an unlinkable communication protocol for wlan
DESCRIPTION
An Unlinkable Communication Protocol for WLAN. 2 nd Intermediate Master Thesis Presentation Björn Muntwyler 18 th March 2010 - 17 th September 2010 Advisors : Dr. Vincent Lenders & Dr. Franck Legendre Supervisor : Prof. Dr. Bernhard Plattner. Motivation. Hardened WLAN Systems: - PowerPoint PPT PresentationTRANSCRIPT
An Unlinkable Communication Protocol for WLAN2nd Intermediate Master Thesis Presentation
Björn Muntwyler
18th March 2010 - 17th September 2010
Advisors: Dr. Vincent Lenders & Dr. Franck Legendre
Supervisor: Prof. Dr. Bernhard Plattner
Motivation
Hardened WLAN Systems: Specialized High security level High privacy level High cost proprietary Hard to get (e.g. military
Systems)
Hardened SystemsHardened Systems Standard SystemsStandard Systems
Standard WLAN Systems: Standardized Low security level Low privacy level Low cost high interoperability
Ideas, Mechanisms, etc...Ideas, Mechanisms, etc...
Goal: How can we increase the „privacy“ of a given wireless communication protocol Hardening given protocols to increase „privacy“
e.g. Wifi (/+WPA), ZigBee, Bluetoothe.g. military proprietary solutions
3Departement/Institut/GruppeSonntag, 17. Oktober 2010
Who Where What
„Privacy“ is a very broad topic – there are leaks everywhere! Most effort is done above the pysical layer
Identifier-free link-layer protocol, Disposable Interface Identifiers (Data Link Layer)
IPsec (Internet/Network Layer) Transport Layer Security (Application Layer)
Attack Classification of a passive adversary
Attack: [5][6] [3][11] [3][5][6] [3][6] [16][17] [6][16][17] [29]
[3][4][10][12?][24] [1][25] [15][28][30] [28][30] [~27] [~27]
Graphical Classification:
[13][26][29]
Attack + Solution:
[1][2][7][19?][20][21][22][24][31][32]
[1][7][12?][19?][22][24][31][32]
[1][15][28][32]
[20][21][22][31][32]
[1][25][~27]
[1][2][7][20][21][22][31][32]
Passive Attacker on Privacy
Identifiers
RSSI
Packet timing Traffic shape
Identifiers Location
ToA AoARandom
-nessPacket
sizeInter-arrival
TimingSending
TimeNetwork
LayerLinkLayer
PhysicalLayer
Service disc,,Control Msgs.
TraceLinkability
Application(Traffic Analysis)
Related Work
References [*]: in appendix
4Departement/Institut/GruppeSonntag, 17. Oktober 2010
Problem Formulation
Avoid a passive attacker to know:
Who's communicating with whom?What is the content of their communication?When is someone communicating?Where - Location Privacy
Goal: How can we increase the „privacy“ of a given wireless communication protocol
Hardening given protocols to increase „privacy“Condition: Based on open standards using Software Defined Radios (SDR)
5Departement/Institut/GruppeSonntag, 17. Oktober 2010
The New Approach - PSCHP Securing the wireless communication at the pysical layer
Using the SDR for IEEE 802.15.4 (ZigBee PHY) Direct-Sequence Spread-Spectrum (DSSS)
Two Pairwise Spreading-Sequences: One code for each communication-partner and -direction
Periodic Pairwise Code-Hopping: periodically change the chip-sequence used between two nodes to avoid
the codes being compromised
Idea: Use secret codes and change them dynamically – make solution customizable through „Privacy-Parameters“
Expected Gain: Hide signal below noise level of attacker to remain undetectable Defend against cryptographic attacks on spreading sequences by
dynamicly changing those Defend against many „Privacy-Dimensions“
A
C
BK1
K2
K3
K4
6Departement/Institut/GruppeSonntag, 17. Oktober 2010
Overview Pairwise-Synchronized
Code-Hopping Protocol (PSCH-P) Periodic constraint check
Sent bytes Time since last key change
Two nodes change the chip-sequence simultaneously using the PSCH-Protocol 3-way handshake with
Diffie-Hellman key agreement
Generate new codes from this shared secret
A global chip-sequence Kglobal for administratives
Initia
lizatio
nJo
inin
g th
e N
etw
ork
PS
CH
-P
PSCH-P
→ shared secret S(passphrase, UDSSS, etc.)
7Departement/Institut/GruppeSonntag, 17. Oktober 2010
What happend since our last Intermediate Presentation!? Finished Implementation of ZigBee-PSCHP-Solution Evaluation of ZigBee-PSCH-Protocol
How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?What are the Key Exchange Times and Setup Times?What is the Attack Surface of PSCHP? How fast can an attacker break the secret codes?How much better can we get by invreasing the Spreading factor?
… work in progress ...
8Departement/Institut/GruppeSonntag, 17. Oktober 2010
How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?
Only slight increase in Packet Loss At lower SNR – moderate PLR,
changing Codes more frequently
can overcome de-synchronization
of PSCHP due to Sync-Pkt-Losses At very low SNR – high PLR, the
PSCH-Protocol fails due to lost
PSCHP-packets (3-way hand
shake)
9Departement/Institut/GruppeSonntag, 17. Oktober 2010
How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?
Only slight increase in Packet Loss At lower SNR – moderate PLR,
changing Codes more frequently
can overcome de-synchronization
of PSCHP due to Sync-Pkt-Losses At very low SNR – high PLR, the
PSCH-Protocol fails due to lost
PSCHP-packets (3-way hand
shake)
Conclusion:
Packet Loss Rate increases < 5 %
10Departement/Institut/GruppeSonntag, 17. Oktober 2010
How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?
Overhead w.r.t. Code-change
frequency (PSCHP Byte-
Constraint Values) compared to
Original Code
Min. Key-Change Time:
0.071 sec
Min. Setup-Time:
0.110 sec
( + TimerA2)
11Departement/Institut/GruppeSonntag, 17. Oktober 2010
How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?
Overhead w.r.t. Code-change
frequency (PSCHP Byte-
Constraint Values) compared to
Original Code
Min. Key-Change Time:
0.071 sec
Min. Setup-Time:
0.110 sec
Conclusion:
To get an overhead of less then 10% we need Byte Constraints > 1e3 Bytes
12Departement/Institut/GruppeSonntag, 17. Oktober 2010
What is the Attack Surface of PSCHP?AND How fast can an attacker break the secret codes?
Attacker capabilities and prevention methods are discussed here: Attackability of PSCHP-Solutions
Attacking M-ary Spreading-Sequences
(Paper: Cluster-based Blind Estimation
of M-ary DSSS
Signals, Wang
et. al.)
Finding weak points of PSCHP
… work in progress ...Nodes are NOTdistinguishable
Nodes aredistinguishable
Energy on Channel(assumed Detectability)
Inter-arrival TimesPacket Shape/Size
Protocol SpecificAttacks
Attack Surface
Packet Shape Packet TimingWith Angle
(multiple Antennas)Without Angle
Replay and DoSAttacks
Global Code K g lo b a l Pairwise-Codes
Attacks onSpreading-Sequences
Plain TextEncryptedPayload
Full PacketEncryption
ChangedPreamble & SFD
Plain TextEncryptedPayload
Full PacketEncryption
ChangedPreamble & SFD
Plain TextEncryptedPayload
Full PacketEncryption
ChangedPreamble & SFD
13Departement/Institut/GruppeSonntag, 17. Oktober 2010
3
How fast can an attacker break the secret codes? (IDEA)
Check region of communication
Check overhead Get area of „Privacy“
Parameters to change spreading sequenes before the attacker has collected enough data to break the codes
… work in progress ...
Pa
cke
t Lo
ss R
ate
[%
]
Signal-to-Noise Ratio (SNR) [db]
Signal-to-Noise Ratio (SNR) [db]
Distance [m]
14Departement/Institut/GruppeSonntag, 17. Oktober 2010
How much better can we get by invreasing the Spreading factor?
… work in progress ...
15Departement/Institut/GruppeSonntag, 17. Oktober 2010
Contents of Report (DRAFT) Abstract Contents & List of Figures / Tables
1. Introduction Intro into topic Define the term Privacy Overview of the Thesis
2. Related Work Privacy related Security Problems Attack Tree I Why I chose the Physical Layer Related Work on PHY (Frank Hermanns Code Hopping)
3. Background Knowledge IEEE 802.15.4 ZigBee Direct Sequence Spread Spectrum (DSSS)
16Departement/Institut/GruppeSonntag, 17. Oktober 2010
Contents of Report (DRAFT)4. Attacker Model, System Model and Privacy Requirements
5. PSCHP – The New Approach Design
Overview The PSCH-Protocol Customizable Privacy Parameters
Implementation The Original Code PSCHP State Machine Spreading Sequence Generation PSCHP messages (INI-SYNC, INI-ACK, ACK-SYNC, D-BEACON)
17Departement/Institut/GruppeSonntag, 17. Oktober 2010
Contents of Report (DRAFT)6. Evaluation of PSCHP
Not implemented stuff which could improve PSCHP Drawbacks (Overhead, Throughput, Limitations etc.) Attacking PSCHP
Attack Tree II etc.
7. Conclusion & Future Work Bibliography
Report
Paper
(+ Technical Report)
Master Thesis ?
18Departement/Institut/GruppeSonntag, 17. Oktober 2010
Contents of Report (DRAFT)6. Evaluation of PSCHP
Not implemented stuff which could improve PSCHP Drawbacks (Overhead, Throughput, Limitations etc.) Attacking PSCHP
Attack Tree II etc.
7. Conclusion & Future Work Bibliography
Report
Paper
(+ Technical Report)
Master Thesis ?!
19Departement/Institut/GruppeSonntag, 17. Oktober 2010
Plan for the last 6 Weeks
Finish stuff marked as „... work in progress ...“ Analyze influence on packet loss rate and attackability
while increasing the Spreading Factor Ajusting the Sending Power according to distance
between Sender and Receiver (Design) Writing the Report (4 weeks)
Currentweek
20Departement/Institut/GruppeSonntag, 17. Oktober 2010
21Departement/Institut/GruppeSonntag, 17. Oktober 2010
Appendix / Backup Slides
Delete old keysTimers:- TimerA1: A timeout of TimerA1 indicates the loss of the INI-ACK or the INI-SYNC packet and leads
to the retransmission of the INI-SYNC packet.- TimerB1: A timeout of TimerB1 indicates the loss of the ACK-SYNC packet and leads to the
retransmission of the INI-ACK packet.- TimerA2: A timeout of TimerA2 indicates that everything went fine and that the ACK-SYNC packet
was received by the intended node. Otherwise the INI-ACK packet would be received during the life-span of Timer A2 (due to the loss of the ACK-SYNC packet and consequentially the timeout of TimerB1 would initiate its retransmission).
- TimerB2: Thought of to postpone the deletion of the old keys and the restart of the communication-Mode with the new established keys.
Maybe no communication possible during the life-span of TimerB2 (& TimerA2) to avoid the confusion between new and old keys
while:TimerB1 ≥ TimerA1 & TimerA2 ≥ TimerB1
State = 4
State = 3
State = 1
State = 2
Ti m
erB
2
A B
INI-SYNC[g, p, A](KAB,i)
INI-ACK[B](KBA,i)
ACK-SYNC(KAB,i)
1
3
2
4
Tim
erA
1T
i mer
A2
Ti m
erB
1
t
Choose DH Params: ai+1, g, p
A = ga mod p
S i+1 = Ba mod p
Generate KA B ,i+1 and KB A ,i+1
[KA B ,i+1, KB A ,i+1] = hash64 (Si+1)
Choose DH Param: b i+1
B = gb mod p
S i+1 = Ab mod p
Generate KA B ,i+1 and KB A ,i+1
[KA B ,i+1, KB A ,i+1] = hash64
(Si+1)
State = 0old keys
State = 0new keys
22Departement/Institut/GruppeSonntag, 17. Oktober 2010
Appendix / Backup Slides
Attack Classification of a passive adversary
Attack: [5][6] [3][11] [3][5][6] [3][6] [16][17] [6][16][17] [29]
[3][4][10][12?][24] [1][25] [15][28][30] [28][30] [~27] [~27]
Graphical Classification:
[13][26][29]
Attack + Solution:
[1][2][7][19?][20][21][22][24][31][32]
[1][7][12?][19?][22][24][31][32]
[1][15][28][32]
[20][21][22][31][32]
[1][25][~27]
[1][2][7][20][21][22][31][32]
Passive Attacker on Privacy
Identifiers
RSSI
Packet timing Traffic shape
Identifiers Location
ToA AoARandom
-nessPacket
sizeInter-arrival
TimingSending
TimeNetwork
LayerLinkLayer
PhysicalLayer
Service disc,,Control Msgs.
TraceLinkability
Application(Traffic Analysis)
23Departement/Institut/GruppeSonntag, 17. Oktober 2010
Remarks: Title of Paper Author 1 Author 2 Author 3 year Journal/Conference
[1] POSSIBLE H. Wang 2007
[2] 2005 Mobile Networks and Applications 10
[3] Chattering Laptops T. Aura M. Roe 2008 PETS 2008
[4] Z. Yang 2009
[5] Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols J. Pang 2007?
[6] 802.11 User Fingerprinting J. Pang 2007
[7] Improving Wireless Privacy with an Identifier-Free Link Layer Protocol D. McCoy J. Pang 2008
[8] Tryst: the Case for Confidential Service Discovery J. Pang D. McCoy 2007
[9] Extends [7] Mechanisms to Mitigate Wireless Privacy Threats J. Pang 2009
[10] Privacy-Preserving 802.11 Access-Point Discovery T Aura 2009
[11] Attacks on Physical-layer Identification 2010
[12] Z. Yang A. Champion 2009
[13] The Robustness of Localization Algorithms to Signal Strength Attacks: A Comparative Study Y. Chen X. Li 2006 DCOSS 2006
[14] J. Deng R. Han 2006
[15] Temporal Privacy in Wireless Sensor Networks 2007 ICDCS'07
[16] Early Recognition of Encrypted Applications 2007 PAM 2007
[17] Early Application Identification 2006
[18] Multi-hop? The Evolution of Self-Organized Privacy 2008 Thesis from EPFL
[19] Multi-hop! Network coding Based Privacy Preservation against Traffic Analysis in Multi-hop Wireless Networks Y. Fan 2009
[20] Multi-hop? An Efficient Privacy-Preserving Scheme for Wireless Link Layer Security Y. Fan B. Lin 2008 IEEE GLOBECOM 2008
[21] Anonymous Communication in Ubiquitous Computing Environments M. Park J. Son 2009 Wireless Personal Communications
[22] partly Okay Who said that? Privacy at link layer 2007
[23] A Protocol for Anonymous Communication Over the Internet C. Shields B. Levine 2000 CCS'00
[24] Protecting Privacy with Protocol Stack Virtualization 2008 WPES'08
[25] Performing Traffic Analysis on a Wireless Identifier-Free Link Layer K. Bauer D. McCoy 2009
[26] Attack Detection in Wireless Localization Y. Chen R. Martin 2007
[27] Robust Statistical Methods for Securing Wireless Localization in Sensor Networks Z. Li 2005
[28] A New Security Mechanism to Perform Traffic Anonymity with Dummy Traffic Synthesis 2009 CSE
[29] Sensing motion using spectral and spatial analysis of WLAN RSSI 2007
[30] Analytical and Empirical Analysis of Countermeasures to Traffic Analysis Attacks B. Graham 2003 ICPP'03
On Effectiveness of Link Padding for Statistical Traffic Analysis Attacks B. Graham 2003 ICDCS'03
[31] Similar to [2] Location Privacy in Wireless Personal Area Networks 2006
[32] high cost !? A Framework for Location Privacy in Wireless Networks H. Wang 2005 ACM SIGCOMM
Nr.
Preserving Location Privacy in Wireless LANs T. Jiang Y. Hu MobiSys'07
similar to [1] reg. MACadd
Enhancing Location privacy in Wireless LAN Through Disposable Interface Identifiers: A Quantitative Analysis
M. Gruteser D. Grunwald
J. Lindqvist
Null Data Frame: A Double-Edged Sword in IEEE 802.11 WLANs W. Gu D. Xuan IEEE Transactions on parallel and distributed Systems vol.21
[7] builds on this
B. Greenstein R. Gummadi MobiCom'07
B. Greenstein MobiSys'08
[7] builds on this
B. Greenstein
J. Lindqvist G Danezis
B. Danev H. Luecken S. Capkun WiSec'10
??? key establish.
Link-Layer Protection in 802.11i WLANs with Dummy Authentication B. Gu WiSec'09
K. Kleisouris
Decorrelating Wireless Sensor Network Traffic To Inhabit Traffic analysis Attacks S. Mishra Elsevier Pervasive and Mobile Computing Journal
P. Kamat W. Xu W. Trappe
L. Bernaille R. Teixeira
L. Bernaille R. Teixeira K. Salamatian 2006 ACM CoNEXT
J. Freudiger
Y. Jiang H. Zhu partly presented at IEEE Infocom'09
Y. Jiang
S. Seo
F. Armknecht J. Girao A. Matos IEEE Infocom'07
like Crowds, using proxies
might have usefull stuff
J. Lindqvist J. Tapio
B. Greenstein Tapia'09
W. Trappe IEEE Infocom'07
W. Trappe Y. Zhang Proc. Of IPSN
W.Shbair A. Bashandy S. Shaheen
K Muthukrishnan M. Lijding N. Meratnia EuroSSCX. Fu R. Bettati
X. Fu R. Bettati
D. Singelée B. Preneel WiSe'06
Y. Hu
Appendix / Backup Slides