “Modeling and Verifying Physical Properties of Security Protocols for Wireless Networks,” CSF 2009

[SingleePreneel07] D. Singelee and B. Preneel, “Distance Bounding in Noisy Environments,” ESAS 2007

[TuPiramuthu07] Y.-J. Tu and S. Piramuthu, “RFID Distance Bounding Protocols,” RFID Technology 2007

75

Secure Route Discovery



76

Route Discovery

• Stage 0: Neighbor discovery

• Stage 1: Route discovery

G

F

B

C E

D

A

H Route : Sequence of nodes (and edges); for simplicity: (A, G, E)

Sourcenode

Destinationnode

Intermediatenodes

77

E

F

B

C H

G

A

D

RREP: “I am H”

RREQ: “A is looking for H”

Attacking Route Discovery

• Impersonation of the destination, for example, in any reactive routing protocol

78

Attacking Route Discovery (cont‟d)

• Disrupting distance vector routing (for example, in AODV)

E

F

B

C H

G

A

D

RREP: “Hop count = 3”

RREQ: “A is looking for H”

RREP: “Hop count = 2”

79

Attacking Route Discovery (cont‟d)

• Caution: None of these protocols (DSR, AODV) was designed with security in mind

• Many possible ways to attack the route discovery

• Outcome of attacks – Control communication

• Become part of utilized routes

• Monopolize resources

– Disrupt communication• Degrade or deny

80

Requirements

• We are interested in protocols that discover routes with the following two properties:

(1) Loop-freedom: an (S,T)-route is loop-free when it has no repetitions of nodes

(2) Freshness: an (S,T)-route is fresh with respect to a (t1,t2) interval if each of the route‟s constituent links is up at some point during the (t1,t2)

• Loop-freedom and freshness are relevant for both explicit and implicit route discovery

P. P., Z.J. Haas, and J.-P. Hubaux, "How to Specify and How to Prove Correctness of Secure Routing Protocols for MANET," BroadNets‟06

81

Secure Routing Protocol (SRP)

• Explicit basic route discovery

• Observation

– It is hard to „know‟ all nodes in the network, i.e., establish associations with all of them

– Often infeasible and very costly

– Especially in „open‟ networks

• SRP assumptions

– Secure neighbor discovery

– Hop-by-hop authentication of all control traffic

– End nodes (source, destination) „know‟ each other

• Can set up security associations

P. P. and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002

82

SRP (cont‟d)

S V1 V3V2 T

Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)

1.S broadcasts RREQ;2.V1 broadcasts RREQ, {V1}; 3.V2 broadcasts RREQ, {V1, V2};4.V3 broadcasts RREQ, {V1, V2, V3};

1 2 3 4

83

SRP (cont‟d)

Route Reply (RREP): QID, {T, V3, V2, V1, S},MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S)

5. T → V3 : RREP;6. V3 → V2 : RREP;7. V2 → V1 : RREP;8. V1 → S : RREP;

S V1 V3V2 T

1 2 3 4

8 7 6 5

84

Additional Readings

• Secure Explicit Routing– Link State Routing

– Reactive Route Discovery

– Ariadne

– EndAir

P. P. and Z.J. Haas, "Secure Link State Routing for Mobile Ad Hoc Networks," IEEE WSAAN, Orlando, Florida, January 2003

Y.-C. Hu, A. Perrig, and D. Johnson, ”Ariadne: A secure on-demand routing protocol for ad hoc networks,” Wireless Networks, 2005

G. Acs, L. Buttyan, and I. Vajda, “Provably secure on-demand source routing in mobile ad hoc networks,” IEE TMC, 2006

85

Additional Readings (cont‟d)

• Secure Implicit Routing

• Secure Augmented Routing– QoS-aware routing

• OverviewChapter 7, L. Buttyan and J.-P. Hubaux, “Security and Cooperation in Wireless Networks”, Cambridge Press, 2008

P. P. and Z.J. Haas, "Secure Route Discovery for QoS-Aware Routing in Ad Hoc Networks," IEEE Sarnoff Symposium, 2005

K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, E. Belding-Royer, “Authenticated routing for ad hoc networks,” IEEE JSAC 2005

Y.-C. Hu, D.B. Johnson, A. Perrig, Secure efficient distance vector routing in mobile wireless ad hoc networks, IEEE WMCSA 2002

P. P. and Z.J. Haas, "Secure On-Demand Distance Vector Route Discovery in Ad Hoc Networks,“ IEEE Sarnoff Symposium, 2005

86

Attacking Routing - Revisited

• Tunneling Attack– Two colluding attackers: M1, M2

– M1 encapsulates control traffic and forwards to M2 and vice versa

– Attackers seemingly follow the protocol with respect to their neighbors

S

T

M1

M2

P. P. and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002

87

Attacking Routing – Revisited (cont‟d)

• Multiple Colluding Attackers

– M1 and M3 are seemingly correct to their neighbors, but they „omit‟ protocol functionality when handling packets from M2

– Example: M2 relays RREQ and RREP packets without appearing in the route discovery

V‟VS

M1 M2M3

T

88

Summary

• Route discovery is vulnerable

• Secure route discovery specification– Loop freedom, Freshness

– Accuracy

• Secure basic and augmented route discovery in open, dynamic networks

• Protocols rely on different trust assumptions

• Colluding adversarial nodes can subvert any route discovery protocol; „tunneling attack‟

89

Secure Data Communication



90

Data Communication

G

F

B

C E

D

H

Message

for E

A

91

Data Communication (cont‟d)

F

B

C E

D

A

H

92

Secure Data Communication

• Goal:

– Reliable and low-delay data delivery in the presence of attackers that disrupt the data communication

• Solution:– Detect and avoid compromised and

failing routes

– Tolerate malicious and benign faults• In general, hard to distinguish in highly

dynamic networking environments

93

Data Communication (cont‟d)

• What is the impact of the adversary that „lies low‟ and disrupts only the data communication?

Attacker Strength

Relia

bili

ty

50% of the network

nodes attacking

35% message delivery

100%

94

Securing Data Communication

G

F

B

C E

D

H

Route 1

Route 2

Route 3

A

• Use multiple routes

95

1

2

m-1

m

3

1

2

n

n-2

n-3

Introduce

redundancy

to the original

message

=

Original message

Securing Data Communication (cont‟d)

• Disperse data

96

1

3

n-2

n

3

1

2

n

n-2

n-3

Reconstruct

message

if any m-out-of-n

pieces are intact

=


• Disperse data

97

G

F

B

C E

D

H

Sending

n=3

E needs

m=2

A

Received

m pieces!


• Transmit simultaneously across the routes

98

H G

F

B

C E

D

A

Route 1

Route 2

Route 3

Tell A which

pieces were

intact


• Get feedback

99


• Secure Message Transmission (SMT) protocol– Dispersion of the transmitted data

– Simultaneous usage of multiple node-disjoint routes

– Data integrity and origin authentication

– End-to-end secure and robust feedback

– Adaptation to the network conditions

• Secure Single Path (SSP) protocol– Discovery and utilization of a single route

– End–to–end security and feedback

P. P. and Z.J. Haas, "Secure Data Communication in Mobile Ad Hoc Networks," IEEE JSAC, 2006

P. P. and Z.J. Haas, “Secure Message Transmission in Mobile Ad Hoc Networks,” ACM WiSe, 2003

P. P. and Z.J. Haas, "Secure Message Transmission in Mobile Ad Hoc Networks," Ad Hoc Networks, 2003

100


Nodes 50

Fraction of Adversaries

10%, 20%, 30%, 40%, or 50% of the network nodes

Measurements 50 randomly seeded runs for each point

Security Bindings Single destination per source

Simulated time 300 sec

Mobility Random waypoint; Pause times: 0, 20, 40, 60, 100, 150, 200, 250 seconds

Load 3, 7, 15, 20 CBR flows, Data payload: 512 Bytes

Rates: 4, 10, 15, 20, 25, and 30 packets/sec

Coverage Area 1000m-by-1000m

PHY/MAC IEEE 802.11, DCF, 2 and 5.5 Mbps, 300m

Transport UDP / TCP

Tool OPNET

101


• Secure Message Transmission (SMT) protocol

• Secure Single Path (SSP) protocol

• Secure route discovery for both protocols– Explicit, basic

• Reactive, Proactive

• SRP, SLSP

• Attack pattern– Full compliance with the route discovery

– Discard in–transit data packets

102

Secure Routing OnlySecure Routing + Secure Data Communication

Attacker Strength

Relia

bili

ty

50% of the

network

nodes are

attacking

35% message

delivery

93% message

delivery

without

retransmissions


• Reliable and Real-Time Communication in Hostile Environments

103

RedundancyD

ela

y1 3.5

1.2 s

0.4 s

Average delay for 100%

message delivery

Redundancy

Relia

bili

ty

1 3.5

82%

93%

Redundancy Message delivery without

retransmissions

Bandwidth For

Security


104

Performance Evaluation (cont‟d)

Impact of Load

and SMT-TCP interaction

Throughput – no flow control Throughput - SMT-RRD with TCP

105

Performance Evaluation (cont‟d)

Impact of Load

and SMT-TCP interaction

Message delay – no flow control Message delay - SMT-RRD with TCP

106

Summary

• Secure data communication is critical

– Secure routing protocols are vulnerable

– As long as attackers can place themselves on utilized routes, they can degrade or deny communication

– The only answer is to assess whether data are delivered, and avoid non-operational routes

• Secure data communication is practical

– Low-delay, low-jitter, and highly reliable; essentially, real-time

– Flexible

– Low overhead

– End-to-end

– Effective against any data-dropping pattern

107

Additional Readings

• More on secure data communication mechanisms

• CASTOR (Continuously Adapting Secure Topology-Oblivious Routing)

– Integration route discovery and communication

– Localized routing decisions

– Outcome: Scalability and resilience

W. Galuba, P. P., M. Poturalski, K. Aberer, Z. Despotovic, and W. Kellerer, “Castor: Scalable Secure Routing for Ad hoc Networks,” EPFL Technical Report, LSIR-REPORT-2009-002, 2009

J.-P. Hubaux and P. P., “Security and Cooperation in Wireless Networks,” ACM MobiCom 2007 tutorial[slides] http://icapeople.epfl.ch/panos/Hubaux-Papadimitratos-Tutorial-Mobicom07-

camera-ready.pdf

http://icapeople.epfl.ch/panos/Hubaux-Papadimitratos-Tutorial-Mobicom07-camera-ready.pdf











108

Secure Localization



109

Localization

• Mobile computing is becoming increasingly location-based

– Location-aware devices

– Location-based services

• Two main problems

– Determine the location of a (another) device

• Could be as simple as asking a location-aware device to report its location

• Often, some infrastructure performs the task

– Determine own location

• With the help of own equipment and infrastructure

110

Localization (cont‟d)

• Device localization

– Indoor and outdoor

– Various technologies (infrared, ultrasound, RF)

– Various approaches (angle of arrival, time of arrival, signal strength, etc)

I1

I2I3A

111

Attacking Localization

• Adversary M (actually at loc(M)) misleads the infrastructure; which erroneously perceives it as M‟ (at loc(M‟))

I1

I2I3M

M‟

I1

I2I3

M

M‟

112

Securing Localization

• Multiple (at least three) verifiers run DB with the node (prover); relevant area: verifiers‟ triangle

– An isolated dishonest prover cannot fake its position inside the triangle (intuition: it cannot perpetrate a distance fraud against any of the verifiers)

S. Capkun and J.-P. Hubaux, “Secure Positioning in Wireless Networks,” IEEE JSAC 2006

I1

I2I3

M

113


• Determining own position

– Infrastructure serving as reference

– Multiple points of reference allow the node to calculate its position

• Infrastructure type can vary, e.g.:

– Wi-Fi access points

– Specialized beacons

– Global Navigation Satellite Systems (GNSS)

114


Context awareness

Navigation

Fleet and

cargo management

Sensing

Global Navigation

Satellite Systems

Graphics by Nokia

115


• Global Navigation Satellite Systems

4. Obtain own position, locV, and clock correction, tV

ρ1

ρ2

ρ3 ρ4 GPS receiver,V 1. Receive NAVi from satellite

Si at position si

2. Estimate the NAVi

propagation delays, and thus V-Si distances (pseudoranges), ρi

3. Solve a system of equations:

116

Attacking Localization (cont‟d)

• Mislead devices (and their users) about their location

– Compromise the device: hard

– Compromise the infrastructure: much harder

– Interfere with the infrastructure-to-device wireless communication

• Easy

• Jam Outage

• Overwrite legitimate transmissions with synthesized ones Control locV and tV

117


• Attacker: Record and replay, or forge, GPS signals, overwriting the legitimate GPS signals

• System: GPS receiver locks on spoofed signals

• Consequence: User is provided with a false, attacker-controlled location

118


• GPS Jammers and Simulators

• Meaconing (record and re-broadcast, a.k.a. replay)

Low-power jammer (1 W); it can affect a 35km radius

B. O‟Hanlon, B. Ledvina, M.L. Psiaki, P.M. Kintner Jr., T. E. Humphreys, “Assessing the GPS Spoofing Threat,” GPS World, January 2009

119

Securing Localization

• Authenticate navigation messages (NAV)– Public key crypto: one private-public key pair per

satellite

– Symmetric key authentication; single system key

• Need tamper-resistant storage at receivers

• Public key authentication delays can be significant

• Low NAV transmission rate;

~ 40 sec for a signature

• Caution: Need to maintain

the relative NAV arrival

timings

120

Securing Localization (cont‟d)

• Public key authentication / “Hidden markers”

- Si transmit unpredictable sequences below noise; they release an authenticated spreading code with a delay ρ

- V record the entire bandwidth and “detect” the hidden marker a posteriori, to calculate the NAV arrival times (thus the pseudo-ranges)

M. Kuhn, An Asymmetric Security Mechanism for Navigation Signals, 6th Information Hiding Workshop, 2004

121


• Replay attacks can be effective even against future systems with authentication (e.g., Galileo)

P. P. and A. Jovanovic, “Protection and Fundamental Vulnerability of Global Navigation Satellite Systems (GNSS),” IEEE IWSSC 2008

122


• One ms of replay translates into ~300m of position error

1. Jam Receiver looses its

“lock” on the satellites

2. Replay Receiver locks

on the spoofed signal

123


0 50 100 150 200 250 3000

50

100

150

200

250

300

350

Attack duration [s]

Tim

e o

ffse

t

[ms]

(b)

0 50 100 150 200 250 3000

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

Attack duration [s]

Dis

tan

ce

off

se

t [m

]

(a)

• Record NAV messages after the detection of the preamble at least the first bit

– Minimum replay delay tmin =20ms

– Replay after any tmin + treplay

124


• Assumption: the adversary covers part of the system: Receivers can operate in an unaffected area

before entering an area under attack

• Objective: Receivers detect the attack onset

– No additional complex equipment

– No system reconfiguration

– Resilience to sophisticated adversaries

• Approach: Rely on own (receiver) measurements

– Predict future values from available ones that are deemed correct

– Discrepancy between measurements and predicted values Attack

125


1. Normal mode:

Collect [Vk, Vk-1, Vk-2, …, Vk-W ]

Predict [PVk+p, …, PVk+2 , PVk+1 ]

= f (Vk, Vk-1, Vk-2, …, Vk-W)

2. Alert mode:

Collect [Vk+p, …,Vk+2 , Vk+1 ] and

Compare with [PVk+p, …, PVk+2 , PVk+1 ]

Normal modeAlert mode

3. Attack mode:If |g([Vk+j]) – h([PVk+i])| > ε, detect attack

126


• Inertial sensors

– Location Inertial Test

• Accurate and stable clocks

– Clock Offset Test

• Doppler shift

– Doppler Shift Test

P. P. and A. Jovanovic, “GNSS positioning: Attacks and Countermeasures,” IEEE MILCOM 2008

127


• Setup

– Observation and navigation data; RINEX format

– GPS functionality implemented in Matlab

– Receiver movement over 300s

– Adversary

• Static

• Mobile with velocities less than 250 km/h

• Without or with control over the transmission frequency

• Multiple radios

128


• Location Inertial Test

• Fast increasing inaccuracy of the inertial measurement unit

– To succeed with replay attack: Jam for < 1 min

0 10 20 30 40 50 60 70 80 90 1000

50

100

150

200

250

300

GNSS unavailability period [s]

Inert

ial n

avig

atio

n e

rro

r [m

]

3.456 3.458 3.46 3.462 3.464 3.466 3.468

x 106

5.29

5.3

5.31

5.32

5.33

5.34

5.35

5.36

5.37

5.38x 10

5

X coordinate [m]

Y c

oord

ina

te [

m]

Attacker-induced trajectory

Actual trajectory

129


• Clock Offset Test

• Commodity receivers: clocks drift fast (see left figure)

– To succeed with replay attack: Jam for 2 min, to make tV ~20-30 ms acceptable

• Improve clock; e.g., micro-second accuracy for 6 min

– To succeed with replay attack: Jam for hours

0 5 10 15 20 25 30-9

-8.5

-8

-7.5

-7

-6.5

-6x 10

-3

Time [30s step]

Tim

e o

ffse

t [

s]

0 50 100 150 200 250 3000

50

100

150

200

250

300

350

Attack duration [s]

Tim

e o

ffse

t

[ms]

(b)

130


• Doppler Shift Test

• Doppler Shift (DS) at the receiver depends primarily on the relative velocity of transmitter and receiver

– Satellite velocity, ~ 3km/s, dominant; Smooth DS changes

– Easy to detect a simple attacker

– Sophisticated attackers need to predict the mobility of the receiver, thus predict the DS, and adjust their transmission frequency accordingly

50 100 150 200 250 300

2300

2350

2400

2450

2500

2550

2600

2650

2700

2750

Time [s]

Fre

qu

en

cy o

ffse

t [H

z]

Doppler shift variation SV-04 time period t=300s

Doppler shift [Hz ] vs. time [s] measured

Linear approximation

Pred bnds (Linear approximation)

131


– Simple attacker: striking difference between measured and expected DS

0 50 100 150 200 250 300-1000

0

1000

2000

3000

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-1

0 50 100 150 200 250 300-10000

-5000

0

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-4

0 50 100 150 200 250 300

0

2000

4000

6000

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-7

0 50 100 150 200 250 300

0

1000

2000

3000

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-13

0 50 100 150 200 250 300

-4000

-2000

0

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-20

0 50 100 150 200 250 300-1000

0

1000

2000

3000

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-24

0 50 100 150 200 250 300

-4000

-2000

0

Time [s]Fre

qu

ency o

ffset

[Hz]

SV-25


132


– Sophisticated attacker: some uncertainty about the receiver‟s mobility; detectable DS differences ~ 300 Hz


0 50 100 150 200 250 3000

2000

4000

Time [s]

Fre

que

ncy o

ffset [H

z] SV-1

0 50 100 150 200 250 300-10000

-5000

0

Time [s]

Fre

que

ncy o

ffse

t [H

z]

SV-21

0 50 100 150 200 250 3000

5000

10000

Time [s]

Fre

que

ncy o

ffset [H

z] SV-7

0 50 100 150 200 250 3000

2000

4000

Time [s]

Fre

que

ncy o

ffse

t [H

z] SV-25

0 50 100 150 200 250 300-4000

-2000

0

Time [s]

Fre

que

ncy o

ffset [H

z] SV-9

0 50 100 150 200 250 3000

1000

2000

3000

Time [s]

Fre

que

ncy o

ffse

t [H

z] SV-29

0 50 100 150 200 250 300-4000

-2000

0

Time [s]

Fre

que

ncy o

ffset [H

z] SV-13

133

Summary

• Vulnerability of GNSS: Long known issue, could become a major problem

• Upcoming systems are to enhance availability (against unintentional interference) and offer security features

• Attacks at the physical layer (e.g., replay attacks) are possible even when cryptographic protection is available

• Simple non-cryptographic solutions can raise the bar even for sophisticated adversaries

134

Additional Readings

• Secure localization

R. Poovendran, C. Wang, S. Roy (Editors), “Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks,” Series: Advances in Information Security , Vol. 30, Springer, 2007

• Security for GPS-based Localization

J.A. Volpe, “Vulnerability Assessment of the Transportation Infrastructure Relying on GPS,” NTSC, NAVCEN draft report, 2001

T.K. Adams, “GPS Vulnerabilities,” Military Review, 2001

L. Scott, “Anti-Spoofing and Authenticated Signal Architectures for Civil Navigation Signals,” ION-GNNS 2003

135

Complex Wireless Systems:

Secure Vehicular Communications



136

Secure and Privacy-Enhancing

V2V and V2I Single- and Multi-

hop Wireless Communication

RSUA RSUB

CABCAA

Secure Wire-line

Communication

Secure Vehicular Communications

137

Secure VC (cont‟d)

Warning:Accident at (x,y,z)

!!

Payload

Location: (xV,yV,zV)

CertCA(V,KV,AV,T)

Signature with kV

Vehicle V

Time: tV

Vehicle U

Warning:Accident at (x,y,z)

138

Secure VC (cont‟d)

Source (S) Destination (D)Forwarder 1 (F1)

Forwarder 2 (F2)

• Position-based routing

– Relaying nodes (forwarders) also send packets to the geographically closest node to the destination (location)

– Security: prevent manipulation of PBR-specific mechanisms

A. Festag, P. Papadimitratos, and T. Tielert, “Design and Performance of Secure GeoCast for Vehicular Communication,” LCA-REPORT-2009-007

139

Pseudonymous Authentication (cont‟d)

PNYM_K1

Time

Msg. 1 Sig_k1 Cert_1

PNYM_K1Msg. 3 Sig_k1 Cert_1


140

Pseudonymous Authentication (cont‟d)

PNYM_K1

Time

Msg. 1 Sig_k1 Cert_1






141

Secure VC: system overview

142

Are Secure VC Systems Practical?

• Can security protocols run, along with the VC protocol stack, on the embedded computing units?

• Are security architectures easy to manage?

• Can a secured vehicular communication system be as effective as one without security?

143

• Lesson 1: More on-board processing power

• Lesson 2: Careful use of strong security

– Communication optimizations

– Adaptation to operational requirements

• Lesson 3: Impact of security on VC-enabled applications

• Lesson 4: Security is perceived as a constraint

Are secure VC systems practical? (cont‟d)

P. P., "On the road - Reflections on the Security of Vehicular Communication Systems," IEEE ICVES, 2008

144

Communication Overhead

Communication reliability (P) as a function of the neighborhood size (N); γ: beaconing rate

145

Processing Power

2-class M/D/1 queue

Message verification delay, for short packets; α= 10, β= 0, τ= 60; HP scheme; λ for the same setup and for γ=10 beacons/sec

146

SVC and Transportation Safety

• Emergency braking

• Platoon on 100 cars on one lane– Average spacing: 20 m

– Average speed: 80 Km/h

– Wet road• Braking capability: 4 m/s2

– Driver reaction 0.75 – 1.5 s

– Pseudonym lifetime 60 s

– Emergency event at the head after 60 s

– No lane change

P. P., G. Calandriello, A. Lioy, and J.-P. Hubaux, “Impact of Vehicular Communication Security on Transportation Safety," IEEE INFOCOM MOVE 2008

G. Calandriello, P. P., J-P. Hubaux, and A. Lioy, "On the Performance of Secure Vehicular Communication Systems," LCA-REPORT-2009-006, May 2009

147

SVC and transportation safety (cont‟d)

• Hybrid scheme, 8 lane highway, 160 vehicles in range

• Crash average is 80-100% without V2V-communication

148

SVC and transportation safety (cont‟d)

Penetration rate and VC system effectiveness

149

Summary

• Addressed problems

– Identity and key management, Secure communication, Privacy enhancing technologies

• System resource and cost constraints

• Stringent operational (application) requirements beyond information technology terms

• Careful security design and overall system performance evaluation

P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, “Secure Vehicular Communications: Design and Architecture,” IEEE Communications Magazine, November 2008

F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, B. Wiedersheim, E. Schoch, T.-V. Thong, G. Calandriello, A. Held, A. Kung, and J.-P. Hubaux, “Secure Vehicular Communications: Implementation, Performance, and Research Challenges,” IEEE Communications Magazine, November 2008

150

Wireless System Security

Panos Papadimitratos

[email protected]

http://people.epfl.ch/panos.papadimitratos

Summer School on Network and Information Security 2009



http://people.epfl.ch/panos.papadimitratos

securing wireless systems - sigsac

Documents