Wireless Communications Security Issues, Solutions and Challenges
description
Transcript of Wireless Communications Security Issues, Solutions and Challenges
Wireless Communications Security Issues, Solutions and Challenges
Michel Barbeau and Jeyanthi Hall
2
Outline
• Availability
• Privacy
• Integrity
• Legitimate Participants
• Absence of misbehavior
Security Requirements
• Availability– no jamming, adaptability to unforeseen topologies
• Privacy– nondisclosure of cell phone communications and 802.11 frames
• Integrity– data is not intercepted and tampered
• Legitimate participants– no cell phone cloning and 802.11 frame spoofing
• Absence of misbehavior– fairness, greedy user detection
Availability
• Jamming
• Inability to deal with unforeseen topologies
Jamming
• Shannon’s model:
N
SWC 1log
How to Deal With Jamming?
• Increase the bandwidth– Frequency Hopping/Direct Sequence Spread Spectrum
• 801.11(b) : 2.4 - 2.4835 Giga Hertz
• 801.11(a): 5.15- 5.35 Giga Hertz; 5.725- 5.825 Giga Hertz
– Ultra Wide Band• Bandwidth greater than 25% if center frequency
• Increase the power– GPS III, planned for 2010 [Ashley, Next-Generation GPS, Scientific
American, September 2003.]
Inability to Deal With Unforeseen Topologies
Images by: J.&G. Naudet (9/11/2001)
Privacy
• Cellular phone eavesdropping
• Overview of privacy techniques in 2G and 3G of cellular mobile radiophones– Refs.:
• V. Niemi and K. Nyberg, UMTS Security, Wiley, 2003.• M.Y. Rhee, CDMA Cellular Mobile Communications and Network Security,
Prentice Hall PTR,1998.
– GSM, UMTS
• Challenges
• Future– Reconfigurable security– Chaotic communication– Quantum cryptography
Cellular Phone Eavesdropping
• Inexpensive equipment for intercepting analog communications is easy to obtain in Canada.
• In US, the regulations authorize the sale of scanners to the general public only is cellular frequencies are blocked. However, there are several workarounds– Web sites publish modifications to restore reception of cellular frequencies
by scanners.– Frequency converters can translate cellular frequencies to the frequency
range supported by a receiver.– With receivers using non quadrature mixing, the image frequency
technique can be used.
• Digital communications can also be intercepted with the appropriate equipment!
Generations of Cellular Mobile Radiophones*
• 1G– Advanced Mobile Phone System (AMPS): 1980s, Frequency Modulation
(FM), Frequency Division Multiple Access (FDMA), handover between cells, limited roaming between networks
• 2G– Global System for Mobile communications (GSM): 1990s, digital-coding of
voice, Time Division Multiple Access (TDMA), Subscriber Identity Module (SIM), data communications
• 3G– 3G Partnership Project (3GPP), Universal Mobile Telecommunications
System (UMTS): 1998-, Wideband Code Division Multiple Access (WCDMA), use of GSM network model, global roaming; 2 Mbps data
• 4G– All-IP-based, 100 Mbps data
* List of cited technologies is not exhaustive.
Security Associations in GSM
S ub s c rib erId entity M o d ule
(S IM )
A uthentic atio nC entre (A uC )
P erm anentS ec ret K ey
(K i)
M o b ileP ho ne
is p art o f
S es s io nEnc ryp tio n K ey
(K c )Internatio nal M o b ileS ub s c rib er Id entity
(IM S I)
is p art o f
V is ito r Lo c atio nR egis ter (V LR )/B as eT rans c eiver S tatio n
(B T S )
T em p o raryM o b ile S ub s c rib er
Id entity (T M S I)
Authentication in GSM
RAND Random NumberSRES Signed Response
M o b ileP ho ne
S ervingN etw o rk
M o b ile S w itc hingC entre (M S C )/
V LR
H o m e Lo c atio nR egis ter
(H LR )/A uCIM S I
IM S I
(R A N D , S R ES , K c )A uthentic atio ntrip let is s ent R A N D
S R ES '
S R ES '= S R ES ?
U s ing K i and R A N D ,func tio n A 3 yield s S R ESfunc tio n A 8 yield s K c
T M S I K c
Encryption/Decryption in GSM
K c (64 b its )
F ram e num b er(22 b its )
A 5p s eud o rand o m
key s tream(114 b its )
p lain text m es s age o renc ryp ted m es s age
(114 b its )
X O R
enc ryp ted /d ec ryp ted m es s age(114 b its )
Stream Cipher Weakness
2121 )()( MMMEncryptedMEncrypted
Security Holes in GSM [Niemi & Nyberg ‘03]
• Active attack– Attacker masquerades as a legitimate base station/cell phone
• Encryption keys– Plain text session key inter-network forwarding
– Brute force attack
• Some encryption algorithms are kept secret– Were not subjected to a comprehensive analysis/peer review
Security Associations in UMTS
U nivers alS I M o d ule
(U S IM )A uC
M as ter S ec retK ey (K )128 b its
U s erEq uip m ent
(U E)
is p art o f
C yp her K ey(C K )
128 b its
IM S I
is p art o f
V LR
T M S I
Integrity K ey(IK )
128 b its
Mutual Authentication and Key Agreement in UMTS
AUTN Authentication TokenRES User ResponseXRES Expected Response
U EV LRA uC
IM S I
authentic atio nd ata res p o ns e
(R A N D , A U T N , X R ES ,C K , IK )
R A N D , A U T N
R ES
R ES = X R ES ?
T M S I C K
authentic atio n d ata req ues t(IM S I)
U S IM
R A N D , A U T NA U T N is new andfro m A uC ?
R ES Y es !
A C K
Encryption/Decryption in UMTS
COUNT-C: Frame number plus Hyper frame number, incremented when the frame number wraps aroundDirection: up/down-link
C K(128 b its )C o unt-C
(32 b its )
K A S U M I key s tream b lo c k("Length" b its )
p lain text m es s age o renc ryp ted m es s age
("Length" b its )
X O Renc ryp ted /
d ec ryp ted m es s age("Length" b its )
Length
B earer id(5 b its )
D irec tio n(1 b it)
Integrity in UMTS
COUNT-I: similar to COUNT-C, replay protectionFRESH: start value of COUNT-I
M es s ageM es s age
A uthentic atio nC o d e (32 b its )
O ne-w ayfunc tio n
(K A S U M I)
IK(128 b its )
D irec tio n(1 b it)F R ES H
(32 b its )
C o unt-I(32 b its )
Challenge: Co-existence of analog technology and digital technology
• The digital technology has higher potential for being secure than analog technology. For example, the Cellular Digital Packet Data (CDPD) uses data encryption and provides privacy.
• Most of the cellular phones use hybrid technology, both analog and digital. The reason for that is that digital communications require a relatively stronger signal, for intelligibility, than analog communications, all other things being equal (such as bandwidth of a voice channel). A cell phone will hence operate in digital mode over relatively short distances.
• In order to enable long range communications, cell phones fall back to the analog mode when the signal gets too weak for digital communications. As a result, digital systems inherit all the security vulnerabilities of analog systems.
• Co-existence of legacy analog technology and digital technology is a challenge for system security design.
Challenge: Introduction of new defense method in existing systems• Attack methods evolve
• Defense methods evolve
• New defense methods are difficult to introduce in existing
systems
Reconfigurable security
Reference
• Al-Muhtadi at al., A lightweight reconfigurable security
mechanism for 3G/4G mobile devices, IEEE Wireless
Communications, April 2002.
Definition
• Security mechanisms are reconfigured dynamically according
to capabilities, processing power, and needs
• Loading/configuration/unloading of software components that
implement security services
Chaotic Communication (1)
Chaotic Communication (2)
Background
• Abel and Schwarz, Chaos Communications—Principles, Schemes, and
System Analysis, Proceedings of the IEEE, 2002.
• Itoh, Spread Spectrum Communication via Chaos, World Scientific
Publishing Company, International Journal of Bifurcation and Chaos,
1999.
Theoretical Attacks
• Guojie, Zhengjin, and Ruiling, Chosen Ciphertext Attack on Chaos
Communication Based on Chaotic Synchronization, IEEE
Transactions on Circuits and Systems, 2003.
• Ogorzatek and Dedieu, Some Tools for Attacking Secure
Communication Systems Employing Chaotic Carriers, IEEE, 1998.
Theoretically Broken Chaotic Communication (cont’d)
• Chaotic masking– Low amplitude modulating signal, high amplitude chaotic carrier
• Chaotic switching– Two waveforms representing binary values zero and one
– Has a differential version
• Chaotic modulation– Chaotic carrier influenced by a non invertible function, according to
the information
Quantum Cryptography
• Wiesner, “Quantum Money”, 1960 (unpublished)– Polarity of photons (angle of vibration) can be verified, but not measured
• Bennett, Brassard, and Ekert, Quantum Cryptography, Scientific American,
October 1992.
• Hughes et al., Quantum cryptography for secure satellite communications,
Aerospace Conference Proceedings, 2000.– 0.5 km free-space link
• Kurtsiefer et al., Long Distance Free Space Quantum Cryptography, SPIE,
2002.– 23.4 km free-space link (try to achieve 1000 km)
• First Quantum Cryptography Network Unveiled, NewScientist.com news
service, June 2004.– Quantum Net: six servers, 10 km links, software-controlled optical switches
Legitimate Devices
PROBLEM
AUTHENTICATION OF USERS IS INSUFFICIENT DUE TO
MALLEABILITY OF USER IDENTITY
Need for Device Authentication
• Outline– Problem: User Authentication is incapable of detecting identity
theft • Malleability of user identity
– Result• Unauthorized access to network resources
– Within cellular domain (cloning fraud) and wireless network domain (Media Access Control – MAC address spoofing)
Wireless Network (e.g. 802.11)
• MAC address spoofing (over the air)
MAC Address*
List of Authorized MAC Addresses (Access Control)
Wired Network
MAC Address
1
2
3
* MAC address is sent in the clear even with WEP [Arbaugh et al., 2002]
IntruderSniff MAC Address
and use it
LegitimateUser
Cellular Network - Identification of 1G Cell Phone
• Every cellular phone is assigned, – by the service provider, a phone number (Mobile
station Identification Number (MIN)):• 10 digits: area code (3), switching station (3), and
individual number (4)
– by the manufacturer, an Electronic Serial Number (ESN)
M anufac ture 's C o d e(8 b its )
R es erved(6 b its )
S erial N um b er(18 b its )
32 b its
Identification of 2G or 3G Cell Phones [Koien, 2004]
According to: ITU-T Recommendation E.212
M o b ile C o u n tr yC o d e
( 3 d ig its )
M o b ileN etw o r k
C o d e( 2 d ig its )
M o b ile S ta tio n I d en tif ic a tio n N u m b er ( te lep h o n e n u m b er )( 1 0 d ig its )
N atio n a l M o b ile S ta tio n I d en tity
I n te r n a tio n a l M o b ile S ta tio n I d en tity ( I M S I )
International Mobile Station Equipment Identity (IMEI)- Check against the Equipment Identity Register
Cellular Network
• Cloning fraudGeneration/Information Over the Air Direct Extraction
1G (Analog) – ESN and MIN Using readily available tools 1 Transfer MIN from ROM and
ESN - back of phone
2G (GSM) – IMSI, Ki Using differential cryptanalysis
and rogue base station 2
Extract secret key Ki from
SIM 2,3
3G (GSM) - IMSI, Ki Possible but no specific attack
has been documented.
Possible but no specific attack
has been documented.• 1 [J. Hynninen, 2000]
• 2 [I. Goldberg and M. Briceno, 2002]
– With a smartcard reader, derive the secret key by challenging the SIM-card (approx. 150,000 queries; eight to 11 hours)
• 3 [R.Lemos, 2002]
– Ask seven questions and analyze electromagnetic field changes and power fluctuations for each response
User Authentication in GSM
RAND Random NumberSRES Signed ResponseSIM Subscriber Identity Module(IMSI, AuthKey Ki, CipherKey Kc, Algorithms, PIN)
M o b ileP ho ne
S ervingN etw o rk
M o b ile S w itc hingC entre (M S C )/
V LR
H o m e Lo c atio nR egis ter
(H LR )/A uCIM S I
IM S I
(R A N D , S R ES , K c )A uthentic atio ntrip let is s ent R A N D
S R ES '
S R ES '= S R ES ?
U s ing K i and R A N D ,func tio n A 3 yield s S R ESfunc tio n A 8 yield s K c
T M S I K c
SIM
References
• Wireless Network– Arbaugh et al. Your 802.11 Wireless Network has no clothes, IEEE
Wireless Communications. Dec. 2002.– Mishra and Arbough. An Initial Security Analysis of the IEEE 802.1X
Standard. 2002.
• Cellular Network– G. Koien et al. An Introduction to Access Security in UMTS, IEEE
Wireless Communications. Feb. 2004.– I. Goldberg and M. Briceno. GSM Cloning. 2002 [Web].– J. Hynninen. Experiences in Mobile Phone fraud. Helsinki University of
Technology [Web].– R.Lemos. IBM: Cell phones easy targets for hackers. CNET News. 2002.
• Others– J. Schiller. Mobile Communications. Addison-Wesley. 2000.
Radio Frequency Fingerprinting
Mechanism for addressing the malleability of user identity
Radio Frequency Fingerprinting (RFF)
• Background– Technique used by research teams including [H. Choe et al., 1995, Ureten
1999] for the purpose of identifying RF transceivers– Premise: a transceiver can be uniquely identified based on the
characteristics of the transient section of the signal it generates– Primary benefit: Non-malleability of device identity
• based on hardware characteristics of the transceiver
• Key Objective:– Create a profile of the user’s device (transceiver) using RFF– Make use of both user and device profiles for authentication
purposes• Wireless Network – device profile and MAC address• Cellular Network – device profile and IMSI
RFF
• Key Phases– Create profile for each transceiver
• Phase 1: Collection of Signals
• Phase 2: Extraction of Transient
• Phase 3: Extraction of Features (transceiverprint - TP)
• Phase 4: Definition of Transceiver Profile
– Classify/Compare an observed TP with transceiver profiles• Phase 1-3: Repeated for each observed TP
• Phase 5: Identification of transceiver
– Improve Classification Success Rate (CSR) – Proposed Extension to RFF process• Phase 6: Enhancement of CSR (work in progress)
RFF: Phase 1 - Collect Signals
CM
MM
RR
LAPDm – TDMA Frame
Radio - Burst
CM – Call ManagementMM – Mobility ManagementRR – Radio Resource ManagementLAPD – Link Access Procedure for D-Channel in ISDN system
Layer 1
MAC - Frame
PHY – FHSS/DSSS Frame
GSM Protocol Stack 802.11 Protocol Stack [Schiller, 2000]
Analog Signal transmitted by physical layer = 1 frame
Authentication Response = more than 1 frame/signal
LLC – Logical Link ControlFHSS – Frequency Hopping Spread SpectrumDSSS – Direct Sequence SpreadSpectrum
TCP
IP
LLC
RFF: Phase 2 – Extraction of Transient
• Extract transient section of digital signal– Step 1: Preprocessing
• Segmenting the signal and applying first-order statistics (data reduction exercise)
• Results in a smaller vector – data/fractal trajectory
– Step 2: Detection of the start of the transient using data trajectory • Using the variance in the amplitude characteristics of the signal
– Threshold Detection
– Bayesian Step Change Detection
• Using the variance in the phase characteristics of the signal– Threshold Detection using Phase Characteristics
RFF: Phase 2 – Extraction of Transient
• Threshold Detection [Shaw and Kinsner, 1997]
RFF: Phase 2 – Extraction of Transient
• Bayesian Step Change Detection [Ureten, 1999]
RFF: Phase 2 – Extraction of Transient
• Threshold Detection using Phase Characteristics [Hall, Barbeau, Kranakis
(IASTED, 2003)]
demo
RFF: Phase 3 – Extraction of Components
• Extract components/characteristics from the transient– Instantaneous amplitude [Proakis and Manolakis, 1996]
– Instantaneous phase
– Instantaneous frequency components [Polikar, 1999]
• using Discrete Wavelet Transform (Daubechies filter)
• Wavelet function
• Scaling function
)()()( 22 tqtita
)(
)(tan)( 1
ti
tqt
]2[][][ nkgnxkyhigh
]2[][][ nkhnxkylow
RFF: Phase 3 – Extraction of Components
RFF: Phase 3 – Extraction of Features
• Extract features from components (vector of 1000 samples)– Average, Standard Deviation, Energy, Variance
• Representation of features (dependent on classification tool)
• Challenge/Goal: – Select features (transceiverprint) that accentuate the distinguishing
characteristics of transceivers, especially those from the same manufacturer
Classification Tool Component Feature
Pattern Recognition –
Neural Network
Instantaneous amplitude
(1000 data samples)
Variance in amplitude (100
data points) window=10
Statistical Classifier Instantaneous amplitude
(1000 data samples)
Variance in amplitude (1
variable)
RFF: Phase 4 – Definition of Profile
• Create profile for each transceiver– Obtain TPs from each signal in the collected data set (Phases 2-3) – Select a subset of TPs and store them in a profile (remaining TPs
used for testing/classification)• Using Self-Organizing Maps [Fausett, 1994]
– Take TPs from the data set as input– Create group(s) / cluster(s) of transceiverprints based on their distance
(Euclidean distance) from a given centroid– Select a representative sample of TPs from the various clusters to create a
profile
• Other approaches include– Random selection of TPs from the data set– Use of probabilistic neural network [Hunter, 2000]
RFF: Phase 5 – Identification of transceiver
• Classification Techniques– Pattern matching – e.g. Neural Networks (Artificial NN,
Probabilistic NN, etc.) [Fausett, 1994] • Based on Bayes Probabilistic Model
– Genetic Algorithms [Toonstra and Kinsner, 1995]
• Achieve an optimized solution through multiple iterations
– Statistical classifiers [Brickle, 2003]
• Determine probability of a match between an observed transceiverprint (TP) and each of the transceiver profiles
)()(
2
1exp)( 1
Vp T
TP to be classified centroid – center of cluster covariance matrix of TPs in profile
Modified Kalman Filter
V
RFF: Phase 6 – Enhancement of CSR
• Weakness in current classification techniques– attempt to identify transceiver using a single observation (TP)
– unable to accommodate moderate level of variation (interference and noise) in the TPs being classified
• Address weakness using the Bayes Filter [Fox et al., 2003]
– Identify transceiver with highest probability after several rounds (using consecutive TPs) of classification
xt = Transceiver at time t
Bel(xt) = Probability of Transceiver x at time t
p(xt | ot) = Probability of TP belonging to transceiver x at time tBel(xt-1) = Probability of transceiver x at t-1
Bel(xt) = p(xt|ot)Bel(xt-1)
RFF: Phase 6 – Enhancement of CSR
Conclusions
• Use of RFF can prove beneficial in addressing malleability of identity (MAC address spoofing, cloning fraud)
• Level of confidence can be increased by using the Bayes Filter before rendering a final decision (legitimate user/intruder)
• The issue of scalability can be addressed– Application of Bayes filter to the target transceiver profile only for
transceiver recognition/confirmation– Based on the final probability, Bayes filter can then be applied to identify
other potential transceivers
• Future Research Initiatives– Enhancing the composition of TPs – improve classification rate– Using RFF with Bluetooth and cellular phones– Assessing the technical feasibility of incorporating RFF into current
security systems
References
• Radio Frequency Fingerprinting– Amplitude
• O. Ureten and N. Serinken. Detection of radio transmitter turn-on transients. Electronic Letters, 35:1996–1997, 1999.
• D. Shaw and W. Kinsner, Multifractal Modeling of Radio Transmitter Transients for Classification, Proc. Conference on Communications, Power and Computing, 1997, 306-312.
– Phase• J. Hall, M. Barbeau, E. Kranakis. Detection of transient in radio frequency
fingerprinting using phase characteristics of signals. In L.Hesslink (Ed.), Proceedings of the 3rd International IASTED Conference on Wireless and Optical Communication, Banff, Canada, 13-18, 2003.
– Wavelet Coefficients• H. Choe et al. Novel identification of intercepted signals from unknown radio
transmitters. SPIE, 2491:504–516, 1995.• R.D. Hippenstiel and Y.P. Wavelet based transmitter identification. In
International Symposium on Signal Processing and its Applications, Gold Coast Australia, August 1996.
References
• Bayes Filter– D. Fox et al. Bayesian Filtering for location estimation. Pervasive Computing. 24-
33, 2003.
• Statistical Classifier– Frank Brickle. Automatic signal classification for software defined radios. QEX,
pages 34–41, November 2003.
• Others– A. Hunter. Feature Selection using Probabilistic Neural Networks. Neural
Computing and Applications. 124-132, 2000.
– J. Schiller. Mobile Communications. Addison-Wesley, 2000.
– J. Proakis and D. Manolakis. Digital Signal Processing. Prentice-Hall, 1996.
– J. Toonstra and W. Kinsner. Transient Analysis and Genetic Algorithms for Classification. IEEE WESCANEX 95. 432-437, 1995
– L. Fausett. Fundamentals of Neural Networks. Prentice-Hall, 1994.
– R. Polikar. The Wavelet Tutorial. [web]