
Wireless Network Security

LECTURE 1: Introduction.
Wireless communication.
Security and privacy goals.
Brief overview of security
mechanisms.

Cristina Nita-Rotaru

Lecture 1/ WS Milano Summer 2011

ACKNOWLEDGEMENTS

Slides used in these lectures are based on:
Lecture slides I used at Purdue (555, 590T, 590W)
www.cerias.purdue.edu/homes/crisn
Slides provided with the book "Security and Cooperation in Wireless Networks", J-P. Hubaux and Levente Buttyan, 2008
http://secowinet.epfl.ch/index.php?page=slideshow.html
Research presentations from collaborations with former students and colleagues
PhD Theses of Jing Dong and Reza Curtmola
NIST SP documents
Wikipedia

Topics

Monday: Wireless communication characteristics; wireless networks and applications. Security goals and adversarial models
Tuesday: Attacks on protocols. Cellular networks; WiMAX networks
Wednesday: 802.11 networks; data link security; secure routing in ad hoc networks
Thursday: Sensor networks, Bluetooth
Friday: RFID, VANETs


Readings

Security and Cooperation in Wireless Networks, L. Buttyan, J-P. Hubaux
Slides
Research papers
NIST SP


Today

Wireless communication
Wireless architectures
Introduction to crypto and attacks


Security Services (or Goals)

1) Confidentiality: information is available for reading only to authorized parties.
Example: Alice sends a message to Bob; only Alice and Bob can understand the content of the message.

2) Authentication:
Data source authentication: the data is coming from an authorized party.
Example: Alice receives a message from Bob. This service ensures that the message is from Bob and not from Carl.
Entity authentication: the entity is who it says it is.
Example: When Alice tries to obtain access to her bank account, an authentication operation is performed to ensure that it is indeed Alice who asks for the information.


Security Services (2)

3) Integrity: detect if data was modified on the way from the source to the destination.
Example: Alice sends an email to Bob. Carl intercepts the message and modifies it. Data integrity allows Bob to detect that the message was modified on the way from Alice to him.

4) Non-repudiation: neither the sender nor the receiver of a message is able to deny the transmission.
Example: Alice sends Bob a signed contract. The non-repudiation service ensures that Alice cannot claim that the signature was produced by somebody else.


Security Services (3)

5) Access control: only authorized parties can use specific resources.
Example: Alice wants to print a document; she must be authorized to get that document and to use the printer.

6) Availability: resources are available to authorized parties.
Example: A web site might become unavailable if the server crashes or is bombarded with requests.


Privacy

1) Anonymity: hiding who performed a given action (k-anonymity)
2) Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject
3) Unlinkability: hiding information about the relationships between any items
4) Unobservability: hiding the items themselves
5) Pseudonymity: making use of a pseudonym instead of the real identity


Security and Wireless Communication

The usual goals: authentication, confidentiality, integrity, access control, non-repudiation, denial of service
Additionally: privacy is a big concern, particularly location privacy
Is wireless communication more vulnerable?


Wireless Specific

Physical security: an issue for small devices. Protocols have to consider inside attacks (assume the device is controlled by the adversary)
Eavesdropping: easier than wired
Resource constraints: medium is shared, some devices have limited power and computation resources. Solutions must not have significant overhead
Privacy: many devices are equipped with location services; location privacy is a bigger concern
Denial of service: jamming is an issue for some types of wireless communication


Wireless communication characteristics


Wireless Communication
THERE IS NO LINK: electromagnetic waves

λ = c / f

c (speed of light) = 3 × 10^8 m/s
f is the frequency
λ is the wavelength


Wave Propagation

Reflection: wave gets reflected when it hits an object very large compared with the wavelength
Diffraction: wave bends at the edges and propagates in different directions when it hits an impenetrable object
Scattering: wave scatters when it travels through a medium containing objects smaller than the wavelength (e.g. trees)


Characteristics

Interaction with the environment: path loss, interference, blockage
Transmission constraints: constrain the ability to transmit information at different data rates
Noise: quality of communication is affected by noise
Error rate: higher than in wired communication


Wave Components

Direct path component:
Path loss: attenuation of an electromagnetic wave in transit from a transmitter to a receiver
Fading: time variation of the received signal power caused by changes in the transmission medium or path
Doppler shift: the apparent change in frequency and wavelength of a wave that is perceived by an observer moving relative to the source of the waves

Multi-path components:
Result from reflection, refraction, scattering
Wave arrives at the receiver shifted in amplitude, phase and frequency


Path Loss

The received power is reduced by:
terrain contours
different environments (urban or rural, vegetation and foliage)
propagation medium (dry or moist air)
distance between the transmitter and the receiver
height and location of the antennas

Wavelength/frequency:
Long wavelength (low frequency): less loss
Short wavelength (high frequency): more loss

Different models exist to estimate path loss


Fading

Fast fading: rapid fluctuations in amplitude and phase
Due to multi-path propagation resulting in interference of multiple copies of the same transmitted signal arriving at the receiver

Slow fading: the duration of the fading may last for multiple seconds or minutes
Due to absorption of the transmission by objects, for example in buildings


Interference

Adjacent channel interference: interference caused by extraneous power from a signal in an adjacent channel
Co-channel interference: due to weather conditions, wireless communications systems (radio, TV, etc.) in different locations that share common channels can experience co-channel interference


Thermal Noise

Noise generated by the thermal agitation of the charge carriers (the electrons) inside an electrical conductor in equilibrium, which happens regardless of any applied voltage
Causes errors in reception (digital) or degradation of quality (analog)
Effectively limits transmission range when the transmitted signal strength falls below the noise floor


Noise Limits Transmitting Distance

Signal to Noise Ratio (SNR)
Short range transmission (low path loss): SNR = high
Long range transmission (high path loss): SNR = low

Transmission Rate Constraints

Nyquist's Theorem: specifies the maximum data rate possible on a channel
C = 2 * B * log2 L (bits/sec)

B = bandwidth of the channel
C = maximum channel capacity
L = number of discrete signal levels/voltages


Transmission Rate Constraints

Shannon's Theorem: specifies the maximum data rate possible in a noisy channel
C = B * log2 (1 + S/N) (bits/sec)

B = bandwidth of the channel
C = maximum channel capacity
S = signal power
N = noise power
SNR (in dB) = 10 log10 (S/N)
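As an added worked example (not part of the lecture slides), the Nyquist and Shannon bounds from these two slides in Python; the 20 MHz bandwidth and the SNR values are constructed inputs. It goes one step beyond the slides: equating the two bounds gives L = sqrt(1 + S/N), the number of signal levels that noise lets a receiver distinguish, which is why SNR (and hence range) limits the data rate.

```python
import math


def snr_db_to_linear(snr_db):
    """Invert SNR = 10 log10(S/N): the linear ratio is S/N = 10^(SNR/10).
    Feeding a dB figure straight into Shannon's formula is a common mistake."""
    return 10.0 ** (snr_db / 10.0)


def nyquist_capacity(bandwidth_hz, levels):
    """Nyquist: C = 2 * B * log2(L) bits/s for a channel using L signal levels."""
    if levels < 2:
        raise ValueError("at least two signal levels are needed to carry a bit")
    return 2.0 * bandwidth_hz * math.log2(levels)


def shannon_capacity(bandwidth_hz, snr_db):
    """Shannon: C = B * log2(1 + S/N) bits/s, with S/N as a linear ratio."""
    return bandwidth_hz * math.log2(1.0 + snr_db_to_linear(snr_db))


def max_useful_levels(snr_db):
    """Equating 2B log2 L = B log2(1 + S/N) gives L = sqrt(1 + S/N): noise caps how
    many levels a receiver can tell apart, however many the transmitter uses."""
    return math.sqrt(1.0 + snr_db_to_linear(snr_db))


def capacity_profile(bandwidth_hz, snr_dbs):
    """Capacity and useful level count at several SNRs
    (short range = high SNR, long range = low SNR)."""
    return [
        (snr_db, shannon_capacity(bandwidth_hz, snr_db), max_useful_levels(snr_db))
        for snr_db in snr_dbs
    ]


if __name__ == "__main__":
    B = 20e6  # constructed example: a 20 MHz channel
    for snr_db, c, levels in capacity_profile(B, [0, 10, 20, 30]):
        print(f"SNR {snr_db:>3} dB: C = {c / 1e6:7.1f} Mbit/s, "
              f"about {levels:5.1f} distinguishable levels")
```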


Multiple Access Techniques


Multiple access techniques: methods that determine how the medium is accessed such that the channel is shared between multiple participants

Transmission medium is broadcast
If everybody sends at once, the communication is not meaningful (garbage)
Multiple access such that:
maximize message throughput
minimize mean waiting time


Multiple Access Methods

Three domains in which users can be separated: frequency, time, and space

Frequency division multiple access (FDMA)
Time division multiple access (TDMA)
Code division multiple access (CDMA)
Space division multiple access (SDMA)


FDMA
Users are separated in the frequency domain
Each station has its own frequency band, separated by guard bands to eliminate inter-channel interference
Receivers tune to the right frequency
Number of frequencies is limited
Best suited for analog links
Main drawback is under-utilization of the frequency spectrum


TDMA
Users transmit data on the same frequency, but at different times (separated in time)
Relies on time synchronization
Users can be given different amounts of bandwidth
Users can use idle times to determine the best base station
Synchronization overhead
Problems with multipath interference on wireless links


CDMA
Users separated both by time and frequency
Send at a different frequency at each time slot (frequency hopping)
Convert a single bit to a code (direct sequence); the receiver can decipher the bit by the inverse process
Difficult to eavesdrop
No need for all stations to synchronize
All cells can use all frequencies
Increased complexity


Spread Spectrum

Enables a signal to be transmitted across a frequency band much wider than the minimum bandwidth required by the information signal
Transmitter spreads the energy across a number of frequencies
Benefits: privacy, decreased narrowband interference, increased signal capacity
In North America the FCC waveband is divided into 75 hopping channels, with transmission power limited to 1 watt on each channel


Frequency Hopping Spread Spectrum (FHSS)

Transmitter hops between available frequencies according to a predefined algorithm, which can be either random or preplanned
Transmitter operates in synchronization with the receiver
Large number of frequencies used
Results in a system that is quite resistant to jamming


FHSS: Details

Signal hops from frequency to frequency at fixed intervals
Transmitter operates in one channel at a time
Bits are transmitted using some encoding scheme
At each successive interval, a new carrier frequency is selected
Receiver, hopping between frequencies in synchronization with the transmitter, picks up the message


FHSS Example


Direct Sequence Spread Spectrum (DSSS)

Each bit in the original signal is represented by multiple bits in the transmitted signal
Data is chopped in small pieces and spread across the frequency domain
Performance of DSSS is usually better and more reliable
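An added example, not from the lecture slides, of the direct-sequence idea from the CDMA slide ("convert a single bit to a code, receiver can decipher bit by inverse process") and this DSSS slide: two users share the same time and frequency, each bit becomes eight chips, and correlating with the right chip sequence recovers the bits while a few constructed interference hits average out. The chip sequences, data bits and noise positions are all constructed for the demo.

```python
# Constructed chip sequences (length-8 Walsh codes). They are orthogonal: their
# dot product is 0, so one user's chips contribute nothing to the other's correlator.
CODE_A = [1, -1, 1, -1, 1, -1, 1, -1]
CODE_B = [1, 1, -1, -1, 1, 1, -1, -1]


def spread(bits, code):
    """Direct sequence: each data bit (0 -> -1, 1 -> +1) is multiplied by the whole
    chip sequence, so one bit occupies len(code) chips on the channel."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def despread(chips, code):
    """Inverse process: correlate each chip-length window with the code. The wanted
    signal sums to +/- len(code); other codes and noise average towards zero."""
    n = len(code)
    bits = []
    for start in range(0, len(chips), n):
        corr = sum(s * c for s, c in zip(chips[start:start + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def shared_medium(*signals):
    """The broadcast medium superposes everything sent at the same time and frequency."""
    return [sum(samples) for samples in zip(*signals)]


def add_impulse_noise(chips, positions, amplitude):
    """Constructed narrowband hits on a few chips, to show the spreading gain:
    a single disturbed chip cannot outweigh the other seven."""
    noisy = list(chips)
    for p in positions:
        noisy[p] += amplitude
    return noisy


def demo():
    bits_a = [1, 0, 1, 1]   # constructed data for user A
    bits_b = [0, 0, 1, 0]   # constructed data for user B, sent at the same time
    channel = shared_medium(spread(bits_a, CODE_A), spread(bits_b, CODE_B))
    channel = add_impulse_noise(channel, [3, 11], 3)
    # Each receiver applies only its own code to the combined signal.
    return despread(channel, CODE_A), despread(channel, CODE_B)


if __name__ == "__main__":
    recovered_a, recovered_b = demo()
    print("user A recovered:", recovered_a)
    print("user B recovered:", recovered_b)
```

A receiver applying the wrong code sees a correlation of zero for every bit, which is the sense in which the slides call CDMA "difficult to eavesdrop".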


DSSS Example


DSSS vs FHSS

FHSS transmits data using smaller blocks of data that are spread out over many switching channels.
If two WLANs exist in the same area, one of them using FHSS, FHSS will take precedence over the DSSS-based network, which will only be able to transport data correctly when the FHSS nodes are in idle mode.


Space Division Multiple Access


Users are separated in the space domain
Several users use the same frequency & time slot (in TDMA)
Each user is separated by the smart antenna by using its unique spatial location
Different areas can be served using the same frequency
Increased co-channel interference from adjacent co-channel cells


OSI/ISO Model


Summary: Wireless Characteristics

Higher error rate: higher signaling overhead
Constrained information transmission: distance vs data rates
Shared channel: coordination
Open environment: eavesdropping
Limited coverage: cooperation


Wireless Networks: Architectures and Applications


Spectrum Allocation

Licensed: frequencies auctioned to the highest bidder
Unlicensed: frequencies not allocated at all, for example ISM (industrial, scientific and medical)
Public bands:

Name       Range               Bandwidth   Wavelength
900 MHz    902 - 928 MHz       26 MHz      .33 m / 13.1
2.4 GHz    2.4 - 2.4835 GHz    83.5 MHz    .125 m / 4.9
5 GHz      5.15 - 5.35 GHz     200 MHz     .06 m / 2.4

Spectrum Regulators

Federal Communications Commission (FCC): regulates interstate and international communications by radio, television, wire, satellite and cable in the US
Established by the Communications Act of 1934 and operates as an independent U.S. government agency overseen by Congress.
Europe: on a country basis
Romania: National Regulatory Authority for Communications and Information Technology
Italy: Ministro delle comunicazioni and Autorità per le garanzie nelle comunicazioni.


IEEE Standards
Slide by Omid Fatemieh (From Spring 2010 cs463 at UIUC)

[Figure: IEEE wireless standards plotted by range against data rate (0.01 to 1000 Mbps): WPAN (802.15.1 Bluetooth, 802.15.4 ZigBee, 802.15.4c, 802.15.3, 802.15.3c), WLAN (802.11 WiFi), WMAN (802.16 WiMax, 802.20), WRAN (802.22). Source: Heile06]

Wireless Networks

Cellular Networks
WMAN WiMAX
MANETs
WMNs
Sensor Networks
WPAN - Bluetooth
RFID
VANETs


Cellular Networks

Architecture: Wireless phones communicate with an infrastructure consisting of base stations
Uses licensed spectrum
Communication between base stations is wired
Frequency reused by dividing the area covered by a cellular network in cells
Wide coverage
Large number of users

Applications: voice, text, data, video, internet, payment


Wireless Local Area Networks (WLANs)

Provides increased bandwidth (up to 11 Mbps for 802.11b and up to 54 Mbps for 802.11g)
Uses unlicensed spectrum to provide access to a local network
Infrastructure mode: fixed access point connected to the wired infrastructure, mobile stations communicating wirelessly with the access point
Ad hoc mode: mobile stations communicate with each other via wireless


Mobile Ad Hoc Networks (MANETs)

Architecture: Mobile nodes communicate via multi-hop with each other
Requires cooperation
Network is self-configuring
Characteristics:
Easy to deploy, do not require fixed infrastructure
Network topology may change rapidly and unpredictably


Wireless Mesh Networks (WMNs)

Architecture: Set of fixed wireless routers that form a wireless backbone and a set of wireless clients. A WMN can be integrated with other types of networks such as wired (Internet), cellular or sensor networks via a gateway
Applications: community and neighborhood networking, broadband home networking, enterprise networking, health and medical systems, surveillance systems


WiMAX Networks

Architecture:
Long range system, licensed (2.3 GHz, 2.5 GHz and
3.5 GHz) or unlicensed spectrum
Uses a QoS mechanism based on connections
between the base station and the user device

Applications:
Mobile broadband connectivity across cities and
countries through a variety of devices.
Wireless alternative to cable and DSL for "last mile"
broadband access


Sensor Networks

Architecture:
Low cost small devices, able to sense the environment (temperature, light, humidity) and report sensed data using wireless communication
A large number of sensors (static or mobile), distributed in an ad hoc manner over an area
Nodes cooperate: communicate via multi-hop wireless communication, some nodes aggregate data
Unlicensed spectrum
Applications: battlefield surveillance, medical monitoring, biological detection, habitat monitoring, home security, disaster recovery


SCADA

Architecture (Supervisory Control and Data Acquisition: a type of Industrial Control System):
Human-Machine Interface (HMI)
Remote Terminal Units (RTUs): many are wireless today
Programmable Logic Controllers (PLCs)
Devices hardened with respect to environmental and physical threats
Applications: industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes


Wireless Personal Area Networks: Bluetooth

Architecture:
Connect and exchange information in short
communication range of 1, 10 and 100 meters
Uses unlicensed spectrum

Applications:
PDAs, mobile phones, laptops, PCs, printers, digital
cameras and video game consoles
Cell phone and a hands free headset or car kit
PC input and output devices (mouse, keyboard and
printer)
Test equipment, GPS receivers and medical
equipment.
Remote controls where infrared was traditionally used


Vehicular Networks (VANETs)

Architecture: Cars have onboard equipment equipped with GPS
Integrated with the safety belts, steering to prevent skidding, and warning alerts
Can communicate with the roadside infrastructure

Applications: congestion detection, collision alert, toll collection, deceleration warning, road hazard warning, electronic payments, monitor traffic, send updates, and switch traffic signals


VANETs Status

US: Spectrum allocated by FCC in 1999; existing standard: radio standard for Dedicated Short-Range Communications (DSRC), based on an extension of 802.11, 802.11p
US Department of Transportation Initiative VII: the Vehicle Infrastructure Integration initiative will work toward deployment of advanced vehicle-vehicle and vehicle-infrastructure communications that could keep vehicles from leaving the road and enhance their safe movement through intersections.
Europe: in August 2008 the European Telecommunications Standards Institute (ETSI) allocated 30 MHz of spectrum in the 5.9 GHz band


Radio-Frequency Identification (RFID)

Architecture:
Wireless communication between a reader and an electronic tag attached to an object
RFID tag: microchip + RF antenna, can be active or passive, stores a few hundred bits

Applications: identification and tracking, electronic tickets for public transport systems, access control to buildings, automated toll-payment transponders, anti-theft systems for cars, passports


Next Generation of Air Traffic Control

[Figure: aircraft, ground and satellite links labelled GPS, UAT/1090 Squitter, HF/Satcom, UAT, IP VPN]

Global Positioning System (GPS)

Architecture:
24 satellites that orbit the Earth in very precise orbits twice a day and emit signals

Applications:
Position and coordinates
Travel progress reports
Accurate time measurement


Galileo

Global navigation satellite system currently being built by the European Union.
Should become operational in 2013-2014.


Wireless Networks: Summary so Far

Wireless communication is omnipresent today, operating in licensed and unlicensed spectrum
Architectures:
Centralized
Peer to peer

Communication:
One-hop
Multi-hop

Devices: different computational power and physical accessibility
Mobility:
Fixed nodes
Mobile nodes


Security Goals, Attacks, Adversarial Models


Information Security

Security attack: any action that compromises the security of information.
Security mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack.
Security service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.



Security Attacks

Passive: the attacker does not modify the data, only monitors the communication. It threatens confidentiality.
Example: listen to the communication between Alice and Bob and, if it is encrypted, try to decrypt it.
Active: the attacker is actively involved in deleting, adding or modifying data. It threatens all security services.
Example: Alice sends Bob the message "meet me today at 5"; Carl intercepts the message, modifies it to "meet me tomorrow at 5", and then sends it to Bob.


Security Attacks: Examples

Interruption

Interception


Security Attacks: Examples

Modification

Fabrication (injection)


Security Mechanisms

Cryptography: protect data by performing operations on the data (for example, encrypt data).
Software: access limitations in a database; in an operating system, protect each user from other users; in networking, firewalls.
Hardware: use smartcards and trusted computing for authentication.
Policies: define who has access to what resources.
Physical security: control who has physical access to devices storing data.


What is Cryptography About?

Constructing and analyzing protocols which enable parties to achieve security objectives, overcoming the influence of adversaries.
Note: a protocol (or a scheme) is a suite of algorithms that tell each party what to do
Attack model: assumptions about the resources and actions available to the adversary

How to devise and analyze protocols:
understand the threats posed by the adversaries and the security objectives (goals)
think as an adversary


Actually

Cryptography: the study of mathematical techniques related to aspects of providing information security services (construct).
Cryptanalysis: the study of mathematical techniques for attempting to defeat information security services (break).
Cryptology: the study of cryptography and cryptanalysis (both).


Basic Terminology in Cryptography

cryptography
cryptanalysis
cryptology
plaintexts
ciphertexts
keys
encryption
decryption


Secret-key vs. Public-key Cryptography

Secret-key cryptography (a.k.a. symmetric cryptography)
encryption & decryption use the same key
key must be kept secret
key distribution is very difficult

Public-key cryptography (a.k.a. asymmetric cryptography)
encryption key different from decryption key
cannot derive decryption key from encryption key
higher cost than symmetric cryptography


How Do You Know a Cipher is Secure?

Show that under the considered attack model, security goals are NOT achieved (break it)
Show that under the considered attack model, security goals ARE achieved (evaluate/prove)


Breaking Ciphers

There are different methods of breaking a cipher, depending on:
the type of information available to the attacker
the interaction with the cipher machine
the computational power available to the attacker


Breaking Ciphers

Ciphertext-only attack:
The cryptanalyst knows only the ciphertext. Sometimes the language of the plaintext and the cipher are also known.
The goal is to find the plaintext and the key.

NOTE: any encryption scheme vulnerable to this type of attack is considered to be completely insecure.


Breaking Ciphers (2)

Known-plaintext attack:
The cryptanalyst knows one or several pairs of ciphertext and the corresponding plaintext.
The goal is to find the key used to encrypt these messages or a way to decrypt any new messages that use that key.


Breaking Ciphers (3)

Chosen-plaintext attack:
The cryptanalyst can choose a number of messages and obtain the ciphertexts for them.
The goal is to deduce the key used in the other encrypted messages or decrypt any new messages using that key.
It can be adaptive: the choice of plaintext depends on the ciphertext received from previous requests.


Breaking Ciphers (4)

Chosen-ciphertext attack:
Similar to the chosen-plaintext attack, but the cryptanalyst can choose a number of ciphertexts and obtain the plaintexts.
It can also be adaptive: the choice of ciphertext may depend on the plaintext received from previous requests.



Models for Evaluating Security

Unconditional security
The adversary has unlimited computational resources. Analysis is made by using probability theory. Perfect secrecy: observation of the ciphertext provides no information to an adversary.
Complexity-theoretic security
The adversary is assumed to have polynomial computational power. The analysis uses complexity theory; polynomial attacks, although feasible in theory, can be computationally infeasible in practice.


Models for Evaluating Security (2)

Provable security
Proof of security relies on the difficulty of solving a well-known and supposedly difficult problem (example: computation of discrete logarithms).
Computational security (practical security)
Measures the amount of computational effort required to defeat a system. Sometimes related to the hard problems, but no proof of equivalence is known.
Ad hoc security (heuristic security)
Variety of convincing arguments that every successful attack requires more resources than the ones available to an attacker. Unforeseen attacks remain a threat.


One-Time Pad
Key is chosen randomly
Plaintext X = (x1 x2 ... xn)
Key K = (k1 k2 ... kn)
Ciphertext Y = (y1 y2 ... yn)

e_K(X) = (x1+k1, x2+k2, ..., xn+kn) mod m
d_K(Y) = (y1-k1, y2-k2, ..., yn-kn) mod m


Shannon (Information-Theoretic) Security

Basic idea: ciphertext should provide no information about plaintext
Such a scheme has perfect secrecy
One-time pad has perfect secrecy if:
Key-length ≥ msg-length
Key is random
Key is used only once

Result due to Shannon, 1949.
C. E. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal, vol. 28-4, pp. 656-715, 1949.


Summary so Far

Cryptographic protocols are an important tool in ensuring security
Security goals: confidentiality, integrity, authentication
There are very few protocols for which we can prove security
OTP has perfect secrecy under some conditions
Ciphers that are vulnerable to ciphertext-only attacks are completely insecure


Stream Ciphers and Block Ciphers


Stream Ciphers

OTP not practical for most applications: the key needs to be random, used only once and as long as the message
OTP: a key is a random bit string of length n
Stream ciphers:
Idea: replace random by pseudo-random
Use a Pseudo Random Number Generator
PRNG: {0,1}^s → {0,1}^n
expand a short (e.g., 128-bit) random seed into a long (e.g., 10^6-bit) string that looks random
Secret key is the seed
E_seed[M] = M ⊕ PRNG(seed)


Properties of Stream Ciphers

Do not have perfect secrecy
security depends on the PRNG
PRNG must be unpredictable
given a consecutive sequence of output bits (but not the seed), the next bit must be hard to predict
Typical stream ciphers are very fast
Used in many places, often incorrectly
SSL (RC4), DVD (LFSR), WEP (RC4), etc.


Fundamental Weaknesses of Stream Ciphers

If the same keystream is used twice, ever, then it is easy to break
Highly malleable
easy to change the ciphertext so that the plaintext changes in predictable ways, e.g., flip bits

Weaknesses exist even if the PRNG is strong

Cristina Nita-Rotaru

Lecture 1/ WS Milano Summer 2011

87
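The stream cipher construction from the previous slides (Eseed[M] = M ⊕ PRNG(seed)) and both weaknesses on this one, as an added example that is not the lecture's code. The PRNG is SHA-256 run in counter mode over a secret seed, a stand-in for RC4 or an LFSR; the seed, messages and offsets are constructed sample values. The two checks show that a reused keystream cancels out of C1 ⊕ C2 whether or not the PRNG is strong, and that an in-transit bit flip lands on the plaintext unchanged, which is why a keystream must never be reused and why a MAC has to accompany the ciphertext.

```python
"""Stream cipher built from a PRNG, and its two fundamental weaknesses.

Added example, not code from the lecture. The PRNG is SHA-256 run in counter
mode over a secret seed, a stand-in for RC4 or an LFSR keystream generator.
"""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prng(seed: bytes, n: int) -> bytes:
    """Expand a short seed into n keystream bytes: {0,1}^s -> {0,1}^n."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(seed: bytes, msg: bytes) -> bytes:
    """E_seed[M] = M xor PRNG(seed); the seed is the secret key."""
    return _xor(msg, prng(seed, len(msg)))


decrypt = encrypt  # XOR is its own inverse, so decryption is the same operation


# --- weakness 1: keystream reuse ("two-time pad") ----------------------------
def two_time_pad_leak(seed: bytes, m1: bytes, m2: bytes) -> bool:
    """Two messages under one keystream: C1 xor C2 = M1 xor M2, the seed cancels."""
    c1, c2 = encrypt(seed, m1), encrypt(seed, m2)
    return _xor(c1, c2) == _xor(m1, m2)


def recover_with_crib(seed: bytes, m1: bytes, m2: bytes, crib: bytes, offset: int) -> bytes:
    """Knowing a fragment of M1 (a crib) at `offset` reveals the same span of M2.

    Only the two ciphertexts and the crib are used; `seed` appears here solely
    to produce the ciphertexts, the recovery step never touches it.
    """
    c1, c2 = encrypt(seed, m1), encrypt(seed, m2)
    return _xor(_xor(c1, c2)[offset:offset + len(crib)], crib)


# --- weakness 2: malleability ------------------------------------------------
def flip_in_transit(seed: bytes, msg: bytes, offset: int, delta: int) -> bytes:
    """Flipping bits of one ciphertext byte flips the same bits of the plaintext
    byte without any knowledge of the key; this is why a MAC is required."""
    c = bytearray(encrypt(seed, msg))
    c[offset] ^= delta
    return decrypt(seed, bytes(c))


SEED = b"constructed-seed"           # constructed sample key (seed)
M1 = b"attack at dawn"               # constructed sample messages, same length
M2 = b"retreat at ten"

if __name__ == "__main__":
    print(two_time_pad_leak(SEED, M1, M2))                        # True
    print(recover_with_crib(SEED, M1, M2, b"at dawn", 7))         # b' at ten'
    print(flip_in_transit(SEED, b"amount=0100", 7, 0x30 ^ 0x39))  # b'amount=9100'
```

The PRNG here is a counter-mode hash, so it is unpredictable in the sense the slide asks for; neither weakness depends on the generator, only on how the keystream is used.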

Block Ciphers

Map n-bit plaintext blocks to n-bit ciphertext blocks (n: block length).
For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is a bijection; E : Pn × K → Cn s.t. for all keys k ∈ K, E(x, k) is an invertible mapping written Ek(x).
The inverse mapping is the decryption function; x = Dk(y) denotes the decryption of ciphertext y under k.

Block Ciphers Features

Block size: in general, larger block sizes mean greater security.
Key size: a larger key size means greater security (larger key space).
Number of rounds: multiple rounds offer increasing security.
Encryption modes: define how messages larger than the block size are encrypted; very important for the security of the encrypted message.

History of Data Encryption Standard (DES)

1967: Feistel at IBM
Lucifer: block size 128 bits; key size 128 bits
1972: NBS asks for an encryption standard
1975: IBM develops DES (a modification of Lucifer)
block size 64 bits; key size 56 bits
1975: NSA suggests modifications
1977: NBS adopts DES as encryption standard (FIPS 46-1, 46-2)
2001: NIST adopts Rijndael as replacement for DES

DES Features

Features:
Block size = 64 bits
Key size = 56 bits
Number of rounds = 16
16 intermediary (round) keys, each 48 bits

Cryptanalysis of DES
Brute force (known-plaintext attack):
Try all 2^56 possible keys
Requires constant memory
Time-consuming
DES challenges (RSA):
msg = "the unknown message is: xxxxxxxx"
CT = C1 | C2 | C3 | C4
1997 Internet search: 3 months
1998 EFF machine (cost $250K): 3 days
1999 combined: 22 hours

Triple DES

Use three different keys
Encrypt: C = EK3[ DK2[ EK1[P] ] ]
Decrypt: P = DK1[ EK2[ DK3[C] ] ]

Key space is 56 x 3 = 168 bits

No known practical attack against it.

AES - Rijndael Features

Designed to be efficient in both hardware and software across a variety of platforms.
Rijndael uses a variable block size (128, 192 or 256 bits) and key size (128, 192 or 256 bits).
A 128-bit round key is used for each round (can be precomputed and cached for future encryptions).
Note: AES uses a 128-bit block size.
Variable number of rounds (10, 12, 14):
10 if B = K = 128 bits
12 if either B or K is 192 bits and the other is ≤ 192 bits
14 if either B or K is 256 bits

Rijndael Cryptanalysis

Resistant to linear and differential cryptanalysis.
Academic break on a weaker version of the cipher (9 rounds): requires 2^224 work and 2^85 chosen related-key plaintexts.
Attack not practical.

Encryption Modes: ECB

The message is broken into independent blocks of block_size bits.
Electronic Code Book (ECB): each block is encrypted separately.
Encryption: ci = Ek(xi)
Decryption: xi = Dk(ci)

Properties of ECB

Deterministic: the same data block gets encrypted the same way; reveals patterns of data when a data block repeats.
Malleable: reordering ciphertext blocks results in reordered plaintext blocks.
Errors in one ciphertext block do not propagate.
Usage: not recommended to encrypt more than one block of data.

Encryption Modes: CBC

Cipher Block Chaining (CBC): the next input depends upon the previous output.
Encryption: Ci = Ek(Mi ⊕ Ci-1), with C0 = IV
Decryption: Mi = Ci-1 ⊕ Dk(Ci), with C0 = IV

[Diagram: CBC encryption chain. IV = C0; each plaintext block M1, M2, M3 is XORed with the previous ciphertext block and passed through Ek, giving C1, C2, C3.]

Properties of CBC

Randomized encryption: repeated text gets mapped to different encrypted data.
Can be proven secure assuming that the block cipher has desirable properties and that random IVs are used.

A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption.
Self-correcting: errors in one block propagate to two blocks.
Sequential encryption: cannot use parallel hardware.
Usage: choose a random IV and protect the integrity of the IV.
Observation: if Ci = Cj then Ek(Mi ⊕ Ci-1) = Ek(Mj ⊕ Cj-1); thus Mi ⊕ Ci-1 = Mj ⊕ Cj-1; thus Mi ⊕ Mj = Ci-1 ⊕ Cj-1.

Use Block Ciphers to Construct Stream Ciphers

Cipher Feedback (CFB)
Output Feedback (OFB)
Counter Mode (CTR)
Common properties:
use only the encryption function of the cipher, both for encryption and for decryption
malleable: possible to make predictable bit changes

Encryption Modes: CFB

Cipher Feedback (CFB): the message is XORed with the feedback of encrypting the previous block.

[Diagram: CFB encryption and decryption with an r-bit shift register Ij (I1 = IV), keystream output Oj, plaintext block xj and ciphertext block cj.]

Properties of CFB

Randomized encryption.
A ciphertext block depends on all preceding plaintext blocks; reordering affects decryption.
Errors propagate for several blocks after the error, but the mode is self-synchronizing (like CBC).
Decreased throughput.
Can vary the number of bits fed back, trading off throughput for ease of use.

Sequential encryption.

Encryption Modes: OFB

Output Feedback (OFB): construct a PRNG using DES
y0 = IV, yi = Ek[yi-1]

[Diagram: OFB encryption and decryption. I1 = IV; the register Ij is loaded from the previous output Oj-1; Oj is XORed with xj to give cj, and with cj to recover xj.]

Properties of OFB

Randomized encryption.
Sequential encryption, but preprocessing possible.
Error propagation limited.
Subject to the limitations of stream ciphers.

Encryption Modes:CTR

Counter Mode (CTR): another way to construct a PRNG using DES
yi = Ek[counter + i]
Sender and receiver share the counter (does not need to be secret) and the secret key.

Properties of CTR

Software and hardware efficiency: different blocks can be encrypted in parallel.
Preprocessing: the encryption part can be done offline; when the message is known, just do the XOR.
Random access: decryption of a block can be done in random order; very useful for hard-disk encryption.
Messages of arbitrary length: the ciphertext is the same length as the plaintext (i.e., no IV).
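The ECB, CBC and CTR slides above, as one added example that is not the lecture's code: a toy 64-bit Feistel cipher (8 rounds, SHA-256 as the round function; a teaching stand-in for DES or AES, not a vetted cipher) with each mode written directly from its slide formula, followed by checks of the properties the slides claim. KEY, IV and MSG are constructed sample values, no padding is implemented, and the helper names are this example's own.

```python
"""Toy Feistel block cipher with ECB, CBC and CTR modes (added illustration).

The 64-bit cipher is a stand-in for DES/AES: 8 Feistel rounds with SHA-256 as
the round function. It is NOT a vetted cipher; the modes on top are the point.
"""
import hashlib

BLOCK = 8                     # 64-bit blocks, the DES block size
ROUNDS = 8
KEY = b"constructed-key!"     # constructed sample key
IV = bytes(range(BLOCK))      # constructed IV; a real CBC IV must be random


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: SHA-256 keyed on (key, round index), 32-bit output.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:4], block[4:]
    for i in rounds:
        l, r = r, _xor(l, _round_fn(key, i, r))
    return r + l              # undo the last swap so the same loop decrypts


def encrypt_block(key: bytes, block: bytes) -> bytes:      # E_k(x)
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:      # D_k(y): rounds reversed
    return _feistel(key, block, reversed(range(ROUNDS)))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC here need whole blocks (no padding implemented)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):      # c_i = E_k(x_i): every block independent
    return b"".join(encrypt_block(key, x) for x in _blocks(msg))


def ecb_decrypt(key, ct):       # x_i = D_k(c_i)
    return b"".join(decrypt_block(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, msg):  # C_i = E_k(M_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for m in _blocks(msg):
        prev = encrypt_block(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):   # M_i = C_{i-1} xor D_k(C_i)
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(prev, decrypt_block(key, c)))
        prev = c
    return b"".join(out)


def ctr_block(key, nonce, i):   # keystream block y_i = E_k(counter + i)
    ctr = (int.from_bytes(nonce, "big") + i) % (1 << (8 * BLOCK))
    return encrypt_block(key, ctr.to_bytes(BLOCK, "big"))


def ctr_crypt(key, nonce, data):   # one call encrypts and decrypts, any length
    n = (len(data) + BLOCK - 1) // BLOCK
    keystream = b"".join(ctr_block(key, nonce, i) for i in range(n))
    return _xor(data, keystream)   # zip() trims the keystream to len(data)


# --- properties from the slides, each returned as a checkable value ----------
MSG = b"ATTACK!!" * 2 + b"RETREAT!"   # constructed: blocks 1 and 2 are identical


def ecb_reveals_repeats(key=KEY):
    ct = ecb_encrypt(key, MSG)
    return ct[:BLOCK] == ct[BLOCK:2 * BLOCK]        # True: the repeat leaks


def cbc_hides_repeats(key=KEY, iv=IV):
    ct = cbc_encrypt(key, iv, MSG)
    return ct[:BLOCK] != ct[BLOCK:2 * BLOCK]        # True: chaining randomizes


def cbc_error_propagation(key=KEY, iv=IV):
    """Flip one bit in C_1 and report which plaintext blocks are affected."""
    ct = bytearray(cbc_encrypt(key, iv, MSG))
    ct[0] ^= 0x01
    pt = cbc_decrypt(key, iv, bytes(ct))
    m1, m2, m3 = _blocks(MSG)
    p1, p2, p3 = _blocks(pt)
    return (p1 != m1,                                   # block 1 garbled
            p2 == _xor(m2, b"\x01" + bytes(BLOCK - 1)),  # block 2: same bit flipped
            p3 == m3)                                   # block 3 intact


def ctr_random_access(key=KEY, nonce=IV):
    """Decrypt only the third block of a CTR ciphertext; no earlier blocks needed."""
    ct = ctr_crypt(key, nonce, MSG)
    third = _xor(ct[2 * BLOCK:3 * BLOCK], ctr_block(key, nonce, 2))
    return third == MSG[2 * BLOCK:3 * BLOCK]
```

The CBC observation Mi ⊕ Mj = Ci-1 ⊕ Cj-1 is not exercised here: with a 64-bit block a ciphertext collision is expected only after about 2^32 blocks under one key, which is exactly why 64-bit block ciphers such as DES should not encrypt large volumes of data in CBC mode.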

Ideal Block Cipher

An ideal block cipher is a substitution cipher from {0,1}^n to {0,1}^n.
Also known as a random permutation.
Each key determines one permutation on the plaintext space.
A random key is chosen.

Why is this an ideal block cipher?
Known-plaintext, chosen-plaintext, and chosen-ciphertext attacks are totally ineffective.

Security Goal of Block Cipher

Indistinguishable from an ideal block cipher (i.e., a random permutation).
The best block cipher should be a pseudo-random permutation (PRP).
For all existing block ciphers, if there is no known attack, they are assumed to be PRPs for some suitable parameters.

Block Cipher Modes Revisited

Suppose that the adversary knows that a ciphertext results from one of two possible plaintexts; the adversary should not be able to tell which plaintext is more likely to be the actual one.
If a block cipher is a PRP, then using this cipher under the CBC or CTR modes gives semantic security.

Summary so Far

Stream ciphers are faster than block ciphers.
Keystream reuse for stream ciphers makes them insecure.
The current standard is AES; no known practical attacks against it.
The security of block ciphers depends on the encryption mode.
Recommended encryption modes: CBC and CTR.