
Who Said That? Privacy at Link Layer

Frederik Armknecht and Joao Girao
NEC Europe Ltd.
{frederik.armknecht,joao.girao}@netlab.nec.de
Alfredo Matos and Rui L. Aguiar
Institute of Telecommunications, University of Aveiro
alfredo.matos@av.it.pt, ruilaa@det.ua.pt
Abstract: Wireless LAN and other radio broadcast technologies are now in full swing. However, the widespread usage of these technologies comes at the price of location privacy, be it by observing the communication patterns or the interface identifiers. Although a number of network level solutions have been proposed, this paper describes a novel approach to location privacy at the link layer level. We present a generic mechanism and then map it to a real protocol, IEEE 802.11. The work also provides an analysis of the protocol in terms of privacy and performance considerations.¹
I. INTRODUCTION
Wireless networks, in particular WLAN, have become popular in our homes and offices. The term ‘hotspot’ is now
widespread as we walk the path to the ‘always connected’
paradigm. However, there are drawbacks. In this paper we
address the loss of privacy that stems from the fact that we
are always connected to the network, as we change locations,
and can therefore be tracked. Since this is a problem which has
only recently been identified, not much work has been done
specifically in this area, although many of the new network
architectures have support for location privacy by either using
pseudonyms, making use of Network Address Translation
(NAT) or other solutions (Section II). Network approaches
prevent a node from tracking the location of peers beyond
the link scope, but leave open the problem of two nodes
communicating on the same link layer domain. This problem
is most evident in broadcast mediums, mostly wireless tech-
nologies, where an attacker does not even have to participate in
the communication to monitor all the necessary information.
Finally, we would like to remark that our approach is best
combined with other network layer approaches to location
privacy in order to extend the protection to attacks originating
outside the link layer cloud.
We provide a generic mechanism to deal with location privacy issues at the link layer. We further analyze the feasibility of a real-world realization by instantiating it on 802.11, in light of current technology and standards. Since our approach sits between the physical and link layers, we also study what we can and cannot protect in contrast with the standard.
We begin by presenting a survey of techniques used at different layers of the network stack for location privacy in Section II. In Section III we formalize the description of our network model, analyze the attacker model and provide the security objectives for our scheme along with an analysis of the information leaked by using 802.11. In Section IV we present our scheme and instantiate the model in which we apply our ideas. Section V provides some considerations on performance, and studies the feasibility of implementing the described scheme. We conclude our work in Section VI and open the door to future research directions.
¹ The work described in this paper is based on results of IST FP6 Integrated Project DAIDALOS. DAIDALOS receives research funding from the European Community’s Sixth Framework Programme. Apart from this, the European Commission has no responsibility for the content of this paper. The information in this document is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.
Note that throughout this paper certain operations are replaced by symbols summarized in Table I.
Symbols         Description
$c = E_k(m)$    encryption of $m$ using key $k$, obtaining the ciphered text $c$
$m = D_k(c)$    decryption of $c$ using key $k$, obtaining plaintext message $m$
$a \| b$        concatenation of $a$ with $b$
$|m|$           size of message $m$
TABLE I
NOMENCLATURE USED THROUGHOUT THE ARTICLE
II. RELATED WORK
Most of the current solutions for location privacy operate
at the network level, even though location privacy issues also
afflict the MAC Layer. The privacy schemes at the network
layer usually separate the concepts of identifier and locator,
currently aggregated in IP addresses (e.g. [7], [8]).
From a mobility standpoint, Mobile IP [4], [11] can provide
location privacy through sub-optimal routing. However, the
performance cost of using the Home Agent for all the traffic,
without Route Optimization, is too big for most real-time
applications.
Some architectures attempt to create new paradigms for routing and addressing, like FARA [3], a completely new architecture whose abstractions decouple Locators and Identifiers. While not directly aiming at location privacy, the logical abstractions provide support for it.
Overlay networks, such as I3 [13], Triad [2] and HI3 [9], can provide location privacy. In I3 and HI3, this is obtained by introducing a rendezvous point that allows nodes to reach their peers without knowing their locators. This approach can impact performance, since routing is not guaranteed to be optimal. Triad creates an overlay network to protect application content, and so has a different scope, but still provides an interesting approach defining realms and relay points.
A generic framework for location privacy is presented in [6]. This proposes a hierarchical approach to location privacy, addressing anonymity, pseudonymity and unlinkability. While this generic framework provides several improvements on privacy aspects, it does not protect against MAC layer tracking, and the unlinkability and pseudonymity it provides can be broken by eavesdropping on a wireless link.
All the presented solutions work either on or above the network layer. None of them addresses location privacy concerns at the Link Layer (L2), and all are therefore vulnerable to L2 attacks.
Note that, although our work addresses L2 attacks, there are highly specialized physical attacks which are not covered by our approach. In radio-based technologies, attacks may rely on the physical characteristics of the radio channel. Such attacks include finding the nearest station and triangulation/trilateration, by analyzing the signal strength, signal to noise ratio (SNR), time difference of arrival (TDOA) or received signal strength indication (RSSI), and radio-frequency (RF) fingerprinting. These attacks may erode the protection we offer in this paper and therefore our approach should be taken in conjunction with techniques which also protect the physical layer (PHY), even though these attacks usually require non-standard equipment.
III. COMMUNICATION MODEL
A. Network Model
In our model we consider the last hop of an access network composed of one Access Point, AP, and $n$ terminals/nodes, $N_i$, with $i \in \{1, 2, \dots, n\}$. We further extrapolate the individual links between each of the terminals $N_i$ with the AP and term them as channels, where $C_i$ refers to the channel between node $N_i$ and the AP. Each channel has only two endpoints, which are the address of $N_i$, $MAC_i$, and of the AP, $MAC_{AP}$. Our assumption is that, even though communication occurs only between the individual $N_i$ and the AP, the medium is still broadcast and all the nodes in the group can listen to all of the messages being sent over any $C_i$.
The model only considers communication between $N_i$ and AP, which is in line with the traffic pattern at link layer in, for example, managed WLAN.
B. Attacker and Threat Model
In Section III-A we introduced a network model which we
believe reflects typical scenarios. It seems clear that the first
threat to location privacy at the link layer is that of the attacker
having access to all the packets exchanged in all channels $C_i$.
An attacker may track a device from one network to the
other by moving inside the same link layer cloud and mapping
the unchanging MAC address. By associating link and network
layer addresses (e.g. MAC and IP) he will further be able
to circumvent any layer 3 location privacy protections. A
pseudonymity approach will protect the identity of the user but
not his location: passive attackers can still detect whether the
MAC pseudonym which maps to a specific layer 3 identifier
was already being used in the same link layer cloud.
Another issue is the tracking of origin and destination of
link layer messages. Currently it is easy for an outsider to de-
termine traffic patterns and traffic direction. This information
can later be used to pinpoint a user, or correlated with other
information to discover the user’s identity (e.g. periodically
checking an IMAP server). Even if the payload is encrypted,
this information allows an attacker to perform selective Denial
of Service (DoS) attacks.
Due to the nature of the scenario, DoS is a problem we also plan to tackle within our proposal. Our proposal must be scalable and immune to DoS attacks.
Also, for DoS prevention reasons, it is important for the AP to be able to distinguish valid, authorized users from each other, even at registration time. This is to prevent multiple registrations and overconsumption of the AP’s resources. Although the problem of anonymously linking identity to a form of certification is outside the scope of this paper, we provide the mechanisms which allow the linkage of, for example, participation certificates which can be checked against a Public Key Infrastructure (PKI) and the Authentication, Authorization and Accounting (AAA) servers for validity and uniqueness. Such a combination would thwart attempts of multiple registrations on behalf of the same user.
C. Security Objectives
Based on our network and attacker models, we list below the security objectives a successful location privacy approach for link layer should achieve:
- Avoid using a unique link layer identifier: Using the same identifier allows an attacker to track the user’s location by testing the user’s presence in different link layer clouds.
- Prevent linking network layer location with link layer identifiers.
- Protect communication peer identities and pseudonyms from traffic and header analysis.
- Protect users’ traffic from direction inference: distinguishing traffic direction (from the AP to the terminal or vice-versa) allows an attacker to infer which service is being used and possibly the user’s identity.
- Should support link layer protocol operations to minimize changes to standards and implementation costs: The feasibility of our approach depends on the intrusiveness into the link layer protocol.
- Ideally, when presented with several packets in the network, the attacker should not be able to link them or even distinguish anything other than the fact that they are disjoint packets.
D. Privacy Leakage
In most widely used protocols, the Layer 2 addresses used to identify the nodes are sent in every packet. Furthermore, a channel identifier is sometimes used and, although it cannot be used to identify the node, it aids in tracking connections. Other potentially leaked information includes sequence numbers, acknowledgement frames and round-trip times, all of which can be correlated, hence tracking the connection and the user.
Each protocol requires careful analysis in order to determine if we can hide or otherwise obfuscate the offending fields. In our case study, IEEE 802.11 [1] requires that information is both hidden and obfuscated. It carries the source and destination addresses in the header, and requires association and authentication procedures that identify the stations. Also, some mechanisms, as is the case of the power management bits, identify the origin of the packet (infrastructure or not) and the destination (regular stations). Sequence numbers are not reset, so they make it possible to track nodes even without the addresses. However, some fields cannot be hidden, because they support mechanisms such as the Network Allocation Vector. These types of fields must be world readable.
IV. WHO SAID THAT?
Our privacy proposal defines a novel transport that protects the data and management frames against the described attacker model, assuming that keys have previously been agreed between $N_i$ and AP. When used in parallel with classical networks, the node might obtain this key by, for example, contacting his home network. A key agreement phase should only be necessary if the terminal, $N_i$, does not have another secure way of agreeing on a key with the AP.
A. Transport
In our approach the identification of a channel $C_i$ is given by the key $K_i$ shared between the terminal $N_i$ and the AP, as shown in Fig. 1. Thus the MAC is sent encrypted.
Fig. 1. Using keys as channel identifiers in a broadcast medium.
Even with encryption, if the encryption primitive does not provide randomization by itself, the encryption of the same plaintext results in the same ciphered text. For this reason we propose the use of a synchronized initialization vector (iv). The fact that the value of iv is synchronized on both end-points allows for fast determination algorithms of the origin and/or destination of the packet since both end-points can pre-compute the encrypted values. Also, with this vector iv, the encryption of the same plaintext results in different ciphertexts depending on the value of iv.
The main problem lies in the synchronization of both end-points, which is an expensive operation. To this end, we propose iv to be a sequence number, $s_i$, which is unique to a certain channel $C_i$. Since messages can be lost and this will affect synchronization, we further propose a mechanism to recover from such cases. This recovery mechanism also allows any $N_i$ or the AP to re-seed the iv at any moment during the communication.
1) Encryption Process: The current value of $s_i$ is appended at the end of every sent message. Encryption is then performed from the end to the beginning using the key $K_i$ for the corresponding channel $C_i$, with the exception of the fields for fast determination. These fields contain the known plaintext values which are used to determine whether the packet should be processed or not, by a node which receives the packet (in most cases this field corresponds to the source or destination address). This field is encrypted in parallel by appending it to the value of $s_i$, padding the value to the block of the cipher and encrypting. We then discard the encrypted blocks which contain the value of $s_i$ and insert the encrypted field back into the packet².
² It is important to note that, for this mechanism to work, we always encrypt and decrypt the packet from the end to the beginning. This is so the value of $s_i$ affects all the packet. We assume that either a stream cipher, which is re-initialized for every packet with a known vector, or a block cipher with a mode, such as for example RC5-CBC, is used.
In this example the address of node $N_i$, $MAC_i$, must be encrypted independently because it is pre-computed at the other side. The node encrypts $MAC_i$ by applying $E_{K_i}(s_i \| padding \| MAC_i)$, where $padding$ refers to the fact that $s_i$ should be expanded to the block size of the cipher. After encryption, the encrypted section of $s_i$ is truncated and only the encrypted $MAC_i$ is added to the packet. The same encryption process can also be applied on the receiving side since $s_i$ is synchronized.
If this protocol is employed, all unicast packets in the network are indistinguishable from each other. In fact, an attacker will be unable to link two different packets by using link layer information.
2) Re-synchronization Mechanism: If a packet is lost, the value of $s_i$ is no longer synchronized on the end points. We detect such an event by the inability of the node to find any pre-computed value for the field. In order to re-synchronize, the node must use all its keys to attempt to decrypt the packet and use known values as a check to determine if the decryption was successful. If it is not able to decrypt the packet, the packet is discarded. If it is successful, then the new value of $s_i$ contained in the packet is used to update the local copy of the value.
3) Transport Header: When encryption occurs, it’s likely that the resulting message differs from the plaintext message not only in content, but also in size. Therefore, we must append the size of the original message to be able to distinguish between the actual content of the original packet and the padding.
Also, depending on the technology we apply our concepts to, we might need to transmit information which is removed from the packet to avoid information leakage, but must be returned before delivering it to the higher layers.
We propose the use of a header which should be appended, if needed, before encryption, to all packets and provide information on the issues discussed above. This header should contain the values which were removed from mandatory cleartext fields, the original length of the packet and a termination with the value of $s_i$. Since encryption and decryption are performed from end to beginning, we are sure that the variability in the ciphering caused by the changing $s_i$ affects the whole packet encryption.
4) Sending a Packet: Algorithm 1 describes the process
a node must go through to send a unicast packet. Broadcast
packets are still sent in the same manner since, unless the
source wishes to be anonymous, the information of who is the
source must be given to all nodes and hiding the identity of
the source becomes a contradiction.
Algorithm 1 Sending a unicast packet.
  Intercept the message sent from MAC to PHY
  Determine which $\langle K_i, s_i \rangle$ to use
  if is not AP then
    Use stored $\langle K_i, s_i \rangle$
  else
    Use table to map $N_i$ address, $MAC_i$, to $\langle K_i, s_i \rangle$
  end if
  Insert transport header (Section IV-A.3)
  Encrypt packet (Section IV-A.1)
  $s_i \leftarrow s_i + 1$ and update pre-computed values
  Send the encrypted packet using the PHY mechanisms
5) Receiving a Packet: Algorithm 2 describes the process
a unicast packet undertakes upon reception. In a similar way
to the algorithm for sending, receiving a broadcast packet
is handled in the usual method proposed by the technology
without any modifications.
Algorithm 2 Receiving a unicast packet.
  Intercept the message sent from PHY to MAC
  Apply the determination mechanism as follows:
  if is not AP then
    Use stored $\langle K_i, s_i \rangle$
  else
    for all Stored $E_{K_i}(s_i \| padding \| MAC_i)$ do
      if Matches the field in the packet then
        Exit the loop and use $\langle K_i, s_i \rangle$
      end if
    end for
    if No $\langle K_i, s_i \rangle$ was found then
      for all Stored $\langle K_i, MAC_i \rangle$ do
        Decrypt the last block with $K_i$ and retrieve $s_i$
        Use $\langle K_i, s_i \rangle$ to decrypt the address block
        if $MAC_i$ equals address block then
          Exit the loop and use $\langle K_i, s_i \rangle$
        end if
      end for
      if No $\langle K_i, s_i \rangle$ was found then
        Proceed to Key Agreement and EXIT
      end if
    end if
  end if
  Decrypt the packet using $K_i$
  Remove transport header, update fields and deliver to MAC
  if MAC did not detect errors then
    $s_i \leftarrow s_i + 1$ and update pre-computed values
  end if
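The transport of Section IV-A (determination field, end-to-beginning encryption, Algorithms 1 and 2 with re-synchronization after a lost packet) as an added example; it is not code from the paper or its authors. Assumptions: RC5-32/12 with a 64-bit block (not the 32-bit unit mentioned in Section V), an 8-byte determination field, a simplified frame layout (field followed by body), a 4-byte $s_i$, and the hypothetical names `det_field`, `seal`, `open_body`, `Node`, `AccessPoint` and `track`.

```python
import struct

W, R, MASK, BS = 32, 12, 0xFFFFFFFF, 8   # RC5-32/12, 8-byte block (assumed parameters)

def _rot(x, n, left=True):
    x, n = x & MASK, (n if left else -n) % W
    return ((x << n) | (x >> (W - n))) & MASK

def rc5_expand(key):                      # RC5 key schedule, after Rivest [12]
    L = [0] * max(1, (len(key) + 3) // 4)
    for i in range(len(key) - 1, -1, -1):
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(2 * (R + 1))]
    A = B = i = j = 0
    for _ in range(3 * max(len(S), len(L))):
        A = S[i] = _rot(S[i] + A + B, 3)
        B = L[j] = _rot(L[j] + A + B, A + B)
        i, j = (i + 1) % len(S), (j + 1) % len(L)
    return S

def rc5_enc(S, blk):
    A, B = struct.unpack("<2I", blk)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (_rot(A ^ B, B) + S[2 * i]) & MASK
        B = (_rot(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<2I", A, B)

def rc5_dec(S, blk):
    A, B = struct.unpack("<2I", blk)
    for i in range(R, 0, -1):
        B = _rot(B - S[2 * i + 1], A, left=False) ^ A
        A = _rot(A - S[2 * i], B, left=False) ^ B
    return struct.pack("<2I", (A - S[0]) & MASK, (B - S[1]) & MASK)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def det_field(S, s, mac):
    """E_K(s || padding || MAC): CBC from a zero IV, keeping only the MAC block."""
    c0 = rc5_enc(S, struct.pack("<Q", s))            # s padded to one block
    return rc5_enc(S, _xor(mac.ljust(BS, b"\0"), c0))

def seal(S, s, mac, payload):
    """Frame = determination field || body encrypted from the end to the beginning."""
    padded = payload + b"\0" * (-len(payload) % BS)
    blocks = [padded[i:i + BS] for i in range(0, len(padded), BS)]
    blocks.append(struct.pack("<II", len(payload), s))   # transport header, s last
    out, prev = [], bytes(BS)                            # known starting vector
    for blk in reversed(blocks):                         # last block is encrypted first
        prev = rc5_enc(S, _xor(blk, prev))
        out.append(prev)
    return det_field(S, s, mac) + b"".join(reversed(out))

def open_body(S, frame):
    body = frame[BS:]
    cts = [body[i:i + BS] for i in range(0, len(body), BS)]
    plain = b"".join(_xor(rc5_dec(S, c), n) for c, n in zip(cts, cts[1:] + [bytes(BS)]))
    length, s = struct.unpack("<II", plain[-BS:])
    return plain[:length], s

class Node:
    def __init__(self, mac, key, s=0):
        self.mac, self.S, self.s = mac, rc5_expand(key), s

    def send(self, payload):                 # Algorithm 1
        frame = seal(self.S, self.s, self.mac, payload)
        self.s = (self.s + 1) & MASK
        return frame

class AccessPoint:
    def __init__(self):
        self.nodes, self.expected = {}, {}   # MAC -> (S, s); pre-computed field -> MAC

    def track(self, mac, S, s):
        """Store <K_i, s_i> and pre-compute the field the next frame must carry."""
        if mac in self.nodes:
            self.expected.pop(det_field(S, self.nodes[mac][1], mac), None)
        self.nodes[mac] = (S, s)
        self.expected[det_field(S, s, mac)] = mac

    def receive(self, frame):                # Algorithm 2, AP side
        if len(frame) < 2 * BS or len(frame) % BS:
            return None
        tag, path = frame[:BS], "fast"
        mac = self.expected.get(tag)
        if mac is None:                      # out of sync: try every stored key
            path = "resync"
            for cand, (S, _) in self.nodes.items():
                s = struct.unpack("<II", rc5_dec(S, frame[-BS:]))[1]  # last block only
                if det_field(S, s, cand) == tag:
                    mac = cand
                    break
            else:
                return None                  # no key fits: proceed to key agreement
        S = self.nodes[mac][0]
        payload, s = open_body(S, frame)
        self.track(mac, S, (s + 1) & MASK)
        return mac, payload, path
```

The receive path accepts any sequence number that validates under a stored key, exactly as Algorithm 2 is written; it keeps no window of already-seen values.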
B. Who in 802.11 said that?
In the previous section we presented a generic approach for
link layer location privacy which we will now map to the link
layer protocol IEEE 802.11 [1].
Duration/AID field: As identified during the information
leakage analysis, this field must be sent in plaintext so
all stations can update their NAV. This poses an additional
problem since, without knowing the packet type, stations
would also not be able to distinguish a duration field from an
AID. To protect the protocol against this problem we propose
that all packets contain the value for duration in this field,
which is possible to compute at all times. In packets where
the AID should be sent, the AID is added to the transport
header and encrypted. Before the packet is passed on to the
higher layers, and after decryption, the AID will be copied on
top of the duration field. Using this mechanism ensures the
AID is never revealed and stations are able to update their
NAV using any packet.
Beacons: In our approach the beacon must be modified to prevent attacks on the TIM.
We address this issue by encrypting each position of the bitmap individually to each of the stations. Each relevant bit will be ciphered by taking the bit at position $j$ from $E_{K_i}(s_i \| b, Padd)$, where $s_i$ is the station’s current sequence number, and $b$ is the original TIM bit value. $j$ is the most significant different bit when comparing the encryption for $b = 0$ and $b = 1$. When station $i$ receives a beacon, it repeats the encryption process and uses the index $j$ to compare the encrypted values with the value in the TIM at the expected position. This process can determine if packets for that station are queued at the AP.
Registration: In order to minimize the number of packets in the network, we re-use packets, such as the Association Request and the Association Response, to perform the registration procedure. As such, we use the beacon to carry the puzzles, the Association Request to transport the solutions to the puzzle together with $N_i$’s part of the DH key agreement ($g^a$) and the Association Response as the DH part of the AP ($g^b$). The first data packet, management or control frame from $N_i$ can serve as confirmation that the procedure was carried out correctly.
Transport Header: The transport header serves two purposes: the first is to carry the correct length of the decrypted packet and to solve the problem of the packets which contain an AID which would identify the station. The second is to transport the value of $s_i$ used to seed the encryption of the packet in order to allow for re-synchronization. Fig. 2 depicts the fields and added options in the standardized 802.11 packet header.
Fig. 2. 802.11 header with transport header options.
Looking at the header we can see that all fields, with the
exception of the duration field, are encrypted. Also, we observe
that one of the address fields is encrypted independently. In
the case of an $N_i$ sending a packet, this field will correspond
to the source address. When it is the AP that sends a packet
the destination field is used in this way.
The end result is that all packets are indistinguishable
from each other, with the exception of broadcast packets. The
attacker will have no way to infer the source or destination, or
to correlate two unicast packets by solely analyzing the traffic.
V. PERFORMANCE EVALUATION
Performance depends on the cipher being used. When choosing a cipher for our scheme, we must ensure that it fits the operations described and, since this cipher will be used in every packet and during time-critical events, that it is also efficient. The small block size and highly efficient duty-cycle of RC5 [12] make it a perfect candidate. The block size fits the minimum encryption unit required in our scheme, which is 32 bits, which reduces the need for padding, since packets are usually 32-bit aligned.
According to [5], RC5 encryption and decryption both take 19 clock cycles (cc) per byte on a Pentium III. This is an acceptable platform for the AP, considering that for a real deployment crypto primitives should be implemented in hardware. In this performance section we assume that this is the cipher used, with this implementation, on a Pentium III 600 MHz.
For our test scenario we consider one AP, one correspondent node (CN), which is the destination for all communications in the wireless channel, and an increasing number of nodes ($N_i$). Each added node $N_i$ increases the load on the network and reduces the opportunities of another node to find the medium free.
We have performed all our simulations in NS-2 [10] 2.29, with the node number (NN) varying between 1 and 20, transmitting UDP packets of 178 bytes, at the rate 67.8 Kb/s. For each simulation we perform 10 runs of 60 seconds each.
To perform our simulations we inserted a computation delay at the AP which depends on whether or not the AP is synchronized with this node. The mechanism used to check whether the node is not synchronized with the AP is based on whether the MAC layer has re-transmitted a packet due to collision. In cases where a re-transmission has occurred, the AP will take the average time of finding an entry in a table which is of size NN/2 (where NN corresponds to the number of simulated nodes)³. Once the key is found, we assume the node to be synchronized once again with the AP.
The performed simulations cover three different cases. The
first, for comparison purposes, is a plain 802.11b simulation.
The two other scenarios implement higher processing delays
at the nodes, with one and two queue variants.
1) Impact on Real-Time Traffic: In this scenario we are interested in the behavior of real-time applications, such as audio and video, and make use of UDP with constant bitrate (CBR) traffic. We are interested in how our scheme affects both end-to-end delay and jitter, where each node transmits at 67.8 Kb/s, with 178-byte packets. This simulates a 64 Kb/s voice call and the RTP overhead.
Figures 3 and 4 show the end-to-end delay and jitter for the real-time traffic. They show that the saturation point of the 802.11b network is located at 7 nodes per base station, where both the delay and jitter begin to escalate rapidly, as further detailed in the figure. The saturation point remains the same in all scenarios.
The slight delay increase is consistent with the encryption and decryption times. With few collisions below the saturation point, single and double queues have a similar performance. Above the saturation point the second queue shows greater value by providing a significantly smaller delay than the single queue, because the collision/retransmission frequency increases due to network congestion. However, above the saturation point, the bottleneck is the wireless access and therefore the delay presents variations regardless of the scenario.
Figure 4 presents the jitter values for all the tested scenarios. For up to 6 nodes, the jitter increases slowly and steadily. Afterwards we notice a rapid increase, due to network congestion. The observed jitter values follow the same pattern as the delay, and lead to the conclusion that the extra processing has little impact on performance.
Fig. 3. End-to-end delay, CBR 67.8 Kb/s per node from 1 to 15 nodes, zoomed is the saturation point. (Plot: average end-to-end delay (s) versus number of nodes for the plain, 1 queue and 2 queue scenarios; inset: 6 to 7 nodes transition.)
Fig. 4. End-to-end jitter, CBR 67.8 Kb/s per node from 1 to 15 nodes. (Plot: average end-to-end jitter (s) versus number of nodes for the plain, 1 queue and 2 queue scenarios.)
³ Please note that we do not assume any optimization or ordering of this table.
VI. CONCLUSION
We have presented a solution to link layer location privacy and proved its feasibility under the example of a well known protocol (IEEE 802.11). Our approach should be used in conjunction with a pseudonym mechanism to prevent tracking by active communicating peers, which could be an interesting new direction for our work. Nevertheless, our approach provides privacy at the link layer without significantly undermining the performance of the network.
VII. ACKNOWLEDGEMENTS
We would like to thank Xavier Perez-Costa and Daniel
Camps Mur for their comments and fruitful discussions.
REFERENCES
[1] IEEE Standard 802.11. IEEE standard for information technology - telecommunications and information exchange between systems - local and metropolitan area networks - specific requirements, part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, 1999.
[2] D. R. Cheriton and M. Gritter. Triad: A scalable deployable NAT-based internet architecture, 2000.
[3] David Clark, Robert Braden, Aaron Falk, and Venkata Pingali. FARA: Reorganizing the addressing architecture. In FDNA ’03: Proceedings of the ACM SIGCOMM workshop on Future directions in network architecture, pages 313–321, New York, NY, USA, 2003. ACM Press.
[4] Charles Perkins (Ed.). IP mobility support for IPv4. Proposed Standard, August 2002.
[5] New European Schemes for Signatures, Integrity, and Encryption (NESSIE). Performance of optimized implementations of the NESSIE primitives, version 2.0, IST-1999-12324, 2003.
[6] Joao Girao, Bernd Lamparter, Marco Liebsch, and Telemaco Melia. A practical approach to provide communication privacy. In IEEE International Conference on Communications, Istanbul, Turkey, June 2006. ICC2006.
[7] W. Haddad. Privacy for Mobile and Multi-homed Nodes: Formalizing the Threat Model. Internet Draft (Work in Progress), February 2005.
[8] W. Haddad. Privacy for Mobile and Multi-homed Nodes: MoMiPriv Problem Statement. Internet Draft (Work in Progress), February 2005.
[9] P. Nikander, J. Arkko, and B. Ohlman. Host identity indirection infrastructure. In Proceedings of The Second Swedish National Computer Network Workshop 2004 (SNCNW2004), November 2004.
[10] ns 2. The network simulator, http://www.isi.edu/nsnam/ns/, as in June 2006.
[11] C. Perkins, D. Johnson, and J. Arkko. Mobility support in IPv6. Proposed Standard, August 2004.
[12] Ronald L. Rivest. The RC5 encryption algorithm. In Bart Preneel, editor, Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, pages 86–96. Springer, 1994.
[13] Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, and Sonesh Surana. Internet indirection infrastructure. In Proceedings of ACM SIGCOMM, 2002.
... Even a low-power signal that is transmitted by a household Wi-Fi device can reach as far as 100 meters if a line of sight path is present [1]. In public Wi-Fi networks, it is easy for eavesdroppers to obtain standardized 802.11 frames and retrieve private information streams [2][3][4]. Because the private information is encrypted in the transport layer, we feel safe using wireless network, but this security is not guaranteed forever. ...
... For example, the small error of 2 −1022 added to the initial condition causes mismatches between the legitimate parties. 2 We resolve this issue by conceiving a chaos calibration algorithm that updates a chaos sequence at the receiver. This calibration process can be interpreted as information reconciliation of a chaotic sequence. ...
... The simulation parameters were fundamentally the same as those used for Fig. 6(a), except for the correlation ρ between the Alice-Bob and Alice-Eve channel matrices. Specifically, Bob's channel model is defined in (1), whereas Eve's channel model is defined in (2). Here, the correlation coefficient was ρ = 99.99%, ...
Article
Full-text available
In this paper, we propose a differential multiple-input multiple-output (MIMO) scheme based on the novel concept of chaos-based time-varying unitary matrices to demonstrate—for the first time in the literature—the ability of differential encoding in achieving practical physical layer security even without the need for using channel estimation. In the proposed scheme, an erroneous secret key, which is extracted from the wireless nature, is used to initialize a chaos sequence that is responsible for generating artificially time-varying unitary matrices capable of obfuscating the transmitted data symbols from illegitimate eavesdroppers. Contrary to conventional studies, the key agreement ratio in this study is assumed to be imperfect, which is often true and very realistic in high-mobility scenarios. Following this, we conceive a new calibration algorithm for reconciling the chaotic sequence generated at the legitimate parties, thus making this calibration algorithm a unique, novel solution to the key sharing problem of conventional chaos-based communication techniques, which has been overlooked over the past few decades. It is found out that differential encoding obviates additional complexity and insecurity in dealing with channel estimation, whereas an eavesdropper must tackle the complicated differentially encoded patterns, which have an exponentially increasing complexity order. In addition, the obtained simulation results demonstrate that the proposed scheme can outperform conventional chaos-based MIMO schemes that assume perfect channel knowledge.
... Thus, these two are completely different. In order to solve this kind of specific privacy threat, identifier-free approaches are proposed [12,13]. Identifier-free approaches encrypt all parts of a packet such as MAC header and payload. ...
... The pseudonym method only removes the explicit identifier which leaks implicit information about 802.11 devices. Armknecht et al. [13] think RC5 is a perfect cipher and use origin or destination address as initial vectors to make ciphertext variable with RC5 every time. Greenstein et al. [12] design an 802.11-like protocol, which uses AES cipher to encrypt management and data frame to remove explicit and implicit identifiers. ...
Article
Wi-Fi network has an open nature so that it needs to face greater security risks compared to wired network. The MAC address represents the unique identifier of the device, and is easily obtained by an attacker. Therefore MAC address randomization is proposed to protect the privacy of devices in a Wi-Fi network. However, implicit identifiers are used by attackers to identify user’s device, which can cause the leakage of user’s privacy. We propose device identification based on 802.11ac probe request frames. Here, a detailed analysis on the effectiveness of 802.11ac fields is given and a novel device identification method based on deep learning whose average f1-score exceeds 99% is presented. With a purpose of preventing attackers from obtaining relevant information by the device identification method above, we design a novel defense mechanism based on stream cipher. In that case, the original content of probe request frame is hidden by encrypting probe request frames and construction of probe request is reserved to avoid the finding of attackers. This defense mechanism can effectively reduce the performance of the proposed device identification method whose average f1-score is below 30%. In general, our research on attack and defense mechanism can preserve device privacy better.
... Solutions based on this approach (e.g. [1]) propose to encrypt the entire packet transmitted at the link layer, including the header of the packet (which contains the physical address), which has always been transmitted without encryption in traditional solutions (e.g. IEEE 802.11). ...
... A changes is the total number of address changes. We selected two configurations: [1,45] and [45,80] in which we vary the number of users randomly. We use the first interval Algorithm 1 Maximize perceived QoS for a given privacy entropy H and a required video quality q. ...
... This is due to the fact that information in packet overheads is left unencrypted to facilitate communication, and such overheads could provide a wealth of information for eavesdroppers. This challenge has recently led to an overwhelming interest in physical layer security (PLS), which is considered as a first-line of defense against eavesdropping [5]- [7]. ...
Preprint
Cooperative relaying is often deployed to enhance the communication reliability (i.e., diversity order) and consequently the end-to-end achievable rate. However, this raises several security concerns when the relays are untrusted since they may have access to the relayed message. In this paper, we study the achievable secrecy diversity order of cooperative networks with untrusted relays. In particular, we consider a network with an N-antenna transmitter (Alice), K single-antenna relays, and a single-antenna destination (Bob). We consider the general scenario where there is no relation between N and K, and therefore K can be larger than N. Alice and Bob are assumed to be far away from each other, and all communication is done through the relays, i.e., there is no direct link. Providing secure communication while enhancing the diversity order has been shown to be very challenging. In fact, it has been shown in the literature that the maximum achievable secrecy diversity order for the adopted system model is one (while using artificial noise jamming). In this paper, we adopt a nonlinear interference alignment scheme that we have proposed recently to transmit the signals from Alice to Bob. We analyze the proposed scheme in terms of the achievable secrecy rate and secrecy diversity order. Assuming Gaussian inputs, we derive an explicit expression for the achievable secrecy rate and show analytically that a secrecy diversity order of up to min(N,K)-1 can be achieved using the proposed technique. We provide several numerical examples to validate the obtained analytical results and demonstrate the superiority of the proposed technique to its counterparts that exist in the literature.
... However, the physical layer of the wireless communication system still lacks the corresponding security mechanism, which leads to the lack of protection of the underlying data in the wireless transmission. For example, the MAC address is not encrypted, which may expose the user's identity [6]. Moreover, these public key-based encryption schemes, such as the Diffie-Hellman algorithm [7], are designed to implement computational security via complex mathematical models, such as discrete logarithm and integer factorization. ...
Article
Devices in the Internet of Things (IoT) are usually limited in computing resources and energy capacity, which means that encryption schemes with higher complexity are not suitable for them to ensure secure communication. As a promising solution to this problem, physical layer key generation suggests that shared secret keys can be generated from noisy wireless channel measurements to enhance the security of wireless communications. In this paper, we propose a key generation scheme with extremely low implementation complexity, which allows physical layer key generation to be implemented on IoT nodes. Firstly, we preprocess the channel measurements with simple moving average filtering before quantization to improve channel reciprocity. Next, a bidirectional difference quantization scheme is proposed to realize reliable quantization of channel measurements, which is ingenious in that the quantization process does not depend on quantization thresholds, and thus the mismatched key bits caused by measurements close to quantization thresholds can be effectively avoided. Then, we propose an improved Cascade protocol to achieve lightweight and efficient information reconciliation. The simulation results show that our scheme can well balance the reliability and efficiency of key generation, and has excellent performance in terms of implementation complexity and key randomness.
... 4. Top uses a 64bit server address obtained from a hook program, the lower the calculated address to listen 64bit server in conjunction. 5. Listen address to return the hook program. ...
Thesis
In the current Internet architecture, an IP address is used as the node identifier; that is, generally a single IP address is assigned to a node and used permanently until the node becomes inactive. The same address is used for all communications from/to the node. However, this communication paradigm has a fundamental security problem: the IP address of the node is open not only to nodes who intend to communicate with it, but also to anonymous parties who try to attack the node. To solve this problem, we change our traditional paradigm completely and propose a new solution called Unified Multiplex Communication Architecture. The main difference from the current Internet is that an IP address is not used as a node identifier, but as a service identifier. In the Unified Multiplex Communication Architecture, we change IP addresses session-by-session, and the assigned address is invalid immediately after the session terminates. This architecture simply changes the way the IP address is used but enhances the security significantly. However, there is a major issue in Unified Multiplex: how to determine the IP address used to connect to the server, since an IP address is assigned to each session one-by-one. Prior to communication, the client should know the IP address of the server which is used for awaiting the connection from the client. For this problem, in this thesis we propose a new, non-negotiation type IP address determination mechanism that is feasible by updating the operating system on end hosts only (no modification of applications is needed). In our mechanism, IP address generation is performed on both server and client independently, but generated addresses are synchronized because time information is used for address generation. We then analyze the interval of address update (i.e., the lifetime of a generated address) for avoiding unexpected failure due to our mechanism. 
Our numerical result shows that our address update mechanism is extremely robust against brute-force type attacks. Moreover, detailed design and implementation methods are described for realization.
... Specifically, the authors proposed a novel mutual authentication protocol with provable link-layer location privacy. With the help of the Preset in Idle technique, the protocol [78] is efficient in terms of the packet delay time and the total packet time cost compared with the protocol [188]. On the other hand, mutual authentication with identity privacy can also be preserved using the identity management mechanism proposed by Abdelkader et al. [82]. ...
Article
This paper presents a comprehensive survey of existing authentication and privacy-preserving schemes for 4G and 5G cellular networks. We start by providing an overview of existing surveys that deal with 4G and 5G communications, applications, standardization, and security. Then, we give a classification of threat models in 4G and 5G cellular networks in four categories, including attacks against privacy, attacks against integrity, attacks against availability, and attacks against authentication. We also provide a classification of countermeasures into three types of categories, including cryptography methods, human factors, and intrusion detection methods. The countermeasures and informal and formal security analysis techniques used by the authentication and privacy-preserving schemes are summarized in the form of tables. Based on the categorization of the authentication and privacy models, we classify these schemes in seven types, including handover authentication with privacy, mutual authentication with privacy, RFID authentication with privacy, deniable authentication with privacy, authentication with mutual anonymity, authentication and key agreement with privacy, and three-factor authentication with privacy. In addition, we provide a taxonomy and comparison of authentication and privacy-preserving schemes for 4G and 5G cellular networks in the form of tables. Based on the current survey, several recommendations for further research are discussed at the end of this paper.
Article
In broad-spectrum Traffic analysis method used for collectively processing the packet transmitted times and eavesdropping per locations at a fusion center. In Existing work, Threat models can be generalized based on the adversary's network view, the ability of the eavesdropping devices like (packet decoding, localization of transmission). It includes random walks, adding of pseudorandom sources and destinations, flooding etc. In proposed work: Resource oriented efficient traffic normalization schemes are used for comparative study to the state of the art to reduce the communication overhead by more than 50%. End to end packet delay by more than 30% by using round-robin fusion method. This method allows us to reduce the number of traffic sources active at a given time while providing routing paths any node in the WSN. It reduces packet end to end delay by loosely coupling coordinating packet relaying, without rerouting the traffic directionality phantom flooding traffic detection done in two stage routing. Here it eliminates hotspot locating attack to identify regions.
Article
The Secure Internet Indirection Infrastructure (Secure-i3) is a proposal for a flexible and secure overlay network that, if universally deployed, would effectively block a number of denial-of-service problems in the Internet. The Host Identity Protocol (HIP), on the other hand, is a proposal for deploying opportunistic, IPsec based end-to-end security, allowing any hosts to communicate in a secure way through the Internet. In this paper, we explore various possibilities for combining ideas from Secure-i3 and HIP, thereby producing an architecture that is more efficient and secure than Secure-i3 and more flexible and denial-of-service resistant than HIP.
Conference Paper
Privacy and security are important features for the future mobile wireless Internet since users expect a privacy level comparable to that of today's cellular networks. Separating identifiers from locators is a current practice in today's new network protocols and is a small step in the right direction. However, the separation must be maintained in the presence of an intruder who eavesdrops or manipulates the traffic. In this paper we present a generic framework that targets these problems at the network layer. We further instantiate this framework with an example architecture using well-known protocols which support mobility.
Article
Attempts to generalize the Internet's point-to-point communication abstraction to provide services like multicast, anycast, and mobility have faced challenging technical problems and deployment barriers. To ease the deployment of such services, this paper proposes a general, overlay-based Internet Indirection Infrastructure (i3) that offers a rendezvous-based communication abstraction. Instead of explicitly sending a packet to a destination, each packet is associated with an identifier; this identifier is then used by the receiver to obtain delivery of the packet. This level of indirection decouples the act of sending from the act of receiving, and allows i3 to efficiently support a wide variety of fundamental communication services. To demonstrate the feasibility of this approach, we have designed and built a prototype based on the Chord lookup protocol.
Article
Network address translation (NAT) has become an important technology in the Internet, supporting scalable addressing, addressing autonomy, concealed endpoint identity, and transparent redirection. However, NAT currently lacks a well-specified scalable architecture and interferes with end-to-end security and reliability. In this paper, we present TRIAD as a NAT-based architecture that solves these problems. The key ideas of TRIAD are: i) basing all identification on DNS names, not end-to-end addresses, supported by a router-integrated directory service, ii) providing end-to-end semantics with a name-based transport-level pseudo-header, and, iii) using a simple "shim" protocol on top of IPv4 to extend addressing across IPv4 realms, localizing this extension to inter-realm gateways. We claim that TRIAD solves the problems with NAT, is incrementally deployable, and eliminates the need to make the painful transition to IPv6.
Article
This paper describes FARA, a new organization of network architecture concepts. FARA (Forwarding directive, Association, and Rendezvous Architecture) defines an abstract model with considerable generality and flexibility, based upon the decoupling of end-system names from network addresses. The paper explores the implications of FARA and the range of architecture instantiations that may be derived from FARA. As an illustration, the paper outlines a particular derived architecture, M-FARA, which features support for generalized mobility and multiple realms of network addressing.
Article
This document describes the RC5 encryption algorithm, a fast symmetric block cipher suitable for hardware or software implementations. A novel feature of RC5 is the heavy use of data-dependent rotations. RC5 has a variable word size, a variable number of rounds, and a variable-length secret key. The encryption and decryption algorithms are exceptionally simple.
Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, and Sonesh Surana. Internet indirection infrastructure. In Proceedings of ACM SIGCOMM, 2002.
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE INFOCOM 2007 proceedings.
C. Perkins, D. Johnson, and J. Arkko. Mobility support in IPv6. Proposed Standard.
W. Haddad. Privacy for Mobile and Multi-homed Nodes: MoMiPriv Problem Statement.
IEEE Standard 802.11. IEEE standard for information technology -telecommunications and information exchange between systems local and metropolitan area networks -specific requirements, part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, 1999.