Summer Research Institute - EPFL
Jamming-resistant Key
Establishment using Uncoordinated
Frequency Hopping
Mario Čagalj
mario.cagalj@fesb.hr
University of Split, Croatia
25/6/2009
Summer Research Institute - EPFL
Uncoordinated Frequency Hopping:
Channel Availability Out of Thin Air
Mario Čagalj
mario.cagalj@fesb.hr
University of Split, Croatia
25/6/2009
Motivation: radio channel availability
• Radio-jamming is ever-present threat to radio channels
• This is an attack on the availability of signals
– Denial-of-Service (DoS) attack
RCVR
XMTR
JMR
• Traditional anti-jamming techniques rely on pre-shared
secret codes (keys) to increase channel availability
3
Motivation: anti-jamming communication
• Spread-Spectrum Techniques
– FHSS (Frequency Hopping
Spread Spectrum)
energy
PRNG
frequency
PRNG
Hopping sequence (PRNG seed) must be known
to the sender and receiver but not the jammer.
– DSSS (Direct-Sequence
Spread Spectrum)
energy
PRNG
frequency
PRNG
Spreading code (PRNG seed) must be known
to the sender and receiver but not the jammer.
4
Motivation: a new view of an old problem
• Anti-jamming/secret-establishment dependency graph
Secret spreading code (key) establishment
in the presence of a jammer
Dependency cycle
Anti-jamming communication
(FHSS or DSSS)
Shared secret code (key)
(e.g., spreading code)
• How to establish the required secret code over the same
channel when no secret is available in advance?
– Authenticated public key-based protocols (e.g., Diffie-Hellman key
establishment) also affected
5
Motivation: breaking circular dependency
• Breaking anti-jamming circular dependency graph
– Uncoordinated Frequency Hopping (UFH)
Secret spreading code (key) establishment
in the presence of a jammer
Dependency cycle
Anti-jamming communication
based on UFH
Shared secret code (key)
(e.g., spreading code)
6
General information
• This talk is based on the joint work with Strasser, Pöpper
and Čapkun of ETHZ
– “Jamming-resistant Key Establishment using Uncoordinated Frequency
Hopping”, IEEE Symposium on Security and Privacy, Oakland ‘08
• This idea of uncoordinated hopping rooted in
– “Wormhole-Based Antijamming Techniques in Sensor Networks”, Cagalj,
Capkun and Hubaux, IEEE TMC ‘07
• Some extensions
– “Efficient Uncoordinated FHSS Anti-jamming Communication”, Strasser et
al, MobiHoc ‘09
– “A Coding-Theoretic Approach for Efficient Message Verification Over
Insecure Channels”, Slater et al, WiSec ‘09
– “Jamming-resistant Broadcast Communication Without Shared Keys”,
Popper et al, USENIX Security ‘09 (uncoordinated DSSS)
• We will mainly focus on the original Oakland paper
7
Agenda
• First part
– Overview of UFH
– UFH Message Transfer Protocol
– Application to jamming resistant key establishment
• Second part
– Detailed performance analysis
– Conclusion
8
Uncoordinated Frequency Hopping (UFH)
• Key idea: abolish the need of a pre-shared secret by
using UFH
– The sender hops randomly in a set of c channels (= frequencies)
– The receiver hops randomly with a longer dwell time per slot
– Once in a while the receiver listens on a channel where the sender
is broadcasting and a packet gets through
– Equivalent to FH in jamming protection (but not in throughput)
c  300, fS  1500Hz, fS  fR

S
S:
R
12 2
on average fS /c  5 hits /s
3 23 5 65 8 32 14 7 19 52 11 41 58 8 62
t
R:
1
5
36
11
28
t
9
UFH: solution overview
• We want to establish a shared key (secret) using UFH
– E.g., use the authenticated elliptic curve (ECC) Diffie-Hellman
protocol
e.g. auth. DH
R
S
Application Protocol
M := mS , sig(mS) …
Uncoordinated Frequency
Hopping (UFH)
S:
R:
12 2
1
3 23 5 65 8 32 14 7
5
53
• For effective protection against jamming (for FH or UFH),
the time slots of the sender must be short (~100 bits)
– Problem: Typical messages do not fit into such slots!
10
UFH: message fragmentation (sender)
• Message fragmentation in the absence of an attacker
e.g. auth. DH
Application Protocol
R
S
M := mS , sig(mS) …
M := mS , sig(mS) …
Fragmentation
M1 M2 M3
Uncoordinated Frequency
Hopping (UFH)
S:
R:
12 2
1
Ml
3 23 5 65 8 32 14 7
5
53
11
Attacker model
• Attacker’s strategy space defined by the following actions:
– Jam existing messages by transmitting
signals that cause the original signal to
become unreadable by the receiver.
f1 :
– Insert own messages that she generated
by using known (cryptographic) functions
and keys as well as by reusing (parts of)
previously overheard messages.
f1 :
– Modify existing messages by e.g.,
flipping single message bits or by entirely
overshadowing (i.e., replacing) original
messages.
f1 :
f2 :
f3 :
f2 :
f3 :
f2 :
f3 :
12
Attacker model (contd.)
• Attacker types: static, random, sweep, responsive…
• Required signal strengths for different attacking strategies
– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker
inserts (ct), jams (cj), and overshadows (co), we have:
ctPt  c jPj  coPo  PT
S
R
J
Signal strength at R
S’s signal
J’s signal
Po
Pa
Pj
Pt
• Attacker’s strength: cs/ts, cj/tj, PT
t1
t2
(s stands for “sensing”)
t3
13
UFH: message fragmentation (sender)
• Assume following fragmentation with an active attacker
e.g. auth. DH
Application Protocol
R
S
M := mS , sig(mS) …
M := mS , sig(mS) …
Fragmentation
M1 M2 M3
Uncoordinated Frequency
Hopping (UFH)
S:
R:
12 2
1
Ml
3 23 5 65 8 32 14 7
5
53
14
Naive fragmentation is harmful
Sender:
Packet number
1
2
3
…
l
1
2
3
…
l
1
t
Attacker:
10
20
30
…
l0
11
21
31
…
l1
12
t
Different packets
Receiver:
2
30
…
l0
11
2
31
…
l1
1
t
Receiver sorts unique packets (fragments):
12
24
3
42
1
27
30
46
15
2
34
4
…
…
…
…
…
15
Naive fragmentation leads to a simple DoS
• Assume N adversarial packets successfully arrive at the receiver
• Message M is divided into l fragments
• Application-level signature verification at each candidate
message leads to the exponential workload at the receiver
l
N


on average ~   1
l

l
N 
  1
l

12
24
3
42
1
27
30
46
15
2
34
4
…
…
…
…
…
16
Solution to the message fragmentation
• Cryptographically link individual packets
– By the system model we cannot rely on a shared key > integrity
– Possible approach: hash linking
M := mS , sig(mS) …
M1 M2 M3
Ml
mi :=id || i || Mi || hi+1
hl := h(M1 ), hi := h(mi+1 )
M1
m1
M2
…
Ml
m2
ml
• End result: (N/l +1)*l hash verif. + (N/l+1) signature verif.
3
42
1
27
30
46
15
2
34
4
…
…
…
24
…
N/l+1
12
…
17
UFH message transfer protocol: sender
• Message Signing &
Fragmentation
M := mS , sig(mS) …
• Hash linking
M1 M2 M3
mi :=id || i || Mi || hi+1
M1
hl := h(M1 ), hi := h(mi+1 )
m1
• Packet coding/interleaving
f1 :
• Repeated transmission
using UFH
f2 :
f3 :
Ml
M2
Ml
…
m2
m1
ml
m3
m2
m1
m4
m2
18
UFH message transfer protocol: receiver
• Receiving packets
f1 :
m1
m2
f2 :
• Bit deinterleaving/
packet decoding
• Ordering and linking
packets
• Message reassambly &
signature verification
m3
m1
m4
f3 :
M1
M
M
11
M1
M
M
21
M1
M2
M1 M2 M3
…
…
m2
M1
M
M
l1
Ml
Ml
M := mS , sig(mS) …
19
UFH security: overview
• UFH is resistant to packet jamming
– Frequency hopping and packet repetitions in the sending process
• Modified packets are identified
– Using cryptographic (e.g., hash) linking
– Only linear workload on the receiver’s side
• Reassembled messages that fail the signature verification
or have an expired timestamp are discarded
S
f1:
f2:
J
f3:
m2 m3
m2
m4
m1 m2 m4 m1 m3 m1 m1
m3
m1
R
m
m2 4
m
m2 3
m1
m3 m2
m1
m1
m
m1 3
m
m1 2
m2
m2
m3
m3
m4
20
Application of UFH to key establishment
Key establishment
in the presence of a jammer
Key establishment
in the presence of a jammer
Dependency chain
Dependency cycle
Anti-jamming
comm. (e.g., FHSS)
Anti-jamming
comm. using UFH
Shared secret (key)
(e.g., spreading code)
Key Establishment
Protocol
Anti-jamming comm.
based on UFH
establishes
required for
Shared
secret key
(spreading
code)
Shared secret key
(e.g., spreading code)
Application
Protocol
Anti-jamming comm.
(e.g., FHSS or DSSS)
21
Example: ECC-based Diffie-Hellman
• Elliptic Curve Crypto. Station-to-Station DH protocol
– P is the generator of a cyclic group G with prime order p
– rX is a random element selected by X from Zp
– TX and SigX(.) are a timestamp (for anti-replay protection) and the
signature (to verify the sender and the reassembly) issued by X
S, PK , Sig
(S,PK ), T , r P, Sig (S, PK ,, r P)
R
rR U Z p
S
S
S
S

CA
SS


S

R, PK , Sig
(R,PK ), T , r P, Sig (R, PK ,, r P)
R
R
R
R
R

CA

S


R
K  rS (rRP)
 SigS rS P rRP 
K



K
K  rR (rS P)
UHF (without a
shared key)
S
rS U Z p
(Coordinated)
Frequency Hopping
(with shared key K)
22
2nd part: UFH performance analysis
• Basic scenario: communication without an attacker
• Different types and strategies by an attacker
• Performances relative to coordinated frequency hopping
23
Communication without an attacker (A0)
• Some assumptions
– Hopping frequency of the receiver << the sender (we can neglect
losses due to the lack of synchronization)
– Unintentional interference is neglected (e.g., the number of
neighbors << the number of channels (c))
– cn and cm are the number of channels on which the sender (the
receiver) simultaneously sends (receives)
• Probability that a particular fragment is successfully
received (one transmission)
cm

c
c




A
pm0  1   1  min n ,1   1  1  n 
c 
 c  i 

i0 
cm 1
cn channels
cm channels
c channels
24
Communication without an attacker (A0)
• Message is complete after all l fragments successfully
received
– Let Y be the number of times that the sender has to retransmit in
order to transfer the message
– Probability that a transfer incomplete after i (re)transmissions
l
i
 
A
P[Y  i]  1 - 1 - 1 - pm0  
 
 

Receiver:
i-2
l
i
i-1
1
2
3
…
l
1
2
3
i+1
…
l
1
2
t
25
Communication without an attacker (A0)
• The expected number of packets (fragments) that
have to transmitted in order to successfully transfer
the message
A
N pm0  



P[Y  i] il

i 0

l
i
 
A
P[Y  i]  1 - 1 - 1 - pm0  
 
 

P[Y  i]-P[Y  i] il
i 0


P[Y  i  1]-P[Y  i] il
i 0


P[Y  i] l
i 0
26
Performances without an attacker (A0)
l
i
 
A
P[Y  i]  1 - P[Y  i]  1 - 1 - pm0  
 




Probability that a message is successfully received
1
0.8
0.6
0.4
c=100
l=10
0.2
cn=cm=1
cn=2, cm=5
0
0
500
1000
number of message transmissions (i)
1500
27
Jamming performance of the attacker
• Required signal strengths for different attacking strategies
– Signal successfully received if: Pt < Pa and P(J’s signal) < Pj
– PT: total signal strength that attacker can achieve at the receiver
– Given the number of frequency channels on which the attacker
inserts (ct), jams (cj), and overshadows (co), we have:
ctPt  c jPj  coPo  PT
S
R
J
Signal strength at R
S’s signal
J’s signal
Po
Pa
Pj
Pt
t1
t2
t3
28
Jamming performance of the attacker (contd.)
• Each packet (fragment) m is “error” encoded
– ρ in (0,1] is jamming resistance of a given packet
– rc in (0,1] is a code rate
– Data of length |m| is encoded into |m|/rc and more than ρ|m|/rc
bits have to be erroneous for successful jamming
– For bitrate R, the packet transmission time tp = |m|R/rc
tp
encoded packet m
attacker senses
attacker jams
tp=ρtp
29
Jamming performance of the attacker (contd.)
• Attacker’s strength: #channels cb effectively blocked
– Probability that an ongoing packet is successfully jammed pj=cb/c
– #channels (nj) that the attacker can jam during the transmission
nj=tp/(ρtp + tj), where tj is the time to switch jamming channels
– #channels (ns) that the attacker can scan during the transmission
ns=(tp-ρtp-tj)/ts, where ts is the time to switch scanning channels
– #channels (cs) on which the attacker can sense simultaneously
For responsive-sweep jammers:
c
cb  njc j  nscs, pj  b
c
tp
encoded packet m
attacker senses
attacker jams
ts
tj
tp=ρtp
30
Jamming probab. for different attacker types
31
Attacking strategies
• Attacker’s strategy space defined by the following actions:
– Jam existing messages by transmitting
signals that cause the original signal to
become unreadable by the receiver.
f1 :
– Insert own messages that she generated
by using known (cryptographic) functions
and keys as well as by reusing (parts of)
previously overheard messages.
f1 :
– Modify existing messages by e.g.,
flipping single message bits or by entirely
overshadowing (i.e., replacing) original
messages.
f1 :
f2 :
f3 :
f2 :
f3 :
f2 :
f3 :
32
Communication in the presence of attacker
• Probability that a particular fragment is successfully
received (one transmission)
– No attacker case (A0)
cm 1
c

A0
pm  1   1  min n ,1 
 c  i 
i0 
– Jamming (AJ)
cm 1
c

AJ
pm  1   1  min n ,1 1  p j
c i 
i0 
– Message insertion (AI)





cm 1
 cj 
c


AI
n
pm  1   1  min
,11   

c  
 c  i 
i0 
– Message modification (overshadowing) (AM)
cm 1

 cn 
AM



pm  1   1  min
,1 1  po 
c i 
i0 

33
Optimal attacking strategy
• Theorem: For all attacker types (static, random, sweep,
responsive), the optimal attacker’s strategy, which minimizes
the throughput of the UFH message transfer, is jamming (AJ).
34
UFH performances with an attacker (AJ)
35
UFH performances with an attacker (AJ)
36
UFH performances with an attacker (AJ)
37
UFH resource requirements
• Storage at the receiver
– If there is no more space for new packets, delete the oldest ones
– NJ is the expected maximal time period between the first and the
last packet (fragment) of a given message
– During this period, the attacker can insert additional less than
 c 1
 c

NJ   im0 min t ,1   NJ  cm packets
 c  i 

• Example:
– Fragment length |mi|=40 bytes, l=10 fragments, c=200 channels,
cm=cn=1, ct=50 (channels for insertion) and pj=0.8
– Results in NJ ≈30 000 packets transmitted by the sender
– Finally, this results in about 7 500 packets at the receiver, that is, a
required storage capacity of about 290 kbytes
– This also results in about 160 signature verifications at the receiver
38
Comparison of UFH and coordinated hopping
• Relative throughput for UFH-enabled ECC-based Stationto-Station Diffie-Hellman protocol and a Bluetooth-like FH
scheme
– |Sig(.)|=|PK|=512 bits, |h(.)|=112, timestamps and identities 64
bits
– In total: |M|=2176 bits = 272 bytes
– Packet mi consists of message id (34 bits), frame id (6 bits), the
payload Mi (168 bits), and the hash value hi+1 (112 bits)
|mi|:=|id || i || Mi || hi+1|=320 bits
– Reed-Solomon error-correcting code (8 bits into 15 bits) with a
jamming ratio of 20% (ρ=0.2)
– Encoded packet 320*15/8=600 bits
– Data rate 1 Mbit/s, 1600 hop/s: |slot|=1Mbit/s*(1/1600)=625 bits
– The number of channels c=200
– l=2176/168≈13 for UFH and l*=2176/(168+112)≈8 for FH
– 100 000 simulated key establishements
39
Duration of key establishment using UFH
1 MBit/s, 1600 hops/s, c = 200
256-bit prime field for EC
|M| = 2176 bits, l = 13
40
Comparison of UFH and coordinated hopping
41
Concluding words
• We introduced the key-establishment anti-jamming
circular dependency
• Proposed first (and efficient) anti-jamming
communication scheme that does not rely on shared
secrets (Uncoordinated Frequency Hopping)
– UFH has the same jamming resistance as standard FH
• Presented an elaborate attacker model and derived
optimal attacking strategies (responsive-sweep jamming)
• Security implications
– Authentication implies availability (privacy not required)
Thank you for your attention!
42
Some interesting directions
• Optimal number of channels c for cm=cn=1
pm 
1
c 
1  b ,
c
c 
pm
 0  c  2cb
c
• Other fragment-linking methods
–
–
–
–
Short signatures
One-way accumulators
Merkle trees
Application of packet-level erasure codes (optimal)
• Applications to DSSS
• Applications to anti-jamming broadcast communication
(e.g., a navigation signals)
43