Wireless Communications Security Issues, Solutions and Challenges Michel Barbeau and Jeyanthi Hall Outline • Availability • Privacy • Integrity • Legitimate Participants • Absence of misbehavior 2 Security Requirements • Availability – no jamming, adaptability to unforeseen topologies • Privacy – nondisclosure of cell phone communications and 802.11 frames • Integrity – data is not intercepted and tampered • Legitimate participants – no cell phone cloning and 802.11 frame spoofing • Absence of misbehavior – fairness, greedy user detection Availability • Jamming • Inability to deal with unforeseen topologies Jamming • Shannon’s model: S C W log 1 N How to Deal With Jamming? • Increase the bandwidth – Frequency Hopping/Direct Sequence Spread Spectrum • 801.11(b) : 2.4 - 2.4835 Giga Hertz • 801.11(a): 5.15- 5.35 Giga Hertz; 5.725- 5.825 Giga Hertz – Ultra Wide Band • Bandwidth greater than 25% if center frequency • Increase the power – GPS III, planned for 2010 [Ashley, Next-Generation GPS, Scientific American, September 2003.] Inability to Deal With Unforeseen Topologies Images by: J.&G. Naudet (9/11/2001) Privacy • Cellular phone eavesdropping • Overview of privacy techniques in 2G and 3G of cellular mobile radiophones – Refs.: • V. Niemi and K. Nyberg, UMTS Security, Wiley, 2003. • M.Y. Rhee, CDMA Cellular Mobile Communications and Network Security, Prentice Hall PTR,1998. – GSM, UMTS • Challenges • Future – Reconfigurable security – Chaotic communication – Quantum cryptography Cellular Phone Eavesdropping • Inexpensive equipment for intercepting analog communications is easy to obtain in Canada. • In US, the regulations authorize the sale of scanners to the general public only is cellular frequencies are blocked. However, there are several workarounds – Web sites publish modifications to restore reception of cellular frequencies by scanners. – Frequency converters can translate cellular frequencies to the frequency range supported by a receiver. – With receivers using non quadrature mixing, the image frequency technique can be used. • Digital communications can also be intercepted with the appropriate equipment! Generations of Cellular Mobile Radiophones* • 1G – Advanced Mobile Phone System (AMPS): 1980s, Frequency Modulation (FM), Frequency Division Multiple Access (FDMA), handover between cells, limited roaming between networks • 2G – Global System for Mobile communications (GSM): 1990s, digital-coding of voice, Time Division Multiple Access (TDMA), Subscriber Identity Module (SIM), data communications • 3G – 3G Partnership Project (3GPP), Universal Mobile Telecommunications System (UMTS): 1998-, Wideband Code Division Multiple Access (WCDMA), use of GSM network model, global roaming; 2 Mbps data • 4G – All-IP-based, 100 Mbps data * List of cited technologies is not exhaustive . Security Associations in GSM Mobile Phone is part of is part of International Mobile Subscriber Identity (IMSI) Subscriber Identity Module (SIM) Temporary Mobile Subscriber Identity (TMSI) Visitor Location Register (VLR)/Base Transceiver Station (BTS) Permanent Secret Key (Ki) Authentication Centre (AuC) Session Encryption Key (Kc) Authentication in GSM Serving Network Home Location Register (HLR)/AuC Mobile Switching Centre (MSC)/ VLR Mobile Phone IMSI IMSI Authentication triplet is sent (RAND, SRES, Kc) RAND Using Ki and RAND, function A3 yields SRES function A8 yields Kc SRES' SRES'=SRES? RAND Random Number SRES Signed Response TMSI Kc Encryption/Decryption in GSM Kc (64 bits) A5 pseudo random key stream (114 bits) Frame number (22 bits) XOR plain text message or encrypted message (114 bits) encrypted/ decrypted message (114 bits) Stream Cipher Weakness Encrypted (M1 ) Encrypted (M 2 ) M1 M 2 Security Holes in GSM [Niemi & Nyberg ‘03] • Active attack – Attacker masquerades as a legitimate base station/cell phone • Encryption keys – Plain text session key inter-network forwarding – Brute force attack • Some encryption algorithms are kept secret – Were not subjected to a comprehensive analysis/peer review Security Associations in UMTS User Equipment (UE) is part of is part of Universal SI Module (USIM) Master Secret Key (K) 128 bits AuC Integrity Key (IK) 128 bits IMSI TMSI VLR Cypher Key (CK) 128 bits Mutual Authentication and Key Agreement in UMTS AuC VLR UE authentication data request (IMSI) USIM IMSI authentication data response (RAND, AUTN, XRES, CK, IK) RAND, AUTN RAND, AUTN RES AUTN Authentication Token RES User Response XRES Expected Response RES=XRES? TMSI CK ACK AUTN is new and from AuC? RES Yes! Encryption/Decryption in UMTS Count-C (32 bits) Bearer id (5 bits) Direction (1 bit) CK (128 bits) KASUMI key stream block ("Length" bits) XOR Length encrypted/ decrypted message ("Length" bits) plain text message or encrypted message ("Length" bits) COUNT-C: Frame number plus Hyper frame number, incremented when the frame number wraps around Direction: up/down-link Integrity in UMTS FRESH (32 bits) Count-I (32 bits) Message Direction (1 bit) IK (128 bits) One-way function (KASUMI) Message Authentication Code (32 bits) COUNT-I: similar to COUNT-C, replay protection FRESH: start value of COUNT-I Challenge: Co-existence of analog technology and digital technology • • • • The digital technology has higher potential for being secure than analog technology. For example, the Cellular Digital Packet Data (CDPD) uses data encryption and provides privacy. Most of the cellular phones use hybrid technology, both analog and digital. The reason for that is that digital communications require a relatively stronger signal, for intelligibility, than analog communications, all other things being equal (such as bandwidth of a voice channel). A cell phone will hence operate in digital mode over relatively short distances. In order to enable long range communications, cell phones fall back to the analog mode when the signal gets too weak for digital communications. As a result, digital systems inherit all the security vulnerabilities of analog systems. Co-existence of legacy analog technology and digital technology is a challenge for system security design. Challenge: Introduction of new defense method in existing systems • Attack methods evolve • Defense methods evolve • New defense methods are difficult to introduce in existing systems Reconfigurable security Reference • Al-Muhtadi at al., A lightweight reconfigurable security mechanism for 3G/4G mobile devices, IEEE Wireless Communications, April 2002. Definition • Security mechanisms are reconfigured dynamically according to capabilities, processing power, and needs • Loading/configuration/unloading of software components that implement security services Chaotic Communication (1) Chaotic Communication (2) Background • Abel and Schwarz, Chaos Communications—Principles, Schemes, and System Analysis, Proceedings of the IEEE, 2002. • Itoh, Spread Spectrum Communication via Chaos, World Scientific Publishing Company, International Journal of Bifurcation and Chaos, 1999. Theoretical Attacks • Guojie, Zhengjin, and Ruiling, Chosen Ciphertext Attack on Chaos Communication Based on Chaotic Synchronization, IEEE Transactions on Circuits and Systems, 2003. • Ogorzatek and Dedieu, Some Tools for Attacking Secure Communication Systems Employing Chaotic Carriers, IEEE, 1998. Theoretically Broken Chaotic Communication (cont’d) • Chaotic masking – Low amplitude modulating signal, high amplitude chaotic carrier • Chaotic switching – Two waveforms representing binary values zero and one – Has a differential version • Chaotic modulation – Chaotic carrier influenced by a non invertible function, according to the information Quantum Cryptography • Wiesner, “Quantum Money”, 1960 (unpublished) – Polarity of photons (angle of vibration) can be verified, but not measured • Bennett, Brassard, and Ekert, Quantum Cryptography, Scientific American, October 1992. • Hughes et al., Quantum cryptography for secure satellite communications, Aerospace Conference Proceedings, 2000. – 0.5 km free-space link • Kurtsiefer et al., Long Distance Free Space Quantum Cryptography, SPIE, 2002. – 23.4 km free-space link (try to achieve 1000 km) • First Quantum Cryptography Network Unveiled, NewScientist.com news service, June 2004. – Quantum Net: six servers, 10 km links, software-controlled optical switches Legitimate Devices PROBLEM AUTHENTICATION OF USERS IS INSUFFICIENT DUE TO MALLEABILITY OF USER IDENTITY Need for Device Authentication • Outline – Problem: User Authentication is incapable of detecting identity theft • Malleability of user identity – Result • Unauthorized access to network resources – Within cellular domain (cloning fraud) and wireless network domain (Media Access Control – MAC address spoofing) Wireless Network (e.g. 802.11) • MAC address spoofing (over the air) Wired Network List of Authorized MAC Addresses (Access Control) 1 MAC Address* 3 MAC Address 2 Legitimate User * MAC address is sent in the clear even with WEP [Arbaugh et al., 2002] Intruder Sniff MAC Address and use it Cellular Network - Identification of 1G Cell Phone • Every cellular phone is assigned, – by the service provider, a phone number (Mobile station Identification Number (MIN)): • 10 digits: area code (3), switching station (3), and individual number (4) – by the manufacturer, an Electronic Serial Number (ESN) 32 bits Manufacture's Code (8 bits) Reserved (6 bits) Serial Number (18 bits) Identification of 2G or 3G Cell Phones [Koien, 2004] International Mobile Station Identity (IMSI) National Mobile Station Identity Mobile Country Code (3 digits) Mobile Network Code (2 digits) Mobile Station Identification Number (telephone number) (10 digits) According to: ITU-T Recommendation E.212 International Mobile Station Equipment Identity (IMEI) - Check against the Equipment Identity Register Cellular Network • Cloning fraud Generation/Information Over the Air Direct Extraction 1G (Analog) – ESN and MIN Using readily available tools 1 Transfer MIN from ROM and ESN - back of phone 2G (GSM) – IMSI, Ki Using differential cryptanalysis and rogue base station 2 Extract secret key Ki from SIM 2,3 3G (GSM) - IMSI, Ki Possible but no specific attack has been documented. Possible but no specific attack has been documented. • 1 [J. Hynninen, 2000] • 2 [I. Goldberg and M. Briceno, 2002] – With a smartcard reader, derive the secret key by challenging the SIM-card (approx. 150,000 queries; eight to 11 hours) • 3 [R.Lemos, 2002] – Ask seven questions and analyze electromagnetic field changes and power fluctuations for each response User Authentication in GSM Serving Network Home Location Register (HLR)/AuC Mobile Switching Centre (MSC)/ VLR Mobile Phone SIM IMSI IMSI Authentication triplet is sent (RAND, SRES, Kc) RAND Using Ki and RAND, function A3 yields SRES function A8 yields Kc SRES' SRES'=SRES? RAND Random Number SRES Signed Response SIM Subscriber Identity Module (IMSI, AuthKey Ki, CipherKey Kc, Algorithms, PIN) TMSI Kc References • Wireless Network – Arbaugh et al. Your 802.11 Wireless Network has no clothes, IEEE Wireless Communications. Dec. 2002. – Mishra and Arbough. An Initial Security Analysis of the IEEE 802.1X Standard. 2002. • Cellular Network – G. Koien et al. An Introduction to Access Security in UMTS, IEEE Wireless Communications. Feb. 2004. – I. Goldberg and M. Briceno. GSM Cloning. 2002 [Web]. – J. Hynninen. Experiences in Mobile Phone fraud. Helsinki University of Technology [Web]. – R.Lemos. IBM: Cell phones easy targets for hackers. CNET News. 2002. • Others – J. Schiller. Mobile Communications. Addison-Wesley. 2000. Radio Frequency Fingerprinting Mechanism for addressing the malleability of user identity Radio Frequency Fingerprinting (RFF) • Background – Technique used by research teams including [H. Choe et al., 1995, Ureten 1999] for the purpose of identifying RF transceivers – Premise: a transceiver can be uniquely identified based on the characteristics of the transient section of the signal it generates – Primary benefit: Non-malleability of device identity • based on hardware characteristics of the transceiver • Key Objective: – Create a profile of the user’s device (transceiver) using RFF – Make use of both user and device profiles for authentication purposes • Wireless Network – device profile and MAC address • Cellular Network – device profile and IMSI RFF • Key Phases – Create profile for each transceiver • • • • Phase 1: Phase 2: Phase 3: Phase 4: Collection of Signals Extraction of Transient Extraction of Features (transceiverprint - TP) Definition of Transceiver Profile – Classify/Compare an observed TP with transceiver profiles • Phase 1-3: Repeated for each observed TP • Phase 5: Identification of transceiver – Improve Classification Success Rate (CSR) – Proposed Extension to RFF process • Phase 6: Enhancement of CSR (work in progress) RFF: Phase 1 - Collect Signals GSM Protocol Stack 802.11 Protocol Stack CM TCP MM IP RR LLC LAPDm – TDMA Frame Layer 1 Radio - Burst [Schiller, 2000] MAC - Frame PHY – FHSS/DSSS Frame Analog Signal transmitted by physical layer = 1 frame CM – Call Management MM – Mobility Management RR – Radio Resource Management LAPD – Link Access Procedure for D-Channel in ISDN system Authentication Response = more than 1 frame/signal LLC – Logical Link Control FHSS – Frequency Hopping Spread Spectrum DSSS – Direct Sequence Spread Spectrum RFF: Phase 2 – Extraction of Transient • Extract transient section of digital signal – Step 1: Preprocessing • Segmenting the signal and applying first-order statistics (data reduction exercise) • Results in a smaller vector – data/fractal trajectory – Step 2: Detection of the start of the transient using data trajectory • Using the variance in the amplitude characteristics of the signal – Threshold Detection – Bayesian Step Change Detection • Using the variance in the phase characteristics of the signal – Threshold Detection using Phase Characteristics RFF: Phase 2 – Extraction of Transient • Threshold Detection [Shaw and Kinsner, 1997] RFF: Phase 2 – Extraction of Transient • Bayesian Step Change Detection [Ureten, 1999] RFF: Phase 2 – Extraction of Transient • Threshold Detection using Phase Characteristics [Hall, Barbeau, Kranakis (IASTED, 2003)] RFF: Phase 3 – Extraction of Components • Extract components/characteristics from the transient – Instantaneous amplitude [Proakis and Manolakis, 1996] a(t ) i 2 (t ) q 2 (t ) – Instantaneous phase q(t ) i (t ) (t ) tan 1 – Instantaneous frequency components [Polikar, 1999] • using Discrete Wavelet Transform (Daubechies filter) • Wavelet function • Scaling function y high[k ] x[n] g[2k n] ylow[k ] x[n] h[2k n] RFF: Phase 3 – Extraction of Components RFF: Phase 3 – Extraction of Features • Extract features from components (vector of 1000 samples) – Average, Standard Deviation, Energy, Variance • Representation of features (dependent on classification tool) Classification Tool Component Feature Pattern Recognition – Neural Network Instantaneous amplitude (1000 data samples) Variance in amplitude (100 data points) window=10 Statistical Classifier Instantaneous amplitude (1000 data samples) Variance in amplitude (1 variable) • Challenge/Goal: – Select features (transceiverprint) that accentuate the distinguishing characteristics of transceivers, especially those from the same manufacturer RFF: Phase 4 – Definition of Profile • Create profile for each transceiver – Obtain TPs from each signal in the collected data set (Phases 2-3) – Select a subset of TPs and store them in a profile (remaining TPs used for testing/classification) • Using Self-Organizing Maps [Fausett, 1994] – Take TPs from the data set as input – Create group(s) / cluster(s) of transceiverprints based on their distance (Euclidean distance) from a given centroid – Select a representative sample of TPs from the various clusters to create a profile • Other approaches include – Random selection of TPs from the data set – Use of probabilistic neural network [Hunter, 2000] RFF: Phase 5 – Identification of transceiver • Classification Techniques – Pattern matching – e.g. Neural Networks (Artificial NN, Probabilistic NN, etc.) [Fausett, 1994] • Based on Bayes Probabilistic Model – Genetic Algorithms [Toonstra and Kinsner, 1995] • Achieve an optimized solution through multiple iterations – Statistical classifiers [Brickle, 2003] • Determine probability of a match between an observed transceiverprint (TP) and each of the transceiver profiles 1 p( ) exp ( )T V 1 ( ) 2 Modified Kalman Filter TP to be classified centroid – center of cluster V covariance matrix of TPs in profile RFF: Phase 6 – Enhancement of CSR • Weakness in current classification techniques – attempt to identify transceiver using a single observation (TP) – unable to accommodate moderate level of variation (interference and noise) in the TPs being classified • Address weakness using the Bayes Filter [Fox et al., 2003] – Identify transceiver with highest probability after several rounds (using consecutive TPs) of classification xt = Transceiver at time t Bel(xt) = Probability of Transceiver x at time t p(xt | ot) = Probability of TP belonging to transceiver x at time t Bel(xt-1) = Probability of transceiver x at t-1 Bel(xt) = p(xt|ot)Bel(xt-1) RFF: Phase 6 – Enhancement of CSR Conclusions • Use of RFF can prove beneficial in addressing malleability of identity (MAC address spoofing, cloning fraud) • Level of confidence can be increased by using the Bayes Filter before rendering a final decision (legitimate user/intruder) • The issue of scalability can be addressed – Application of Bayes filter to the target transceiver profile only for transceiver recognition/confirmation – Based on the final probability, Bayes filter can then be applied to identify other potential transceivers • Future Research Initiatives – Enhancing the composition of TPs – improve classification rate – Using RFF with Bluetooth and cellular phones – Assessing the technical feasibility of incorporating RFF into current security systems References • Radio Frequency Fingerprinting – Amplitude • O. Ureten and N. Serinken. Detection of radio transmitter turn-on transients. Electronic Letters, 35:1996–1997, 1999. • D. Shaw and W. Kinsner, Multifractal Modeling of Radio Transmitter Transients for Classification, Proc. Conference on Communications, Power and Computing, 1997, 306-312. – Phase • J. Hall, M. Barbeau, E. Kranakis. Detection of transient in radio frequency fingerprinting using phase characteristics of signals. In L.Hesslink (Ed.), Proceedings of the 3rd International IASTED Conference on Wireless and Optical Communication, Banff, Canada, 13-18, 2003. – Wavelet Coefficients • H. Choe et al. Novel identification of intercepted signals from unknown radio transmitters. SPIE, 2491:504–516, 1995. • R.D. Hippenstiel and Y.P. Wavelet based transmitter identification. In International Symposium on Signal Processing and its Applications, Gold Coast Australia, August 1996. References • Bayes Filter – D. Fox et al. Bayesian Filtering for location estimation. Pervasive Computing. 2433, 2003. • Statistical Classifier – Frank Brickle. Automatic signal classification for software defined radios. QEX, pages 34–41, November 2003. • Others – A. Hunter. Feature Selection using Probabilistic Neural Networks. Neural Computing and Applications. 124-132, 2000. – J. Schiller. Mobile Communications. Addison-Wesley, 2000. – J. Proakis and D. Manolakis. Digital Signal Processing. Prentice-Hall, 1996. – J. Toonstra and W. Kinsner. Transient Analysis and Genetic Algorithms for Classification. IEEE WESCANEX 95. 432-437, 1995 – L. Fausett. Fundamentals of Neural Networks. Prentice-Hall, 1994. – R. Polikar. The Wavelet Tutorial. [web] Thank You Michel Barbeau (barbeau@scs.carleton.ca) Jeyanthi Hall (jeyanthihall@rogers.com) Questions ?