Security in Wireless Ecosystems - PowerPoint PPT Presentation



SLIDE 1

Security in Wireless Ecosystems

Wade Trappe

SLIDE 2

WINLAB

Wireless Ecosystems represent the next generation of pervasive computing systems

  • Integrating the physical world with the Internet

– Ability to view, search and interact with the physical world
– Pervasively deployed mobile and embedded computing devices

  • A set of evolving “wireless ecosystems” emerges

– Weaving information into the fabric of human lives

  • Characteristics of pervasive ecosystems

– 10s of billions of wireless devices connected to the global network
– Scale is 2 orders of magnitude greater than today’s internet
– Licensed and Unlicensed Spectrum
– New challenges in enabling technologies, system architecture and human-centric design

  • Communications/Networking with Cognitive Radios

– Design of hierarchical, distributed, decentralized and adaptive protocols
– Spectrum Coexistence in dense wireless networks
– Efficient integration with the future internet

  • Security and Privacy

– Personal nature of use of technologies
– Ubiquitous nature of use of technologies

SLIDE 3

Wireless Ecosystems represent the next generation of pervasive computing systems

[Figure labels: Autonomous Wireless Clusters (“ecosystems”): Vehicles with Sensors & Wireless, Hospital with Embedded Monitoring, Robotics Application, Smart Public Space; Physical World with Embedded Wireless; Multiple radio standards, Cognitive radios; Global Pervasive Network (Future Internet); Network Connectivity & Computation: Content & Location Aware Routers, Computation & Storage, Protocol module; Application Management & Control Software: Autonomous software agents, Control Module, Cognitive Intelligence Module, Virtualized physical world object, Ambient interfaces, “Human in the Loop”; From Sensors; To Actuators]

SLIDE 4

Wireless Ecosystems are a multi-dimensional activity at WINLAB

  • Spectrum Policy

– Economics
– Regulation
– Legal
– Business

  • Cooperative Communications

– Information & Coding Theory
– Statistical Signal Processing
– Game Theory/Microeconomics
– MAC & Networking Algorithms

  • Platforms/Prototypes

– WiNC2R Programmable agile radios
– GNU platforms
– Cognitive Radio Network Testbeds

[Figure labels: Spectrum Policy Server; rate1, rate2, rate3, rate4; “Wireless Ecosystems”]

SLIDE 5

WINLAB has a holistic approach to addressing security issues in emerging wireless systems

Confidentiality

Wireless is easy to sniff. We still need encryption services and key management. Key freshness is an issue.

Integrity

Wireless hardware/equipment needs to be safe from modification. Data/control info should not be modified before or during transit.

Forensics

Wireless networks will be the platform of choice for attacks. Should the network keep track of forensic evidence?

Privacy

Perpetual connectivity can mean constant surveillance! With snooping one can monitor mobility and handoffs between networks.

Location

Location is a new form of information provided by wireless systems that will facilitate new services. Location information needs to be trusted.

Intrusion

The pervasiveness of the wireless networks should not mean that just anyone can participate! Example: Rogue APs

Availability

The value of a wireless network is its promise of ubiquitous connectivity. Unfortunately, wireless networks are easy to “break” (e.g. jam, denial of service)

Non-repudiation

RF energy radiates, and wireless entities within the radio coverage pattern may serve as witnesses for the actions of the transmitter.

SLIDE 6

Security can be achieved by exploiting unique properties of the wireless physical layer (SEVILLE)

  • Wireless channels are “open” and hence more susceptible to eavesdropping, intrusion and spoofing…
  • Interestingly, wireless channel properties (“RF signatures”) can be exploited for authentication and to identify attackers
  • Project on protocols and algorithms for security functions; also experimental validation

SLIDE 7

SEVILLE exploits the physical layer to achieve new forms of key establishment

  • Use channel reciprocity to build highly correlated data sets

– Probe the channel in each direction
– Estimate channel using received probe

  • Eve receives only uncorrelated information as she is more than λ/2 away
  • Level crossings are used to generate bits
  • Alice and Bob must exchange messages over public channel to create identical bits
  • What if channel is not already authenticated?

– Requires additional sophistry to prevent man-in-the-middle attack.
– It is possible using the correlated data collected from received probes.

[Figure labels: PROBE; Get channel estimates; Locations of excursions; Locations in agreement; Key; Positive excursion; Negative excursion]

SLIDE 8

SEVILLE’s key establishment has been validated in real customized and COTS systems

  • Experimental setup:

– Alice = AP
– Bob = Client
– Eve = Client on same channel

  • Alice → Bob: PING REQUEST; Bob → Alice: PING REPLY
  • 20 packets per second
  • Eve overhears packets from both legitimate users
  • (RSSI, timestamp) from received packet headers are pulled out by each user
  • Message exchange protocol uses the locations of excursions to distil identical bits
  • ~1 bit/sec in typical indoor environments with no errors.

[Figure: panels labelled with pairs of Alice, Bob and Eve]
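The level-crossing exchange described on the two SEVILLE slides above, worked through in Python as an added example (not code from the presentation or from WINLAB). The RSSI traces are constructed; the guard-band factor `alpha`, the minimum excursion length `m`, Bob's run-length check and all function names are assumptions.

```python
from statistics import mean, pstdev

# Constructed RSSI traces (dBm), one value per probe. Alice and Bob measure the
# same reciprocal channel plus small noise; Eve's channel is unrelated.
ALICE = [-52, -51, -50, -52, -60, -61, -70, -71, -69, -72, -60, -59,
         -51, -50, -52, -61, -68, -70, -71, -60, -59, -52, -51, -50]
BOB = [-53, -51, -52, -51, -59, -60, -69, -70, -71, -70, -61, -60,
       -52, -59, -51, -60, -69, -71, -70, -59, -60, -51, -52, -51]
EVE = [-70, -69, -71, -60, -52, -51, -50, -60, -61, -59, -70, -71,
       -69, -60, -51, -52, -50, -51, -60, -70, -69, -60, -52, -51]

def quantize(trace, alpha=0.5):
    """1 above mean+alpha*sd, 0 below mean-alpha*sd, None inside the guard band."""
    mu, sd = mean(trace), pstdev(trace)
    return [1 if x > mu + alpha * sd else 0 if x < mu - alpha * sd else None
            for x in trace]

def run_bounds(sym, idx):
    """First and last index of the run of equal symbols that contains idx."""
    lo = hi = idx
    while lo > 0 and sym[lo - 1] == sym[idx]:
        lo -= 1
    while hi < len(sym) - 1 and sym[hi + 1] == sym[idx]:
        hi += 1
    return lo, hi

def excursions(sym, m):
    """Alice: centre index of every run of >= m samples above or below the band."""
    centres, i = [], 0
    while i < len(sym):
        lo, hi = run_bounds(sym, i)
        if sym[i] is not None and hi - lo + 1 >= m:
            centres.append((lo + hi) // 2)
        i = hi + 1
    return centres

def confirm(sym, proposed, m):
    """Bob: keep an index only if it lies in his own excursion of >= m-1 samples."""
    def length(i):
        lo, hi = run_bounds(sym, i)
        return hi - lo + 1
    return [i for i in proposed if sym[i] is not None and length(i) >= m - 1]

def establish(alice, bob, eve, m=3):
    """Run the exchange; Eve hears both index lists but has only her own trace."""
    qa, qb, qe = quantize(alice), quantize(bob), quantize(eve)
    proposed = excursions(qa, m)        # Alice -> Bob over the public channel
    agreed = confirm(qb, proposed, m)   # Bob -> Alice over the public channel
    def pick(q):
        return [q[i] for i in agreed]
    return proposed, agreed, pick(qa), pick(qb), pick(qe)

if __name__ == "__main__":
    print(establish(ALICE, BOB, EVE))
```

With these traces Alice proposes five excursion centres, Bob rejects the one where his estimate fell inside the guard band, and both derive the same four bits, while Eve's quantized channel at the agreed indices matches only one of them.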

SLIDE 9

DARWIN seeks to defend wireless networks from adversarial wireless interference

  • Goal: to maintain wireless network connectivity in the presence of wireless interference (i.e. jamming)
  • Strategies:

– Channel Surfing: Adapt network channel allocations in an on-demand manner
– Spatial Retreats: Use mobility to evade interference sources and re-establish network connectivity
– Anti-jamming Timing Channels: Failed packet reception events may be modulated to establish a low-rate jamming resistant communication channel
– Radio Teaming: A team of transmitters exploits multipath environments to perturb angular receiver patterns, in spite of SINR levels of -10dB or worse.

[Figure captions: (Effect of a jammer on a network of Chipcon 1100 Radios) (Channel Surfing adjusts channels to re-establish the network)]

SLIDE 10

A non-jammable timing channel remains when the physical layer is being jammed

  • Objective:

– Create a low bit-rate overlay that exists on the conventional physical/link-layers in spite of a broadband interferer.

  • Approach: Modulate the interarrival time between packet transmissions to convey information

– Jammed packets are detectable

[Figure: time axis with packet times t1, t2, t3, t4, t5, …, ti, ti+1 and interarrival times τ1, τ2, τ3, τ4, …, τi]

[Figure: The Timing Channel Overlay. Sender and Receiver stacks (Network, Datalink, Physical) with a 4Oz Overlay: Timing channel, Overlay Framing, Error Correct, Overlay Authent., Virtual Bitpipe]

SLIDE 11

Radio transmitters can team to overcome radio interference by non-coherently perturbing receiver beampattern

Motivation:

  • Units moving through “urban canyons” experience complex link quality conditions
  • Adversarial scenarios, involving jammers, further complicate conditions

Increasing transmit power may not be an option… Team solutions are needed

  • Can we do beamforming or cooperative communications?
  • Can we utilize the “RF Clutter” to convey information?

[Figure labels: Jammer; Jammer; Target Receiver; Communication is Jammed + Blocked, SINR = -15dB; “Help me!”; What’s this RF Clutter?]

SLIDE 12

MIAMI: Mobile Infrastructures for Advancing Military Information Technologies involves security analysis of MIMO

  • DoD is reliant on wireless networks to support critical communications

– Mobile Ad Hoc Networks
– Pervasive monitoring of valuable military assets (such as artillery or food supplies)

  • MIAMI seeks to address issues of performance, adaptability and reliability for three different wireless scenarios

– Design of Active RFID Systems for Inventory Management.
– Development of a Protocol Architecture for Cognitive Radio Networks.
– Design and Evaluation of Military MIMO Systems.

  • Task-1 emphasis is on tactical MIMO systems

– Modeling of MIMO channels
– Integrating ray-tracing and MIMO channel models with ns-2
– Threat analysis of tactical MIMO radios

[Figure labels: TARGET; STAGE 1, STAGE 2, STAGE 3; Group 1, Group 2, Group 3; high density, no mobility and low traffic zone; low density, mobile and high traffic zone; high density, low mobility and high traffic zone; Initial meeting stage; Approaching the target; Congregation at the target]

Basic adversarial MIMO setting, where Eve seeks to interfere with Alice and Bob’s communication. MIMO tactical scenarios will be integrated into a custom ns-2 simulator tool.

SLIDE 13

Cognitive Radios are an emerging wireless system with many potential security threats

  • Expose the lower-layers of the protocol stack to researchers, developers and the “public”

– scan the available spectrum, select from a wide range of operating frequencies
– adjust modulation waveforms, perform adaptive resource allocation

  • An ideal platform for abuse since the lowest layers of the wireless protocol stack are accessible to programmers.

1. Poor programming:

  • CR protocols will be complex, it will be easy to write buggy implementations
  • Runaway software processes…

2. Greedy exploitation:

  • Decrease back-off window in an 802.11 (or comparable) implementation
  • Ignore fairness in spectrum etiquette (many co-existence protocols assume honest participants, or honest data)

3. Simply Ignoring Etiquette

  • Primary user returns… so-what???

4. Economic/Game-theoretic Models

  • Standard economic models for spectrum sharing seek to support cooperation, but cooperation does not ensure trusted operation!
  • Security is an anti-social topic!

SLIDE 14

WINLAB is developing AUSTIN: Assuring Software Radios have Trusted Interactions

  • Goal: to regulate the future radio environment, ensure trustworthy cognitive radio operation (Team: Rutgers, Virginia Tech, UMass)
  • How — two complementary mechanisms

– On-board enforcement – restrict any violation attempt from accessing the radio:

Each CR runs its own suite of spectrum etiquette protocols
Onboard policy checking verifies actions occur according to “spectrum laws”

– An external monitoring infrastructure:

Distributed Spectrum Authority (DSA) — police agent observes the radio environment
DSA will punish CRs if violations are detected via authenticated kill commands.

SLIDE 15

CARMEN: A Collaborative, Assurable, and Reliable Mobile Network for Tactical Operations addresses MANET security

Approach:

To address threats across all of the separate and interacting layers in the MANET, CARMEN involves a holistic suite of security mechanisms to assure proper operation of each layer. Some components that will be developed include:

  • PHY/Link-Layer Assurance: Anti-jamming Channel Adaptation Methods will reconstruct network link connectivity to recover the network in the presence of interference
  • Routing-Layer Assurance: Multipath “Security Control” for Byzantine-Robust Forwarding will automatically re-allocate traffic around Byzantine nodes
  • Transport and Resource Assurance: Byzantine-Secure Accounting and Pin-pointing of Malicious Insiders will recognize when nodes utilize an unfair portion of system-wide network resources

[Figure labels: Video Surveillance Sensor Network; Forward Observer; Communications Satellite; Relay Alpha Broadband Relay Bravo; Satellite Link; Enemy jammer blocks link to Bravo!; Alpha is captured by enemy, and becomes malicious!; Relay Charlie Enemy FO Mission is to deliver Intel observations to Satellite.; Network must support multiple traffic types.]

Innovative Technology:

  • The CARMEN effort is centered on a novel architecture, involving a Secure Management Plane (SMP) that will support consistent and observable security control information across the entire MANET.
  • Advantages of CARMEN-SMP:

(1) may utilize a separate radio link, optimized for reliability and radio range (not bandwidth).
(2) provides a common method/framework for exchanging security audit information;
(3) separate out signaling from the normal traffic/data plane
(4) can be fed directly into trusted computing components
(5) Reduction in hops on control plane increases provability of security for protocols

[Figure labels: SMP; Data Plane]

Implementation:

The SMP is possible through a separate radio link optimized for reliability not bandwidth:

  • Possible on dual-radio nodes (e.g. multiple 802.11 interfaces, with SMP using low-rate, more resilient modulation)
  • For single-radio nodes it is possible to implement as a TDMA-overlay on 802.11
  • Forward-looking vision: JTRS and other software radios can easily support multiple radio interfaces

SLIDE 16

SEAR addresses known security weaknesses in secure AODV protocols (SAODV, ARAN)

  • Characteristics

– Authenticate RREQs/RREPs/RERRs
– Based on symmetric key cryptography
– Public key cryptography is only used in initial bootstrap phase
– Sequence #’s and hop counts are protected through the use of a one-way function
– Route errors are protected through a variation of TESLA

  • Each node maintains 2 hash chains for itself to use

– Authenticator hash chain
– TESLA key chain

  • Authenticator Hash Chain: What basically happens is…

– Each individual hop for each even sequence number should have a corresponding hash value
– Odd sequence number only needs one hash value
– Nodes who have an even sequence number have the corresponding next higher odd sequence number
– Intermediate nodes cannot increase the sequence number or decrease the hop count

[Figure: hash chain h_0, h_1, …, h_{n-2m-1}, …, h_{n-m-2}, h_{n-m-1}, h_{n-m}, h_{n-m+1}, …, h_{n-1}, h_n. Labels: Generation; Seq#0, Seq#1, Seq#2, Seq#3; m+1; Hop0, Hop1; For RERRs]
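How a one-way hash chain stops an intermediate node from lowering the hop count or advertising a newer sequence number, as an added Python example (not SEAR's own code or specification). It assumes SHA-256, a simplified layout in which each sequence number owns one group of m+1 chain values, and hypothetical function names; the odd sequence numbers and TESLA keys used for RERRs are left out.

```python
import hashlib

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int):
    """h[0] = seed, h[i] = H(h[i-1]); h[n] is the anchor distributed at bootstrap."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

def index_for(n: int, m: int, seq: int, hop: int) -> int:
    """Assumed layout: sequence number `seq` owns m+1 values just below those of
    seq-1; inside a group, hop 0 is the value furthest from the anchor."""
    if seq < 0 or not 0 <= hop <= m:
        raise ValueError("seq or hop out of range")
    return n - 1 - seq * (m + 1) - (m - hop)

def forward(value: bytes) -> bytes:
    """An intermediate node increments the hop count by hashing once."""
    return H(value)

def verify(anchor: bytes, n: int, m: int, seq: int, hop: int, value: bytes) -> bool:
    """Accept only if hashing forward the expected number of times hits the anchor."""
    idx = index_for(n, m, seq, hop)
    if idx < 0:
        return False
    for _ in range(n - idx):
        value = H(value)
    return value == anchor

def demo():
    n, m = 20, 3                                  # constructed parameters
    chain = make_chain(b"constructed-seed", n)
    anchor = chain[n]
    v0 = chain[index_for(n, m, 1, 0)]             # originator: seq 1, hop 0
    v1 = forward(v0)                              # first forwarder: hop 1
    return {
        "honest_hop0": verify(anchor, n, m, 1, 0, v0),
        "honest_hop1": verify(anchor, n, m, 1, 1, v1),
        # Both forgeries would need a preimage of a value the node was given.
        "claim_lower_hop": verify(anchor, n, m, 1, 0, v1),
        "claim_newer_seq": verify(anchor, n, m, 2, 0, v0),
    }

if __name__ == "__main__":
    print(demo())
```

In this simplified chain a forwarder can still pass on the value it received without hashing it, so the chain stops a node from advertising a shorter route than the one it heard, not from omitting its own hop.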

SLIDE 17

New Active RFID technology targets advancing state-of-the-art in inventory management with unique security issues

  • Rethink the RFID problem from bottom up using state-of-art technology

– Simple (cheap!) tags, sophisticated readers
– Continuous inventory, not portals
– Route to extreme miniaturization—works for items of all sizes

  • NSF STTR support and strong industry connections.

– Initial target: jewelry supply/sales chain (Retail only: ~$50B/yr)

RFID: Radio Frequency IDentification

  • RFID tags only respond when queried.
  • Easily shielded intentionally or by environment.
  • Only “seen” when passing a portal
  • RFID tags are complex.
  • Many have processors, memory, and other features.
  • Long life tags are passive
  • Short range, poor link quality
  • High power base stations (~5W each!)

MRT: MicroRadio Tag™

  • MRTs announce their status continuously.
  • User knows immediately when/where they are moved.
  • Network connectivity allows remote access.
  • MRTs only announce serial number
  • All other complexity is in the network and database.
  • Long life with active radio
  • Long range, good link quality
  • Passive Basestations