Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

3 packet-hiding methods for preventing selective


Published on

Published in: Education
  • Be the first to comment

3 packet-hiding methods for preventing selective

  1. 1. IEEE TRANSACTIONS VOL. 9, NO. 1, JAN-FEB 2012 Packet-Hiding Methods for Preventing Selective Jamming Attacks ˜ Alejandro Proano and Loukas Lazos Dept. of Electrical and Computer Engineering, University of Arizona, Tucson, AZ, USA E-mail:{aaproano, llazos} Abstract—The open nature of the wireless medium leaves it vulnerable to intentional interference attacks, typically referred to as jamming. This intentional interference with wireless transmissions can be used as a launchpad for mounting Denial-of-Service attacks on wireless networks. Typically, jamming has been addressed under an external threat model. However, adversaries with internal knowledge of protocol specifications and network secrets can launch low-effort jamming attacks that are difficult to detect and counter. In this work, we address the problem of selective jamming attacks in wireless networks. In these attacks, the adversary is active only for a short period of time, selectively targeting messages of high importance. We illustrate the advantages of selective jamming in terms of network performance degradation and adversary effort by presenting two case studies; a selective attack on TCP and one on routing. We show that selective jamming attacks can be launched by performing real-time packet classification at the physical layer. To mitigate these attacks, we develop three schemes that prevent real-time packet classification by combining cryptographic primitives with physical-layer attributes. We analyze the security of our methods and evaluate their computational and communication overhead. Index Terms—Selective Jamming, Denial-of-Service, Wireless Networks, Packet Classification.1 I NTRODUCTION to node compromise, neutralizes the gains of SS. BroadcastWireless networks rely on the uninterrupted availability of communications are particularly vulnerable under an in-the wireless medium to interconnect participating nodes. ternal threat model because all intended receivers must beHowever, the open nature of this medium leaves it vulner- aware of the secrets used to protect transmissions. Hence,able to multiple security threats. Anyone with a transceiver the compromise of a single receiver is sufficient to revealcan eavesdrop on wireless transmissions, inject spurious relevant cryptographic information.messages, or jam legitimate ones. While eavesdropping and In this paper, we address the problem of jamming un-message injection can be prevented using cryptographic der an internal threat model. We consider a sophisticatedmethods, jamming attacks are much harder to counter. adversary who is aware of network secrets and the imple-They have been shown to actualize severe Denial-of-Service mentation details of network protocols at any layer in the(DoS) attacks against wireless networks [12], [17], [36], [37]. network stack. The adversary exploits his internal knowl-In the simplest form of jamming, the adversary interferes edge for launching selective jamming attacks in which specificwith the reception of messages by transmitting a continuous messages of “high importance” are targeted. For example,jamming signal [25], or several short jamming pulses [17]. a jammer can target route-request/route-reply messages at Typically, jamming attacks have been considered under the routing layer to prevent route discovery, or target TCPan external threat model, in which the jammer is not acknowledgments in a TCP session to severely degrade thepart of the network. Under this model, jamming strategies throughput of an end-to-end flow.include the continuous or random transmission of high- To launch selective jamming attacks, the adversary mustpower interference signals [25], [36]. However, adopting an be capable of implementing a “classify-then-jam” strategy“always-on” strategy has several disadvantages. First, the before the completion of a wireless transmission. Suchadversary has to expend a significant amount of energy strategy can be actualized either by classifying transmittedto jam frequency bands of interest. Second, the continuous packets using protocol semantics [1], [33], or by decodingpresence of unusually high interference levels makes this packets on the fly [34]. In the latter method, the jammertype of attacks easy to detect [17], [36], [37]. may decode the first few bits of a packet for recovering Conventional anti-jamming techniques rely extensively useful packet identifiers such as packet type, source andon spread-spectrum (SS) communications [25], or some destination address. After classification, the adversary mustform of jamming evasion (e.g., slow frequency hopping, induce a sufficient number of bit errors so that the packetor spatial retreats [37]). SS techniques provide bit-level pro- cannot be recovered at the receiver [34]. Selective jammingtection by spreading bits according to a secret pseudo-noise requires an intimate knowledge of the physical (PHY) layer,(PN) code, known only to the communicating parties. These as well as of the specifics of upper layers.methods can only protect wireless transmissions under the Our Contributions–We investigate the feasibility of real-external threat model. Potential disclosure of secrets due time packet classification for launching selective jamming attacks, under an internal threat model. We show thatA preliminary version of this paper was presented at IEEE ICC 2010 Conference. such attacks are relatively easy to actualize by exploitingThis research was supported in part by NSF (CNS-0844111, CNS-1016943). Anyopinions, findings, conclusions, or recommendations expressed in this paper are knowledge of network protocols and cryptographic primi-those of the author(s) and do not necessarily reflect the views of NSF. tives extracted from compromised nodes. We investigate the
  2. 2. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 Frame Source Dest. Seq. Addl. control adr. adr. number param. MAC PHY Preamble PHY hdr MAC hdr Payload CRC trailer (a) (b)Fig. 1. (a) Realization of a selective jamming attack, (b) a generic frame format for a wireless network.impact of selective jamming on critical network functions. modulation scheme. Every symbol carries α q data bits, βOur findings indicate that selective jamming attacks lead where α/β is the rate of the PHY-layer encoder. Here, theto a DoS with very low effort on behalf of the jammer. transmission bit rate is equal to qR bps and the informationTo mitigate such attacks, we develop three schemes that bit rate is α qR bps. Spread spectrum techniques such βprevent classification of transmitted packets in real time. as frequency hopping spread spectrum (FHSS), or directOur schemes rely on the joint consideration of crypto- sequence spread spectrum (DSSS) may be used at the PHYgraphic mechanisms with PHY-layer attributes. We analyze layer to protect wireless transmissions from jamming. SSthe security of our schemes and show that they achieve provides immunity to interference to some extent (typicallystrong security properties, with minimal impact on the 20 to 30 dB gain), but a powerful jammer is still capable ofnetwork performance. jamming data packets of his choosing. The remainder of the paper is organized as follows. In Transmitted packets have the generic format depictedSection 2, we describe the problem addressed, and state the in Fig. 1(b). The preamble is used for synchronizing thesystem and adversarial model. In Section 3, we show the sampling process at the receiver. The PHY layer headerfeasibility of selective jamming attacks. Section 4 illustrates contains information regarding the length of the frame,the impact of selective jamming. In Sections 5, 6, and 7, and the transmission rate. The MAC header determineswe develop methods for preventing selective jamming. In the MAC protocol version, the source and destination ad-Section 8, we evaluate the impact of our attack mitigation dresses, sequence numbers plus some additional fields. Themethods on the network performance. Section 9, presents MAC header is followed by the frame body that typicallyrelated work. In Section 10, we conclude. contains an ARP packet or an IP datagram. Finally, the MAC frame is protected by a cyclic redundancy check2 P ROBLEM S TATEMENT AND A SSUMPTIONS (CRC) code. At the PHY layer, a trailer may be appended2.1 Problem Statement for synchronizing the sender and receiver. Adversary Model–We assume the adversary is in controlConsider the scenario depicted in Fig. 1(a). Nodes A and B of the communication medium and can jam messages at anycommunicate via a wireless link. Within the communication part of the network of his choosing (similar to the Dolev-range of both A and B there is a jamming node J. When A Yao model). The adversary can operate in full-duplex mode,transmits a packet m to B, node J classifies m by receiving thus being able to receive and transmit simultaneously. Thisonly the first few bytes of m. J then corrupts m beyond can be achieved, for example, with the use of multi-radiorecovery by interfering with its reception at B. We address transceivers. In addition, the adversary is equipped withthe problem of preventing the jamming node from classifying directional antennas that enable the reception of a signalm in real time, thus mitigating J’s ability to perform selective from one node and jamming of the same signal at another.jamming. Our goal is to transform a selective jammer to For analysis purposes, we assume that the adversary cana random one. Note that in the present work, we do not pro-actively jam a number of bits just below the ECCaddress packet classification methods based on protocol capability early in the transmission. He can then decide tosemantics, as described in [1], [4], [11], [33]. irrecoverably corrupt a transmitted packet by jamming the last symbol. In reality, it has been demonstrated that selective2.2 System and Adversary Model jamming can be achieved with far less resources [32], [34].Network model–The network consists of a collection of A jammer equipped with a single half-duplex transceiver isnodes connected via wireless links. Nodes may commu- sufficient to classify and jam transmitted packets. However,nicate directly if they are within communication range, or our model captures a more potent adversary that can beindirectly via multiple hops. Nodes communicate both in effective even at high transmission speeds.unicast mode and broadcast mode. Communications can be The adversary is assumed to be computationally andeither unencrypted or encrypted. For encrypted broadcast storage bounded, although he can be far superior to normalcommunications, symmetric keys are shared among all nodes. In particular, he can be equipped with special pur-intended receivers. These keys are established using pre- pose hardware for performing cryptanalysis or any othershared pairwise keys or asymmetric cryptography. required computation. Solving well-known hard crypto- Communication Model–Packets are transmitted at a rate graphic problems is assumed to be time-consuming. For theof R bauds. Each PHY-layer symbol corresponds to q bits, purposes of analysis, given a ciphertext, the most efficientwhere the value of q is defined by the underlying digital method for deriving the corresponding plaintext is assumed
  3. 3. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012to be an exhaustive search on the key space. data is passed via a 1/2-rate encoder before it is mapped The implementation details of every layer of the network to an OFDM symbol of q = 48 bits. In this case, decodingstack are assumed to be public. Furthermore, the adversary of one symbol provides 24 bits of data. At the highest datais capable of physically compromising network devices rate of 54 Mbps, 216 bits of data are recovered per symbol.and recovering stored information including cryptographic From our analysis, it is evident that intercepting the firstkeys, PN codes, etc. This internal adversary model is re- few symbols of a packet is sufficient for obtaining relevantalistic for network architectures such as mobile ad-hoc, header information. For example, consider the transmissionmesh, cognitive radio, and wireless sensor networks, where of a TCP-SYN packet used for establishing a TCP connec-network devices may operate unattended , thus being tion at the transport layer. Assume an 802.11a PHY layersusceptible to physical compromise. with a transmission rate of 6 Mbps. At the PHY layer, a 40- bit header and a 6-bit tail are appended to the MAC packet carrying the TCP-SYN packet. At the next stage, the 1/2-3 R EAL - TIME PACKET C LASSIFICATION rate convolutional encoder maps the packet to a sequenceIn this section, we describe how the adversary can classify of 1,180 bits. In turn, the output of the encoder is split intopackets in real time, before the packet transmission is 25 blocks of 48 bits each and interleaved on a per-symbolcompleted. Once a packet is classified, the adversary may basis. Finally, each of the blocks is modulated as an OFDMchoose to jam it depending on his strategy. symbol for transmission. The information contained in each Consider the generic communication system depicted in of the 25 OFDM symbols is as follows:Fig. 2. At the PHY layer, a packet m is encoded, interleaved, - Symbols 1-2 contain the PHY-layer header and theand modulated before it is transmitted over the wireless first byte of the MAC header. The PHY header revealschannel. At the receiver, the signal is demodulated, de- the length of the packet, the transmission rate, andinterleaved, and decoded, to recover the original packet m. synchronization information. The first byte of the MAC header reveals the protocol version and the type and subtype of the MAC frame (e.g., DATA, ACK). - Symbols 3-10 contain the source and destination MAC addresses, and the length of the IP packet header. - Symbols 11-17 contain the source and destination IP addresses, the size of the TCP datagram carried by the IP packet, and other IP layer information. The first two bytes of the TCP datagram reveal the source port.Fig. 2. A generic communication system diagram. - Symbols 18-23 contain the TCP destination port, se- The adversary’s ability in classifying a packet m depends quence number, acknowledgment number, TCP flags,on the implementation of the blocks in Fig. 2. The channel window size, and the header checksum.encoding block expands the original bit sequence m, adding - Symbols 24-25 contain the MAC CRC code.necessary redundancy for protecting m against channel Our example illustrates that a packet can be classified aterrors. For example, an α/β-block code may protect m different layers and in various ways. MAC layer classifica-from up to e errors per block. Alternatively, an α/β-rate tion is achieved by receiving the first 10 symbols. IP layerconvolutional encoder with a constraint length of Lmax , and classification is achieved by receiving symbols 10 and 11,a free distance of e bits provides similar protection. For our while TCP layer classification is achieved by symbols 12-19.purposes, we assume that the rate of the encoder is α/β. An intuitive solution to selective jamming would beAt the next block, interleaving is applied to protect m from the encryption of transmitted packets (including headers)burst errors. For simplicity, we consider a block interleaver with a static key. However, for broadcast communications,that is defined by a matrix Ad×β 1 . The de-interleaver is this static decryption key must be known to all intendedsimply the transpose of A. Finally, the digital modulator receivers and hence, is susceptible to compromise. Anmaps the received bit stream to symbols of length q, and adversary in possession of the decryption key can startmodulates them into suitable waveforms for transmission decrypting as early as the reception of the first ciphertextover the wireless channel. Typical modulation techniques block. For example, consider the cipher-block chaininginclude OFDM, BPSK, 16(64)-QAM, and CCK. (CBC) mode of encryption [27]. To encrypt a message m In order to recover any bit of m, the receiver must collect with a key k and an initialization vector IV, message m isd · β bits for de-interleaving. The d · β de-interleaved bits are split into x blocks m1 , m2 , . . . mx , and each ciphertext blockthen passed through the decoder. Ignoring any propagation ci , is generated as:and decoding delays, the delay until decoding the first c1 = IV, ci+1 = Ek (ci ⊕ mi ), i = 1, 2, . . . , x, (1)block of data is ⌈ dβ ⌉ symbol durations. As an example, in qthe 802.11a standard, operating at the lowest rate of 6 Mbps, where Ek (m) denotes the encryption of m with key k. The plaintext mi is recovered by: 1. Without loss of generality we assume that the number of columns ofthe interleaving matrix is equal to the length β of the codewords. mi = ci ⊕ Dk (ci+1 ), i = 1, 2, . . . , x. (2)
  4. 4. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 3 5 3 10 10 10 TCP-ACK RTS/CTS Data Random Number of Packets 2 4 2 10 10 10 E[D] (sec) E[T ] (bps) 1 3 1 10 10 10 TCP-ACK TCP-ACK RTS/CTS RTS/CTS Data Data 0 Random 2 0 Random 10 10 10 0 0.2 0.4 0.6 0.8 0 0.2 0.4 0.6 0.8 0 0.2 0.4 0.6 0.8 Jamming Probability p Jamming Probability p Jamming Probability p (a) (b) (c) 0 0 10 1 10 TCP-ACK RTS/CTS Data −1 −2 Random 0.8 10 Routes (normalized) 10 t (normalized) t (normalized) −2 0.6 10 −4 10 −3 0.4 10 −6 10 −4 0.2 10 −8 −5 10 0 10 0 0.2 0.4 0.6 0.8 R. 0.3 R. 0.5 R. 0.7 R. 0.9 Sel. Con. R 0.3 R 0.5 R 0.7 R 0.9 Sel. Con. Jamming Probability p (d) (e) (f)Fig. 3. (a) Average application delay E[D], (b) average effective throughput E[T ], (c) number of packets jammed, (d) fractionof time the jammer is active, (e) number of connections established in the network, (f) fraction of time the jammer is active.R p: random jammer with probability p; Con.: constant jammer; Sel.: selective jammer.Note from (2) that reception of ci+1 is sufficient to recover Selective Jamming at the Transport Layer–In the firstmi if k is known (c1 = IV is also known). Therefore, real- set of experiments, we setup a file transfer of a 3 MB filetime packet classification is still possible. between two users A and B connected via a multi-hop One solution to the key compromise problem would route. The TCP protocol was used to reliably transport thebe to update the static key whenever it is compromised. requested file. At the MAC layer, the RTS/CTS mechanismHowever, such a solution is not useful if the compromised was enabled. The transmission rate was set to 11 Mbps atnode obtains the new key. This can only be avoided if there each link. The jammer was placed within the proximityis a mechanism by which the set of compromised nodes can of one of the intermediate hops of the TCP identified. Such a task is non-trivial when the leaked key Four jamming strategies were considered: (a) selective jam-is shared by multiple nodes. Any node that possesses the ming of cumulative TCP-ACKs, (b) selective jamming ofshared key is a candidate malicious node. RTS/CTS messages, (c) selective jamming of data packets, Moreover, even if the encryption key of a hiding scheme and (d) random jamming of any packet. In each of thewere to remain secret, the static portions of a transmitted strategies, a fraction p of the targeted packets is jammed.packet could potentially lead to packet classification. Thisis because for computationally-efficient encryption meth- In Fig. 3(a), we show the average delay E[D] for complet-ods such as block encryption, the encryption of a prefix ing the file transfer, as a function of the jamming probabilityplaintext with the same key yields a static ciphertext pre- p (averaged over repeated experiments). In Fig. 3(b), wefix. Hence, an adversary who is aware of the underlying show the average throughput E[T ] as a function of p. Itprotocol specifics (structure of the frame) can use the static can be observed that all jamming attacks have significantciphertext portions of a transmitted packet to classify it. impact on E[D] which grows several orders of magnitude larger compared to the delay in the absence of a jammer. Similarly, the effective throughput drops drastically under4 I MPACT OF S ELECTIVE JAMMING both random and selective jamming attacks. TCP perfor-In this section, we illustrate the impact of selective jamming mance under jamming of TCP-ACKs can be interpretedattacks on the network performance. We used OPNETTM by the congestion control mechanism of the TCP protocol.Modeler 14.5 [18] to implement selective jamming attacks When cumulative ACKs are lost (in our case jammed),in two multi-hop wireless network scenarios. In the first the sender has to retransmit all unacknowledged datascenario, the attacker targeted a TCP connection established packets, thus increasing the incurred delay while reducingover a multi-hop wireless route. In the second scenario, the the effective throughput. At the same time, the senderjammer targeted network-layer control messages transmit- interprets the loss of ACKs as congestion and throttlested during the route establishment process. its packet transmission rate by reducing the size of the
  5. 5. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012transmission window. This leads to a further slow down 5.1 Mapping to Commitment Schemesof the application. Note that, for values of p > 0.4, the TCP Commitment schemes are cryptographic primitives thatconnection is aborted for the case of random and TCP-ACK allow an entity A, to commit to a value m, to an entityjamming, due to the repeated timeouts at the sender. V while keeping m hidden. Commitment schemes are Fig. 3(c) depicts the number of packets that were jammed formally defined as follows [7].by the adversary for each value of p. Finally, Fig. 3(d) shows Commitment Scheme: A commitment scheme is a two-the fraction of time that the jammer remained active. Here, phase interactive protocol defined as a triple {X , M, E}.for selective jamming attacks, we assumed that 13% of the Set X = {A, V } denotes two probabilistic polynomial-timepacket has to be corrupted in order to be dropped [17]. In interactive parties, where A is known as the committer andthe case of random jamming, the adversary is not aware of V as the verifier; set M denotes the message space, and setthe type of packets transmitted (by means of processing the E = {(ti , fi )} denotes the events occurring at protocol stagesheader of these packets). Hence, he is assumed to jam the ti (i = 1, 2), as per functions fi (i = 1, 2). During commit-entire packet in order to drop it. We observe that selective ment stage t1 , A uses a commitment function f1 = commit()jamming requires the jamming of approximately one order to generate a pair (C, d) = commit(m), where (C, d) isof magnitude less packets than random jamming. This is called the commitment/decommitment pair. At the end ofbecause, as the packet transmission rate of the sender drops stage t1 , A releases the commitment C to V . In the openfewer packets need to be selectively targeted. Moreover, stage t2 , A releases the opening value d. Upon receptionin selective jamming, the fraction of time the adversary of d, V opens the commitment C, by applying functionremains active is several orders of magnitude less compared to f2 = open(), thus obtaining a value of m′ = open(C, d). Thisrandom jamming. From Fig. 3(d), we observe that targeting stage culminates in either acceptance (m′ = m) or rejectioncontrol packets such as RTS/CTS messages and TCP-ACKs (m′ = m) of the commitment by V . Commitment schemesyields the lowest jamming activity, because control packets satisfy the following two fundamental properties:are significantly smaller compared to data packets. Suchlow-effort jamming attacks are not only efficient in terms of - Hiding: For every polynomial-time party V interactingenergy expenditure, but also challenging in localizing and with A, there is no (probabilistic) polynomially-efficientphysically removing the jamming devices. Typical methods algorithm that would allow V to associate C with mof transmitter localization such as received signal strength and C ′ with m′ , without access to the decommitmentand angle of arrival measurements require that the jamming values d or d′ respectively, and with non-negligibledevice remains active for extended periods of time. probability. Selective Jamming at the Network Layer–In this sce- - Binding: For every polynomial-time party A interact-nario, we simulated a multi-hop wireless network of 35 ing with V , there is no (probabilistic) polynomially-nodes, randomly placed within a square area. The AODV efficient algorithm that would allow A to generate arouting protocol was used to discover and establish routing triple (C, d, d′ ), such that V accepts the commitmentspaths [19]. Connection requests were initiated between ran- (C, d) and (C, d′ ), with non-negligible probability.dom source/destination pairs. Three jammers were strate- In our context, the role of the committer is assumed bygically placed to selectively jam non-overlapping areas the transmitting node S. The role of the verifier is assumedof the network. Three types of jamming strategies were by any receiver R, including the jammer J. The committedconsidered: (a) a continuous jammer, (b) a random jammer value m is the packet that S wants to communicate toblocking only a fraction p of the transmitted packets, and (c) R. To transmit m, the sender computes the correspondinga selective jammer targeting route request (RREQ) packets. commitment/decommitment pair (C, d), and broadcasts C. In Fig. 3(e), we show the number of connections es- The hiding property ensures that m is not revealed duringtablished, normalized over the number of connections in the transmission of C. To reveal m, the sender releases thethe absence of the jammers. Fig. 3(f) shows the fraction of decommitment value d, in which case m is obtained bytime that the jammer was active during our simulation, for all receivers, including J. Note that the hiding property,each jamming strategy. We observe that a selective jamming as defined in commitment schemes, does not consider theattack against RREQ messages is equally effective to a partial release of d and its implications on the partial revealconstant jamming attack. However, selective jamming is of m. In fact, a common way of opening commitments isseveral orders of magnitude more efficient as it is illustrated by releasing the committed value itself [7].in Fig. 3(f). On the other hand, random jamming fails to For most applications, partial reveal of m with the partialdisrupt the route discovery process due to the flooding release of d does not constitute a security risk. After all, themechanism of AODV. committer intends to reveal m by exposing d. However, in our context, a partial reveal of m while d is being5 H IDING BASED ON C OMMITTMENTS transmitted can lead to the classification of m before theIn this section, we show that the problem of real-time packet transmission of d is completed. Thus, the jammer hasclassification can be mapped to the hiding property of the opportunity to jam d instead of C once m has beencommitment schemes, and propose a packet-hiding scheme classified. To prevent this scenario, we introduce the strongbased on commitments. hiding property:
  6. 6. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 - Strong Hiding: For every polynomial-time party V in- teracting with A and possessing pairs (C, dpart ) and (C ′ , d′ ), there is no (probabilistic) polynomially- part efficient algorithm that would allow V associate C with m and C ′ with m′ , with non-negligble probability. Here, dpart and d′ ′ part are partial releases of d and d , ′ respectively, and the remaining parts of d and d are assumed to be secret. In the above definition, it is easily seen that the releaseof dpart must be limited to a fraction of d, in order form to remain hidden. If a significant part of d becomesknown to the verifier, trivial attacks, such as brute forcing Fig. 4. Processing at the hiding sublayer.the unknown bits of d, become possible. input to the encryption algorithm and delay the reception5.2 A Strong Hiding Commitment Scheme (SHCS) of critical packet identifiers such as headers. After theWe propose a strong hiding commitment scheme (SHCS), permutation, π1 (m) is encrypted using a random key k towhich is based on symmetric cryptography. Our main produce the commitment value C = Ek (π1 (m)). Althoughmotivation is to satisfy the strong hiding property while the random permutation of m and its encryption with akeeping the computation and communication overhead to random key k seemingly achieve the same goal (i.e., thea minimum. Assume that the sender S has a packet m for randomization of the ciphertext), in Section 5.4 we showR. First, S constructs (C, d) = commit(m), where, that both are necessary to achieve packet hiding. In the next step, a padding function pad() appends C = Ek (π1 (m)), d = k. pad(C) bits to C, making it a multiple of the symbol size. Here, the commitment function Ek () is an off-the-shelf Finally, C||pad(C)||k is permuted by applying a publiclysymmetric encryption algorithm (e.g., DES or AES [27]), known permutation π2 . The purpose of π2 is to ensure thatπ1 is a publicly known permutation, and k ∈ {0, 1}s is a the interleaving function applied at the PHY layer does notrandomly selected key of some desired key length s (the disperse the bits of k to other symbols. We now present thelength of k is a security parameter). The sender broadcasts padding and permutation functions in detail.(C||d), where “||” denotes the concatenation operation. Padding–The purpose of padding is to ensure that k isUpon reception of d, any receiver R computes modulated in the minimum number of symbols needed for its transmission. This is necessary for minimizing the time −1 m = π1 (Dk (C)) , for which parts of k become exposed. Let ℓ1 denote the −1where π1 denotes the inverse permutation of π1 . To satisfy number of bits padded to C. For simplicity, assume thatthe strong hiding property, the packet carrying d is format- the length of C is a multiple of the block length of theted so that all bits of d are modulated in the last few PHY layer symmetric encryption algorithm and hence, has the samesymbols of the packet. To recover d, any receiver must receive length ℓ as the original message m. Let also ℓ2 denote theand decode the last symbols of the transmitted packet, length of the header added at the PHY layer The framethus preventing early disclosure of d. We now present the carrying (C, d) before the encoder has a length of (ℓ + ℓ1 +implementation details of SHCS. ℓ2 +s) bits. Assuming that the rate of the encoder is α/β the β output of the encoder will be of length, α (ℓ + ℓ1 + ℓ2 + s). For the last symbol of transmission to include α q bits of β5.3 Implementation Details of SHCS the key k, it must hold that,The proposed SHCS requires the joint consideration of the α βMAC and PHY layers. To reduce the overhead of SHCS, the ℓ1 = q − (ℓ + ℓ2 ) mod q) . (3)decommitment value d (i.e., the decryption key k) is carried β αin the same packet as the committed value C. This saves the Permutation–The hiding layer applies two publiclyextra packet header needed for transmitting d individually. known permutations π1 and π2 at different processingTo achieve the strong hiding property, a sublayer called the stages. Permutation π1 is applied to m before it is encrypted.“hiding sublayer” is inserted between the MAC and the The purpose of π1 is twofold. First, it distributes criticalPHY layer. This sublayer is responsible for formatting m frame fields which can be used for packet classificationbefore it is processed by the PHY layer. The functions of across multiple plaintext blocks. Hence, to reconstruct thesethe hiding sublayer are outlined in Fig. 4. fields, all corresponding ciphertext blocks must be received Consider a frame m at the MAC layer delivered to the and decrypted. Moreover, header information is pushedhiding sublayer. Frame m consists of a MAC header and at the end of π1 (m). This prevents early reception of thethe payload, followed by the trailer containing the CRC corresponding ciphertext blocks.code. Initially, m is permuted by applying a publicly known For example, consider the transmission of a MAC framepermutation π1 . The purpose of π1 is to randomize the of length 2,336 bytes which carries a TCP data packet. The
  7. 7. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 Field 1 Field 2 Field 3 Field n Random Payload } received first. The jammer can attempt to classify m by } } } } m launching a ciphertext-only attack on C as early as the re- . . . . . . . . . . . . . . . . . . ception of the first ciphertext block. Because the encryption π1(m) ... ... ... key is refreshed at every transmission, a very small number of ciphertext blocks are available for cryptanalysis. Appro- Ek(π1(m)) ... priate selection of the key length s can prevent this type of attack. Note that s can be well below the cryptographicFig. 5. Application of permutation π1 on packet m. standards, due to the limited time available to the adversary (until the transmission is completed). For instance, a 56-bitMAC header is 28 bytes long and has a total of 18 distinct long DES key is more than adequate for our purposes, sincefields. TCP header is 20 bytes long (assuming no optional the fastest known brute force attack on DES takes almost afields) and has 17 distinct fields. Assume the encryption day [24]. Other types of known attacks such as differentialof a fixed block of 128 bits. Packet π1 (m) is partitioned to and linear cryptanalysis are not applicable, because they146 plaintext blocks {p1 , p2 , . . . , p146 }, and is encrypted to require the collection of a large number of chosen or knownproduce 146 ciphertext blocks C = c1 ||c2 || . . . ||c146 . Each plaintext/ciphertext pairs [27].field of the TCP and MAC headers is distributed bit-by-bit Even if the key for a particular packet is revealed tofrom the most significant bit (MSB) to the least significant the adversary, packet classification is delayed until the endbit (LSB) to each of the plaintext blocks in the reverse block of C’s transmission. The application of the permutationorder. This process is depicted in Fig. 5. function π1 distributes frame fields to ciphertext blocks For fields longer than one bit, bits are numbered from in the reverse order of transmission, with the MSBs fromthe LSB to the MSB and are placed in reverse order to each field appearing on the last ciphertext block. Hence,each plaintext block. To recover any field i that is ℓi bits reception of all blocks of C is required for the completelong, the last ℓi ciphertext blocks must be received and recovery of headers. To minimize the communication over-decrypted. If ℓi > ℓb , where ℓb denotes the ciphertext block head, k must be selected to be of the smallest lengthlength, the bit placement process continues in a round- adequate for the protection of C, for the time requiredrobin fashion. The second goal of the permutation π1 is to transmit one packet. However, special care must beto randomize the plaintext blocks. Assuming a random taken to withstand codebooks attacks on k. In such attacks,payload, the permutation distributes the payload bits to all the adversary can encrypt a particular message of inter-plaintext blocks processed by the encryption function, thus est with all possible keys and construct a look-up tablerandomizing each ciphertext block. (codebook) of all possible ciphertexts. If the encryption Permutation π2 is applied to reverse the effects of in- of all possible messages with all possible keys results interleaving on the bits of k, so that k is contained at the unique ciphertexts, there is a 1-1 correspondence betweenpacket trailer. Interleaving can be applied across multiple a ciphertext and the generating plaintext/key pair. Thisfrequencies on the same symbol (e.g., in OFDM), or it may property is guaranteed with high probability when thespan multiple symbols [9]. For example, consider a d × β plaintext space M and the key space K are much smallerblock interleaver. Without loss of generality, assume that than the ciphertext space C. Assuming the encryption ofβ = q, and let the last n rows of the last block passed a plaintext block mi with a key ki randomly maps to avia the interleaver correspond to the encoded version of ciphertext ci = Eki (mi ), every ciphertext ci ∈ C occurs withthe random key k. Permutation π2 rearranges the bits of 1 probability pc = |C| . The problem of finding the probabilityk at the interleaver matrix Ad×β in such a way that all that all |M||K| ciphertexts produced by the encryption ofbits of k appear in the last n columns. Therefore, the all plaintexts with all keys are unique, can be formulatedbits of k will be modulated as the last n symbols of the as a “birthday problem” [27]:transmitted packet. Note that this operation affects onlythe interleaver block(s) that carries k. For the rest of the −|M|·|K|(|M|·|K|−1) Pr[ciphertexts unique] ≈ e 2|C| .packet, the interleaving function is performed normally,thus preserving the benefits of interleaving. For PHY layer As an example, consider the encryption of a message m =implementations in which interleaving is applied on a per- {m1 , m2 , . . . mx } with a key k of length 56 bits, using blockssymbol basis (e.g, 802.11a and 802.11g), the application of of 128 bits. For a fairly small plaintext space (e.g., |M| = 16),permutation π2 is not necessary. the probability of ciphertext uniqueness is equal to 99.8%. Thus, the adversary can recover k, by launching a codebook5.4 Security Analysis attack on m1 . The remaining ci ’s are decrypted in real-time,In this section, we analyze the security of SHCS by evalu- using the known value of k. Here, the plaintext space for m1ating the ability of J in classifying a transmitted packet at is considered to be small because of the structure imposeddifferent stages of the packet transmission. by the static header of a packet (all fields of the header are Release of C–We first examine if J can classify m by known to the adversary). Randomization of the plaintext,observing the commitment value C. Though C and k are ensures that all plaintexts are possible, thus equating thepart of the same packet, symbols corresponding to C are plaintext space with the ciphertext space.
  8. 8. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 Partial release of d–Depending on the PHY layer im- format (source/destination address must be in the contextplementation, d = k requires n ≥ 1 symbols for its of the communications, CRC code must be valid, etc). Giventransmission. Hence, part of k may become known before that k is transmitted right after C, the jammer has no timethe completion of the transmission of the packet at hand. to find an appropriate k ′ that would lead to the decryptionThis release reduces the search space for a brute force attack of an acceptable m′ , assuming that such m′ exists. If m′ ison k. Assume that the adversary pro-actively jams a few not meaningful, substituting k with k ′ is equivalent to asymbols below the ECC capability of the receiver during jamming attack on m without classification (no selectivity).the transmission of C. In the best case, he can postpone The binding property can be theoretically achieved if ahis decision to jam a transmitted packet until the trans- random string r is appended to m [23]. In this case, themission of the last symbol (jam one more symbol to drop commitment/decommitment pair (C, d) is,the packet). He must therefore complete the classification C = (γ, δ) = (Ek (m||r), r), d = k.process before the last symbol is transmitted. Assuming thatthe adversary waits until the maximum number of bits of Provided that r is sufficiently long, a computationallyk are released, the key search space before the transmission α bounded jammer cannot find a k ′ such that Dk′ (C) = m′ ||r.of the last two symbols is equal to 22 β q keys. The adversary In this case, r preserves the integrity of message m. Since αmust be capable of performing on average N = 2(2 β q−1) R the addition of r is not necessary for preventing real-timedecryptions per second in order to find k before the last classification of m, we leave the implementation of thesymbol is transmitted2 . Here, we have assumed that, on binding property to the discretion of the system designer.average, half the key space must be searched. For example, assume an 802.11a PHY layer operating at 5.5 Resource Overhead of SHCS6 Mbps, with every symbol carrying 24 bits of information.Consider k to be a 56-bit DES key, fitting in three symbols. In this section we analyze the per-packet communicationThe computational capability of the adversary must be and computational overhead of SHCS.equal to N ≈ 3.52×1019 decryptions/sec in order to recover Communication Overhead–For every packet m, a ran-k before the completion of the packet transmission. The dom key k of length s is appended. Also, (ℓb − (ℓ mod ℓb ))fastest known hardware implementation of a DES cracker bits of overhead are added by the encryption algorithm,achieves a throughput of 2.92 × 1011 keys per second [24]. to convert a plaintext of length ℓ to a multiple of theFor an operating rate of 54 Mbps, all 56 bits of the key k encryption block. Thus, the communication overhead offit in one symbol (symbol size is 216 bits), thus preventing SHCS is equal to s + (ℓb − (ℓ mod ℓb )), per packet. Here,the partial release of the decommitment value d. we do not account for the padding string pad(C), because A brute force attack on k may be successful if q ≤ the addition of pad(C) does not increase the number of β 11 transmitted symbols.2α log2 N + 1 . For instance, when N = 2.92 × 10 , theadversary can find k if q ≤ 19 bits. In fact, for small values Computation Overhead–The computation overhead ofof q (e.g., 4), the adversary can launch the brute force attack SHCS is one symmetric encryption at the sender and oneon k, several symbols before the end of k’s transmission. symmetric decryption at the receiver. Because the headerTherefore, SHCS is suitable for PHY layer implementations information is permuted as a trailer and encrypted, allwhere the number of bits per symbol q is sufficiently large. receivers in the vicinity of a sender must receive the entireNote that our security analysis has excluded all processing packet and decrypt it, before the packet type and destina-delays from the time that symbols are received to the time tion can be determined. However, in wireless protocols suchthat they become available for cryptanalysis. as 802.11, the complete packet is received at the MAC layer Binding property–The binding property is not a security before it is decided if the packet must be discarded or berequirement of SHCS under our adversary model. Since further processed [9]. If some parts of the MAC header arethe primary goal of any sender S in the network is to deemed not to be useful information to the jammer, theycommunicate m, S has no interest in modifying m after can remain unencrypted in the header of the packet, thushe has committed to it. However, under a more general avoiding the decryption operation at the receiver.adversary model, the jammer may launch denial of serviceattacks by making the receiver R to accept a k ′ = k such 6 H IDING BASED ON C RYPTOGRAPHIC P UZZLESthat m′ = Dk (C) is a meaningful message. Even though ′ In this section, we present a packet hiding scheme based onSHCS is not designed to ensure the binding property of cryptographic puzzles. The main idea behind such puzzlescommitment schemes, generating a k ′ = k that opens a is to force the recipient of a puzzle execute a pre-definedvalid value of m′ = m is a computationally hard task. set of computations before he is able to extract a secret ofIn order to find such a k ′ , the jammer has to launch a interest. The time required for obtaining the solution ofbrute force attack on C. Here, not only the attack must be a puzzle depends on its hardness and the computationalperformed in a timely manner, but m′ has to be in the right ability of the solver [10]. The advantage of the puzzle- based scheme is that its security does not rely on the PHY 2. A more accurate calculation of N would assume an adversary tryinga brute force attack on k, with the reception of the first ciphertext block, layer parameters. However, it has higher computation andand adjusting the searching space according to the partial release of k. communication overhead.
  9. 9. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 Sender S Receiver R In a time-lock puzzle, the puzzle constructor generates a composite modulus g = u · v, where u and v are two generate: k, tp compute large random prime numbers. Then, he picks a random C, P C, P a, 1 < a < g and hides the encryption key in Kh = P = puzzle(k, tp) k = solve(P) t C = E k(π1(m)) k + a2 mod g, where t = tp · N , is the amount of time compute: m = π1-1(Dk(C)) required to solve for k. Here, it is assumed that the solver verify: m is meaningful can perform N squarings modulo g per second. Note that if not: discard m Kh can be computed efficiently if φ(g) = (u − 1)(v − 1) orFig. 6. The cryptographic puzzle-based hiding scheme. the factorization of g are known, otherwise a solver would have to perform all t squarings to recover k. The puzzle In our context, we use cryptographic puzzles to tempo- consists of the values P = (g, Kh , t, a).rary hide transmitted packets. A packet m is encrypted In our setup, the value of the modulus g is known a prioriwith a randomly selected symmetric key k of a desirable and need not be communicated (may change periodically).length s. The key k is blinded using a cryptographic puzzle The sender reveals the rest of the puzzle information in theand sent to the receiver. For a computationally bounded order (Kh , t, a). Note that if any of t, a are unknown, anyadversary, the puzzle carrying k cannot be solved before value of k is possible [22].the transmission of the encrypted version of m is completed Puzzles based on hashing–Computationally limited re-and the puzzle is received. Hence, the adversary cannot ceivers can incur significant delay and energy consumptionclassify m for the purpose of selective jamming. when dealing with modulo arithmetic. In this case, CPHS can be implemented from cryptographic puzzles which6.1 Cryptographic Puzzle Hiding Scheme (CPHS) employ computationally efficient cryptographic primitives.Let a sender S have a packet m for transmission. The Client puzzles proposed in [10], use one-way hash func-sender selects a random key k ∈ {0, 1}s , of a desired tions with partially disclosed inputs to force puzzle solverslength. S generates a puzzle P = puzzle(k, tp), where search through a space of a precisely controlled size. In ourpuzzle() denotes the puzzle generator function, and tp context, the sender picks a random key k with k = k1 ||k2 .denotes the time required for the solution of the puzzle. The lengths of k1 and k2 are s1 , and s2 , respectively. He thenParameter tp is measured in units of time, and it is directly computes C = Ek (π1 (m)) and transmits (C, k1 , h(k)) in thisdependent on the assumed computational capability of the particular order. To obtain k, any receiver has to performadversary, denoted by N and measured in computational on average 2s2 −1 hash operations (assuming perfect hashoperations per second. After generating the puzzle P , the functions). Because the puzzle cannot be solved before h(k)sender broadcasts (C, P ), where C = Ek (π1 (m)). At the has been received, the adversary cannot classify m beforereceiver side, any receiver R solves the received puzzle P ′ the completion of m’s recover key k ′ and then computes m′ = π −1 (Dk′ (C ′ )). Ifthe decrypted packet m′ is meaningful (i.e., is in the proper 6.3 Security Analysis of CPHSformat, has a valid CRC code, and is within the contextof the receiver’s communication), the receiver accepts that With the completion of the transmission of P , any receiverm′ = m. Else, the receiver discards m′ . Fig. 6 shows the can recover m. Therefore, a selective jammer must attemptdetails of CPHS. to classify m before the transmission of P has been com- pleted. We analyze the security of CPHS at different stages of its execution.6.2 Implementation Details of CPHS Reception of C–The jammer can attempt to classify mIn this section, we consider several puzzle schemes as the by cryptanalyzing ciphertext C = Ek (π1 (m)). This attack isbasis for CPHS. For each scheme, we analyze the imple- identical to the effort of classifying m with the transmissionmentation details which impact security and performance. of C at the SHCS. The same analysis presented in SectionCryptographic puzzles are primitives originally suggested 5.4 holds for the case of CPHS. The selection of a key ofby Merkle as a method for establishing a secret over an adequate length (e.g., 56-bit DES key) is sufficient to preventinsecure channel [16]. They find a wide range of applica- both ciphertext-only and codebook attacks.tions from preventing DoS attacks to providing broadcast Solving P –The transmission of k in the form of a puzzleauthentication and key escrow schemes. P prevents any receiver from recovering k for at least time Time-lock Puzzles–Rivest et al. proposed a construction tp , after the puzzle has been received. A jammer may trycalled time-lock puzzles, which is based on the iterative to guess and solve P before its transmission is completed.application of a precisely controlled number of modulo In the best case, the adversary must finish the classificationoperations [22]. Time-lock puzzles have several attractive of m before the transmission of the last symbol of P. Thefeatures such as the fine granularity in controlling tp and number of possible puzzle values at the beginning of the αthe sequential nature of the computation. Moreover, the second to last symbol are 22 β q . Assuming a brute forcepuzzle generation requires significantly less computation attack on the missing bits of the puzzle, the computational αcompared to puzzle solving. load of the adversary increases on average to 22 β q−1 tp .
  10. 10. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012The value of tp has already been selected to prevent the blocks, without any change on the size of the secret key.puzzle solution until its transmission is completed. Hence, Note that the original AONT proposed in [21] is computa-early solution of P before all its bits are received cannot be tionally secure. Several AONT schemes have been proposedachieved. Note that the security of CPHS is not dependent that extend the definition of AONT to undeniable securityon the PHY layer parameter q, but on the selection of [26]. Under this model, all plaintexts are equiprobable intp . Therefore, this method is applicable even to wireless the absence of at least one where q obtains relatively small values. 7.1 An AONT-based Hiding Scheme (AONT-HS)6.4 Resource Overhead of CPHS In our context, packets are pre-processed by an AONT be-Communication Overhead–The per-packet communication fore transmission but remain unencrypted. The jammer can-overhead of CPHS is equal to the length of P , in addition to not perform packet classification until all pseudo-messagesthe padding added by the encryption function. If the puzzle corresponding to the original packet have been receivedis realized using time-locks, the length of P is equal to the and the inverse transformation has been applied. Packet mlengths of Kh , a, and t. The value Kh is computed modulo g is partitioned to a set of x input blocks m = {m1 , . . . , mx },and has the same length as g. Similarly, a has a length equal which serve as an input to an AONT f : {Fu }x → {Fu }x . ′to the length of g. The size of t is potentially smaller than ′ Here, Fu denotes the alphabet of blocks mi and x denotesa, g, and Kh , and depends on the computational capability the number of output pseudo-messages with x′ ≥ x. Theof the adversary. The security of time locks depends on the set of pseudo-messages m′ = {m′ , . . . , m′ ′ } is transmitted 1 xdifficulty in factoring g or finding φ(g), where φ() denotes over the wireless medium. At the receiver, the inversethe Euler φ−function. Typical values of g are in the order transformation f −1 is applied after all x′ pseudo-messagesof 1,024 bits [27]. Since messages need to remain hidden for are received, in order to recover m.only a short period of time, the modulo can be chosen to beof much smaller size and be periodically refreshed. In thecase of hash-based puzzles, the communication overhead is 7.2 Implementation details of the AONT-HSequal to the transmission of the key k1 which is of length s1 In this section, we describe two AONTs which can beand the hash value h(k). The typical length of hash function employed in AONT-HS; a linear transformation [26], andis 160 bits [27]. the original package transformation [21]. Computation Overhead–In time-lock puzzles, the sender Linear AONT–In [26], Stinson showed how to constructhas to apply one permutation on m, perform one symmetric a linear AONT when the alphabet of the input blocks isencryption, and one modulo squaring operation to hide k. a finite field Fu , with the order u being a prime power.On the receiver side, the receiver has to perform t modulo He showed that if an invertible matrix M = {mij |mij ∈squaring operations to recover k, one symmetric decryption Fu , mij = 0}x×x exists, then the transformation f (m) =to recover π1 (m), and apply the inverse permutation. In the mM −1 is a linear AONT. He also provided a method forcase of hash-based puzzles, the modulo squaring operation constructing such M which is as substituted by, on average, 2s2 −1 hashing operations. Let u = v i , where v is prime and i is a positive integer. Choose λ ∈ Fu such that λ ∈ {n− 1 (mod v), n− 2 (mod v)} /7 H IDING BASED ON A LL - OR - NOTHING T RANS - and define the linear AONT LT to be,FORMATIONS   1 0 ··· 0 1In this section, we propose a solution based on All-Or-  . . .. . .   . . . . . Nothing Transformations (AONT) that introduces a modest LT =  . . . .  (4)  0 0 ··· 1 1 communication and computation overhead. Such transfor- 1 1 ··· 1 λmations were originally proposed by Rivest to slow downbrute force attacks against block encryption algorithms [21]. Given m = {m1 , . . . , mx },An AONT serves as a publicly known and completely x−1invertible pre-processing step to a plaintext before it is m′ = λmx + mj , m′ = mi + m′ , 1 ≤ i ≤ (x − 1). (5) x i xpassed to an ordinary block encryption algorithm. A trans- j=1formation f, mapping message m = {m1 , · · · , mx } to asequence of pseudo-messages m′ = {m′ , · · · , m′ ′ }, is an 1 x Conversely, given m′ = {m′ , . . . , m′ }, the original input 1 xAONT if [21]: (a) f is a bijection, (b) it is computationally m = {m1 , . . . , mx } is recovered as follows:infeasible to obtain any part of the original plaintext, if mi = m′ − m′ , 1 ≤ i ≤ (x − 1), i x (6)one of the pseudo-messages is unknown, and (c) f and its 1inverse f −1 are efficiently computable. mx = γ(m′ 1 + . . . m′ x−1 − m′ ), x γ= . (7) When a plaintext is pre-processed by an AONT before n−λ−1encryption, all ciphertext blocks must be received to obtain Note from (6), (7) that if any of the {m′ } is missing, all iany part of the plaintext. Therefore, brute force attacks are values of mi are possible, for every i. Thus, the linear AONTslowed down by a factor equal to the number of ciphertext provides undeniable security.
  11. 11. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 Sender S Receiver R symbol of m′ , is transmitted. The search space for m′ is x x reduced to its smallest value before the transmission of the compute: last two symbols, in which case the possible values of m are m || pad(m) α equal to 22 β q . The adversary must be capable of solving on transform: α average 22 β q−1 systems of linear equations in time equal m = f (m || pad(m)) m receive m 1 to the length of one symbol ( R sec), in the case of the compute linear AONT, or perform the same number of decryptions m || pad(m)= f -1(m) for the case of the package transform. For instance when recover m q = 48 and α/β = 1/2 (802.11a), the search space is equalFig. 7. The AONT-based Hiding Scheme (AONT-HS). to 1.4 × 1014 . As in the case of SHCS, when the value of q β becomes small (q ≤ 2α log2 N +1), a brute force attack on m The Package Transform–In the package transform [21], is possible. Therefore, AONT-HS is suitable for PHY layergiven a message m, and a random key k ′ , the output implementations where q is sufficiently large.pseudo-messages are computed as follows: m′ i = mi ⊕ Ek′ (i), for i = 1, 2, . . . , x (8) 7.4 Resource Overhead of the AONT-HS ′ mx+1 = k ′ ⊕ e1 ⊕ e2 ⊕ · · · ⊕ ex , (9) Communication Overhead–In AONT-HS, the original set of x messages is transformed to a set of x′ pseudo-messages,where ei = Ek0 (m′ ⊕ i), for i = 1, 2, . . . , x, and k0 is a fixed i with x′ ≥ x. Additionally, the function pad() appendspublicly-known encryption key. With the reception of all (ℓb − (ℓ mod ℓb )) bits in order to make the length of m apseudo-messages message m is recovered as follows: multiple of the length ℓb of the pseudo-messages m′ . Hence, k′ = m′ the communication overhead introduced is (ℓb (x′ − x) + ℓb − x+1 ⊕ e1 ⊕ e2 ⊕ · · · ⊕ ex , (10) ′ (ℓ mod ℓb )) bits. For the linear AONT, x = x′ , and therefore, mi = mi ⊕ Ek′ (i), for i = 1, 2, . . . , x. (11) only the padding communication overhead is introduced. Note that if any m′ is unknown, any value of k ′ is i For the package transform, the overhead is equal to thepossible, because the corresponding ei is not known. Hence, length of one pseudo-message (x′ = x + 1).Ek′ (i) cannot be recovered for any i, making it infeasible Computation Overhead–The linear AONT requires onlyto obtain any of the mi . elementary arithmetic operations such as string addition Hiding Sublayer Details–AONT-HS is implemented at and multiplication, making it particularly fast due to itsthe hiding sublayer residing between the MAC and the linear nature. The package transform requires x′ symmetricPHY layers. In the first step, m is padded by applying encryptions at the sender and an equal amount of sym-function pad() to adjust the frame length so that no padding metric decryptions at the receiver. Note that the length ofis needed at the PHY layer, and the length of m becomes the plaintext for the x′ encryptions is relatively small com-a multiple of the length of the pseudo-messages m′ . This i pared to the length of message m (indexes 1, . . . , x are en-will ensure that all bits of the transmitted packet are part of crypted). Therefore, only one ciphertext block is producedthe AONT. In the next step, m||pad(m) is partitioned to x per pseudo-message. Assuming a pseudo-message blockblocks, and the AONT f is applied. Message m′ is delivered size equal to the ciphertext block size ℓb , the computationalto the PHY layer. At the receiver, the inverse transformation overhead of the x′ encryptions required by the packagef −1 is applied to obtain m||pad(m). The padded bits are transform is equivalent to the overhead of one encryptionremoved and the original message m is recovered. The steps of a message of length ℓ + ℓb .of AONT-HS are shown in Fig. 7. 8 E VALUATION OF PACKET-H IDING T ECHNIQUES7.3 Security Analysis of the AONT-HS In this section, we evaluate the impact of our packet-hidingPartial reception of m′ , i < x′ –In the AONT-HS, the i techniques on the network performance via extensive sim-jammer may attempt to classify m without receiving all m′ i ulations. We used the OPNETTM Modeler 14.5 [18] to im-(1 ≤ i ≤ x′ ). By definition, AONTs prevent the computation plement the hiding sublayer and measure its impact on theof any part of m without the reception of all the pseudo- effective throughput of end-to-end connections and on themessages. In fact, for the linear AONT, undeniable security route discovery process in wireless ad-hoc networks. Weis achieved. The jammer can launch a brute force attack on chose a set of nodes running 802.11b at the PHY and MACm as early as the reception of m′ . However, the system of 1 layers, AODV for route discovery, and TCP at the transportequations formed by m′ ’s when at least one is missing, has i layer. Aside from our methods, we also implemented aa number of solutions equal to the message space. All these simple MAC layer encryption with a static are equiprobable. Impact on real-time systems–Our packet-hiding methods Partial release of m′ –With the partial release of the x require the processing of each individual packet by thelast pseudo-message m′ , the space of the possible original x hiding sublayer. We emphasize that the incurred processingmessages m is reduced. As stated by our adversarial model, delay is acceptable, even for real-time applications. Thethe classification of m must be completed before the last SCHS requires the application of two permutations and one
  12. 12. IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012 0.8 0.5 1 Route Discovery Time (sec) 0.7 0.4 0.8 0.6 E[T] (Mbps) E[T] (Mbps) 0.5 0.3 0.6 0.4 0.3 0.2 0.4 0.2 0.1 0.2 0.1 0 0 0 N.H. M.E. C.S. T.P. H.P. L.T. P.T. N.H. M.E. C.S. T.P. H.P. L.T. P.T. N.H. M.E. C.S. T.P. H.P. L.T. P.T. (a) (b) (c)Fig. 8. (a) Average effective throughput (line network topology), (b) average route discovery time (non-congested network),(c) average effective throughput (congested network). N.H: No packet hiding, M.E: MAC-layer encryption with a static key,C.S.: SHCS, T.P.: Time-lock CPHS, H.P.: Hash-based CPHS, L.T.: Linear AONT-HS, P.T.: Package transform.symmetric encryption at the sender, while the inverse oper- techniques based on cryptographic puzzles decrease the ef-ations have to be performed at the receiver. Such operations fective throughput of the TCP connection to half, comparedcan be implemented in hardware very efficiently. Symmetric to the no hiding case. This performance is anticipated sinceencryption such as AES can be implemented at speeds of the time required to solve a puzzle after a packet has beentens of Gbps/s when realized with Application Specific received at the MAC layer is equal to the transmissionIntegrated Circuits (ASICs) or Field Programmable Gate time of each packet. While this constitutes a significantArrays (FPGAs) [6]. These processing speeds are orders performance reduction, we emphasize that cryptographicof magnitude higher than the transmission speeds of most puzzles were suggested as a candidate solution only whencurrent wireless technologies, and hence, do not impose a the symbol size is so small that more efficient hidingsignificant delay. methods do not provide adequate levels of security. Similarly, the AONT-HS performs linear operations on In the second set of experiments, we studied the impactthe packet that can be efficiently implemented in hardware. of packet hiding on the route discovery process in anWe note that a non-negligible processing delay is incurred ad-hoc network. We generated a random topology of 54by the CPHS. This is due to the cryptographic puzzle that nodes placed in an area of 500 × 400 m2 . Nodes discoveredmust be solved at the receiver. As suggested in Section 6, routes using the AODV routing protocol. A total of twentyCPHS should only be employed when the symbol size at client/server pairs exchanged messages of size 1 KB usingthe PHY layer is too small to support the SHCS and AONT- the TCP protocol, at randomly chosen starting times. TheHS solutions. The processing delays of the various schemes size of the message exchanged between pairs of nodes wasare taken into account in our experimental evaluations. kept small in order to avoid skewing of the route discovery Experimental evaluation–In the first set of experiments, performance due to network congestion.we setup a single file transfer between a client and server, The average route discovery delay is shown in Fig. 8(b).connected via a multi-hop route. The client requested a 1 This delay is defined as the time difference between theMB file from the server. We evaluated the effects of packet transmission of the first RREQ from a source and thehiding by measuring the effective throughput of the TCP reception of the corresponding RREP from the destination.connection in the following scenarios: (a) No packet hiding We observe that the impact of packet hiding on the route(N.H.), (b) MAC-layer encryption with a static key (M.E.), discovery delay is minimal compared to the case where(c) SHCS (C.S.), (d) Time-lock CPHS (T.P.), (e) Hash-based no packet hiding is employed. This similarity in perfor-CPHS (H.P.), (f) Linear AONT-HS (L.T.), and (g) AONT-HS mance is due to the expanding ring search technique ofbased on the package transform (P.T.). AODV, which is used to prevent unnecessary network- In Fig. 8(a), we show the effective throughput aver- wide dissemination of RREQs [19]. In order to discoveraged over 100 different traces. We observe that MAC-layer a route, the originating node sends a RREQ with a time-encryption, SHCS and the linear AONT-HS achieve an to-live (TTL) value equal to one hop, and waits for theeffective throughput close to the throughput in the absence corresponding RREP. If the RREP is not received before aof packet hiding. This is justified by the the relatively timeout value (to ) expires, the originating node increasessmall communication overhead of each hiding method and the TTL and the timeout to , and re-broadcasts the RREQ.the small queuing delay at intermediate routers due to This process is repeated until a valid RREP is received,the absence of any cross traffic. The AONT-HS based on or the TTL value exceeds the maximum diameter of thethe package transform achieved slightly lower throughput, network. The expanding ring search technique introduces abecause it occurs a per-packet overhead of 128 bits as dominant delay in comparison to the delay introduced byopposed to 56 bits for SHCS. We also observe that hiding the packet-hiding techniques. For example, in the case of