comp 4905 honours project report - school of computer ... · fhss (frequency hopping spread...

COMP 4905 Honours Project Report Dongchao Chen

COMP 4905 Honours Project Report

Uncoordinated FHSS Anti-Jamming Communication

Dongchao Chen (100672581) Supervisor: Evangelos Kranakis

School of Computer Science Carleton University

2010.04.15


ii

Abstract

Wireless communications are often susceptible to the jamming attack in which the

jammer maliciously injects packets into the wireless channels or specific layers (MAC,

link, network) causing erroneous message reception and reducing throughput. Numerous

protocols have been proposed for anti-jamming communication, and one of them is the

FHSS (Frequency Hopping Spread Spectrum) protocol, which takes advantages of prior

shared secret keys/codes between the communication partners to make the transmission

unpredictable for the adversary. However, this traditional anti-jamming technique is

becoming impractical when wireless communication is now vastly demanded in

commercial implementations. In 2008, Strasser, Popper, Capkun and Cagalj proposed the

first possible scheme (i.e., UFH scheme) in the world that broke the anti-jamming/key

establishment circular dependency. The main objective of this project is to get better

comprehension about UFH model and its related coding theory, at the same time to apply

the original UFH scheme as a performance benchmark to explore the improved efficiency

of the BMA and Merkleleaf schemes, specifically in the communication time, sender

complexity and receiver complexity both in the presence and absence of attackers, and

finally prove that BMA is better than Merkleleaf scheme.


iii

Acknowledgements

This is my final project during my undergraduate studies for the Bachelor of Computer

Science in Carleton University. Firstly I am enormously grateful to Professor Evangelos

Kranakis for his help and conduct of this project. I wish to thank Undergraduate Advisor

Joni Campbell who always gives me sensible and wise advisement during my academic

study. Finally I would like to thanks Carleton University Computer Science Department

and Carleton Coop office. I strongly believed that studying computer science in Carleton

University is a wise decision that I made in my life. I have successfully accomplished

both academic studies and coop work terms. I have learned a lot during these years and

now I am ready to take what I learned to face new challenges in the future.


iv

Table of Contents

1. Introduction ............................................................................................ 1

1.1 FHSS and the Problem ............................................................................ 1

1.2 Survey of UFH-based Schemes ................................................................ 3

1.3 Motivation ............................................................................................... 4

1.4 Project Overview ..................................................................................... 5

1.5 Outline .................................................................................................... 6

2. Background ............................................................................................. 7

2.1 ECC-based public key cryptography ...................................................... 7

2.2 Jammer Types ......................................................................................... 7

2.3 Verifiable Message Coding Techniques ................................................... 9

2.3.1 Erasure Coding .......................................................................................................... 9

2.3.2 Merkle trees ............................................................................................................. 10

2.3.3 One-Way Accumulators ........................................................................................... 10

3. System and Attacker Models ................................................................. 12

3.1 System Model ........................................................................................ 13

3.2 Attacker Model ..................................................................................... 15

3.2.1 Attacker Assumptions ............................................................................................... 15

3.2.2 Attacker Strategy Selection ...................................................................................... 16

4. Uncoordinated Frequency Hopping Model ........................................... 18

4.1 Idea of UFH Model................................................................................ 18

4.2 Hash-Linked Scheme ............................................................................ 19

4.2.1 Hash-Linked Scheme................................................................................................ 20

4.2.2 Security Analysis of the Hash-Linked Scheme ......................................................... 22

4.2.3 Performance Analysis of the Hash-Linked Scheme ................................................. 24

5. Improved UFH-based Schemes ............................................................. 24

5.1 BMA Scheme ......................................................................................... 24

5.1.1 How BMA Scheme Works ........................................................................................ 25

5.1.2 Security Analysis of the BMA Scheme ..................................................................... 26

5.1.3 Performance Analysis of the BMA Scheme .............................................................. 27

5.2 Merkleleaf Scheme ................................................................................ 27

5.2.1 How Merkleleaf Scheme Works ............................................................................... 28

5.2.2 Security Analysis of the Merkleleaf Scheme ............................................................ 29

5.2.3 Performance Analysis of the Merkleleaf Scheme..................................................... 29

5.3 BMA and Merkleleaf Comparison ........................................................ 30

6. Conclusions ........................................................................................... 31

6.1 Review Goals ......................................................................................... 31

6.2 Unsolved Problems ................................................................................ 32

6.3 Future work .......................................................................................... 32


v

7. References ............................................................................................. 33

Appendix-A Acronyms ............................................................................................ 34


vi

List of Figures

Figure 1 Anti-jamming/secret –establishment dependency graph

Figure-2: Required signal strengths

Figure-3: Attacker Insert Strategy

Figure-4: Attacker Modify Strategy

Figure-5: Attacker Jam Strategy

Figure-6: Break the shared key dependency

Figure-7: UFH Example

Figure-8: hash linking

Figure-9: UFH Security Aspects

Figure-10: Merkleleaf Scheme


vii

List of Tables

Table 1: A summary of notation used in the report


1

1. Introduction

Since RF (radio frequency) is essentially an open medium, wireless communications are

often susceptible to jamming. There are two typical jamming attacks for wireless

networks, namely, denial-of-service (DoS) attacks and pollution attacks [1] (pp.1). In

DoS attacks, a jammer can prevent legitimate users from accessing information and

services by targeting specific layers (MAC, link, network) of the system. Alternatively, in

pollution attack, an adversary can reduce system throughput with erroneous messages

reception via injecting polluted packets into the wireless channels [1] (pp.1). Numerous

protocols have been proposed for anti-jamming communication and one of the well-

known anti-jamming techniques is FHSS (Frequency-hopping spread spectrum). This

section first introduces the basic idea of FHSS technique with its defect, and then

illustrates the motivation of this project after a survey of new proposed schemes that are

based on the UFH (Uncoordinated Frequency-hopping) model which add additional

benefits that are not feasible in FHSS scheme. The remaining portion of this section lists

the goals for this project and the remainder structure of this paper.

1.1 FHSS and the Problem

Spread-spectrum radio communication technique is a favor for military usage as “it

resists jamming and is hard for an enemy to intercept” [2]. One of its implementations is

FHSS (Frequency-hopping spread spectrum). The signals in FHSS are distributed over a

wide range of frequencies. During the transmission, these signals hop from frequency to

frequency over that wide band and then get collected onto their original frequency at the


2

receiver side. Since the specific order in which frequencies are occupied is a function of a

code sequence, and the rate of hopping from one frequency to another is determined by

the message rate, therefore it is so inconspicuous as to be transparent, which guarantees

the anti-jamming feature of the FHSS system [2]. The typical usage of FHSS system

requires both sender and receiver share the secret keys/codes prior to the start of the

communication. That prior shared secret is used to produce a “cryptographically-secure,

pseudorandom frequencies sequence” [2] for communication, and thus the current used

frequency will be unpredictable for an adversary at any given time. Then if an attacker

still would like to destroy the communication, he/she has to flood all possible frequencies

to guarantee that every part of the message is polluted, which requires enormous amount

of time and power than authorized users. This asymmetry in both time and power usage

for attackers and legitimate users secure the anti-jamming system [3] (pp.1).

However, this traditional anti-jamming technique is becoming impractical when wireless

communication is now vastly demanded in commercial implementations. That is, the

secret keys/codes could not be given to all potential users, and if so the system using

FHSS would no longer be secret [3] (pp.1). For example, we would not share the secret

keys among GPS (Global Positioning System) users as there are 6.5 billion potential

users in the world, therefore the existed FHSS technique cannot be implemented on the

GPS and thus these systems are not protected from jamming. Nevertheless many airlines

now deploying the GPSs for navigation and even during the landing, then if an attacker

jams the system, there will be a catastrophe for the airplane [3] (pp.1). Consequently, it is

significantly important to have a new protocol which can be used to protect wireless


3

communication from jamming without prior shared secret keys/codes. This problem was

first addressed by Baird, Bahn, Collins, Carlisle and Butler in 2007 as one of the United

States Air Force research topics [3] (pp.1). In 2008, Strasser, Popper, Capkun and Cagalj

proposed the first possible scheme (i.e., UFH scheme) in the world which broke this

circular dependency and they named this problem as the anti-jamming/key establishment

circular dependency problem (See Figure 1) [4](pp.1-2) [5](pp.21).

Figure 1 Anti-jamming/secret –establishment dependency graph

1.2 Survey of UFH-based Schemes

The initial verification protocol in the UFH model that proposed by Strasser, Popper,

Capkun and Cagalj is Hash-Linked Scheme, which applies the hash-linked chain

structure to transfer message packets with the limitation that “all packets of a message

must be received before the message can be reassembled” [4] (pp.6). As in principle,

forward error correction techniques (i.e., erasure and fountain codes) allow for

reassembling a message when only a subset of all packets is received and the


4

decentralized property of one-way accumulators can individually verify packet signature,

Strasser, Popper and Capkun proposed a set of new verifiable message protocols based on

Erasure codes, cryptographic accumulators, and short signatures techniques, which

improve the efficiency of the original UFH model - “reducing the UFH communication

latency up to one-half (i.e., increase UFH throughput up to two times)” [6] (pp.2). Slater,

Tague, Poovendran and Matt also researched the original UFH model that was proposed

by Strasser, Popper, Capkun and Cagalj, and created three new approaches (Hashcluster

scheme, Merkleleaf scheme and witnesscode scheme) based on the coding theory to

improve the efficiency of original UFH verification protocol [1] (pp.1).

1.3 Motivation

Researching anti-jamming techniques is motivated by the increasing demands of security

requirements of wireless communication. Current anti-jamming solutions – ‘spread-

spectrum’ techniques (i.e., FHSS) cannot protect wireless communication as the secret

keys/codes are not scalable to large systems. The most typical example is the civilian

GPS application, which requires distributing all potential 6.5 billion users all over the

world, including these adversaries. Thus there is no way to use that secret key to protect

such a signal that is actually meant to the public [3] (pp.2). Since we cannot prevent

civilian GPS from jamming while we are still using them for airplane navigation and

landing, then if an attacker jams the airplane flight control system, we know what will be

happened. The increasing usage of ad-hoc networks in sensitive and mission-critical roles

demands more advanced techniques to against jamming and other malicious attacks [7].


5

The proposed UFH model by Strasser, Popper, Capkun and Cagalj gives us a hope to

prevent our wireless systems from jamming with less cost. We could first implement the

UFH scheme to establish the secret key between sender and receiver(s) and then use this

secret key to support later coordinated frequency hopping communication [5] (pp.7).

Nevertheless, original UFH model is not efficient on message coding, thus forward error

correction and packet verification techniques should be implemented to reduce

redundancy. The self motivation for this paper is to get an incisive comprehension for

these schemes and get prepared for the future research on wireless jamming topics.

1.4 Project Overview

Original UFH communication performance can be improved/optimized (i.e., how higher

throughput and lower transmission latency can be achieved) by a proper choice and

parameterization of the Message Coding, Packet Coding and Frequency Channel

Selection [6] (pp.3). In the seminal work of Strasser, Popper and Capkun, the BMA

scheme (“erasure coding combined with a one-way authenticator based on bilinear

maps”) [6] (pp.6) performs the best among the new proposed protocols. Meanwhile, the

independent work of Slater, Tague, Poovendran and Matt also came to the same

conclusion, that is, Witnesscode scheme (similar to BMA) is the best scheme among their

three new proposed protocols (Hashcluster scheme, Merkleleaf scheme and witnesscode

scheme) [1] (pp.9). The main objective of this project is to get better comprehension

about UFH model and its related coding theory, at the same time to apply the original

UFH scheme as a performance benchmark to explore the improved efficiency of the

BMA and Merkleleaf schemes, specifically in the communication time, sender


6

complexity and receiver complexity both in the presence and absence of attackers, and

finally prove that BMA is better than Merkleleaf scheme.

1.5 Outline

The remainder of the paper is organized as follows. Section 2 describes basic concepts

and terminology related to UFH model and new proposed schemes. Section 3 specifies

the UFH model system settings and attacker models. The UFH model and original

scheme is explained in Section 4. Section 5 analyses the new proposed BMA scheme and

Merkleleaf scheme. Section 6 concludes the project with future work.


7

2. Background

This report includes numerous wireless network security terminologies, techniques, data-

structure implementations related to UFH model and these new proposed schemes (e.g.,

BMA, Merkleleaf). This section gives you a background review for these topics

2.1 ECC-based public key cryptography

Elliptic curve cryptography (ECC) based public key cryptography algorithms are used for

digital certificates – “an electronic credentials that are used to verify the identities of

individuals and devices” [9]. Compared to another two main signature algorithms (RSA

and DSA), ECC-based signature algorithms provides added size and performance

advantages. Here are a few of them:

• ECDSA (Elliptic Curve Digital Signature Algorithm)

• ECPVS (Elliptic Curve Pintsov Vanstone Signatures)

• ECQV (Elliptic Curve Qu Vanstone)

• ECNR (Elliptic Curve Nyberg Rueppel)

2.2 Jammer Types

Jammer is “an entity who is purposefully trying to interfere with the physical

transmission and reception of wireless communication” [11] (pp.47). There are many

possible attack strategies for a jammer to perform in order to interfere with other wireless

communications. Nevertheless, based on the consequence of these attack philosophies,

we can classify them as the subsequent types of jammers [10] [11] (pp.47-48):


8

• Constant (Static) jammer

A constant (static) jammer continually sends random bits on the same channels

even when these channels are not idle. This type of jammer can effectively

prevent legitimate traffic from getting hold of channel and sending packets.

• Deceptive jammer

A deceptive jammer constantly injects the same packets to the channel without

any gap between subsequent packet transmissions, thus the receiver believes that

there is a legitimate packet and will be duped to remain in the receiving state and

waiting for the remaining packets.

• Sweep jammer

A sweep jammer electronically sweeps a narrow frequency band of available

channels of the wireless communication system.

• Random jammer

As its name says, a random jammer alternates between jamming and sleeping and

can operate as a constant jammer, deceptive jammer or sweep jammer.

• Reactive (Responsive) jammer

This kind of jammer stays quiet when no traffic in channels, whenever the jammer

senses activity on the channels, it perform attacks.


9

2.3 Verifiable Message Coding Techniques

In order to improve the throughput/latency of UFH-based communication, one possible

way is to deploy the correct messaging coding. This section illustrates the erasure coding

Merkle trees and cryptographic accumulators.

2.3.1 Erasure Coding

Erasure coding theory supports the message reassembly even if only a subset of all

fragments is available. Optimal erasure codes can encode a message M into k fragments

of m bits such that any subset of k fragments can be used to reconstruct M. Near optimal

erasure codes are more efficient than optimal codes in terms of coding complexity and

memory usage, however it requires a bigger fragment size of |M| / (k-ε) for the

reconstruction of message M [6] (pp.3). “The constant ε is a code parameter that can

usually be reduced at the expense of a higher coding complexity [6] (pp.3)”. To simply

the erasure coding representation, we can use (a,b) to represent that (perfect) erasure

code, where a is data symbols and (b-a) is other coding symbols. In order to recover the

original message, a total of a symbols need to be received [1] (pp.3).

One of the perfect erasure coding examples is Reed-Solomon coding, which requires

O(b2) operations to decode, where b is the size of message [13]. Near-optimal erasure

coding such as Toronto coding [14], Raptor coding [15], or LT coding [16] only need

linear-time operation (O(b)), but they require a+ ε symbol receptions [6] (pp.3).

The most significant defect of erasure coding is it can only correct for missing symbols in

known locations, any malicious insertion or modification (i.e., pollution attack) will


10

result in decoding errors [1] (pp.3). Therefore, erasure coding should be combined with

verification techniques (e.g. Merkle trees, One-Way Accumulators, etc.).

2.3.2 Merkle trees

A Merkle tree or a Merkle hash tree is a binary tree with cryptographically secure hash

values, which contains no more than 2k hashes for a collection of k fragments. We can

use Merkle tree to efficiently verify the message fragments since the leaf nodes of the

tree are given by the hash values of their respective fragments. One important property of

Merkle tree is the neighboring children are hashed together to form their parent nodes,

which is repeated until reach the root node. The hash value of the root is assigned by the

originator. Then to determine the validation of the message, the only required procedure

is to check whether the root received marches the corresponding hash value of the

message. If result is not matching, the receiver can determine erroneous fragments

through a binary search of the Merkle tree [1] (pp.4).

2.3.3 One-Way Accumulators

One-Way Accumulator is a decentralized alternative solution to digital signatures, which

is used to verify if a group of packets share the same origin. This verification step does

not require knowledge of the sender’s public key, and therefore allow the verification to

take place prior to message authentication [1] (pp.4).

An accumulator is a two – to – one collision-resistant hash function h(u,x), mapping from


11

U x X to U. with the property quasi-commutativity: ℎ�ℎ��, ��, �� = ℎ�ℎ��, ��, �� for

all ��, �� ∈ � “The implication of quasi-commutativity is that given an arbitrary starting

value u and a set X of fragments, the result of sequentially hashing all fragments x ∈ � is

the same regardless of the order they hash of the set � ”[1] (pp.4).

A witness w can be generated for a fragment x which could be used to verify x ∈ �, with

� being the set if fragments originated from the specific source. For instance, to get the

witness � for a fragment�� ∈ �, the sender picks a random u and computes

� = ℎ��, � − �� = ℎ�… �ℎ� ℎ��, ��, �� … , ��,

accumulating all messages in � except for��. This is repeated for all of the remaining

messages in �, resulting in k(k-1) hash operations [1] (pp.4). In order to verify whether

two fragments �� and �� belong to the same set �, the receiver only needs to verifies

ℎ� �, �� = ℎ� � , ��.


12

3. System and Attacker Models

As all new proposed schemes that are analyzed in this report are based on the original

Uncoordinated Frequency Hopping (UFH) model, this report utilizes the same

communication framework that proposed by Strasser, Popper, Capkun and Cagalj in [4]

(pp.3 - 4).

The notation used throughout this report is summarized in Table 1.

Table 1: A summary of notation used in the report

Symbol Definition

A specific sender who sends the communication signal to receiver

B specific receiver who gets the communication signal from sender

c number of orthogonal communication channels

cn number of channels on which a node can send

cm number of channels on which a node can receive on

fA the hopping frequency of the sender A

fB the hopping frequency of the receiver B (fB << fA)

Pa the strength of the signal arriving at a receiver

Pt the minimal required signal strength for receiver B

Pj the minimal required strength of the attacker’s signal for jamming

Po the minimal required strength of the attacker’s signal for overshadowing

PT the maximal strength of the attacker’s signal

(PK, SK) public/private key pair

p probability of successful jamming

M message that sender wants to transfer to the receiver

M’ the set of all fragments

m message length (bits)

k number of message fragments


13

l number of message fragments used to reconstruct message M (l ≤ k)

ε a code parameter that can usually be reduced at the expense of a higher coding compliexity

V number of sender’s (valid) packet receptions

Z number of total packet receptions

t normalized time, average packet reception time

h(.) hash function

Hk Kth harmonic number, Hk =∑ �

��

(a,b) erasure code mapping a data to b coded packets

q probability of sending a header packet (Merkle)

w witness (distillation codes / one-way accumulator)

3.1 System Model

To simplify the analyses of schemes, we assume that there are only two nodes in the

system and both of them reside within each other’s power range and initially unknown of

each other. Both nodes can always get the signals from each other. The goal of each node

is try to establish communication connection with detected node in its communication

neighborhood [4] (pp.3).

Each node has the following equipments [4] (pp.3):

• Processing and storage units

• Clock which is assume to be loosely synchronized in the order of seconds with

other notes’ clocks in the same communication neighborhood

• A radio transceiver used to perform frequency hopping communication,


14

Each node can send message fragments on cn number of channels while simultaneously

receive signals on cm number of channels with the help of node’s transceiver, which

permits each node to hop within a given set C (|C| = c) of available frequency channels

[1](pp.3) [4](pp.3) . We denote by Pa as the strength of the signal arriving at a receiver

and Pt as the minimal required signal strength for receiver B to get the message.

The whole system model has the subsequent assumptions [1](pp.3) [4](pp.3, 8):

• Equipped with processing and storage units, the node is able to store data and

efficiently perform ECC-based public key cryptography.

• The radio transceiver of the node does not leak information about its active

reception channels.

• Each node has the ability to send and receive signals on or more frequencies

simultaneously, and assume that the time required to switch between channels is

zero. Therefore, receiver always listens on the correct channel.

• Assume that the number of channels c is sufficient large such that the chance of

collisions between the sender’s messages and receiver’s replies is negligible.

• Assume that the sender A splits its available power uniformly over its cn send

channels, thus the sender A transmits with the same signal strength on all

channels

• Assume that the number of nodes in the neighborhood of the receiver that use the

same channels is low (i.e. << c) and that the impact of unintentional interference

could be negligible, therefore the reception of each packet is independent of the

others.


15

• Each node does not have knowledge of other nodes’ public keys.

• Each node has a public/private key pair (PK, SK) and a valid public-key-

certificate that is issued by a trusted Certification Authority (CA). Thus, each

node can authenticate key establishment message from valid parties.

3.2 Attacker Model

This section illustrates the attacker model for analyzing the UFH-based schemes.

3.2.1 Attacker Assumptions

In our system, the attacker(s) could be omnipresent with limited computation ability and

therefore the adversary could constantly jam up to a fraction p of the c channels, that is,

jams each packet with probability p and p < 1 [1] (pp.3).

The attacker’s capabilities in our system are only restricted by his/her transceiver, that is,

we only consider the signal strengths at the receiver. Related physical parameters such as

“node distances, node characteristics (e.g., their antenna gains), and environmental

influences” will not be considered [4] (pp.4). For a given Pa - the strength of the signal

arriving from node A to receiver B, we denote by Pj (Po) as the minimal required strength

of the attacker’s signal at B in order to jam (overshadow) the original signal sent from A

to B. We have Pt < Pa and Pj < Po and thus for receiver B to successfully get original

signal from node A, then the strength of the attacker’s signal at receiver B is less then Pj.

In the Figure-2, at time slot t1, since J’s signal is less than minimal required jam strength

Pj, then receiver B successfully get message from node A; at time slot t2, since J’s signal

is larger than Pj and smaller than the overshadow signal strength Po, the message from


16

node A to receiver B is jammed while B still gets some valid message packets from node

A; the worst case happens in time slot t3, J’s signal is larger than Po, the message from

node A to receiver B is completely overshadowed by attacker’s message [4] (pp.4).

Figure-2: Required signal strengths

We denote by PT to represent the maximal strength of the attacker’s signal at receiver B.

3.2.2 Attacker Strategy Selection

There are two common attack types for an adversary, either performing Denial-of-Service

(DoS) attack which preventing communication parties from exchanging any useful

information, or inserting a large number of malicious packets into communication

channels (i.e. pollution attack) [1] (pp.3). In the original UFH scheme paper, Strasser,

Popper, Capkun and Cagalj abstracted attackers’ strategies as below [4] (pp.3-4):

• AI - The attacker can insert malicious messages (see Figure-3) into packets.

These message could be generated by using public keys and cryptographic

functions or the previous messages which can cause the overheard for receivers.


17

Figure-3: Attacker Insert Strategy

• AM – The attacker can modify the message (see Figure-4) by either flipping bits in

the message or “entirely overshadowing original messages” [4] (pp.4).

Figure-4: Attacker Modify Strategy

• AJ – The attacker can jam message (see Figure-5) by transmitting signals that

cause the receiver could not get sender’s signal. Research showed that the portion

of a message which could be jammed by at attacker depends on the used coding

scheme and at most 15% of the original message size could be unreadable to the

receiver [8].

Figure-5: Attacker Jam Strategy

• AI,M,J – Mixed actions including all above behaviors.


18

To simply the analyses, we assume that the adversary prefers to solely jamming in the

system as Strasser, Popper, Capkun and Cagalj proved that the optimal strategy for the

attacker in the UFH is jamming [4] (pp.11).

4. Uncoordinated Frequency Hopping Model

The Uncoordinated Frequency Hopping (UFH) model that proposed by Strasser, Popper,

Capkun and Cagalj breaks shared key dependency in the jamming environment (see

Figure-6). This section first introduces the idea of the UFH model and then illustrates the

first verification protocol in the UFH model – the Hash-Linked Scheme with related

analyses.

Figure-6: Break the shared key dependency

4.1 Idea of UFH Model

The idea of uncoordinated frequency hopping strategy is based on the research paper

“Wormhold-Based Anti-Jamming Techniques in Sensor Networks” by Cagalj, Capkun

and Hubaux, that is, the adversary cannot jam all frequency channels on which the nodes

communicate at the same time, thus the conversation parties can still send and receive


19

messages through the remaining channels [12] (pp.21-22). Compared to the coordinated

frequency hopping, the senders and receivers in the UFH model transmit and listen on

randomly selected channels instead of utilizing the shared secret channel sequence. And

it is obvious that for long periods of time, the consultation parties will have chances that

sending and listening on the same frequency channel at the same time [4] (pp.2). An

example is illustrated in the Fingure-7 below, when the sender and receiver

simultaneously on the same frequency channel, then the packet sent on this frequency is

successfully transmitted over the channel (e.g., 5 and 11).

Figure-7: UFH Example

Though the throughput of the UFH model is considerably lower than the traditional

frequency hopping protocol, the probability that a transmitted fragment of message get

jammed by a adversary is the same, since for each transmitted packet, the jammer needs

to guess the transmission frequency [4] (pp.5).

4.2 Hash-Linked Scheme

This section first explains the procedures of the Hash-Linked Scheme, then illustrates the

security properties of the UFH and evaluates the performance under different Attacker

Strategies.


20

4.2.1 Hash-Linked Scheme

Let M denote the message (m bits length) that the sender wants to transfer to the receiver.

Due to the nature of the uncoordinated frequency hopping, the sender cannot send this

message just in one transmission slot, therefore this message will be split into k pieces of

fragments and each fragment will be repeatedly send to the receiver until receiver gets all

fragments of the message. In the hash-linked protocol, the message fragmentation and

transmission is performed by the sender and receiver reassembles arrived message

fragments [4] (pp.5).

• Fragmentation

The sender splits the message M into k pieces fragments and then encapsulates each

fragment into a packet (See Fingure-8) which comprises “a message identifier (id), the

fragment number (i), the fragment itself (mi) and the hash value of the next packet

(h(mi+1)) [4] (pp.5)”. Here the h(.) is a collision-resistant hash function (A hash function

that is hard to find the two inputs that hash to the same output.), which guarantees the

uniqueness of each packet. Each packet links to the next fragment and the last packet

links to the first fragment, which results in an unbreakable hash-linked cyclic that

disables the attacker’s ability to insert or modify packets in the message. In order to

against non-responsive jamming attack, the sender should also use the coding and

interleaving schemes on the packet [4] (pp.10).


21

Figure-8: hash linking

• Transmission

The sender repeats sending the sequence of packets on randomly selected channels; at the

same time the sender listens on all incoming channels and immediately reassembles the

received packets. The sender will stop sending message packets until it gets an expected

reply from receiver or the protocol aborts the execution due to the limited abilities or

running out of the time [4] (pp.5).

• Reassembly

The receiver reassembles the received message packets by identifying the message

identifiers and also comparing the hash values of packets. After enough repetitions, the

receiver should get all k packets and reassemble all these packets into the hash-linked

chain [4] (pp.5). At that time, the receiver can process the message in the packets. The

maximum verification computation for receiver is equal to Z hash operations in the

worst-case, where Z is the total number of packet receptions. And “the maximum number

of message authentications at the receiver is Z/K, corresponding to the case when all

packets are distinct and form complete hash chains [1] (pp.3)”.The biggest limitation of


22

hash-linked scheme is the receiver can reassemble the message until it receives all

message packets [4] (pp.7). Section 5 introduces two improved UFH-based protocols

which allow a message can be reassembled when only part of all packets is available.

4.2.2 Security Analysis of the Hash-Linked Scheme

The security properties of the hash-linked scheme are promised by the usage of hash-

linking and the chain structure. As each packet of the message is linked to its successor

by the hash value of that successor, then the attacker is prevented from inserting

malicious packets after valid packets. Let’s say there are two packets A and B in the

message. Packet A knows the hash value of packet B. So when the receiver gets both

packet A and B, the only case that packet A will connect to the packet B is the hash value

in the packet A is equal to the hash value of packet B. That means if an adversary wants

the receiver to accept the fake packet B’ , that packet B’ must has the same hash value of

packet B, which means to find a collision in the collision-resistant hash function. That is

an infeasible task for a computationally bounded attacker [4] (pp.6). Additionally, as the

last packet is linked to the first fragment of the message, the attacker is prevented from

inserting additional header packets to the same chain. More precisely, without the linked

chain structure, the attacker can create an additional header packet p1’ (p1’ = id|1|M1’|h2)

according to the original header packet p1 = id|1|M1|h2, where M1’ is accepted as a

genuine head fragment for the chain started by h2. In the hash-linked chain structure, the

adversary has to find the fragment M1’ such that h(M1’) = h(M1). Nevertheless, to get

such a fragment M1’ is impossible for the attacker since we could not find a collision in

the collision-resistant hash function [4] (pp.6). Therefore, with linked packet chain, the

only possible attack strategy for the adversary is “to introduce the entire replayed or self-


23

constructed chains [4](pp.6)”, otherwise the receiver will drop all these packets when he

checks the hash-linked chain. To eliminate the attacks of introduction of entire replayed

or self-constructed message, we have to use the protocols that running on top of the UFH

hash-linked scheme, for instance, performing key establishment.

In a summary, the security aspects of the UFH protocol are promised by (see Figure-9):

1. Frequency hopping and packet repetitions in the sending process resist the packet

jamming in the UFH.

2. Cryptographic (e.g., hash) linking identifies the modified packets in linear workload

3. Reassembled message that fail the signature verification or have an expired

timestamp are discarded.

Figure-9: UFH Security Aspects


24

4.2.3 Performance Analysis of the Hash-Linked Scheme

In the hash-linked scheme, the message fragmentation is trivial. With the implementation

of structure of hash-linked chain, “the number of messages that receiver must reassemble

and verify remains linear in the number of packets (fragments) that the receiver receives”

[6] (pp.2). Since in section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our

system, the worst probability that a particular packet is successfully received is:

Resulting in an expected number of required packet transmissions of NJ = N(pmAJ ) [4]

(pp.11).

Of all introduced static, sweep, random, responsive, and hybrid jammers, responsive-

sweep jammers are the most efficient [4] (pp.10).

5. Improved UFH-based Schemes

This section analyses the BMA and Merkleleaf schemes.

5.1 BMA Scheme

BMA scheme is an improved message coding scheme which utilizes the erasure coding

combined with the one-way authenticator based on bilinear maps. This section first

explains the procedures of the BMA scheme, and then illustrates the security properties

of this scheme with related performance analyses.

( ) p1,1ic

cmin11p j

n1c

0i

Am

mJ

−

−−∏−=

−

=


25

5.1.1 How BMA Scheme Works

Define a set of packets M’ as being verifiable with respect to an erasure code ��, �, ��

and a message M if at least � of the packets in M’ can be verified as belonging to the

message M[6] (pp.3). Due to the nature of the uncoordinated frequency hopping, the

sender cannot send this message just in one transmission slot, therefore this message will

be split into k pieces of fragments and each fragment will be repeatedly send to the

receiver until receiver gets all fragments of the message. In the BMA Scheme, the

message fragmentation and transmission is performed by the sender and receiver

reassembles arrived message fragments [6] (pp.4).

• Fragmentation

The sender computes for each fragment �� generated by an erasure code ��, �, ��, and

then calculate witness value �= ��… ��… �� !, �� … , ��"��, ��#�� … , �� where !

is the message id and M’ is the set of all fragments. Finally each fragment �� is

encapsulated into the packet which comprises “a message identifier (id), the fragment

numbers (i), the number of required fragments � and the witness �” [6] (pp.4),

• Transmission

The sender repeats sending the sequence of packets on randomly selected channels; at the

same time the sender listens on all incoming channels and immediately reassembles the

received packets. The sender will stop sending message packets until it gets an expected

reply from receiver or the protocol aborts the execution due to the limited abilities or

running out of the time.


26

• Reassembly

The receiver reassembles the received message packets by computing the accumulator

$ = �� , ��, due to the quasi-commutative property of the one-way accumulator, the

value of accumulator y is exactly the same for all fragment/witness pairs of the same

message. Therefore, verifying whether a packet belongs to the same message is linear

that involves the computation of the accumulator and then comparing the calculated

accumulator value with other already received packets. Since BMA scheme implements

the erasure coding, receiver can start reassembling the packet(s) as soon as it is received.

5.1.2 Security Analysis of the BMA Scheme

The security properties of the BMA scheme are promised by the usage of cryptographic

one-way accumulator. Due to the quasi-commutative property of the one-way

accumulator, the accumulator y is identical for all fragment/witness pairs of the same

message. Meanwhile, an accumulator is a two-to-one collision-resistant hash function,

thus it is impossible for a computationally bounded attacker to find a collision value �′

such that �� , �� = �� ′, ��′� [6] (pp.5).

In a nutshell, the security aspects of the BMA Scheme are promised by:


jamming in the BMA

2. Cryptographic one-way accumulator identifies the modified packets in linear

workload




27

5.1.3 Performance Analysis of the BMA Scheme

In the BMA scheme, both the message fragmentation and reassembly is linear. Since in

section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our system, the worst

probability that a particular packet is successfully received for BMA scheme is the same

as UFH model:


(pp.11). The reason why this expected packet transmissions value is the same as in the

BMA scheme, uncoordinated frequency hopping is still used. However, since BMA

deploys the erasure codes combined with one-way accumulator, when the receiver get �

packets, he/she could use erasure coding to get all the message, which is definitely faster

than the original UFH scheme. A Java simulation test showed that compared to the

original UFH scheme, “BMA reduces the UFH communication latency up to one-half

(i.e., increases the throughput up to two times)” [6] (pp.6).

5.2 Merkleleaf Scheme

Merkleleaf scheme uses erasure coding to reduce the average number of packet

receptions required to reconstruct the message, which reduces the communication time

without impacting receiver or sender complexity. This section first explains how

Merkleleaf works, and then illustrates the security properties of this scheme with related

performance analyses.

( ) p1,1ic

cmin11p j

n1c

0i

Am

mJ

−

−−∏−=

−

=


28

5.2.1 How Merkleleaf Scheme Works

The Merkleleaf scheme increases the communication efficiency via the usage of erasure

codes and the implementation of Merkleleaf data structure with the origin design of UFH

model (See Figure-10). Initially, each packet is divided into two separated parts, namely,

header and body. The header part of each package store the specific hash for

corresponded data on the merkleleaf tree, and these header packets implement the UFH

scheme (e.g., hash-linked chain) to transfer them to the receiver. Once the receiver

receives all header packages, whenever the body fragment gets received by receiver,

he/she can easily implement related hash to get the data value. Also this scheme deploys

the erasure coding, then the receiver could get the whole message when he/she gets all a

Data Fragment [1] (pp.5).

Figure-10: Merkleleaf Scheme


29

5.2.2 Security Analysis of the Merkleleaf Scheme

The security of header packets is guaranteed by the original UFH hash-linked chain.

Through erasure coding is susceptible to the pollution attacks (i.e., inserting malicious

packets), the implementation of data structure merkleleaf tree promises the erasure

coding can always know its location.

To conclude, the security aspects of the Merkleleaf Scheme are promised by:


jamming in the Merkleleaf Scheme.

2. Cryptographic (e.g., hash) linking identifies the modified packets in linear workload

and erasure coding speeds up the packet reassembly process.



5.2.3 Performance Analysis of the Merkleleaf Scheme

In the Merkleleaf scheme, both the message fragmentation and reassembly is linear.

Since in section 3.2.2, we set Strategy Jamming AJ as attacker strategy in our system, the

worst probability that a particular packet is successfully received for Merkleleaf scheme

is the same as UFH model:


(pp.11). The reason why this expected packet transmissions value is the same as in the B

Merkleleaf scheme, uncoordinated frequency hopping is still used. However, since

( ) p1,1ic

cmin11p j

n1c

0i

Am

mJ

−

−−∏−=

−

=


30

Merkleleaf deploys the erasure codes combined with merkleleaf tree data structure, after

receiver gets all the header packets, he/she only needs a packets to use erasure coding

technique to get all the message, which is definitely faster than the original UFH scheme.

5.3 BMA and Merkleleaf Comparison

If we could like to know which scheme is more efficient between BMA and Merkleleaf,

the answer will be obvious and there is no need for simulation. We propose a new

scheme named S that uses erasure coding with Merkle tree based space-eddicient one-

way accumulator. Since Merkleleaf scheme uses original UFH model to send the header

packets to receivers, then the new scheme S is definitely more efficient than Merkleleaf

scheme. As Strasser, Popper and Capkun have already proved that “the one-way

accumulator based on bilinear maps that implements in BMA scheme uses strictly less

overhead per packet than a Merkle tree based accumulator” [6] (pp.4,6)., then BMA

scheme is definitely more efficient than Merkleleaf scheme. Further investigation into

how better the BMA scheme is compared to Merkleleaf scheme could be left as future

work.


31

6. Conclusions

Wireless communications are often susceptible to jamming. This paper first introduces

the general anti-jamming technique: FHSS (Frequency-hopping spread spectrum) and

then takes GPS application as an example to illustrate why people expect new protocol

that can be used to protect wireless communication from jamming without prior shared

secret keys/codes. Brief background information related to UFH and these new proposed

schemes are explained in Section 2. Details of UFH model (system and attacker models)

and hash-linked scheme are covered in Section 3 and 4. In section 5, this paper has been

proved that BMA scheme is better than Merkleleaf scheme with related analyses. The

following sections summaries the goals that reached and any missing work of this project

and finally talk about the future.

6.1 Review Goals

During this project, I got a better comprehension of Uncoordinated FHSS communication

techniques, not only understanding the original UFH model (system and attacker models)

but also get a chance to learn these coding theory (i.e., erasure codes, fountain codes,

cryptographic accumulator, etc.). It is important to realize that to get an optimal UFH-

based scheme, we should deploy correct message coding, packet coding and set the right

frequency channel set. I fully comprehend the strategies of BMA scheme and Merkleleaf

scheme and understood the related coding theory implemented in BMA and Merkleleaf.

I proved that BMA is better than Merkleleaf, however, I did not use simulation to get this

result. Also I do try the Octave programming for algorithm simulation. Therefore, I met

all the goals that set in the project proposal.


32

6.2 Unsolved Problems

In fact, this topic is really challenge, which requires you to have a lot of knowledge about

networks, network security, electronics, wireless communication, etc. During the

research, I met problems about network security coding, algorithms that I could not fully

understand in this period. I took the notes and decided to think about them later.

6.3 Future work

The possible future work for improving UFH-based protocols could be develop some

Eclipse plug-in to support related simulation of UFH-based schemes. Anti-jamming is an

interesting and critical topic in the network security society, I plan to continue study it

after I graduate.


33

7. References [1] David Slater, Patrick Tague, Radha Poovendran, and Brian J. Matt. A Coding Theoretic Approach for Efficient Message Verification Over Insecure Channels. In Proceedings of the ACM Conference on Wireless Network Security (Wise) 2009 pp.1 - 9. [2] The ABCs of Spread Spectrum – A Tutorial, http://www.sss-mag.com/ss.html#tutorial Retrieved February 10, 2010. [3] Leemon C. Baird, William L.Bahn, Michael D. Collins, Martin C. Carlisle, and Sean C. Butler. Keyless Jam Resistance, In Proceedings of the IEEE Information Assurance and Security Workshop (IAW), 2007 pp.1 [4] Matrio Strasser, Christina Popper, Srdjan Capkun, and Mario Cagalj. Jamming- resistant Key Establishment using Uncoordinated Frequenct Hopping. In Proceedings of the IEEE Symposium on Security and Privacy (2008) pp.1 - 14. [5] Mario Cagalj, Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping – Summer Research Institute – EPFL. Slide 1 - 43. Retrieved November 10, 2009. http://www.fesb.hr/~mcagalj/presentations/CagaljUFH09.ppt [6] Matrio Strasser, Christina Popper and Srdjan Capkun. Efficient Uncoordinated FHSS Anti-jamming Communication. In proceedings of the tenth ACM international symposium on Mobile and hoc networking and computing (2009) pp.1-14 [7] A.D. Wood and J.A. Stankovic, “Denial of service in sensor networks”, Computer, vol.35, no.10, pp54-62,2002 [8] G. Lin and G. Noubir. On link layer denial of service in data wirless lans: Research articles. Wireless Communications &Mobile CComputing, 5(3), 2005. [9] An introduction to the Uses of ECC-based Certificates, http://www.certicom.com/index.php/an-introduction-to-the-uses-of-ecc-based-certificates Retrieved February 10, 2010. [10] R.A. Poisel. Modern Communications Jamming Principles and Techniques. Artech House Publishers, 2006. [11] W.Xu, W. Trappe, Y.Zhang, and T. Wood. Feasibility of launching and detecting jamming attacks in wireless networks. In Proc. of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing, 2005 pp46-57 [12] Mario Cagalj, Srdjan Capkun and Jean-Pierre Hubaux. Wormholde-Based Anti- Jamming Techniques in Sensor Networks. In Proceedings of IEEE TMC (2007). pp. 21~28. [13] R.M.Roth. Introduction to Coding Theory. Cambridge University Press, 2006 [14] J.W.Byers, M.Luby, M. Mitzebnacher, and A.Rege. A digital fountain approach to reliable distribution of bulk data. ACM SIGCOMN Computer Communication Review, 28(4):56-67, 1998 [15] A.Shokrollahi. Raptor codes. IEEE/ACM Transactions on Networking (TON), 14:2551-2567, 2006 [16] M.Luby. LT codes, In Proc. of the 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS’02), pages 150-159, May 1997.


34

Appendix-A Acronyms CA Certification Authority

DoS Denial-of-Service

DSA Digital Signature Algorithm

ECC Elliptic curve cryptography

ECDSA Elliptic Curve Digital Signature Algorithm

ECPVS Elliptic Curve Pintsov Vanstone Signatures

ECQV Elliptic Curve Qu Vanstone

ECNR Elliptic Curve Nyberg Rueppel

FHSS Frequency Hopping Spread Spectrum

MAC Media Access Control

RF Radio Frequency\

RSA Rivest, Shamir, Adleman

UFH Uncoordinated Frequency Hopping

comp 4905 honours project report - school of computer ... · fhss (frequency hopping spread...

Documents