Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping
Summer Research Institute - EPFL
Mario Čagalj, mario.cagalj@fesb.hr
University of Split, Croatia
25/6/2009


Uncoordinated Frequency Hopping: Channel Availability Out of Thin Air


Motivation: radio channel availability

• Radio jamming is an ever-present threat to radio channels
• This is an attack on the availability of signals
– Denial-of-Service (DoS) attack

• Traditional anti-jamming techniques rely on pre-shared secret codes (keys) to increase channel availability

[Figure: transmitter (XMTR), receiver (RCVR) and jammer (JMR); S (original signal), J (jamming signal)]

Motivation: anti-jamming communication

• Spread-Spectrum Techniques
– FHSS (Frequency Hopping Spread Spectrum): the hopping sequence (PRNG seed) must be known to the sender and receiver but not the jammer.
– DSSS (Direct-Sequence Spread Spectrum): the spreading code (PRNG seed) must be known to the sender and receiver but not the jammer.

[Figure: energy versus frequency for FHSS and DSSS, each with a PRNG at the sender and at the receiver]

Motivation: a new view of an old problem

• Anti-jamming/secret-establishment dependency graph

• How to establish the required secret code over the same channel when no secret is available in advance?
– Authenticated public key-based protocols (e.g., Diffie-Hellman key establishment) also affected

[Figure: dependency cycle between "Secret spreading code (key) establishment in the presence of a jammer", "Anti-jamming communication (FHSS or DSSS)" and "Shared secret code (key) (e.g., spreading code)"]

Motivation: breaking circular dependency

• Breaking anti-jamming circular dependency graph
– Uncoordinated Frequency Hopping (UFH)

[Figure: dependency graph ("Dependency cycle") with nodes "Secret spreading code (key) establishment in the presence of a jammer", "Anti-jamming communication based on UFH" and "Shared secret code (key) (e.g., spreading code)"]

General information

• This talk is based on joint work with Strasser, Pöpper and Čapkun of ETHZ
– “Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping”, IEEE Symposium on Security and Privacy, Oakland ‘08
• The idea of uncoordinated hopping is rooted in
– “Wormhole-Based Antijamming Techniques in Sensor Networks”, Cagalj, Capkun and Hubaux, IEEE TMC ‘07
• Some extensions
– “Efficient Uncoordinated FHSS Anti-jamming Communication”, Strasser et al, MobiHoc ‘09
– “A Coding-Theoretic Approach for Efficient Message Verification Over Insecure Channels”, Slater et al, WiSec ‘09
– “Jamming-resistant Broadcast Communication Without Shared Keys”, Pöpper et al, USENIX Security ‘09 (uncoordinated DSSS)
• We will mainly focus on the original Oakland paper

Agenda

• First part
– Overview of UFH
– UFH Message Transfer Protocol
– Application to jamming resistant key establishment
• Second part
– Detailed performance analysis
– Conclusion

Uncoordinated Frequency Hopping (UFH)

• Key idea: abolish the need for a pre-shared secret by using UFH
– The sender hops randomly in a set of c channels (= frequencies)
– The receiver hops randomly with a longer dwell time per slot
– Once in a while the receiver listens on a channel where the sender is broadcasting and a packet gets through
– Equivalent to FH in jamming protection (but not in throughput)

[Figure: channel-hopping timelines of sender S and receiver R; example with $c = 300$ and $f_S = 1500$ Hz, giving on average $f_S / c = 5$ hits/s]

UFH: solution overview

• We want to establish a shared key (secret) using UFH
– E.g., use the authenticated elliptic curve (ECC) Diffie-Hellman protocol
• For effective protection against jamming (for FH or UFH), the time slots of the sender must be short (~100 bits)
– Problem: Typical messages do not fit into such slots!

[Figure: Application Protocol (e.g. auth. DH) layered on Uncoordinated Frequency Hopping (UFH); the message M := mS , sig(mS) … is to be sent from S to R over the hopping timelines S: and R:]

UFH: message fragmentation (sender)

• Message fragmentation in the absence of an attacker

[Figure: Application Protocol (e.g. auth. DH), Fragmentation and Uncoordinated Frequency Hopping (UFH) layers; M := mS , sig(mS) … is split into fragments M1, M2, M3, …, Ml and sent from S to R]

Attacker model

• Attacker’s strategy space defined by the following actions:

– Jam existing messages by transmitting signals that cause the original signal to become unreadable by the receiver.
– Insert own messages that she generated by using known (cryptographic) functions and keys as well as by reusing (parts of) previously overheard messages.
– Modify existing messages by e.g., flipping single message bits or by entirely overshadowing (i.e., replacing) original messages.

[Figure: one illustration per action, each on channels f1, f2, f3]

Attacker model (contd.)

• Attacker types: static, random, sweep, responsive…
• Required signal strengths for different attacking strategies
– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have:

$c_t P_t + c_j P_j + c_o P_o \le P_T$

• Attacker’s strength: cs/ts, cj/tj, PT (s stands for “sensing”)

[Figure: signal strength at R over times t1, t2, t3 for S’s signal and J’s signal, with levels Pt, Pj, Pa and Po; nodes S, R and J]

UFH: message fragmentation (sender)

• Assume the following fragmentation with an active attacker

[Figure: Application Protocol (e.g. auth. DH), Fragmentation and Uncoordinated Frequency Hopping (UFH) layers; M := mS , sig(mS) … is split into fragments M1, M2, M3, …, Ml and sent from S to R]

Naive fragmentation is harmful

[Figure: packet-number timelines for the sender, the attacker and the receiver; the attacker sends different packets under the same packet numbers; the receiver sorts the unique packets (fragments) it has collected by packet number]

Naive fragmentation leads to a simple DoS

• Assume N adversarial packets successfully arrive at the receiver

• Message M is divided into l fragments
• Application-level signature verification at each candidate message leads to the exponential workload at the receiver

[Figure: the receiver's unique packets (fragments) sorted by fragment number; on average ~ $(N/l + 1)^l$ candidate messages]

Solution to the message fragmentation

• Cryptographically link individual packets
– By the system model we cannot rely on a shared key > integrity
– Possible approach: hash linking

mi := id || i || Mi || hi+1
hl := h(M1), hi := h(mi+1)

• End result: (N/l + 1)*l hash verifications + (N/l + 1) signature verifications

[Figure: M := mS , sig(mS) … is split into fragments M1, M2, M3, …, Ml, which are wrapped into linked packets m1, m2, …, ml; the receiver's sorted packets, labelled N/l+1]

UFH message transfer protocol: sender

• Message Signing & Fragmentation
• Hash linking
• Packet coding/interleaving
• Repeated transmission using UFH

mi := id || i || Mi || hi+1
hl := h(M1), hi := h(mi+1)

[Figure: M := mS , sig(mS) … is split into fragments M1, M2, M3, …, Ml, wrapped into linked packets m1, m2, …, ml, which are sent repeatedly on channels f1, f2, f3]

UFH message transfer protocol: receiver

• Receiving packets
• Bit deinterleaving/packet decoding
• Ordering and linking packets
• Message reassembly & signature verification

[Figure: packets m1, m2, m3, m4 received on channels f1, f2, f3 are ordered and linked into fragments M1, M2, M3, …, Ml, which are reassembled into M := mS , sig(mS) …]

UFH security: overview

• UFH is resistant to packet jamming
– Frequency hopping and packet repetitions in the sending process
• Modified packets are identified
– Using cryptographic (e.g., hash) linking
– Only linear workload on the receiver’s side

• Reassembled messages that fail the signature verification or have an expired timestamp are discarded
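The contrast between naive reassembly and hash linking from the fragmentation slides, as an added Python example (not code from the talk or the paper). Assumptions: a byte-aligned 4-byte id plus 1-byte fragment index instead of the 34-bit/6-bit fields, truncated SHA-256 for h(.), the last packet carrying h(M_1) as chain terminator, and constructed random traffic; each returned candidate would still go through signature verification.

```python
import hashlib
import random

ID_LEN, FRAG_LEN, HASH_LEN = 4, 21, 14        # 168-bit payload, 112-bit hash
PKT_LEN = ID_LEN + 1 + FRAG_LEN + HASH_LEN    # 40 bytes = 320 bits per packet

def h(data):
    """Truncated SHA-256, standing in for the deck's unspecified h(.)."""
    return hashlib.sha256(data).digest()[:HASH_LEN]

def make_chain(msg_id, message):
    """Sender: fragment the signed message and hash-link packets back to front."""
    l = -(-len(message) // FRAG_LEN)
    message = message.ljust(l * FRAG_LEN, b"\0")
    frags = [message[k * FRAG_LEN:(k + 1) * FRAG_LEN] for k in range(l)]
    packets, link = [], h(frags[0])           # assumed: last packet carries h(M_1)
    for i in range(l, 0, -1):
        pkt = msg_id + bytes([i]) + frags[i - 1] + link
        packets.append(pkt)
        link = h(pkt)                         # packet i-1 carries h(m_i)
    return packets[::-1]

def reassemble(received, l):
    """Receiver: hash each unique packet once, then follow links from fragment 1."""
    unique = {p for p in received if len(p) == PKT_LEN and 1 <= p[ID_LEN] <= l}
    index = {(p[:ID_LEN], p[ID_LEN], h(p)): p for p in unique}
    candidates = []
    for head in (p for p in unique if p[ID_LEN] == 1):
        chain = [head]
        while len(chain) < l:
            key = (head[:ID_LEN], len(chain) + 1, chain[-1][-HASH_LEN:])
            if key not in index:
                break
            chain.append(index[key])
        first_frag = head[ID_LEN + 1:-HASH_LEN]
        if len(chain) == l and chain[-1][-HASH_LEN:] == h(first_frag):
            candidates.append(b"".join(p[ID_LEN + 1:-HASH_LEN] for p in chain))
    return candidates, len(unique)            # len(unique) = hash computations

def naive_candidates(received, l):
    """Without linking: every combination of one unique fragment per position."""
    count = 1
    for i in range(1, l + 1):
        count *= len({p for p in received if len(p) == PKT_LEN and p[ID_LEN] == i})
    return count

def demo():
    rng = random.Random(2009)                 # constructed, reproducible traffic
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    msg_id = b"\x00\x00\x00\x01"
    genuine = rand(272)                       # stands in for M := m_S, sig(m_S)
    good = make_chain(msg_id, genuine)
    l = len(good)                             # 13 fragments
    forged = make_chain(msg_id, rand(272))    # attacker links her own full chain
    junk = [msg_id + bytes([i]) + rand(FRAG_LEN + HASH_LEN)
            for i in range(1, l + 1) for _ in range(3)]
    flipped = good[4][:10] + bytes([good[4][10] ^ 1]) + good[4][11:]
    received = good + forged + junk + [flipped] + good[:5]   # repeats included
    rng.shuffle(received)
    candidates, hashes = reassemble(received, l)
    found = genuine.ljust(l * FRAG_LEN, b"\0") in candidates
    return found, len(candidates), hashes, naive_candidates(received, l)

if __name__ == "__main__":
    print(demo())
```

Only the genuine chain and the attacker's own fully linked chain survive, so two signature verifications replace the 6 * 5**12 combinations a naive receiver would have to try.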

[Figure: packets m1 to m4 sent repeatedly by S on channels f1, f2, f3 in the presence of jammer J, and the packets collected by R]

Application of UFH to key establishment

[Figure: the dependency cycle between "Key establishment in the presence of a jammer", "Shared secret (key) (e.g., spreading code)" and "Anti-jamming comm. (e.g., FHSS)" is turned into a dependency chain: "Anti-jamming comm. based on UFH" (Application Protocol) carries the Key Establishment Protocol, which establishes the shared secret key (spreading code), which is required for "Anti-jamming comm. (e.g., FHSS or DSSS)"]

Example: ECC-based Diffie-Hellman

• Elliptic Curve Crypto. Station-to-Station DH protocol
– P is the generator of a cyclic group G with prime order p
– rX is a random element selected by X from Zp
– TX and SigX(.) are a timestamp (for anti-replay protection) and the signature (to verify the sender and the reassembly) issued by X

[Protocol diagram, garbled in the extracted text: S and R pick rS and rR from Zp and exchange, over UFH (without a shared key), messages containing their identity, public key PK, the CA signature SigCA(.), timestamp T, the point rP and a signature Sig(.); both derive K from rS, rR and P; K is then used for (Coordinated) Frequency Hopping (with shared key K)]

2nd part: UFH performance analysis

• Basic scenario: communication without an attacker
• Different types and strategies by an attacker
• Performance relative to coordinated frequency hopping

Communication without an attacker (A0)

• Some assumptions
– Hopping frequency of the receiver << the sender (we can neglect losses due to the lack of synchronization)
– Unintentional interference is neglected (e.g., the number of neighbors << the number of channels (c))
– cn and cm are the number of channels on which the sender (the receiver) simultaneously sends (receives)
• Probability that a particular fragment is successfully received (one transmission)

$p_m^{A_0} = 1 - \prod_{i=0}^{c_n - 1} \left(1 - \min\left\{\frac{c_m}{c - i}, 1\right\}\right)$

[Figure: c channels, cm channels, cn channels]

Communication without an attacker (A0)

• Message is complete after all l fragments are successfully received
– Let Y be the number of times that the sender has to retransmit in order to transfer the message
– Probability that a transfer is incomplete after i (re)transmissions

$P[Y > i] = 1 - \left(1 - (1 - p_m^{A_0})^i\right)^l$

[Figure: receiver timeline of the repeated fragment sequence 1, 2, 3, …, l over transmissions i-2, i-1, i, i+1]

Communication without an attacker (A0)

• The expected number of packets (fragments) that have to be transmitted in order to successfully transfer the message

[Equations: derivation of $N(p_m^{A_0})$ as sums over $i$ of terms in $P[Y > i]$, with a factor $l$; the individual steps are garbled in the extracted text]

$P[Y > i] = 1 - \left(1 - (1 - p_m^{A_0})^i\right)^l$

Performances without an attacker (A0)

[Plot: probability that a message is successfully received versus number of message transmissions (i), 0 to 1500, for c=100, l=10; curves for cn=cm=1 and for cn=2, cm=5]

$P[Y \le i] = 1 - P[Y > i] = \left(1 - (1 - p_m^{A_0})^i\right)^l$

Jamming performance of the attacker

• Required signal strengths for different attacking strategies
– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker inserts (ct), jams (cj), and overshadows (co), we have:

$c_t P_t + c_j P_j + c_o P_o \le P_T$

[Figure: signal strength at R over times t1, t2, t3 for S’s signal and J’s signal, with levels Pt, Pj, Pa and Po; nodes S, R and J]

Jamming performance of the attacker (contd.)

• Each packet (fragment) m is “error” encoded
– ρ in (0,1] is jamming resistance of a given packet
– rc in (0,1] is a code rate
– Data of length |m| is encoded into |m|/rc and more than ρ|m|/rc bits have to be erroneous for successful jamming
– For bitrate R, the packet transmission time tp = |m|R/rc

[Figure: timeline of the encoded packet m of duration tp, with a portion ρtp; the attacker senses, then jams]

Jamming performance of the attacker (contd.)

• Attacker’s strength: #channels cb effectively blocked
– Probability that an ongoing packet is successfully jammed pj=cb/c
– #channels (nj) that the attacker can jam during the transmission nj=tp/(ρtp + tj), where tj is the time to switch jamming channels
– #channels (ns) that the attacker can scan during the transmission ns=(tp-ρtp-tj)/ts, where ts is the time to switch scanning channels
– #channels (cs) on which the attacker can sense simultaneously
• For responsive-sweep jammers:

$c_b = n_s c_s + n_j c_j$, $p_j = c_b / c$

[Figure: timeline of the encoded packet m (tp) with the intervals ts, tj and ρtp; the attacker senses, then jams]

Jamming probab. for different attacker types


Attacking strategies

• Attacker’s strategy space defined by the following actions:

– Jam existing messages by transmitting signals that cause the original signal to become unreadable by the receiver.
– Insert own messages that she generated by using known (cryptographic) functions and keys as well as by reusing (parts of) previously overheard messages.
– Modify existing messages by e.g., flipping single message bits or by entirely overshadowing (i.e., replacing) original messages.

[Figure: one illustration per action, each on channels f1, f2, f3]

Communication in the presence of attacker

• Probability that a particular fragment is successfully received (one transmission)

– No attacker case (A0): $p_m^{A_0} = 1 - \prod_{i=0}^{c_n - 1} \left(1 - \min\left\{\frac{c_m}{c - i}, 1\right\}\right)$
– Jamming (AJ): $p_m^{A_J} = 1 - \prod_{i=0}^{c_n - 1} \left(1 - \min\left\{\frac{c_m}{c - i}, 1\right\}(1 - p_j)\right)$
– Message insertion (AI): [equation for $p_m^{A_I}$ garbled in the extracted text]
– Message modification (overshadowing) (AM): $p_m^{A_M} = 1 - \prod_{i=0}^{c_n - 1} \left(1 - \min\left\{\frac{c_m}{c - i}, 1\right\}(1 - p_o)\right)$

Optimal attacking strategy

• Theorem: For all attacker types (static, random, sweep, responsive), the optimal attacker’s strategy, which minimizes the throughput of the UFH message transfer, is jamming (AJ).


UFH performances with an attacker (AJ)


UFH resource requirements

• Storage at the receiver
– If there is no more space for new packets, delete the oldest ones
– NJ is the expected maximal time period between the first and the last packet (fragment) of a given message
– During this period, the attacker can insert only a bounded number of additional packets (bound below)
• Example:
– Fragment length |mi|=40 bytes, l=10 fragments, c=200 channels, cm=cn=1, ct=50 (channels for insertion) and pj=0.8
– Results in NJ ≈ 30 000 packets transmitted by the sender

– Finally, this results in about 7 500 packets at the receiver, that is, a required storage capacity of about 290 kbytes

– This also results in about 160 signature verifications at the receiver
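The figures in this example can be reproduced from the deck's fragment-reception probability under jamming and from P[Y > i]; the following Python is an added example, not code from the talk. The function names are hypothetical, the closed form for E[Y] is derived here from P[Y > i], and the inserted-packet estimate N_J*c_t*c_m/c is an assumption chosen because it matches the slide's numbers.

```python
from math import comb

def p_fragment(c, c_n=1, c_m=1, p_j=0.0):
    """p_m: probability that one transmission of a fragment is received.

    p_j = 0 is the no-attacker case (A0); p_j > 0 is the jamming case (AJ).
    """
    miss = 1.0
    for i in range(c_n):
        miss *= 1.0 - min(c_m / (c - i), 1.0) * (1.0 - p_j)
    return 1.0 - miss

def p_incomplete(p_m, l, i):
    """P[Y > i]: the message is still incomplete after i (re)transmissions."""
    return 1.0 - (1.0 - (1.0 - p_m) ** i) ** l

def expected_packets(p_m, l):
    """N = l * E[Y], where E[Y] = sum over i >= 0 of P[Y > i].

    Expanding (1 - q^i)^l binomially and summing the geometric series in i
    gives the closed form used here (q = 1 - p_m).
    """
    if not 0.0 < p_m <= 1.0:
        raise ValueError("p_m must be in (0, 1]")
    q = 1.0 - p_m
    e_y = sum((-1) ** (k + 1) * comb(l, k) / (1.0 - q ** k)
              for k in range(1, l + 1))
    return l * e_y

def receiver_load(n_sent, c, c_t, c_m=1, packet_bytes=40):
    """Assumed first-order estimate: inserted packets heard ~ N_J * c_t * c_m / c."""
    heard = n_sent * c_t * c_m / c
    return heard, heard * packet_bytes

def slide_example():
    # Parameter values from the "UFH resource requirements" slide.
    p_m = p_fragment(c=200, c_n=1, c_m=1, p_j=0.8)
    n_j = expected_packets(p_m, l=10)
    heard, storage = receiver_load(n_j, c=200, c_t=50)
    return p_m, n_j, heard, storage

if __name__ == "__main__":
    print(slide_example())
```

With the slide's parameters this gives p_m = 0.001 and roughly 29 300 transmitted packets, about 7 300 inserted packets heard and about 293 000 bytes of storage, in line with the rounded figures above.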

[Equation: bound on the number of packets the attacker can insert during this period, in terms of NJ, ct, cm and c; garbled in the extracted text]

Comparison of UFH and coordinated hopping

• Relative throughput for UFH-enabled ECC-based Station-to-Station Diffie-Hellman protocol and a Bluetooth-like FH scheme
– |Sig(.)|=|PK|=512 bits, |h(.)|=112, timestamps and identities 64 bits
– In total: |M|=2176 bits = 272 bytes
– Packet mi consists of message id (34 bits), frame id (6 bits), the payload Mi (168 bits), and the hash value hi+1 (112 bits): |mi| := |id || i || Mi || hi+1| = 320 bits
– Reed-Solomon error-correcting code (8 bits into 15 bits) with a jamming ratio of 20% (ρ=0.2)
– Encoded packet 320*15/8=600 bits
– Data rate 1 Mbit/s, 1600 hop/s: |slot|=1Mbit/s*(1/1600)=625 bits
– The number of channels c=200
– l=2176/168≈13 for UFH and l*=2176/(168+112)≈8 for FH
– 100 000 simulated key establishments

Duration of key establishment using UFH

[Plot parameters: 1 MBit/s, 1600 hops/s, c = 200; 256-bit prime field for EC; |M| = 2176 bits, l = 13]

Comparison of UFH and coordinated hopping


Concluding words

• We introduced the key-establishment anti-jamming circular dependency

• Proposed the first (and efficient) anti-jamming communication scheme that does not rely on shared secrets (Uncoordinated Frequency Hopping)
– UFH has the same jamming resistance as standard FH

• Presented an elaborate attacker model and derived optimal attacking strategies (responsive-sweep jamming)

• Security implications
– Authentication implies availability (privacy not required)

Thank you for your attention!

Some interesting directions

• Optimal number of channels c for cm=cn=1

$p_m = \frac{1}{c}\left(1 - \frac{c_b}{c}\right)$, $\frac{d p_m}{d c} = 0 \Rightarrow c = 2 c_b$

• Other fragment-linking methods
– Short signatures
– One-way accumulators
– Merkle trees
– Application of packet-level erasure codes (optimal)
• Applications to DSSS
• Applications to anti-jamming broadcast communication (e.g., navigation signals)