Know Your Neighbor Keep Your Distance and other cautionary...
Transcript of Know Your Neighbor Keep Your Distance and other cautionary...
1
1
Know Your Neighbor, Keep Your Distanceand other cautionary tales
for wireless systems
Panos Papadimitratos
Joint work with
M. Poturalski, M. Fleury, J.-P. Hubaux, and J.-Y. Le Boudec
2
3 4
5 6
Wireless Systems
• Wireless local area networks (WLANs)
Link to the Internet
Wireless
Access
Point
2
7
Wireless Systems (cont’d)
• WLANs, Personal Area (PANs), Ad hoc Networks
Illustration: Ericsson, ca. 20008
Wireless Systems (cont’d)
• Radio Frequency Identification (RFID)
Readingsignal
Tagged object
ID Detailedobject
information
• Wi-Fi and Bluetooth enabled devices
Back-enddatabaseID
© L.B.
9
Wireless Systems (cont’d)
• Sensor networks
Node photos: XBow10
Wireless Systems (cont’d)
• Tactical ad hoc networks
– Military −Search-and-rescue
11
Wireless Systems (cont’d)
• Vehicular ad hoc networks (VANETs)
Illustration: C2C-CC12
Wireless Systems (cont’d)
Radio link establishment
Direct wireless communication
Multi-hop communication
Distance to other reachable devices
Device localization and own positioning
Application performance measurable in the physical world
• A set of basic elements
3
13
Wireless Systems Security
Anti-jamming techniques
Secure Neighbor Discovery
Secure data communication
Secure rangingDistance bounding
Secure localization and positioning
Vehicular Communications –transportation safety
• A set of basic elements
14
Know Your Neighbor
KYN, KYD, and other cautionary tales for wireless systems
15
Secure Neighbor Discovery
KYN, KYD, and other cautionary tales for wireless systems
16
Neighbor Discovery (ND)
• Neighbor Discovery (ND)
– A node discovers other nodes it can directly communicate with
A
B
C
D
17
Neighbor Discovery (ND) (cont’d)
• B is neighbor of A if and only if it can receive directly from A
• Link (A,B) is up � A is neighbor of B
• RA≠RB, i.e., (A,B) may be up while (B,A) is down
A
B
RA
RB
18
Neighbor Discovery (ND) (cont’d)
• Simple, widely used solution, but not secure• Easy to attack
– Mislead B that A is its neighbor, when this is not the case
A B
“Hello, I’m A”
B: “A is my neighbor”;“A is added in myNeighbor List”
4
19
Attacking ND
• Single adversary appears as multiple neighbors
M
“Hello, I’m A”
“Hello, I’m C”
“Hello, I’m Z” B: Neighbor List = {A, C, …, Z}
…
20
(2) A, nA, nB, B, SigA(A, nA,nB, B), CertCA(KA,A)
Securing ND
• An attempt– Message authenticity and replay protection
• nA, nB are nonces
– Bob essentially ‘challenges’ Alice to provide a ‘hello’ message
A B(1) nB, B
21
Attacking ND (cont’d)
• “Relay” or “Wormhole” Attack– Simply relay any message, without any modification
AB:
Neighbor List = {A}
M 22
Attacking ND (cont’d)
• Long-range relay / wormhole
– The attacker relays messages across large distances
out-of-band or private channel
B: Neighbor List = {A}
“Hello, I’m A”
“Hello, I’m A” “Hello, I’m A”
A
B
M1 M2
23
Attacking ND: Implications
• Routing in multihop ad hoc networks
24
Attacking ND: Implications (cont’d)
• Routing in multihop ad hoc networks
5
25
Attacking ND: Implications (cont’d)
• Routing in multihop ad hoc networks
26
Attacking ND: Implications (cont’d)
• RFID-based access control
Z. Kfir and A. Wool, “Picking virtual pockets using relay attacks on contact-less smartcard,” SECURECOMM ’05
• Attacker close to the access-granting RFID tag
– Relays signals from and to her accomplice, who obtains access
27
Securing Two-Party ND
• Basic ideas
– Authentication
– Node-to-node distance estimation
– x>R � A: AP not neighbor
– Y<R � B: AP neighbor
APA
Bx
y
R
28
Securing Two-Party ND (cont’d)
• Use message time-of-flight to measure distance
– Distance Bounding [1]
– Temporal Packet Leashes [2]
– SECTOR [3]
• Use node location to measure distance
– Geographical Packet Leashes [2]
[1] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ‘93
[2] Y.-C. Hu, A. Perrig, and D. B. Johnson. “Packet leashes: A defense against wormhole attacks in wireless networks,” IEEE INFOCOM ‘03
[3] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” ACM SASN ‘03
29
Securing Two-Party ND (cont’d)
• Are these protocols [1,2,3] achieving secure ND?
• Can any protocol, including and similar to [1,2,3], which can measure time, solve the secure ND problem?
• Is there any provably secure ND protocol?
• Note: Measurements can be *very* accurate
None of the above protocols secures NDNo (secure) ND protocol that relies
on time measurements does
30
Traces and Events
• Trace is a set of events
A
B
C
6
31
ΘS
ΘS,P
Feasible Traces
• System execution: feasible trace
• Traces feasible with respect to:
- Setting S
- Protocol P
- Adversary AΘS,P,A
Θ
32
Setting S
{ A, B, C, D, E, F, G, H }
………
H
A
C
B
D
G
FE
33
Trace θ Feasible wrt Setting S
• Causal and timely message exchange
A
B
v – signal propagation speed
34
Trace θ Feasible wrt Setting S (cont’d)
• Causal and timely message exchange
35
Local Trace
A
B
36
Protocol P
• Actions
• Local view
• Protocol
7
37
• Correct nodes follow the protocol
Trace θ Feasible wrt Protocol
38
Trace θ Feasible wrt Adversary
• Adversarial nodes can only relay messages
with minimum delay
• Denote the adversary as:
A
39
Neighbor Discovery Specification
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors
Protocol P solves Neighbor Discovery for adversary A if
40
Neighbor Discovery Specification (cont’d)
1) Discovered neighbors are actual neighbors
2) It is possible to discover neighbors
Protocol P solves Two-Party Neighbor Discovery for adversary A if
in the ND range R
…
41
T-protocol Impossibility
Theorem: No T-protocol can solve
Neighbor Discovery for adversary
if .
Proof (sketch):
Any T-protocol P that satisfies ND2 cannot
satisfy ND1
Observation: Physical proximity does not
necessarily imply correct nodes are able to
communicate directly42
Results
• T-protocol ND impossibility (general case)
• T-protocol solving ND (restricted case)
• TL-protocol solving ND (general case)
M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery in Wireless Networks: A Formal Investigation of Possibility,” ACM ASIACCS 2008
M. Poturalski, P. P., and J-P. Hubaux, “Secure Neighbor Discovery: Is it Possible?” LCA-REPORT-2007-004, 2007
8
43
Protocol P CR/TL
challenge
message
response
message
authenticator
message
• Challenge-Response/Time-and-Location
44
ND Properties – Revisited (cont’d)
• Correctness:
• Availability:
TP – protocol specific duration
45
Theorem: Protocol PCR/TL satisfies the Neighbor Discovery Specification:
• Correctness (ND1)
• Availability (ND2CR/TL)Under the assumptions:
i. Any processing delay ∆relay > 0
ii. Equality of maximum information propagation speed and wireless channel propagation speed vadv = v
Protocol P CR/TL (cont’d)
M. Poturalski, P. P., and J.-P. Hubaux, “Towards provable secure neighbor discovery in wireless networks,” ACM CCS FMSE 2008
46
Summary
• Secure Neighbor Discovery– Prerequisite for:
• Networking protocols
• Various applications
• System security
– Hard problem
– Proven secure solutions
– Implementation not easy in practice
47
Additional Readings
• Overview
• Implementation
• Alternative: Detect relays (aka wormholes)
‒ E.g., statistically and centrally
R. Shokri, M. Poturalski, G. Ravot, P. P., and J.-P. Hubaux, “A Low-Cost Secure Neighbor Verification Protocol for Wireless Sensor Networks,” ACM WiSec, March 2009
P. P., M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J-P. Hubaux, "Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking," IEEE Communications Magazine, February 2008
Chapter 6 of ”Security and Cooperation in Wireless Networks,” by L. Buttyan and J.-P. Hubaux, Cambridge Press, 2007
48
Keep Your Distance
KYN, KYD, and other cautionary tales for wireless systems
9
49
Secure Ranging / Distance Bounding
KYN, KYD, and other cautionary tales for wireless systems
50
Ranging / Distance Bounding (DB)
• Ranging
– A: Obtains d(A,B), an estimate of dA,B, the actual A,B distance
• Distance bounding
– A: Obtains D(A,B), a bound s.t. dA,B ≤ D(A,B)
A B…
51
Attacking Ranging / DB
• A, B exchange a sequence of messages, including own measurements (e.g., times of arrival)
• The attacker, B, provides fake inputs, to manipulate (shorten or lengthen) the d(A,B) calculated by A
• Caution
– Authentication does not solve the problem
– Computation delays could dwarf measurements
A B…
52
Attack Implications
• Manipulation of calculated distance
– Illegitimate physical space access
– Defeating a theft detection system
Safe Storage
53
Attacking Ranging / DB (cont’d)
Verifier Prover
...
Dishonest Prover
...
Verifier
Verifier Colluding DishonestProver
...
... ...
Mafia Fraud or RelayAttack
Distance FraudAttack
Terrorist FraudAttack
54
Securing Ranging / DB (cont’d)
• Authenticated ranging can defeat relay (mafia fraud) attacks
• To defeat the distance fraud attacks:
– Distance-related measurements based on sufficiently fast and simple actions by the honest prover
– A dishonest prover cannot perform the same action faster than an honest prover
• A dishonest prover cannot appear closer to the verifier than it actually is
10
55
Distance Bounding
S. Brands and D. Chaum, “Distance-bounding protocols,” Advancesin Cryptology, EUROCRYPT ’93
(RBE)
56
Distance Bounding (cont’d)
• Distance bounding [Brands & Chaum]
– Phase 1: Prover sends out a commitment to a random n-bit value
– Phase 2: Rapid Bit Exchange (RBE); the Verifier sends 1-bit challenges to Prover, which then XOR’s this with the corresponding bit of the comment
• At each RBE, the verifier measures the round-trip (V-P-V) delay
– Phase 3: The Prover opens the commitment and the Verifier calculates the distance bound (the maximum of all RBE-measured delays)
• Success of attack: 1/2n
– An attacker can only guess the 1-bit responses
57
[Piramuthu07]
- 7/8n
[BrandsChaum93]
- Mafia-resistant, ½n
[CapkunBH03]
- Mutual DB[BussardBagga04]
- Asymmetric crypto
- Proof of Knowledge[HanckeKuhn05]
- Noise-tolerant, w/o noise ¾n
[ReidGNTS06]
- Symmetric crypto, ¾n
[MeadowsPPChS07]
[TuPiramuthu07]
- 4-RBEs, 9/16n
[KimAKSP08]
- 1/2n
Bold fonts: Design for resistance
to terrorist fraud attacks
[MunillaOP06]
- Void challenges, 3/5n
[SingleePreneel07]
- noise-tolerant, ½n
[NikovVauclair08]
- Rapid Bit-chunk Exchange
[MunillaPeinado08]
- [AvoineTchamkerten09]- HK ¾n → n½n, memory cost
[SchallerSchBC09]
Summary
[CapkunHubaux06]
- No RBE
- Auth. ranging
58
References
[AvoineTchamkerten09] G. Avoine and A. Tchamkerten, “An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement,” ISC 2009
[BrandsChaum93] S. Brands and D. Chaum, “Distance-bounding protocols,” EUROCRYPT ’93
[BussardBagga04] L. Bussard and W. Bagga, “Distance-Bounding Proof of Knowledge Protocols to Avoid Terrorist Fraud Attacks,” EUROCOM Tech. Report, RR-04-109, 2004
[CapkunBH03] S. Capkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks,” SASN 2003
[CapkunHubaux06] S. Capkun and J.P. Hubaux, “Secure positioning in wireless networks,” JSAC 2006
[HanckeKuhn05] G. Hancke and M. Kuhn, “An RFID Distance Bounding Protocol,” SecureComm 2005
[KimAKSP08] C.H. Kim, G. Avoine, F. Koeune, F.-X. Standaert and O. Pereira, “The Swiss-Knife RFID Distance Bounding Protocol,” ICISC 2008
59
References (cont’d)
[MeadowsPPChS07] C. Meadows, R. Poovendran, D. Pavlovic, L. Chang, and P. Syverson, “Distance bounding protocols: Authentication logic analysis and collusion attacks,” Sec. Loc. and Time Sync. for Wireless Sensor and Ad Hoc Networks, 2006
[MunillaOP06] J. Munilla, A. Ortiz and A. Peinado,”Distance Bounding Protocols with
Void Challenges for RFID,” RFIDSec2006
[MunillaPeinado08] J. Munilla and A. Peinado, “Attacks on Singelee and Preneel'sprotocol,” ePrint, 2008
[NikovVauclair08] V. Nikov and M. Vauclair, “Yet Another Secure Distance-Bounding Protocol,” ePrint, 2008
[Piramuthu07] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems 2007
[ReidGNTS06] J. Reid, J. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” ASIACCS 2007
[SchallerSchBC09] P. Schaller, B. Schmidt, D. Basin, S. Capkun, “Modeling and Verifying Physical Properties of Security Protocols for Wireless Networks,” CSF 2009
[SingleePreneel07] D. Singelee and B. Preneel, “Distance Bounding in Noisy Environments,” ESAS 2007
[TuPiramuthu07] Y.-J. Tu and S. Piramuthu, “RFID Distance Bounding Protocols,” RFID Technology 2007
60
Attacks at the Physical Layer
• External adversaries at the physical layer: Early Detection / Late Commit
• Objective: Reduce measured distance
• Approach: Take advantage of redundancy at the physical layer
J. Clulow, G. Hancke, M. Kuhn, and T. Moore, “So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks,” ESAS 2006
11
61
Attacks at the Physical Layer (cont’d)
• Assume OOK:
• Early Detection : an adversarial receiver does not wait for the end of the symbol
• Late Commit : an adversarial transmitter can defer its signal transmission
“0” “1”
“0” “1” “0” “1”
62
Attacks at the Physical Layer (cont’d)
HTX
HRX
ATX
ARX
Honest Transmitter
Honest Receiver
Adversarial Receiver
Adversarial Transmitter
63
Attacks at the Physical Layer (cont’d)
Honest TX
Adversarial RX
Honest RX
Early detection
Adversarial TX
64
Attacks at the Physical Layer (cont’d)
Late commit
Early detection
Honest TX
Adversarial RX
Honest RX
Adversarial TX
Result : Premature arrival �
Distance decreasing attack
65
Attacks at the Physical Layer (cont’d)
• Impulse Radio Ultra Wide Band (IR-UWB)
– Highly precise (sub-meter) ranging
– Resilience to multipath propagation
– IEEE 802.15.4a standard
– No rapid bit exchange
Transmitted signal
Received signal
Sampled signal(energy detector receiver)
66
Attacking IR-UWB Ranging
• Distance-decreasing relay attack
– IEEE 802.15.4a standard
• Mandatory modes
• Energy detector receiver
– Early detection (ED) and late commit (LC) combined
– Distance decrease of up to 140m
– Success rate can be made arbitrarily high
M. Fleury, M. Poturalski, P. P., J.-Y. Le Boudec, and J.-P. Hubaux, “Distance-decreasing Attacks Against Secure Impulse Radio Ranging,” ACM WiSec 2010
12
67
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
preamble payload
preamble payload
payload
payload
450ns ~ 135mDistancedecrease
preamble
preamble
Challenge : Transmission time and payload are not known to the adversary in advance
Early detection (ED)
Late commit (LC)
68
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
Si
4096 ns
preamble symbol
• Preamble
69
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
Si Si Si Si Si Si Si Si Si Si Si
• Preamble
70
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
Si Si Si Si Si Si Si Si Si Si Si …Si
Si Si Si Si Si Si Si Si Si Si …Si Si
Si Si Si …
4096ns –450ns
Si Si Si
Si Si SiSi Si Si
acquisition
• Preamble
71
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
…
…
…
…
Si Si Si Si Si Si Si Si Si Si Si Si
Si Si Si Si Si Si Si Si Si Si Si Si
Si Si Si
4096ns – 450ns
Si Si Si
Si Si SiSi Si Si
Acquisition
Si
Si
Si
Si
0
0
Si
Si
Si
S
S
S
• Preamble
72
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
…
…
…
…
Si
Si
Si
Si
0
0
Si
Si
Si
Si
Si
Si
0
0
Si
Si
-Si
-Si
Si
Si
Si
Si
Si
Si
0
0
Si
Si
0
0
Si
Si
-Si
-Si
Si
Si
Start Frame Delimiter (SFD)
Early SFD detectionNormal SFD detection
• Preamble
13
73
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
…
…
…
…
Si
Si
Si
Si
0
0
Si
Si
Si
Si
0
0
0
0
-Si
-Si
-Si
-Si
Si
Si
Si
Si
0
0
0
0
0
0
0
0
-Si
-Si
-Si
-Si
Start Frame Delimiter (SFD)
Early SFD detection
Late SFD commitSi
Si
Time-shift: 450ns• Preamble
74
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
…
…
…
…
Si
Si
Si
Si
0
0
Si
Si
Si
Si
0
0
0
0
-Si
-Si
-Si
-Si
Si
Si
Si
Si
0
0
0
0
0
0
0
0
-Si
-Si
-Si
-Si
Start Frame Delimiter (SFD)
Early SFD detection
Late SFD commitSi
Si
• Preamble
75
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
“0”
1024ns
“1”
8ns Binary PPM
…
…~70ns
• Payload
76
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
1024ns 8ns Binary PPM
>< ><
Benign receiver“0” “1”
…
…→ 0 → 1
• Payload
77
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
1024ns 8ns Binary PPM
ED“0” “1”
…
…
LC…
>< ><•…
→ 0 → 1
→ 0 → 1
• Payload
78
Attacking IR-UWB Ranging (cont’d)
HTX
HRX
ATX
ARX
1024ns 8ns Binary PPM
“0” “1”…
…
LC…
>< ><…
Relay time-shift 450ns = 512ns – 62ns= half symbol duration – early detection time
ED
• Payload
14
79
Attacking IR-UWB Ranging (cont’d)
1.7dB
Pack
et
Err
or
Ratio
ARX SNR [dB]
• Payload: Early detection80
Attacking IR-UWB Ranging (cont’d)
4dB
Pack
et
Err
or
Ratio
HRX SNR [dB]
• Payload: Late commit
81
Attacking IR-UWB Ranging (cont’d)
Early detection SNR(ARX)
Late commit SNR(HRX)
Pro
babili
ty o
fatt
ack
succ
ess
82
Summary (cont’d)
• Physical layer attacks are PHY-specific
• For IR UWB:
– >99% attack success probability
– 4dB (ARX) and 6dB (HRX) higher than SNR necessary for benign operation
• Easily to mount attacks
– External adversaries
– High gain antennas
– Increased transmision power
– Placement close to victim devices
83
Summary (cont’d)
Jail
•relay
???
84
Know Your Neighbor, Keep Your Distanceand other cautionary tales
for wireless systems
Panos Papadimitratos
Joint work with
M. Poturalski, M. Fleury, J.-P. Hubaux, and J.-Y. Le Boudec
http://people.epfl.ch/panos.papadimitratos
http://lca.epfl.ch