
Improving the Privacy of IEEE 802.15.4 with Dynamic and Secret Spreading Sequences

Björn Muntwyler

18th March 2010 - 17th September 2010

Advisors: Dr. Vincent Lenders & Dr. Franck Legendre

Supervisor: Prof. Dr. Bernhard Plattner

ITET / TIK / CSG, 21 October 2010

Motivation

Hardened WLAN Systems:
- Specialized
- High security and privacy
- High costs
- Proprietary and hard to get

Standard WLAN Systems:
- Standardized
- Low security and privacy
- Low costs
- High interoperability

[Figure labels: military proprietary solutions; Wifi (WPA); ZigBee; Bluetooth. Picture Source: http://galerie.designnation.de/bild/17750]

Goal: Hardening an open standard wireless communication protocol to increase the users' "privacy".

Conditions:
- Based on an open standard
- Using Software Defined Radios (SDR)

[Figure label added in this build: Ideas, Mechanisms]

Privacy dimensions shown: Informational; Identification; Communication Relationships; Location

Background: Direct Sequence Spread Spectrum

- Information spread to a bandwidth much greater than required for transmission
- Spreading by modulating each information bit on a spreading sequence (chips)
- Spreading sequence independent of data, higher bandwidth
- Narrowband signal spread to a broadband signal
- Power spectrum is spread over a larger bandwidth

Benefits: anti-jamming, anti-interference, low probability of intercept, frequency reuse (e.g. CDMA)

Background: IEEE 802.15.4

Working with the SDR for IEEE 802.15.4:
- PHY and MAC sublayer for a LR-WPAN (e.g. used by ZigBee)
- Used frequency band at 2450 MHz
- Uses 16-ary Direct Sequence Spread Spectrum technique and O-QPSK modulation (16 spreading sequences, not only one!)
- Publicly known symbol-to-chip table used by all the nodes

Our Approach

Idea: Using secret and random symbol-to-chip table and changing it dynamically
+ customizable privacy solution

- Obfuscating all transmitted bits at the lowest possible layer (PHY)
- Using low probability of intercept property of DSSS
- Defend against cryptographic attacks on spreading sequences by dynamically changing them

[Figure labels: Fixed standard Code; Secret pairwise Codes]

Pairwise Synchronized Code Hopping Protocol (PSCHP)

Secret Code = Secret Symbol-to-Chips table
- Containing 16 secret, random spreading sequences; one spreading sequence can't be determined from another.

Use two pairwise Codes for each neighboring node
- One for sending and one for receiving (prevents correlations between request/reply)

Periodic pairwise Code Hopping
- Dynamically hop from one Code to the next every b bytes or t secs
- Periodically renewing seed value for Code-Generator using Elliptic-Curve Diffie-Hellman (3WHS-KA)

[Figure labels: nodes A, B, C; K1 K2 K3 K4; C1 C2 C3 C4]

PSCHP Overview

- Global Code Cglobal to join the network
- Device Discovery using Beacon
- New Code-Generator-seed using 3WHS-KA (Elliptic-Curve Diffie-Hellman)
- Local Code generation
- Periodically checking Code lifetime ...
  - Sent bytes b
  - Time since last Code Hop t
- ... and hop to next Code
- Periodically renew seed every k Code Hops (using 3WHS-KA)

[Figure labels: Joining the Network; Communication]

PSCHP: Code Hops

- Code identification during synchronization with preamble
- c Backup Codes to account for packet losses (per neighbor)
- Node needs to check n ⋅ (c+1) Codes to identify the matching one
- Depending on hardware one might need to reduce the number of allowed neighbor associations (n) and/or the number of Backup Codes (c)

[Figure: timeline with k = 9. Code Generator Seed lifetime of Seed 1 covers Code 1.1 to Code 1.9, each with its own Code lifetime; 3WHS-KA (renew seed) precedes Seed 1 and again precedes Seed 2, which starts with Code 2.1]
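A small model of the Code hopping and Backup Code search described on this slide, as an added example (not code from the thesis or its GNU Radio implementation). The HMAC-SHA256 Code generator, the chip-error threshold, the omission of the SFD and all class and function names are assumptions; the slides do not state how Codes are derived from the seed.

```python
import hashlib
import hmac

SYMBOLS = 16  # 16-ary DSSS: one 32-chip sequence (stored as a 32-bit int) per symbol

def derive_code(seed: bytes, hop: int) -> list[int]:
    """ASSUMED generator (not from the slides): HMAC-SHA256(seed, hop || symbol)."""
    return [int.from_bytes(hmac.new(seed, hop.to_bytes(4, "big") + bytes([s]),
                                    hashlib.sha256).digest()[:4], "big")
            for s in range(SYMBOLS)]

def spread(payload: bytes, code: list[int]) -> list[int]:
    """4-octet zero preamble (8 zero symbols), then two 4-bit symbols per octet."""
    symbols = [0] * 8
    for octet in payload:
        symbols += [octet & 0x0F, octet >> 4]
    return [code[s] for s in symbols]

def distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")  # number of differing chips

def despread(chips: list[int], code: list[int]) -> bytes:
    """Nearest chip sequence per symbol, so a few chip errors are tolerated."""
    syms = [min(range(SYMBOLS), key=lambda s: distance(w, code[s])) for w in chips[8:]]
    return bytes(lo | (hi << 4) for lo, hi in zip(syms[0::2], syms[1::2]))

class Sender:
    def __init__(self, seed: bytes, b: int):
        self.seed, self.b, self.hop, self.sent = seed, b, 0, 0

    def send(self, payload: bytes) -> list[int]:
        if self.sent >= self.b:  # Code lifetime of b bytes is used up: hop
            self.hop, self.sent = self.hop + 1, 0
        self.sent += len(payload)
        return spread(payload, derive_code(self.seed, self.hop))

class Receiver:
    def __init__(self, c: int, max_chip_errors: int = 4):  # threshold is assumed
        self.c, self.max_err, self.neighbors = c, max_chip_errors, {}

    def associate(self, name: str, seed: bytes) -> None:
        self.neighbors[name] = [seed, 0]  # seed and current receive hop

    def receive(self, chips: list[int]):
        """Match the preamble against the active Code and c Backup Codes of each
        neighbor; returns (neighbor, hop, payload, Codes checked)."""
        checked = 0
        for name, state in self.neighbors.items():
            seed, hop = state
            for h in range(hop, hop + self.c + 1):
                code, checked = derive_code(seed, h), checked + 1
                if all(distance(w, code[0]) <= self.max_err for w in chips[:8]):
                    state[1] = h  # resynchronise: skipped Codes are dropped
                    return name, h, despread(chips, code), checked
        return None, None, None, checked  # n * (c + 1) Codes tried, none matched

def demo():
    seed = b"constructed seed A->B"  # constructed sample values
    a, rx = Sender(seed, b=22), Receiver(c=2)
    rx.associate("A", seed)
    rx.associate("C", b"constructed seed C->B")
    packets = [a.send(bytes([i]) * 22) for i in range(7)]  # one hop per packet
    results = [rx.receive(packets[i]) for i in (0, 2, 6)]  # the others are lost
    return [(name, hop, checked) for name, hop, _, checked in results]

if __name__ == "__main__":
    print(demo())
```

With c = 2 the receiver recovers after one lost packet through a Backup Code, but after three consecutive losses it tries all n ⋅ (c+1) = 6 Codes without a match and stays out of sync until the seed is renewed.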

Evaluation: PSCHP vs. IEEE 802.15.4

Setup:
- Implementation of PSCHP based on GNU Radio toolkit
- UCLA ZigBee Physical Layer Implementation
- USRP2 with the XCVR2450 transceiver daughterboard

Key Questions:
- Performance loss in terms of Packet Loss by using dynamic and random Codes vs. the nearly orthogonal Code from IEEE 802.15.4?
- Protocol Overhead of PSCHP compared to IEEE 802.15.4?
- How fast could a passive attacker corrupt the secrecy of the Codes?

Evaluation: Packet Loss

Random Codes compared to nearly orthogonal Code from IEEE 802.15.4 standard:
- No minimum distance between chip-sequences of a Code
- PER increase below 13 %

[Figure: Packet Loss [%] vs. Signal-to-Noise Ratio (SNR) [dB]. Left: Cable. Right: Over the air (real world scenario). Curves: IEEE 802.15.4; PSCHP 2 sec lifetime; PSCHP 5 sec lifetime; PSCHP 20 sec lifetime; PSCHP 50 sec lifetime]

Evaluation: Overhead and finding suitable k

k: Number of Code Hops per seed (between two 3WHS)

- k = 100 ➔ Overhead = 4.9%
- k = 1000 ➔ Overhead = 0.5%

Attacking the Secrecy of the Codes

Worst Case Attacker (PSCHP point of view):
- All Parameters assumed to be known (except the secret Code!)
- Assumed ability to distinguish Codes
- Attacker can synchronize and demodulate message

Adapted m-ary DSSS attack [Wang, ICC, 2008]

Attacker Strategy:
1. Record chip stream from channel. As synchronization is assumed, this results in a list of intercepted chip-sequences
2. ∃ chip errors ➔ K-means Clustering to eliminate chip errors (K = 16)
3. Collect centroids / Stop if matching true Codes

- Finding theoretical bound
- Implemented and measured performance of attacker (cable setup)
- Determine how often each individual chip sequence is needed
- Determine required amount of chip sequences

Attacking the Secrecy of the Codes

- The lower the SNR (the higher the chip error rate) the more often each individual chip sequence is required
- Asymptote (uniform distributed): No Chip Errors ➔ each once
- E[each Chip Seq. received once] ≅ 54
- b ≤ 27 bytes
- Need a Code Hop every packet to defend against Worst Case Attacker (with an average packet size of 22 bytes)
- Measurements obtained over cable setup
- Over the air (wireless channel) might require even more bytes

[Figures: Measured required amount of Chip Sequences vs. SNR [dB]; Measured averaged number of appearances per chip-sequence vs. SNR [dB]]

Conclusion

- Implementation of PSCHP protocol using SDR
- Secret and dynamically changing Codes instead of the publicly known Code from IEEE 802.15.4
- PER increase compared to IEEE 802.15.4 below 13%
- Protocol overhead smaller than 1%
- Shown that Worst Case Attacker requires 27 bytes to break the secrecy of the Codes
- Working idea, acceptable tradeoff, but requires hardware adaptation
- Paper (14 pages, available on wiki)

Future Work:
- Dynamic spreading factor
- Randomizing inter packet timings and packet size ➔ max. entropy [Kamat, ACM TOSN, 2009]


Thank you for listening...

... any questions?


Appendix: Privacy in Wireless Communications

Privacy is a very broad topic - In my Master Thesis, the main focus is on the following four privacy dimensions:

Informational: What is the content of the communication?

Identification: Who is communicating?

Communication Relationships: Who is communicating with whom?

Location: Where are the nodes communicating?

Appendix: Privacy Benefits

Informational: All transmitted bits obfuscated at lowest possible layer (PHY) provides informational privacy - can't decode message without matching Code

Identification: No more identifiers available as all transmitted bits obfuscated

Communication Relationships: Using two pairwise keys - no correlations between requests and replies

Location: Low probability of intercept property can deliver some level of location privacy - plus the additional missing identifiers and the fact that the Codes are changed dynamically will make localization harder

(Physical layer fingerprinting not considered - out of scope)

Appendix: Privacy in Wireless Communications

Many potential privacy leaks of wireless communication protocols (considering a passive attacker)

[Figure: tree titled "Passive Attacker on Privacy". Labels: Identifiers; RSSI; Packet timing; Traffic shape; Location; ToA; AoA; Randomness; Packet size; Inter-arrival Timing; Sending Time; Network Layer; Link Layer; Physical Layer; Service disc., Control Msgs.; Trace Linkability; Application (Traffic Analysis)]

Appendix: IEEE 802.15.4 PPDU

- Preamble for synchronization: find τ
- SFD = Start of Frame Delimiter

Octets     Field                                     Part of       Bits
4          Preamble                                  SHR           0000...0000
1          SFD                                       SHR           11100101
1          Frame length (7 bits), Reserved (1 bit)   PHR
variable   PSDU                                      PHY payload

Appendix: IEEE 802.15.4: Spreading

- Entering bit stream divided into 4-bit symbols
- Symbols mapped to chip sequence according to symbol-to-chips table ➟ 16-ary Direct Sequence Spread Spectrum
- 16 PN sequences, not only one!
- O-QPSK modulation

Appendix: PSCHP Privacy Parameters

- Code lifetime: b bytes and t seconds (Code-lifetime-BC & Code-lifetime-TC)
- Number of Backup Codes c
- Number of Silent-Code-Hops k
- D-Beacon interval

Appendix: PSCHP Example

[Figure: message sequence between Node A and Node B over time, built up across five slides, with each node's Code-Set (Active Codes, Backup Codes (REC)) listed beside it. Annotations: "Packets Lost"; "Successful decoding using Backup Code".]

Messages, as listed in the final build:
INI-SYNC(Ci,0,SEND,AB)
INI-ACK(Ci,0,SEND,BA)
ACK-SYNC(Ci,0,SEND,AB)
DATA(Ci+1,0,SEND,AB) (3 times)
DATA(Ci+1,1,SEND,AB) (2 times)
DATA(Ci+1,2,SEND,AB)
DATA(Ci+1,1,SEND,AB)
DATA(Ci+1,2,SEND,AB) (2 times)
DATA(Ci+1,3,SEND,AB) (2 times)
DATA(Ci+1,k,SEND,AB)
INI-SYNC(Ci+1,k,SEND,AB)
INI-ACK(Ci+1,0,SEND,BA)

Code-Set of Node B over time (Active Codes | Backup Codes (REC)):
Ci,0,SEND,BA; Ci,0,REC,BA | Ci,1,REC,BA; ...; Ci,REC,BA
Ci+1,0,SEND,BA; Ci+1,0,REC,BA | Ci+1,1,REC,BA; ...; Ci+1,c,REC,BA
Ci+1,0,SEND,BA; Ci+1,1,REC,BA | Ci+1,2,REC,BA; ...; Ci+1,c+1,REC,BA
Ci+1,0,SEND,BA; Ci+1,3,REC,BA | Ci+1,4,REC,BA; ...; Ci+1,c+3,REC,BA
Ci+1,0,SEND,BA; Ci+1,k,REC,BA | Ci+1,k+1,REC,BA; ...; Ci+1,k+c,REC,BA

Code-Set of Node A over time (Backup Codes (REC) | Active Codes):
Ci,1,REC,AB; ...; Ci,REC,AB | Ci,0,SEND,AB; Ci,0,REC,AB
Active Codes after the seed renewal, in order: Ci+1,0,SEND,AB; Ci+1,0,REC,AB, then Ci+1,1,SEND,AB; Ci+1,0,REC,AB, then Ci+1,2,SEND,AB; Ci+1,0,REC,AB, then Ci+1,3,SEND,AB; Ci+1,0,REC,AB, then Ci+1,k,SEND,AB; Ci+1,0,REC,AB

Appendix: Coupon Collectors Problem / Dixie Cup Problem

- How many Panini Pictures do we need to buy to get each of the m pictures at least r times?
- In our case m = 16 Codes
- Get the expectation value according to the formula below:
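The arithmetic behind the E ≅ 54 and b ≤ 27 bytes figures on the attack slide and this appendix, as an added example that is not part of the original slides. It assumes the standard Newman-Shepp integral for the double dixie cup problem (the slide's own formula is not reproduced on this page) and uniformly distributed symbols; function names are illustrative.

```python
import math
import random

def expected_draws(m: int, r: int, steps: int = 40000) -> float:
    """Expected draws until each of m equally likely items was seen >= r times.

    Newman-Shepp: m * integral_0^inf [1 - (1 - e^-t * sum_{j<r} t^j/j!)^m] dt,
    evaluated with composite Simpson on [0, upper]; the tail is negligible.
    """
    upper = 60.0 + 10.0 * r
    h = upper / steps

    def f(t: float) -> float:
        partial = sum(t ** j / math.factorial(j) for j in range(r))
        miss = min(1.0, partial * math.exp(-t))  # P[one item seen < r times]
        return 1.0 - (1.0 - miss) ** m

    total = f(0.0) + f(upper)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * f(i * h)
    return m * total * h / 3.0

def simulate(m: int, r: int, trials: int = 5000, seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_draws with a fixed seed."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        counts, done = [0] * m, 0
        while done < m:
            i = rng.randrange(m)
            counts[i] += 1
            total += 1
            if counts[i] == r:
                done += 1
    return total / trials

def code_lifetime_bytes(m: int = 16, r: int = 1, bits_per_symbol: int = 4) -> int:
    """Largest whole number of bytes an observer can collect before, on average,
    having seen every chip sequence r times (upper bound for the hop parameter b)."""
    return math.floor(expected_draws(m, r) * bits_per_symbol / 8)

if __name__ == "__main__":
    for r in (1, 2, 5):  # r > 1 models an observer who must average out chip errors
        print(r, round(expected_draws(16, r), 2), code_lifetime_bytes(16, r))
```

For r = 1 this gives about 54 symbols, i.e. 27 bytes, which is why an average packet of 22 bytes leaves room for only one packet per Code.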


Appendix: Attack Tree


Appendix: Zero Symbol Collision

Probability of having at least twice the same zero-symbol chip sequence in the neighbor table


Appendix: Neighbor Table


Appendix: Code Generation from Seed


Appendix: 3WHS-KA


Appendix: PSCHP Packets


Appendix: ZigBee Layers