3 packet-hiding methods for preventing selective

IEEE TRANSACTIONS VOL. 9, NO. 1, JAN-FEB 2012

Packet-Hiding Methods for Preventing Selective
Jamming Attacks
˜
Alejandro Proano and Loukas Lazos
Dept. of Electrical and Computer Engineering, University of Arizona, Tucson, AZ, USA
E-mail:{aaproano, llazos}@ece.arizona.edu
Abstract—The open nature of the wireless medium leaves it vulnerable to intentional interference attacks, typically referred to as jamming.
This intentional interference with wireless transmissions can be used as a launchpad for mounting Denial-of-Service attacks on wireless
networks. Typically, jamming has been addressed under an external threat model. However, adversaries with internal knowledge of protocol
specifications and network secrets can launch low-effort jamming attacks that are difficult to detect and counter. In this work, we address the
problem of selective jamming attacks in wireless networks. In these attacks, the adversary is active only for a short period of time, selectively
targeting messages of high importance. We illustrate the advantages of selective jamming in terms of network performance degradation and
adversary effort by presenting two case studies; a selective attack on TCP and one on routing. We show that selective jamming attacks can be
launched by performing real-time packet classification at the physical layer. To mitigate these attacks, we develop three schemes that prevent
real-time packet classification by combining cryptographic primitives with physical-layer attributes. We analyze the security of our methods
and evaluate their computational and communication overhead.

Index Terms—Selective Jamming, Denial-of-Service, Wireless Networks, Packet Classification.

1 I NTRODUCTION to node compromise, neutralizes the gains of SS. Broadcast
Wireless networks rely on the uninterrupted availability of communications are particularly vulnerable under an in-
the wireless medium to interconnect participating nodes. ternal threat model because all intended receivers must be
However, the open nature of this medium leaves it vulner- aware of the secrets used to protect transmissions. Hence,
able to multiple security threats. Anyone with a transceiver the compromise of a single receiver is sufficient to reveal
can eavesdrop on wireless transmissions, inject spurious relevant cryptographic information.
messages, or jam legitimate ones. While eavesdropping and In this paper, we address the problem of jamming un-
message injection can be prevented using cryptographic der an internal threat model. We consider a sophisticated
methods, jamming attacks are much harder to counter. adversary who is aware of network secrets and the imple-
They have been shown to actualize severe Denial-of-Service mentation details of network protocols at any layer in the
(DoS) attacks against wireless networks [12], [17], [36], [37]. network stack. The adversary exploits his internal knowl-
In the simplest form of jamming, the adversary interferes edge for launching selective jamming attacks in which specific
with the reception of messages by transmitting a continuous messages of “high importance” are targeted. For example,
jamming signal [25], or several short jamming pulses [17]. a jammer can target route-request/route-reply messages at
Typically, jamming attacks have been considered under the routing layer to prevent route discovery, or target TCP
an external threat model, in which the jammer is not acknowledgments in a TCP session to severely degrade the
part of the network. Under this model, jamming strategies throughput of an end-to-end flow.
include the continuous or random transmission of high- To launch selective jamming attacks, the adversary must
power interference signals [25], [36]. However, adopting an be capable of implementing a “classify-then-jam” strategy
“always-on” strategy has several disadvantages. First, the before the completion of a wireless transmission. Such
adversary has to expend a significant amount of energy strategy can be actualized either by classifying transmitted
to jam frequency bands of interest. Second, the continuous packets using protocol semantics [1], [33], or by decoding
presence of unusually high interference levels makes this packets on the fly [34]. In the latter method, the jammer
type of attacks easy to detect [17], [36], [37]. may decode the first few bits of a packet for recovering
Conventional anti-jamming techniques rely extensively useful packet identifiers such as packet type, source and
on spread-spectrum (SS) communications [25], or some destination address. After classification, the adversary must
form of jamming evasion (e.g., slow frequency hopping, induce a sufficient number of bit errors so that the packet
or spatial retreats [37]). SS techniques provide bit-level pro- cannot be recovered at the receiver [34]. Selective jamming
tection by spreading bits according to a secret pseudo-noise requires an intimate knowledge of the physical (PHY) layer,
(PN) code, known only to the communicating parties. These as well as of the specifics of upper layers.
methods can only protect wireless transmissions under the Our Contributions–We investigate the feasibility of real-
external threat model. Potential disclosure of secrets due time packet classification for launching selective jamming
attacks, under an internal threat model. We show that
A preliminary version of this paper was presented at IEEE ICC 2010 Conference. such attacks are relatively easy to actualize by exploiting
This research was supported in part by NSF (CNS-0844111, CNS-1016943). Any
opinions, findings, conclusions, or recommendations expressed in this paper are knowledge of network protocols and cryptographic primi-
those of the author(s) and do not necessarily reflect the views of NSF. tives extracted from compromised nodes. We investigate the

IEEE TRANSACTIONS,VOL. 9, NO. 1, JAN-FEB 2012

Frame Source Dest. Seq. Addl.
control adr. adr. number param.

MAC PHY
Preamble PHY hdr MAC hdr Payload
CRC trailer
(a) (b)
Fig. 1. (a) Realization of a selective jamming attack, (b) a generic frame format for a wireless network.

impact of selective jamming on critical network functions. modulation scheme. Every symbol carries α q data bits,
β
Our findings indicate that selective jamming attacks lead where α/β is the rate of the PHY-layer encoder. Here, the
to a DoS with very low effort on behalf of the jammer. transmission bit rate is equal to qR bps and the information
To mitigate such attacks, we develop three schemes that bit rate is α qR bps. Spread spectrum techniques such
β
prevent classification of transmitted packets in real time. as frequency hopping spread spectrum (FHSS), or direct
Our schemes rely on the joint consideration of crypto- sequence spread spectrum (DSSS) may be used at the PHY
graphic mechanisms with PHY-layer attributes. We analyze layer to protect wireless transmissions from jamming. SS
the security of our schemes and show that they achieve provides immunity to interference to some extent (typically
strong security properties, with minimal impact on the 20 to 30 dB gain), but a powerful jammer is still capable of
network performance. jamming data packets of his choosing.
The remainder of the paper is organized as follows. In Transmitted packets have the generic format depicted
Section 2, we describe the problem addressed, and state the in Fig. 1(b). The preamble is used for synchronizing the
system and adversarial model. In Section 3, we show the sampling process at the receiver. The PHY layer header
feasibility of selective jamming attacks. Section 4 illustrates contains information regarding the length of the frame,
the impact of selective jamming. In Sections 5, 6, and 7, and the transmission rate. The MAC header determines
we develop methods for preventing selective jamming. In the MAC protocol version, the source and destination ad-
Section 8, we evaluate the impact of our attack mitigation dresses, sequence numbers plus some additional fields. The
methods on the network performance. Section 9, presents MAC header is followed by the frame body that typically
related work. In Section 10, we conclude. contains an ARP packet or an IP datagram. Finally, the
MAC frame is protected by a cyclic redundancy check
2 P ROBLEM S TATEMENT AND A SSUMPTIONS (CRC) code. At the PHY layer, a trailer may be appended
2.1 Problem Statement for synchronizing the sender and receiver.
Adversary Model–We assume the adversary is in control
Consider the scenario depicted in Fig. 1(a). Nodes A and B
of the communication medium and can jam messages at any
communicate via a wireless link. Within the communication
part of the network of his choosing (similar to the Dolev-
range of both A and B there is a jamming node J. When A
Yao model). The adversary can operate in full-duplex mode,
transmits a packet m to B, node J classifies m by receiving
thus being able to receive and transmit simultaneously. This
only the first few bytes of m. J then corrupts m beyond
can be achieved, for example, with the use of multi-radio
recovery by interfering with its reception at B. We address
transceivers. In addition, the adversary is equipped with
the problem of preventing the jamming node from classifying
directional antennas that enable the reception of a signal
m in real time, thus mitigating J’s ability to perform selective
from one node and jamming of the same signal at another.
jamming. Our goal is to transform a selective jammer to
For analysis purposes, we assume that the adversary can
a random one. Note that in the present work, we do not
pro-actively jam a number of bits just below the ECC
address packet classification methods based on protocol
capability early in the transmission. He can then decide to
semantics, as described in [1], [4], [11], [33].
irrecoverably corrupt a transmitted packet by jamming the
last symbol. In reality, it has been demonstrated that selective
2.2 System and Adversary Model jamming can be achieved with far less resources [32], [34].
Network model–The network consists of a collection of A jammer equipped with a single half-duplex transceiver is
nodes connected via wireless links. Nodes may commu- sufficient to classify and jam transmitted packets. However,
nicate directly if they are within communication range, or our model captures a more potent adversary that can be
indirectly via multiple hops. Nodes communicate both in effective even at high transmission speeds.
unicast mode and broadcast mode. Communications can be The adversary is assumed to be computationally and
either unencrypted or encrypted. For encrypted broadcast storage bounded, although he can be far superior to normal
communications, symmetric keys are shared among all nodes. In particular, he can be equipped with special pur-
intended receivers. These keys are established using pre- pose hardware for performing cryptanalysis or any other
shared pairwise keys or asymmetric cryptography. required computation. Solving well-known hard crypto-
Communication Model–Packets are transmitted at a rate graphic problems is assumed to be time-consuming. For the
of R bauds. Each PHY-layer symbol corresponds to q bits, purposes of analysis, given a ciphertext, the most efficient
where the value of q is defined by the underlying digital method for deriving the corresponding plaintext is assumed


to be an exhaustive search on the key space. data is passed via a 1/2-rate encoder before it is mapped
The implementation details of every layer of the network to an OFDM symbol of q = 48 bits. In this case, decoding
stack are assumed to be public. Furthermore, the adversary of one symbol provides 24 bits of data. At the highest data
is capable of physically compromising network devices rate of 54 Mbps, 216 bits of data are recovered per symbol.
and recovering stored information including cryptographic From our analysis, it is evident that intercepting the first
keys, PN codes, etc. This internal adversary model is re- few symbols of a packet is sufficient for obtaining relevant
alistic for network architectures such as mobile ad-hoc, header information. For example, consider the transmission
mesh, cognitive radio, and wireless sensor networks, where of a TCP-SYN packet used for establishing a TCP connec-
network devices may operate unattended , thus being tion at the transport layer. Assume an 802.11a PHY layer
susceptible to physical compromise. with a transmission rate of 6 Mbps. At the PHY layer, a 40-
bit header and a 6-bit tail are appended to the MAC packet
carrying the TCP-SYN packet. At the next stage, the 1/2-
3 R EAL - TIME PACKET C LASSIFICATION rate convolutional encoder maps the packet to a sequence
In this section, we describe how the adversary can classify of 1,180 bits. In turn, the output of the encoder is split into
packets in real time, before the packet transmission is 25 blocks of 48 bits each and interleaved on a per-symbol
completed. Once a packet is classified, the adversary may basis. Finally, each of the blocks is modulated as an OFDM
choose to jam it depending on his strategy. symbol for transmission. The information contained in each
Consider the generic communication system depicted in of the 25 OFDM symbols is as follows:
Fig. 2. At the PHY layer, a packet m is encoded, interleaved, - Symbols 1-2 contain the PHY-layer header and the
and modulated before it is transmitted over the wireless first byte of the MAC header. The PHY header reveals
channel. At the receiver, the signal is demodulated, de- the length of the packet, the transmission rate, and
interleaved, and decoded, to recover the original packet m. synchronization information. The first byte of the MAC
header reveals the protocol version and the type and
subtype of the MAC frame (e.g., DATA, ACK).
- Symbols 3-10 contain the source and destination MAC
addresses, and the length of the IP packet header.
- Symbols 11-17 contain the source and destination IP
addresses, the size of the TCP datagram carried by the
IP packet, and other IP layer information. The first two
bytes of the TCP datagram reveal the source port.
Fig. 2. A generic communication system diagram. - Symbols 18-23 contain the TCP destination port, se-
The adversary’s ability in classifying a packet m depends quence number, acknowledgment number, TCP flags,
on the implementation of the blocks in Fig. 2. The channel window size, and the header checksum.
encoding block expands the original bit sequence m, adding - Symbols 24-25 contain the MAC CRC code.
necessary redundancy for protecting m against channel Our example illustrates that a packet can be classified at
errors. For example, an α/β-block code may protect m different layers and in various ways. MAC layer classifica-
from up to e errors per block. Alternatively, an α/β-rate tion is achieved by receiving the first 10 symbols. IP layer
convolutional encoder with a constraint length of Lmax , and classification is achieved by receiving symbols 10 and 11,
a free distance of e bits provides similar protection. For our while TCP layer classification is achieved by symbols 12-19.
purposes, we assume that the rate of the encoder is α/β. An intuitive solution to selective jamming would be
At the next block, interleaving is applied to protect m from the encryption of transmitted packets (including headers)
burst errors. For simplicity, we consider a block interleaver with a static key. However, for broadcast communications,
that is defined by a matrix Ad×β 1 . The de-interleaver is this static decryption key must be known to all intended
simply the transpose of A. Finally, the digital modulator receivers and hence, is susceptible to compromise. An
maps the received bit stream to symbols of length q, and adversary in possession of the decryption key can start
modulates them into suitable waveforms for transmission decrypting as early as the reception of the first ciphertext
over the wireless channel. Typical modulation techniques block. For example, consider the cipher-block chaining
include OFDM, BPSK, 16(64)-QAM, and CCK. (CBC) mode of encryption [27]. To encrypt a message m
In order to recover any bit of m, the receiver must collect with a key k and an initialization vector IV, message m is
d · β bits for de-interleaving. The d · β de-interleaved bits are split into x blocks m1 , m2 , . . . mx , and each ciphertext block
then passed through the decoder. Ignoring any propagation ci , is generated as:
and decoding delays, the delay until decoding the first c1 = IV, ci+1 = Ek (ci ⊕ mi ), i = 1, 2, . . . , x, (1)
block of data is ⌈ dβ ⌉ symbol durations. As an example, in
q
the 802.11a standard, operating at the lowest rate of 6 Mbps, where Ek (m) denotes the encryption of m with key k. The
plaintext mi is recovered by:
1. Without loss of generality we assume that the number of columns of
the interleaving matrix is equal to the length β of the codewords. mi = ci ⊕ Dk (ci+1 ), i = 1, 2, . . . , x. (2)


3 5 3
10 10 10
TCP-ACK
RTS/CTS
Data
Random

Number of Packets
2 4 2
10 10 10
E[D] (sec)

E[T ] (bps)
1 3 1
10 10 10
TCP-ACK TCP-ACK
RTS/CTS RTS/CTS
Data Data
0 Random 2 0 Random
10 10 10
0 0.2 0.4 0.6 0.8 0 0.2 0.4 0.6 0.8 0 0.2 0.4 0.6 0.8
Jamming Probability p Jamming Probability p Jamming Probability p

(a) (b) (c)
0 0
10 1 10
TCP-ACK
RTS/CTS
Data −1
−2 Random 0.8 10

Routes (normalized)
10
t (normalized)

t (normalized)
−2
0.6 10
−4
10
−3
0.4 10
−6
10 −4
0.2 10

−8 −5
10 0 10
0 0.2 0.4 0.6 0.8 R. 0.3 R. 0.5 R. 0.7 R. 0.9 Sel. Con. R 0.3 R 0.5 R 0.7 R 0.9 Sel. Con.
Jamming Probability p

(d) (e) (f)
Fig. 3. (a) Average application delay E[D], (b) average effective throughput E[T ], (c) number of packets jammed, (d) fraction
of time the jammer is active, (e) number of connections established in the network, (f) fraction of time the jammer is active.
R p: random jammer with probability p; Con.: constant jammer; Sel.: selective jammer.

Note from (2) that reception of ci+1 is sufficient to recover Selective Jamming at the Transport Layer–In the first
mi if k is known (c1 = IV is also known). Therefore, real- set of experiments, we setup a file transfer of a 3 MB file
time packet classification is still possible. between two users A and B connected via a multi-hop
One solution to the key compromise problem would route. The TCP protocol was used to reliably transport the
be to update the static key whenever it is compromised. requested file. At the MAC layer, the RTS/CTS mechanism
However, such a solution is not useful if the compromised was enabled. The transmission rate was set to 11 Mbps at
node obtains the new key. This can only be avoided if there each link. The jammer was placed within the proximity
is a mechanism by which the set of compromised nodes can of one of the intermediate hops of the TCP connection.
be identified. Such a task is non-trivial when the leaked key Four jamming strategies were considered: (a) selective jam-
is shared by multiple nodes. Any node that possesses the ming of cumulative TCP-ACKs, (b) selective jamming of
shared key is a candidate malicious node. RTS/CTS messages, (c) selective jamming of data packets,
Moreover, even if the encryption key of a hiding scheme and (d) random jamming of any packet. In each of the
were to remain secret, the static portions of a transmitted strategies, a fraction p of the targeted packets is jammed.
packet could potentially lead to packet classification. This
is because for computationally-efficient encryption meth- In Fig. 3(a), we show the average delay E[D] for complet-
ods such as block encryption, the encryption of a prefix ing the file transfer, as a function of the jamming probability
plaintext with the same key yields a static ciphertext pre- p (averaged over repeated experiments). In Fig. 3(b), we
fix. Hence, an adversary who is aware of the underlying show the average throughput E[T ] as a function of p. It
protocol specifics (structure of the frame) can use the static can be observed that all jamming attacks have significant
ciphertext portions of a transmitted packet to classify it. impact on E[D] which grows several orders of magnitude
larger compared to the delay in the absence of a jammer.
Similarly, the effective throughput drops drastically under
4 I MPACT OF S ELECTIVE JAMMING both random and selective jamming attacks. TCP perfor-
In this section, we illustrate the impact of selective jamming mance under jamming of TCP-ACKs can be interpreted
attacks on the network performance. We used OPNETTM by the congestion control mechanism of the TCP protocol.
Modeler 14.5 [18] to implement selective jamming attacks When cumulative ACKs are lost (in our case jammed),
in two multi-hop wireless network scenarios. In the first the sender has to retransmit all unacknowledged data
scenario, the attacker targeted a TCP connection established packets, thus increasing the incurred delay while reducing
over a multi-hop wireless route. In the second scenario, the the effective throughput. At the same time, the sender
jammer targeted network-layer control messages transmit- interprets the loss of ACKs as congestion and throttles
ted during the route establishment process. its packet transmission rate by reducing the size of the


transmission window. This leads to a further slow down 5.1 Mapping to Commitment Schemes
of the application. Note that, for values of p > 0.4, the TCP
Commitment schemes are cryptographic primitives that
connection is aborted for the case of random and TCP-ACK
allow an entity A, to commit to a value m, to an entity
jamming, due to the repeated timeouts at the sender.
V while keeping m hidden. Commitment schemes are
Fig. 3(c) depicts the number of packets that were jammed
formally defined as follows [7].
by the adversary for each value of p. Finally, Fig. 3(d) shows
Commitment Scheme: A commitment scheme is a two-
the fraction of time that the jammer remained active. Here,
phase interactive protocol defined as a triple {X , M, E}.
for selective jamming attacks, we assumed that 13% of the
Set X = {A, V } denotes two probabilistic polynomial-time
packet has to be corrupted in order to be dropped [17]. In
interactive parties, where A is known as the committer and
the case of random jamming, the adversary is not aware of
V as the verifier; set M denotes the message space, and set
the type of packets transmitted (by means of processing the
E = {(ti , fi )} denotes the events occurring at protocol stages
header of these packets). Hence, he is assumed to jam the
ti (i = 1, 2), as per functions fi (i = 1, 2). During commit-
entire packet in order to drop it. We observe that selective
ment stage t1 , A uses a commitment function f1 = commit()
jamming requires the jamming of approximately one order
to generate a pair (C, d) = commit(m), where (C, d) is
of magnitude less packets than random jamming. This is
called the commitment/decommitment pair. At the end of
because, as the packet transmission rate of the sender drops
stage t1 , A releases the commitment C to V . In the open
fewer packets need to be selectively targeted. Moreover,
stage t2 , A releases the opening value d. Upon reception
in selective jamming, the fraction of time the adversary
of d, V opens the commitment C, by applying function
remains active is several orders of magnitude less compared to
f2 = open(), thus obtaining a value of m′ = open(C, d). This
random jamming. From Fig. 3(d), we observe that targeting
stage culminates in either acceptance (m′ = m) or rejection
control packets such as RTS/CTS messages and TCP-ACKs
(m′ = m) of the commitment by V . Commitment schemes
yields the lowest jamming activity, because control packets
satisfy the following two fundamental properties:
are significantly smaller compared to data packets. Such
low-effort jamming attacks are not only efficient in terms of - Hiding: For every polynomial-time party V interacting
energy expenditure, but also challenging in localizing and with A, there is no (probabilistic) polynomially-efficient
physically removing the jamming devices. Typical methods algorithm that would allow V to associate C with m
of transmitter localization such as received signal strength and C ′ with m′ , without access to the decommitment
and angle of arrival measurements require that the jamming values d or d′ respectively, and with non-negligible
device remains active for extended periods of time. probability.
Selective Jamming at the Network Layer–In this sce- - Binding: For every polynomial-time party A interact-
nario, we simulated a multi-hop wireless network of 35 ing with V , there is no (probabilistic) polynomially-
nodes, randomly placed within a square area. The AODV efficient algorithm that would allow A to generate a
routing protocol was used to discover and establish routing triple (C, d, d′ ), such that V accepts the commitments
paths [19]. Connection requests were initiated between ran- (C, d) and (C, d′ ), with non-negligible probability.
dom source/destination pairs. Three jammers were strate- In our context, the role of the committer is assumed by
gically placed to selectively jam non-overlapping areas the transmitting node S. The role of the verifier is assumed
of the network. Three types of jamming strategies were by any receiver R, including the jammer J. The committed
considered: (a) a continuous jammer, (b) a random jammer value m is the packet that S wants to communicate to
blocking only a fraction p of the transmitted packets, and (c) R. To transmit m, the sender computes the corresponding
a selective jammer targeting route request (RREQ) packets. commitment/decommitment pair (C, d), and broadcasts C.
In Fig. 3(e), we show the number of connections es- The hiding property ensures that m is not revealed during
tablished, normalized over the number of connections in the transmission of C. To reveal m, the sender releases the
the absence of the jammers. Fig. 3(f) shows the fraction of decommitment value d, in which case m is obtained by
time that the jammer was active during our simulation, for all receivers, including J. Note that the hiding property,
each jamming strategy. We observe that a selective jamming as defined in commitment schemes, does not consider the
attack against RREQ messages is equally effective to a partial release of d and its implications on the partial reveal
constant jamming attack. However, selective jamming is of m. In fact, a common way of opening commitments is
several orders of magnitude more efficient as it is illustrated by releasing the committed value itself [7].
in Fig. 3(f). On the other hand, random jamming fails to For most applications, partial reveal of m with the partial
disrupt the route discovery process due to the flooding release of d does not constitute a security risk. After all, the
mechanism of AODV. committer intends to reveal m by exposing d. However,
in our context, a partial reveal of m while d is being
5 H IDING BASED ON C OMMITTMENTS transmitted can lead to the classification of m before the
In this section, we show that the problem of real-time packet transmission of d is completed. Thus, the jammer has
classification can be mapped to the hiding property of the opportunity to jam d instead of C once m has been
commitment schemes, and propose a packet-hiding scheme classified. To prevent this scenario, we introduce the strong
based on commitments. hiding property:


- Strong Hiding: For every polynomial-time party V in-
teracting with A and possessing pairs (C, dpart ) and
(C ′ , d′ ), there is no (probabilistic) polynomially-
part
efficient algorithm that would allow V associate C
with m and C ′ with m′ , with non-negligble probability.
Here, dpart and d′ ′
part are partial releases of d and d ,
′
respectively, and the remaining parts of d and d are
assumed to be secret.
In the above definition, it is easily seen that the release
of dpart must be limited to a fraction of d, in order for
m to remain hidden. If a significant part of d becomes
known to the verifier, trivial attacks, such as brute forcing Fig. 4. Processing at the hiding sublayer.
the unknown bits of d, become possible.
input to the encryption algorithm and delay the reception
5.2 A Strong Hiding Commitment Scheme (SHCS) of critical packet identifiers such as headers. After the
We propose a strong hiding commitment scheme (SHCS), permutation, π1 (m) is encrypted using a random key k to
which is based on symmetric cryptography. Our main produce the commitment value C = Ek (π1 (m)). Although
motivation is to satisfy the strong hiding property while the random permutation of m and its encryption with a
keeping the computation and communication overhead to random key k seemingly achieve the same goal (i.e., the
a minimum. Assume that the sender S has a packet m for randomization of the ciphertext), in Section 5.4 we show
R. First, S constructs (C, d) = commit(m), where, that both are necessary to achieve packet hiding.
In the next step, a padding function pad() appends
C = Ek (π1 (m)), d = k. pad(C) bits to C, making it a multiple of the symbol size.
Here, the commitment function Ek () is an off-the-shelf Finally, C||pad(C)||k is permuted by applying a publicly
symmetric encryption algorithm (e.g., DES or AES [27]), known permutation π2 . The purpose of π2 is to ensure that
π1 is a publicly known permutation, and k ∈ {0, 1}s is a the interleaving function applied at the PHY layer does not
randomly selected key of some desired key length s (the disperse the bits of k to other symbols. We now present the
length of k is a security parameter). The sender broadcasts padding and permutation functions in detail.
(C||d), where “||” denotes the concatenation operation. Padding–The purpose of padding is to ensure that k is
Upon reception of d, any receiver R computes modulated in the minimum number of symbols needed for
its transmission. This is necessary for minimizing the time
−1
m = π1 (Dk (C)) , for which parts of k become exposed. Let ℓ1 denote the
−1
where π1 denotes the inverse permutation of π1 . To satisfy number of bits padded to C. For simplicity, assume that
the strong hiding property, the packet carrying d is format- the length of C is a multiple of the block length of the
ted so that all bits of d are modulated in the last few PHY layer symmetric encryption algorithm and hence, has the same
symbols of the packet. To recover d, any receiver must receive length ℓ as the original message m. Let also ℓ2 denote the
and decode the last symbols of the transmitted packet, length of the header added at the PHY layer The frame
thus preventing early disclosure of d. We now present the carrying (C, d) before the encoder has a length of (ℓ + ℓ1 +
implementation details of SHCS. ℓ2 +s) bits. Assuming that the rate of the encoder is α/β the
β
output of the encoder will be of length, α (ℓ + ℓ1 + ℓ2 + s).
For the last symbol of transmission to include α q bits of
β
5.3 Implementation Details of SHCS the key k, it must hold that,
The proposed SHCS requires the joint consideration of the
α β
MAC and PHY layers. To reduce the overhead of SHCS, the ℓ1 = q − (ℓ + ℓ2 ) mod q) . (3)
decommitment value d (i.e., the decryption key k) is carried β α
in the same packet as the committed value C. This saves the Permutation–The hiding layer applies two publicly
extra packet header needed for transmitting d individually. known permutations π1 and π2 at different processing
To achieve the strong hiding property, a sublayer called the stages. Permutation π1 is applied to m before it is encrypted.
“hiding sublayer” is inserted between the MAC and the The purpose of π1 is twofold. First, it distributes critical
PHY layer. This sublayer is responsible for formatting m frame fields which can be used for packet classification
before it is processed by the PHY layer. The functions of across multiple plaintext blocks. Hence, to reconstruct these
the hiding sublayer are outlined in Fig. 4. fields, all corresponding ciphertext blocks must be received
Consider a frame m at the MAC layer delivered to the and decrypted. Moreover, header information is pushed
hiding sublayer. Frame m consists of a MAC header and at the end of π1 (m). This prevents early reception of the
the payload, followed by the trailer containing the CRC corresponding ciphertext blocks.
code. Initially, m is permuted by applying a publicly known For example, consider the transmission of a MAC frame
permutation π1 . The purpose of π1 is to randomize the of length 2,336 bytes which carries a TCP data packet. The


Field 1 Field 2 Field 3 Field n Random Payload

}
received first. The jammer can attempt to classify m by

}
}
}
}
m
launching a ciphertext-only attack on C as early as the re-
. . . . . . . . . . . . . . . . . .

ception of the first ciphertext block. Because the encryption
π1(m) ... ... ... key is refreshed at every transmission, a very small number
of ciphertext blocks are available for cryptanalysis. Appro-
Ek(π1(m)) ... priate selection of the key length s can prevent this type
of attack. Note that s can be well below the cryptographic
Fig. 5. Application of permutation π1 on packet m. standards, due to the limited time available to the adversary
(until the transmission is completed). For instance, a 56-bit
MAC header is 28 bytes long and has a total of 18 distinct long DES key is more than adequate for our purposes, since
fields. TCP header is 20 bytes long (assuming no optional the fastest known brute force attack on DES takes almost a
fields) and has 17 distinct fields. Assume the encryption day [24]. Other types of known attacks such as differential
of a fixed block of 128 bits. Packet π1 (m) is partitioned to and linear cryptanalysis are not applicable, because they
146 plaintext blocks {p1 , p2 , . . . , p146 }, and is encrypted to require the collection of a large number of chosen or known
produce 146 ciphertext blocks C = c1 ||c2 || . . . ||c146 . Each plaintext/ciphertext pairs [27].
field of the TCP and MAC headers is distributed bit-by-bit Even if the key for a particular packet is revealed to
from the most significant bit (MSB) to the least significant the adversary, packet classification is delayed until the end
bit (LSB) to each of the plaintext blocks in the reverse block of C’s transmission. The application of the permutation
order. This process is depicted in Fig. 5. function π1 distributes frame fields to ciphertext blocks
For fields longer than one bit, bits are numbered from in the reverse order of transmission, with the MSBs from
the LSB to the MSB and are placed in reverse order to each field appearing on the last ciphertext block. Hence,
each plaintext block. To recover any field i that is ℓi bits reception of all blocks of C is required for the complete
long, the last ℓi ciphertext blocks must be received and recovery of headers. To minimize the communication over-
decrypted. If ℓi > ℓb , where ℓb denotes the ciphertext block head, k must be selected to be of the smallest length
length, the bit placement process continues in a round- adequate for the protection of C, for the time required
robin fashion. The second goal of the permutation π1 is to transmit one packet. However, special care must be
to randomize the plaintext blocks. Assuming a random taken to withstand codebooks attacks on k. In such attacks,
payload, the permutation distributes the payload bits to all the adversary can encrypt a particular message of inter-
plaintext blocks processed by the encryption function, thus est with all possible keys and construct a look-up table
randomizing each ciphertext block. (codebook) of all possible ciphertexts. If the encryption
Permutation π2 is applied to reverse the effects of in- of all possible messages with all possible keys results in
terleaving on the bits of k, so that k is contained at the unique ciphertexts, there is a 1-1 correspondence between
packet trailer. Interleaving can be applied across multiple a ciphertext and the generating plaintext/key pair. This
frequencies on the same symbol (e.g., in OFDM), or it may property is guaranteed with high probability when the
span multiple symbols [9]. For example, consider a d × β plaintext space M and the key space K are much smaller
block interleaver. Without loss of generality, assume that than the ciphertext space C. Assuming the encryption of
β = q, and let the last n rows of the last block passed a plaintext block mi with a key ki randomly maps to a
via the interleaver correspond to the encoded version of ciphertext ci = Eki (mi ), every ciphertext ci ∈ C occurs with
the random key k. Permutation π2 rearranges the bits of 1
probability pc = |C| . The problem of finding the probability
k at the interleaver matrix Ad×β in such a way that all that all |M||K| ciphertexts produced by the encryption of
bits of k appear in the last n columns. Therefore, the all plaintexts with all keys are unique, can be formulated
bits of k will be modulated as the last n symbols of the as a “birthday problem” [27]:
transmitted packet. Note that this operation affects only
the interleaver block(s) that carries k. For the rest of the −|M|·|K|(|M|·|K|−1)
Pr[ciphertexts unique] ≈ e 2|C| .
packet, the interleaving function is performed normally,
thus preserving the benefits of interleaving. For PHY layer As an example, consider the encryption of a message m =
implementations in which interleaving is applied on a per-
{m1 , m2 , . . . mx } with a key k of length 56 bits, using blocks
symbol basis (e.g, 802.11a and 802.11g), the application of of 128 bits. For a fairly small plaintext space (e.g., |M| = 16),
permutation π2 is not necessary. the probability of ciphertext uniqueness is equal to 99.8%.
Thus, the adversary can recover k, by launching a codebook
5.4 Security Analysis attack on m1 . The remaining ci ’s are decrypted in real-time,
In this section, we analyze the security of SHCS by evalu- using the known value of k. Here, the plaintext space for m1
ating the ability of J in classifying a transmitted packet at is considered to be small because of the structure imposed
different stages of the packet transmission. by the static header of a packet (all fields of the header are
Release of C–We first examine if J can classify m by known to the adversary). Randomization of the plaintext,
observing the commitment value C. Though C and k are ensures that all plaintexts are possible, thus equating the
part of the same packet, symbols corresponding to C are plaintext space with the ciphertext space.


Partial release of d–Depending on the PHY layer im- format (source/destination address must be in the context
plementation, d = k requires n ≥ 1 symbols for its of the communications, CRC code must be valid, etc). Given
transmission. Hence, part of k may become known before that k is transmitted right after C, the jammer has no time
the completion of the transmission of the packet at hand. to find an appropriate k ′ that would lead to the decryption
This release reduces the search space for a brute force attack of an acceptable m′ , assuming that such m′ exists. If m′ is
on k. Assume that the adversary pro-actively jams a few not meaningful, substituting k with k ′ is equivalent to a
symbols below the ECC capability of the receiver during jamming attack on m without classification (no selectivity).
the transmission of C. In the best case, he can postpone The binding property can be theoretically achieved if a
his decision to jam a transmitted packet until the trans- random string r is appended to m [23]. In this case, the
mission of the last symbol (jam one more symbol to drop commitment/decommitment pair (C, d) is,
the packet). He must therefore complete the classification
C = (γ, δ) = (Ek (m||r), r), d = k.
process before the last symbol is transmitted. Assuming that
the adversary waits until the maximum number of bits of Provided that r is sufficiently long, a computationally
k are released, the key search space before the transmission
α
bounded jammer cannot find a k ′ such that Dk′ (C) = m′ ||r.
of the last two symbols is equal to 22 β q keys. The adversary In this case, r preserves the integrity of message m. Since
α
must be capable of performing on average N = 2(2 β q−1) R the addition of r is not necessary for preventing real-time
decryptions per second in order to find k before the last classification of m, we leave the implementation of the
symbol is transmitted2 . Here, we have assumed that, on binding property to the discretion of the system designer.
average, half the key space must be searched.
For example, assume an 802.11a PHY layer operating at 5.5 Resource Overhead of SHCS
6 Mbps, with every symbol carrying 24 bits of information.
Consider k to be a 56-bit DES key, fitting in three symbols. In this section we analyze the per-packet communication
The computational capability of the adversary must be and computational overhead of SHCS.
equal to N ≈ 3.52×1019 decryptions/sec in order to recover Communication Overhead–For every packet m, a ran-
k before the completion of the packet transmission. The dom key k of length s is appended. Also, (ℓb − (ℓ mod ℓb ))
fastest known hardware implementation of a DES cracker bits of overhead are added by the encryption algorithm,
achieves a throughput of 2.92 × 1011 keys per second [24]. to convert a plaintext of length ℓ to a multiple of the
For an operating rate of 54 Mbps, all 56 bits of the key k encryption block. Thus, the communication overhead of
fit in one symbol (symbol size is 216 bits), thus preventing SHCS is equal to s + (ℓb − (ℓ mod ℓb )), per packet. Here,
the partial release of the decommitment value d. we do not account for the padding string pad(C), because
A brute force attack on k may be successful if q ≤ the addition of pad(C) does not increase the number of
β 11 transmitted symbols.
2α log2 N + 1 . For instance, when N = 2.92 × 10 , the
adversary can find k if q ≤ 19 bits. In fact, for small values Computation Overhead–The computation overhead of
of q (e.g., 4), the adversary can launch the brute force attack SHCS is one symmetric encryption at the sender and one
on k, several symbols before the end of k’s transmission. symmetric decryption at the receiver. Because the header
Therefore, SHCS is suitable for PHY layer implementations information is permuted as a trailer and encrypted, all
where the number of bits per symbol q is sufficiently large. receivers in the vicinity of a sender must receive the entire
Note that our security analysis has excluded all processing packet and decrypt it, before the packet type and destina-
delays from the time that symbols are received to the time tion can be determined. However, in wireless protocols such
that they become available for cryptanalysis. as 802.11, the complete packet is received at the MAC layer
Binding property–The binding property is not a security before it is decided if the packet must be discarded or be
requirement of SHCS under our adversary model. Since further processed [9]. If some parts of the MAC header are
the primary goal of any sender S in the network is to deemed not to be useful information to the jammer, they
communicate m, S has no interest in modifying m after can remain unencrypted in the header of the packet, thus
he has committed to it. However, under a more general avoiding the decryption operation at the receiver.
adversary model, the jammer may launch denial of service
attacks by making the receiver R to accept a k ′ = k such 6 H IDING BASED ON C RYPTOGRAPHIC P UZZLES
that m′ = Dk (C) is a meaningful message. Even though
′
In this section, we present a packet hiding scheme based on
SHCS is not designed to ensure the binding property of cryptographic puzzles. The main idea behind such puzzles
commitment schemes, generating a k ′ = k that opens a is to force the recipient of a puzzle execute a pre-defined
valid value of m′ = m is a computationally hard task. set of computations before he is able to extract a secret of
In order to find such a k ′ , the jammer has to launch a interest. The time required for obtaining the solution of
brute force attack on C. Here, not only the attack must be a puzzle depends on its hardness and the computational
performed in a timely manner, but m′ has to be in the right ability of the solver [10]. The advantage of the puzzle-
based scheme is that its security does not rely on the PHY
2. A more accurate calculation of N would assume an adversary trying
a brute force attack on k, with the reception of the first ciphertext block, layer parameters. However, it has higher computation and
and adjusting the searching space according to the partial release of k. communication overhead.


Sender S Receiver R In a time-lock puzzle, the puzzle constructor generates
a composite modulus g = u · v, where u and v are two
generate: k, tp
compute large random prime numbers. Then, he picks a random
C, P C', P' a, 1 < a < g and hides the encryption key in Kh =
P = puzzle(k, tp) k' = solve(P) t
C = E k(π1(m)) k + a2 mod g, where t = tp · N , is the amount of time
compute: m' = π1-1(Dk'(C'))
required to solve for k. Here, it is assumed that the solver
verify: m' is meaningful
can perform N squarings modulo g per second. Note that
if not: discard m'
Kh can be computed efficiently if φ(g) = (u − 1)(v − 1) or
Fig. 6. The cryptographic puzzle-based hiding scheme. the factorization of g are known, otherwise a solver would
have to perform all t squarings to recover k. The puzzle
In our context, we use cryptographic puzzles to tempo- consists of the values P = (g, Kh , t, a).
rary hide transmitted packets. A packet m is encrypted In our setup, the value of the modulus g is known a priori
with a randomly selected symmetric key k of a desirable and need not be communicated (may change periodically).
length s. The key k is blinded using a cryptographic puzzle The sender reveals the rest of the puzzle information in the
and sent to the receiver. For a computationally bounded order (Kh , t, a). Note that if any of t, a are unknown, any
adversary, the puzzle carrying k cannot be solved before value of k is possible [22].
the transmission of the encrypted version of m is completed Puzzles based on hashing–Computationally limited re-
and the puzzle is received. Hence, the adversary cannot ceivers can incur significant delay and energy consumption
classify m for the purpose of selective jamming. when dealing with modulo arithmetic. In this case, CPHS
can be implemented from cryptographic puzzles which
6.1 Cryptographic Puzzle Hiding Scheme (CPHS) employ computationally efficient cryptographic primitives.
Let a sender S have a packet m for transmission. The Client puzzles proposed in [10], use one-way hash func-
sender selects a random key k ∈ {0, 1}s , of a desired tions with partially disclosed inputs to force puzzle solvers
length. S generates a puzzle P = puzzle(k, tp), where search through a space of a precisely controlled size. In our
puzzle() denotes the puzzle generator function, and tp context, the sender picks a random key k with k = k1 ||k2 .
denotes the time required for the solution of the puzzle. The lengths of k1 and k2 are s1 , and s2 , respectively. He then
Parameter tp is measured in units of time, and it is directly computes C = Ek (π1 (m)) and transmits (C, k1 , h(k)) in this
dependent on the assumed computational capability of the particular order. To obtain k, any receiver has to perform
adversary, denoted by N and measured in computational on average 2s2 −1 hash operations (assuming perfect hash
operations per second. After generating the puzzle P , the functions). Because the puzzle cannot be solved before h(k)
sender broadcasts (C, P ), where C = Ek (π1 (m)). At the has been received, the adversary cannot classify m before
receiver side, any receiver R solves the received puzzle P ′ the completion of m’s transmission.
to recover key k ′ and then computes m′ = π −1 (Dk′ (C ′ )). If
the decrypted packet m′ is meaningful (i.e., is in the proper 6.3 Security Analysis of CPHS
format, has a valid CRC code, and is within the context
of the receiver’s communication), the receiver accepts that With the completion of the transmission of P , any receiver
m′ = m. Else, the receiver discards m′ . Fig. 6 shows the can recover m. Therefore, a selective jammer must attempt
details of CPHS. to classify m before the transmission of P has been com-
pleted. We analyze the security of CPHS at different stages
of its execution.
6.2 Implementation Details of CPHS Reception of C–The jammer can attempt to classify m
In this section, we consider several puzzle schemes as the by cryptanalyzing ciphertext C = Ek (π1 (m)). This attack is
basis for CPHS. For each scheme, we analyze the imple- identical to the effort of classifying m with the transmission
mentation details which impact security and performance. of C at the SHCS. The same analysis presented in Section
Cryptographic puzzles are primitives originally suggested 5.4 holds for the case of CPHS. The selection of a key of
by Merkle as a method for establishing a secret over an adequate length (e.g., 56-bit DES key) is sufficient to prevent
insecure channel [16]. They find a wide range of applica- both ciphertext-only and codebook attacks.
tions from preventing DoS attacks to providing broadcast Solving P –The transmission of k in the form of a puzzle
authentication and key escrow schemes. P prevents any receiver from recovering k for at least time
Time-lock Puzzles–Rivest et al. proposed a construction tp , after the puzzle has been received. A jammer may try
called time-lock puzzles, which is based on the iterative to guess and solve P before its transmission is completed.
application of a precisely controlled number of modulo In the best case, the adversary must finish the classification
operations [22]. Time-lock puzzles have several attractive of m before the transmission of the last symbol of P. The
features such as the fine granularity in controlling tp and number of possible puzzle values at the beginning of the
α
the sequential nature of the computation. Moreover, the second to last symbol are 22 β q . Assuming a brute force
puzzle generation requires significantly less computation attack on the missing bits of the puzzle, the computational
α
compared to puzzle solving. load of the adversary increases on average to 22 β q−1 tp .


The value of tp has already been selected to prevent the blocks, without any change on the size of the secret key.
puzzle solution until its transmission is completed. Hence, Note that the original AONT proposed in [21] is computa-
early solution of P before all its bits are received cannot be tionally secure. Several AONT schemes have been proposed
achieved. Note that the security of CPHS is not dependent that extend the definition of AONT to undeniable security
on the PHY layer parameter q, but on the selection of [26]. Under this model, all plaintexts are equiprobable in
tp . Therefore, this method is applicable even to wireless the absence of at least one pseudo-message.
systems where q obtains relatively small values.
7.1 An AONT-based Hiding Scheme (AONT-HS)
6.4 Resource Overhead of CPHS
In our context, packets are pre-processed by an AONT be-
Communication Overhead–The per-packet communication fore transmission but remain unencrypted. The jammer can-
overhead of CPHS is equal to the length of P , in addition to not perform packet classification until all pseudo-messages
the padding added by the encryption function. If the puzzle corresponding to the original packet have been received
is realized using time-locks, the length of P is equal to the and the inverse transformation has been applied. Packet m
lengths of Kh , a, and t. The value Kh is computed modulo g is partitioned to a set of x input blocks m = {m1 , . . . , mx },
and has the same length as g. Similarly, a has a length equal which serve as an input to an AONT f : {Fu }x → {Fu }x .
′

to the length of g. The size of t is potentially smaller than ′
Here, Fu denotes the alphabet of blocks mi and x denotes
a, g, and Kh , and depends on the computational capability the number of output pseudo-messages with x′ ≥ x. The
of the adversary. The security of time locks depends on the set of pseudo-messages m′ = {m′ , . . . , m′ ′ } is transmitted
1 x
difficulty in factoring g or finding φ(g), where φ() denotes over the wireless medium. At the receiver, the inverse
the Euler φ−function. Typical values of g are in the order transformation f −1 is applied after all x′ pseudo-messages
of 1,024 bits [27]. Since messages need to remain hidden for are received, in order to recover m.
only a short period of time, the modulo can be chosen to be
of much smaller size and be periodically refreshed. In the
case of hash-based puzzles, the communication overhead is 7.2 Implementation details of the AONT-HS
equal to the transmission of the key k1 which is of length s1 In this section, we describe two AONTs which can be
and the hash value h(k). The typical length of hash function employed in AONT-HS; a linear transformation [26], and
is 160 bits [27]. the original package transformation [21].
Computation Overhead–In time-lock puzzles, the sender Linear AONT–In [26], Stinson showed how to construct
has to apply one permutation on m, perform one symmetric a linear AONT when the alphabet of the input blocks is
encryption, and one modulo squaring operation to hide k. a finite field Fu , with the order u being a prime power.
On the receiver side, the receiver has to perform t modulo He showed that if an invertible matrix M = {mij |mij ∈
squaring operations to recover k, one symmetric decryption Fu , mij = 0}x×x exists, then the transformation f (m) =
to recover π1 (m), and apply the inverse permutation. In the mM −1 is a linear AONT. He also provided a method for
case of hash-based puzzles, the modulo squaring operation constructing such M which is as follows.
is substituted by, on average, 2s2 −1 hashing operations. Let u = v i , where v is prime and i is a positive integer.
Choose λ ∈ Fu such that λ ∈ {n− 1 (mod v), n− 2 (mod v)}
/
7 H IDING BASED ON A LL - OR - NOTHING T RANS - and define the linear AONT LT to be,
FORMATIONS
 
1 0 ··· 0 1
In this section, we propose a solution based on All-Or-  . . .. . . 
 . . . . . 
Nothing Transformations (AONT) that introduces a modest LT =  . . . .  (4)
 0 0 ··· 1 1 
communication and computation overhead. Such transfor-
1 1 ··· 1 λ
mations were originally proposed by Rivest to slow down
brute force attacks against block encryption algorithms [21]. Given m = {m1 , . . . , mx },
An AONT serves as a publicly known and completely x−1
invertible pre-processing step to a plaintext before it is m′ = λmx + mj , m′ = mi + m′ , 1 ≤ i ≤ (x − 1). (5)
x i x
passed to an ordinary block encryption algorithm. A trans- j=1
formation f, mapping message m = {m1 , · · · , mx } to a
sequence of pseudo-messages m′ = {m′ , · · · , m′ ′ }, is an
1 x
Conversely, given m′ = {m′ , . . . , m′ }, the original input
1 x
AONT if [21]: (a) f is a bijection, (b) it is computationally m = {m1 , . . . , mx } is recovered as follows:
infeasible to obtain any part of the original plaintext, if
mi = m′ − m′ , 1 ≤ i ≤ (x − 1),
i x (6)
one of the pseudo-messages is unknown, and (c) f and its
1
inverse f −1 are efficiently computable. mx = γ(m′
1 + . . . m′
x−1 − m′ ),
x γ= . (7)
When a plaintext is pre-processed by an AONT before n−λ−1
encryption, all ciphertext blocks must be received to obtain Note from (6), (7) that if any of the {m′ } is missing, all
i
any part of the plaintext. Therefore, brute force attacks are values of mi are possible, for every i. Thus, the linear AONT
slowed down by a factor equal to the number of ciphertext provides undeniable security.


Sender S Receiver R symbol of m′ , is transmitted. The search space for m′ is
x x
reduced to its smallest value before the transmission of the
compute: last two symbols, in which case the possible values of m are
m || pad(m) α
equal to 22 β q . The adversary must be capable of solving on
transform: α
average 22 β q−1 systems of linear equations in time equal
m' = f (m || pad(m)) m' receive m' 1
to the length of one symbol ( R sec), in the case of the
compute linear AONT, or perform the same number of decryptions
m || pad(m)= f -1(m') for the case of the package transform. For instance when
recover m q = 48 and α/β = 1/2 (802.11a), the search space is equal
Fig. 7. The AONT-based Hiding Scheme (AONT-HS). to 1.4 × 1014 . As in the case of SHCS, when the value of q
β
becomes small (q ≤ 2α log2 N +1), a brute force attack on m
The Package Transform–In the package transform [21], is possible. Therefore, AONT-HS is suitable for PHY layer
given a message m, and a random key k ′ , the output implementations where q is sufficiently large.
pseudo-messages are computed as follows:
m′
i = mi ⊕ Ek′ (i), for i = 1, 2, . . . , x (8) 7.4 Resource Overhead of the AONT-HS
′
mx+1 = k ′ ⊕ e1 ⊕ e2 ⊕ · · · ⊕ ex , (9) Communication Overhead–In AONT-HS, the original set
of x messages is transformed to a set of x′ pseudo-messages,
where ei = Ek0 (m′ ⊕ i), for i = 1, 2, . . . , x, and k0 is a fixed
i with x′ ≥ x. Additionally, the function pad() appends
publicly-known encryption key. With the reception of all (ℓb − (ℓ mod ℓb )) bits in order to make the length of m a
pseudo-messages message m is recovered as follows: multiple of the length ℓb of the pseudo-messages m′ . Hence,
k′ = m′ the communication overhead introduced is (ℓb (x′ − x) + ℓb −
x+1 ⊕ e1 ⊕ e2 ⊕ · · · ⊕ ex , (10)
′ (ℓ mod ℓb )) bits. For the linear AONT, x = x′ , and therefore,
mi = mi ⊕ Ek′ (i), for i = 1, 2, . . . , x. (11)
only the padding communication overhead is introduced.
Note that if any m′ is unknown, any value of k ′ is
i For the package transform, the overhead is equal to the
possible, because the corresponding ei is not known. Hence, length of one pseudo-message (x′ = x + 1).
Ek′ (i) cannot be recovered for any i, making it infeasible Computation Overhead–The linear AONT requires only
to obtain any of the mi . elementary arithmetic operations such as string addition
Hiding Sublayer Details–AONT-HS is implemented at and multiplication, making it particularly fast due to its
the hiding sublayer residing between the MAC and the linear nature. The package transform requires x′ symmetric
PHY layers. In the first step, m is padded by applying encryptions at the sender and an equal amount of sym-
function pad() to adjust the frame length so that no padding metric decryptions at the receiver. Note that the length of
is needed at the PHY layer, and the length of m becomes the plaintext for the x′ encryptions is relatively small com-
a multiple of the length of the pseudo-messages m′ . This
i pared to the length of message m (indexes 1, . . . , x are en-
will ensure that all bits of the transmitted packet are part of crypted). Therefore, only one ciphertext block is produced
the AONT. In the next step, m||pad(m) is partitioned to x per pseudo-message. Assuming a pseudo-message block
blocks, and the AONT f is applied. Message m′ is delivered size equal to the ciphertext block size ℓb , the computational
to the PHY layer. At the receiver, the inverse transformation overhead of the x′ encryptions required by the package
f −1 is applied to obtain m||pad(m). The padded bits are transform is equivalent to the overhead of one encryption
removed and the original message m is recovered. The steps of a message of length ℓ + ℓb .
of AONT-HS are shown in Fig. 7.
8 E VALUATION OF PACKET-H IDING T ECHNIQUES
7.3 Security Analysis of the AONT-HS In this section, we evaluate the impact of our packet-hiding
Partial reception of m′ , i < x′ –In the AONT-HS, the
i techniques on the network performance via extensive sim-
jammer may attempt to classify m without receiving all m′ i ulations. We used the OPNETTM Modeler 14.5 [18] to im-
(1 ≤ i ≤ x′ ). By definition, AONTs prevent the computation plement the hiding sublayer and measure its impact on the
of any part of m without the reception of all the pseudo- effective throughput of end-to-end connections and on the
messages. In fact, for the linear AONT, undeniable security route discovery process in wireless ad-hoc networks. We
is achieved. The jammer can launch a brute force attack on chose a set of nodes running 802.11b at the PHY and MAC
m as early as the reception of m′ . However, the system of
1 layers, AODV for route discovery, and TCP at the transport
equations formed by m′ ’s when at least one is missing, has
i layer. Aside from our methods, we also implemented a
a number of solutions equal to the message space. All these simple MAC layer encryption with a static key.
solutions are equiprobable. Impact on real-time systems–Our packet-hiding methods
Partial release of m′ –With the partial release of the
x require the processing of each individual packet by the
last pseudo-message m′ , the space of the possible original
x hiding sublayer. We emphasize that the incurred processing
messages m is reduced. As stated by our adversarial model, delay is acceptable, even for real-time applications. The
the classification of m must be completed before the last SCHS requires the application of two permutations and one


0.8 0.5 1

Route Discovery Time (sec)
0.7
0.4 0.8
0.6

E[T] (Mbps)
E[T] (Mbps)

0.5 0.3 0.6
0.4

0.3 0.2 0.4

0.2
0.1 0.2
0.1

0 0 0
N.H. M.E. C.S. T.P. H.P. L.T. P.T. N.H. M.E. C.S. T.P. H.P. L.T. P.T. N.H. M.E. C.S. T.P. H.P. L.T. P.T.

(a) (b) (c)
Fig. 8. (a) Average effective throughput (line network topology), (b) average route discovery time (non-congested network),
(c) average effective throughput (congested network). N.H: No packet hiding, M.E: MAC-layer encryption with a static key,
C.S.: SHCS, T.P.: Time-lock CPHS, H.P.: Hash-based CPHS, L.T.: Linear AONT-HS, P.T.: Package transform.

symmetric encryption at the sender, while the inverse oper- techniques based on cryptographic puzzles decrease the ef-
ations have to be performed at the receiver. Such operations fective throughput of the TCP connection to half, compared
can be implemented in hardware very efficiently. Symmetric to the no hiding case. This performance is anticipated since
encryption such as AES can be implemented at speeds of the time required to solve a puzzle after a packet has been
tens of Gbps/s when realized with Application Specific received at the MAC layer is equal to the transmission
Integrated Circuits (ASICs) or Field Programmable Gate time of each packet. While this constitutes a significant
Arrays (FPGAs) [6]. These processing speeds are orders performance reduction, we emphasize that cryptographic
of magnitude higher than the transmission speeds of most puzzles were suggested as a candidate solution only when
current wireless technologies, and hence, do not impose a the symbol size is so small that more efficient hiding
significant delay. methods do not provide adequate levels of security.
Similarly, the AONT-HS performs linear operations on In the second set of experiments, we studied the impact
the packet that can be efficiently implemented in hardware. of packet hiding on the route discovery process in an
We note that a non-negligible processing delay is incurred ad-hoc network. We generated a random topology of 54
by the CPHS. This is due to the cryptographic puzzle that nodes placed in an area of 500 × 400 m2 . Nodes discovered
must be solved at the receiver. As suggested in Section 6, routes using the AODV routing protocol. A total of twenty
CPHS should only be employed when the symbol size at client/server pairs exchanged messages of size 1 KB using
the PHY layer is too small to support the SHCS and AONT- the TCP protocol, at randomly chosen starting times. The
HS solutions. The processing delays of the various schemes size of the message exchanged between pairs of nodes was
are taken into account in our experimental evaluations. kept small in order to avoid skewing of the route discovery
Experimental evaluation–In the first set of experiments, performance due to network congestion.
we setup a single file transfer between a client and server, The average route discovery delay is shown in Fig. 8(b).
connected via a multi-hop route. The client requested a 1 This delay is defined as the time difference between the
MB file from the server. We evaluated the effects of packet transmission of the first RREQ from a source and the
hiding by measuring the effective throughput of the TCP reception of the corresponding RREP from the destination.
connection in the following scenarios: (a) No packet hiding We observe that the impact of packet hiding on the route
(N.H.), (b) MAC-layer encryption with a static key (M.E.), discovery delay is minimal compared to the case where
(c) SHCS (C.S.), (d) Time-lock CPHS (T.P.), (e) Hash-based no packet hiding is employed. This similarity in perfor-
CPHS (H.P.), (f) Linear AONT-HS (L.T.), and (g) AONT-HS mance is due to the expanding ring search technique of
based on the package transform (P.T.). AODV, which is used to prevent unnecessary network-
In Fig. 8(a), we show the effective throughput aver- wide dissemination of RREQs [19]. In order to discover
aged over 100 different traces. We observe that MAC-layer a route, the originating node sends a RREQ with a time-
encryption, SHCS and the linear AONT-HS achieve an to-live (TTL) value equal to one hop, and waits for the
effective throughput close to the throughput in the absence corresponding RREP. If the RREP is not received before a
of packet hiding. This is justified by the the relatively timeout value (to ) expires, the originating node increases
small communication overhead of each hiding method and the TTL and the timeout to , and re-broadcasts the RREQ.
the small queuing delay at intermediate routers due to This process is repeated until a valid RREP is received,
the absence of any cross traffic. The AONT-HS based on or the TTL value exceeds the maximum diameter of the
the package transform achieved slightly lower throughput, network. The expanding ring search technique introduces a
because it occurs a per-packet overhead of 128 bits as dominant delay in comparison to the delay introduced by
opposed to 56 bits for SHCS. We also observe that hiding the packet-hiding techniques. For example, in the case of


time-lock CPHS, the per-packet delay overhead is tp = 448 [14]. The adversary was assumed to target control messages
µsec. Using the default values specified by RFC 3561 [19], at different layers of the network stack. To mitigate smart
the value of the first timeout is to = 240 msec, which is 535 jamming, the authors proposed the SPREAD system, which
times higher than tp , making the total delay introduced by is based on the idea of stochastic selection between a
time-lock CPHS insignificant. collection of parallel protocols at each layer. The uncer-
In the third set of experiments, we evaluated the per- tainty introduced by this stochastic selection, mitigated the
formance of TCP in a congested ad-hoc network. We con- selective ability of the jammer. Greenstein et al. presented
sidered the same network topology used in the second set a 802.11-like wireless protocol called Slyfi that prevents the
of experiments. Twenty source/destination pairs simultane- classification of packets by external observers. This protocol
ously exchanged 2 MB files using TCP. In Fig. 8(d), we show hides all explicit identifiers from the transmitted packets
the effective throughput averaged over all 20 TCP connec- (e.g. MAC layer header and payload), by encrypting them
tions. We observe that efficient packet-hiding techniques with keys only known to the intended receivers [8].
such as SHCS, and AONT-HS have a relatively small impact Selective jamming attacks have been experimentally im-
on the overall throughput. This is because in a congested plemented using software-defined radio engines [32], [34].
network, the performance is primarily dependent on the Wilhelm et al. implemented a USRP2-based jamming plat-
queueing delays at the relay nodes. The communication form called RFReact that enables selective and reactive jam-
overhead introduced by the transmission of the packet- ming [34]. RFReact was shown to be agnostic to technology
hiding parameters is small and hence, does not significantly standards and readily adaptable to any desired jamming
impact the throughput. On the other hand, for CPHS, we strategy. The success rate of a selective jamming attack
observe a performance reduction of 25% − 30% compared against a 802.15.4 network was measured to be 99.96%.
to the case of no packet-hiding. This reduction is attributed Blapa et al. studied selective jamming attacks against the
to the delay introduced by CPHS for the reception of each rate-adaptation mechanism of 802.11 [32]. They showed that
packet. Note that in the congested network scenario, the a selective jammer targeting specific packets in a point-to-
throughput reduction of CPHS is smaller compared to the point 802.11 communication was able to reduce the rate
non-congested one because nodes can take advantage of the of the communication to the minimum value of 1 Mbps,
queuing delays to solve puzzles. with relatively little effort (jamming of 5-8 packets per
second). The results were experimentally verified using the
9 R ELATED WORK USRP2/GNU radio platform.
Several researchers have suggested channel-selective jam-
Jamming attacks on voice communications have been ming attacks, in which the jammer targets the broadcast
launched since the 1940s [25]. In the context of digital control channel. It was shown that such attacks reduce the
communications, the jamming problem has been addressed required power for performing a DoS attack by several or-
under various threat models. We present a classification ders of magnitude [3]. To protect control-channel traffic, the
based on the selective nature of the adversary. replication of control transmission in multiple channels was
suggested in [3], [30], [31]. The “locations” of the control
9.1 Prior work on Selective Jamming channels where cryptographically protected. In [12], Lazos
In [33], Thuente studied the impact of an external selec- et al. proposed a randomized frequency hopping algorithm
tive jammer who targets various control packets at the to protect the control channel from inside jammers. Strasser
MAC layer. To perform packet classification, the adversary et al. proposed a frequency hopping anti-jamming tech-
exploits inter-packet timing information to infer eminent nique that does not require the existence of a secret hopping
packet transmissions. In [11], Law et al. proposed the sequence, shared between the communicating parties [28].
estimation of the probability distribution of inter-packet
transmission times for different packet types based on 9.2 Non-Selective Jamming Attacks
network traffic analysis. Future transmissions at various Conventional methods for mitigating jamming employ
layers were predicted using estimated timing information. some form of SS communications [5], [25]. The transmitted
Using their model, the authors proposed selective jamming signal is spread to a larger bandwidth following a PN
strategies for well known sensor network MAC protocols. sequence. Without the knowledge of this sequence, a large
In [1], Brown et al. illustrated the feasibility of selective amount of energy (typically 20-30 dB gain) is required to in-
jamming based on protocol semantics. They considered terfere with an ongoing transmission. However, in the case
several packet identifiers for encrypted packets such as of broadcast communications, compromise of commonly
packet size, precise timing information of different pro- shared PN codes neutralizes the advantages of SS.
tocols, and physical signal sensing. To prevent selectivity, Popper et al. proposed a jamming-resistant communi-
¨
the unification of packet characteristics such as the mini- cation model for pairwise communications that does not
mum length and inter-packet timing was proposed. Similar rely on shared secrets. Communicating nodes use a physi-
packet classification techniques were investigated in [4]. cal layer modulation method called Uncoordinated Direct-
Liu et al. considered a smart jammer that takes into Sequence Spread Spectrum (UDSSS) [20]. They also pro-
account protocol specifics to optimize its jamming strategy posed, a jamming-resistant broadcast method in which


transmissions are spread according to PN codes randomly [10] A. Juels and J. Brainard. Client puzzles: A cryptographic counter-
selected from a public codebook [20]. Several other schemes measure against connection depletion attacks. In Proceedings of NDSS,
pages 151–165, 1999.
eliminate overall the need for secret PN codes [15], [29]. [11] Y. W. Law, M. Palaniswami, L. V. Hoesel, J. Doumen, P. Hartel, and
Lin et al. showed that jamming 13% of a packet is suffi- P. Havinga. Energy-efficient link-layer jamming attacks against WSN
cient to overcome the ECC capabilities of the receiver [13]. MAC protocols. ACM Transactions on Sensors Networks, 5(1):1–38, 2009.
[12] L. Lazos, S. Liu, and M. Krunz. Mitigating control-channel jamming
Xu et al. categorized jammers into four models: (a) a con- attacks in multi-channel ad hoc networks. In Proceedings of the 2nd
stant jammer, (b) a deceptive jammer that broadcasts fab- ACM conference on wireless network security, pages 169–180, 2009.
ricated messages, (c) a random jammer, and (d) a reactive [13] G. Lin and G. Noubir. On link layer denial of service in data wireless
LANs. Wireless Communications and Mobile Computing, 5(3):273–284,
jammer that jams only if activity is sensed [37]. They further May 2004.
studied the problem of detecting the presence of jammers [14] X. Liu, G. Noubir, and R. Sundaram. Spread: Foiling smart jammers
by measuring performance metrics such as packet delivery using multi-layer agility. In Proceedings of INFOCOM, pages 2536–
2540, 2007.
ratio [35]–[37]. Cagalj et al. proposed wormhole-based anti- [15] Y. Liu, P. Ning, H. Dai, and A. Liu. Randomized differential DSSS:
jamming techniques for wireless sensor networks (WSNs) Jamming-resistant wireless broadcast communication. In Proceedings
[2]. Using a wormhole link, sensors within the jammed of INFOCOM, San Diego, 2010.
[16] R. C. Merkle. Secure communications over insecure channels. Com-
region establish communications with outside nodes, and munications of the ACM, 21(4):294–299, 1978.
notify them regarding ongoing jamming attacks. [17] G. Noubir and G. Lin. Low-power DoS attacks in data wireless lans
and countermeasures. Mobile Computing and Communications Review,
7(3):29–30, 2003.
[18] OPNET. OPNETtm modeler 14.5. http://www.opnet.com/.
10 C ONCLUSION [19] C. Perkins, E. Belding-Royer, and S. Das. RFC 3561: Ad hoc on-
demand distance vector (AODV) routing. Internet RFCs, 2003.
We addressed the problem of selective jamming attacks ˇ
[20] C. Popper, M. Strasser, and S. Capkun. Jamming-resistant broadcast
¨
in wireless networks. We considered an internal adversary communication without shared keys. In Proceedings of the USENIX
model in which the jammer is part of the network under Security Symposium, 2009.
[21] R. Rivest. All-or-nothing encryption and the package transform.
attack, thus being aware of the protocol specifications and Lecture Notes in Computer Science, pages 210–218, 1997.
shared network secrets. We showed that the jammer can [22] R. Rivest, A. Shamir, and D. Wagner. Time-lock puzzles and timed-
classify transmitted packets in real time by decoding the release crypto. Massachusetts Institute of Technology, 1996.
[23] B. Schneier. Applied cryptography: protocols, algorithms, and source code
first few symbols of an ongoing transmission. We evaluated in C. John Wiley & Sons, 2007.
the impact of selective jamming attacks on network proto- [24] SciEngines. Break DES in less than a single day. http://www.
cols such as TCP and routing. Our findings show that a sciengines.com, 2010.
[25] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt. Spread
selective jammer can significantly impact performance with Spectrum Communications Handbook. McGraw-Hill, 2001.
very low effort. We developed three schemes that transform [26] D. Stinson. Something about all or nothing (transforms). Designs,
a selective jammer to a random one by preventing real-time Codes and Cryptography, 22(2):133–138, 2001.
[27] D. Stinson. Cryptography: theory and practice. CRC press, 2006.
packet classification. Our schemes combine cryptographic ˇ
[28] M. Strasser, C. Popper, and S. Capkun. Efficient uncoordinated fhss
¨
primitives such as commitment schemes, cryptographic anti-jamming communication. In Proceedings of MobiHoc, pages 207–
puzzles, and all-or-nothing transformations (AONTs) with 218, 2009.
ˇ
[29] M. Strasser, C. Popper, S. Capkun, and M. Cagalj. Jamming-resistant
¨
physical layer characteristics. We analyzed the security key establishment using uncoordinated frequency hopping. In Pro-
of our schemes and quantified their computational and ceedings of IEEE Symposium on Security and Privacy, 2008.
communication overhead. [30] P. Tague, M. Li, and R. Poovendran. Probabilistic mitigation of control
channel jamming via random key distribution. In Proceedings of
PIMRC, 2007.
[31] P. Tague, M. Li, and R. Poovendran. Mitigation of control channel
R EFERENCES jamming under node capture attacks. IEEE Transactions on Mobile
Computing, 8(9):1221–1234, 2009.
[1] T. X. Brown, J. E. James, and A. Sethi. Jamming and sensing of [32] B. Thapa, G. Noubir, R. Rajaramanand, and B. Sheng. On the
encrypted wireless ad hoc networks. In Proceedings of MobiHoc, pages robustness of IEEE802.11 rate adaptation algorithms against smart
120–130, 2006. jamming. In Proceedings of WiSec, 2011.
[2] M. Cagalj, S. Capkun, and J.-P. Hubaux. Wormhole-based anti- [33] D. Thuente and M. Acharya. Intelligent jamming in wireless networks
jamming techniques in sensor networks. IEEE Transactions on Mobile with applications to 802.11 b and other networks. In Proceedings of
Computing, 6(1):100–114, 2007. the IEEE Military Communications Conference MILCOM, 2006.
[3] A. Chan, X. Liu, G. Noubir, and B. Thapa. Control channel jamming: [34] M. Wilhelm, I. Martinovic, J. Schmitt, and V. Lenders. Reactive
Resilience and identification of traitors. In Proceedings of ISIT, 2007. jamming in wireless networks: How realistic is the threat? In
[4] T. Dempsey, G. Sahin, Y. Morton, and C. Hopper. Intelligent sensing Proceedings of WiSec, 2011.
and classification in ad hoc networks: a case study. Aerospace and [35] W. Xu, W. Trappe, and Y. Zhang. Anti-jamming timing channels for
Electronic Systems Magazine, IEEE, 24(8):23–30, August 2009. wireless networks. In Proceedings of WiSec, pages 203–213, 2008.
[5] Y. Desmedt. Broadcast anti-jamming systems. Computer Networks, [36] W. Xu, W. Trappe, Y. Zhang, and T. Wood. The feasibility of launching
35(2-3):223–236, February 2001. and detecting jamming attacks in wireless networks. In Proceedings
[6] K. Gaj and P. Chodowiec. FPGA and ASIC implementations of AES. of MobiHoc, pages 46–57, 2005.
Cryptographic Engineering, pages 235–294, 2009. [37] W. Xu, T. Wood, W. Trappe, and Y. Zhang. Channel surfing and spatial
[7] O. Goldreich. Foundations of cryptography: Basic applications. Cam- retreats: defenses against wireless denial of service. In Proceedings of
bridge University Press, 2004. the 3rd ACM workshop on Wireless security, pages 80–89, 2004.
[8] B. Greenstein, D. Mccoy, J. Pang, T. Kohno, S. Seshan, and D. Wether-
all. Improving wireless privacy with an identifier-free link layer
protocol. In Proceedings of MobiSys, 2008.
[9] IEEE. IEEE 802.11 standard. http://standards.ieee.org/getieee802/
download/802.11-2007.pdf, 2007.

3 packet-hiding methods for preventing selective

More Related Content

What's hot (20)

Similar to 3 packet-hiding methods for preventing selective (20)

Recently uploaded (20)

3 packet-hiding methods for preventing selective