Improving the Privacy of IEEE 802.15.4 with Dynamic and Secret Spreading Sequences Björn Muntwyler...
-
Upload
mary-norris -
Category
Documents
-
view
214 -
download
0
Transcript of Improving the Privacy of IEEE 802.15.4 with Dynamic and Secret Spreading Sequences Björn Muntwyler...
Improving the Privacy of IEEE 802.15.4 with Dynamic and Secret Spreading Sequences
Björn Muntwyler
18th March 2010 - 17th September 2010
Advisors: Dr. Vincent Lenders & Dr. Franck Legendre
Supervisor: Prof. Dr. Bernhard Plattner
ITET / TIK / CSG21 October 2010
Motivation
Hardened WLAN Systems: Specialized High security and privacy High costs Proprietary and hard to get
Standard WLAN Systems: Standardized Low security and privacy Low costs High interoperability
military proprietary solutions
Wifi (WPA)
ZigBeeBluetooth
Picture Source: http://galerie.designnation.de/bild/17750
1
ITET / TIK / CSG21 October 2010
Motivation
Goal: Hardening an open standard wireless communication protocol to increase the users „privacy“.
Conditions: Based on an open standard Using Software Defined Radios (SDR)
military proprietary solutions
Wifi (WPA)
ZigBeeBluetooth
Ideas, Mechanisms
Picture Source: http://galerie.designnation.de/bild/17750
1
ITET / TIK / CSG21 October 2010
Motivation
Goal: Hardening an open standard wireless communication protocol to increase the users „privacy“.
Conditions: Based on an open standard Using Software Defined Radios (SDR)
military proprietary solutions
Wifi (WPA)
ZigBeeBluetooth
Ideas, Mechanisms
Informational
Communication Relationships Location
Identification
Picture Source: http://galerie.designnation.de/bild/17750
1
ITET / TIK / CSG21 October 2010
Background: Direct Sequence Spread Spectrum
Information spread to a bandwidth much greater than required for transmission Spreading by modulating each information bit on a spreading sequence (chips)
Spreading sequence independent of data, higher bandwidth Narrowband signal spread to a broadband signal
Power spectrum is spread over a larger bandwidth
Benefits: anti-jamming, anti-interference, low probability of intercept, frequency reuse (e.g. CDMA)
2
ITET / TIK / CSG21 October 2010
Background: IEEE 802.15.4
Working with the SDR for IEEE 802.15.4: PHY and MAC sublayer for a LR-WPAN (e.g. used by ZigBee) Used frequency band at 2450 MHz Uses 16-ary Direct Sequence Spread Spectrum technique and O-QPSK
modulation (16 spreading sequences, not only one!)
Publicly known symbol-to-chip table
used by all the nodes
ITET / TIK / CSG21 October 2010 3
ITET / TIK / CSG21 October 2010
Background: IEEE 802.15.4
Working with the SDR for IEEE 802.15.4: PHY and MAC sublayer for a LR-WPAN (e.g. used by ZigBee) Used frequency band at 2450 MHz Uses 16-ary Direct Sequence Spread Spectrum technique and O-QPSK
modulation (16 spreading sequences, not only one!)
Publicly known symbol-to-chip table
used by all the nodes
ITET / TIK / CSG21 October 2010 3
ITET / TIK / CSG21 October 2010
Our Approach
Idea: Using secret and random symbol-to-chip table and changing it dynamically + customizable privacy solution
Obfuscating all transmitted bits at the lowest possible layer (PHY) Using low probability of intercept property of DSSS Defend against cryptographic attacks on spreading sequences by
dynamically changing them
4
Secret pairwise CodesFixed standard Code
ITET / TIK / CSG21 October 2010
Pairwise Synchronized Code Hopping Protocol (PSCHP)
Secret Code = Secret Symbol-to-Chips table Containing 16 secret, random spreading sequences, can’t determine
one spreading sequence from another.
Use two pairwise Codes for each neighboring node One for sending and one for receiving (prevent correlations btw.
request/reply)
Periodic pairwise Code Hopping Dynamically hop from one Code to the next
every b bytes or t secs Periodically renewing seed value for Code-
Generator using Elliptic-Curve Diffie-Hellman (3WHS-KA)
B
A
C
K1 K2 K3 K4
A
5
C1 C2 C3 C4
ITET / TIK / CSG21 October 2010
PSCHP Overview
Global Code Cglobal to join the network
Device Discovery using Beacon New Code-Generator-seed
using 3WHS-KA (Elliptic-Curve Diffie-Hellman)
Local Code generation Periodically checking Code
lifetime ... Sent bytes b Time since last Code Hop t
... and hop to next Code Periodically renew seed every
k Code Hops (using 3WHS-KA)
6
Com
munication
Joining the Netw
ork
ITET / TIK / CSG21 October 2010
PSCHP: Code Hops
Code identification during synchronization with preamble c Backup Codes to account for packet losses (per neighbor) Node needs to check n (c+1) ⋅ Codes to identify the matching one Depending on hardware one might need to reduce the number of
allowed neighbor associations (n) and/or the number of Backup Codes (c)
Code Generator Seed lifetime
3WHS-KA(renew seed)
3WHS-KA(renew seed)
Code lifetime
Seed 1Code 1.1 Code 1.2 Code 1.3 Code 1.4 Code 1.5 Code 1.6 Code 1.7 Code 1.8 Code 1.9
Seed 2Code 2.1
7
time
k = 9
ITET / TIK / CSG21 October 2010
Evaluation: PSCHP vs. IEEE 802.15.4
Setup: Implementation of PSCHP based on GNU Radio toolkit UCLA ZigBee Physical Layer Implementation USRP2 with the XCVR2450 transceiver
daughterboard
Key Questions: Performance loss in terms of Packet Loss by using dynamic and
random Codes vs. the nearly orthogonal Code from IEEE 802.15.4? Protocol Overhead of PSCHP compared to IEEE 802.15.4? How fast could a passive attacker corrupt the secrecy of the Codes?
8
ITET / TIK / CSG21 October 2010
Evaluation: Packet Loss
Left: Cable Right: Over the air (real world scenario)
Random Codes compared to nearly orthogonal Code from IEEE 802.15.4 standard: No minimum distance between chip-sequences of a Code
PER increase below 13 %
100%
80%
60%
40%
20%
0%-7 -6 -5 -4 -3 -2 -1 0 1 2 3
-7 -6 -5 -4 -3 -2 -1 0 1 2 3SNR [dB] SNR [dB]
100%
80%
60%
40%
20%
0%
Packet Loss [%] vs. Signal-to-Noise Ratio (SNR) [dB] Cable
IEEE 802.15.4PSCHP 2 sec lifetimePSCHP 5 sec lifetimePSCHP 20 sec lifetimePSCHP 50 sec lifetime
IEEE 802.15.4PSCHP 2 sec lifetimePSCHP 5 sec lifetimePSCHP 20 sec lifetimePSCHP 50 sec lifetime
Over the air (Real World)Packet Loss [%] vs. Signal-to-Noise Ratio (SNR) [dB]
9
ITET / TIK / CSG21 October 2010
Evaluation: Overhead and finding suitable k
k = 100 Overhead = 4.9%➔ k = 1000 Overhead = 0.5%➔
10
k: Number of Code Hops per seed (between two 3WHS)
ITET / TIK / CSG21 October 2010
Attacking the Secrecy of the Codes Worst Case Attacker (PSCHP point of view):
All Parameters assumed to be known (except the secret Code!) Assumed ability to distinguish Codes Attacker can synchronize and demodulate message
Adapted m-ary DSSS attack [Wang, ICC, 2008] Attacker Strategy:
1. Record chip stream from channelAs synchronization assumed, this results in a list of intercepted chip-sequences
2. ∃chip errors K-means Clustering to eliminate chip errors (K = 16)➔3. Collect centroids / Stop if matching true Codes
Finding theoretical bound Implemented and measure performance of attacker (cable setup) Determine how often each individual chip sequence is needed Determine required amount of chip sequences
11
ITET / TIK / CSG21 October 2010
Attacking the Secrecy of the Codes The lower the SNR (the higher the chip
error rate) the more often each individual chip sequence is required
Asymptote: (uniform distributed)
No Chip Errors each once➔
E[each Chip Seq. received once] ≅ 54
b ≤ 27 bytes Need a Code Hop every packet to
defend against Worst Case Attacker (with an average packet size of 22 bytes)
Measured required amount of Chip Sequences
vs. SNR [dB]
Measured averaged number of appearances per chip-
sequence vs. SNR [dB]
40
35
30
25
20
15
10
5
0-3.5 -3 -2.5 -2 -1.5 -1 -0.5 0 0.5 1
SNR [dB]-3.5 -3 -2.5 -2 -1.5 -1 -0.5 0 0.5 1
1200
1000
800
600
400
200
0
SNR [dB]
12
Measurements obtained over cable setup Over the air (wireless channel) might require even more bytes
ITET / TIK / CSG21 October 2010
Conclusion
Implementation of PSCHP protocol using SDR Secret and dynamically changing Codes instead of the publicly
known Code from IEEE 802.15.4 PER increase compared to IEEE 802.15.4 below 13% Protocol overhead smaller than 1% Shown that Worst Case Attacker requires 27 bytes to break the
secrecy of the Codes Working idea, acceptable tradeoff, but requires hardware adaptation Paper (14 pages, available on wiki)
Future Work: Dynamic spreading factor Randomizing inter packet timings and packet size max. entropy ➔
[Kamat, ACM TOSN, 2009]
13
ITET / TIK / CSG21 October 2010
Thank you for listening...
... any questions?
14
ITET / TIK / CSG21 October 2010
Appendix: Privacy in Wireless Communications
Privacy is a very broad topic - In my Master Thesis, the main focus is on the following four privacy dimensions:
Informational: What is the content of the communication?
Identification:Who is communicating?
Communication Relationships:Who is communicating with whom?
Location:Where are the nodes communicating?
ITET / TIK / CSG21 October 2010
Appendix: Privacy Benefits
Informational: All transmitted bits obfuscated at lowest possible layer (PHY) provides
informational privacy - can’t decode message without matching Code
Identification:No more identifiers available as all transmitted bits obfuscated
Communication Relationships:Using two pairwise keys - no correlations between requests and replies
Location:Low probability of intercept property can deliver some level of location
privacy - plus the additional missing identifiers and the fact that the Codes are changed dynamically will make localization harder
(Physical layer fingerprinting not considered - out of scope)
ITET / TIK / CSG21 October 2010
Appendix: Privacy in Wireless Communications
Many potential privacy leaks of wireless communication protocols
(considering a passive attacker)
Passive Attacker on Privacy
Identifiers
RSSI
Packet timing Traffic shape
Identifiers Location
ToA AoARandom
-nessPacket
sizeInter-arrival
TimingSending
TimeNetwork
LayerLink
LayerPhysical
LayerService disc,,Control Msgs.
TraceLinkability
Application(Traffic Analysis)
ITET / TIK / CSG21 October 2010
Appendix: IEEE 802.15.4 PPDU
Preamble for synchronizaion: find τ SFD = Start of Frame Delimiter
111001010000...0000
Preamble SFD Frame length(7 bits)
Reserved(1 bit)
PSDU
PHR PHY payloadSHR
Octets: 4 1 1 variable
ITET / TIK / CSG21 October 2010
Appendix: IEEE 802.15.4: Spreading
Entering bit stream divided into 4-bit
symbols Symbols mapped to chip sequence
according to symbol-to-chips table ➟ 16-ary Direct Sequence Spread
Spectrum
16 PN sequences, not only one!
O-QPSK modulation
ITET / TIK / CSG21 October 2010
Appendix: PSCHP Privacy Parameters
Code lifetime: b bytes and t seconds Code-lifetime-BC & Code-lifetime-TC
Number of Backup Codes c Number of Silent-Code-Hops k D-Beacon interval
ITET / TIK / CSG21 October 2010
Appendix: PSCHP ExampleINI-SYNC(C
i,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
Node A Node B
time
Code-Set:Active Codes Backup Codes (REC)Ci,0,SEND,BA;Ci,0,REC,BA Ci,1,REC,BA;...;Ci,REC,BA
Code-Set:Backup Codes (REC) Active CodesCi,1,REC,AB;...;Ci,REC,AB Ci,0,SEND,AB;Ci,0,REC,AB
ITET / TIK / CSG21 October 2010
Appendix: PSCHP ExampleINI-SYNC(C
i,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,1,SEND,AB)
Node A Node B
time
Code-Set:Active Codes Backup Codes (REC)Ci,0,SEND,BA;Ci,0,REC,BA Ci,1,REC,BA;...;Ci,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Code-Set:Backup Codes (REC) Active CodesCi,1,REC,AB;...;Ci,REC,AB Ci,0,SEND,AB;Ci,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
ITET / TIK / CSG21 October 2010
Appendix: PSCHP ExampleINI-SYNC(C
i,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,3,SEND,AB)
Node A Node B
time
Code-Set:Active Codes Backup Codes (REC)Ci,0,SEND,BA;Ci,0,REC,BA Ci,1,REC,BA;...;Ci,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Pac
kets
Los
t
Code-Set:Backup Codes (REC) Active CodesCi,1,REC,AB;...;Ci,REC,AB Ci,0,SEND,AB;Ci,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
Successful decoding using Backup Code
ITET / TIK / CSG21 October 2010
Appendix: PSCHP ExampleINI-SYNC(C
i,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,3,SEND,AB)
DATA(Ci+1,3,SEND,AB)
Node A Node B
time
Code-Set:Active Codes Backup Codes (REC)Ci,0,SEND,BA;Ci,0,REC,BA Ci,1,REC,BA;...;Ci,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA;Ci+1,3,REC,BA Ci+1,4,REC,BA;...;Ci+1,c+3,REC,BAP
acke
ts L
ost
Code-Set:Backup Codes (REC) Active CodesCi,1,REC,AB;...;Ci,REC,AB Ci,0,SEND,AB;Ci,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
ITET / TIK / CSG21 October 2010
Appendix: PSCHP ExampleINI-SYNC(C
i,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,0,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,3,SEND,AB)
DATA(Ci+1,3,SEND,AB)
DATA(Ci+1,k,SEND,AB)
INI-SYNC(Ci+1,k,SEND,AB)
INI-ACK(Ci+1,0,SEND,BA)
Node A Node B
time
Code-Set:Active Codes Backup Codes (REC)Ci,0,SEND,BA;Ci,0,REC,BA Ci,1,REC,BA;...;Ci,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,0,REC,BA Ci+1,1,REC,BA;...;Ci+1,c,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA;Ci+1,1,REC,BA Ci+1,2,REC,BA;...;Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA;Ci+1,3,REC,BA Ci+1,4,REC,BA;...;Ci+1,c+3,REC,BA
Ci+1,0,SEND,BA;Ci+1,k,REC,BA Ci+1,k+1,REC,BA;...;Ci+1,k+c,REC,BA
Pac
kets
Los
t
Code-Set:Backup Codes (REC) Active CodesCi,1,REC,AB;...;Ci,REC,AB Ci,0,SEND,AB;Ci,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,0,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,1,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,2,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
Ci+1,3,SEND,AB;Ci+1,0,REC,AB
Ci+1,k,SEND,AB;Ci+1,0,REC,AB
Ci+1,k,SEND,AB;Ci+1,0,REC,AB
Ci+1,k,SEND,AB;Ci+1,0,REC,AB
ITET / TIK / CSG21 October 2010
Appendix: Coupon Collectors ProblemDixie Cup Problem
How many Panini Pictures do we need to buy to get each of the m pictures at least r times
In our case m = 16 Codes Get the expectation value
according to the fomula below:
ITET / TIK / CSG21 October 2010
Appendix: Attack Tree
ITET / TIK / CSG21 October 2010
Appendix: Zero Symbol Collision
Probability of having at least twice the same zero-symbol chip sequence in the neighbor table
ITET / TIK / CSG21 October 2010
Appendix: Neighbor Table
ITET / TIK / CSG21 October 2010
Appendix: Code Generation from Seed
ITET / TIK / CSG21 October 2010
Appendix: 3WHS-KA
ITET / TIK / CSG21 October 2010
Appendix: PSCHP Packets
ITET / TIK / CSG21 October 2010
Appendix: ZigBee Layers