Know Your Neighbor Keep Your Distance and other cautionary...


Page 1: Know Your Neighbor Keep Your Distance and other cautionary ...buttyan/atnc/20100602-Papadimitratos.pdf · Syverson, “Distance bounding protocols: Authentication logic analysis and


Know Your Neighbor, Keep Your Distance and other cautionary tales for wireless systems

Panos Papadimitratos

Joint work with

M. Poturalski, M. Fleury, J.-P. Hubaux, and J.-Y. Le Boudec


Wireless Systems

• Wireless local area networks (WLANs)

[Figure labels: Link to the Internet; Wireless Access Point]

Wireless Systems (cont’d)

• WLANs, Personal Area (PANs), Ad hoc Networks

Illustration: Ericsson, ca. 2000

Wireless Systems (cont’d)

• Radio Frequency Identification (RFID)

• Wi-Fi and Bluetooth enabled devices

[Figure labels: Reading signal; Tagged object; ID; Back-end database; Detailed object information. © L.B.]

Wireless Systems (cont’d)

• Sensor networks

Node photos: XBow

Wireless Systems (cont’d)

• Tactical ad hoc networks

– Military

– Search-and-rescue

Wireless Systems (cont’d)

• Vehicular ad hoc networks (VANETs)

Illustration: C2C-CC

Wireless Systems (cont’d)

• A set of basic elements

– Radio link establishment
– Direct wireless communication
– Multi-hop communication
– Distance to other reachable devices
– Device localization and own positioning
– Application performance measurable in the physical world

Wireless Systems Security

• A set of basic elements

– Anti-jamming techniques
– Secure Neighbor Discovery
– Secure data communication
– Secure ranging / Distance bounding
– Secure localization and positioning
– Vehicular Communications – transportation safety

Know Your Neighbor

KYN, KYD, and other cautionary tales for wireless systems

Secure Neighbor Discovery

Neighbor Discovery (ND)

• Neighbor Discovery (ND)

– A node discovers other nodes it can directly communicate with

[Figure labels: nodes A, B, C, D]

Neighbor Discovery (ND) (cont’d)

• B is neighbor of A if and only if it can receive directly from A

• Link (A,B) is up ⇒ A is neighbor of B

• RA ≠ RB, i.e., (A,B) may be up while (B,A) is down

[Figure labels: A, B, RA, RB]

Neighbor Discovery (ND) (cont’d)

• Simple, widely used solution, but not secure

• Easy to attack

– Mislead B that A is its neighbor, when this is not the case

[Figure: A sends “Hello, I’m A” to B. B: “A is my neighbor”; “A is added in my Neighbor List”]

Attacking ND

• Single adversary appears as multiple neighbors

[Figure: M sends “Hello, I’m A”, “Hello, I’m C”, …, “Hello, I’m Z”. B: Neighbor List = {A, C, …, Z}]

Securing ND

• An attempt

– Message authenticity and replay protection

– Bob essentially ‘challenges’ Alice to provide a ‘hello’ message

(1) B → A: nB, B

(2) A → B: A, nA, nB, B, SigA(A, nA, nB, B), CertCA(KA, A)

• nA, nB are nonces

Attacking ND (cont’d)

• “Relay” or “Wormhole” Attack

– Simply relay any message, without any modification

[Figure labels: A, M, B. B: Neighbor List = {A}]

Attacking ND (cont’d)

• Long-range relay / wormhole

– The attacker relays messages across large distances

[Figure: “Hello, I’m A” travels from A to M1, over an out-of-band or private channel to M2, and on to B. B: Neighbor List = {A}]

Attacking ND: Implications

• Routing in multihop ad hoc networks


Attacking ND: Implications (cont’d)

• RFID-based access control

Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contact-less smartcard,” SECURECOMM ’05

• Attacker close to the access-granting RFID tag

– Relays signals from and to her accomplice, who obtains access


Securing Two-Party ND

• Basic ideas

– Authentication

– Node-to-node distance estimation

– x > R ⇒ A: AP not neighbor

– y < R ⇒ B: AP neighbor

[Figure labels: AP, A, B, x, y, R]

Securing Two-Party ND (cont’d)

• Use message time-of-flight to measure distance

– Distance Bounding [1]

– Temporal Packet Leashes [2]

– SECTOR [3]

• Use node location to measure distance

– Geographical Packet Leashes [2]

[1] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ‘93

[2] Y.-C. Hu, A. Perrig, and D. B. Johnson. “Packet leashes: A defense against wormhole attacks in wireless networks,” IEEE INFOCOM ‘03

[3] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” ACM SASN ‘03
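Added example, not from the slides: the challenge-response hello of the “Securing ND” slide, showing that it rejects a replayed or forged hello but accepts one relayed unmodified, and that the time-of-flight distance estimate (distance > R, not a neighbor) rejects a long-range relay. Assumptions: an HMAC under a constructed shared key stands in for SigA and CertCA, R = 100 m is a constructed value, processing time at A is ignored, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

V = 299_792_458.0     # signal propagation speed v in m/s
R = 100.0             # ND range in metres (constructed value)
KEY_A = b"constructed demo key for A"   # stand-in for A's signing key

def sig_a(*fields):
    """HMAC stand-in for Sig_A; fields are length-prefixed before hashing."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(KEY_A, data, hashlib.sha256).digest()

def alice_hello(n_b, b_id):
    """Message (2): A, nA, nB, B, Sig_A(A, nA, nB, B)."""
    n_a = os.urandom(16)
    return (b"A", n_a, n_b, b_id, sig_a(b"A", n_a, n_b, b_id))

def bob_accepts(msg, n_b, rtt_s=None):
    """Bob's check of message (2); passing rtt_s enables the distance estimate."""
    a_id, n_a, echoed, dest, sig = msg
    if not (hmac.compare_digest(echoed, n_b) and dest == b"B"):
        return False                      # stale nonce or wrong recipient
    if not hmac.compare_digest(sig, sig_a(a_id, n_a, echoed, dest)):
        return False                      # not produced by A
    if rtt_s is not None and rtt_s * V / 2 > R:
        return False                      # estimated distance exceeds R
    return True

def discover(path_m, relay_delay_s=0.0, timed=False, replayed=None):
    """One ND run: Bob sends (1) nB, B and checks the reply.

    path_m is the one-way distance the signal travels, whether the link is
    direct or goes through relays; relay_delay_s is added in each direction.
    """
    n_b = os.urandom(16)
    msg = replayed if replayed is not None else alice_hello(n_b, b"B")
    rtt = 2 * (path_m / V + relay_delay_s) if timed else None
    return bob_accepts(msg, n_b, rtt)
```

The timing check only rejects runs whose estimated distance exceeds R; a relayed run whose total path and delay still fit inside R passes it.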


Securing Two-Party ND (cont’d)

• Are these protocols [1,2,3] achieving secure ND?

• Can any protocol, including and similar to [1,2,3], which can measure time, solve the secure ND problem?

• Is there any provably secure ND protocol?

• Note: Measurements can be *very* accurate

None of the above protocols secures ND

No (secure) ND protocol that relies on time measurements does

Traces and Events

• Trace is a set of events

[Figure labels: A, B, C]

Feasible Traces

• System execution: feasible trace

• Traces feasible with respect to:

- Setting S

- Protocol P

- Adversary A

[Figure labels: Θ, Θ_S, Θ_{S,P}, Θ_{S,P,A}]

Setting S

{ A, B, C, D, E, F, G, H }

[Figure labels: nodes A, B, C, D, E, F, G, H]

Trace θ Feasible wrt Setting S

• Causal and timely message exchange

[Figure labels: A, B]

v – signal propagation speed

Local Trace

[Figure labels: A, B]

Protocol P

• Actions

• Local view

• Protocol

Trace θ Feasible wrt Protocol

• Correct nodes follow the protocol

Trace θ Feasible wrt Adversary

• Adversarial nodes can only relay messages with minimum delay

• Denote the adversary as:

A

Neighbor Discovery Specification

Protocol P solves Neighbor Discovery for adversary A if

1) Discovered neighbors are actual neighbors

2) It is possible to discover neighbors

Neighbor Discovery Specification (cont’d)

Protocol P solves Two-Party Neighbor Discovery for adversary A if

1) Discovered neighbors are actual neighbors

2) It is possible to discover neighbors in the ND range R

T-protocol Impossibility

Theorem: No T-protocol can solve Neighbor Discovery for adversary if .

Proof (sketch): Any T-protocol P that satisfies ND2 cannot satisfy ND1

Observation: Physical proximity does not necessarily imply correct nodes are able to communicate directly

Results

• T-protocol ND impossibility (general case)

• T-protocol solving ND (restricted case)

• TL-protocol solving ND (general case)

M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery in Wireless Networks: A Formal Investigation of Possibility,” ACM ASIACCS 2008

M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007


Protocol P CR/TL

• Challenge-Response/Time-and-Location

[Figure labels: challenge message; response message; authenticator message]

ND Properties – Revisited (cont’d)

• Correctness:

• Availability:

TP – protocol specific duration


Protocol P CR/TL (cont’d)

Theorem: Protocol P CR/TL satisfies the Neighbor Discovery Specification:

• Correctness (ND1)

• Availability (ND2 CR/TL)

Under the assumptions:

i. Any processing delay ∆relay > 0

ii. Equality of maximum information propagation speed and wireless channel propagation speed vadv = v

M. Poturalski, P. P., and J.-P. Hubaux, “Towards provable secure neighbor discovery in wireless networks,” ACM CCS FMSE 2008

Summary

• Secure Neighbor Discovery

– Prerequisite for:

• Networking protocols

• Various applications

• System security

– Hard problem

– Proven secure solutions

– Implementation not easy in practice


Additional Readings

• Overview

• Implementation

• Alternative: Detect relays (aka wormholes)

‒ E.g., statistically and centrally

R. Shokri, M. Poturalski, G. Ravot, P. P., and J.-P. Hubaux, “A Low-Cost Secure Neighbor Verification Protocol for Wireless Sensor Networks,” ACM WiSec, March 2009

P. P., M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J-P. Hubaux, "Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking," IEEE Communications Magazine, February 2008

Chapter 6 of ”Security and Cooperation in Wireless Networks,” by L. Buttyan and J.-P. Hubaux, Cambridge Press, 2007


Keep Your Distance

Secure Ranging / Distance Bounding

Ranging / Distance Bounding (DB)

• Ranging

– A: Obtains d(A,B), an estimate of dA,B, the actual A,B distance

• Distance bounding

– A: Obtains D(A,B), a bound s.t. dA,B ≤ D(A,B)


Attacking Ranging / DB

• A, B exchange a sequence of messages, including own measurements (e.g., times of arrival)

• The attacker, B, provides fake inputs, to manipulate (shorten or lengthen) the d(A,B) calculated by A

• Caution

– Authentication does not solve the problem

– Computation delays could dwarf measurements


Attack Implications

• Manipulation of calculated distance

– Illegitimate physical space access

– Defeating a theft detection system

[Figure label: Safe Storage]

Attacking Ranging / DB (cont’d)

[Figure: three attack settings]

– Mafia Fraud or Relay Attack: Verifier, Prover

– Distance Fraud Attack: Verifier, Dishonest Prover

– Terrorist Fraud Attack: Verifier, Colluding Dishonest Prover

Securing Ranging / DB (cont’d)

• Authenticated ranging can defeat relay (mafia fraud) attacks

• To defeat the distance fraud attacks:

– Distance-related measurements based on sufficiently fast and simple actions by the honest prover

– A dishonest prover cannot perform the same action faster than an honest prover

• A dishonest prover cannot appear closer to the verifier than it actually is


Distance Bounding

S. Brands and D. Chaum, “Distance-bounding protocols,” Advances in Cryptology, EUROCRYPT ’93

[Figure label: (RBE)]

Distance Bounding (cont’d)

• Distance bounding [Brands & Chaum]

– Phase 1: Prover sends out a commitment to a random n-bit value

– Phase 2: Rapid Bit Exchange (RBE); the Verifier sends 1-bit challenges to the Prover, which XORs each challenge with the corresponding bit of the committed value

• At each RBE, the verifier measures the round-trip (V-P-V) delay

– Phase 3: The Prover opens the commitment and the Verifier calculates the distance bound (the maximum of all RBE-measured delays)

• Success of attack: (1/2)^n

– An attacker can only guess the 1-bit responses
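Added example, not from the slides: a simulation of the three phases above that returns the verifier's distance bound, plus an exact count of how many of the 2^n possible response strings pass the verifier's check when the responder does not know the committed value. Assumptions: SHA-256 with a random salt serves as the commitment, round-trip times come from a simulated clock, and all names are hypothetical.

```python
import hashlib
import secrets
from itertools import product

V = 299_792_458.0  # signal propagation speed in m/s

def commit(bits, salt):
    """Hash commitment to the prover's n-bit value (SHA-256 is this example's choice)."""
    return hashlib.sha256(salt + bytes(bits)).digest()

def responses_valid(m, challenges, responses):
    """Phase 3 check: every response must equal challenge XOR committed bit."""
    return all(r == c ^ b for r, c, b in zip(responses, challenges, m))

def run_protocol(n, distance_m, processing_s=0.0, tamper_opening=False):
    """Simulate one run; return the distance bound in metres, or None on reject."""
    # Phase 1: the prover commits to a random n-bit value m.
    m = [secrets.randbits(1) for _ in range(n)]
    salt = secrets.token_bytes(16)
    commitment = commit(m, salt)

    # Phase 2: rapid bit exchange; the verifier times each round trip.
    challenges, responses, rtts = [], [], []
    for i in range(n):
        c = secrets.randbits(1)
        challenges.append(c)
        responses.append(c ^ m[i])
        rtts.append(2 * distance_m / V + processing_s)

    # Phase 3: the prover opens the commitment; the verifier checks the
    # opening and the response bits, then takes the largest round trip.
    opened = list(m)
    if tamper_opening:
        opened[0] ^= 1                    # opening that does not match
    if commit(opened, salt) != commitment:
        return None
    if not responses_valid(opened, challenges, responses):
        return None
    return max(rtts) * V / 2

def blind_guess_acceptance(n):
    """Fraction of all 2^n response strings accepted when chosen without m."""
    m = [secrets.randbits(1) for _ in range(n)]
    challenges = [secrets.randbits(1) for _ in range(n)]
    accepted = sum(responses_valid(m, challenges, guess)
                   for guess in product((0, 1), repeat=n))
    return accepted / 2 ** n
```

With `processing_s=1e-6` the bound for a prover 10 m away grows by about 150 m, which is the earlier caution that computation delays could dwarf the measurements.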

Summary

[BrandsChaum93] - Mafia-resistant, (1/2)^n
[CapkunBH03] - Mutual DB
[BussardBagga04] - Asymmetric crypto; Proof of Knowledge
[HanckeKuhn05] - Noise-tolerant, w/o noise (3/4)^n
[ReidGNTS06] - Symmetric crypto, (3/4)^n
[CapkunHubaux06] - No RBE; Auth. ranging
[MunillaOP06] - Void challenges, (3/5)^n
[MeadowsPPChS07]
[Piramuthu07] - (7/8)^n
[SingleePreneel07] - Noise-tolerant, (1/2)^n
[TuPiramuthu07] - 4-RBEs, (9/16)^n
[KimAKSP08] - (1/2)^n
[NikovVauclair08] - Rapid Bit-chunk Exchange
[MunillaPeinado08]
[AvoineTchamkerten09] - HK (3/4)^n → n(1/2)^n, memory cost
[SchallerSchBC09]

Bold fonts: Design for resistance to terrorist fraud attacks

References

[AvoineTchamkerten09] G. Avoine and A. Tchamkerten, “An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement,” ISC 2009

[BrandsChaum93] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ’93

[BussardBagga04] L. Bussard and W. Bagga, “Distance-Bounding Proof of Knowledge Protocols to Avoid Terrorist Fraud Attacks,” EUROCOM Tech. Report, RR-04-109, 2004

[CapkunBH03] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” SASN 2003

[CapkunHubaux06] S. Capkun and J.P. Hubaux, “Secure positioning in wireless networks,” JSAC 2006

[HanckeKuhn05] G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005

[KimAKSP08] C.H. Kim, G. Avoine, F. Koeune, F.-X. Standaert and O. Pereira, “The Swiss-Knife RFID Distance Bounding Protocol,” ICISC 2008


References (cont’d)

[MeadowsPPChS07] C. Meadows, R. Poovendran, D. Pavlovic, L. Chang, and P. Syverson, “Distance bounding protocols: Authentication logic analysis and collusion attacks,” Sec. Loc. and Time Sync. for Wireless Sensor and Ad Hoc Networks, 2006

[MunillaOP06] J. Munilla, A. Ortiz and A. Peinado, “Distance Bounding Protocols with Void Challenges for RFID,” RFIDSec 2006

[MunillaPeinado08] J. Munilla and A. Peinado, “Attacks on Singelee and Preneel's protocol,” ePrint, 2008

[NikovVauclair08] V. Nikov and M. Vauclair, “Yet Another Secure Distance-Bounding Protocol,” ePrint, 2008

[Piramuthu07] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems 2007

[ReidGNTS06] J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ASIACCS 2007

[SchallerSchBC09] P. Schaller, B. Schmidt, D. Basin, S. Capkun, “Modeling and Verifying Physical Properties of Security Protocols for Wireless Networks,” CSF 2009

[SingleePreneel07] D. Singelee and B. Preneel, “Distance Bounding in Noisy Environments,” ESAS 2007

[TuPiramuthu07] Y.-J. Tu and S. Piramuthu, “RFID Distance Bounding Protocols,” RFID Technology 2007


Attacks at the Physical Layer

• External adversaries at the physical layer: Early Detection / Late Commit

• Objective: Reduce measured distance

• Approach: Take advantage of redundancy at the physical layer

J. Clulow, G. Hancke, M. Kuhn, and T. Moore, “So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks,” ESAS 2006


Attacks at the Physical Layer (cont’d)

• Assume OOK:

• Early Detection: an adversarial receiver does not wait for the end of the symbol

• Late Commit: an adversarial transmitter can defer its signal transmission

[Figure: OOK symbols “0” and “1”]

Attacks at the Physical Layer (cont’d)

HTX – Honest Transmitter

HRX – Honest Receiver

ATX – Adversarial Transmitter

ARX – Adversarial Receiver

Attacks at the Physical Layer (cont’d)

[Figure labels: Honest TX; Adversarial RX; Adversarial TX; Honest RX; Early detection]

Attacks at the Physical Layer (cont’d)

[Figure labels: Honest TX; Adversarial RX; Adversarial TX; Honest RX; Early detection; Late commit]

Result: Premature arrival ⇒ Distance decreasing attack

Attacks at the Physical Layer (cont’d)

• Impulse Radio Ultra Wide Band (IR-UWB)

– Highly precise (sub-meter) ranging

– Resilience to multipath propagation

– IEEE 802.15.4a standard

– No rapid bit exchange

[Figure labels: Transmitted signal; Received signal; Sampled signal (energy detector receiver)]

Attacking IR-UWB Ranging

• Distance-decreasing relay attack

– IEEE 802.15.4a standard

• Mandatory modes

• Energy detector receiver

– Early detection (ED) and late commit (LC) combined

– Distance decrease of up to 140m

– Success rate can be made arbitrarily high

M. Fleury, M. Poturalski, P. P., J.-Y. Le Boudec, and J.-P. Hubaux, “Distance-decreasing Attacks Against Secure Impulse Radio Ranging,” ACM WiSec 2010


Attacking IR-UWB Ranging (cont’d)

[Figure: preamble and payload timelines at HTX, HRX, ATX, ARX, with early detection (ED) and late commit (LC); distance decrease 450ns ~ 135m]

Challenge: Transmission time and payload are not known to the adversary in advance

Attacking IR-UWB Ranging (cont’d)

• Preamble

[Figure sequence (timelines at HTX, HRX, ATX, ARX): preamble symbol Si, 4096 ns; the preamble as a run of repeated Si symbols; acquisition; 4096ns – 450ns; Start Frame Delimiter (SFD) made of Si, 0 and -Si symbols; normal SFD detection; early SFD detection; late SFD commit; time-shift: 450ns]

Attacking IR-UWB Ranging (cont’d)

• Payload

[Figure sequence (timelines at HTX, HRX, ATX, ARX): Binary PPM symbols “0” and “1”; 1024ns; 8ns; ~70ns; benign receiver decisions → 0, → 1; early detection (ED); late commit (LC)]

Relay time-shift 450ns = 512ns – 62ns = half symbol duration – early detection time

Attacking IR-UWB Ranging (cont’d)

• Payload: Early detection

[Plot: Packet Error Ratio vs. ARX SNR [dB]; 1.7dB]

Attacking IR-UWB Ranging (cont’d)

• Payload: Late commit

[Plot: Packet Error Ratio vs. HRX SNR [dB]; 4dB]

Attacking IR-UWB Ranging (cont’d)

[Plot: Probability of attack success vs. early detection SNR(ARX) and late commit SNR(HRX)]

Summary (cont’d)

• Physical layer attacks are PHY-specific

• For IR UWB:

– >99% attack success probability

– 4dB (ARX) and 6dB (HRX) higher than SNR necessary for benign operation

• Easy to mount attacks

– External adversaries

– High gain antennas

– Increased transmission power

– Placement close to victim devices

Summary (cont’d)

[Figure labels: Jail; relay; ???]


http://people.epfl.ch/panos.papadimitratos

http://lca.epfl.ch