an unlinkable communication protocol for wlan

An Unlinkable Communication Protocol for WLAN2nd Intermediate Master Thesis Presentation

Björn Muntwyler

18th March 2010 - 17th September 2010

Advisors: Dr. Vincent Lenders & Dr. Franck Legendre

Supervisor: Prof. Dr. Bernhard Plattner

Motivation

Hardened WLAN Systems: Specialized High security level High privacy level High cost proprietary Hard to get (e.g. military

Systems)

Hardened SystemsHardened Systems Standard SystemsStandard Systems

Standard WLAN Systems: Standardized Low security level Low privacy level Low cost high interoperability

Ideas, Mechanisms, etc...Ideas, Mechanisms, etc...

Goal: How can we increase the „privacy“ of a given wireless communication protocol Hardening given protocols to increase „privacy“

e.g. Wifi (/+WPA), ZigBee, Bluetoothe.g. military proprietary solutions

3Departement/Institut/GruppeSonntag, 17. Oktober 2010

Who Where What

„Privacy“ is a very broad topic – there are leaks everywhere! Most effort is done above the pysical layer

Identifier-free link-layer protocol, Disposable Interface Identifiers (Data Link Layer)

IPsec (Internet/Network Layer) Transport Layer Security (Application Layer)

Attack Classification of a passive adversary

Attack: [5][6] [3][11] [3][5][6] [3][6] [16][17] [6][16][17] [29]

[3][4][10][12?][24] [1][25] [15][28][30] [28][30] [~27] [~27]

Graphical Classification:

[13][26][29]

Attack + Solution:

[1][2][7][19?][20][21][22][24][31][32]

[1][7][12?][19?][22][24][31][32]

[1][15][28][32]

[20][21][22][31][32]

[1][25][~27]

[1][2][7][20][21][22][31][32]

Passive Attacker on Privacy

Identifiers

RSSI

Packet timing Traffic shape

Identifiers Location

ToA AoARandom

-nessPacket

sizeInter-arrival

TimingSending

TimeNetwork

LayerLinkLayer

PhysicalLayer

Service disc,,Control Msgs.

TraceLinkability

Application(Traffic Analysis)

Related Work

References [*]: in appendix


Problem Formulation

Avoid a passive attacker to know:

Who's communicating with whom?What is the content of their communication?When is someone communicating?Where - Location Privacy

Goal: How can we increase the „privacy“ of a given wireless communication protocol

Hardening given protocols to increase „privacy“Condition: Based on open standards using Software Defined Radios (SDR)


The New Approach - PSCHP Securing the wireless communication at the pysical layer

Using the SDR for IEEE 802.15.4 (ZigBee PHY) Direct-Sequence Spread-Spectrum (DSSS)

Two Pairwise Spreading-Sequences: One code for each communication-partner and -direction

Periodic Pairwise Code-Hopping: periodically change the chip-sequence used between two nodes to avoid

the codes being compromised

Idea: Use secret codes and change them dynamically – make solution customizable through „Privacy-Parameters“

Expected Gain: Hide signal below noise level of attacker to remain undetectable Defend against cryptographic attacks on spreading sequences by

dynamicly changing those Defend against many „Privacy-Dimensions“

A

C

BK1

K2

K3

K4


Overview Pairwise-Synchronized

Code-Hopping Protocol (PSCH-P) Periodic constraint check

Sent bytes Time since last key change

Two nodes change the chip-sequence simultaneously using the PSCH-Protocol 3-way handshake with

Diffie-Hellman key agreement

Generate new codes from this shared secret

A global chip-sequence Kglobal for administratives

Initia

lizatio

nJo

inin

g th

e N

etw

ork

PS

CH

-P

PSCH-P

→ shared secret S(passphrase, UDSSS, etc.)


What happend since our last Intermediate Presentation!? Finished Implementation of ZigBee-PSCHP-Solution Evaluation of ZigBee-PSCH-Protocol

How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?What are the Key Exchange Times and Setup Times?What is the Attack Surface of PSCHP? How fast can an attacker break the secret codes?How much better can we get by invreasing the Spreading factor?

… work in progress ...


How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?

Only slight increase in Packet Loss At lower SNR – moderate PLR,

changing Codes more frequently

can overcome de-synchronization

of PSCHP due to Sync-Pkt-Losses At very low SNR – high PLR, the

PSCH-Protocol fails due to lost

PSCHP-packets (3-way hand

shake)


How much higher is the Packet Loss Rate of PSCHP compared to the Original Code?

Only slight increase in Packet Loss At lower SNR – moderate PLR,

changing Codes more frequently

can overcome de-synchronization

of PSCHP due to Sync-Pkt-Losses At very low SNR – high PLR, the

PSCH-Protocol fails due to lost

PSCHP-packets (3-way hand

shake)

Conclusion:

Packet Loss Rate increases < 5 %


How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?

Overhead w.r.t. Code-change

frequency (PSCHP Byte-

Constraint Values) compared to

Original Code

Min. Key-Change Time:

0.071 sec

Min. Setup-Time:

0.110 sec

( + TimerA2)


How does the Overhead behave w.r.t. „privacy“ parameters compared with the Original Code?

Overhead w.r.t. Code-change

frequency (PSCHP Byte-

Constraint Values) compared to

Original Code

Min. Key-Change Time:

0.071 sec

Min. Setup-Time:

0.110 sec

Conclusion:

To get an overhead of less then 10% we need Byte Constraints > 1e3 Bytes


What is the Attack Surface of PSCHP?AND How fast can an attacker break the secret codes?

Attacker capabilities and prevention methods are discussed here: Attackability of PSCHP-Solutions

Attacking M-ary Spreading-Sequences

(Paper: Cluster-based Blind Estimation

of M-ary DSSS

Signals, Wang

et. al.)

Finding weak points of PSCHP

… work in progress ...Nodes are NOTdistinguishable

Nodes aredistinguishable

Energy on Channel(assumed Detectability)

Inter-arrival TimesPacket Shape/Size

Protocol SpecificAttacks

Attack Surface

Packet Shape Packet TimingWith Angle

(multiple Antennas)Without Angle

Replay and DoSAttacks

Global Code K g lo b a l Pairwise-Codes

Attacks onSpreading-Sequences

Plain TextEncryptedPayload

Full PacketEncryption

ChangedPreamble & SFD








3

How fast can an attacker break the secret codes? (IDEA)

Check region of communication

Check overhead Get area of „Privacy“

Parameters to change spreading sequenes before the attacker has collected enough data to break the codes


Pa

cke

t Lo

ss R

ate

[%

]

Signal-to-Noise Ratio (SNR) [db]

Signal-to-Noise Ratio (SNR) [db]

Distance [m]


How much better can we get by invreasing the Spreading factor?



Contents of Report (DRAFT) Abstract Contents & List of Figures / Tables

1. Introduction Intro into topic Define the term Privacy Overview of the Thesis

2. Related Work Privacy related Security Problems Attack Tree I Why I chose the Physical Layer Related Work on PHY (Frank Hermanns Code Hopping)

3. Background Knowledge IEEE 802.15.4 ZigBee Direct Sequence Spread Spectrum (DSSS)


Contents of Report (DRAFT)4. Attacker Model, System Model and Privacy Requirements

5. PSCHP – The New Approach Design

Overview The PSCH-Protocol Customizable Privacy Parameters

Implementation The Original Code PSCHP State Machine Spreading Sequence Generation PSCHP messages (INI-SYNC, INI-ACK, ACK-SYNC, D-BEACON)


Contents of Report (DRAFT)6. Evaluation of PSCHP

Not implemented stuff which could improve PSCHP Drawbacks (Overhead, Throughput, Limitations etc.) Attacking PSCHP

Attack Tree II etc.

7. Conclusion & Future Work Bibliography

Report

Paper

(+ Technical Report)

Master Thesis ?


Contents of Report (DRAFT)6. Evaluation of PSCHP

Not implemented stuff which could improve PSCHP Drawbacks (Overhead, Throughput, Limitations etc.) Attacking PSCHP

Attack Tree II etc.

7. Conclusion & Future Work Bibliography

Report

Paper

(+ Technical Report)

Master Thesis ?!


Plan for the last 6 Weeks

Finish stuff marked as „... work in progress ...“ Analyze influence on packet loss rate and attackability

while increasing the Spreading Factor Ajusting the Sending Power according to distance

between Sender and Receiver (Design) Writing the Report (4 weeks)

Currentweek


Appendix / Backup Slides

Delete old keysTimers:- TimerA1: A timeout of TimerA1 indicates the loss of the INI-ACK or the INI-SYNC packet and leads

to the retransmission of the INI-SYNC packet.- TimerB1: A timeout of TimerB1 indicates the loss of the ACK-SYNC packet and leads to the

retransmission of the INI-ACK packet.- TimerA2: A timeout of TimerA2 indicates that everything went fine and that the ACK-SYNC packet

was received by the intended node. Otherwise the INI-ACK packet would be received during the life-span of Timer A2 (due to the loss of the ACK-SYNC packet and consequentially the timeout of TimerB1 would initiate its retransmission).

- TimerB2: Thought of to postpone the deletion of the old keys and the restart of the communication-Mode with the new established keys.

Maybe no communication possible during the life-span of TimerB2 (& TimerA2) to avoid the confusion between new and old keys

while:TimerB1 ≥ TimerA1 & TimerA2 ≥ TimerB1

State = 4

State = 3

State = 1

State = 2

Ti m

erB

2

A B

INI-SYNC[g, p, A](KAB,i)

INI-ACK[B](KBA,i)

ACK-SYNC(KAB,i)

1

3

2

4

Tim

erA

1T

i mer

A2

Ti m

erB

1

t

Choose DH Params: ai+1, g, p

A = ga mod p

S i+1 = Ba mod p

Generate KA B ,i+1 and KB A ,i+1

[KA B ,i+1, KB A ,i+1] = hash64 (Si+1)

Choose DH Param: b i+1

B = gb mod p

S i+1 = Ab mod p

Generate KA B ,i+1 and KB A ,i+1

[KA B ,i+1, KB A ,i+1] = hash64

(Si+1)

State = 0old keys

State = 0new keys



Attack Classification of a passive adversary

Attack: [5][6] [3][11] [3][5][6] [3][6] [16][17] [6][16][17] [29]

[3][4][10][12?][24] [1][25] [15][28][30] [28][30] [~27] [~27]

Graphical Classification:

[13][26][29]

Attack + Solution:

[1][2][7][19?][20][21][22][24][31][32]

[1][7][12?][19?][22][24][31][32]

[1][15][28][32]

[20][21][22][31][32]

[1][25][~27]

[1][2][7][20][21][22][31][32]

Passive Attacker on Privacy

Identifiers

RSSI

Packet timing Traffic shape

Identifiers Location

ToA AoARandom

-nessPacket

sizeInter-arrival

TimingSending

TimeNetwork

LayerLinkLayer

PhysicalLayer

Service disc,,Control Msgs.

TraceLinkability

Application(Traffic Analysis)


Remarks: Title of Paper Author 1 Author 2 Author 3 year Journal/Conference

[1] POSSIBLE H. Wang 2007

[2] 2005 Mobile Networks and Applications 10

[3] Chattering Laptops T. Aura M. Roe 2008 PETS 2008

[4] Z. Yang 2009

[5] Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols J. Pang 2007?

[6] 802.11 User Fingerprinting J. Pang 2007

[7] Improving Wireless Privacy with an Identifier-Free Link Layer Protocol D. McCoy J. Pang 2008

[8] Tryst: the Case for Confidential Service Discovery J. Pang D. McCoy 2007

[9] Extends [7] Mechanisms to Mitigate Wireless Privacy Threats J. Pang 2009

[10] Privacy-Preserving 802.11 Access-Point Discovery T Aura 2009

[11] Attacks on Physical-layer Identification 2010

[12] Z. Yang A. Champion 2009

[13] The Robustness of Localization Algorithms to Signal Strength Attacks: A Comparative Study Y. Chen X. Li 2006 DCOSS 2006

[14] J. Deng R. Han 2006

[15] Temporal Privacy in Wireless Sensor Networks 2007 ICDCS'07

[16] Early Recognition of Encrypted Applications 2007 PAM 2007

[17] Early Application Identification 2006

[18] Multi-hop? The Evolution of Self-Organized Privacy 2008 Thesis from EPFL

[19] Multi-hop! Network coding Based Privacy Preservation against Traffic Analysis in Multi-hop Wireless Networks Y. Fan 2009

[20] Multi-hop? An Efficient Privacy-Preserving Scheme for Wireless Link Layer Security Y. Fan B. Lin 2008 IEEE GLOBECOM 2008

[21] Anonymous Communication in Ubiquitous Computing Environments M. Park J. Son 2009 Wireless Personal Communications

[22] partly Okay Who said that? Privacy at link layer 2007

[23] A Protocol for Anonymous Communication Over the Internet C. Shields B. Levine 2000 CCS'00

[24] Protecting Privacy with Protocol Stack Virtualization 2008 WPES'08

[25] Performing Traffic Analysis on a Wireless Identifier-Free Link Layer K. Bauer D. McCoy 2009

[26] Attack Detection in Wireless Localization Y. Chen R. Martin 2007

[27] Robust Statistical Methods for Securing Wireless Localization in Sensor Networks Z. Li 2005

[28] A New Security Mechanism to Perform Traffic Anonymity with Dummy Traffic Synthesis 2009 CSE

[29] Sensing motion using spectral and spatial analysis of WLAN RSSI 2007

[30] Analytical and Empirical Analysis of Countermeasures to Traffic Analysis Attacks B. Graham 2003 ICPP'03

On Effectiveness of Link Padding for Statistical Traffic Analysis Attacks B. Graham 2003 ICDCS'03

[31] Similar to [2] Location Privacy in Wireless Personal Area Networks 2006

[32] high cost !? A Framework for Location Privacy in Wireless Networks H. Wang 2005 ACM SIGCOMM

Nr.

Preserving Location Privacy in Wireless LANs T. Jiang Y. Hu MobiSys'07

similar to [1] reg. MACadd

Enhancing Location privacy in Wireless LAN Through Disposable Interface Identifiers: A Quantitative Analysis

M. Gruteser D. Grunwald

J. Lindqvist

Null Data Frame: A Double-Edged Sword in IEEE 802.11 WLANs W. Gu D. Xuan IEEE Transactions on parallel and distributed Systems vol.21

[7] builds on this

B. Greenstein R. Gummadi MobiCom'07

B. Greenstein MobiSys'08

[7] builds on this

B. Greenstein

J. Lindqvist G Danezis

B. Danev H. Luecken S. Capkun WiSec'10

??? key establish.

Link-Layer Protection in 802.11i WLANs with Dummy Authentication B. Gu WiSec'09

K. Kleisouris

Decorrelating Wireless Sensor Network Traffic To Inhabit Traffic analysis Attacks S. Mishra Elsevier Pervasive and Mobile Computing Journal

P. Kamat W. Xu W. Trappe

L. Bernaille R. Teixeira

L. Bernaille R. Teixeira K. Salamatian 2006 ACM CoNEXT

J. Freudiger

Y. Jiang H. Zhu partly presented at IEEE Infocom'09

Y. Jiang

S. Seo

F. Armknecht J. Girao A. Matos IEEE Infocom'07

like Crowds, using proxies

might have usefull stuff

J. Lindqvist J. Tapio

B. Greenstein Tapia'09

W. Trappe IEEE Infocom'07

W. Trappe Y. Zhang Proc. Of IPSN

W.Shbair A. Bashandy S. Shaheen

K Muthukrishnan M. Lijding N. Meratnia EuroSSCX. Fu R. Bettati

X. Fu R. Bettati

D. Singelée B. Preneel WiSe'06

Y. Hu


an unlinkable communication protocol for wlan

Documents

original code

privacy parameters

secret codes

synchronized code

slight increase

packet loss rate of

key changetwo nodes

key exchange times