Zero Pre-shared Secret Key Establishmet i the Presece of ammers Tao i College of Computer Sciece Northeaster Uiversity Bosto, MA 25 taoji@ccs.eu.edu Guevara Noubir College of Computer Sciece Northeaster Uiversity Bosto, MA 25 oubir@ccs.eu.edu Bishal Thapa College of Computer Sciece Northeaster Uiversity Bosto, MA 25 bthapa@ccs.eu.edu ABSTRACT We cosider the problem of key establishmet over a wireless radio chael i the presece of a commuicatio jammer, iitially itroduced i [4]. The commuicatig odes are ot assumed to pre-share ay secret. The established key ca later be used by a covetioal spread-spectrum commuicatio system. We itroduce ew commuicatio cocepts called itractable forward-decodig ad efficiet backwarddecodig. Decodig uder our mechaism requires at most twice the computatio cost of the covetioal SS decodig ad oe packet worth of sigal storage. We itroduce techiques that apply a key schedule to packet spreadig ad develop a provably optimal key schedule to miimize the bit-despreadig cost. We also use efficiet FFT-based algorithms for packet detectio. We evaluate our techiques ad show that they are efficiet both i terms of resiliecy agaist jammers ad computatio. Fially, our techique has additioal features such as the iability to detect packet trasmissio util the last few bits are beig trasmitted, ad trasmissios beig destiatio-specific. To the best of our kowledge, this is the first solutio that is optimal i terms of commuicatio eergy cost with very little storage ad computatio overhead. Categories ad Subject Descriptors C.2. [Computer-Commuicatio Networks]: Desig Wireless Commuicatio Geeral Terms Algorithms, Desig, Security Keywords Ati-jammig, Spread Spectrum, Zero Pre-shared Secret Permissio to make digital or hard copies of all or part of this work for persoal or classroom use is grated without fee provided that copies are ot made or distributed for profit or commercial advatage ad that copies bear this otice ad the full citatio o the first page. To copy otherwise, to republish, to post o servers or to redistribute to lists, requires prior specific permissio ad/or a fee. MobiHoc 9, May 8 2, 29, New Orleas, Louisiaa, USA. Copyright 29 ACM 978--6558-53-4/9/5...$5... INTRODUCTION Radio-Frequecy wireless commuicatio occurs through the propagatio of electro-magetic waves over a broadcast medium. Such broadcast medium is ot oly shared betwee the commuicatig odes but is also exposed to adversaries. The resiliecy agaist malicious behavior is obviously of sigificat importace for military commuicatio i a battle-field. It is also rapidly gaiig sigificace i civilia ad commercial applicatios due to the icreased reliace o wireless etworks for coectivity to the cyberifrastructure, ad applicatios that moitor our physical ifrastructure such as tuels, bridges, ladmarks, buildigs, etc. ammig ad ati-jammig techiques for the physical layer of wireless systems supportig mostly voice commuicatio have bee extesively studied for several decades [3]. However, it is oly recetly that the popularity of multi-hop data etworks with complex medium sharig, codig, ad applicatio protocols opeed the door for sophisticated attacks ad resulted i the exploratio of ew resiliece mechaisms. Emergig attacks iclude ultra low-power crosslayer attacks that aim at disturbig the operatio of etworks by targetig cotrol-mechaisms such as packet routig, commuicatio beacos or pilots, carrier sesig mechaism, collisio avoidace expoetial back-off mechaism, etwork topology, ad size of the cogestio cotrol widow. For example, by trasmittig a few pulses at the right frequecy, right time ad right locatio, highly efficiet (eergy/computatio wise) attacks ca be deployed with offthe-shelf hardware [, 2,, 4, 6, 5].. Motivatio Spread Spectrum (SS) is oe of the most efficiet mechaisms used for ati-jammig commuicatio. Military systems, i particular, rely o SS systems alog with atea ullig, chael codig to couteract malicious attacks. I civilia systems however, SS has bee discarded from usage maily because it requires a pre-shared secret, which may ot be available [, 7]. For example, i systems which employ large umber of dyamically associatig/disassociatig odes, the pre-sharig has to be doe over a ope chael makig it a easy target by a adversary who focuses all its jammig eergy o the key establishmet protocol. The problem has bee itroduced previously as the atijammig/key establishmet circular depedecy problem [4]. Strasser et al. also propose a ew mechaism called Ucoordiated Frequecy Hoppig (UFH) to break this circular depedecy, however, at a high commuicatio cost.
I this paper, we propose a ovel approach for breakig the ati-jammig/key establishmet circular depedecy with sigificat eergy efficiecy advatages over UFH. Our mechaism relies o two mai properties: () itractable forwarddecodig (prevetig a adversary from detectig or decodig a o-goig commuicatio), (2) efficiet backwarddecodig (allowig ay receiver to decode the time-reversed sigals). Note that although the adversary ca also decode the time-reversed sigal (ad fid out which Pseudo radom (PN) spreadig sequece was used), it will be too late for it to jam by the time it retrieves the PN-sequece (See Figure ). The basic idea behid our scheme is that the seder spreads the message with a cryptographically-strog PN-sequece. Forward-decodig the packet requires guessig the whole key iitially, which we will show to be ifeasible for the jammer to accomplish (by brute force) i time to jam the packet before the ed of the packet trasmissio. As commuicatio progresses, the etropy of the spreadig sequece decreases (See Figure 4), thus o the receiver side, decodig the time-reversed versio of the packet oly requires the receiver to guess oe bit of the key at each stage of the decodig process. We will also show that uder our scheme, at each istat the time it takes for a ode to brute-force the PN sequece plus the TX/RX tur-aroud time ad propagatio time is larger tha the time it takes for the seder to sed the remaiig bits of the message. This makes forward-decodig itractable. The mai advatage of our solutio, i compariso with UFH [4], is that it does ot require extra eergy for trasmittig packets. It is i fact as eergy efficiet as the covetioal SS commuicatio where the commuicatig odes pre-share a secret key. UFH, o the other had, requires o average times more eergy tha traditioal SS, beig the spreadig factor that is i the order of hudreds. We achieve this commuicatio-eergy efficiecy with a slight icrease i the receiver computatio ad storage cost. We show that the computatio/decodig cost is at most twice the computatio cost of covetioal SS (See Theorem 2) ad the storage required is of oe packet legth. A secodary advatage of our techique is the delayed commuicatio detectio, which makes it practically impossible for a adversary to sese a ogoig commuicatio util it is almost over. This stealthiess further icreases the iefficiecy of the adversary by forcig it to be a chael-oblivious jammer [2]..2 Related Work Ati-jammig techiques have bee studied for decades [3]. Most of the earlier mechaisms however, oly focussed o a physical layer protectio ad made use of SS techiques, directioal ateas, ad codig schemes. At the time, most wireless commuicatio was ot packetized or etworked. Furthermore, the small size of the etworks the (mostly military), ad the way they were deployed allowed for precofiguratio with shared secret keys to be possible. Reliable commuicatio i the presece of adversaries regaied sigificat iterest i the last few years. New attacks emerged with the advet of more complex applicatios ad deploymet eviromets. Several specifically crafted attacks ad couter-attacks were proposed for: packetized wireless data etworks [, ], multiple access resolutio i the presece of adversaries [3, 2, ], multi-hop etworks [6, 5, ], broadcast commuicatio [6, 5], cross-layer attacks [], ad avigatio iformatio broadcast [2]. While may recetly proposed coutermeasure techiques ca (ad are assumed to) be layered o a SS physical layer, it is usually take for grated that the commuicatig odes pre-share a secret key. Strasser et al. recogized this as a sigificat impedimet to the use of SS, eve whe the commuicatig odes possess public keys ad certificates that potetially allow them to setup a shared secret key [4]. Strasser et al. proposed UFH, a techique for establishig a symmetric secret key i the presece of adversaries. I UFH, the sedig ode hops at a relatively fast rate (e.g., 6 hops per secod) over chaels. It repeatedly seds fragmets of the mutual autheticatio ad key establishmet protocol. The receiver hops, o the other had, are sigificatly slower. Therefore, although the receiver does ot kow the seder s hoppig sequece, statistically, it ca receive / of the set packets. The authors show that a adversary has a very low probability of jammig these packets. They build upo this basic mechaism to costruct a jammig-resiliet mutual autheticatio ad key establishmet protocol. Their paper itroduces the first reliable key establishmet protocol for SS without a pre-shared secret. However, ulike traditioal SS systems with pre-shared keys, the proposed mechaism icurs a icrease i eergy cost by a factor of due to the implicit redudacy i packet trasmissios (retrasmissios of message fragmets that are ot received) required by their scheme. This is the closest work related to our paper. Our mechaism, ulike UFH, retais the mai beefits of the origial SS commuicatio i terms of commuicatio eergy (all trasmitted eergy is used i the packet decodig process). It does icur a higher computatio cost, which we show later is o more tha twice the cost of the traditioal SS with pre-shared secret. With ever icreasig computatio power of computers today, this is a egligible issue. Other coutermeasure techiques discard the possibility of usig SS because of the arrow RF bads available to ad hoc etworks, or because of the absece of a pre-shared key as metioed above [7, ]. These techiques are much less eergy efficiet tha SS. Note that SS ca still be used i arrow bad if the sigal is spread i time at o additioal eergy cost. The tradeoff i that will be a reduced data rate by a factor equal to the spreadig legth, which is ot ecessarily a limitatio as two odes ca have multiple simultaeous commuicatios as i Code Divisio Multiple Access systems..3 Cotributios The cotributios of this paper are both coceptual ad algorithmic: Zero commuicatio-eergy overhead key establishmet of a shared key without pre-agreed kowledge (i compariso with covetioal SS with pre-shared keys): a ovel approach based o itractable forward-decodig ad efficiet backward-decodig. Udetectable commuicatio util ed of trasmissio (delayed detectio) forcig the jammer to become eergy-iefficiet ad chael-oblivious [2]. A destiatio-orieted scheme that prevets efficiet simultaeous-attacks o multiple receivers.
Computatioally efficiet ed of the message detectio (a FFT-based techique), ad message extractio (use of a key-schedulig algorithm that requires at most twice the decodig cost of covetioal SS). 2. SETUP MODEL Our setup model cosiders systems that are traditioally capable of doig SS, such as mobile ad hoc etwork. I particular, it is ot applicable to systems with low computatioal power, e.g., wireless sesor etwork. The implemetatio of our scheme requires systems to have at least a GB of memory to carry out FFT computatios. 2. System Model We cosider a wireless commuicatio etwork where several odes are tryig to establish pairwise-shared secret that would eable SS commuicatio. Our model ad the problem formulatio is very similar to [4]. We focus o a pair of commuicatig odes alog with a jammer, all sharig a RF chael. The jammer s objective is to prevet the establishmet of the secret key betwee the commuicatig odes, because oce this key is established, the commuicatig odes ca use covetioal SS for commuicatio makig them resiliet to jammig. Our mai objective is to devise a jammer-resiliet message-delivery mechaism with o pre-shared iformatio. which ca be used by ay Mutual Autheticatio ad Key Agreemet Protocol (MAKAP) to deliver few messages ad establish a key for future SS commuicatio. I this paper, we cosider the same MAKAP as i [4], amely Elliptic Curve Diffie Hellma (ECDH) because of the small umber of messages exchaged (two) ad their short legth. Our method uses Direct-Sequece SS (DSSS), but it easily geeralizes to Frequecy-Hopig SS (FHSS). Assumptio We assume that there exists a trusted Certificate Authority (CA) that issues digital certificates attestig each user s public key. Aythig that is kow to the receiver about the protocol ad the seder is kow to the jammer. This icludes the ecodig the decodig mechaism that makes our system so efficiet. 2 2.2 Adversary Model We cosider a adversary that is co-located with the seder ad the receiver that ca jam, replay previously collected messages, isert fake messages ad/or modify bits of the message. The primary goal of the adversary is to prevet successful receptio of the seder s message by the receiver. However, i a attempt to do so, a jammer may simply icrease the delay of the message extractio process or cause deial of service (DoS) attack o the receiver side. So, it s secodary goal may very well be to icrease the computatio ad eergy cost of the receiver while miimizig its Note that give the eergy, computatio, ad storage efficiecy of our techiques, if o certificatio authority is available, we ca cosider usig our scheme to trasmit all packet without ever establishig a key. 2 Regardless of the attacker beig oe of the participatig odes or a outside jammer, it has the same amout of iformatio available to the receiver. ow jammig cost. We defie jammer s performace as the trade-off fuctio relatig the packet loss rate (PLR) with the total jammig cost. Our classificatio of the adversary attacks is ispired by the well kow active attack categorizatio ad the attacker model of [4]. However, the specific attacker strategies we desiged ad implemeted for evaluatio of our scheme are protocol-specific. I Sectio 5, we also preset the empirical optimal jammer strategy ad show that it is cost-iefficiet uder our proposed scheme. Assumptio We igore the gai of cofigurig physical layer parameters such as atea gais, codig schemes, ad power-cotrol (e.g., ear-far problem) sice they ca be optimized the same way as they are optimized i covetioal SS, idepedet of our mechaism. Our model does ot cosider the case where the jammer ca block the propagatio of the radio sigal (e.g., by puttig a ode ito a Faraday s cage) We assume that the adversary caot tuel the chael sigals for remote brute-forcig before the ed of the packet trasmissio (few millisecods). Taxoomy of the Attacks. ammig: The attacker ca jam the commuicatio lik i various ways, such as sedig a high-power pulse either at periodic itervals, cotiuously, or i a memoryless fashio [2]. The goal is to distort packets ad cause failure of correct packet decodig. 2. Replay Attack: The attacker ca replay previously captured commuicatio messages. The goal is to icrease the computatio cost of () packet decodig, ad/or (2) sigature verificatio. 3. Targeted Modificatio: The attacker ca modify some bits of the message by focusig the jammig eergy o some portio of the message. The jammer caot determiistically carry out this attack sice it ca ot detect o-goig commuicatio uder our mechaism util last few bits of message are set. 4. Computatio Deial of Service: The attacker iserts partial or complete messages to overwhelm receiver s () packet decodig, ad/or (2) sigature verificatio. Notice that we do ot make ay additioal assumptio o the limitatio of jammer s computatio power ad eergy more tha what a traditioal SS does. Obviously, if the jammer is ifiitely powered eergy-wise ad cotiuously jams all the time, it could reduce the throughput to %, just like it would i a traditioal SS. Our mai goal here is to devise a jammer resiliet key establishmet protocol with o pre-shared key ad at o additioal cost compared to the traditioal SS. I Sectio 5, we evaluate the performace of the jammer types described above ad preset simulatio results.
3. TREKS IN DSSS Time-Reversed Message Extractio ad Key Schedulig (TREKS) is a commuicatio approach based o zero preshared key spread spectrum (ZPKS), specifically DSSS (ZPK- DSSS) i this paper. We will first preset the core idea of ZPK-DSSS ad its efficiecy agaist jammig. The we propose a ovel key schedulig scheme, which eables efficiet backward-decodig makig TREKS very applicable to systems i terms of commuicatio eergy, computatio ad storage cost. 3. Zero pre-shared key DSSS Assume that seder S, receiver R, ad jammer all share the same chael. Let M deote the message that S wats to sed to R, l the bit-legth of M. Prior to the start of trasmissio, S radomly geerates a secret key K of k bit legth. Ulike covetioal DSSS, K is ot kow to ayoe but S whe commuicatio occurs. S geerates a cryptographically strog PN-sequece usig S ad spreads M. Although, a PN-sequece cryptographically geerated from the key (as a seed to a symmetric ecryptio algorithm such as AES) are ot optimal i terms of orthogoality, they perform reasoably well ad have bee used i may military SS systems [3]. I covetioal DSSS, R keeps attemptig to despread icomig sigals with the key, that is pre-shared betwee S ad R, util it detects the begiig of the message, the the forward-decodig of whole message starts. I ZPK- DSSS, there is o pre-sharig of the key. Thus, R eeds to first idetify the key K chose by S. Without kowig K, R does ot eve kow whe the DSSS commuicatio occurred. The oly possibility is to brute force all possible keys o every chip of the icomig sigal util a key is foud that could properly decode the complete message. Give that the key size is k bit, the complexity of explorig the key space by brute force is O(2 k ). This cost is ifeasible for real-time commuicatio. I Sectio 3.3, we itroduce our backward-decodig mechaism with a key schedule to be itegrated ito this approach that make its efficiet ad viable for real-time commuicatio. 3.2 ammig resiliecy We first demostrate the fudametal stregths of the proposed approach from the stadpoit of key recovery itractability ad eergy efficiecy agaist jammers. 3.2. Commuicatio eergy efficiecy I this sectio, we preset the way the message bits are spread ad how the total eergy per packet is preserved. We also show that the eergy cost of the jammer to couter the effect of spreadig icreases by factor of. Symbol Defiitio d {+, } BPSK symbols that are estimated ad mapped to {, } equiprobably ˆd {+, } Received BPSK symbols that are estimated ad mapped to {, } Spreadig Factor pi 2 f ; : : : ; g {, +} i t h chip of cryptographically desiged SSEQ ukow to adversary. Eb Eergy per trasmitted bit assumig w.l.o.g bit set per uit time. ui = d E b pi BPSK modulated sigal trasmitted by the seder. ammer eergy per uit time Ii 2 f ; : : : ; g Adversary s trasmitted sigals idexed at the chip level. Mea square of Ii vi Received sigal idexed at chip level. ri jammig chip with uit mea square. BER(x, y, z) Bit Error Rate of despread sigal whe Eb = x, = y ad = z Table : Termiology FACT. Spreadig a sigal by a factor allows, the commuicatig odes to couter a -times stroger jammer at o extra-eergy cost for the seder: P r o o f. Sice, we are oly iterested i the impact of jammig, we ormalize the path loss ad atea gais to. For simplicity, we igore thermal (white) oise. The same result still holds i the geeral case. By defiitio, Eb v i = u i + I i = d p i + r i Cosider the followig decodig techique 3 : ˆd =iff v i p i > We cosider BPSK modulatio but the results geeralize to other modulatios as well. The BER(E b,, ) = Pr[ ˆd =ad d = ] + Pr[ ˆd = ad d = ] = 2 Pr[ v i p i > ad d = ] Eb = 2 Pr[d p i p i + r i p i > ad d = ] Eb = 2 Pr[ p i p i + r i p i > ad d = ] = 2 Pr[ E b + r i p i > ] Pr[d = ] Eb = Pr[ r i p i > ] where p i is a radom variable idepedet from the adversary s r i choices. Therefore, ripi is the sum of radom variables of equal probability takig values {, +}. The distributio of the sum ca be derived from the Biomial distributio. For, this distributio ca be approximated by a Normal distributio of zero mea ad variace : N(,). Thus, BER(E b,, ) = e x2 2π 2 dx = E b E b e x2 dx () 2π 2 Eq. () idicates that whe the spreadig factor is icreased by a factor c, the adversary eeds to scale its jammig eergy by a factor c to maitai the same BER. O the trasmitter side, sice the eergy per bit is kept costat, trasmitter still speds the same amout of eergy while beig resiliet to c times more jammig. 3.2.2 Computatioal ifeasibility for jammer I order to jam i a cost efficiet way, the jammer eeds to idetify the spreadig key. As show above, the complexity of fidig the key is O(2 k ). If k is desiged such that idetifyig the key takes sigificatly more time tha the packet trasmissio the eve if the jammer evetually fids the key, it is too late to jam the packet as the trasmissio is already over. For example, give a key size of 3 Note that we are assumig that the receiver kows the bit sychroizatio. This is a commo assumptio i aalyzig SS systems. We will see i Sectio 4 how this is achieved.
k = 2, =, ad seder chip rate of Mcps (s chip duratio), it takes few millisecods to trasmit (e.g., ms for bits spread with = ). That meas it requires the jammer i the order of multiplicatio operatios per picosecod to brute-force 2 2 possible keys withi few millisecods of trasmissio time, which is ot possible for a field deployed jammer to accomplish. We call this itractable forward-decodig, which is illustrated i Figure. 3.2.3 Limitatios Itractable forward-decodig is due to zero pre-shared secret i ZPK-DSSS, which i-tur also applies to the receiver. Sice the receiver eeds to try O(2 k ) possibilities o each icomig chip sigal to figure out the spreadig key, it causes a cosiderably high computatio overhead. This is a major limitatio of the basic ZPK-DSSS. I the followig sectio, we itroduce a ovel spreadig key schedulig scheme, which builds upo ZPKS ad eables both itractable forward-decodig ad efficiet backwarddecodig. This drastically reduces the computatio overhead for the receiver from O(2 k ) to O(2k) while the jammig resiliecy remais the same. 3.3 Key scheduled reverse-time decodig 3.3. Key size vs. jammig resiliecy Before delvig ito the details of our key schedulig scheme, we first show how the key-etropy is reduced as the trasmissio gets closer to the ed, which sigificatly cuts dow the cost to idetify the key for the receiver but still requires the same effort from a adversary. T heo r em. Let T t r a s (l) deote the trasmissio time of l bits, T s(k) the time required to brute force all possible k bit keys. Give a message M ad key size k, if it is secure 4 to spread M with a k-bit key, it is secure to spread the last j M j 2 i bits with k i bit key, where i log 2 ( M ). Eq. (2) shows that it is secure to ecode j M j bits with k 2 bit key. Therefore, eve if we use a -bit weaker key to ecode the secod-half of M, we ca guaratee that the whole message ca still be delivered before the jammer brute forces all possible keys. By iductio, it is easy to get that T t r a s ( j M j ) T 2 i s (k i). Thus, it is secure to spread the last j M j bits with k i bit key. 2 i The ituitio behid Theorem is that as trasmissio goes o, less time is left for jammer to fid the key, so it is safe to ecode the rest of the message with slightly weaker keys 5. 3.3.2 Spread key schedulig Based o Theorem, we itroduce a key schedulig scheme to TREKS. As show i figure 2, istead of spreadig the complete message with a fixed key, we partitio the message ito k segmets (ote that the segmets are trasmitted i a cotiuous way), where k is the key size. We call each segmet schedule. The size of ith segmet M i is j M j. At the start of spreadig process, we use full legth 2 key i to spread M. After each schedule, we set the most sigificat bit of the key to a kow value ad resume ecodig the ext segmet with this -bit weaker key. We repeat this process util the last schedule, which is ecoded with a key with oly bit secret. So, it is easy to see that the message legth l has to be at least 2 k such that k could be decreased to bit towards the ed of the key schedule. For simplicity, we assume that l = 2 k. We loose this assumptio i the later sectio. Algorithm outlies the message segmetatio ad key schedulig. Symbol M K l k K[m... ] M[m... ] K i M i N i Defiitio message to be trasferred secret key legth of message i bits size of secret key i bits part of the K from m t h bit to t h bit part of the M from m t h bit to t h bit key used i schedule i message segmet belogig to schedule i size of rest of message at the start of schedule i Table 2: Summary of the otatios. Figure : Message delivered before the key is broke. P r o o f. We first show that it is secure to spread the secod half of M with k bit key. Sice it is secure to spread M with a k bit key, we have T t r a s( M ) T s(k) T t r a s( j M j 2 ) = Tt r a s( M ) 2 2 T s(k) =T s (k ) (2) 4 I the rest of the paper, secure key size implies it takes sigificatly more time to brute-force all possible keys used to spread tha to trasmit the message. Algorithm : Seder ecodig message with key schedule.. N M 2. for i =...k do K i K[i... k] M i N i [... N i 2 ] cryptographically geerate PN i ecode M i with PN i N i + N i [ M i +... N i ] from K i Itractable forward-decodig: By the defiitio of the key schedule ad theorem, the property of itractable forward-decodig is maitaied. Efficiet backward-decodig: Due to the decreasig key etropy, it becomes easier for the receiver to idetify the key as the trasmissio is closer to the ed. Specifically, sice the last key schedule has etropy of bit, the receiver eeds 5 Additioal measures ca be take to prevet overlap betwee weakeed key spaces.
to try just two keys o each icomig chip to detect the potetial ed of message (EoM). Oce the receiver detects a potetial EoM, it starts iferrig the key from previously received sigals usig the kowledge that the etropy of K i from that of K i i the key schedule icrease by oly a bit i reverse time. So the receiver eeds to try 2k keys i total before realizig all the k bits of the key, sigificatly lowerig the cost of fidig the key from the basic scheme. Figure 4: Key schedulig with liear tail. Figure 2: TREKS with key schedulig. 3.4 Further improvemets ad discussio 3.4. MAC-masked key schedulig I the key schedulig scheme above, the last scheduled key K k is always either or for ay seder/receiver pair. Thus, the jammer could jam with a PN-sequece geerated by or, which is likely to compromise the last message segmet. Oce the EoM is jammed ad the receiver is ot able to detect it, the reverse decodig caot start. I order to tackle this issue, we take the receiver s MAC address to mask the key at each schedule. The revised key schedulig strategy is illustrated i figure 3. The key K i used to ecode M i is geerated by replacig the most sigificat i bits of the receiver s MAC address with the most sigificat i bits of K. It is easy to see that the hardess of the key iferrig remais the same. Whereas, the last scheduled key is differet across differet receivers. Thus, the jammer ca oly target oe receiver at a time. The potetial jammig attack metioed earlier becomes a destiatio-orieted attack. I sectio 5 we will discuss the impact of the MAC jammer ad show that our system is highly resiliet agaist such jammer as it is agaist other jammers. 3.4.2 Key schedulig with liear tail As metioed at the ed of 3.3.2, we assumed that l = 2 k so that key size ca be decreased dow to bit by k t h schedule, ad total message legth l for k = 2 would be M bits. Obviously this is too large for a message size. We also observed that if T t r a s ( M ) T ±, where T ± is the radio tur aroud time of the jammer, it is impossible for the jammer to jam M. I this case, whe the jammer detects the trasmissio ad switches to a trasmit mode, the message has already bee delivered. Take 82. as a example, the radio tur aroud time is us. Cosider a spreadig factor =, chip rate of Mcps, the we have T t r a s () = us. So for the last bits of the message, the seder ca weake the key at a liear rate of key bit per packet bit. Therefore, oly the first bits of the key eed to be scheduled. Thus, the message size becomes + 9 i= 2i = 33 bits, which is a reasoable size. Note that if T ± allowed for oly the trasmissio of a smaller umber of bits, we ca liearly weake the key by more tha oe key-bit per trasmitted bit. This slightly icreases the computatio cost of key iferrig but oly o a small umber of bits. The revised key schedulig algorithm is illustrated i Figure 4. Next, we preset the efficiet backward decodig algorithm, its computatio complexity ad briefly discuss the key establishmet protocol uder TREKS. 4. EFFICIENT BACKWARD-DECODING Figure 5: Workflow of TREKS Message Decodig 4. Overview of TREKS Decodig MAC-masked TREKS eables efficiet backward-decodig, which is best described as a two-phase pheomeo [See Figure 5]: Phase-I : Fidig EoM by computig the cross-correlatio betwee received chips ad the PN-sequece geerated with receiver s MAC address. Phase-II : Iferrig the key i time-reversed fashio, which is used to despread the message. Figure 3: MAC-masked key schedulig.
4.2 Fidig the EoM (Phase-I) As show i Figure 5, Phase-I cosists of two steps, (a) samplig ad bufferig, ad (b) FFT EoM detectio. Whe ew sigal samples arrive, the receiver equeues them ito a FIFO. At ay istace, the receiver oly have to keep 2l chips i his buffer because after fidig the EoM, he will have to traverse at most l legth before he recovers the message. We compute cross-correlatio to achieve bit sychroizatio, a very commo practice i SS systems [3]. However, calculatig cross correlatio is computatioally expesive. We optimize this calculatio (a) by usig FFT, which reduces the cost of computig cross correlatio from 2 2 l to l log(l), ad (b) by processig a batch of l chips at oce durig FFT computatio ulike covetioal SS systems that process chips (spread of a bit) at a time. Symbol Defiitio m message set by the seder, as z segmets Seg[i] Segmets of a message, where i z K[i] Key used to geerate spread PN-sequece, i z Ki Possible set of keys, Ki 2, that receiver tries to despread Seg[i] with. S[i] Real-time Sigal that is sampled at the receiver side. P EoM[i] Array of possible EoM idices. M[i] Array of extracted complete messages. GetBuffer(.) Gets the ext l chips from the sigal stream for samplig. DotP rod(.) Dot product of two vectors (correlatio fuctio). F F T (.) Fast Fourier Trasform. IF F T (.) Iverse Fast Fourier Trasform. Fast Correlate(.) Calculatig Covolutio betwee a short ad a log sigal. Key Ifer(.) Fuctio to ifer the key. P eak Detectio(.) Fuctio to detect peaks at Seg[i], i z Despread(.) Stadard Spread Spectrum fuctio to despread received sigal. Sigature V erify(.) Fuctio to verify the seder. Table 3: Additioal otatios Algorithm 2: Fidig the Ed of the Message (EoM). Old Buffer = GetBuffer(S); 2. for each buffer of legth ( l) do Curret Buffer = GetBuffer(S); Set k = MAC ADDRESS(Rcvr); Corr[ : l]=fast Correlate(Curret Buffer,k); for each j {,, l} do If Corr[j] > threshold the push j ito PEoM[]; If PEoM[] is empty Old Buffer = Curret Buffer; Else Buffer = cocat(old Buffer,Curret Buffer); Key Ifer(Buffer,PEoM); Fast Correlate(Buff,key){ Temp Key[:*l] = Zeros; Temp Key[:] = key; Iput = FFT(Buff); Iput2 = FFT(Temp Key); //Pre-computed Corr[:*l] = IFFT(Iput*Iput2 ); retur Corr;} As illustrated i Algorithm 2, our FFT detectio process iterates over each chip i the buffer to fid the EoM. Oe challege is that there might be more tha oe cadidate for EoM, i.e., multiple values of the correlatio vector may pass the threshold test to produce false positives. Thus, we equeue all possible EoMs ito PEoM[], ad pass it to Phase-II for further processig. We pick threshold value empirically by observig TREKS performace over large umber of simulatio rus, details of which is give i Sectio 5. 4.3 Message Extractio (Phase-II) Phase-II cosists of Step 3 ad 4 as show i Figure 5. I Step-3, we ifer the key by fidig the legitimate EoM out of all PEoM foud i Phase-I. For each PEoM, we begi timereversed key iferrig. For each key bit, we try two possible choices. Algorithm 3 shows this process. For a certai guess, if more tha 5% of the total bits are detected i a schedule, the we cofirm the value for this key bit ad move oto the ext. Otherwise, we abort the key iferrig. Hece, we get Theorem 2. T heo r em 2. The computatioal cost of TREKS message despreadig is at most twice the computatioal cost of covetioal SS systems with a pre-shared key. P r o o f. For each segmet, the receiver attempts to despread the bits with two potetial keys. Therefore each bit is despread twice. Leadig to a computatioal cost of twice a covetioal spread-spectrum. Note, that this cost ca be reduced by elimiatig oe of the two keys after attemptig oly few bits of a packet. I Phase-II, aother optimizatio we employ is that after we fid the EoM, istead of computig FFT each time to sychroize with the bits of the message, we compute the dot-product betwee chips ad the PN-sequece. The abortio of key iferrig process implies a packet loss otherwise we despread the message usig the key iferred [Step-4]. We discuss the choice of the threshold values used i Algorithm 2 i Sectio 5. Algorithm 3: Message Extractio. Key Ifer(Buffer,PEoM){ for each possible EoM j PEoM do PeakPos = +j; //EoM = Buffer[+j] edidx = PeakPos-; //Ed of Seg[z-] for each p {,,z} do startidx = edidx Seg[z] + ; CtOfSucc = ; for each key cadidate k K z p do succ = Peak Detectio(k,Buffer, startidx, edidx); CtOfSucc = CtOfSucc + succ; If(CtOfSucc==) K[p] =k; Else Abort Key Ifer(Buffer,PEoM); edidx = startidx; m = Despread(Buffer[j ( l) +,j],k[]); Equeue m ito M[];} 2. Sigature Verify(M[]); Peak Detectio(key, Buf, startidx, edidx) { ExpNumofPeaks = (edidx - startidx)/; CtOfPeaks = ; for each d {,,ExpNumOfPeaks} do P=DotProd(key,Buf[startIdx,startIdx+]); If P > threshold the CtOfPeaks = CtOfPeaks+; startidx = startidx+(d ) ; If CtOfPeaks > 5%*ExpNumOfPeaks succ = ; Else succ = ; retur succ; } Sigature Autheticatio ad Key Establishmet At the ed of Algorithm 3, depedig o the type of jammer ad its strategy, a receiver might ed up recoverig more tha oe message, amely the jammer messages. I that case, the receiver has to verify the seder usig some
Bit Error Rate (BER).... (a) SNR vs. BER t= t=2.5 No e-5-2 -5 - -5 5 5 Sigal to Noise Ratio (SNR) i db Packet Loss Rate (PLR).6.4.2 (b) SNR vs. PLR t=2.5 t= No -2-5 - -5 5 5 Sigal to Noise Ratio (SNR) i db Figure 6: Two graphs (a) SNR vs. BER (b) SNR vs. PLR. t = T h r e s h o l d ad No without TREKS. a v e r a g e kid of mutual autheticatio ad idetificatio mechaism. TREKS uses 6 bit Elliptic Curve based Digital Sigature Algorithm (ECDSA) to autheticate the odes ad their data set over the chael. A 6-bit ECC key provides the same level of security as that of a 24-bit RSA key [8], which is sufficietly secure for the purposes of a sessio-based ecrypted message trasmissio of TREKS. The choice of the key establishmet protocol for TREKS eed ot be a specific key establishmet protocol. Similar issue is already discussed extesively i [4]. So, we will use the same protocols of [4]. 5. PERFORMANCE EVALUATION We evaluate the performace of TREKS i terms of the Packet Loss Rate (P LR) as a fuctio of commuicatio/jammer eergy, computatio cost, ad storage cost. Based o Fact, we ca focus o two jammers: () additive white gaussia jammer (whose eergy is reduced by a factor ) evaluated i Sectio 5., ad (2) jammers spreadig a sigal with the receiver MAC address evaluated i Sectio 5.2. Without kowig the begiig of the trasmissio, the jammer is forced to operate as a memoryless jammer with a rate λ. We call these λ-jammers. Note that if λ =, it becomes a cotiuous jammer. Simulatio Setup: We use MATLAB to simulate the commuicatio, jammig, ad message extractio uder various settigs of the cofigurable parameters to depict differet types of jammers uder differet scearios. All the graphs are based o K simulatio rus of same parameter settig. The variables of our simulatios are: Spreadig Factor, Packet Size, l 33 bits Key Size, 9 ammer Power to Sigal Power Ratio, SR [..] Normalized Sigal Power dbw Noise Power -2 dbw Table 4: Parameters for Simulatio. 5. TREKS vs. Gaussia ammers We cosider the case where the seder ad the receiver commuicate uder a white Gaussia jammer. From Fact, this correspods to iterferers ot usig the destiatio MAC address. Their iterferece results i Gaussia oise of eergy reduced by a factor. 5.. Packet Loss Rate (PLR) The P LR uder our model implies oe of the followig: (a) Key Ifer Failure, (b) EoM missig, ad (c) High BER (over 5% []). Figure 6 shows the PLR ad the BER icurred usig TREKS, as a fuctio of a icreasig SNR ad differet detectio threshold. Note that due to the imperfect sychroizatio ad EoM recovery, we oly obtai a gai of 5 7 db (i.e., 2 to 5 times resiliecy gai). 5..2 False Positives The umber of False Positives (FP) ecoutered durig the FFT EoM detectio process affects the performace of TREKS i terms of its computatioal delay. I fact, we use the PLR ad the umber of FPs observed while ruig TREKS at a fixed oise level of db to choose the peak detectio threshold used i Algorithm-2. We defie threshold as t avg where avg is the average of the correlatio vector produced by fast correlate(.) of Algorithm-2, ad t is a multiplier. Based o the results from Tables 5 ad 6, we chose t to be 2.5 because of a much smaller FP rate observed at threshold = 2.5 avg, eve though we loose about 2dB of jammer resiliecy. SNR (db) t=. t = 2. t = 2.3 t = 2.5 t = 3..79%.48%.94%.58%.22% 5.8%.48%.94%.58%.22%.79%.47%.96%.59%.22% 5.79%.5%.98%.6%.23%.78%.57%.%.64%.25% Table 5: False Positives (FP) SNR (db) t=. t = 2. t = 2.3 t = 2.5 t = 2.9 9.% 48.% 49.5% 47.5% 64.5% 5.%.2%.5%.5% 4.%.%.%.%.%.% Table 6: Packet Loss Rate (PLR). Importat Observatio: Figure 7 shows that we detect almost all of the FPs amog PEoMs by the first two iteratios (stages) of key ifer() i Algorithm 3 whe threshold = 2.5 avg. Thus, FP does ot impact TREKS computatioally by much. The icrease i computatio cost is egligible compared to the decodig cost, which itself is less tha double the cost of decodig i traditioal SS. 5..3 Computatio Cost Operatio Usig GPU Lab Computer FFT bechmark ms 28ms Key Iferrig - ms Sigature Verificatio - ms Table 7: TREKS Computatio Cost. Table 7 shows the computatio cost of TREKS performed i our lab computer versus usig a GPU NVidia GeForce 88 GTX. Usig the latter, we ca accelerate the FFT computatio by 28 times [9]. The specificatio of our lab computer is a 64-bit Itel(R) Core(TM)2 CPU 64 @2.3GHz with 3GB memory. It clearly shows that with appropriate off-the-shelf hardware, TREKS ca operate i real time with its total executio time uder 3ms. We used OPENSSL-.9.8 versio to calculate the bechmark for verifyig 6-bit ECC-DSA. 5..4 Storage Cost The storage cost of TREKS accouts for (a) the total umber of messages recovered at the ed of message extractio, ad (b) the size of the FIFO used i bufferig the sigal
Percetage of FPs Detected (b) FP Detectio Stage Distributio (Threshold 2.5).9.7.6.5.4.3.2. S S2 S3 S4 S5 S6 S7 S8 S9 Key Iferrig Stages Percetage of FPs Detected (a) FP Detectio Stage Distributio (Threshold ).7.6.5.4.3.2. S S2 S3 S4 S5 S6 S7 S8 S9 Key Iferrig Stages Packet Loss Rate (PLR) a. PLR as a fuctio of Budget (Radom ammer) Budget= Budget=5 Budget= Budget=5.6 Budget=2.4.2 2 3 4 5 6 7 8 9 ammer Power to Sigal Power Ratio(SR) Packet Loss Rate (PLR) b. PLR as a fuctio of Budget (MAC ammer) Budget= Budget=5 Budget= Budget=5.6 Budget=2.4.2 2 3 4 5 6 7 8 9 ammer Power to Sigal Power Ratio(SR) Figure 7: Distributio of the FP detectio stage. Figure 9: ammer performace uder fixed budget. Packet Loss Rate (PLR) a. PLR due to differet jammers (=).6 (Radom) Sceario-.4 (Radom) Sceario-2 (Radom) Sceario-3 (MAC) Sceario-.2 (MAC) Sceario-2 (MAC) Sceario-3 2 3 4 5 6 7 8 9 ammer Power to Sigal Power Ratio(SR) False Positives (FP).3.2...9.8.7.6.5.4 b. FP due to differet jammers (=) (Radom) Overlap (Radom) No Overlap (MAC) Overlap (MAC) No Overlap 2 3 4 5 6 7 8 9 ammer Power to Sigal Power Ratio(SR) Figure 8: ammer performace compariso. samples i Algorithm-2. Eve if a jammer ijects j packets, we store at most (j + ) l/8 bytes, ad the curret buffer i Algorithm-3 holds l samples. Hece, the storage cost of TREKS is 4 l+(j +) l/8 bytes (assumig each sample is a 32-bit I/Q value), clearly withi the storage capacity of today s computer. 5.2 TREKS vs. λ-ammers Cosider a discretized time with timeslots of duratio l chips. We defie two differet kids of jammers that take parameters λ ad SR. λ represets the probability that a jammer seds a jammig message at a give timeslot (this correspods to discretizatio of a Poisso memoryless jammer to a Beroulli jammer), ad SR is the jammer to sigal power ratio. The cost of the jammer is λ SR, ad its goal is to maximize the P LR for a give budget. I our simulatio, we assume that the seder is always sedig messages. Note that the actual jammer impact will be less tha the simulatio graph s because the jammer does ot kow whe a trasmissio occurs. Thus, a source trasmittig with probability µ would cause a jammer efficiecy decrease by a factor of /µ. ammer Types: ammers could also sed partial messages but this ca be idepedetly addressed with appropriate iterleavig ad codig []. Hece, we cosider followig jammers i our simulatio: (Radom) ammer-: Iserts a l-bit message, each bit spread with a radom PN-sequece. (MAC) ammer-2: Iserts a l-bit message, each bit spread with the PN-sequece geerated usig the MAC address of the receiver as the seed. ammig Scearios: Cosider a data message that occurs iside a two timeslot (TS) widow. Now, a jammer message might occur i the first, secod, both or oe of the timeslots. This gives rise to followig possible scearios: Sceario-: ammer message occurs i the first TS. Impact: Key iferrig. Sceario-2: ammer message occurs i secod TS. Impact: EoM detectio. Sceario-3: ammer message itersects both TS. Impact: Key iferrig ad EoM detectio. Sceario-4: Does ot occur durig those two TS. Impact: Noe. Sceario-5: ammer s packet is perfectly sychroized with the seder packet at the receiver side. Impact: If perfect sychroizatio was possible, the there is a.5 probability that the last bit of the message is jammed, hece causig to miss the EoM. Observatio: I Figure 8(b), we show that o matter which of the four scearios we ru, there is o icetive for the jammer to icrease its SR if its objective is to icrease the FPs. With overlappig or without, the resultig umber of FPs that impacts EoM detectio is same. For a give λ, let s defie the expected PLR: E[P LR] =E λ( λ)+e 2 λ( λ)+e 3 λ 2 +E 4 ( λ) 2 where E,E 2,E 3,ad E 4 are the expected P LR for above defied Scearios-,2,3 ad 4 respectively. Figure 8(a) shows that for both the MAC ad Radom jammer, sceario-2 has more impact o PLR tha Sceario- ad Sceario-3 has slightly more impact tha the both. Obviously, E 4 =. Figure 9 shows that Radom ammer ad the MAC ammer attai their optimum (expected) PLR approximately whe SR 5. Note that these results are based o the assumptio that the commuicatio is always happeig. I reality, the impact of the jammer will be much less. Case of the MAC ammer: The MAC jammer outperforms the Radom jammer oly i terms of the umbers of FP produced. However, Figure 7 shows that by the third stage of key iferrig, almost all of the FPs are detected. Thus, its impact i terms of computatio ad delay is egligible compared to decodig cost. I terms of PLR, it is a very close race betwee the MAC jammer ad the Radom jammer with MAC jammer wiig by a slight margi. This is simply because oly the last bit of the message is spread with receiver s MAC address. Case of Perfect Sychroizatio (Sceario 5): We believe that it is very hard for the jammer to attai Sceario 5, i.e., achieve perfect sychroizatio, because uder our mechaism the jammer does ot kow whe the commuicatio is happeig, ad oly oe (last) bit of the packet is actually spread with receiver s MAC address. Therefore, the probability of Sceario 5 is /. 6. CONCLUSION AND FUTURE WORK We itroduce a method for achievig SS ati-jammig without a pre-shared key. Our method has zero eergy overhead i compariso with covetioal SS commuicatio.
Our solutio relies o itractable forward-decodig ad efficiet backward-decodig. We propose several algorithms to optimize the decodig ad show that the computatioal cost of despreadig is less tha twice the covetioal SS cost. Our method has additioal beefits of delayed detectio ad destiatio-orieted trasmissio makig jammig ifeasible ad keepig its impact to miimal by prohibitig jammers from simultaeously jammig multiple receivers. Future Work: Sice we focus o the key establishmet for systems like SS, graceful degradatio of the system throughput due to small PLR ad itermittet losses wo t affect our protocol. However, if we were to exted TREKS for log-lived commuicatio without key establishmet, the it would be iterestig to ivestigate their impact. That is our future work. Furthermore, we believe that extedig TREKS to today s popular systems, such as Widebad Orthogoal Frequecy Divisio Multiplexig (W-OFDM), ca icrease the applicability of our scheme. We pla o studyig differet extesios of TREKS i future. 7. ACKNOWLEDGMENTS This work was partially fuded by NSF grat 44833 (CAREER) ad NSF CyberTrust grat 7658. 8. REFERENCES [] B. Awerbuch, A. Richa, ad C. Scheideler. A jammig-resistat mac protocol for sigle-hop wireless etworks. I ACM PODC, 28. [2] E. Bayraktaroglu, C. Kig, X. Liu, G. Noubir, R. Rajarama, ad B. Thapa. O the performace of ieee 82. uder jammig. I Ifocom, 28. [3] M. A. Beder, M. Farach-Colto, S. He, B. C. Kuszmaul, ad C. E. Leiserso. Adversarial cotetio resolutio for simple chaels. I SPAA, 25. [4] T. Brow,. ames, ad A. Sethi. ammig ad sesig of ecrypted wireless ad hoc etworks. I ACM MobiHoc, 26. [5] A. Cha, X. Liu, G. Noubir, ad B. Thapa. Cotrol chael jammig: Resiliece ad idetificatio of traitors. I IEEE ISIT, 27. [6]. Chiag ad Y.-C. Hu. Cross-layer jammig detectio ad mitigatio i wireless broadcast etworks. I MobiCom, 27. [7] S. Gilbert, R. Guerraoui, ad C. Newport. Of malicious motes ad suspicious sesors: O the efficiecy of malicious iterferece i wireless etworks. I OPODIS, 26. [8] B. Gupta, S. Gupta, ad S. Chag. Performace aalysis of elliptic curve cryptography for ssl. I MobiCom, 22. [9] http://www.cv.rao.edu/pdemores/gpu/. Gpu bechmarkig. [] M. Li, I. Koutsopoulos, ad R. Poovedra. Optimal jammig attacks ad etwork defese policies i wireless sesor etworks. I INFOCOM, 27. [] G. Li ad G. Noubir. O lik layer deial of service i data wireless las. Wireless Commuicatio ad Mobile Computig, 25. [2] K. B. Rasmusse, S. Capku, ad M. Cagalj. Secav: Secure broadcast localizatio ad time sychroizatio i wireless etworks. I MobiCom, 27. [3] M. K. Simo,. K. Omura, R. A. Scholtz, ad B. K. Levitt. Spread spectrum commuicatios; vols. -3. Computer Sciece Press, Ic., NY, 986. [4] M. Strasser, C. Popper, S. Capku, ad M. Cagalj. ammig-resistat key establishmet usig ucoordiated frequecy hoppig. I ISSP, 28. [5] P. Tague, D. Slater, G. Noubir, ad R. Poovedra. Liear programmig models for jammig attacks o etwork traffic flows. I WiOpt, 28. [6] W. Xu, K. Ma, W. Trappe, ad Y. Zhag. ammig sesor etworks: attack ad defese strategies. IEEE Network, 26.