comp 4905 honours project report - school of computer ... · fhss (frequency hopping spread...
TRANSCRIPT
COMP 4905 Honours Project Report Dongchao Chen
COMP 4905 Honours Project Report
Uncoordinated FHSS Anti-Jamming Communication
Dongchao Chen (100672581) Supervisor: Evangelos Kranakis
School of Computer Science Carleton University
2010.04.15
COMP 4905 Honours Project Report Dongchao Chen
ii
Abstract
Wireless communications are often susceptible to the jamming attack in which the
jammer maliciously injects packets into the wireless channels or specific layers (MAC,
link, network) causing erroneous message reception and reducing throughput. Numerous
protocols have been proposed for anti-jamming communication, and one of them is the
FHSS (Frequency Hopping Spread Spectrum) protocol, which takes advantages of prior
shared secret keys/codes between the communication partners to make the transmission
unpredictable for the adversary. However, this traditional anti-jamming technique is
becoming impractical when wireless communication is now vastly demanded in
commercial implementations. In 2008, Strasser, Popper, Capkun and Cagalj proposed the
first possible scheme (i.e., UFH scheme) in the world that broke the anti-jamming/key
establishment circular dependency. The main objective of this project is to get better
comprehension about UFH model and its related coding theory, at the same time to apply
the original UFH scheme as a performance benchmark to explore the improved efficiency
of the BMA and Merkleleaf schemes, specifically in the communication time, sender
complexity and receiver complexity both in the presence and absence of attackers, and
finally prove that BMA is better than Merkleleaf scheme.
COMP 4905 Honours Project Report Dongchao Chen
iii
Acknowledgements
This is my final project during my undergraduate studies for the Bachelor of Computer
Science in Carleton University. Firstly I am enormously grateful to Professor Evangelos
Kranakis for his help and conduct of this project. I wish to thank Undergraduate Advisor
Joni Campbell who always gives me sensible and wise advisement during my academic
study. Finally I would like to thanks Carleton University Computer Science Department
and Carleton Coop office. I strongly believed that studying computer science in Carleton
University is a wise decision that I made in my life. I have successfully accomplished
both academic studies and coop work terms. I have learned a lot during these years and
now I am ready to take what I learned to face new challenges in the future.
COMP 4905 Honours Project Report Dongchao Chen
iv
Table of Contents
1. Introduction ............................................................................................ 1
1.1 FHSS and the Problem ............................................................................ 1
1.2 Survey of UFH-based Schemes ................................................................ 3
1.3 Motivation ............................................................................................... 4
1.4 Project Overview ..................................................................................... 5
1.5 Outline .................................................................................................... 6
2. Background ............................................................................................. 7
2.1 ECC-based public key cryptography ...................................................... 7
2.2 Jammer Types ......................................................................................... 7
2.3 Verifiable Message Coding Techniques ................................................... 9
2.3.1 Erasure Coding .......................................................................................................... 9
2.3.2 Merkle trees ............................................................................................................. 10
2.3.3 One-Way Accumulators ........................................................................................... 10
3. System and Attacker Models ................................................................. 12
3.1 System Model ........................................................................................ 13
3.2 Attacker Model ..................................................................................... 15
3.2.1 Attacker Assumptions ............................................................................................... 15
3.2.2 Attacker Strategy Selection ...................................................................................... 16
4. Uncoordinated Frequency Hopping Model ........................................... 18
4.1 Idea of UFH Model................................................................................ 18
4.2 Hash-Linked Scheme ............................................................................ 19
4.2.1 Hash-Linked Scheme................................................................................................ 20
4.2.2 Security Analysis of the Hash-Linked Scheme ......................................................... 22
4.2.3 Performance Analysis of the Hash-Linked Scheme ................................................. 24
5. Improved UFH-based Schemes ............................................................. 24
5.1 BMA Scheme ......................................................................................... 24
5.1.1 How BMA Scheme Works ........................................................................................ 25
5.1.2 Security Analysis of the BMA Scheme ..................................................................... 26
5.1.3 Performance Analysis of the BMA Scheme .............................................................. 27
5.2 Merkleleaf Scheme ................................................................................ 27
5.2.1 How Merkleleaf Scheme Works ............................................................................... 28
5.2.2 Security Analysis of the Merkleleaf Scheme ............................................................ 29
5.2.3 Performance Analysis of the Merkleleaf Scheme..................................................... 29
5.3 BMA and Merkleleaf Comparison ........................................................ 30
6. Conclusions ........................................................................................... 31
6.1 Review Goals ......................................................................................... 31
6.2 Unsolved Problems ................................................................................ 32
6.3 Future work .......................................................................................... 32
COMP 4905 Honours Project Report Dongchao Chen
v
7. References ............................................................................................. 33
Appendix-A Acronyms ............................................................................................ 34
COMP 4905 Honours Project Report Dongchao Chen
vi
List of Figures
Figure 1 Anti-jamming/secret –establishment dependency graph
Figure-2: Required signal strengths
Figure-3: Attacker Insert Strategy
Figure-4: Attacker Modify Strategy
Figure-5: Attacker Jam Strategy
Figure-6: Break the shared key dependency
Figure-7: UFH Example
Figure-8: hash linking
Figure-9: UFH Security Aspects
Figure-10: Merkleleaf Scheme
COMP 4905 Honours Project Report Dongchao Chen
vii
List of Tables
Table 1: A summary of notation used in the report
COMP 4905 Honours Project Report Dongchao Chen
1
1. Introduction
Since RF (radio frequency) is essentially an open medium, wireless communications are
often susceptible to jamming. There are two typical jamming attacks for wireless
networks, namely, denial-of-service (DoS) attacks and pollution attacks [1] (pp.1). In
DoS attacks, a jammer can prevent legitimate users from accessing information and
services by targeting specific layers (MAC, link, network) of the system. Alternatively, in
pollution attack, an adversary can reduce system throughput with erroneous messages
reception via injecting polluted packets into the wireless channels [1] (pp.1). Numerous
protocols have been proposed for anti-jamming communication and one of the well-
known anti-jamming techniques is FHSS (Frequency-hopping spread spectrum). This
section first introduces the basic idea of FHSS technique with its defect, and then
illustrates the motivation of this project after a survey of new proposed schemes that are
based on the UFH (Uncoordinated Frequency-hopping) model which add additional
benefits that are not feasible in FHSS scheme. The remaining portion of this section lists
the goals for this project and the remainder structure of this paper.
1.1 FHSS and the Problem
Spread-spectrum radio communication technique is a favor for military usage as “it
resists jamming and is hard for an enemy to intercept” [2]. One of its implementations is
FHSS (Frequency-hopping spread spectrum). The signals in FHSS are distributed over a
wide range of frequencies. During the transmission, these signals hop from frequency to
frequency over that wide band and then get collected onto their original frequency at the
COMP 4905 Honours Project Report Dongchao Chen
2
receiver side. Since the specific order in which frequencies are occupied is a function of a
code sequence, and the rate of hopping from one frequency to another is determined by
the message rate, therefore it is so inconspicuous as to be transparent, which guarantees
the anti-jamming feature of the FHSS system [2]. The typical usage of FHSS system
requires both sender and receiver share the secret keys/codes prior to the start of the
communication. That prior shared secret is used to produce a “cryptographically-secure,
pseudorandom frequencies sequence” [2] for communication, and thus the current used
frequency will be unpredictable for an adversary at any given time. Then if an attacker
still would like to destroy the communication, he/she has to flood all possible frequencies
to guarantee that every part of the message is polluted, which requires enormous amount
of time and power than authorized users. This asymmetry in both time and power usage
for attackers and legitimate users secure the anti-jamming system [3] (pp.1).
However, this traditional anti-jamming technique is becoming impractical when wireless
communication is now vastly demanded in commercial implementations. That is, the
secret keys/codes could not be given to all potential users, and if so the system using
FHSS would no longer be secret [3] (pp.1). For example, we would not share the secret
keys among GPS (Global Positioning System) users as there are 6.5 billion potential
users in the world, therefore the existed FHSS technique cannot be implemented on the
GPS and thus these systems are not protected from jamming. Nevertheless many airlines
now deploying the GPSs for navigation and even during the landing, then if an attacker
jams the system, there will be a catastrophe for the airplane [3] (pp.1). Consequently, it is
significantly important to have a new protocol which can be used to protect wireless
COMP 4905 Honours Project Report Dongchao Chen
3
communication from jamming without prior shared secret keys/codes. This problem was
first addressed by Baird, Bahn, Collins, Carlisle and Butler in 2007 as one of the United
States Air Force research topics [3] (pp.1). In 2008, Strasser, Popper, Capkun and Cagalj
proposed the first possible scheme (i.e., UFH scheme) in the world which broke this
circular dependency and they named this problem as the anti-jamming/key establishment
circular dependency problem (See Figure 1) [4](pp.1-2) [5](pp.21).
Figure 1 Anti-jamming/secret –establishment dependency graph
1.2 Survey of UFH-based Schemes
The initial verification protocol in the UFH model that proposed by Strasser, Popper,
Capkun and Cagalj is Hash-Linked Scheme, which applies the hash-linked chain
structure to transfer message packets with the limitation that “all packets of a message
must be received before the message can be reassembled” [4] (pp.6). As in principle,
forward error correction techniques (i.e., erasure and fountain codes) allow for
reassembling a message when only a subset of all packets is received and the
COMP 4905 Honours Project Report Dongchao Chen
4
decentralized property of one-way accumulators can individually verify packet signature,
Strasser, Popper and Capkun proposed a set of new verifiable message protocols based on
Erasure codes, cryptographic accumulators, and short signatures techniques, which
improve the efficiency of the original UFH model - “reducing the UFH communication
latency up to one-half (i.e., increase UFH throughput up to two times)” [6] (pp.2). Slater,
Tague, Poovendran and Matt also researched the original UFH model that was proposed
by Strasser, Popper, Capkun and Cagalj, and created three new approaches (Hashcluster
scheme, Merkleleaf scheme and witnesscode scheme) based on the coding theory to
improve the efficiency of original UFH verification protocol [1] (pp.1).
1.3 Motivation
Researching anti-jamming techniques is motivated by the increasing demands of security
requirements of wireless communication. Current anti-jamming solutions – ‘spread-
spectrum’ techniques (i.e., FHSS) cannot protect wireless communication as the secret
keys/codes are not scalable to large systems. The most typical example is the civilian
GPS application, which requires distributing all potential 6.5 billion users all over the
world, including these adversaries. Thus there is no way to use that secret key to protect
such a signal that is actually meant to the public [3] (pp.2). Since we cannot prevent
civilian GPS from jamming while we are still using them for airplane navigation and
landing, then if an attacker jams the airplane flight control system, we know what will be
happened. The increasing usage of ad-hoc networks in sensitive and mission-critical roles
demands more advanced techniques to against jamming and other malicious attacks [7].
COMP 4905 Honours Project Report Dongchao Chen
5
The proposed UFH model by Strasser, Popper, Capkun and Cagalj gives us a hope to
prevent our wireless systems from jamming with less cost. We could first implement the
UFH scheme to establish the secret key between sender and receiver(s) and then use this
secret key to support later coordinated frequency hopping communication [5] (pp.7).
Nevertheless, original UFH model is not efficient on message coding, thus forward error
correction and packet verification techniques should be implemented to reduce
redundancy. The self motivation for this paper is to get an incisive comprehension for
these schemes and get prepared for the future research on wireless jamming topics.
1.4 Project Overview
Original UFH communication performance can be improved/optimized (i.e., how higher
throughput and lower transmission latency can be achieved) by a proper choice and
parameterization of the Message Coding, Packet Coding and Frequency Channel
Selection [6] (pp.3). In the seminal work of Strasser, Popper and Capkun, the BMA
scheme (“erasure coding combined with a one-way authenticator based on bilinear
maps”) [6] (pp.6) performs the best among the new proposed protocols. Meanwhile, the
independent work of Slater, Tague, Poovendran and Matt also came to the same
conclusion, that is, Witnesscode scheme (similar to BMA) is the best scheme among their
three new proposed protocols (Hashcluster scheme, Merkleleaf scheme and witnesscode
scheme) [1] (pp.9). The main objective of this project is to get better comprehension
about UFH model and its related coding theory, at the same time to apply the original
UFH scheme as a performance benchmark to explore the improved efficiency of the
BMA and Merkleleaf schemes, specifically in the communication time, sender
COMP 4905 Honours Project Report Dongchao Chen
6
complexity and receiver complexity both in the presence and absence of attackers, and
finally prove that BMA is better than Merkleleaf scheme.
1.5 Outline
The remainder of the paper is organized as follows. Section 2 describes basic concepts
and terminology related to UFH model and new proposed schemes. Section 3 specifies
the UFH model system settings and attacker models. The UFH model and original
scheme is explained in Section 4. Section 5 analyses the new proposed BMA scheme and
Merkleleaf scheme. Section 6 concludes the project with future work.
COMP 4905 Honours Project Report Dongchao Chen
7
2. Background
This report includes numerous wireless network security terminologies, techniques, data-
structure implementations related to UFH model and these new proposed schemes (e.g.,
BMA, Merkleleaf). This section gives you a background review for these topics
2.1 ECC-based public key cryptography
Elliptic curve cryptography (ECC) based public key cryptography algorithms are used for
digital certificates – “an electronic credentials that are used to verify the identities of
individuals and devices” [9]. Compared to another two main signature algorithms (RSA
and DSA), ECC-based signature algorithms provides added size and performance
advantages. Here are a few of them:
• ECDSA (Elliptic Curve Digital Signature Algorithm)
• ECPVS (Elliptic Curve Pintsov Vanstone Signatures)
• ECQV (Elliptic Curve Qu Vanstone)
• ECNR (Elliptic Curve Nyberg Rueppel)
2.2 Jammer Types
Jammer is “an entity who is purposefully trying to interfere with the physical
transmission and reception of wireless communication” [11] (pp.47). There are many
possible attack strategies for a jammer to perform in order to interfere with other wireless
communications. Nevertheless, based on the consequence of these attack philosophies,
we can classify them as the subsequent types of jammers [10] [11] (pp.47-48):
COMP 4905 Honours Project Report Dongchao Chen
8
• Constant (Static) jammer
A constant (static) jammer continually sends random bits on the same channels
even when these channels are not idle. This type of jammer can effectively
prevent legitimate traffic from getting hold of channel and sending packets.
• Deceptive jammer
A deceptive jammer constantly injects the same packets to the channel without
any gap between subsequent packet transmissions, thus the receiver believes that
there is a legitimate packet and will be duped to remain in the receiving state and
waiting for the remaining packets.
• Sweep jammer
A sweep jammer electronically sweeps a narrow frequency band of available
channels of the wireless communication system.
• Random jammer
As its name says, a random jammer alternates between jamming and sleeping and
can operate as a constant jammer, deceptive jammer or sweep jammer.
• Reactive (Responsive) jammer
This kind of jammer stays quiet when no traffic in channels, whenever the jammer
senses activity on the channels, it perform attacks.
COMP 4905 Honours Project Report Dongchao Chen
9
2.3 Verifiable Message Coding Techniques
In order to improve the throughput/latency of UFH-based communication, one possible
way is to deploy the correct messaging coding. This section illustrates the erasure coding
Merkle trees and cryptographic accumulators.
2.3.1 Erasure Coding
Erasure coding theory supports the message reassembly even if only a subset of all
fragments is available. Optimal erasure codes can encode a message M into k fragments
of m bits such that any subset of k fragments can be used to reconstruct M. Near optimal
erasure codes are more efficient than optimal codes in terms of coding complexity and
memory usage, however it requires a bigger fragment size of |M| / (k-ε) for the
reconstruction of message M [6] (pp.3). “The constant ε is a code parameter that can
usually be reduced at the expense of a higher coding complexity [6] (pp.3)”. To simply
the erasure coding representation, we can use (a,b) to represent that (perfect) erasure
code, where a is data symbols and (b-a) is other coding symbols. In order to recover the
original message, a total of a symbols need to be received [1] (pp.3).
One of the perfect erasure coding examples is Reed-Solomon coding, which requires
O(b2) operations to decode, where b is the size of message [13]. Near-optimal erasure
coding such as Toronto coding [14], Raptor coding [15], or LT coding [16] only need
linear-time operation (O(b)), but they require a+ ε symbol receptions [6] (pp.3).
The most significant defect of erasure coding is it can only correct for missing symbols in
known locations, any malicious insertion or modification (i.e., pollution attack) will
COMP 4905 Honours Project Report Dongchao Chen
10
result in decoding errors [1] (pp.3). Therefore, erasure coding should be combined with
verification techniques (e.g. Merkle trees, One-Way Accumulators, etc.).
2.3.2 Merkle trees
A Merkle tree or a Merkle hash tree is a binary tree with cryptographically secure hash
values, which contains no more than 2k hashes for a collection of k fragments. We can
use Merkle tree to efficiently verify the message fragments since the leaf nodes of the
tree are given by the hash values of their respective fragments. One important property of
Merkle tree is the neighboring children are hashed together to form their parent nodes,
which is repeated until reach the root node. The hash value of the root is assigned by the
originator. Then to determine the validation of the message, the only required procedure
is to check whether the root received marches the corresponding hash value of the
message. If result is not matching, the receiver can determine erroneous fragments
through a binary search of the Merkle tree [1] (pp.4).
2.3.3 One-Way Accumulators
One-Way Accumulator is a decentralized alternative solution to digital signatures, which
is used to verify if a group of packets share the same origin. This verification step does
not require knowledge of the sender’s public key, and therefore allow the verification to
take place prior to message authentication [1] (pp.4).
An accumulator is a two – to – one collision-resistant hash function h(u,x), mapping from
COMP 4905 Honours Project Report Dongchao Chen
11
U x X to U. with the property quasi-commutativity: ℎ�ℎ��, ���, ��� = ℎ�ℎ��, ���, ��� for
all ��, �� ∈ � “The implication of quasi-commutativity is that given an arbitrary starting
value u and a set X of fragments, the result of sequentially hashing all fragments x ∈ � is
the same regardless of the order they hash of the set � ”[1] (pp.4).
A witness w can be generated for a fragment x which could be used to verify x ∈ �, with
� being the set if fragments originated from the specific source. For instance, to get the
witness � for a fragment�� ∈ �, the sender picks a random u and computes
� = ℎ��, � − ��� = ℎ�… �ℎ� ℎ��, ���, ���� … , ���,
accumulating all messages in � except for��. This is repeated for all of the remaining
messages in �, resulting in k(k-1) hash operations [1] (pp.4). In order to verify whether
two fragments �� and �� belong to the same set �, the receiver only needs to verifies
ℎ� �, ��� = ℎ� � , ���.
COMP 4905 Honours Project Report Dongchao Chen
12
3. System and Attacker Models
As all new proposed schemes that are analyzed in this report are based on the original
Uncoordinated Frequency Hopping (UFH) model, this report utilizes the same
communication framework that proposed by Strasser, Popper, Capkun and Cagalj in [4]
(pp.3 - 4).
The notation used throughout this report is summarized in Table 1.
Table 1: A summary of notation used in the report
Symbol Definition
A specific sender who sends the communication signal to receiver
B specific receiver who gets the communication signal from sender
c number of orthogonal communication channels
cn number of channels on which a node can send
cm number of channels on which a node can receive on
fA the hopping frequency of the sender A
fB the hopping frequency of the receiver B (fB << fA)
Pa the strength of the signal arriving at a receiver
Pt the minimal required signal strength for receiver B
Pj the minimal required strength of the attacker’s signal for jamming
Po the minimal required strength of the attacker’s signal for overshadowing
PT the maximal strength of the attacker’s signal
(PK, SK) public/private key pair
p probability of successful jamming
M message that sender wants to transfer to the receiver
M’ the set of all fragments
m message length (bits)
k number of message fragments
COMP 4905 Honours Project Report Dongchao Chen
13
l number of message fragments used to reconstruct message M (l ≤ k)
ε a code parameter that can usually be reduced at the expense of a higher coding compliexity
V number of sender’s (valid) packet receptions
Z number of total packet receptions
t normalized time, average packet reception time
h(.) hash function
Hk Kth harmonic number, Hk =∑ �
�����
(a,b) erasure code mapping a data to b coded packets
q probability of sending a header packet (Merkle)
w witness (distillation codes / one-way accumulator)
3.1 System Model
To simplify the analyses of schemes, we assume that there are only two nodes in the
system and both of them reside within each other’s power range and initially unknown of
each other. Both nodes can always get the signals from each other. The goal of each node
is try to establish communication connection with detected node in its communication
neighborhood [4] (pp.3).
Each node has the following equipments [4] (pp.3):
• Processing and storage units
• Clock which is assume to be loosely synchronized in the order of seconds with
other notes’ clocks in the same communication neighborhood
• A radio transceiver used to perform frequency hopping communication,
COMP 4905 Honours Project Report Dongchao Chen
14
Each node can send message fragments on cn number of channels while simultaneously
receive signals on cm number of channels with the help of node’s transceiver, which
permits each node to hop within a given set C (|C| = c) of available frequency channels
[1](pp.3) [4](pp.3) . We denote by Pa as the strength of the signal arriving at a receiver
and Pt as the minimal required signal strength for receiver B to get the message.
The whole system model has the subsequent assumptions [1](pp.3) [4](pp.3, 8):
• Equipped with processing and storage units, the node is able to store data and
efficiently perform ECC-based public key cryptography.
• The radio transceiver of the node does not leak information about its active
reception channels.
• Each node has the ability to send and receive signals on or more frequencies
simultaneously, and assume that the time required to switch between channels is
zero. Therefore, receiver always listens on the correct channel.
• Assume that the number of channels c is sufficient large such that the chance of
collisions between the sender’s messages and receiver’s replies is negligible.
• Assume that the sender A splits its available power uniformly over its cn send
channels, thus the sender A transmits with the same signal strength on all
channels
• Assume that the number of nodes in the neighborhood of the receiver that use the
same channels is low (i.e. << c) and that the impact of unintentional interference
could be negligible, therefore the reception of each packet is independent of the
others.
COMP 4905 Honours Project Report Dongchao Chen
15
• Each node does not have knowledge of other nodes’ public keys.
• Each node has a public/private key pair (PK, SK) and a valid public-key-
certificate that is issued by a trusted Certification Authority (CA). Thus, each
node can authenticate key establishment message from valid parties.
3.2 Attacker Model
This section illustrates the attacker model for analyzing the UFH-based schemes.
3.2.1 Attacker Assumptions
In our system, the attacker(s) could be omnipresent with limited computation ability and
therefore the adversary could constantly jam up to a fraction p of the c channels, that is,
jams each packet with probability p and p < 1 [1] (pp.3).
The attacker’s capabilities in our system are only restricted by his/her transceiver, that is,
we only consider the signal strengths at the receiver. Related physical parameters such as
“node distances, node characteristics (e.g., their antenna gains), and environmental
influences” will not be considered [4] (pp.4). For a given Pa - the strength of the signal
arriving from node A to receiver B, we denote by Pj (Po) as the minimal required strength
of the attacker’s signal at B in order to jam (overshadow) the original signal sent from A
to B. We have Pt < Pa and Pj < Po and thus for receiver B to successfully get original
signal from node A, then the strength of the attacker’s signal at receiver B is less then Pj.
In the Figure-2, at time slot t1, since J’s signal is less than minimal required jam strength
Pj, then receiver B successfully get message from node A; at time slot t2, since J’s signal
is larger than Pj and smaller than the overshadow signal strength Po, the message from
COMP 4905 Honours Project Report Dongchao Chen
16
node A to receiver B is jammed while B still gets some valid message packets from node
A; the worst case happens in time slot t3, J’s signal is larger than Po, the message from
node A to receiver B is completely overshadowed by attacker’s message [4] (pp.4).
Figure-2: Required signal strengths
We denote by PT to represent the maximal strength of the attacker’s signal at receiver B.
3.2.2 Attacker Strategy Selection
There are two common attack types for an adversary, either performing Denial-of-Service
(DoS) attack which preventing communication parties from exchanging any useful
information, or inserting a large number of malicious packets into communication
channels (i.e. pollution attack) [1] (pp.3). In the original UFH scheme paper, Strasser,
Popper, Capkun and Cagalj abstracted attackers’ strategies as below [4] (pp.3-4):
• AI - The attacker can insert malicious messages (see Figure-3) into packets.
These message could be generated by using public keys and cryptographic
functions or the previous messages which can cause the overheard for receivers.
COMP 4905 Honours Project Report Dongchao Chen
17
Figure-3: Attacker Insert Strategy
• AM – The attacker can modify the message (see Figure-4) by either flipping bits in
the message or “entirely overshadowing original messages” [4] (pp.4).
Figure-4: Attacker Modify Strategy
• AJ – The attacker can jam message (see Figure-5) by transmitting signals that
cause the receiver could not get sender’s signal. Research showed that the portion
of a message which could be jammed by at attacker depends on the used coding
scheme and at most 15% of the original message size could be unreadable to the
receiver [8].
Figure-5: Attacker Jam Strategy
• AI,M,J – Mixed actions including all above behaviors.
COMP 4905 Honours Project Report Dongchao Chen
18
To simply the analyses, we assume that the adversary prefers to solely jamming in the
system as Strasser, Popper, Capkun and Cagalj proved that the optimal strategy for the
attacker in the UFH is jamming [4] (pp.11).
4. Uncoordinated Frequency Hopping Model
The Uncoordinated Frequency Hopping (UFH) model that proposed by Strasser, Popper,
Capkun and Cagalj breaks shared key dependency in the jamming environment (see
Figure-6). This section first introduces the idea of the UFH model and then illustrates the
first verification protocol in the UFH model – the Hash-Linked Scheme with related
analyses.
Figure-6: Break the shared key dependency
4.1 Idea of UFH Model
The idea of uncoordinated frequency hopping strategy is based on the research paper
“Wormhold-Based Anti-Jamming Techniques in Sensor Networks” by Cagalj, Capkun
and Hubaux, that is, the adversary cannot jam all frequency channels on which the nodes
communicate at the same time, thus the conversation parties can still send and receive
COMP 4905 Honours Project Report Dongchao Chen
19
messages through the remaining channels [12] (pp.21-22). Compared to the coordinated
frequency hopping, the senders and receivers in the UFH model transmit and listen on
randomly selected channels instead of utilizing the shared secret channel sequence. And
it is obvious that for long periods of time, the consultation parties will have chances that
sending and listening on the same frequency channel at the same time [4] (pp.2). An
example is illustrated in the Fingure-7 below, when the sender and receiver
simultaneously on the same frequency channel, then the packet sent on this frequency is
successfully transmitted over the channel (e.g., 5 and 11).
Figure-7: UFH Example
Though the throughput of the UFH model is considerably lower than the traditional
frequency hopping protocol, the probability that a transmitted fragment of message get
jammed by a adversary is the same, since for each transmitted packet, the jammer needs
to guess the transmission frequency [4] (pp.5).
4.2 Hash-Linked Scheme
This section first explains the procedures of the Hash-Linked Scheme, then illustrates the
security properties of the UFH and evaluates the performance under different Attacker
Strategies.
COMP 4905 Honours Project Report Dongchao Chen
20
4.2.1 Hash-Linked Scheme
Let M denote the message (m bits length) that the sender wants to transfer to the receiver.
Due to the nature of the uncoordinated frequency hopping, the sender cannot send this
message just in one transmission slot, therefore this message will be split into k pieces of
fragments and each fragment will be repeatedly send to the receiver until receiver gets all
fragments of the message. In the hash-linked protocol, the message fragmentation and
transmission is performed by the sender and receiver reassembles arrived message
fragments [4] (pp.5).
• Fragmentation
The sender splits the message M into k pieces fragments and then encapsulates each
fragment into a packet (See Fingure-8) which comprises “a message identifier (id), the
fragment number (i), the fragment itself (mi) and the hash value of the next packet
(h(mi+1)) [4] (pp.5)”. Here the h(.) is a collision-resistant hash function (A hash function
that is hard to find the two inputs that hash to the same output.), which guarantees the
uniqueness of each packet. Each packet links to the next fragment and the last packet
links to the first fragment, which results in an unbreakable hash-linked cyclic that
disables the attacker’s ability to insert or modify packets in the message. In order to
against non-responsive jamming attack, the sender should also use the coding and
interleaving schemes on the packet [4] (pp.10).
COMP 4905 Honours Project Report Dongchao Chen
21
Figure-8: hash linking
• Transmission
The sender repeats sending the sequence of packets on randomly selected channels; at the
same time the sender listens on all incoming channels and immediately reassembles the
received packets. The sender will stop sending message packets until it gets an expected
reply from receiver or the protocol aborts the execution due to the limited abilities or
running out of the time [4] (pp.5).
• Reassembly
The receiver reassembles the received message packets by identifying the message
identifiers and also comparing the hash values of packets. After enough repetitions, the
receiver should get all k packets and reassemble all these packets into the hash-linked
chain [4] (pp.5). At that time, the receiver can process the message in the packets. The
maximum verification computation for receiver is equal to Z hash operations in the
worst-case, where Z is the total number of packet receptions. And “the maximum number
of message authentications at the receiver is Z/K, corresponding to the case when all
packets are distinct and form complete hash chains [1] (pp.3)”.The biggest limitation of
COMP 4905 Honours Project Report Dongchao Chen
22
hash-linked scheme is the receiver can reassemble the message until it receives all
message packets [4] (pp.7). Section 5 introduces two improved UFH-based protocols
which allow a message can be reassembled when only part of all packets is available.
4.2.2 Security Analysis of the Hash-Linked Scheme
The security properties of the hash-linked scheme are promised by the usage of hash-
linking and the chain structure. As each packet of the message is linked to its successor
by the hash value of that successor, then the attacker is prevented from inserting
malicious packets after valid packets. Let’s say there are two packets A and B in the
message. Packet A knows the hash value of packet B. So when the receiver gets both
packet A and B, the only case that packet A will connect to the packet B is the hash value
in the packet A is equal to the hash value of packet B. That means if an adversary wants
the receiver to accept the fake packet B’ , that packet B’ must has the same hash value of
packet B, which means to find a collision in the collision-resistant hash function. That is
an infeasible task for a computationally bounded attacker [4] (pp.6). Additionally, as the
last packet is linked to the first fragment of the message, the attacker is prevented from
inserting additional header packets to the same chain. More precisely, without the linked
chain structure, the attacker can create an additional header packet p1’ (p1’ = id|1|M1’|h2)
according to the original header packet p1 = id|1|M1|h2, where M1’ is accepted as a
genuine head fragment for the chain started by h2. In the hash-linked chain structure, the
adversary has to find the fragment M1’ such that h(M1’) = h(M1). Nevertheless, to get
such a fragment M1’ is impossible for the attacker since we could not find a collision in
the collision-resistant hash function [4] (pp.6). Therefore, with linked packet chain, the
only possible attack strategy for the adversary is “to introduce the entire replayed or self-
COMP 4905 Honours Project Report Dongchao Chen
23
constructed chains [4](pp.6)”, otherwise the receiver will drop all these packets when he
checks the hash-linked chain. To eliminate the attacks of introduction of entire replayed
or self-constructed message, we have to use the protocols that running on top of the UFH
hash-linked scheme, for instance, performing key establishment.
In a summary, the security aspects of the UFH protocol are promised by (see Figure-9):
1. Frequency hopping and packet repetitions in the sending process resist the packet
jamming in the UFH.
2. Cryptographic (e.g., hash) linking identifies the modified packets in linear workload
3. Reassembled message that fail the signature verification or have an expired
timestamp are discarded.
Figure-9: UFH Security Aspects
COMP 4905 Honours Project Report Dongchao Chen
24
4.2.3 Performance Analysis of the Hash-Linked Scheme
In the hash-linked scheme, the message fragmentation is trivial. With the implementation
of structure of hash-linked chain, “the number of messages that receiver must reassemble
and verify remains linear in the number of packets (fragments) that the receiver receives”
[6] (pp.2). Since in section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our
system, the worst probability that a particular packet is successfully received is:
Resulting in an expected number of required packet transmissions of NJ = N(pmAJ ) [4]
(pp.11).
Of all introduced static, sweep, random, responsive, and hybrid jammers, responsive-
sweep jammers are the most efficient [4] (pp.10).
5. Improved UFH-based Schemes
This section analyses the BMA and Merkleleaf schemes.
5.1 BMA Scheme
BMA scheme is an improved message coding scheme which utilizes the erasure coding
combined with the one-way authenticator based on bilinear maps. This section first
explains the procedures of the BMA scheme, and then illustrates the security properties
of this scheme with related performance analyses.
( ) p1,1ic
cmin11p j
n1c
0i
Am
mJ
−
−−∏−=
−
=
COMP 4905 Honours Project Report Dongchao Chen
25
5.1.1 How BMA Scheme Works
Define a set of packets M’ as being verifiable with respect to an erasure code ���, �, ��
and a message M if at least � of the packets in M’ can be verified as belonging to the
message M[6] (pp.3). Due to the nature of the uncoordinated frequency hopping, the
sender cannot send this message just in one transmission slot, therefore this message will
be split into k pieces of fragments and each fragment will be repeatedly send to the
receiver until receiver gets all fragments of the message. In the BMA Scheme, the
message fragmentation and transmission is performed by the sender and receiver
reassembles arrived message fragments [6] (pp.4).
• Fragmentation
The sender computes for each fragment �� generated by an erasure code ���, �, ��, and
then calculate witness value �= ��… ����… �� !, ��� … , ��"��, ��#�� … , ��� where !
is the message id and M’ is the set of all fragments. Finally each fragment �� is
encapsulated into the packet which comprises “a message identifier (id), the fragment
numbers (i), the number of required fragments � and the witness �” [6] (pp.4),
• Transmission
The sender repeats sending the sequence of packets on randomly selected channels; at the
same time the sender listens on all incoming channels and immediately reassembles the
received packets. The sender will stop sending message packets until it gets an expected
reply from receiver or the protocol aborts the execution due to the limited abilities or
running out of the time.
COMP 4905 Honours Project Report Dongchao Chen
26
• Reassembly
The receiver reassembles the received message packets by computing the accumulator
$ = �� � , ���, due to the quasi-commutative property of the one-way accumulator, the
value of accumulator y is exactly the same for all fragment/witness pairs of the same
message. Therefore, verifying whether a packet belongs to the same message is linear
that involves the computation of the accumulator and then comparing the calculated
accumulator value with other already received packets. Since BMA scheme implements
the erasure coding, receiver can start reassembling the packet(s) as soon as it is received.
5.1.2 Security Analysis of the BMA Scheme
The security properties of the BMA scheme are promised by the usage of cryptographic
one-way accumulator. Due to the quasi-commutative property of the one-way
accumulator, the accumulator y is identical for all fragment/witness pairs of the same
message. Meanwhile, an accumulator is a two-to-one collision-resistant hash function,
thus it is impossible for a computationally bounded attacker to find a collision value �′
such that �� � , ��� = �� �′, ��′� [6] (pp.5).
In a nutshell, the security aspects of the BMA Scheme are promised by:
1. Frequency hopping and packet repetitions in the sending process resist the packet
jamming in the BMA
2. Cryptographic one-way accumulator identifies the modified packets in linear
workload
3. Reassembled message that fail the signature verification or have an expired
timestamp are discarded.
COMP 4905 Honours Project Report Dongchao Chen
27
5.1.3 Performance Analysis of the BMA Scheme
In the BMA scheme, both the message fragmentation and reassembly is linear. Since in
section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our system, the worst
probability that a particular packet is successfully received for BMA scheme is the same
as UFH model:
Resulting in an expected number of required packet transmissions of NJ = N(pmAJ ) [4]
(pp.11). The reason why this expected packet transmissions value is the same as in the
BMA scheme, uncoordinated frequency hopping is still used. However, since BMA
deploys the erasure codes combined with one-way accumulator, when the receiver get �
packets, he/she could use erasure coding to get all the message, which is definitely faster
than the original UFH scheme. A Java simulation test showed that compared to the
original UFH scheme, “BMA reduces the UFH communication latency up to one-half
(i.e., increases the throughput up to two times)” [6] (pp.6).
5.2 Merkleleaf Scheme
Merkleleaf scheme uses erasure coding to reduce the average number of packet
receptions required to reconstruct the message, which reduces the communication time
without impacting receiver or sender complexity. This section first explains how
Merkleleaf works, and then illustrates the security properties of this scheme with related
performance analyses.
( ) p1,1ic
cmin11p j
n1c
0i
Am
mJ
−
−−∏−=
−
=
COMP 4905 Honours Project Report Dongchao Chen
28
5.2.1 How Merkleleaf Scheme Works
The Merkleleaf scheme increases the communication efficiency via the usage of erasure
codes and the implementation of Merkleleaf data structure with the origin design of UFH
model (See Figure-10). Initially, each packet is divided into two separated parts, namely,
header and body. The header part of each package store the specific hash for
corresponded data on the merkleleaf tree, and these header packets implement the UFH
scheme (e.g., hash-linked chain) to transfer them to the receiver. Once the receiver
receives all header packages, whenever the body fragment gets received by receiver,
he/she can easily implement related hash to get the data value. Also this scheme deploys
the erasure coding, then the receiver could get the whole message when he/she gets all a
Data Fragment [1] (pp.5).
Figure-10: Merkleleaf Scheme
COMP 4905 Honours Project Report Dongchao Chen
29
5.2.2 Security Analysis of the Merkleleaf Scheme
The security of header packets is guaranteed by the original UFH hash-linked chain.
Through erasure coding is susceptible to the pollution attacks (i.e., inserting malicious
packets), the implementation of data structure merkleleaf tree promises the erasure
coding can always know its location.
To conclude, the security aspects of the Merkleleaf Scheme are promised by:
1. Frequency hopping and packet repetitions in the sending process resist the packet
jamming in the Merkleleaf Scheme.
2. Cryptographic (e.g., hash) linking identifies the modified packets in linear workload
and erasure coding speeds up the packet reassembly process.
3. Reassembled message that fail the signature verification or have an expired
timestamp are discarded.
5.2.3 Performance Analysis of the Merkleleaf Scheme
In the Merkleleaf scheme, both the message fragmentation and reassembly is linear.
Since in section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our system, the
worst probability that a particular packet is successfully received for Merkleleaf scheme
is the same as UFH model:
Resulting in an expected number of required packet transmissions of NJ = N(pmAJ ) [4]
(pp.11). The reason why this expected packet transmissions value is the same as in the B
Merkleleaf scheme, uncoordinated frequency hopping is still used. However, since
( ) p1,1ic
cmin11p j
n1c
0i
Am
mJ
−
−−∏−=
−
=
COMP 4905 Honours Project Report Dongchao Chen
30
Merkleleaf deploys the erasure codes combined with merkleleaf tree data structure, after
receiver gets all the header packets, he/she only needs a packets to use erasure coding
technique to get all the message, which is definitely faster than the original UFH scheme.
5.3 BMA and Merkleleaf Comparison
If we could like to know which scheme is more efficient between BMA and Merkleleaf,
the answer will be obvious and there is no need for simulation. We propose a new
scheme named S that uses erasure coding with Merkle tree based space-eddicient one-
way accumulator. Since Merkleleaf scheme uses original UFH model to send the header
packets to receivers, then the new scheme S is definitely more efficient than Merkleleaf
scheme. As Strasser, Popper and Capkun have already proved that “the one-way
accumulator based on bilinear maps that implements in BMA scheme uses strictly less
overhead per packet than a Merkle tree based accumulator” [6] (pp.4,6)., then BMA
scheme is definitely more efficient than Merkleleaf scheme. Further investigation into
how better the BMA scheme is compared to Merkleleaf scheme could be left as future
work.
COMP 4905 Honours Project Report Dongchao Chen
31
6. Conclusions
Wireless communications are often susceptible to jamming. This paper first introduces
the general anti-jamming technique: FHSS (Frequency-hopping spread spectrum) and
then takes GPS application as an example to illustrate why people expect new protocol
that can be used to protect wireless communication from jamming without prior shared
secret keys/codes. Brief background information related to UFH and these new proposed
schemes are explained in Section 2. Details of UFH model (system and attacker models)
and hash-linked scheme are covered in Section 3 and 4. In section 5, this paper has been
proved that BMA scheme is better than Merkleleaf scheme with related analyses. The
following sections summaries the goals that reached and any missing work of this project
and finally talk about the future.
6.1 Review Goals
During this project, I got a better comprehension of Uncoordinated FHSS communication
techniques, not only understanding the original UFH model (system and attacker models)
but also get a chance to learn these coding theory (i.e., erasure codes, fountain codes,
cryptographic accumulator, etc.). It is important to realize that to get an optimal UFH-
based scheme, we should deploy correct message coding, packet coding and set the right
frequency channel set. I fully comprehend the strategies of BMA scheme and Merkleleaf
scheme and understood the related coding theory implemented in BMA and Merkleleaf.
I proved that BMA is better than Merkleleaf, however, I did not use simulation to get this
result. Also I do try the Octave programming for algorithm simulation. Therefore, I met
all the goals that set in the project proposal.
COMP 4905 Honours Project Report Dongchao Chen
32
6.2 Unsolved Problems
In fact, this topic is really challenge, which requires you to have a lot of knowledge about
networks, network security, electronics, wireless communication, etc. During the
research, I met problems about network security coding, algorithms that I could not fully
understand in this period. I took the notes and decided to think about them later.
6.3 Future work
The possible future work for improving UFH-based protocols could be develop some
Eclipse plug-in to support related simulation of UFH-based schemes. Anti-jamming is an
interesting and critical topic in the network security society, I plan to continue study it
after I graduate.
COMP 4905 Honours Project Report Dongchao Chen
33
7. References [1] David Slater, Patrick Tague, Radha Poovendran, and Brian J. Matt. A Coding Theoretic Approach for Efficient Message Verification Over Insecure Channels. In Proceedings of the ACM Conference on Wireless Network Security (Wise) 2009 pp.1 - 9. [2] The ABCs of Spread Spectrum – A Tutorial, http://www.sss-mag.com/ss.html#tutorial Retrieved February 10, 2010. [3] Leemon C. Baird, William L.Bahn, Michael D. Collins, Martin C. Carlisle, and Sean C. Butler. Keyless Jam Resistance, In Proceedings of the IEEE Information Assurance and Security Workshop (IAW), 2007 pp.1 [4] Matrio Strasser, Christina Popper, Srdjan Capkun, and Mario Cagalj. Jamming- resistant Key Establishment using Uncoordinated Frequenct Hopping. In Proceedings of the IEEE Symposium on Security and Privacy (2008) pp.1 - 14. [5] Mario Cagalj, Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping – Summer Research Institute – EPFL. Slide 1 - 43. Retrieved November 10, 2009. http://www.fesb.hr/~mcagalj/presentations/CagaljUFH09.ppt [6] Matrio Strasser, Christina Popper and Srdjan Capkun. Efficient Uncoordinated FHSS Anti-jamming Communication. In proceedings of the tenth ACM international symposium on Mobile and hoc networking and computing (2009) pp.1-14 [7] A.D. Wood and J.A. Stankovic, “Denial of service in sensor networks”, Computer, vol.35, no.10, pp54-62,2002 [8] G. Lin and G. Noubir. On link layer denial of service in data wirless lans: Research articles. Wireless Communications &Mobile CComputing, 5(3), 2005. [9] An introduction to the Uses of ECC-based Certificates, http://www.certicom.com/index.php/an-introduction-to-the-uses-of-ecc-based-certificates Retrieved February 10, 2010. [10] R.A. Poisel. Modern Communications Jamming Principles and Techniques. Artech House Publishers, 2006. [11] W.Xu, W. Trappe, Y.Zhang, and T. Wood. Feasibility of launching and detecting jamming attacks in wireless networks. In Proc. of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2005 pp46-57 [12] Mario Cagalj, Srdjan Capkun and Jean-Pierre Hubaux. Wormholde-Based Anti- Jamming Techniques in Sensor Networks. In Proceedings of IEEE TMC (2007). pp. 21~28. [13] R.M.Roth. Introduction to Coding Theory. Cambridge University Press, 2006 [14] J.W.Byers, M.Luby, M. Mitzebnacher, and A.Rege. A digital fountain approach to reliable distribution of bulk data. ACM SIGCOMN Computer Communication Review, 28(4):56-67, 1998 [15] A.Shokrollahi. Raptor codes. IEEE/ACM Transactions on Networking (TON), 14:2551-2567, 2006 [16] M.Luby. LT codes, In Proc. of the 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS’02), pages 150-159, May 1997.
COMP 4905 Honours Project Report Dongchao Chen
34
Appendix-A Acronyms CA Certification Authority
DoS Denial-of-Service
DSA Digital Signature Algorithm
ECC Elliptic curve cryptography
ECDSA Elliptic Curve Digital Signature Algorithm
ECPVS Elliptic Curve Pintsov Vanstone Signatures
ECQV Elliptic Curve Qu Vanstone
ECNR Elliptic Curve Nyberg Rueppel
FHSS Frequency Hopping Spread Spectrum
MAC Media Access Control
RF Radio Frequency\
RSA Rivest, Shamir, Adleman
UFH Uncoordinated Frequency Hopping