Transcript Document
Wireless Communications Security
Issues, Solutions and Challenges
Michel Barbeau and Jeyanthi Hall
Outline
• Availability
• Privacy
• Integrity
• Legitimate Participants
• Absence of misbehavior
2
Security Requirements
• Availability
– no jamming, adaptability to unforeseen topologies
• Privacy
– nondisclosure of cell phone communications and 802.11 frames
• Integrity
– data is not intercepted and tampered
• Legitimate participants
– no cell phone cloning and 802.11 frame spoofing
• Absence of misbehavior
– fairness, greedy user detection
Availability
• Jamming
• Inability to deal with unforeseen topologies
Jamming
• Shannon’s model:
S
C W log 1
N
How to Deal With Jamming?
• Increase the bandwidth
– Frequency Hopping/Direct Sequence Spread Spectrum
• 801.11(b) : 2.4 - 2.4835 Giga Hertz
• 801.11(a): 5.15- 5.35 Giga Hertz; 5.725- 5.825 Giga Hertz
– Ultra Wide Band
• Bandwidth greater than 25% if center frequency
• Increase the power
– GPS III, planned for 2010 [Ashley, Next-Generation GPS, Scientific
American, September 2003.]
Inability to Deal With Unforeseen Topologies
Images by: J.&G. Naudet (9/11/2001)
Privacy
• Cellular phone eavesdropping
• Overview of privacy techniques in 2G and 3G of cellular
mobile radiophones
– Refs.:
• V. Niemi and K. Nyberg, UMTS Security, Wiley, 2003.
• M.Y. Rhee, CDMA Cellular Mobile Communications and Network Security,
Prentice Hall PTR,1998.
– GSM, UMTS
• Challenges
• Future
– Reconfigurable security
– Chaotic communication
– Quantum cryptography
Cellular Phone Eavesdropping
• Inexpensive equipment for intercepting analog communications is
easy to obtain in Canada.
• In US, the regulations authorize the sale of scanners to the general
public only is cellular frequencies are blocked. However, there are
several workarounds
– Web sites publish modifications to restore reception of cellular frequencies
by scanners.
– Frequency converters can translate cellular frequencies to the frequency
range supported by a receiver.
– With receivers using non quadrature mixing, the image frequency technique
can be used.
• Digital communications can also be intercepted with the appropriate
equipment!
Generations of Cellular Mobile Radiophones*
• 1G
– Advanced Mobile Phone System (AMPS): 1980s, Frequency Modulation
(FM), Frequency Division Multiple Access (FDMA), handover between
cells, limited roaming between networks
• 2G
– Global System for Mobile communications (GSM): 1990s, digital-coding of
voice, Time Division Multiple Access (TDMA), Subscriber Identity Module
(SIM), data communications
• 3G
– 3G Partnership Project (3GPP), Universal Mobile Telecommunications
System (UMTS): 1998-, Wideband Code Division Multiple Access
(WCDMA), use of GSM network model, global roaming; 2 Mbps data
• 4G
– All-IP-based, 100 Mbps data
* List of cited technologies is not exhaustive
.
Security Associations in GSM
Mobile
Phone
is part of
is part of
International Mobile
Subscriber Identity
(IMSI)
Subscriber
Identity Module
(SIM)
Temporary
Mobile Subscriber
Identity (TMSI)
Visitor Location
Register (VLR)/Base
Transceiver Station
(BTS)
Permanent
Secret Key
(Ki)
Authentication
Centre (AuC)
Session
Encryption Key
(Kc)
Authentication in GSM
Serving
Network
Home Location
Register
(HLR)/AuC
Mobile Switching
Centre (MSC)/
VLR
Mobile
Phone
IMSI
IMSI
Authentication
triplet is sent
(RAND, SRES, Kc)
RAND
Using Ki and RAND,
function A3 yields SRES
function A8 yields Kc
SRES'
SRES'=SRES?
RAND Random Number
SRES Signed Response
TMSI Kc
Encryption/Decryption in GSM
Kc (64 bits)
A5
pseudo random
key stream
(114 bits)
Frame number
(22 bits)
XOR
plain text message or
encrypted message
(114 bits)
encrypted/
decrypted
message
(114 bits)
Stream Cipher Weakness
Encrypted(M1 ) Encrypted(M 2 ) M1 M 2
Security Holes in GSM [Niemi & Nyberg ‘03]
• Active attack
– Attacker masquerades as a legitimate base station/cell phone
• Encryption keys
– Plain text session key inter-network forwarding
– Brute force attack
• Some encryption algorithms are kept secret
– Were not subjected to a comprehensive analysis/peer review
Security Associations in UMTS
User
Equipment
(UE)
is part of
is part of
Universal
SI Module
(USIM)
Master Secret
Key (K)
128 bits
AuC
Integrity Key
(IK)
128 bits
IMSI
TMSI
VLR
Cypher Key
(CK)
128 bits
Mutual Authentication and Key Agreement in
UMTS
AuC
VLR
UE
authentication data request
(IMSI)
USIM
IMSI
authentication
data response
(RAND, AUTN, XRES,
CK, IK)
RAND, AUTN
RAND, AUTN
RES
AUTN Authentication Token
RES User Response
XRES Expected Response
RES=XRES?
TMSI CK
ACK
AUTN is new and
from AuC?
RES
Yes!
Encryption/Decryption in UMTS
Count-C
(32 bits)
Bearer id
(5 bits)
Direction
(1 bit)
CK
(128 bits)
KASUMI
key stream block
("Length" bits)
XOR
Length
encrypted/
decrypted message
("Length" bits)
plain text message or
encrypted message
("Length" bits)
COUNT-C: Frame number plus Hyper frame number,
incremented when the frame number wraps around
Direction: up/down-link
Integrity in UMTS
FRESH
(32 bits)
Count-I
(32 bits)
Message
Direction
(1 bit)
IK
(128 bits)
One-way
function
(KASUMI)
Message
Authentication
Code (32 bits)
COUNT-I: similar to COUNT-C, replay protection
FRESH: start value of COUNT-I
Challenge: Co-existence of analog technology and
digital technology
•
•
•
•
The digital technology has higher potential for being secure than analog
technology. For example, the Cellular Digital Packet Data (CDPD) uses data
encryption and provides privacy.
Most of the cellular phones use hybrid technology, both analog and digital. The
reason for that is that digital communications require a relatively stronger
signal, for intelligibility, than analog communications, all other things being
equal (such as bandwidth of a voice channel). A cell phone will hence operate in
digital mode over relatively short distances.
In order to enable long range communications, cell phones fall back to the
analog mode when the signal gets too weak for digital communications. As a
result, digital systems inherit all the security vulnerabilities of analog systems.
Co-existence of legacy analog technology and digital technology is a challenge
for system security design.
Challenge: Introduction of new defense method in
existing systems
• Attack methods evolve
• Defense methods evolve
• New defense methods are difficult to introduce in existing
systems
Reconfigurable security
Reference
• Al-Muhtadi at al., A lightweight reconfigurable security
mechanism for 3G/4G mobile devices, IEEE Wireless
Communications, April 2002.
Definition
• Security mechanisms are reconfigured dynamically according
to capabilities, processing power, and needs
• Loading/configuration/unloading of software components that
implement security services
Chaotic Communication (1)
Chaotic Communication (2)
Background
•
Abel and Schwarz, Chaos Communications—Principles, Schemes, and
System Analysis, Proceedings of the IEEE, 2002.
•
Itoh, Spread Spectrum Communication via Chaos, World Scientific
Publishing Company, International Journal of Bifurcation and Chaos,
1999.
Theoretical Attacks
•
Guojie, Zhengjin, and Ruiling, Chosen Ciphertext Attack on Chaos
Communication Based on Chaotic Synchronization, IEEE
Transactions on Circuits and Systems, 2003.
•
Ogorzatek and Dedieu, Some Tools for Attacking Secure
Communication Systems Employing Chaotic Carriers, IEEE, 1998.
Theoretically Broken Chaotic Communication (cont’d)
• Chaotic masking
– Low amplitude modulating signal, high amplitude chaotic carrier
• Chaotic switching
– Two waveforms representing binary values zero and one
– Has a differential version
• Chaotic modulation
– Chaotic carrier influenced by a non invertible function, according to
the information
Quantum Cryptography
•
Wiesner, “Quantum Money”, 1960 (unpublished)
– Polarity of photons (angle of vibration) can be verified, but not measured
•
Bennett, Brassard, and Ekert, Quantum Cryptography, Scientific American,
October 1992.
•
Hughes et al., Quantum cryptography for secure satellite communications,
Aerospace Conference Proceedings, 2000.
– 0.5 km free-space link
•
Kurtsiefer et al., Long Distance Free Space Quantum Cryptography, SPIE,
2002.
– 23.4 km free-space link (try to achieve 1000 km)
•
First Quantum Cryptography Network Unveiled, NewScientist.com news
service, June 2004.
– Quantum Net: six servers, 10 km links, software-controlled optical switches
Legitimate Devices
PROBLEM
AUTHENTICATION OF USERS IS INSUFFICIENT DUE TO
MALLEABILITY OF USER IDENTITY
Need for Device Authentication
• Outline
– Problem: User Authentication is incapable of detecting identity
theft
• Malleability of user identity
– Result
• Unauthorized access to network resources
– Within cellular domain (cloning fraud) and wireless network domain (Media
Access Control – MAC address spoofing)
Wireless Network (e.g. 802.11)
• MAC address spoofing (over the air)
Wired Network
List of Authorized MAC
Addresses (Access Control)
1
MAC Address*
3
MAC Address
2
Legitimate
User
* MAC address is sent in the clear even with WEP [Arbaugh et al., 2002]
Intruder
Sniff MAC Address
and use it
Cellular Network - Identification of 1G Cell Phone
• Every cellular phone is assigned,
– by the service provider, a phone number (Mobile
station Identification Number (MIN)):
• 10 digits: area code (3), switching station (3), and
individual number (4)
– by the manufacturer, an Electronic Serial Number
(ESN)
32 bits
Manufacture's Code
(8 bits)
Reserved
(6 bits)
Serial Number
(18 bits)
Identification of 2G or 3G Cell Phones [Koien, 2004]
International Mobile Station Identity (IMSI)
National Mobile Station Identity
Mobile Country
Code
(3 digits)
Mobile
Network
Code
(2 digits)
Mobile Station Identification Number (telephone number)
(10 digits)
According to: ITU-T Recommendation E.212
International Mobile Station Equipment Identity (IMEI)
- Check against the Equipment Identity Register
Cellular Network
• Cloning fraud
Generation/Information
Over the Air
Direct Extraction
1G (Analog) – ESN and MIN
Using readily available tools 1
Transfer MIN from ROM and
ESN - back of phone
2G (GSM) – IMSI, Ki
Using differential cryptanalysis
and rogue base station 2
Extract secret key Ki from
SIM 2,3
3G (GSM) - IMSI, Ki
Possible but no specific attack
has been documented.
Possible but no specific attack
has been documented.
•
1 [J.
Hynninen, 2000]
•
2 [I.
Goldberg and M. Briceno, 2002]
– With a smartcard reader, derive the secret key by challenging the SIM-card
(approx. 150,000 queries; eight to 11 hours)
•
3 [R.Lemos,
2002]
– Ask seven questions and analyze electromagnetic field changes and power
fluctuations for each response
User Authentication in GSM
Serving
Network
Home Location
Register
(HLR)/AuC
Mobile Switching
Centre (MSC)/
VLR
Mobile
Phone
SIM
IMSI
IMSI
Authentication
triplet is sent
(RAND, SRES, Kc)
RAND
Using Ki and RAND,
function A3 yields SRES
function A8 yields Kc
SRES'
SRES'=SRES?
RAND Random Number
SRES Signed Response
SIM Subscriber Identity Module
(IMSI, AuthKey Ki, CipherKey Kc,
Algorithms, PIN)
TMSI Kc
References
• Wireless Network
– Arbaugh et al. Your 802.11 Wireless Network has no clothes, IEEE
Wireless Communications. Dec. 2002.
– Mishra and Arbough. An Initial Security Analysis of the IEEE 802.1X
Standard. 2002.
• Cellular Network
– G. Koien et al. An Introduction to Access Security in UMTS, IEEE
Wireless Communications. Feb. 2004.
– I. Goldberg and M. Briceno. GSM Cloning. 2002 [Web].
– J. Hynninen. Experiences in Mobile Phone fraud. Helsinki University of
Technology [Web].
– R.Lemos. IBM: Cell phones easy targets for hackers. CNET News. 2002.
• Others
– J. Schiller. Mobile Communications. Addison-Wesley. 2000.
Radio Frequency Fingerprinting
Mechanism for addressing the malleability of user identity
Radio Frequency Fingerprinting (RFF)
• Background
– Technique used by research teams including [H. Choe et al., 1995, Ureten
1999] for the purpose of identifying RF transceivers
– Premise: a transceiver can be uniquely identified based on the
characteristics of the transient section of the signal it generates
– Primary benefit: Non-malleability of device identity
• based on hardware characteristics of the transceiver
• Key Objective:
– Create a profile of the user’s device (transceiver) using RFF
– Make use of both user and device profiles for authentication
purposes
• Wireless Network – device profile and MAC address
• Cellular Network – device profile and IMSI
RFF
• Key Phases
– Create profile for each transceiver
•
•
•
•
Phase 1:
Phase 2:
Phase 3:
Phase 4:
Collection of Signals
Extraction of Transient
Extraction of Features (transceiverprint - TP)
Definition of Transceiver Profile
– Classify/Compare an observed TP with transceiver profiles
• Phase 1-3: Repeated for each observed TP
• Phase 5: Identification of transceiver
– Improve Classification Success Rate (CSR) – Proposed Extension
to RFF process
• Phase 6: Enhancement of CSR (work in progress)
RFF: Phase 1 - Collect Signals
GSM Protocol Stack
802.11 Protocol Stack
CM
TCP
MM
IP
RR
LLC
LAPDm – TDMA Frame
Layer 1 Radio - Burst
[Schiller, 2000]
MAC - Frame
PHY – FHSS/DSSS Frame
Analog Signal transmitted
by physical layer = 1 frame
CM – Call Management
MM – Mobility Management
RR – Radio Resource Management
LAPD – Link Access Procedure for
D-Channel in ISDN system
Authentication Response =
more than 1 frame/signal
LLC – Logical Link Control
FHSS – Frequency Hopping
Spread Spectrum
DSSS – Direct Sequence Spread
Spectrum
RFF: Phase 2 – Extraction of Transient
• Extract transient section of digital signal
– Step 1: Preprocessing
• Segmenting the signal and applying first-order statistics (data reduction
exercise)
• Results in a smaller vector – data/fractal trajectory
– Step 2: Detection of the start of the transient using data trajectory
• Using the variance in the amplitude characteristics of the signal
– Threshold Detection
– Bayesian Step Change Detection
• Using the variance in the phase characteristics of the signal
– Threshold Detection using Phase Characteristics
RFF: Phase 2 – Extraction of Transient
• Threshold Detection [Shaw and Kinsner, 1997]
RFF: Phase 2 – Extraction of Transient
• Bayesian Step Change Detection [Ureten, 1999]
RFF: Phase 2 – Extraction of Transient
• Threshold Detection using Phase Characteristics [Hall, Barbeau, Kranakis
(IASTED, 2003)]
RFF: Phase 3 – Extraction of Components
• Extract components/characteristics from the transient
– Instantaneous amplitude [Proakis and Manolakis, 1996]
a(t ) i 2 (t ) q 2 (t )
– Instantaneous phase
q(t )
i (t )
(t ) tan 1
– Instantaneous frequency components [Polikar, 1999]
• using Discrete Wavelet Transform (Daubechies filter)
• Wavelet function
• Scaling function
y high [k ]
x[n] g[2k n]
ylow [k ]
x[n] h[2k n]
RFF: Phase 3 – Extraction of Components
RFF: Phase 3 – Extraction of Features
• Extract features from components (vector of 1000 samples)
– Average, Standard Deviation, Energy, Variance
• Representation of features (dependent on classification tool)
Classification Tool
Component
Feature
Pattern Recognition –
Neural Network
Instantaneous amplitude
(1000 data samples)
Variance in amplitude (100
data points) window=10
Statistical Classifier
Instantaneous amplitude
(1000 data samples)
Variance in amplitude (1
variable)
• Challenge/Goal:
– Select features (transceiverprint) that accentuate the distinguishing
characteristics of transceivers, especially those from the same manufacturer
RFF: Phase 4 – Definition of Profile
• Create profile for each transceiver
– Obtain TPs from each signal in the collected data set (Phases 2-3)
– Select a subset of TPs and store them in a profile (remaining TPs
used for testing/classification)
• Using Self-Organizing Maps [Fausett, 1994]
– Take TPs from the data set as input
– Create group(s) / cluster(s) of transceiverprints based on their distance
(Euclidean distance) from a given centroid
– Select a representative sample of TPs from the various clusters to create a
profile
• Other approaches include
– Random selection of TPs from the data set
– Use of probabilistic neural network [Hunter, 2000]
RFF: Phase 5 – Identification of transceiver
• Classification Techniques
– Pattern matching – e.g. Neural Networks (Artificial NN,
Probabilistic NN, etc.) [Fausett, 1994]
• Based on Bayes Probabilistic Model
– Genetic Algorithms [Toonstra and Kinsner, 1995]
• Achieve an optimized solution through multiple iterations
– Statistical classifiers [Brickle, 2003]
• Determine probability of a match between an observed transceiverprint
(TP) and each of the transceiver profiles
1
p( ) exp ( )T V 1 ( )
2
Modified Kalman Filter
TP to be classified
centroid – center of cluster
V covariance matrix of TPs in
profile
RFF: Phase 6 – Enhancement of CSR
• Weakness in current classification techniques
– attempt to identify transceiver using a single observation (TP)
– unable to accommodate moderate level of variation (interference and
noise) in the TPs being classified
• Address weakness using the Bayes Filter [Fox et al., 2003]
– Identify transceiver with highest probability after several rounds
(using consecutive TPs) of classification
xt = Transceiver at time t
Bel(xt) = Probability of
Transceiver x at time t
p(xt | ot) = Probability of TP belonging to transceiver x at time t
Bel(xt-1) = Probability of transceiver x at t-1
Bel(xt) = p(xt|ot)Bel(xt-1)
RFF: Phase 6 – Enhancement of CSR
Conclusions
• Use of RFF can prove beneficial in addressing malleability of
identity (MAC address spoofing, cloning fraud)
• Level of confidence can be increased by using the Bayes Filter
before rendering a final decision (legitimate user/intruder)
• The issue of scalability can be addressed
– Application of Bayes filter to the target transceiver profile only for
transceiver recognition/confirmation
– Based on the final probability, Bayes filter can then be applied to identify
other potential transceivers
• Future Research Initiatives
– Enhancing the composition of TPs – improve classification rate
– Using RFF with Bluetooth and cellular phones
– Assessing the technical feasibility of incorporating RFF into current security
systems
References
• Radio Frequency Fingerprinting
– Amplitude
• O. Ureten and N. Serinken. Detection of radio transmitter turn-on transients.
Electronic Letters, 35:1996–1997, 1999.
• D. Shaw and W. Kinsner, Multifractal Modeling of Radio Transmitter Transients
for Classification, Proc. Conference on Communications, Power and Computing,
1997, 306-312.
– Phase
• J. Hall, M. Barbeau, E. Kranakis. Detection of transient in radio frequency
fingerprinting using phase characteristics of signals. In L.Hesslink (Ed.),
Proceedings of the 3rd International IASTED Conference on Wireless and Optical
Communication, Banff, Canada, 13-18, 2003.
– Wavelet Coefficients
• H. Choe et al. Novel identification of intercepted signals from unknown radio
transmitters. SPIE, 2491:504–516, 1995.
• R.D. Hippenstiel and Y.P. Wavelet based transmitter identification. In
International Symposium on Signal Processing and its Applications, Gold Coast
Australia, August 1996.
References
• Bayes Filter
– D. Fox et al. Bayesian Filtering for location estimation. Pervasive Computing. 2433, 2003.
• Statistical Classifier
– Frank Brickle. Automatic signal classification for software defined radios. QEX,
pages 34–41, November 2003.
• Others
– A. Hunter. Feature Selection using Probabilistic Neural Networks. Neural
Computing and Applications. 124-132, 2000.
– J. Schiller. Mobile Communications. Addison-Wesley, 2000.
– J. Proakis and D. Manolakis. Digital Signal Processing. Prentice-Hall, 1996.
– J. Toonstra and W. Kinsner. Transient Analysis and Genetic Algorithms for
Classification. IEEE WESCANEX 95. 432-437, 1995
– L. Fausett. Fundamentals of Neural Networks. Prentice-Hall, 1994.
– R. Polikar. The Wavelet Tutorial. [web]
Thank You
Michel Barbeau ([email protected])
Jeyanthi Hall ([email protected])
Questions ?