Summer Research Institute - EPFL - PowerPoint PPT Presentation

Title:

Summer Research Institute - EPFL

Description:

Summer Research Institute - EPFL. Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping. Mario Cagalj, mario.cagalj_at_fesb.hr, University of Split, Croatia

1
Summer Research Institute - EPFL
Jamming-resistant Key Establishment using
Uncoordinated Frequency Hopping
  • Mario Cagalj
  • mario.cagalj_at_fesb.hr
  • University of Split, Croatia
  • 25/6/2009

2
Summer Research Institute - EPFL
Uncoordinated Frequency Hopping Channel
Availability Out of Thin Air
  • Mario Cagalj
  • mario.cagalj_at_fesb.hr
  • University of Split, Croatia
  • 25/6/2009

3
Motivation: radio channel availability
  • Radio jamming is an ever-present threat to radio
    channels
  • This is an attack on the availability of signals
  • Denial-of-Service (DoS) attack
  • Traditional anti-jamming techniques rely on
    pre-shared secret codes (keys) to increase
    channel availability

[Figure: S (original signal), J (jamming signal)]
4
Motivation: anti-jamming communication
  • Spread-Spectrum Techniques
    • FHSS (Frequency Hopping Spread Spectrum)
    • DSSS (Direct-Sequence Spread Spectrum)

FHSS: the hopping sequence (PRNG seed) must be known to the
sender and receiver but not the jammer.
DSSS: the spreading code (PRNG seed) must be known to the
sender and receiver but not the jammer.
[Figures: energy vs. frequency for each technique, with a PRNG at the sender and at the receiver]
5
Motivation: a new view of an old problem
  • Anti-jamming/secret-establishment dependency
    graph
  • How to establish the required secret code over
    the same channel when no secret is available in
    advance?
  • Authenticated public key-based protocols (e.g.,
    Diffie-Hellman key establishment) are also affected

[Figure: dependency cycle between "Anti-jamming communication (FHSS or DSSS)", "Shared secret code (key) (e.g., spreading code)" and "Secret spreading code (key) establishment in the presence of a jammer"]
6
Motivation: breaking the circular dependency
  • Breaking the anti-jamming circular dependency graph
  • Uncoordinated Frequency Hopping (UFH)

[Figure: dependency cycle between "Anti-jamming communication based on UFH", "Shared secret code (key) (e.g., spreading code)" and "Secret spreading code (key) establishment in the presence of a jammer"]
7
General information
  • This talk is based on joint work with
    Strasser, Pöpper and Capkun of ETHZ
    • Jamming-resistant Key Establishment using
      Uncoordinated Frequency Hopping, IEEE Symposium
      on Security and Privacy, Oakland 08
  • The idea of uncoordinated hopping is rooted in
    • Wormhole-Based Antijamming Techniques in Sensor
      Networks, Cagalj, Capkun and Hubaux, IEEE TMC
      07
  • Some extensions
    • Efficient Uncoordinated FHSS Anti-jamming
      Communication, Strasser et al., MobiHoc 09
    • A Coding-Theoretic Approach for Efficient
      Message Verification Over Insecure Channels,
      Slater et al., WiSec 09
    • Jamming-resistant Broadcast Communication
      Without Shared Keys, Pöpper et al., USENIX
      Security 09 (uncoordinated DSSS)
  • We will mainly focus on the original Oakland paper

8
Agenda
  • First part
    • Overview of UFH
    • UFH Message Transfer Protocol
    • Application to jamming-resistant key
      establishment
  • Second part
    • Detailed performance analysis
  • Conclusion

9
Uncoordinated Frequency Hopping (UFH)
  • Key idea: abolish the need for a pre-shared secret
    by using UFH
  • The sender hops randomly in a set of $c$ channels
    (frequencies)
  • The receiver hops randomly with a longer dwell
    time per slot
  • Once in a while the receiver listens on a channel
    where the sender is broadcasting and a packet
    gets through
  • Equivalent to FH in jamming protection (but not
    in throughput)

[Figure: channel numbers visited over time t by the sender S (short slots) and the receiver R (longer slots)]
10
UFH solution overview
  • We want to establish a shared key (secret) using
    UFH
  • E.g., use the authenticated elliptic curve (ECC)
    Diffie-Hellman protocol
  • For effective protection against jamming (for FH
    or UFH), the time slots of the sender must be
    short (100 bits)
  • Problem: typical messages do not fit into such
    slots!

[Figure: the application protocol (e.g., auth. DH) produces the message $M := m_S, sig(m_S)$, which is passed to Uncoordinated Frequency Hopping (UFH) between sender S and receiver R]
11
UFH message fragmentation (sender)
  • Message fragmentation in the absence of an
    attacker

[Figure: the application protocol (e.g., auth. DH) produces $M := m_S, sig(m_S)$; fragmentation splits $M$ into $M_1, M_2, M_3, \ldots, M_l$, which are sent over Uncoordinated Frequency Hopping (UFH) from S to R]
12
Attacker model
  • The attacker's strategy space is defined by the
    following actions
    • Jam existing messages by transmitting signals
      that cause the original signal to become
      unreadable by the receiver.
    • Insert own messages that she generated by using
      known (cryptographic) functions and keys as well
      as by reusing (parts of) previously overheard
      messages.
    • Modify existing messages by, e.g., flipping single
      message bits or by entirely overshadowing (i.e.,
      replacing) original messages.

[Figures: each action illustrated on channels f1, f2, f3]
13
Attacker model (contd.)
  • Attacker types: static, random, sweep,
    responsive
  • Required signal strengths for different attacking
    strategies
  • Signal successfully received if $P_t < P_a$ and
    $P(\text{J's signal}) < P_j$
  • $P_T$: total signal strength that the attacker can
    achieve at the receiver
  • Given the number of frequency channels on which
    the attacker inserts ($c_t$), jams ($c_j$), and
    overshadows ($c_o$), we have
  • Attacker's strength: $c_s/t_s$, $c_j/t_j$, $P_T$ ($s$ stands
    for sensing)

14
UFH message fragmentation (sender)
  • Assume the following fragmentation with an active
    attacker

[Figure: the application protocol (e.g., auth. DH) produces $M := m_S, sig(m_S)$; fragmentation splits $M$ into $M_1, M_2, M_3, \ldots, M_l$, which are sent over Uncoordinated Frequency Hopping (UFH) from S to R]
15
Naive fragmentation is harmful
[Figure: timelines over t of the sender (packet numbers 1, 2, 3, …, l, repeated), the attacker (different packets carrying the same packet numbers) and the receiver. The receiver sorts the unique packets (fragments) by packet number.]
16
Naive fragmentation leads to a simple DoS
  • Assume $N$ adversarial packets successfully arrive
    at the receiver
  • Message $M$ is divided into $l$ fragments
  • Application-level signature verification of each
    candidate message leads to an exponential
    workload at the receiver

[Figure: received packets sorted by fragment number]
17
Solution to the message fragmentation
  • Cryptographically link individual packets
  • By the system model we cannot rely on a shared
    key => integrity
  • Possible approach: hash linking
  • End result: $(N/l + 1) \cdot l$ hash verifications + $(N/l + 1)$
    signature verifications

$m_i := id \,\|\, i \,\|\, M_i \,\|\, h_{i+1}$, with $h_l = h(M_1)$ and $h_i = h(m_{i+1})$
[Figure label: $N/l + 1$]
18
UFH message transfer protocol: sender
  • Message signing and fragmentation
  • Hash linking
  • Packet coding/interleaving
  • Repeated transmission using UFH

$m_i := id \,\|\, i \,\|\, M_i \,\|\, h_{i+1}$, with $h_l = h(M_1)$ and $h_i = h(m_{i+1})$
19
UFH message transfer protocol: receiver
  • Receiving packets
  • Bit deinterleaving/packet decoding
  • Ordering and linking packets
  • Message reassembly and signature verification

[Figure: packets $m_1, \ldots, m_4$ received on channels f1, f2, f3 are ordered and linked into $M_1, M_2, M_3, \ldots, M_l$, giving $M := m_S, sig(m_S)$]
20
UFH security overview
  • UFH is resistant to packet jamming
    • Frequency hopping and packet repetitions in the
      sending process
  • Modified packets are identified
    • Using cryptographic (e.g., hash) linking
  • Only linear workload on the receiver's side
  • Reassembled messages that fail the signature
    verification or have an expired timestamp are
    discarded

[Figure: sender S repeatedly transmits packets $m_1, \ldots, m_4$ on channels f1, f2, f3 towards receiver R in the presence of jammer J]
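The sender and receiver steps described on the slides above, as an added Python example (not code from the talk or the paper). It assumes each packet carries the hash of its successor and the last packet carries h(M_1); the truncated SHA-256, the one-byte id and index fields and the sample messages are constructed for illustration, and signature verification is left out.

```python
import hashlib
from math import prod

H_LEN = 14  # 112-bit link field, the hash size in the slides' example

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:H_LEN]  # truncated SHA-256: an assumption

def make_packets(msg_id: int, message: bytes, frag_len: int) -> list[bytes]:
    """Sender: split M into M_1..M_l and hash-link the packets back to front."""
    frags = [message[k:k + frag_len] for k in range(0, len(message), frag_len)]
    packets, link = [], h(frags[0])             # last packet m_l carries h(M_1)
    for i in range(len(frags), 0, -1):
        pkt = bytes([msg_id, i]) + frags[i - 1] + link   # id | i | M_i | link
        packets.append(pkt)
        link = h(pkt)                           # m_(i-1) will carry h(m_i)
    return packets[::-1]

def reassemble(received: list[bytes], l: int) -> tuple[list[bytes], int, int]:
    """Receiver: (messages left for signature check, hashes computed, naive combos)."""
    unique = set(received)                      # repeated transmissions collapse
    by_hash = {(p[1], h(p)): p for p in unique} # one hash per stored packet
    hashes = len(unique)
    naive = prod(sum(p[1] == i for p in unique) for i in range(1, l + 1))
    candidates = []
    for first in (p for p in unique if p[1] == 1):
        chain = [first]
        while len(chain) < l:                   # follow the link to packet i+1
            nxt = by_hash.get((len(chain) + 1, chain[-1][-H_LEN:]))
            if nxt is None:
                break
            chain.append(nxt)
        if len(chain) == l:
            hashes += 1                         # close the ring on h(M_1)
            if chain[-1][-H_LEN:] == h(first[2:-H_LEN]):
                candidates.append(b"".join(p[2:-H_LEN] for p in chain))
    return candidates, hashes, naive

# Constructed sample data: one legitimate message and three kinds of attacker packets.
LEGIT = b"mS || sig(mS): constructed sample".ljust(40, b".")
FORGED = b"attacker-chosen message".ljust(40, b".")

def demo() -> tuple[list[bytes], int, int]:
    legit = make_packets(7, LEGIT, 8)
    forged_chain = make_packets(7, FORGED, 8)   # inserted, self-consistent chain
    spliced = bytes([7, 1]) + b"EVIL...." + legit[0][-H_LEN:]  # fake m_1 -> real m_2
    flipped = legit[2][:3] + b"\xff" + legit[2][4:]            # modified m_3
    return reassemble(legit * 2 + forged_chain + [spliced, flipped], len(legit))

if __name__ == "__main__":
    msgs, hashes, naive = demo()
    print(f"{len(msgs)} candidates after {hashes} hashes; naive search space {naive}")
```

The spliced first packet and the bit-flipped packet are dropped by the hash links alone, while the attacker's complete chain survives and is only rejected by the signature check, which is why the receiver still performs one signature verification per inserted chain.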
21
Application of UFH to key establishment
[Figure: the key establishment protocol (application protocol), run over anti-jamming communication based on UFH, establishes the shared secret key (spreading code), which is required for anti-jamming communication (e.g., FHSS or DSSS)]
22
Example: ECC-based Diffie-Hellman
  • Elliptic Curve Crypto. Station-to-Station DH
    protocol
  • $P$ is the generator of a cyclic group $G$ with prime
    order $p$
  • $r_X$ is a random element selected by $X$ from $Z_p$
  • $T_X$ and $Sig_X(.)$ are a timestamp (for anti-replay
    protection) and the signature (to verify the
    sender and the reassembly) issued by $X$

[Figure labels: UFH (without a shared key); (Coordinated) Frequency Hopping (with shared key $K$)]
23
2nd part: UFH performance analysis
  • Basic scenario: communication without an attacker
  • Different types and strategies of an attacker
  • Performance relative to coordinated frequency
    hopping

24
Communication without an attacker (A0)
  • Some assumptions
    • Hopping frequency of the receiver ≪ that of the sender
      (we can neglect losses due to the lack of
      synchronization)
    • Unintentional interference is neglected (e.g.,
      the number of neighbors ≪ the number of channels
      ($c$))
  • $c_n$ and $c_m$ are the numbers of channels on which the
    sender (the receiver) simultaneously sends
    (receives)
  • Probability that a particular fragment is
    successfully received (one transmission)

[Figure: $c_n$ channels, $c_m$ channels, $c$ channels]
25
Communication without an attacker (A0)
  • The message is complete after all $l$ fragments
    have been successfully received
  • Let $Y$ be the number of times that the sender has
    to retransmit in order to transfer the message
  • Probability that a transfer is incomplete after $i$
    (re)transmissions

[Figure: receiver timeline over t showing fragments 1, 2, 3, …, l collected across transmissions i-2, i-1, i, i+1]
26
Communication without an attacker (A0)
  • The expected number of packets (fragments) that
    have to be transmitted in order to successfully
    transfer the message

27
Performances without an attacker (A0)
28
Jamming performance of the attacker
  • Required signal strengths for different attacking
    strategies
  • Signal successfully received if $P_t < P_a$ and
    $P(\text{J's signal}) < P_j$
  • $P_T$: total signal strength that the attacker can
    achieve at the receiver
  • Given the number of frequency channels on which
    the attacker inserts ($c_t$), jams ($c_j$), and
    overshadows ($c_o$), we have

29
Jamming performance of the attacker (contd.)
  • Each packet (fragment) $m$ is error encoded
  • $\rho \in (0,1]$ is the jamming resistance of a given
    packet
  • $r_c \in (0,1]$ is the code rate
  • Data of length $|m|$ is encoded into $|m|/r_c$ bits, and
    more than $\rho |m|/r_c$ bits have to be erroneous for
    successful jamming
  • For bitrate $R$, the packet transmission time is
    $t_p = |m|/(R \, r_c)$

[Figure: timeline of an encoded packet $m$ of duration $t_p$; the attacker senses, then jams; marked durations $t_p$ and $\rho t_p$]
30
Jamming performance of the attacker (contd.)
  • Attacker's strength: number of channels $c_b$ effectively
    blocked
  • Probability that an ongoing packet is
    successfully jammed: $p_j = c_b/c$
  • Number of channels ($n_j$) that the attacker can jam during
    the transmission: $n_j = t_p/(\rho t_p + t_j)$, where $t_j$ is
    the time to switch jamming channels
  • Number of channels ($n_s$) that the attacker can scan during
    the transmission: $n_s = (t_p - \rho t_p - t_j)/t_s$, where $t_s$ is
    the time to switch scanning channels
  • Number of channels ($c_s$) on which the attacker can sense
    simultaneously

[Figure, for responsive-sweep jammers: timeline of an encoded packet $m$ of duration $t_p$; the attacker senses (steps of $t_s$), then jams (switching time $t_j$); marked durations $t_p$ and $\rho t_p$]
31
Jamming probab. for different attacker types
32
Attacking strategies
  • The attacker's strategy space is defined by the
    following actions
    • Jam existing messages by transmitting signals
      that cause the original signal to become
      unreadable by the receiver.
    • Insert own messages that she generated by using
      known (cryptographic) functions and keys as well
      as by reusing (parts of) previously overheard
      messages.
    • Modify existing messages by, e.g., flipping single
      message bits or by entirely overshadowing (i.e.,
      replacing) original messages.

[Figures: each action illustrated on channels f1, f2, f3]
33
Communication in the presence of an attacker
  • Probability that a particular fragment is
    successfully received (one transmission)
    • No attacker case (A0)
    • Jamming (AJ)
    • Message insertion (AI)
    • Message modification (overshadowing) (AM)

34
Optimal attacking strategy
  • Theorem: For all attacker types (static, random,
    sweep, responsive), the optimal attacker's
    strategy, which minimizes the throughput of the
    UFH message transfer, is jamming (AJ).

35
UFH performances with an attacker (AJ)
36
UFH performances with an attacker (AJ)
37
UFH performances with an attacker (AJ)
38
UFH resource requirements
  • Storage at the receiver
    • If there is no more space for new packets, delete
      the oldest ones
    • $N_J$ is the expected maximal time period between
      the first and the last packet (fragment) of a
      given message
    • During this period, the attacker can insert
      additional less than packets
  • Example
    • Fragment length $|m_i| = 40$ bytes, $l = 10$ fragments,
      $c = 200$ channels, $c_m = c_n = 1$, $c_t = 50$ (channels for
      insertion) and $p_j = 0.8$
    • Results in $N_J = 30\,000$ packets transmitted by the
      sender
    • Finally, this results in about 7 500 packets at
      the receiver, that is, a required storage
      capacity of about 290 kbytes
    • This also results in about 160 signature
      verifications at the receiver

39
Comparison of UFH and coordinated hopping
  • Relative throughput for the UFH-enabled ECC-based
    Station-to-Station Diffie-Hellman protocol and a
    Bluetooth-like FH scheme
  • $|Sig(.)| = |PK| = 512$ bits, $|h(.)| = 112$ bits, timestamps
    and identities 64 bits
  • In total $|M| = 2176$ bits $= 272$ bytes
  • Packet $m_i$ consists of message id (34 bits), frame
    id (6 bits), the payload $M_i$ (168 bits), and the
    hash value $h_{i+1}$ (112 bits)
  • Reed-Solomon error-correcting code (8 bits into
    15 bits) with a jamming ratio of 20% ($\rho = 0.2$)
  • Encoded packet: $320 \cdot 15/8 = 600$ bits
  • Data rate 1 Mbit/s, 1600 hop/s:
    slot $= 1\,\text{Mbit/s} \cdot (1/1600) = 625$ bits
  • The number of channels $c = 200$
  • $l = \lceil 2176/168 \rceil = 13$ for UFH and $l = \lceil 2176/(168 + 112) \rceil = 8$ for
    FH
  • 100 000 simulated key establishments

$|m_i| = |id| + |i| + |M_i| + |h_{i+1}| = 320$ bits
40
Duration of key establishment using UFH
[Figure parameters: 1 Mbit/s, 1600 hops/s, $c = 200$; 256-bit prime
field for EC; $|M| = 2176$ bits, $l = 13$]
41
Comparison of UFH and coordinated hopping
42
Concluding words
  • We introduced the key-establishment anti-jamming
    circular dependency
  • Proposed the first (and efficient) anti-jamming
    communication scheme that does not rely on shared
    secrets (Uncoordinated Frequency Hopping)
    • UFH has the same jamming resistance as standard
      FH
  • Presented an elaborate attacker model and derived
    optimal attacking strategies (responsive-sweep
    jamming)
  • Security implications
    • Authentication implies availability (privacy not
      required)

Thank you for your attention!
43
Some interesting directions
  • Optimal number of channels c for cmcn1
  • Other fragment-linking methods
    • Short signatures
    • One-way accumulators
    • Merkle trees
  • Application of packet-level erasure codes
    (optimal)
  • Applications to DSSS
  • Applications to anti-jamming broadcast
    communication (e.g., navigation signals)