1
Securing Wireless Systems
Panos Papadimitratos
ACM CCS 2009 – Tutorial: Securing Wireless Systems
2
Wireless Systems
• Wireless local area networks (WLANs)
[Figure: wireless access point providing the link to the Internet]
3
Wireless Systems (cont'd)
• WLANs, Personal Area Networks (PANs), Ad hoc Networks
Illustration: Ericsson, ca. 2000
4
Wireless Systems (cont'd)
• Radio Frequency Identification (RFID)
[Figure labels: reading signal; tagged object; ID; back-end database; detailed object information]
• Wi-Fi and Bluetooth enabled devices
8
Wireless Systems (cont'd)
• Ad hoc networks
– Limited wireless communication range
– Collaborative support of the network operation
– Peer-to-peer interactions
– Transient associations
– Openness
[Figure: nodes and links]
9
Wireless Systems (cont'd)
• Security challenges
– Easy eavesdropping and message injection
– Each and every node can disrupt the network operation
– No monitoring facility
– Resource constraints
– Error-prone communication
– Hostile environments
– Nodes and applications tightly coupled to the user and her physical environment
10
Wireless Systems (cont'd)
• A set of basic elements
– Radio link establishment
– Direct wireless communication
– Multi-hop communication
– Distance to other reachable devices
– Device localization and own positioning
– Application performance measurable in the physical world
11
Wireless Systems Security
• Tutorial outline
– Anti-jamming techniques
– Secure Neighbor Discovery
– Secure data communication
– Secure ranging / Distance bounding
– Secure localization and positioning
– Vehicular Communications – transportation safety
12
Anti-Jamming Techniques
© 2009 P. Papadimitratos
13
Wireless Communication (WCOM)
• Transmissions over the same channel that overlap (partially) in time:
– Interference : communication degradation
– Collision : the receiver cannot successfully decode any signal
[Figure: Device A (transmitter) and Device C (transmitter) transmit over the wireless medium to Device B (receiver)]
14
Preventing WCOM
[Figure: Device A (transmitter) transmits over the wireless medium to Device B (receiver); a jammer also transmits]
• Jamming: deliberate interference, to prevent signal reception
– Over one or multiple channels
– Intermittently or continuously
– Varying transmission power
– Violation of regulations
15
Preventing WCOM (cont'd)
[Figure: three power vs. frequency plots: barrage jamming, swept-spot jamming, multi-spot jamming]
16
Anti-Jamming Defense
• Robust antenna and receiver designs
– Withstand interference
• System diversity
– Multiple channels available
– Use each channel for a period of time
– Then, 'jump' to another channel
– Assumption: the jammer is constrained
• E.g., out of n available channels, the jammer can prevent communication (jam) up to t < n channels
17
Anti-Jamming Defense (cont'd)
• Popular technologies operate with:
– Multiple channels, e.g., IEEE 802.11a/b/g/n, IEEE 802.15.4
– Direct sequence spread spectrum, i.e., signals occupy a wide spectrum
• Resilience depends (primarily) on:
– Pre-established knowledge (channel hopping pattern, spreading codes)
– Spread spectrum communication parameters
– Jammer strength (jammer to signal ratio)
18
Anti-Jamming Defense (cont'd)
• Frequency hopping (FH): transmit over a part of the available bandwidth for a short period of time
[Figure: transmissions plotted as frequency vs. time]
19
Anti-Jamming Defense (cont'd)
• FH patterns should be hard to determine
• Adaptive FH patterns
• Bootstrapping without pre-shared information?
– Uncoordinated Frequency Hopping
• Random FH for both sender and receiver; the sender hops much faster than the receiver
• Transmission of data fragments, from which the receiver has to reconstruct the message
• Communication possible when both sender and receiver are simultaneously at the same channel
M. Strasser, C. Pöpper, S. Capkun, and M. Cagalj, "Jamming-resistant Key Establishment using Uncoordinated Frequency Hopping," IEEE S&P 2008
20
Preventing WCOM (cont'd)
• Bottom line: Jammer can overpower receivers
– Technology known to adversary
– Sufficiently high transmission power
– Sufficient proximity to victims
Graphic by Tektronix
21
Preventing WCOM (cont'd)
• Numerous examples of commercially available devices
– Against WiFi, GSM, PCS, GPS, Bluetooth
• Applications in law enforcement, anti-terrorism, military operations
22
Anti-Jamming Defense (cont'd)
• Detect the location of the jammer and remove it (physically)
– Determine the jamming signal direction from multiple points
[Figure: jammer]
24
Summary
• Jamming is a long-known problem
• Various technologies to increase resilience
• Detection of jammer location and removal
• Jamming = denial of service within a region = wireless links down
– Selective and local erasure of messages across the wireless medium by an adversary
• Additional reading:
R. A. Poisel, "Modern Communications Jamming Principles and Techniques," Artech House, 2003
25
Secure Neighbor Discovery
26
Neighbor Discovery (ND)
• Neighbor Discovery (ND)
– A node discovers other nodes it can directly communicate with
[Figure: nodes A, B, C, D]
27
Neighbor Discovery (ND) (cont'd)
• B is neighbor of A if and only if it can receive directly from A
• Link (A,B) is up A is neighbor of B
• RA ≠ RB, i.e., (A,B) may be up while (B,A) is down
[Figure: nodes A and B with ranges RA and RB]
28
Neighbor Discovery (ND) (cont'd)
• Simple, widely used solution, but not secure
• Easy to attack
– Mislead B that A is its neighbor, when this is not the case
[Figure: A → B: "Hello, I'm A"; B: "A is my neighbor"; "A is added in my Neighbor List"]
29
Attacking ND
• Single adversary appears as multiple neighbors
[Figure: M → B: "Hello, I'm A", "Hello, I'm C", …, "Hello, I'm Z"; B: Neighbor List = {A, C, …, Z}]
30
Securing ND
• An attempt
– Message authenticity and replay protection
• nA, nB are nonces
– Bob essentially 'challenges' Alice to provide a 'hello' message
(1) B → A: nB, B
(2) A → B: A, nA, nB, B, SigA(A, nA, nB, B), CertCA(KA, A)
31
Attacking ND (cont'd)
• "Relay" or "Wormhole" Attack
– Simply relay any message, without any modification
[Figure: M relays between A and B; B: Neighbor List = {A}]
32
Attacking ND (cont'd)
• Long-range relay / wormhole
– The attacker relays messages across large distances
[Figure: A sends "Hello, I'm A"; M1 relays it to M2 over an out-of-band or private channel; M2 delivers "Hello, I'm A" to B; B: Neighbor List = {A}]
36
Attacking ND: Implications (cont'd)
• RFID-based access control
Z. Kfir and A. Wool, "Picking virtual pockets using relay attacks on contact-less smartcard," SECURECOMM '05
• Attacker close to the access-granting RFID tag
– Relays signals from and to her accomplice, who obtains access
37
Securing Two-Party ND
• Basic ideas
– Authentication
– Node-to-node distance estimation
– x > R → A: AP not neighbor
– y < R → B: AP neighbor
[Figure: AP with ND range R; node A at distance x, node B at distance y]
38
Securing Two-Party ND (cont'd)
• Use message time-of-flight to measure distance
– Distance Bounding [1]
– Temporal Packet Leashes [2]
– SECTOR [3]
• Use node location to measure distance
– Geographical Packet Leashes [2]
[1] S. Brands and D. Chaum, "Distance-bounding protocols," EUROCRYPT '93
[2] Y.-C. Hu, A. Perrig, and D. B. Johnson, "Packet leashes: A defense against wormhole attacks in wireless networks," IEEE INFOCOM '03
[3] S. Capkun, L. Buttyan, and J.-P. Hubaux, "SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks," ACM SASN '03
39
Securing Two-Party ND (cont'd)
• Are these protocols [1,2,3] achieving secure ND?
• Can any protocol, including and similar to [1,2,3], which can measure time, solve the secure ND problem?
• Is there any provably secure ND protocol?
• Note: Measurements can be *very* accurate
None of the above protocols secures ND
No (secure) ND protocol that relies on time measurements does
41
Feasible Traces
• System execution: feasible trace
• Traces feasible with respect to:
- Setting S
- Protocol P
- Adversary A
[Figure: trace sets with subscripts S; S,P; S,P,A]
43
Trace Feasible wrt Setting S
• Causal and timely message exchange
A
B
v – signal propagation speed
48
Trace Feasible wrt Adversary
• Adversarial nodes can only relay messages with minimum delay
• Denote the adversary as:
A
49
Neighbor Discovery Specification
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors
Protocol P solves Neighbor Discovery for adversary A if
50
Neighbor Discovery Specification (cont'd)
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors
Protocol P solves Two-Party Neighbor Discovery for adversary A if
in the ND range R
…
51
T-protocol Impossibility
Theorem: No T-protocol can solve Neighbor Discovery for adversary if .
Proof (sketch):
Any T-protocol P that satisfies ND2 cannot satisfy ND1
Observation: Physical proximity does not necessarily imply correct nodes are able to communicate directly
52
Results
• T-protocol ND impossibility (general case)
• T-protocol solving ND (restricted case)
• TL-protocol solving ND (general case)
M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery in Wireless Networks: A Formal Investigation of Possibility,” ACM ASIACCS 2008
M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007
53
Protocol P CR/TL
• Challenge-Response/Time-and-Location
[Figure: challenge message, response message, authenticator message]
54
ND Properties – Revisited (cont'd)
• Correctness:
• Availability:
TP – protocol specific duration
55
Protocol P CR/TL (cont'd)
Theorem: Protocol PCR/TL satisfies the Neighbor Discovery Specification:
• Correctness (ND1)
• Availability (ND2CR/TL)
Under the assumptions:
i. Any processing delay relay > 0
ii. Equality of maximum information propagation speed and wireless channel propagation speed vadv = v
M. Poturalski, P. P., and J.-P. Hubaux, “Towards provable secure neighbor discovery in wireless networks,” ACM CCS FMSE 2008
56
Summary
• Secure Neighbor Discovery
– Prerequisite for secure networking protocols and various applications, and system security
– Hard problem
– Proven secure solutions
– Implementation is not easy in practice
57
Additional Readings
• Overview
P. P., M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J-P. Hubaux, "Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking," IEEE Communications Magazine, February 2008
• Implementation
R. Shokri, M. Poturalski, G. Ravot, P. P., and J.-P. Hubaux, "A Low-Cost Secure Neighbor Verification Protocol for Wireless Sensor Networks," ACM WiSec, March 2009
• Early works relating to SND
J. Arkko, J. Kempf, B. Zill, and P. Nikander, "SEcure Neighbor Discovery (SEND)," IETF RFC 3971, March 2005
P. P. and Z.J. Haas, "Secure Link State Routing Protocol", IEEE WSAAN, January 2003
58
Secure Ranging / Distance Bounding
59
Ranging / Distance Bounding
• Ranging
– A: Obtains d(A,B), an estimate of dA,B, the actual A,B distance
• Distance bounding
– A: Obtains D(A,B), a bound s.t. dA,B ≤ D(A,B)
[Figure: message exchange between A and B]
60
Attacking Ranging / DB
• Ranging: A, B exchange a sequence of messages, including own measurements (e.g., times of arrival)
• The attacker, B, provides fake inputs, to manipulate (shorten or lengthen) the d(A,B) calculated by A
• Caution
– Authentication does not solve the problem
– Computation delays could dwarf measurements
[Figure: message exchange between A and B]
61
Attack Implications
• Manipulation of calculated distance
– Illegitimate physical space access
– Defeating a theft detection system
Safe Storage
62
Attacking Ranging / DB (cont'd)
[Figure: three attack scenarios: Distance Fraud Attack (Verifier, Dishonest Prover); Mafia Fraud or Relay Attack (Verifier, Prover); Terrorist Fraud Attack (Verifier, Colluding Dishonest Prover)]
63
Securing Ranging / DB (cont'd)
• Authenticated ranging can defeat relay (mafia fraud) attacks
• To defeat the distance fraud attacks:
– Distance-related measurements based on sufficiently fast and simple actions by the honest prover
– A dishonest prover cannot perform the same action faster than an honest prover
• A dishonest prover cannot appear closer to the verifier than it actually is
64
Distance Bounding
[Figure: protocol diagram including the Rapid Bit Exchange (RBE)]
S. Brands and D. Chaum, "Distance-bounding protocols," Advances in Cryptology, EUROCRYPT '93
65
Distance Bounding (cont'd)
• Distance bounding [Brands & Chaum]
– Phase 1: Prover sends out a commitment to a random n-bit value
– Phase 2: Rapid Bit Exchange (RBE); the Verifier sends 1-bit challenges to the Prover, which XORs each challenge with the corresponding bit of the committed value
• At each RBE, the verifier measures the round-trip (V-P-V) delay
– Phase 3: The Prover opens the commitment and the Verifier calculates the distance bound (the maximum of all RBE-measured delays)
• Success of attack: (1/2)^n
– An attacker can only guess the 1-bit responses
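The three phases above as a timing simulation, added here as an example (not code from the tutorial or from Brands and Chaum). Assumptions: a SHA-256 hash commitment stands in for the commitment scheme, the clock is simulated rather than measured, and all function names are hypothetical.

```python
import hashlib
import random

C = 299_792_458.0  # propagation speed of the RF signal, m/s


def commit(bits, nonce):
    """Hash commitment to the prover's bits (assumed construction)."""
    return hashlib.sha256(nonce + bytes(bits)).digest()


def prover_setup(n, rng):
    """Phase 1: the prover picks n random bits and commits to them."""
    bits = [rng.getrandbits(1) for _ in range(n)]
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    return bits, nonce, commit(bits, nonce)


def rapid_bit_exchange(bits, true_dist_m, rng, processing_s=0.0, claimed_dist_m=None):
    """Phase 2: n timed challenge/response rounds.

    With claimed_dist_m set, the prover commits a distance fraud: it answers
    before the challenge arrives, so that the round trip looks like
    claimed_dist_m, and therefore has to guess every challenge bit.
    """
    challenges, responses, rtts = [], [], []
    for m_i in bits:
        c = rng.getrandbits(1)                      # verifier's 1-bit challenge
        if claimed_dist_m is None:
            r = c ^ m_i                             # honest: XOR with committed bit
            rtt = 2 * true_dist_m / C + processing_s
        else:
            r = rng.getrandbits(1) ^ m_i            # early reply on a guessed challenge
            rtt = 2 * claimed_dist_m / C
        challenges.append(c)
        responses.append(r)
        rtts.append(rtt)
    return challenges, responses, rtts


def verify(commitment, challenges, responses, rtts, opened_bits, nonce):
    """Phase 3: check the opening and every response; bound from the max delay."""
    opening_ok = commit(opened_bits, nonce) == commitment
    bits_ok = all(r == c ^ m for c, r, m in zip(challenges, responses, opened_bits))
    bound_m = C * max(rtts) / 2
    return opening_ok and bits_ok, bound_m


def fraud_success_rate(n, trials, rng):
    """Fraction of early-reply runs the verifier accepts; expected (1/2)^n."""
    wins = 0
    for _ in range(trials):
        bits, nonce, com = prover_setup(n, rng)
        ch, rs, rtts = rapid_bit_exchange(bits, 100.0, rng, claimed_dist_m=10.0)
        wins += verify(com, ch, rs, rtts, bits, nonce)[0]
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(2009)  # seeded for repeatability; a real prover needs a CSPRNG
    bits, nonce, com = prover_setup(32, rng)
    print("honest prover at 10 m:", verify(com, *rapid_bit_exchange(bits, 10.0, rng), bits, nonce))
    print("early-reply success rate, n=3:", fraud_success_rate(3, 4000, rng))
```

Any processing delay at the prover inflates the bound (1 ns adds about 15 cm), which is why the slides that follow stress nanosecond precision and simple prover actions.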
66
Distance Bounding (cont'd)
• Practical issues
– Short symbols over RF, for each 1-bit exchange
• High propagation speed
• Nanosecond time precision
– Lengthy RBE
• Increased security
• Higher delay
– Bit error(s)
• Likely across a wireless link (e.g., noise)
• Failure of the entire protocol (prob. ½ to respond correctly to a single corrupted bit)
67
Distance Bounding (cont'd)
G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005
68
Distance Bounding (cont'd)
• Defense for terrorist fraud attacks
– RBE tied to the prover identification
[BussardBagga04]
[Figure: protocol diagram with steps (1), (2), (3)]
69
Distance Bounding (cont'd)
J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ACM ASIACCS 2007
71
Summary
[Piramuthu07] - (7/8)^n
[BrandsChaum93] - Mafia-resistant, (1/2)^n
[CapkunBH03] - Mutual DB
[BussardBagga04] - Asymmetric crypto, Proof of Knowledge
[HanckeKuhn05] - Noise-tolerant, w/o noise (3/4)^n
[ReidGNTS06] - Symmetric crypto, (3/4)^n
[MeadowsPPChS07]
[TuPiramuthu07] - 4-RBEs, (9/16)^n
[KimAKSP08] - (1/2)^n
[MunillaOP06] - Void challenges, (3/5)^n
[SingleePreneel07] - Noise-tolerant, (1/2)^n
[NikovVauclair08] - Rapid Bit-chunk Exchange
[MunillaPeinado08]
[AvoineTchamkerten09] - HK (3/4)^n → n(1/2)^n, memory cost
[SchallerSchBC09]
[CapkunHubaux06] - No RBE, Auth. ranging
Bold fonts: Design for resistance to terrorist fraud attacks
72
Summary (cont'd)
• Authenticated ranging resists external attacks (mafia frauds)
• Distance bounding resists an isolated dishonest prover (distance fraud)
• More recent protocols to defend against a colluding prover (terrorist fraud)
• Additional reading
– Attacks by external adversaries at the physical layer: Early Detect / Late Commit
J. Clulow, G. Hancke, M. Kuhn, and T. Moore, “So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks,” ESAS 2006
73
References
[AvoineTchamkerten09] G. Avoine and A. Tchamkerten, “An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement,” ISC 2009
[BrandsChaum93] S. Brands and D. Chaum, "Distance-bounding protocols," EUROCRYPT '93
[BussardBagga04] L. Bussard and W. Bagga, “Distance-Bounding Proof of Knowledge Protocols to Avoid Terrorist Fraud Attacks,” EUROCOM Tech. Report, RR-04-109, 2004
[CapkunBH03] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” SASN 2003
[CapkunHubaux06] S. Capkun and J.P. Hubaux, “Secure positioning in wireless networks,” JSAC 2006
[HanckeKuhn05] G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005
[KimAKSP08] C.H. Kim, G. Avoine, F. Koeune, F.-X. Standaert and O. Pereira, “The Swiss-Knife RFID Distance Bounding Protocol,” ICISC 2008
74
References (cont'd)
[MeadowsPPChS07] C. Meadows, R. Poovendran, D. Pavlovic, L. Chang, and P. Syverson, "Distance bounding protocols: Authentication logic analysis and collusion attacks," Sec. Loc. and Time Sync. for Wireless Sensor and Ad Hoc Networks, 2006
[MunillaOP06] J. Munilla, A. Ortiz and A. Peinado, "Distance Bounding Protocols with Void Challenges for RFID," RFIDSec 2006
[MunillaPeinado08] J. Munilla and A. Peinado, "Attacks on Singelee and Preneel's protocol," ePrint, 2008
[NikovVauclair08] V. Nikov and M. Vauclair, “Yet Another Secure Distance-Bounding Protocol,” ePrint, 2008
[Piramuthu07] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems 2007
[ReidGNTS06] J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ASIACCS 2007
[SchallerSchBC09] P. Schaller, B. Schmidt, D. Basin, S. Capkun, “Modeling and Verifying Physical Properties of Security Protocols for Wireless Networks,” CSF 2009
[SingleePreneel07] D. Singelee and B. Preneel, “Distance Bounding in Noisy Environments,” ESAS 2007
[TuPiramuthu07] Y.-J. Tu and S. Piramuthu, “RFID Distance Bounding Protocols,” RFID Technology 2007
75
Secure Route Discovery
76
Route Discovery
• Stage 0: Neighbor discovery
• Stage 1: Route discovery
[Figure: network of nodes A to H, with the source node, intermediate nodes and destination node marked]
Route: Sequence of nodes (and edges); for simplicity: (A, G, E)
77
Attacking Route Discovery
• Impersonation of the destination, for example, in any reactive routing protocol
[Figure: network of nodes A to H; RREQ: "A is looking for H"; RREP: "I am H"]
78
Attacking Route Discovery (cont'd)
• Disrupting distance vector routing (for example, in AODV)
[Figure: network of nodes A to H; RREQ: "A is looking for H"; RREP: "Hop count = 3"; RREP: "Hop count = 2"]
79
Attacking Route Discovery (cont'd)
• Caution: None of these protocols (DSR, AODV) was designed with security in mind
• Many possible ways to attack the route discovery
• Outcome of attacks
– Control communication
• Become part of utilized routes
• Monopolize resources
– Disrupt communication
• Degrade or deny
80
Requirements
• We are interested in protocols that discover routes with the following two properties:
(1) Loop-freedom: an (S,T)-route is loop-free when it has no repetitions of nodes
(2) Freshness: an (S,T)-route is fresh with respect to a (t1,t2) interval if each of the route's constituent links is up at some point during the (t1,t2)
• Loop-freedom and freshness are relevant for both explicit and implicit route discovery
P. P., Z.J. Haas, and J.-P. Hubaux, "How to Specify and How to Prove Correctness of Secure Routing Protocols for MANET," BroadNets '06
81
Secure Routing Protocol (SRP)
• Explicit basic route discovery
• Observation
– It is hard to 'know' all nodes in the network, i.e., establish associations with all of them
– Often infeasible and very costly
– Especially in 'open' networks
• SRP assumptions
– Secure neighbor discovery
– Hop-by-hop authentication of all control traffic
– End nodes (source, destination) 'know' each other
• Can set up security associations
P. P. and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002
82
SRP (cont'd)
[Figure: path S, V1, V2, V3, T with RREQ broadcasts 1 to 4]
Route Request (RREQ): S, T, QSEQ, QID, MAC(KS,T, S, T, QSEQ, QID)
1. S broadcasts RREQ;
2. V1 broadcasts RREQ, {V1};
3. V2 broadcasts RREQ, {V1, V2};
4. V3 broadcasts RREQ, {V1, V2, V3};
83
SRP (cont'd)
[Figure: path S, V1, V2, V3, T with RREQ broadcasts 1 to 4 and RREP transmissions 5 to 8]
Route Reply (RREP): QID, {T, V3, V2, V1, S}, MAC(KS,T, QID, QSEQ, T, V3, V2, V1, S)
5. T → V3 : RREP;
6. V3 → V2 : RREP;
7. V2 → V1 : RREP;
8. V1 → S : RREP;
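The RREQ/RREP exchange of the two SRP slides as an added example (not code from the SRP papers). Assumptions: HMAC-SHA256 stands in for MAC, fields are length-prefixed before MACing, T rejects a QSEQ that does not exceed the last one it accepted, and the message layout and function names are hypothetical.

```python
import hashlib
import hmac


def mac(key, *fields):
    """MAC over length-prefixed fields, so field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        data = str(field).encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()


def make_rreq(key, s, t, qseq, qid):
    """Source S: RREQ = S, T, QSEQ, QID, MAC(K_S,T, S, T, QSEQ, QID)."""
    return {"S": s, "T": t, "QSEQ": qseq, "QID": qid,
            "route": [], "mac": mac(key, s, t, qseq, qid)}


def relay_rreq(rreq, node_id):
    """Intermediate node: append own identifier and rebroadcast."""
    fwd = dict(rreq)
    fwd["route"] = rreq["route"] + [node_id]
    return fwd


def destination_reply(key, rreq, last_qseq):
    """Destination T: validate the RREQ, then bind the reversed route in the RREP MAC."""
    expected = mac(key, rreq["S"], rreq["T"], rreq["QSEQ"], rreq["QID"])
    if not hmac.compare_digest(expected, rreq["mac"]):
        return None                      # not from S (no shared key K_S,T)
    if rreq["QSEQ"] <= last_qseq:
        return None                      # replayed query (assumed freshness rule)
    route = [rreq["T"]] + rreq["route"][::-1] + [rreq["S"]]
    return {"QID": rreq["QID"], "route": route,
            "mac": mac(key, rreq["QID"], rreq["QSEQ"], *route)}


def source_accepts(key, rreq, rrep):
    """Source S: accept the route only if the RREP MAC covers exactly this route."""
    if rrep is None or rrep["QID"] != rreq["QID"]:
        return False
    expected = mac(key, rreq["QID"], rreq["QSEQ"], *rrep["route"])
    return hmac.compare_digest(expected, rrep["mac"])


if __name__ == "__main__":
    k_st = b"constructed-key-shared-by-S-and-T"   # constructed sample key
    rreq = make_rreq(k_st, "S", "T", qseq=7, qid=42)
    at_t = relay_rreq(relay_rreq(relay_rreq(rreq, "V1"), "V2"), "V3")
    rrep = destination_reply(k_st, at_t, last_qseq=6)
    print(rrep["route"], source_accepts(k_st, rreq, rrep))
    shortened = dict(rrep, route=["T", "V3", "V1", "S"])   # V2 removed in transit
    print(source_accepts(k_st, rreq, shortened))
```

The node list accumulated in the RREQ is not covered by the RREQ MAC; only the RREP binds a route end to end, which leaves the colluding (tunneling) attackers of the later slides outside what this check detects.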
84
Additional Readings
• Secure Explicit Routing
– Link State Routing
P. P. and Z.J. Haas, "Secure Link State Routing for Mobile Ad Hoc Networks," IEEE WSAAN, Orlando, Florida, January 2003
– Reactive Route Discovery
– Ariadne
Y.-C. Hu, A. Perrig, and D. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks," Wireless Networks, 2005
– EndAir
G. Acs, L. Buttyan, and I. Vajda, "Provably secure on-demand source routing in mobile ad hoc networks," IEEE TMC, 2006
85
Additional Readings (cont'd)
• Secure Implicit Routing
• Secure Augmented Routing
– QoS-aware routing
• Overview
Chapter 7, L. Buttyan and J.-P. Hubaux, "Security and Cooperation in Wireless Networks", Cambridge Press, 2008
P. P. and Z.J. Haas, "Secure Route Discovery for QoS-Aware Routing in Ad Hoc Networks," IEEE Sarnoff Symposium, 2005
K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, E. Belding-Royer, "Authenticated routing for ad hoc networks," IEEE JSAC 2005
Y.-C. Hu, D.B. Johnson, A. Perrig, "Secure efficient distance vector routing in mobile wireless ad hoc networks," IEEE WMCSA 2002
P. P. and Z.J. Haas, "Secure On-Demand Distance Vector Route Discovery in Ad Hoc Networks," IEEE Sarnoff Symposium, 2005
86
Attacking Routing - Revisited
• Tunneling Attack
– Two colluding attackers: M1, M2
– M1 encapsulates control traffic and forwards to M2 and vice versa
– Attackers seemingly follow the protocol with respect to their neighbors
[Figure: S, T and colluding attackers M1, M2]
P. P. and Z.J. Haas, "Secure Routing for Mobile Ad Hoc Networks," CNDS 2002
87
Attacking Routing – Revisited (cont'd)
• Multiple Colluding Attackers
– M1 and M3 are seemingly correct to their neighbors, but they 'omit' protocol functionality when handling packets from M2
– Example: M2 relays RREQ and RREP packets without appearing in the route discovery
[Figure: S, V, V', T and attackers M1, M2, M3]
88
Summary
• Route discovery is vulnerable
• Secure route discovery specification
– Loop freedom, Freshness
– Accuracy
• Secure basic and augmented route discovery in open, dynamic networks
• Protocols rely on different trust assumptions
• Colluding adversarial nodes can subvert any route discovery protocol; 'tunneling attack'
89
Secure Data Communication
92
Secure Data Communication
• Goal:
– Reliable and low-delay data delivery in the presence of attackers that disrupt the data communication
• Solution:
– Detect and avoid compromised and failing routes
– Tolerate malicious and benign faults
• In general, hard to distinguish in highly dynamic networking environments
93
Data Communication (cont'd)
• What is the impact of the adversary that 'lies low' and disrupts only the data communication?
[Figure: reliability vs. attacker strength; with 50% of the network nodes attacking: 35% message delivery]
95
Securing Data Communication (cont'd)
• Disperse data
– Introduce redundancy to the original message
[Figure: original message of m pieces (1, 2, …, m-1, m) encoded into n pieces (1, 2, 3, …, n-3, n-2, n)]
96
Securing Data Communication (cont'd)
• Disperse data
– Reconstruct message if any m-out-of-n pieces are intact
[Figure: intact pieces (1, 3, …, n-2, n) out of the n transmitted pieces]
97
Securing Data Communication (cont'd)
• Transmit simultaneously across the routes
[Figure: network of nodes A to H; sending n=3; E needs m=2; received m pieces!]
98
Securing Data Communication (cont'd)
• Get feedback
[Figure: network of nodes A to H with Route 1, Route 2, Route 3; tell A which pieces were intact]
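The disperse, transmit and feedback steps of the preceding slides as an added example (not code from the SMT papers). It goes beyond the n=3, m=2 case to any m ≤ n < 257; the polynomial code over GF(257) is an assumed stand-in for whatever dispersal code a deployment uses, and all names are hypothetical.

```python
P = 257  # prime just above the byte range; piece symbols are integers 0..256


def disperse(message, m, n):
    """Encode message into n pieces such that any m of them suffice.

    Each group of m bytes is the coefficient vector of a polynomial of
    degree m-1; piece x (x = 1..n) stores that polynomial's value at x.
    """
    padded = message + bytes((-len(message)) % m)
    pieces = {x: [] for x in range(1, n + 1)}
    for off in range(0, len(padded), m):
        block = padded[off:off + m]
        for x, symbols in pieces.items():
            symbols.append(sum(b * pow(x, k, P) for k, b in enumerate(block)) % P)
    return len(message), pieces


def transmit(pieces, compromised_routes):
    """One piece per route; pieces on compromised routes are dropped.

    Returns the received pieces and the feedback (ids of intact pieces).
    """
    received = {x: s for x, s in pieces.items() if x not in compromised_routes}
    return received, sorted(received)


def _invert(matrix):
    """Gauss-Jordan inversion modulo P."""
    size = len(matrix)
    aug = [row[:] + [int(i == j) for j in range(size)] for i, row in enumerate(matrix)]
    for col in range(size):
        pivot = next(r for r in range(col, size) if aug[r][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)          # modular inverse (Python 3.8+)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(size):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[size:] for row in aug]


def reconstruct(length, received, m):
    """Recover the message from any m intact pieces."""
    if len(received) < m:
        raise ValueError("fewer than m pieces intact; retransmission needed")
    xs = sorted(received)[:m]
    inv = _invert([[pow(x, k, P) for k in range(m)] for x in xs])
    out = bytearray()
    for i in range(len(received[xs[0]])):
        ys = [received[x][i] for x in xs]
        out.extend(sum(inv[k][j] * ys[j] for j in range(m)) % P for k in range(m))
    return bytes(out[:length])


if __name__ == "__main__":
    msg = b"constructed sample payload"             # constructed input
    length, pieces = disperse(msg, m=2, n=3)        # redundancy n/m = 1.5
    received, feedback = transmit(pieces, compromised_routes={2})
    print(feedback, reconstruct(length, received, 2) == msg)
```

The example models dropped pieces only; detecting a modified piece is the job of the per-piece integrity and origin authentication that the SMT slide lists separately.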
99
Securing Data Communication (cont'd)
• Secure Message Transmission (SMT) protocol
– Dispersion of the transmitted data
– Simultaneous usage of multiple node-disjoint routes
– Data integrity and origin authentication
– End-to-end secure and robust feedback
– Adaptation to the network conditions
• Secure Single Path (SSP) protocol
– Discovery and utilization of a single route
– End-to-end security and feedback
P. P. and Z.J. Haas, "Secure Data Communication in Mobile Ad Hoc Networks," IEEE JSAC, 2006
P. P. and Z.J. Haas, “Secure Message Transmission in Mobile Ad Hoc Networks,” ACM WiSe, 2003
P. P. and Z.J. Haas, "Secure Message Transmission in Mobile Ad Hoc Networks," Ad Hoc Networks, 2003
100
Securing Data Communication (cont'd)
Nodes: 50
Fraction of Adversaries: 10%, 20%, 30%, 40%, or 50% of the network nodes
Measurements: 50 randomly seeded runs for each point
Security Bindings: Single destination per source
Simulated time: 300 sec
Mobility: Random waypoint; Pause times: 0, 20, 40, 60, 100, 150, 200, 250 seconds
Load: 3, 7, 15, 20 CBR flows; Data payload: 512 Bytes; Rates: 4, 10, 15, 20, 25, and 30 packets/sec
Coverage Area: 1000m-by-1000m
PHY/MAC: IEEE 802.11, DCF, 2 and 5.5 Mbps, 300m
Transport: UDP / TCP
Tool: OPNET
101
Securing Data Communication (cont'd)
• Secure Message Transmission (SMT) protocol
• Secure Single Path (SSP) protocol
• Secure route discovery for both protocols
– Explicit, basic
• Reactive, Proactive
• SRP, SLSP
• Attack pattern
– Full compliance with the route discovery
– Discard in-transit data packets
102
Securing Data Communication (cont'd)
• Reliable and Real-Time Communication in Hostile Environments
[Figure: reliability vs. attacker strength, Secure Routing Only compared with Secure Routing + Secure Data Communication; marked values when 50% of the network nodes are attacking: 35% message delivery; 93% message delivery without retransmissions]
103
Securing Data Communication (cont'd)
Bandwidth For Security
[Figure: delay vs. redundancy (1 to 3.5): average delay for 100% message delivery; marked values 1.2 s and 0.4 s]
[Figure: reliability vs. redundancy (1 to 3.5): message delivery without retransmissions; marked values 82% and 93%]
104
Performance Evaluation (cont'd)
Impact of Load and SMT-TCP interaction
[Figure: throughput with no flow control; throughput of SMT-RRD with TCP]
105
Performance Evaluation (cont'd)
Impact of Load and SMT-TCP interaction
[Figure: message delay with no flow control; message delay of SMT-RRD with TCP]
106
Summary
• Secure data communication is critical
– Secure routing protocols are vulnerable
– As long as attackers can place themselves on utilized routes, they can degrade or deny communication
– The only answer is to assess whether data are delivered, and avoid non-operational routes
• Secure data communication is practical
– Low-delay, low-jitter, and highly reliable; essentially, real-time
– Flexible
– Low overhead
– End-to-end
– Effective against any data-dropping pattern
107
Additional Readings
• More on secure data communication mechanisms
• CASTOR (Continuously Adapting Secure Topology-Oblivious Routing)
– Integration of route discovery and communication
– Localized routing decisions
– Outcome: Scalability and resilience
W. Galuba, P. P., M. Poturalski, K. Aberer, Z. Despotovic, and W. Kellerer, “Castor: Scalable Secure Routing for Ad hoc Networks,” EPFL Technical Report, LSIR-REPORT-2009-002, 2009
J.-P. Hubaux and P. P., "Security and Cooperation in Wireless Networks," ACM MobiCom 2007 tutorial [slides] http://icapeople.epfl.ch/panos/Hubaux-Papadimitratos-Tutorial-Mobicom07-camera-ready.pdf
109
Localization
• Mobile computing is becoming increasingly location-based
– Location-aware devices
– Location-based services
• Two main problems
– Determine the location of a (another) device
• Could be as simple as asking a location-aware device to report its location
• Often, some infrastructure performs the task
– Determine own location
• With the help of own equipment and infrastructure
110
Localization (cont'd)
• Device localization
– Indoor and outdoor
– Various technologies (infrared, ultrasound, RF)
– Various approaches (angle of arrival, time of arrival, signal strength, etc)
[Figure: infrastructure nodes I1, I2, I3 and device A]
111
Attacking Localization
• Adversary M (actually at loc(M)) misleads the infrastructure, which erroneously perceives it as M' (at loc(M'))
[Figure: infrastructure nodes I1, I2, I3; adversary M perceived as M']
112
Securing Localization
• Multiple (at least three) verifiers run DB with the node (prover); relevant area: verifiers' triangle
– An isolated dishonest prover cannot fake its position inside the triangle (intuition: it cannot perpetrate a distance fraud against any of the verifiers)
S. Capkun and J.-P. Hubaux, "Secure Positioning in Wireless Networks," IEEE JSAC 2006
[Figure: verifiers I1, I2, I3 and node M]
113
Localization (cont'd)
• Determining own position
– Infrastructure serving as reference
– Multiple points of reference allow the node to calculate its position
• Infrastructure type can vary, e.g.:
– Wi-Fi access points
– Specialized beacons
– Global Navigation Satellite Systems (GNSS)
114
Localization (cont'd)
[Figure: Global Navigation Satellite Systems supporting context awareness, navigation, fleet and cargo management, and sensing. Graphics by Nokia]
115
Localization (cont'd)
• Global Navigation Satellite Systems
GPS receiver, V:
1. Receive NAVi from satellite Si at position si
2. Estimate the NAVi propagation delays, and thus V-Si distances (pseudoranges), ρi
3. Solve a system of equations:
4. Obtain own position, locV, and clock correction, tV
[Figure: receiver V with pseudoranges ρ1, ρ2, ρ3, ρ4]
116
Attacking Localization (cont'd)
• Mislead devices (and their users) about their location
– Compromise the device: hard
– Compromise the infrastructure: much harder
– Interfere with the infrastructure-to-device wireless communication
• Easy
• Jam → Outage
• Overwrite legitimate transmissions with synthesized ones → Control locV and tV
117
Attacking Localization (cont'd)
• Attacker: Record and replay, or forge, GPS signals, overwriting the legitimate GPS signals
• System: GPS receiver locks on spoofed signals
• Consequence: User is provided with a false, attacker-controlled location
118
Attacking Localization (cont'd)
• GPS Jammers and Simulators
• Meaconing (record and re-broadcast, a.k.a. replay)
Low-power jammer (1 W); it can affect a 35km radius
B. O'Hanlon, B. Ledvina, M.L. Psiaki, P.M. Kintner Jr., T. E. Humphreys, "Assessing the GPS Spoofing Threat," GPS World, January 2009
119
Securing Localization
• Authenticate navigation messages (NAV)
– Public key crypto: one private-public key pair per satellite
– Symmetric key authentication; single system key
• Need tamper-resistant storage at receivers
• Public key authentication delays can be significant
• Low NAV transmission rate; ~ 40 sec for a signature
• Caution: Need to maintain the relative NAV arrival timings
120
Securing Localization (cont'd)
• Public key authentication / “Hidden markers”
- Si transmit unpredictable sequences below noise; they release an authenticated spreading code with a delay ρ
- V record the entire bandwidth and “detect” the hidden marker a posteriori, to calculate the NAV arrival times (thus the pseudo-ranges)
M. Kuhn, An Asymmetric Security Mechanism for Navigation Signals, 6th Information Hiding Workshop, 2004
121
Attacking Localization (cont'd)
• Replay attacks can be effective even against future systems with authentication (e.g., Galileo)
P. P. and A. Jovanovic, “Protection and Fundamental Vulnerability of Global Navigation Satellite Systems (GNSS),” IEEE IWSSC 2008
122
Attacking Localization (cont'd)
• One ms of replay translates into ~300m of position error
1. Jam → Receiver loses its "lock" on the satellites
2. Replay → Receiver locks on the spoofed signal
123
Attacking Localization (cont'd)
• Record NAV messages after the detection of the preamble at least the first bit
– Minimum replay delay tmin = 20 ms
– Replay after any tmin + treplay
[Figure: (a) distance offset [m] vs. attack duration [s]; (b) time offset [ms] vs. attack duration [s]]
124
Securing Localization (cont'd)
• Assumption: the adversary covers part of the system: Receivers can operate in an unaffected area before entering an area under attack
• Objective: Receivers detect the attack onset
– No additional complex equipment
– No system reconfiguration
– Resilience to sophisticated adversaries
• Approach: Rely on own (receiver) measurements
– Predict future values from available ones that are deemed correct
– Discrepancy between measurements and predicted values → Attack
125
Securing Localization (cont'd)
1. Normal mode:
Collect [Vk, Vk-1, Vk-2, …, Vk-W]
Predict [PVk+p, …, PVk+2, PVk+1] = f(Vk, Vk-1, Vk-2, …, Vk-W)
2. Alert mode:
Collect [Vk+p, …, Vk+2, Vk+1] and compare with [PVk+p, …, PVk+2, PVk+1]
3. Attack mode:
If |g([Vk+j]) – h([PVk+i])| > ε, detect attack
[Figure: normal mode followed by alert mode]
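The collect, predict and compare loop above, applied to Doppler shift measurements, as an added example (not the authors' Matlab implementation). Assumptions: f is a least-squares line over the last W trusted samples, g and h are the identity applied per sample, and the sample series, threshold and function names are constructed for illustration.

```python
import math


def fit_line(ts, vs):
    """Least-squares line v = slope * t + intercept through the given samples."""
    n = len(ts)
    mean_t = sum(ts) / n
    mean_v = sum(vs) / n
    sxx = sum((t - mean_t) ** 2 for t in ts)
    slope = sum((t - mean_t) * (v - mean_v) for t, v in zip(ts, vs)) / sxx
    return slope, mean_v - slope * mean_t


def detect_attack_onset(samples, window, horizon, eps):
    """Return the time of the first measurement that contradicts the prediction.

    samples: list of (t, value) pairs, oldest first.
    window:  number W of trusted past samples the predictor f is fitted on.
    horizon: number p of future samples predicted and then checked.
    eps:     largest |measured - predicted| still treated as normal.
    """
    trusted = list(samples[:window])            # collected in an unaffected area
    i = window
    while i < len(samples):
        slope, intercept = fit_line(*zip(*trusted[-window:]))   # normal mode: predict
        batch = samples[i:i + horizon]                          # alert mode: collect
        for t, v in batch:
            if abs(v - (slope * t + intercept)) > eps:          # attack mode: compare
                return t
        trusted.extend(batch)    # only values deemed correct feed later predictions
        i += horizon
    return None


def constructed_doppler(attack_at=None, offset_hz=900.0):
    """Constructed series: smooth Doppler drift with small ripple, 1 sample/s for 300 s.

    From attack_at onward the receiver is locked on a replayed signal whose
    frequency the attacker does not adjust, shifting the measured value.
    """
    series = []
    for t in range(300):
        hz = 2750.0 - 1.5 * t + 2.0 * math.sin(t)
        if attack_at is not None and t >= attack_at:
            hz += offset_hz
        series.append((t, hz))
    return series


if __name__ == "__main__":
    print(detect_attack_onset(constructed_doppler(), 30, 5, 25.0))
    print(detect_attack_onset(constructed_doppler(attack_at=200), 30, 5, 25.0))
```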
126
Securing Localization (cont'd)
• Inertial sensors
– Location Inertial Test
• Accurate and stable clocks
– Clock Offset Test
• Doppler shift
– Doppler Shift Test
P. P. and A. Jovanovic, “GNSS positioning: Attacks and Countermeasures,” IEEE MILCOM 2008
127
Securing Localization (cont'd)
• Setup
– Observation and navigation data; RINEX format
– GPS functionality implemented in Matlab
– Receiver movement over 300s
– Adversary
• Static
• Mobile with velocities less than 250 km/h
• Without or with control over the transmission frequency
• Multiple radios
128
Securing Localization (cont'd)
• Location Inertial Test
• Fast increasing inaccuracy of the inertial measurement unit
– To succeed with replay attack: Jam for < 1 min
[Figure: inertial navigation error [m] vs. GNSS unavailability period [s]]
[Figure: Y coordinate [m] vs. X coordinate [m]: attacker-induced trajectory and actual trajectory]
129
Securing Localization (cont'd)
• Clock Offset Test
• Commodity receivers: clocks drift fast (see left figure)
– To succeed with replay attack: Jam for 2 min, to make tV ~20-30 ms acceptable
• Improve clock; e.g., micro-second accuracy for 6 min
– To succeed with replay attack: Jam for hours
[Figure, left: time offset [s] vs. time [30 s step]]
[Figure (b): time offset [ms] vs. attack duration [s]]
130
Securing Localization (cont'd)
• Doppler Shift Test
• Doppler Shift (DS) at the receiver depends primarily on the relative velocity of transmitter and receiver
– Satellite velocity, ~3 km/s, dominant; smooth DS changes
– Easy to detect a simple attacker
– Sophisticated attackers need to predict the mobility of the receiver, thus predict the DS, and adjust their transmission frequency accordingly
[Figure: Doppler shift variation, SV-04, time period t = 300 s; frequency offset [Hz] vs. time [s]; legend: measured Doppler shift, linear approximation, prediction bounds of the linear approximation]
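The normal/alert/attack procedure from the earlier slide, applied to the Doppler Shift Test, as an added example that is not code from the tutorial or the cited paper. It assumes f is a least-squares line over the last W samples and that g and h compare sample by sample; W, P, EPS and the Doppler trace are constructed values.

```python
# Added example. Assumptions: f is a least-squares line, g and h are the
# identity (sample-by-sample comparison); W, P, EPS and the trace are constructed.
W, P, EPS = 20, 5, 50.0   # window length, prediction horizon, threshold [Hz]

def fit_line(values):
    """Least-squares line through (0, v0), (1, v1), ...: (slope, intercept)."""
    n = len(values)
    mean_t, mean_v = (n - 1) / 2, sum(values) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in enumerate(values))
    den = sum((t - mean_t) ** 2 for t in range(n))
    slope = num / den
    return slope, mean_v - slope * mean_t

def predict(window, p=P):
    """Normal mode: [PV_{k+1} .. PV_{k+p}] = f(V_{k-W} .. V_k)."""
    slope, intercept = fit_line(window)
    return [intercept + slope * (len(window) + j) for j in range(p)]

def detect_onset(samples, w=W, p=P, eps=EPS):
    """Index of the first sample that fails the test, or None if all pass."""
    trusted = list(samples[:w])      # collected before entering the attacked area
    k = w
    while k < len(samples):
        block = samples[k:k + p]                     # alert mode: collect
        predicted = predict(trusted[-w:], p)
        for j, (v, pv) in enumerate(zip(block, predicted)):
            if abs(v - pv) > eps:                    # attack mode: discrepancy
                return k + j
        trusted.extend(block)        # only accepted values feed later predictions
        k += len(block)
    return None

def constructed_doppler(n=300, attack_at=None, offset_hz=300.0):
    """Constructed 1 Hz Doppler trace: smooth drift plus small bounded jitter."""
    trace = []
    for t in range(n):
        v = 2700.0 - 1.3 * t + ((t * 37) % 11 - 5) * 0.4
        if attack_at is not None and t >= attack_at:
            v += offset_hz           # replayed signal with a mismatched Doppler shift
        trace.append(v)
    return trace

if __name__ == "__main__":
    print(detect_onset(constructed_doppler()))                # no attack
    print(detect_onset(constructed_doppler(attack_at=183)))   # 300 Hz mismatch
```

Values that fail the comparison are never added to the trusted window, so the prediction keeps reflecting the measurements taken before the attack onset.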
131
Securing Localization (cont'd)
• Doppler Shift Test
– Simple attacker: striking difference between measured and expected DS
[Figure: frequency offset [Hz] vs. time [s], one panel per satellite: SV-1, SV-4, SV-7, SV-13, SV-20, SV-24, SV-25]
132
Securing Localization (cont'd)
• Doppler Shift Test
– Sophisticated attacker: some uncertainty about the receiver's mobility; detectable DS differences ~ 300 Hz
[Figure: frequency offset [Hz] vs. time [s], one panel per satellite: SV-1, SV-7, SV-9, SV-13, SV-21, SV-25, SV-29]
133
Summary
• Vulnerability of GNSS: Long known issue, could become a major problem
• Upcoming systems are to enhance availability (against unintentional interference) and offer security features
• Attacks at the physical layer (e.g., replay attacks) are possible even when cryptographic protection is available
• Simple non-cryptographic solutions can raise the bar even for sophisticated adversaries
134
Additional Readings
• Secure localization
R. Poovendran, C. Wang, S. Roy (Editors), “Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks,” Series: Advances in Information Security, Vol. 30, Springer, 2007
• Security for GPS-based Localization
J.A. Volpe, “Vulnerability Assessment of the Transportation Infrastructure Relying on GPS,” NTSC, NAVCEN draft report, 2001
T.K. Adams, “GPS Vulnerabilities,” Military Review, 2001
L. Scott, “Anti-Spoofing and Authenticated Signal Architectures for Civil Navigation Signals,” ION-GNSS 2003
135
Complex Wireless Systems:
Secure Vehicular Communications
136
Secure Vehicular Communications
[Figure: Secure and Privacy-Enhancing V2V and V2I Single- and Multi-hop Wireless Communication; Secure Wire-line Communication; labels: RSU_A, RSU_B, CA_A, CA_B]
137
Secure VC (cont'd)
[Figure: message from Vehicle V, received by Vehicle U]
Message fields:
– Payload: Warning: Accident at (x,y,z) !!
– Location: (xV,yV,zV)
– Time: tV
– Signature with kV
– CertCA(V,KV,AV,T)
138
Secure VC (cont'd)
[Figure labels: Source (S), Forwarder 1 (F1), Forwarder 2 (F2), Destination (D)]
• Position-based routing
– Relaying nodes (forwarders) also send packets to the geographically closest node to the destination (location)
– Security: prevent manipulation of PBR-specific mechanisms
A. Festag, P. Papadimitratos, and T. Tielert, “Design and Performance of Secure GeoCast for Vehicular Communication,” LCA-REPORT-2009-007
139
Pseudonymous Authentication (cont'd)
[Figure: timeline of messages]
PNYM_K1: Msg. 1 | Sig_k1 | Cert_1
PNYM_K1: Msg. 2 | Sig_k1 | Cert_1
PNYM_K1: Msg. 3 | Sig_k1 | Cert_1
140
Pseudonymous Authentication (cont'd)
[Figure: timeline of messages]
PNYM_K1: Msg. 1 | Sig_k1 | Cert_1
PNYM_K1: Msg. 2 | Sig_k1 | Cert_1
PNYM_K1: Msg. 3 | Sig_k1 | Cert_1
PNYM_K2: Msg. 4 | Sig_k2 | Cert_2
PNYM_K2: Msg. 5 | Sig_k2 | Cert_2
PNYM_K2: Msg. 6 | Sig_k2 | Cert_2
142
Are Secure VC Systems Practical?
• Can security protocols run, along with the VC protocol stack, on the embedded computing units?
• Are security architectures easy to manage?
• Can a secured vehicular communication system be as effective as one without security?
143
Are secure VC systems practical? (cont'd)
• Lesson 1: More on-board processing power
• Lesson 2: Careful use of strong security
– Communication optimizations
– Adaptation to operational requirements
• Lesson 3: Impact of security on VC-enabled applications
• Lesson 4: Security is perceived as a constraint
P. P., "On the road - Reflections on the Security of Vehicular Communication Systems," IEEE ICVES, 2008
144
Communication Overhead
Communication reliability (P) as a function of the neighborhood size (N); γ: beaconing rate
145
Processing Power
2-class M/D/1 queue
Message verification delay, for short packets; α= 10, β= 0, τ= 60; HP scheme; λ for the same setup and for γ=10 beacons/sec
146
SVC and Transportation Safety
• Emergency braking
• Platoon of 100 cars on one lane
– Average spacing: 20 m
– Average speed: 80 km/h
– Wet road
• Braking capability: 4 m/s²
– Driver reaction 0.75 – 1.5 s
– Pseudonym lifetime 60 s
– Emergency event at the head after 60 s
– No lane change
P. P., G. Calandriello, A. Lioy, and J.-P. Hubaux, “Impact of Vehicular Communication Security on Transportation Safety," IEEE INFOCOM MOVE 2008
G. Calandriello, P. P., J-P. Hubaux, and A. Lioy, "On the Performance of Secure Vehicular Communication Systems," LCA-REPORT-2009-006, May 2009
147
SVC and transportation safety (cont'd)
• Hybrid scheme, 8 lane highway, 160 vehicles in range
• Crash average is 80-100% without V2V-communication
149
Summary
• Addressed problems
– Identity and key management, Secure communication, Privacy enhancing technologies
• System resource and cost constraints
• Stringent operational (application) requirements beyond information technology terms
• Careful security design and overall system performance evaluation
P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, “Secure Vehicular Communications: Design and Architecture,” IEEE Communications Magazine, November 2008
F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, B. Wiedersheim, E. Schoch, T.-V. Thong, G. Calandriello, A. Held, A. Kung, and J.-P. Hubaux, “Secure Vehicular Communications: Implementation, Performance, and Research Challenges,” IEEE Communications Magazine, November 2008
150
Wireless System Security
Panos Papadimitratos
http://people.epfl.ch/panos.papadimitratos
Summer School on Network and Information Security 2009