Mario Čagalj
University of Split
2013/2014.
FELK 19: Security of Wireless Networks
Adversarial interference: radio jamming

Adversarial interference: jamming (1/4)
• Transmitting a signal on the same frequency/band on which the honest parties communicate
• Blocks the reception of the message at the receiver B
[Figure: A transmits message M (original signal S) to B while the jammer emits the jamming signal J]
Jamming - physical layer (2/4)
Modification (e.g., bit flipping)
  Can cause the message to change or become undecodable
  Can be (partially) addressed by Error Correction Codes
Overshadowing
  The attacker's signal is dominant, the original seems like noise, i.e., mSource + mAttacker = mAttacker
Jamming (Interference)
  The attacker's signal makes it impossible for the radio to decode (demodulate) the message, i.e., mSource + mAttacker = random / cannot be decoded (low SINR, low Eb/N0, implies high BER)
Jamming and overshadowing can be (partially) addressed by spread spectrum and similar communication techniques
Jamming - physical layer (3/4)
http://eprint.iacr.org/2013/581.pdf
Jamming parameters (4/4)
Jamming-to-signal (J/S) ratio: the ratio of the power of the two received signals within the frequency passband of the receiver.
© D. Adamy, A First Course on Electronic Warfare
[Figure: power spectral density (W/Hz) vs. frequency; the desired signal and the jamming signal both fall inside the receiver passband, and J/S is the difference between their received power levels]

Received powers (free-space model, all terms in dB/dBm):
  S = PT + GT - const. - 20log(RS) + GR
  J = PJ + GJ - const. - 20log(RJ) + GRJ
  J/S = J - S (dB)
PT, PJ: transmitter and jammer power; GT, GJ: their antenna gains; RS, RJ: their distances to the receiver; GR, GRJ: receiver antenna gain towards the transmitter and towards the jammer. The constant (the free-space spreading term) is the same in both lines and cancels in J/S.

Example:
– For effective jamming J/S = 0 to 40 dB (typically 10 dB).
– Jammer uses 100 W (50 dBm), antenna gain 10 dB, distance 30 km
– Transmitter uses 1 W (30 dBm), antenna gain 3 dB, distance 10 km
– J/S ≈ 17 dB > probably successful jamming
The importance of the jammer's location
© D. Adamy, A First Course on Electronic Warfare
[Figure: receiver antenna gain pattern; gain GR in the direction of the desired-signal transmitter, gain GRJ in the direction of the jammer]
• Antenna gain: the ratio of the radiation intensity, in a given direction, to the radiation intensity that would be obtained if the power accepted by the antenna were radiated isotropically
• If the receiving antenna is not omnidirectional, its gain to the jamming signal will be different (usually less) than its gain to the desired signal
Parameters influencing J/S

The effect of each parameter in the jamming situation on J/S

Parameter (increasing)                                  Effect on J/S
Jammer transmit power                                   Directly increases J/S, dB for dB
Jammer antenna gain                                     Directly increases J/S, dB for dB
Jammer-to-receiver distance                             Decreases J/S as the square of the distance (20 dB per decade)
Signal transmit power                                   Directly decreases J/S, dB for dB
Transmitter-to-receiver distance                        Increases J/S as the square of the distance (20 dB per decade)
Transmit antenna gain                                   Directly decreases J/S, dB for dB
Receiver antenna gain towards the desired signal        Directly decreases J/S, dB for dB
(directional receiver antenna)
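The J/S budget of the previous slides and the parameter table above, worked through in code. This is an added example, not material from the lecture or from Adamy's book. It assumes the unnamed "const." of the free-space formula is the usual spreading constant 32.44 dB (distances in km, frequency in MHz), a 2400 MHz carrier (it cancels in J/S anyway), and, for the last row of the table, a hypothetical directional receiver antenna with 12 dB of gain towards the transmitter and -8 dB towards the jammer.

```python
"""J/S link budget for the free-space model on the slides.

'const.' in S = PT + GT - const. - 20log(RS) + GR is taken to be the free-space
spreading constant; with distances in km and frequency in MHz it is
32.44 + 20log10(f_MHz). It is identical in the J and S lines, so it cancels in J/S.
"""
import math
from dataclasses import dataclass


@dataclass
class Emitter:
    p_dbm: float        # transmit power PT or PJ (dBm)
    gain_db: float      # transmit antenna gain GT or GJ (dB)
    distance_km: float  # distance to the receiver RS or RJ (km)


@dataclass
class Receiver:
    gain_to_signal_db: float  # GR: receiver antenna gain towards the transmitter
    gain_to_jammer_db: float  # GRJ: receiver antenna gain towards the jammer


def free_space_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss (dB), distance in km, frequency in MHz (assumed constant 32.44)."""
    return 32.44 + 20 * math.log10(freq_mhz) + 20 * math.log10(distance_km)


def received_power_dbm(tx: Emitter, rx_gain_db: float, freq_mhz: float) -> float:
    """P_rx = P_tx + G_tx - L_fs + G_rx, everything in dB/dBm."""
    return tx.p_dbm + tx.gain_db - free_space_loss_db(tx.distance_km, freq_mhz) + rx_gain_db


def j_to_s_db(jammer: Emitter, signal: Emitter, rx: Receiver, freq_mhz: float = 2400.0) -> float:
    """J/S (dB) at the receiver; freq_mhz only enters through the common constant and cancels."""
    j = received_power_dbm(jammer, rx.gain_to_jammer_db, freq_mhz)
    s = received_power_dbm(signal, rx.gain_to_signal_db, freq_mhz)
    return j - s


def slide_example() -> float:
    """100 W / 10 dB / 30 km jammer against a 1 W / 3 dB / 10 km transmitter, omni receiver."""
    jammer = Emitter(p_dbm=50.0, gain_db=10.0, distance_km=30.0)
    signal = Emitter(p_dbm=30.0, gain_db=3.0, distance_km=10.0)
    rx = Receiver(gain_to_signal_db=0.0, gain_to_jammer_db=0.0)
    return j_to_s_db(jammer, signal, rx)


def parameter_sensitivity() -> dict:
    """Change one parameter at a time from the slide example; return the J/S delta in dB.

    Reproduces the table: power and gain terms move J/S dB for dB, distance terms
    move it by 20log10 of the distance ratio (6.02 dB for a factor of two)."""
    base_j = Emitter(50.0, 10.0, 30.0)
    base_s = Emitter(30.0, 3.0, 10.0)
    omni = Receiver(0.0, 0.0)
    base = j_to_s_db(base_j, base_s, omni)
    # Hypothetical directional receiver antenna: 12 dB towards the signal, -8 dB towards the jammer.
    directional = Receiver(gain_to_signal_db=12.0, gain_to_jammer_db=-8.0)
    cases = {
        "jammer_power_+10dB": j_to_s_db(Emitter(60.0, 10.0, 30.0), base_s, omni),
        "jammer_distance_x2": j_to_s_db(Emitter(50.0, 10.0, 60.0), base_s, omni),
        "signal_power_+10dB": j_to_s_db(base_j, Emitter(40.0, 3.0, 10.0), omni),
        "tx_rx_distance_x2": j_to_s_db(base_j, Emitter(30.0, 3.0, 20.0), omni),
        "directional_rx_antenna": j_to_s_db(base_j, base_s, directional),
    }
    return {name: round(val - base, 2) for name, val in cases.items()}


if __name__ == "__main__":
    print(f"slide example: J/S = {slide_example():.2f} dB")
    for name, delta in parameter_sensitivity().items():
        print(f"{name:>24s}: {delta:+.2f} dB")
```

The slide's 17 dB comes out as 20 dB (power) + 7 dB (antenna gain) - 20log10(30/10) = 17.46 dB; the sensitivity dictionary is the table above in numbers, and the directional-antenna case shows why the jammer's bearing relative to the receiver's main lobe matters as much as its power.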
Implications on jamming (example): Attacks on the Skyhook localization system
http://www.skyhookwireless.com
• Skyhook utilizes public WiFi access points and cellular towers to provide accurate information about the user's location
http://www.skyhookwireless.com/howitworks/loader_howitworks.swf
• Attack goal: the device displays an incorrect location
• Attack: jam the signals from the legitimate APs and insert messages with MAC addresses corresponding to other APs
• More attacks: database poisoning, ... (www.syssec.ethz.ch)
Implications on jamming - example: Stealing bandwidth in WiFi networks
[Figure: Station 2 jams using a directional antenna; Station 1 gets all the bandwidth]
Implications on jamming - example: The case of GPS
GPS is used not only for positioning, but also for fine synchronization of communication systems: mobile networks, pagers, ATMs
Implications on jamming - example: The case of GSM, UMTS
It is possible to mount a man-in-the-middle attack on your mobile phone voice/data communication. We will see this in the lab :)
Implications on jamming - example: Jamming for good, or friendly jamming
Securing implantable devices:
"They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices"
http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf
Cool, but one should exercise caution:
"On Limitations of Friendly Jamming for Confidentiality"
http://www.syssec.ethz.ch/research/sp2013_tippenhauer.pdf
Anti-jamming communication

Basic Anti-jamming Communication
Basic principle: "If you cannot beat them – run and hide"
Spread Spectrum techniques:
  FHSS (Frequency Hopping Spread Spectrum)
  DSSS (Direct Sequence Spread Spectrum)
  FHSS/DSSS (combination)
[Figure: power vs. frequency; a narrowband signal has a high peak power, the same signal spread over a wide band has a low peak power]

Anti-jamming Communication
• We need an advantage over the attacker
• A secret key (K) shared between the sender A and the receiver B provides this advantage
• If time permits, we will show how to provide anti-jamming communication without the shared key (Uncoordinated Frequency Hopping)
Frequency Hopping Spread Spectrum (FHSS)
Synchronized sender and receiver share a key; from the key a sequence of frequencies is derived
E.g., used in Bluetooth (79 x 1 MHz channels)
© D. Adamy, A First Course on Electronic Warfare
[Figure: frequency vs. time; the carrier jumps across the hopping range, staying on each frequency for one hop period]

Frequency spectrum for FHSS
[Figure: power spectral density vs. frequency; the individual hop channels (HOP#1, HOP#3, HOP#34, HOP#56, ...) together occupy the full hopping bandwidth]
Jamming FHSS signals: follower jammer
(1) Detect the current frequency and (2) jam it
© D. Adamy, A First Course on Electronic Warfare
Bluetooth: 79 channels, 1 MHz each, 1600 hops/second
Jaguar V system: 2320 channels
Jamming FHSS signals: partial band jammer
A partial band jammer distributes its available power to achieve 0 dB J/S in each jammed channel at the jammed receiver
E.g., J/S = 0 dB is sufficient to achieve a high bit error rate (BER)
Optimizes the available jamming power to successfully jam as many channels as possible
© D. Adamy, A First Course on Electronic Warfare
[Figure: the jammer power is spread evenly over a subset of the hopping channels, sized for 0 dB J/S per channel; transmitter (XMTR) at distance RS and jammer (JMR) at distance RJ from the receiver (RCVR)]
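The two FHSS jamming strategies above, and the "secret key is the advantage" point from the anti-jamming slides, as an added simulation (not lecture material). It assumes a hypothetical hop-selection rule, HMAC-SHA256 over a hop counter keyed with the shared key K (Bluetooth's real hop-selection kernel is different), a constructed 128-bit demo key, and takes as input the J/S the jammer would achieve by putting all of its power into a single channel (17.46 dB is the figure from the link-budget slide). The partial-band jammer then holds as many channels as it can at 0 dB J/S; the follower jammer puts everything on the one channel it predicts.

```python
"""Partial-band and follower jamming against a keyed frequency hopper."""
import hashlib
import hmac
import math

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")        # constructed demo key K
WRONG_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # a jammer's wrong guess


def hop_sequence(key: bytes, n_hops: int, n_channels: int) -> list:
    """Hypothetical hop selection: channel_i = HMAC-SHA256(K, i)[:4] mod n_channels.
    Only holders of K can predict it; the modulo bias is negligible for n_channels << 2**32."""
    hops = []
    for counter in range(n_hops):
        mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        hops.append(int.from_bytes(mac[:4], "big") % n_channels)
    return hops


def channels_jammable(js_single_channel_db: float, js_required_db: float = 0.0) -> int:
    """Number of channels the jammer can hold at js_required_db when concentrating
    all its power in one channel would give js_single_channel_db (power splits linearly)."""
    margin_db = js_single_channel_db - js_required_db
    return int(math.floor(10 ** (margin_db / 10)))


def power_per_channel_dbm(total_dbm: float, n_jammed: int) -> float:
    """Jammer power per channel after splitting it evenly over n_jammed channels."""
    return total_dbm - 10 * math.log10(n_jammed)


def fraction_hops_hit(hops: list, jammed: set) -> float:
    return sum(1 for ch in hops if ch in jammed) / len(hops)


def blind_partial_band(key: bytes, n_channels: int, js_single_db: float, n_hops: int = 1600) -> float:
    """Jammer without K: covers the first k channels it can afford and hopes.
    The expected fraction of hops hit is simply k / n_channels."""
    k = channels_jammable(js_single_db)
    jammed = set(range(min(k, n_channels)))
    return fraction_hops_hit(hop_sequence(key, n_hops, n_channels), jammed)


def single_channel_follower(victim_key: bytes, jammer_key: bytes, n_channels: int, n_hops: int = 1600) -> float:
    """Jammer predicts the sequence from jammer_key and puts all power on that channel.
    With the right key every hop is hit; with a wrong key about 1 / n_channels of them."""
    victim = hop_sequence(victim_key, n_hops, n_channels)
    guess = hop_sequence(jammer_key, n_hops, n_channels)
    return sum(1 for v, g in zip(victim, guess) if v == g) / n_hops


if __name__ == "__main__":
    k = channels_jammable(17.46)
    print(f"single-channel J/S 17.46 dB -> {k} channels at 0 dB, "
          f"{power_per_channel_dbm(50.0, k):.1f} dBm each")
    print(f"Bluetooth (79 ch):  {blind_partial_band(KEY, 79, 17.46):.3f} of hops jammed")
    print(f"Jaguar V (2320 ch): {blind_partial_band(KEY, 2320, 17.46):.3f} of hops jammed")
    print(f"follower, key known: {single_channel_follower(KEY, KEY, 79):.3f}")
    print(f"follower, wrong key: {single_channel_follower(KEY, WRONG_KEY, 79):.3f}")
```

The same 100 W jammer that holds about 55 channels at 0 dB J/S hits roughly 70% of the hops of a 79-channel Bluetooth-style hopper (one second of hopping at 1600 hops/s) but only about 2% of the hops of a 2320-channel Jaguar V-style hopper, which is the point of a wide hopping range. A follower jammer that has the key (or can detect and retune faster than one hop period) hits every hop with one channel's worth of power; without the key it is reduced to guessing.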
Finding FHSS transmitters
Detection of signal direction: when the collected data shows multiple frequencies at one angle of arrival, a frequency hopper is identified.
© D. Adamy, A First Course on Electronic Warfare
Direct Sequence Spread Spectrum (DSSS)
Secret spreading code – DSSS hides the signal
  Signal detection is now more difficult: the signal is "hidden" in the noise
  Signal interception/modification is difficult
Jamming
  Narrowband jamming now requires much higher power
  Broadband jamming is still effective
Motivation: Shannon channel capacity (C)
  C = B × log2(1 + S/N), or C/B ≈ 1.443 × S/N (for small S/N << 1)
  B is the available channel bandwidth
  For S/N << 1 it is still possible to communicate in an error-free manner, given sufficiently large B!

Direct Sequence Spread Spectrum (DSSS)
[Figure: the transmitter's spreading modulator and the receiver's spreading demodulator are driven by the same spreading code; the DSSS signal travels over the RF link between them]
Example: DSSS with BPSK modulation
Original BPSK modulated signal: s(t) = b(t)·cos(ω0 t), with b(t) ∈ {-1, +1} being the input data
DS spread spectrum signal: ss(t) = a(t)·s(t) = a(t)·b(t)·cos(ω0 t), with a(t) ∈ {-1, +1} being the spreading code
The bit rate of b(t) is denoted Rb, and the chip rate of a(t) is denoted Ra
Rb << Ra (the spreading effect)
[Figure: time-domain waveforms of the data b(t), the spreading code a(t) and the product a(t)·b(t) for the data bits 0 and 1]

Example: Spreading effect
The resulting signal is similar to g(t)
The bandwidth of s(t) is 2Rb and that of ss(t) is 2Ra
The spectrum is spread by the ratio Ra/Rb
The power of s(t) and ss(t) is the same, so the power spectral density is reduced by Ra/Rb
[Figure: power spectral density vs. frequency; the spectrum of the original signal s(t) has width 2Rb, the spectrum of the spread signal ss(t) has width 2Ra]
Example: DSSS with BPSK demodulation
The incoming signal at the receiver, r(t) = AS·ss(t), is first multiplied by a(t), then by cos(ω0 t), integrated for the duration of the bit and finally low-pass filtered.
The spreading code a(t) has an impulse-like autocorrelation function: a(t)·a(t) = 1, and the time average of a(t)·a(t − τ) ≈ 0 for τ ≠ 0
After multiplying the incoming signal with a(t), we despread:
  a(t)·r(t) = AS·a(t)·ss(t) = AS·a(t)·a(t)·b(t)·cos(ω0 t) = AS·b(t)·cos(ω0 t)
After multiplying with cos(ω0 t):
  AS·b(t)·cos(ω0 t)·cos(ω0 t) = (AS/2)·b(t) + (AS/2)·b(t)·cos(2ω0 t)
  low-pass filtered: (AS/2)·b(t)
[Figure: power spectral density vs. frequency before spreading (narrow "DATA BEFORE SPREAD" peak well above the noise floor) and after spreading ("DATA SPREAD", wide and close to the noise floor); block diagram of the spreading modulator and demodulator sharing the spreading code]
Why spreading?
[Figure: the spectrum of the unspread signal (width 2Rb) compared with the spread signal (width 2Ra)]

Why spreading? Immunity to interfering (narrowband) signals
Suppose a jamming signal is present at ω0. The input to the receiver is
  r(t) = AS·ss(t) + AJ·cos(ω0 t)
  (the first term is the wanted signal, the second the jamming signal)
[Figure: power spectral density at the receiver input; the spread data lies close to the noise floor while the narrowband interferer stands out as a spike; block diagram of the spreading modulator and demodulator]

Why spreading? Immunity to interfering (narrowband) signals
After multiplying the incoming signal with the spreading code a(t) we have
  a(t)·r(t) = AS·b(t)·cos(ω0 t) + AJ·a(t)·cos(ω0 t)
  the wanted signal gets despread, the jamming signal gets spread!
[Figure: power spectral density after despreading and low-pass filtering; the data is back in a narrow band while the interferer is spread over the whole bandwidth]

Why spreading?
By low-pass filtering the resulting signal, the effective power of the interference is reduced by the factor Ra/Rb: the processing gain
[Figure: power spectral density after despreading and low-pass filtering, with the despread data (width 2Rb) above the noise floor and the spread interferer (width 2Ra)]
Processing gain (PG)
• The ratio (in dB) between the spread bandwidth and the original (unspread) bandwidth
• E.g., if a 1 kHz signal is spread to 100 kHz, the processing gain is 100,000/1,000 = 100, or 10log10(100) = 20 dB
• The PG is the gain in the signal-to-jammer (interference) ratio at the receiver obtained by the despreading operation (removal of the pseudo noise)
• PG increases the jamming margin: MJ = PG – (SNRrequired + Losssystem)
  The jamming margin is the level of interference that a system is able to accept and still maintain a specified level of performance (e.g., BER)
Example: A spread spectrum system with a 30 dB processing gain, a minimum required output signal-to-noise ratio of 10 dB and a system implementation loss of 3 dB would have a jamming margin of 30 - (10+3) dB = 17 dB. The spread spectrum system in this example could not be expected to work in an environment with interference more than 17 dB above the desired signal (a 50 times stronger signal).

DSSS narrowband jamming immunity
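The DSSS chain of the preceding slides (spreading, despreading by a(t), integration over the bit as the low-pass filter, a narrowband jammer at ω0 getting spread, processing gain and jamming margin) as an added baseband simulation; it is not lecture code and the slides contain none. Assumptions: the spreading code is a 127-chip m-sequence from a 7-stage LFSR (feedback x^7 + x^6 + 1), run continuously at 31 chips per bit so that each bit sees a different code segment; the jamming tone sits exactly at ω0 with zero phase, so after downconversion it is the constant AJ; a small amount of AWGN is added; the data bits are constructed at random with a fixed seed.

```python
"""DSSS/BPSK baseband: despreading spreads a narrowband jammer and integration removes most of it."""
import math
import random


def m_sequence(n_stages: int = 7, taps=(7, 6)) -> list:
    """Maximal-length LFSR sequence (x^7 + x^6 + 1 by default) as +1/-1 chips, period 2**n - 1."""
    state = [1] * n_stages
    chips = []
    for _ in range(2 ** n_stages - 1):
        chips.append(1 if state[-1] else -1)   # output the last stage
        feedback = 0
        for t in taps:
            feedback ^= state[t - 1]
        state = [feedback] + state[:-1]        # shift right, feed back into stage 1
    return chips


def periodic_autocorrelation(code: list, shift: int) -> int:
    """sum_k a[k]*a[k+shift] over one period: N at shift 0, -1 at every other shift (impulse-like)."""
    n = len(code)
    return sum(code[k] * code[(k + shift) % n] for k in range(n))


def spread(bits: list, code: list, chips_per_bit: int) -> list:
    """ss[k] = a[k] * b[k // chips_per_bit]; the code a(t) runs continuously across bits."""
    return [code[k % len(code)] * bits[k // chips_per_bit] for k in range(len(bits) * chips_per_bit)]


def channel(ss: list, a_s: float, a_j: float, noise_sigma: float, rng: random.Random) -> list:
    """r[k] = AS*ss[k] + AJ + n[k]; a jamming tone at exactly w0 is the constant AJ in baseband."""
    return [a_s * c + a_j + rng.gauss(0.0, noise_sigma) for c in ss]


def despread_and_decide(r: list, code: list, chips_per_bit: int) -> list:
    """Multiply by a(t), integrate over each bit (the low-pass filter), take the sign."""
    bits = []
    for i in range(0, len(r), chips_per_bit):
        acc = sum(r[i + k] * code[(i + k) % len(code)] for k in range(chips_per_bit))
        bits.append(1 if acc >= 0 else -1)
    return bits


def residual_jammer_power(code: list, chips_per_bit: int, n_bits: int) -> float:
    """Mean over bits of (sum of a(t) over the bit)^2: what a unit-amplitude DC jammer
    leaves in the correlator after despreading. Unspread it would leave chips_per_bit**2."""
    total = 0
    for i in range(n_bits):
        s = sum(code[(i * chips_per_bit + k) % len(code)] for k in range(chips_per_bit))
        total += s * s
    return total / n_bits


def processing_gain_db(chips_per_bit: int) -> float:
    return 10 * math.log10(chips_per_bit)              # PG = Ra/Rb in dB


def jamming_margin_db(pg_db: float, snr_required_db: float, system_loss_db: float) -> float:
    return pg_db - (snr_required_db + system_loss_db)  # MJ = PG - (SNRrequired + Losssystem)


def bit_error_rate(sent: list, received: list) -> float:
    return sum(1 for b, r in zip(sent, received) if b != r) / len(sent)


def run_demo(js_db: float = 10.0, chips_per_bit: int = 31, n_bits: int = 400, seed: int = 7) -> dict:
    """Same data and the same jammer, once as plain BPSK (1 chip/bit) and once DSSS-spread."""
    rng = random.Random(seed)
    bits = [rng.choice((-1, 1)) for _ in range(n_bits)]  # constructed random data
    a_s = 1.0
    a_j = 10 ** (js_db / 20)   # J/S in dB is a power ratio, so the amplitude ratio is 10^(dB/20)
    noise_sigma = 0.3
    narrow_rx = despread_and_decide(channel(spread(bits, [1], 1), a_s, a_j, noise_sigma, rng), [1], 1)
    code = m_sequence()
    spread_rx = despread_and_decide(
        channel(spread(bits, code, chips_per_bit), a_s, a_j, noise_sigma, rng), code, chips_per_bit)
    suppression_db = 10 * math.log10(chips_per_bit ** 2 / residual_jammer_power(code, chips_per_bit, n_bits))
    return {
        "pg_db": processing_gain_db(chips_per_bit),
        "suppression_db": suppression_db,   # close to pg_db; the code's -1 sidelobes shift it slightly
        "ber_narrowband": bit_error_rate(bits, narrow_rx),
        "ber_spread": bit_error_rate(bits, spread_rx),
    }
```

With a 10 dB J/S tone the unspread BPSK receiver decides every bit in the jammer's favour (about half the bits wrong), while the 31-chip spread receiver, with roughly 15 dB of processing gain, recovers nearly all of them: the jammer is left with about 10 - 15 = -5 dB relative to the signal after the correlator. Raising js_db towards the processing gain, or lowering chips_per_bit, shows the spread system failing once the jamming margin is used up, which is the behaviour the MJ formula predicts.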
Recapitulation: DSSS signal spreading (1/3)
[Figure: power spectral density before spreading (narrow "DATA BEFORE SPREAD" peak above the noise floor) and after spreading ("DATA SPREAD", wide and close to the noise floor); block diagram of the spreading modulator and demodulator sharing the spreading code]

Recapitulation: DSSS signal and narrowband interferer (2/3)
[Figure: power spectral density at the receiver input; the spread data lies close to the noise floor with the narrowband interferer as a spike above it; block diagram of the spreading modulator and demodulator]

Recapitulation: antijamming advantage (3/3)
[Figure: after despreading the data is narrow again while the interferer is spread; after low-pass filtering only the part of the spread interferer that falls into the data band remains]
CDMA: Code Division Multiple Access
Multiplexing users by distinct (orthogonal) PN codes
  Transmitters use low-correlation PN codes
  They use the same RF bandwidth
  They transmit simultaneously
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf

CDMA: Code Division Multiple Access
Correlation of the received baseband spread spectrum signal with the PN code of user 1 only despreads the signal of user 1
  PN codes have an impulse-like autocorrelation
  Low cross-correlation between the codes of different users
http://sss-mag.com/pdf/Ss_jme_denayer_intro_print.pdf
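The CDMA separation described above as an added example (not lecture code). It deliberately uses Walsh-Hadamard codes, which are exactly orthogonal when the users are chip-aligned, instead of PN sequences, so that correlating the summed signal with user 1's code yields user 1's bits with zero contribution from the others; the second function shows the caveat a practitioner should know, namely that a one-chip misalignment between users destroys the orthogonality and the other user leaks into the correlator as interference. The user data and the code assignment are constructed for the demo.

```python
"""Synchronous CDMA with Walsh-Hadamard spreading codes, plus the effect of losing chip alignment."""


def hadamard(order: int) -> list:
    """Sylvester construction: the rows of H_(2^k) as +1/-1 lists; distinct rows are orthogonal."""
    h = [[1]]
    while len(h) < order:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread_user(bits: list, code: list) -> list:
    return [b * c for b in bits for c in code]


def correlate(rx: list, code: list) -> list:
    """Per-bit correlation with `code`: sum over each window of len(code) chips."""
    n = len(code)
    return [sum(rx[i + k] * code[k] for k in range(n)) for i in range(0, len(rx) - n + 1, n)]


def decisions(corr: list) -> list:
    return [1 if c >= 0 else -1 for c in corr]


def multiplex(user_bits: dict, codes: dict, offsets: dict = None) -> list:
    """Sum all users' spread chip streams; offsets (in chips) model imperfect synchronization."""
    offsets = offsets or {}
    streams = {u: [0] * offsets.get(u, 0) + spread_user(bits, codes[u]) for u, bits in user_bits.items()}
    length = max(len(s) for s in streams.values())
    return [sum(s[k] if k < len(s) else 0 for s in streams.values()) for k in range(length)]


def synchronous_demo() -> dict:
    """Three users share the band and the time; each correlator recovers only its own user."""
    codes = dict(zip(("user1", "user2", "user3"), hadamard(8)[1:4]))  # skip the all-ones row 0
    bits = {"user1": [1, -1, -1, 1], "user2": [-1, -1, 1, 1], "user3": [1, 1, -1, -1]}  # constructed
    rx = multiplex(bits, codes)
    recovered = {u: decisions(correlate(rx, codes[u])) for u in codes}
    unused = correlate(rx, hadamard(8)[5])  # a code nobody transmitted correlates to exactly zero
    return {"sent": bits, "recovered": recovered, "unused_code_corr": unused}


def misaligned_demo(offset_chips: int = 1) -> list:
    """user2 arrives offset_chips late. Returns, per bit, the interference user2 leaks into
    user1's correlator (the difference from the user1-only case); all zeros when aligned."""
    codes = dict(zip(("user1", "user2"), hadamard(8)[1:3]))
    bits = {"user1": [1, 1, 1, 1], "user2": [1, -1, 1, -1]}  # constructed
    clean = correlate(multiplex({"user1": bits["user1"]}, codes), codes["user1"])
    both = correlate(multiplex(bits, codes, offsets={"user2": offset_chips}), codes["user1"])
    return [b - c for b, c in zip(both, clean)]


if __name__ == "__main__":
    d = synchronous_demo()
    print("recovered == sent:", d["recovered"] == d["sent"], "| unused code:", d["unused_code_corr"])
    print("leak into user1, aligned:", misaligned_demo(0), "| 1 chip late:", misaligned_demo(1))
```

Orthogonal codes are what makes the downlink of a synchronous CDMA system clean; in the asynchronous case (uplink, or different propagation delays) systems fall back on PN codes with low but non-zero cross-correlation, which is exactly the "low cross-correlation" property the slide asks for, and the leaked terms from misaligned_demo are the multiple-access interference that property is meant to keep small.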
Jamming impact on current systems
IEEE 802.11a/b/g (DSSS, known codes) > to be covered in the lectures
GPS (DSSS, known codes, low power)
GSM/UMTS (TDMA/CDMA, known code sets)
AM/FM radios
...