Friendly CryptoJam: A Mechanism for Securing Physical-Layer Attributes

Friendly CryptoJam: A Mechanism for Securing Physical-Layer Attributes

Friendly CryptoJam: A Mechanism for Securing Physical-Layer Attributes Hanif Rahbari and Marwan Krunz Department of Electrical and Computer Engineering University of Arizona ACM WiSec 2014 Motivation Even when encrypted, wireless transmissions reveal information IPT PRL PRL size PRL PRL PRL PRL payload PRL PRL Mod. scheme Rate (1) Side-channel information (e.g., packet duration, inter-packet times, modulation scheme, traffic volume, etc.), or (2) Unencrypted low-layer fields (e.g., type field in the 802.11 MAC header, rate field in 802.11 PHY header, ) (3) Encrypted but semi-static fields (encryption results in a few possible

outputs; can be pinned down via a dictionary attack) Leaked info can be used in passive and active attacks Examples of Privacy Attacks Assume payload is encrypted (e.g., WPA2, IPSec, HTTPS, etc.) 1) Nave Bayes classification attack 3) Googles auto-suggestion vulnerability Downstream (Kilobytes) (uses traffic volume & directionality) Search for guns x x+1 x+2 x+3 y+97 y+85 y+21 y

gun gu g guns e Skyp Upstream (Kilobytes) g Browsin [Dyer et al., SP12] 2) Application classification attack (uses frame-size statistics, # of frames, and directionality) g din loa Up g Gamin Hierarchical (decision-tree) classification structures 5-second eavesdropping on encrypted MAC traffic 80% classification accuracy

Watching video Dow nloa ding B it Tor ren Ch t at t in g Example of an Active Attack Rate-adaptation attack [Noubir et al., WiSec11] PRL PRL PRL PRL PRL PRL Retransmission Rate Rate 1 2

Existing Countermeasures Friendly jamming / Artificial noise (with MIMO or relay nodes) I-value Normalized Symbol Cross-Correlation Ineffective against: (1) plain-text attack, (2) cross-correlation attack Padding Sample index Correct value Jamming-to-Signal Ratio (dB) (1) Effective in hiding traffic volume & packet size but with 100-400% overhead (2) Ineffective in hiding unencrypted headers and the modulation scheme Digital encryption (block ciphering) (1) In a networked scenario, digital encryption is limited to MAC payload (2) Ineffective in hiding mod. scheme and semi-static fields (dictionary attack) Design Goals of Friendly CryptoJam 1st Goal: Maintain interoperability with current systems Add-on module Keep same set of modulation schemes 01010101 802.11 FCJ

Must know supported modulation schemes and preamble structure Challenges: (1) Must have minimal impact on the acquisition of wireless parameters Ex: Frequency offset, frame timing, channel estimation, (2) Must be done at the symbol level Design Goals of Friendly CryptoJam (Contd) 2nd Goal: Hide unencrypted/semi-static encrypted PHY/MAC headers Implications: Use symbol-level stream cipher that is robust to cross-correlation attacks Keys must vary on a per-frame basis to counter dictionary attacks Must be able to identify senders without their (encrypted) MAC addresses Preamble PHY header MAC header Payload Challenges: (1) How to convey per-frame IDs for pulling up the right decryption key before the arrival of the PHY header (2) How to generate an unpredictable cipher-text for each frame Design Goals of Friendly CryptoJam 3rd Goal: Hide modulation scheme without sacrificing throughput Decorrelate packet size from frame duration Maintain same BER performance 64-QAM Idea: Upgrade payloads mod. scheme to the highest modulation order using a secret sequence Challenges:

BPSK QPSK (1) Upgrading the modulation scheme may degrade data rate (2) Rx needs to recover the original modulation symbols 16-QAM 64-QAM Friendly Jamming vs. Collisions Friendly jamming signal is controllable but independent of the data Under existing friendly jamming schemes, an information frame can still be partially or fully recovered by a MIMO-capable adversary Collision is uncontrollable Jamming signal is modulated with a structured modulation Theoretically, collided frames are not recoverable Superposition of modulated signals creates a new constellation map Example: Superposition of two QPSK-modulated signals -1 +1 -1 +2 +1 +1

-1 +1 -1 -2 +2 -2 The new map may reveal the original modulation scheme(s) Friendly CryptoJam in a Nutshell Fusion of symbol-level cryptography and non-extractable friendly jamming (with jamming in the form of signal combining/collision) Main Elements: 1) Modulation Encryption: Randomizes locations of modulated symbols to protect unencrypted and semi-static encrypted headers 2) Modulation Unification: Randomly upgrades a modulated symbol to hide the true modulation scheme (and hence, packet size) 3) ID Embedding: Embeds a frame-specific ID in the preamble: P P*=P+ID (identifies sender + maintains synchrony in secret generation of bogus traffic) 01 11 +1 -1 00

Mod. Encryption 00 10 01 +1 -1 +1 -1 16-QAM Enc. QPSK QPSK 11 +1 -1 Mod. Unification -3 10 -1

+1 +3 System Model (802.11b) Scrambled 1s Rate CSI Payload Compute and prepend header Coding / Scrambling (1) Modulation Encryption (2) Modulation Unification (3) ID Embedding 1 Modulation 2 Modulation 3 Prepend preamble

Example Encrypt. Payload 400 bytes Before FCJ P hdr 16-QAM 16-QAM Encrypt. Payload 150 bytes P hdr Mod. encrypted After FCJ Eves belief: P*hdr 64-QAM bytes BPSK Mod. encrypted P*hdr

64-QAM bytes Information rate remains the same Payload size decorrelated from frame duration packet-size obfuscation Bogus Traffic Generation Replaces the jamming signal and is interleaved with the data symbols 1000 1011 0100 0101 1011 0010 1101 Encryption Unification Let |R| be # of constellation points of a modulation scheme R QPSK Let M be the highest-order modulation order Generate a random secret sequence of 0s/1s Divide sequence into blocks of log2|M| bits (1) log2|R| used for modulation encryption (2) Remaining log2(|M|/|R|) bits used for mod. unification 64-QAM Modulation Encryption Applies to modulated symbols of unencrypted PHY/MAC header fields Encryption function: mod |R| Decryption function: (|R| mod |R| Encryption function R = QPSK

Example: 01 00 11 +1 01 +1 x y 0 1 2 3 0 0 1 2 3 -1 00 -1 +1 -1 11 10

+1 1 1 2 3 0 2 2 3 0 1 -1 10 3 3 0 1 2 1000 1011 0100 0101 1011 0010 Bogus traffic (x): Data symbols (y): Encrypted symbol: 2 3 1 2 0 2 1 2 0 1 0 1 2 1

3 0 3 3 Modulation Unification For every R-modulated information symbol, there are |M|/|R| possible points on the constellation map of M Each possibility is selected based on value of unification bits An optimal mapping maximizes the avg. pairwise distance between the resultant points so as to reduce demodulation error M = 16-QAM R = QPSK 01 11 +1 -1 00 Mod. Unification +1 -1 11

01 -1.34 10 00 -0.44 +0.44 +1.34 10 Symbols correspond to one given unit of unification bits Modulation Unification (contd) M = 16-QAM R = BPSK 0 0 1 -1 +1

Mod. Unification -0.95 -0.32 +0.32 1 +0.95 Implication on Transmission Power Friendly CryptoJam comes at a cost in transmission power (1) Optimal modulation upgrade may not preserve original distances higher information BER at Bob (2) Mapping used for mod. encryption destroys Gray code structure 00 mod. unification +1 -1 -1 +1 -1 -0.44 01

+1 +1 0.44 1.34 11 -1 10 Gray code violation must boost transmission power to maintain same BER For the set of {BPSK, QPSK, 16-QAM, and 64-QAM}, only 1.2 dB increase in transmission power is needed Synchronous Generation of Bogus Traffic Secure hash function (e.g., SHA-2) is used to generate bogus traffic Requires a seed value; the receiver should have it before getting PHY header 1-bit change in seed changes the whole sequence (i.e., it is difficult to guess) One-way function (hashed value cannot be used to recover the initial value) Idea: Embed a part of the seed (frame ID) in the preamble, which has a known structure session key will be the other part of the seed P*hdr Session key k ID k | ID

seed SHA-2 Bogus traffic 01010101 Case Study: Embed ID in 802.11b Preamble In 802.11b, the preamble is a series of Barker sequences A Barker sequence has a low cross correlation with its shifted versions Embed ID as a concatenation of cyclically shifted versions: P*=P+ID Embedded message does not impact normal functions of the preamble (1) Frame detection (2) Frequency offset estimation (3) Channel estimation Example (1 bit in preamble): Cross-correlation w/o FCJ: 11 P: ID +1 -1 +1 +1 -1 +1 +1 +1 -1 -1

-1 2 ( P P ) i i 121 i 1 -1 -1 +1 -1 +1 +1 -1 +1 +1 +1 -1 Cross-correlation with FCP: 11 2 ( P P * ) i i 100 P*:

0 -2 +2 0 0 +2 0 +2 0 0 -2 i 1 11 (P i 2 i 1 P *i ) 2 100 Performance Evaluation (Simulations) Bob runs a sliding-window cross-correlation Spikes due to embedded ID are detectable and also distinguishable from main spike Embedded Message Spikes

% of Accurately Detected Frames 802.11 system with four Barker sequences (4-bit preamble) Frame detection and ID extraction: SNR (dB) Eve cannot decode originally unencrypted fields Bob, however, performs almost as good as default With FCJ, Alice needs a slight power boost (~1 dB) BER BER performance (QPSK): SNR (dB) Experimental Setup NI-USRP 2922 (Alice and Bob/Eve) 1.2 meter distance with a cardboard box delimiter (not shown below) LabVIEW programming environment Performance Evaluation (USRP Experiments) USRPs in an indoor environment Received symbols at Bob/Eve: BPSK 16-QAM QPSK 16-QAM Original modulations: BPSK & QPSK Upgraded modulation: 16-QAM

To Eve, they both look 16-QAM BPSK: 250 bits, QPSK: 500 bits, 16-QAM: 1000 bits Eve cannot distinguish between packet sizes Successful modulation-encryption BER Same frame duration (3.64 ms) for different modulation schemes: Modulation Scheme Conclusions With a slightly increased transmission power, Friendly CryptoJam can Encrypt the header fields at modulation level (perfect secrecy), Obfuscate the packet size, and Hide the modulation scheme; but without Increasing the transmission time (no padding), Any significant overhead, Modifying the standard protocols on the devices (add-on feature). Publicity of preamble can be exploited to embed a frame (session) ID Now the MAC address can be encrypted Future work Extend to OFDM-based standards More complicated experimental scenarios

Recently Viewed Presentations

  • Wafer Starts, Cycle Time, and Tools a complicated ...

    Wafer Starts, Cycle Time, and Tools a complicated ...

    The Ongoing Challenge - Tutorial The Illusion Of Capacity Incorporating the Complexity Of FAB Capacity (tool deployment & operating curve) into Central Planning for Demand-Supply Networks for the production of semiconductor based packaged goods with substantial non-FAB complexity Traditional CPE...
  • Make your lab report better - University of Sussex

    Make your lab report better - University of Sussex

    Predictions should be based on previous findings from other authors (Step 2) Design the study For this term: Questionnaire study Again, keep it simple You should be able to test your hypotheses with the questions you choose to use We'll...
  • Crash course in nuclear power generation Ruaridh Macdonald

    Crash course in nuclear power generation Ruaridh Macdonald

    Fission products - radioactive daughter particles. Minor actinides - heavy particles created by non-fission absorption. Most of these are radioactive but to different degrees and for different amounts of time. Different strategies for storage. Waste Storage.
  • The Alamo -

    The Alamo -

    Texians reasoning: Alamos sits on an important road Travis and Bowie felt that they could hold the Alamo and felt safe there Alamo could slow down the Mexican army because it is in the middle of Texas The Siege of...
  • Stockholm: European Green Capital

    Stockholm: European Green Capital

    Boston and recycling. Residential recycling rate is only on 20% (80% in San Francisco, 60% in Seattle) Food waste comprises 25% of the current waste stream. 100 cities have curbside collection of organic waste => Boston has only a voluntary...
  • Leucémie lymphoïde chronique

    Leucémie lymphoïde chronique

    Regardes au microscopie optique à fort grossissement . permet une étude cytologique des éléments figurés du sang GR , GB , PLT . Permet de confirmer les données hématimetriques . les globules rouges :des cellules anucléés de 8 µm de...
  • TKAM Introduction And Other Materials Banned Books!?! List

    TKAM Introduction And Other Materials Banned Books!?! List

    -Someone tried to break into Judge Taylor's house 3. - Helen Robinson is hired by Link Deas and harassed by Bob Ewell 4. -he seems to have a "permanent grudge with everyone involved in the case" 5. -children moved it...
  • Chapter 5 The Skin and Dermatologic Drug Therapy

    Chapter 5 The Skin and Dermatologic Drug Therapy

    If patients have a skin problem, pharmacy technicians can get involved. Can help identify patients with likely problems. ... Are vitamin A derivatives. Mechanism of Action: increase cell turnover in follicles, which pushes clogged material of the pores.