Everlasting Security and Undetectability in Wireless Communications

Everlasting Security and Undetectability in Wireless Communications ICNC Lecture February 6, 2014 Dennis Goeckel University of Massachusetts Amherst This work is supported by the National Science Foundation under Grants CNS-1019464, CCF-1249275, and ECCS-1309573.

Motivation Everlasting Secrecy: We are interested in keeping something secret forever. A challenge of cryptography (e.g. the VENONA project) is that recorded messages can be deciphered later. Undetectability: A stronger form of security than any encryption: computational or information-theoretic. Often more important than encryption: whom istalking to whom (so called “metadata”) From: The Guardian

The Alice-Bob-Eve Scenario in Wireless It might be Eve in the parking lot listening, or…. Bob Alice Eve Building …it might be Eve in the building! Important Challenge: the “near Eve” problem… …and you very likely will not know where she is.

Computational Security (Cryptography) Eve can see the transmitted bits perfectly, but cannot solve the “hard” problem presented to her. Advantages: Well-studied and efficient algorithms Does not suffer from the “Near Eve” problem Disadvantages: Implementations often broken (although the primitive is fine) Computational assumptions on Eve Message can be stored and decrypted later

Information-theoretic secrecy Information is encoded in such a way that Eve gets no information about the message…if the scenario is right Advantages: No computational assumptions on Eve. If the transmission is securely made, it is secure forever. Disadvantages (key part of this talk): Information-theoretic secrecy generally relies on a (known) advantage for Bob over Eve (e.g. less noisy). If that is not true, Eve gets the message today. Many would argue that we have traded a long-term computational risk fora short-term scenario risk…no thank you!

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • IT Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Cooperative jamming • Network coding • Undetectable communications (LPD) • Steganography • Emerging approaches for wireless channels • Current and Future Challenges PAB PAE t PAB>PAE PAB>PAE

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • Information-Theoretic Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Cooperative jamming • Network coding • Undetectable communications (LPD) • Steganography • Emerging approaches for wireless channels • Current and Future Challenges Bob Alice S

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • Information-Theoretic Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Cooperative jamming • Network coding • Undetectable communications (LPD) • Steganography • Emerging approaches for wireless channels • Current and Future Challenges

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • Information-Theoretic Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Cooperative jamming • Network coding • Undetectable communications (LPD) • Emerging approaches for wireless • Experiments • Current and Future Challenges

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • Information-Theoretic Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Cooperative jamming • Network coding • Undetectable communications (LPD) • Emerging approaches for wireless channels • Experiments • Current and Future Challenges

Outline • Computational and Information Theoretic security basics • Computation Security: Diffie-Hellman • Information-Theoretic Security: The wiretap channel (Wyner et al) • Application to wireless…and challenges • Potential solutions • Asymptotically-large networks • Undetectable communications (LPD) • Current and Future Challenges PAB PAE t PAB>PAE PAB>PAE

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Diffie-Hellman: Establishing a key “on the fly” Set-up: Alice announces a large prime p and a primitive root g mod p. ya yb Bob Alice Eve Alice chooses a secret random integer a, 1 < a < p-1, and broadcasts ya=ga mod p. 2. Bob chooses a secret random integer b, 1 < b< p-1, and broadcasts yb=gbmod p. Bob forms the key K=yabmod p =gab mod p Alice forms the key K=ybamod p =gab mod p Eve is left trying to solve the discrete logarithm problem, which is believed to be “hard”.

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Diffie-Hellman: An Example Set-up: Alice announces a large prime p=19 and a primitive root g=2. ya yb Bob Alice Eve Alice chooses a secret random integer a=5, 1 < a < 18, and broadcasts ya=25 mod 19=13. 2. Bob chooses a secret random integer 6, 1 < b< 18, and broadcasts yb=26mod 19=7. 3. Alice forms the key: K=75mod 19=11 Bob forms the key: K=136mod 19=11 Eve is left trying to solve the discrete logarithm problem, which is believed to be “hard”. From: J. Talbot and D. Welsh, Complexity and Cryptography

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Diffie-Hellman: How could it be broken? The discrete logarithm is not hard(unlikely?) 2. Somebody obtains the key in some other manner (e.g. side-channel analysis on power utilization of a processor). [Courtesy: C. Paar] 3. Advances in computing [from: “wired.com”] This motivates approaches of “keyless security”, where what the eavesdropperreceives does not contain enough information to (ever) decode the message…information-theoretic secrecy.

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Shannon and the one-time pad [C. Shannon, 1948] • Consider perfect secrecy over a noiselesswireline channel: Desire I(M,gK(M))=0 ? Bob Alice Eve gK(M) M M Pre-shared key K Questions: How long must K be for an N-bit message M? How do you choose gK(M)?

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Shannon and the one-time pad [C. Shannon, 1948] ? Bob Alice Eve M K M (M K) K= M Pre-shared key K Blah. Answers: You need an N-bit key K for an N-bit message M. gK(M) = M K

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Example: Why not a “two-time pad”? ? Bob Alice M1 K M2 K Eve M1,M2 M1,M2 Pre-shared key K What does Eve do? This is an information leak of K bits! Not information-theoretic secure. (VENONA exploited this).

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless The Wiretap Channel [Wyner, 1975; Cheong and Hellman, 1978] • But suppose: • There is noise in the system. • The eavesdropper has a worse view of the transmitted signal than Bob. Bob Alice RAB: Capacity of channel from Alice to Bob RAE: Capacity of channel from Alice to Eve RAB > RAE Eve Building Gaussian channels: R = log2(1 + SNRAB) – log2(1 + SNRAE) Positive rate “if Bob’s channel is better”, and Eve gets nothing.

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Wiretap Code Construction [Wyner, 1975] 00 Code Book Construction: • 1. Alice generates random codewords. 01 11 01 11 00 10 01 10 11 00 • 2. She splits them randomly into bins. 00 00 00 00 01 01 01 01 10 01 00 11 10 10 00 01 11 Codebook is broadcast to everybody, including Eve 10 10 10 10 11 11 11 11

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Wiretap Code Encoding 00 01 • Alice picks a circle at random and uses Roinformation bits to pick a codeword within that circle. 11 Alice sends. 10 00 01 11 10 00 11 01 00 00 00 00 01 01 01 01 10 00 11 10 01 01 00 10 11 10 10 10 10 11 11 11 11

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Wiretap Code Decoding 00 00 ? 01 01 11 11 Bob Eve 11 00 11 00 01 10 10 01 00 00 10 10 11 01 11 01 00 00 00 01 01 01 01 00 10 10 01 01 11 11 00 00 01 10 01 10 10 00 10 00 11 11 11 10 10 10 10 11 11 11 Secrecy capacity is given by the difference in the capacities between the main channel and the eavesdropper channel. Bob’s able to decode information bits 11 corresponding to codeword 0011

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Secrecy Outage Event Outage RS < 2 RS = 2 Eve Channel Capacity Secrecy RS >2 Bob Channel Capacity

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Critical Issue in Trying to Plan Secrecy: What do we Know? RAB Bob Alice Eve RAE Do we know RAB? Maybe. Do we know RAE? Probably not.

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Known CSI to Bob (known Rbputs on this line) Outage RS < 2 Outage Prob = P(RE > 2.5) Eve Channel Capacity Secrecy RS >2 Bob Channel Capacity

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Wireless Channels: Path Loss What happens to the transmitted wave on the way from the cell phone to the tower? Goes in all directions (broadcast) and the signal strength weakens. Let’s model it. r d A Note that the differences in received powers can be huge, for example, in a cell phone system: T.S. Rappaport, Wireless Communications

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Small Scale: Multi-path Fading What happens to the signal on the way from the cell phone to the tower? It gets reflected by many objects and the reflections add up at the receiver. • Example: • Two paths of different lengths, signals arrive at slightly different times. • One path is 100ft longer: 100ns difference (big deal?). Key: Varies 3 ways: Spatially Temporally With frequency • Carrier might be at 1 GHz -> period 1ns (So, yes, big deal) • Walk around the room while you speak on the phone -> the two signals keep adding up or canceling at the receiver as you move.

I. Comp and IT security basics: (a) Diffie-Hellman (b) The wiretap channel (c) Wireless Bob Alice Building Eve Information-Theoretic Security: Computational Security: R = log2(1 + SNRAB) – log2(1 + SNRAE) Plus: Positive rate “if Bob’s channel is better”, and Eve gets nothing. Drawback: “Only” computational security. Drawback: Zero rate “if Eve’s channel is better”, and Bob gets nothing. Plus: No problem with the “Near Eve”. Question: Can we get the best of both worlds.

Outline • Computational and Information Theoretic security basics • Potential solutions • Exploiting fading • Two-way communications • Attacking the receiver’s hardware • Cooperative jamming • Asymptotically-large networks • Undetectable communications (LPD) • Current and Future Challenges Bob Alice S

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvrharware (d) Jamming Exploiting Fading I: signal when we have the advantage R = log2(1 + PAB) – log2(1 + PAE) PAB Bob Alice Eve PAE PAB t CSI = Path-loss and fading PAB>PAE PAB>PAE Situations: (1) Known CSI, (2) Partial CSI (all Bob, path-loss to Eve), (3) No CSI Problem:If I do not know where Eve is, how do I choose a strategy/rate?

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Exploiting Fading II: derive a key from it Bob Alice Eve Alice broadcasts a pilot signal. Bob measures the channel HAB 2. Bob broadcasts a pilot signal. Alice measures the channel HBA Assuming reciprocity, HAB=HBA, and we have a source of common randomness. Alice and Bob reconcile their channel estimates to form a common key K. 4. Alice broadcasts with a one-time pad: X=M XOR K Drawback: Limited number of bits can be extracted

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Public Discussion [Maurer, 1993][Ahlswede and Csiszar, 1993] Eve is closer than Bob. Consider binary symmetric channels (0 or 1 in, 0 or 1 out): Bob Alice Eve 1-pB 0 0 pB Bob’s Channel (pB:prob of error) Eve’s Channel (pE:prob of error) pB 1 1 1-pB 1-pE 0 0 pE pE 1 1 pB>pE(since Eve is closer); hence, the secrecy capacity is zero. What to do? 1-pE

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Public Discussion II 1. Bob transmits X: Alice Receives: M Eve Receives: Bob Alice transmits (on noiseless, public channel): Alice Eve Bob Receives: …and we have a channel of positive capacity. Eve Receives: Bob forms: But it could be a really small capacity… If Eve is close to Bob…and how do you choose the rate? Eve forms:

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Public Discussion III Problem: Rate becomes limited for a very near Eve. What if Eve picks up the transmitter?

Challenges Exploiting when Alice -> Bob channel is better than Alice -> Eve Challenge: unknown Eve location Exploiting common randomness of channel reciprocity Challenge: limited number of key bits Exploiting “public discussion” Challenge: two-way communication and unknown Eve

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Attacking the Hardware I: Bounded Memory Model Cachin and Maurer introduced the “bounded memory model” to achieve everlasting secrecy [Cauchin and Maurer, 1997]. An eavesdropper with memory < M cannot store enough to eventually break the cipher. However, it is hard to pick a memory size that Eve cannot use beyond: • 1. The density of memories grows quickly (Moore’s Law) 2. Memories can be stacked arbitrarily subject only to (very large) space limitations. [From “blog.dshr.org”] 4/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Bounded Conversion Model Eve’s Receiver Perhaps Cachin and Maurer attacked the wrong part of the receiver: Analog “Front-End” Digital “Back-End” A/D Bob 1. In the combative sender-eavesdropper game, front-end dynamic range is a critical aspect of the receiver. Alice Eve 2. A/D Technology progresses very slowly. 3. High-end A/D’s are already stacked to the limit of the jitter. 1. IT security requires a channel advantage. Idea: Establish cryptographic security (e.g. Diffie-Hellman) Use a short-term cryptographic to establish the channel advantage. [Sheikholeslami, Goeckel, Pishro-Nik, 2013]

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming System model and approach: k Alice and Bob pre-share an “emphemeral” cryptographic key k to choose g(.).Note: Key will be handed to Eve after transmission. A/D is a non-linear element. Non-commutativity of non-linear elements: potential information-theoretic security. Secrecy rate is a shaping gain: Rs=Eg[h(X) – h(g(X))] h(X): differential entropy …but, unlike traditional “shaping gains”, gain can be huge. 5/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: Idea: Key used to rapidly power modulate transmitter. Bob’s receiver gain control can follow, while Eve’s struggles. 6/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: 6/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: Bob’s gain control is correct: input well-matched to A/D span. 6/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: • Alice sets her parameters to maximize Rs, whereas Eve tries to find • a gain G that minimizes the secrecy rate Rs given Alice’s choice: • Rs=maxSminGRs(S, G) 2. It is easy to show that the optimal strategy (for Eve) is to pick a single gain G. 7/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: Large gain Effect of A/D on the signal: • Clipping (due to overflow) 8/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: Small gain Effect of A/D on the signal: • Clipping (due to overflow) • Quantization noise (uniformly distributed) 8/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Rapid power modulation for secrecy: Effect of A/D on the signal: • Clipping (due to overflow) • Quantization noise (uniformly distributed) Trade-off between choosing a large gain and a small gain: • Eve needs to compromise between more A/D overflows or less resolution. 8/12

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming (b) Power modulation (a) Public Discussion (Although they are not really competing techniques. Power modulation approachcould be used under public discussion.) What if Eve picks up the transmitter?

Potential Solutions: (a) Exploiting fading (b) 2-way comms(c) Rcvr hardware (d) Jamming Secrecy rate vs. SNR at Bob, Eve has perfect access to the signal Noisy channel to Bob, noiseless channel to Eve. Bob Alice Eve Challenges: (1) Only effective (so far) in short-range environments. (2) Risk Eve has a better receiver than you thought. 10/12

Challenges Exploiting when Alice -> Bob channel is better than Alice -> Eve Challenge: unknown Eve location Exploiting common randomness of channel reciprocity Challenge: limited number of key bits Exploiting “public discussion” Challenge: two-way communication and unknown Eve Attacking Eve’s receiver hardware Challenge: short range, assumptions on Eve’s hardware

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Cooperative Jamming for Secrecy [Negi/Goel, 2005] M Bob Alice Eve First paper to guarantee a minimum secrecy capacity, independent of the location of the eavesdropper. Alice’s channel state information knowledge: She knows the channel to Bob She does not know the channel to Eve Idea: Jam in the null space of Bob’s receiver. Problem: Asymmetric capabilities are backward! (more powerful Alice than Eve)!

Potential Solutions: (a) Exploiting fading (b) 2-way comms (c) Rcvr hardware (d) Jamming Cooperative Jamming for Secrecy II [Goel/Negi, 2008] M R5 Bob Alice R4 Eve Stage 1: Alice and Bob send “noise messages” • Stage 2: • Alice sends the message plus a signal to cancel relay chatter. • Relays “chatter” Relay chatter only affects Eve due to interference pre-cancellation by Alice. Challenge: Interference cancellation challenging in a near-far environment.

Everlasting Security and Undetectability in Wireless Communications

Everlasting Security and Undetectability in Wireless Communications

Presentation Transcript

Trends in Wireless Communications

Wireless Communications

Wireless Communications

Wireless Communications Security Issues, Solutions and Challenges

Wireless Communications

Wireless Communications

Wireless Communications

Everlasting Security and Undetectability in Wireless Communications

Wireless Communications

Fading in Wireless Communications

Wireless Communications

Wireless Communications Security Issues, Solutions and Challenges

Wireless Communications

Security and Cooperation in Wireless Networks Laboratory For Communications and Applications1

Wireless Communications

Applied Communications Technology Wireless Mobile Security

Wireless Communications

Wireless Communications

WIRELESS COMMUNICATIONS

Wireless Communications