Sage Journals: Discover world-class research

Abstract

Due to the broadcast nature of wireless channel, attacks against wireless sensor networks are much easier to carry out as compared to wired networks. Passive attacks such as eavesdropping and traffic analysis cannot be eliminated even if cryptographic technologies are used. Conventional frames are usually designed to include checksum, which facilitates to adversaries capturing correct frames for further attacks. In most wireless sensor networks, source address and destination address at data link layer are unprotected, which makes traffic analysis quite easy. In this paper, we argue that the long-hold design principles of data link layer protocols are unreasonable from the perspective of wireless security. A secure ARQ scheme for wireless sensor networks named Sec-ARQ is proposed. Without the help of preshared keys or complex authentication infrastructure, Sec-ARQ protects frame checksum and addresses by cumulated checksum. Cumulated checksum is unknown to adversaries because of unavoidable wireless transmission errors. As frame checksum is unavailable to adversaries, error frames caused by collision cannot be detected, rendering eavesdropping useless. Addresses protection provided by cumulated checksum disables traffic analysis attacks. Sec-ARQ can defend against passive attacks effectively. Simulation results prove that Sec-ARQ can improve wireless security with little performance sacrifice, which is more suitable for resource-constrained wireless sensor networks.

1. Introduction

With the technology advances in wireless communications, wireless networking has been experiencing an explosive growth recently. While wireless communications provide great flexibility and mobility, they often come at the expense of security [1]. This is because wireless communications rely on open and public transmission media that raise further security vulnerabilities in addition to the security threats found in regular wired networks. Attacks against wireless networks are much easier to carry out as compared to wired networks. Cryptographic technologies are widely used to provide data confidentiality and integration. However, passive attacks such as eavesdropping and traffic analysis can be successfully launched even if the frames are encrypted [2]. Passive attacks are usually followed by active attacks. And such passive attacks are fundamental for successful active attacks. Eliminating passive attacks can improve wireless security dramatically.

Eavesdropping attacks try to capture frames for the purpose of accessing secret of the payload. Frame payload at data link layer is usually encrypted to protect sensitive information. It is very difficult to take advantage of weakness of a modern encryption system. But the secret can be recovered by offline brute-force attacks, in which the adversaries search the key or password exhaustively. On the one hand, with the development of high performance computing technologies such as GPU technology and cloud-based computing technology, up to 130 million password combinations are run through in just 20 minutes [3–5]. On the other hand, current researches show that users are reluctant to user complex passwords that are usually difficult to remember [6]. Both situations make wireless networks vulnerable to brute-force attacks, which cannot be eliminated by adopting more complex encryption algorithms. Normally, eavesdropping is the foundation of brute-force attacks. The adversaries must capture frames from targeted communications pair first. And only based on correct frames from this pair can they launch success brute-force attacks. That is, two conditions must be satisfied for successful brute-force attacks. First, the adversaries must identify the communication pairs. And secondly, the adversaries must capture correct frames between the communication pair and discard corrupted ones. Unfortunately, the source address and destination address are known to adversaries because they are not protected in conventional wireless networks. And most wireless frames at data link layer include checksum, which facilitates adversaries to capture correct frame and drop corrupted ones based on checksum validation. The adversaries can capture correct frame between the communication pair easily [7, 8].

Different from eavesdropping, traffic analysis attacks try to deduce the context information by analysing the traffic pattern from eavesdropping on wireless communication [9, 10]. For instance, adversaries might gather information such as how many terminals in the network, address and physical location for each terminal, network topology and the traffic volume, and pattern of the network. Such information can be used to deduce key terminals in the network such as sink terminals in wireless sensor networks, mesh router in mesh networks, or access point in wireless LAN. The following active attacks can be launched targeting these key terminals. Most conventional wireless networks are designed to provide strong encryption to payload in data link layer frame, but the source and destination addresses are left unprotected, which makes traffic analysis quite easy.

In this paper, we argue that the long-hold design principle is unreasonable from the perspective of wireless security. As illustrated in Figure 1, only payload is encrypted in conventional data link layer frame design. Other fields are transmitted without any protections, which make passive attacks quite easy. To eliminate passive attacks, link layer information such as source address, destination address, and checksum must be prevented from being decoded except the intended receivers. Link layer information protection is an effective countermeasure to passive attacks. Firstly, checksum protection prevents adversaries from distinguishing corrupted frame from correct ones. As wireless channel is error prone, adversaries may capture error frames for future brute-force attacks. Based on such untrustworthy frames, the success probability of the brute-force attacks decreased dramatically, rendering eavesdropping useless. Secondly, without source address and destination address, the adversaries cannot deduce network information by traffic analysis. Moreover, addresses protection can further confuse eavesdropping because they cannot identify the communication pair by addresses any more.

Figure 1

DATA frame at conventional wireless network is prone to passive attacks.

To protect information at data link layer, a secure ARQ (Automatic Repeat Request) scheme named Sec-ARQ is proposed. Without adopting preshared keys or complex authentication infrastructure, Sec-ARQ protects data link layer information by cumulated checksum. Cumulated checksum is a result of all frames that have been transmitted successfully from the transmitter to receiver. It is shared by the communication pair only. The adversaries cannot access cumulated checksum because of the unavoidable wireless frame error. Cumulated checksum can defend passive attacks effectively. Firstly, the checksum transmitted in frame is protected by cumulated checksum. The adversaries cannot distinguish error frames from correct ones without checksum. It is impossible for adversaries to launch success brute-force attacks based on such error prone frames. Secondly, cumulated checksum changes each time a successful transmission finished, which is used to provide dynamic address. As dynamic address is a hash result of cumulated checksum, and cumulated checksum is only available to the sender and receiver, it is impossible for the adversaries to analyse the traffic of wireless networks.

2. Related Work

In order to resist passive attacks, several countermeasures have been proposed. Fake packet injection is the most widely used approach to confuse adversaries. In such approaches [11–13], terminals in the network transmit fake packets while they are idle. With the present fake traffic, the adversaries cannot deduce traffic pattern or locate key terminals of the target network. The main drawback of fake packet injection is that the injected traffic will undoubtedly decrease network throughput and increase power consumption, especially for resource-constrained wireless networks such as wireless sensor networks. ACS (Anonymous Communication Scheme) is proposed in [14], which adopts the keyed hash result of address and sequence number as addresses. As the sequence number is increased on successful transmission, the resulting address changes dynamically and is unknown to adversaries. Because all terminals in the network use dynamic and encrypted addresses, the adversary cannot deduce anything about the network. In ACS, one key is necessary for each pair of terminals. In a real wireless network, one terminal may be required to communicate with many neighbours, and many keys are required. How to maintain or distribute these keys is a difficult task.

Countermeasures against eavesdropping can be divided into two categories, the physical security and encryption. ACDM and iJam are two typical physical security schemes. ACDM (Algebraic Channel Decomposition Multiplexing) [15] tries to solve open channel problem through physical layer spread-spectrum precoding. In ACDM, the transmit code vectors are determined from the SVD (singular value decomposition) of the convolution matrix describing the channel between the transmitter and desired receiver. Since any potential transmitter-eavesdropper channel will have a different multipath structure, eavesdropper’ ability to detect and decode the transmissions can be severely reduced. Under iJam [16], the sender repeats its transmission two times. For each sample in these repeated transmissions, the receiver randomly jams either the sample in the original transmission or the corresponding sample in the repetition. Since the eavesdropper does not know which signal sample is jammed and which one is clean, it cannot correctly decode the data. Such approaches require more complex wireless hardware devices. A great deal of time and efforts are needed to develop such devices. And further, such schemes need total replacements of wireless devices that are widely used.

Encryption approaches try to fight against eavesdropping through data encryption, which is the most widely used in conventional wireless networks. Unfortunately, as mentioned above, such approaches are under the risk of brute-force attack. For example, the weak password of the most popular security scheme WPA2-PSK can be cracked in about 20 minutes by using GPU technology [17].

In this paper, the proposed Sec-ARQ tries to eliminate passive attacks at data link layer. As compared to physical security, Sec-ARQ requires no hardware modification, only minimal firmware updates are necessary, which is particularly suitable for widely deployed wireless devices. Cumulated checksum instead of key is used to protect addresses and checksum at data link layer, which is more flexible as compared to ACS. Sec-ARQ can be deemed as complimentary strategy to conventional encryption approach. That is, it can defend against weak password brute-force attacks targeted at conventional encryption schemes, rendering eavesdropping attack useless. Dynamic addresses provided by cumulated checksum can further effectively eliminate traffic analysis attacks and eavesdropping attacks.

3. Attack Model and Introduction of ARQ

Adversaries can be divided into two categories: passive and active. Passive adversaries eavesdrop on communications between terminals in the network. Active adversaries can forge frames with any addresses and any payload data. Although Sec-ARQ is the focus on defending against passive attack, the scheme itself must be resistant to any active attacks. Therefore, we assume that adversaries have both of the above capabilities: an adversary can capture all the communications in the network and forge frame with any data in the network.

Sec-ARQ works at data link layer. Data link layer services include framing, error control, and media access control (MAC). MAC services are responsible for coordinating multiple terminals to access the wireless channel, while error control services are used to deal with error in wireless channel. In this paper, the proposed security scheme is implemented by improving error control scheme, leaving MAC schemes untouched. ARQ is the most widely used error control scheme. Sec-ARQ is based on improvement of ARQ scheme. We give a brief introduction of ARQ first.

To simplify presentation, denote the transmitter with S and the receiver with R. As illustrated in Figure 2, fields in DATA frame include frame control, duration, source address, destination address, sequence number, payload, and CRC checksum. Frame control field is mainly used for framing, and duration field is used for media access, which is out the scope of this paper. We focus on the following fields of the frame. Source address and destination address are the address of S and R, respectively. Sequence number is used for identifying the frame, which is an increasing number with step one. Payload is the data from upper layers, which is usually encrypted. FCS is the checksum of this frame.

Figure 2

DATA frame at link layer.

ARQ at data link layer is quite simple and efficient. As illustrated in Figure 3, we denote payload with m and checksum with $c s$ . S sends a DATA frame to R, which includes m and $c s$ . On receiving the DATA frame, R computes a checksum of the received frame. We denote it with $c s^{'}$ . If $c s^{'}$ equals $c s$ , correct frame is received. R delivers m to upper layers and responds to S with an ACK frame. If the checksums are not equal, R discards the frame and does nothing. Having sent the DATA frame, S starts a timer, if a correct ACK frame is received before timeout, S knows that the DATA frame is received correctly. Otherwise, something is wrong with DATA frame or ACK frame and the DATA frame must be retransmitted. Note that checksum is also carried in ACK frame for S to validate the frame. Figure 4 illustrates the structure of ACK frame.

Figure 3

ARQ process at data link layer is efficient.

Figure 4

ACK frame for conventional wireless networks.

At data link layer, only payload is encrypted in conventional wireless networks, and addresses and checksum are transmitted without any protection, which is unreasonable from the perspective of wireless security. Due to the broadcast nature of wireless channel, adversaries can launch passive attacks easily. As to eavesdropping attacks, checksum in DATA frame facilitates adversaries to capture correct frames. Only based on correct frames can the following brute-force attack succeed. If the captured frames include error frames or even fake frames, the attack will be confused by such frames, which leads to failure of the following brute-force attacks. How to protect frame checksum and inject fake frame to confuse the adversaries is the first task of this paper. As to the traffic analysis attack, unprotected source address and destination address make traffic analysis quite easy. Therefore, how to protect these addresses without introducing complex authentication infrastructure is the second task of this paper.

It is commonly accepted that wireless channel are error prone; the packet error rate in wireless network is much higher than in wired domain. And further, because wireless channels are shared by many terminals, MAC schemes at link layer are very important, which coordinate terminals to share the channel efficiently. Unfortunately, the most used CSMA/CA based MAC schemes cannot eliminate hidden terminal in wireless network [18]. Frame collisions in wireless network are unavoidable with the presence of hidden terminals. For these reasons, the ARQ is widely used in wireless network to retransmit collided or error frames. But from another viewpoint, such instinct characteristic of wireless can be used for information protection. Because collisions and error frame are unavoidable for both the receiver and the adversaries, collisions at the adversaries can be used for security. The scheme proposed in this paper is based on this observation. It is based on conventional ARQ, we call it a secure ARQ (Sec-ARQ).

4. Description of Sec-ARQ

4.1. Basic Idea

As mentioned above, the checksum validation process of ARQ is executed by R. S calculates checksum of the frame and append it in DATA frame. R calculates another checksum of the received frame and compares it with the checksum in the frame. Such process is simple but has security flaw. This facilitates the adversaries to capture correct frames.

Now we redesign the checksum validation process as follows. Note that normal checksum function such as CRC is in fact a hash function. In this process, we use a keyed hash function, which takes another parameter key except the payload m. As illustrated in Figure 5, S calculates checksum $c s$ but does not include it in DATA frame. Only payload m is transmitted to R. On receiving the data frame, R calculates the checksum of receive DATA frame $m^{'}$ using the same function and key. We denote the checksum with $c s^{'}$ . Then R sends $c s^{'}$ to S by including $c s^{'}$ in ACK frame. Finally, S compares $c s^{'}$ with local checksum $c s$ . On such a way, the checksum is checked by S instead of R. The only thing left to do for S is to notify R about the checksum result, which will be discussed in detail in the following paragraphs. As $c s^{'}$ in ACK frame is a keyed hash result of m, the adversaries cannot check whether the captured frame is correct without parameter key. In this way, the checksum is protected. How to generate key for S and R that are unknown to adversaries is the most important step.

Figure 5

Basic idea of proposed ARQ.

Key extraction for S and R that is unknown to adversaries is based on the instinct characteristic of wireless networks. As we know, error frames and collisions are unavoidable at both R and the adversaries. Errors at R can be resolved by retransmission, but errors at the adversaries cannot be resolved. That is, S and R know exactly the frames that have already been transmitted. Error frames caused by collision or unreliable channel can be retransmitted by ARQ. But the adversaries may lose at least one frame with high probability, because they cannot request retransmission from S for error frames. This can be used to extract keys for checksum protection.

4.2. Checksum Protection

The details are illustrated in Figure 6. S maintains two variables, hsc and hsh. hsc is the cumulated checksum for S and hsh is called the hidden checksum for S. R maintains three variables, hrc, hrh, and hrt. hrc is the cumulated checksum for R. hrh is the hidden checksum for R. hrt is a temporary checksum. Sec-ARQ uses cumulated checksums hsc and hrc as the key. The hidden checksum hrh is the checksum that is actually transmitted in ACK frame. It is called a hidden checksum because it is protected by cumulated checksum.

Figure 6

Checksum protection in Sec-ARQ.

To illustrate how it works, we give an example. Supposing that hsc = hrc and a frame m is to be transmitted, S calculates the hidden checksum of mhsh using $h s c h s h = h_{1} (h s c, m)$ . And then, S transmits DATA frame m without hsh. After the transmission, S updates cumulated checksum hsc by XORing it with the checksum of new transmitted frame $h s c = h s c \oplus h_{2} (m)$ . Meanwhile, S starts a timer to wait for ACK frame from R. On receiving the DATA frame, R calculates the hidden checksum hrh of received frame using $h r c h r h = h_{1} (h r c, m)$ and transmits hrh to S in ACK frame. S compares hrh and hsh after receiving the ACK frame. If they are equal, S knows that R has received the frame successfully. Note that the checksum is being validated by S instead of R. S must notify the result to R. To do this, S sends the next frame $m + 1$ to R, which is indicated by the sequence number $s e q + 1$ . If R receives a DATA frame with sequence number $s e q + 1$ , it knows that previously received DATA frame is correct. R updates $h r c h r c = h r c \oplus h r t$ . Note that hrt is already calculated as $h r t = h_{2} (m)$ . In this way, the cumulated checksum is synchronized for S and R again; hsc = hrc. If hrh and hsh are not equal, R has not received the DATA frame correctly. S transmits m again. As to R, no hrc update is necessary if m is retransmitted, which is indicated by DATA frame with sequence number seq.

In Sec-ARQ, cumulated checksum is used as a key to protect checksum of DATA frames. Cumulated checksum is the XORed result of all previous DATA frame checksum, and it is updated once new DATA frame is received successfully. As to the adversaries, they can trace the cumulated checksum just as R does. Since they cannot request retransmission from S, any error in the captured frame will make the cumulated checksum lost. Without cumulated checksum, the adversaries cannot validate the following frame any more. As compared to conventional approaches, benefits of cumulated checksum are twofold. Firstly, any terminals in the network can talk to any neighbour without key distribution protocol. This can greatly simplify the network design and improve performance of network. Secondly, cumulated checksum changes dynamically. It is impossible to access this key through brute-force attacks.

4.3. Defend Brute-Force Attacks against Cumulated Checksum

To identify a unique DATA frame, Sec-ARQ uses sequence number seq, which is included in DATA frame. R uses seq to determine whether this is a required frame. Assuming that previously received DATA frame is ${D A T A}_{n}$ , the next DATA frame must be a frame with $s e q = n + 1$ or $s e q = n$ . All DATA frames with seq not equal to $n + 1$ or n are discarded. Therefore, to launch a packets injection attack against Sec-ARQ, the adversary can forge a packet with $s e q = n + 1$ . R receives it unaware of the attack and acknowledges with ${A C K}_{n + 1}$ . The adversary can further forge ${D A T A}_{n + 2}$ . According to Sec-ARQ, R considers that ${D A T A}_{n + 1}$ is correct and delivers it to upper layer. In this way, the actual ${D A T A}_{n + 1}$ from S will never be accepted by R because the anticipant frame is ${D A T A}_{n + 2}$ or ${D A T A}_{n + 3}$ . Sec-ARQ is cracked. Active attack protection is shown in Figure 7.

Figure 7

Active attack protection.

Sec-ARQ adopts sequence number hashing to fight against such attacks. As hsc and hrc are known to be S and R, respectively, and adversary knows nothing about them, they can be used to protect sequence number against attacks. For this purpose, some modifications are necessary to DATA frame. A field name IV is appended to DATA frame. IV is a random vector to introduce computation complexity to adversaries. seq field of DATA frame is set to $h_{3} (h s c, s e q ∥ I V)$ by S. As hrc = hsc and the next sequence number is either n or $n + 1$ , R can calculate the hash value, respectively. If seq equals hash result using n, it is ${D A T A}_{n}$ . If seq equals hash result using $n + 1$ , it is ${D A T A}_{n + 1}$ . Otherwise, error frame is received or attack occurs. In this way, sequence number is protected. To the adversaries, as cumulated checksum is unknown, they cannot forge DATA frames any more.

4.4. Last Frame Problem in Sec-ARQ

Assuming that S sends a DATA frame to R, and no more frames are to be transmitted, the last frame problem occurs in Sec-ARQ. If S sends ${D A T A}_{n}$ to R, R acknowledges S with ${A C K}_{n}$ . ${D A T A}_{n}$ cannot be delivered to the application or upper layer as it may be corrupted. Only if ${D A T A}_{n + 1}$ is received, S can confirm that ${D A T A}_{n}$ is correct. This will cause serious delay to ${D A T A}_{n}$ . This problem can be solved as follows. On receiving ${A C K}_{n}$ from R, S validates checksum as described in previous sections. If the checksum is correct and no more frames are available for transmission, S sends a random DATA frame with sequence number $n + 1$ . On receiving ${D A T A}_{n + 1}$ , R delivers ${D A T A}_{n}$ to upper layer without further delay. Having more frames to be transmitted, S transmits the real ${D A T A}_{n + 1}$ . R treats previously received ${D A T A}_{n + 1}$ as error frame and discarded it. By such approach, the last frame problem is solved.

4.5. Dynamic Addresses in Sec-ARQ

As mentioned above, anonymous address is an effective countermeasure to traffic analysis attacks. Conventional schemes such as ACS adopt preconfigured key to hide addresses. Sec-ARQ achieves anonymous address with the help of cumulated checksum. As cumulated checksum is a secret shared by S and R and is updated after each success transmission, it is ideal option for hidden address. We call them the dynamic addresses.

In wireless networks, each terminal has a unique MAC address. Neighbour discovery is usually achieved by beacon broadcasting, which includes MAC address of the transmitter. Therefore, S knows address of R before communication and so do R. Supposing MAC address of S is saddr, and the address of R is raddr, the dynamic address of them can be calculated as follows. Dynamic address of S is $s a = h_{1} (h s c, s a d d r)$ and dynamic address of R is $r a = h_{1} (h r c, r a d d r)$ . Supposing that S tries to transmit to R, the src in DATA frame from S to R can be replaced by sa and dest in DATA frame can be replaced by ra. On receiving DATA frame, R calculates hash result of its address $h_{1} (h r c, r a d d r)$ and compares it with dest. If it matches, R confirms that the frame is from S. To acknowledge the reception of DATA frame, S sends ACK frame to R. The address in ACK frame is also hashed, and the S processes such address just like R.

In a typical wireless network that is composed of more than two terminals, there may be more than one terminal that send data to R. For each communication pair, R maintains one hrc and one seq. On receiving DATA frame, R must calculate a hash for each communication pair and compare it with .dest field in DATA frame. That is inefficient if R has many communications pairs and the networks are heavy loaded. Sec-ARQ overcomes such inefficiency by calculating the hash before DATA frame receiving. For example, if ${D A T A}_{n}$ is confirmed by receiving ${D A T A}_{n + 1}$ , R updates hrc and calculates $r a = h_{1} (h r c, r a d d r)$ and responds with ${A C K}_{n + 1}$ . On receiving the following DATA frame, R compares DATA.dest with ra for each communication pair. By this way, R can find DATA frames for itself by only x comparisons, where x is the number of its communication pairs. As compared to conventional approaches without addresses protection, which needs one comparison, the overhead is negligible because string comparison is very fast.

The address in Sec-ARQ is a keyed hash result of address with cumulated checksum as key. Different from ACS, Sec-ARQ provides anonymous address through cumulated checksum. As cumulated checksum is updated on success transmission, the hashed results addresses are also changed, creating a dynamic address. With dynamic address, only R and S know the anticipated address of the next frame. To the adversaries, as hsc and hrc are unknown to them, they cannot trace the address of S and R. Without these addresses, it is impossible to deduce traffic pattern, network topology, or even how many terminals in the network, rendering traffic analysis attack impossible. Moreover, the adversaries cannot identify the communication pair with dynamic addresses, rendering eavesdropping and following brute-force even more difficult.

4.6. Formal Description of Sec-ARQ

See Algorithm 1.

Algorithm 1

Sender:

On initialization:

$h s c \leftarrow 0 \times 0$ ;

$s e q \leftarrow 0$ ;

$s a d d r \leftarrow$ local address;

On have packet to be sent:

$I V \leftarrow$ random number;

$h s h \leftarrow h_{1} (h s c, {D A T A}_{n})$ ;

$s r c \leftarrow h_{3} (h s c, s a d d r)$ ;

$d e s t \leftarrow h_{3} (h s c, r a d d r)$ ;

$s e q \leftarrow h_{3} (h s c, s e q ∥ I V$ );

${h s c \leftarrow h}_{2} ({D A T A}_{n}) \oplus h s c$ ;

Send DATA frame without checksum;

Start a timer;

On receive ACK frame:

if $h_{1} (h r c, s a d d r)$ = ACK.dest then

if hsh = ACK.hrh then

seq++; //next frame

else

Retransmit DATA $_{n}$ ;

end;

end if;

On timeout:

Retransmit DATA $_{n}$ ;

Receiver:

On initialization:

$h r c \leftarrow 0 \times 0$ ;

$s e q \leftarrow 0$ ;

$r a d d r \leftarrow$ local address;

On receive DATA $_{n}$ :

if $h_{3} (h r c, r a d d r)$ = DATA.dest then

if DATA.seq = $h_{3} (h r c, s e q + 1)$ then //transmit successfully

$h r c \leftarrow h r t \oplus h r c$

$h r t \leftarrow h_{2} ({D A T A}_{n + 1^{'}})$

$h r h \leftarrow h_{1} (h r c, {D A T A}_{n + 1^{'}})$

Send ACK with hrh;

seq++;

else if DATA.seq = $h_{3} (h r c, s e q ∥ DATA. I V$ ) then

$h r t \leftarrow h_{2} ({D A T A}_{n^{'}})$

$h r h \leftarrow h_{1} (h r c, {D A T A}_{n^{'}})$

Send ACK with hrh;

end if;

5. Performance Analysis and Evaluation

Because protocols at data link layer are low level protocol, efficiency is among the most important design considerations. Two different checksum functions are used in Sec-ARQ, $h_{1} (\cdot)$ , and $h_{2} (\cdot)$ . Firstly, results of $h_{1} (\cdot)$ are hidden checksum, sequence number, and addresses. All this information has been transmitted in frames. Selection of the checksum functions is a tradeoff between performance and security level. As this information is transmitted in frames, they can be captured by adversary and cracked through brute-force attacks. Therefore, selection of $h_{1} (\cdot)$ and its parameters are focused on security. $h_{1} (\cdot)$ takes two parameters, the cumulated checksum and the DATA frame. Message authentication functions can be adopted for $h_{1} (\cdot)$ . Taking the cumulated checksum as the key, the resulting message authentication code can be used for integration check, protected sequence number, and protected addresses. For performance consideration, efficient MAC functions such as UMAC/32 [19] can be used for $h_{1} (\cdot)$ . Secondly, $h_{2} (\cdot)$ is used to calculate the checksum of the DATA frame. Different from conventional approaches, the checksum is used to further calculate the cumulated checksum. Cumulated checksum is used as key to protect hidden checksum, sequence number, and addresses. But it is never transmitted. According to the characteristics of MAC function, the computation complexity of brute-force attacks on MAC key is $2^{k}$ , where k is the length of the key. Long key improves security. Therefore, the hashed results of $h_{2} (\cdot)$ should be long enough to defend against brute-force attacks. Tiger/192 [20] is a good option because it is almost as fast as CRC-32, and the width of the output is 192 bits. In Sec-ARQ, the transmitter uses $h_{1} (\cdot)$ five times and $h_{2} (\cdot)$ one time. The receiver uses $h_{1} (\cdot)$ three times and $h_{2} (\cdot)$ one time. UMAC/32 is used for $h_{1} (\cdot)$ and Tiger/192 is used for $h_{2} (\cdot)$ in Sec-ARQ. According to the performance of hash functions [21, 22], the performance of UMAC/32 is 1 cycle per byte and the performance of Tiger/192 is 8.1 cycle per byte. Therefore, the transmitter requires 13.1 cycles per byte, and the receiver requires 11.1 cycles per byte. As compared to traditional CRC-32, which requires 6.9 cycles per byte, the overhead is 13.1/6.9 = 1.93 and 11.1/6.9 = 1.63 for the transmitter and receiver, respectively. Note that Sec-ARQ is a complimentary strategy to conventional encryption. Therefore, we compare the performance of WPA2 with Sec-ARQ and without Sec-ARQ. WPA2 used AES/CCM for both authentication and confidentiality. The performance is AES/CCM, 28.6 cycles per byte. Accounting for the budget for CRC-32, WPA2 requires at least 35.5 cycles per byte for both transmitter and receiver. As hash operations are required by Sec-ARQ, WPA2 with Sec-ARQ takes additional 6.2 cycles per byte and 4.2 cycle per byte for transmitter and receiver respectively. Only about 17% and 12% additional computation complexity are introduced by Sec-ARQ.

Sec-ARQ protects checksum by cumulated checksum, which is shared by the sender and receiver only. This is based on the facts that checksum is the only way to verify that the frame is correct. But someone may worry that the received signal strength may be used for another indication of frame error. Apparently, it is easy for adversaries to get received signal strength (RSS) for DATA frames. If packet error can be detected by RSS, Sec-ARQ will be bypassed, and the adversaries can drop error frames without checksum. As we know, the main reasons for frame error are weak signal and collisions [23]. First, the error frames introduced by collisions are irrelevant to RSS. Frames may be corrupted because of collision even if the RSS is pretty strong. And further, previous researches show that CSMA/CA based MAC protocols such as 802.11 cannot eliminate hidden terminal problem. Collisions introduced by hidden terminal problem are the main source for error frames in high densely deployed wireless network. Secondly, there are not established relations between RSS and error frame even if frame error is introduced by weak signals. Without checksum, the adversaries cannot confirm that the frame captured is error only by RSS. To validate the irrelevance between RSS and frame error, the first simulations is conducted.

Glomosim [24] is used for the simulations. As shown in Figure 8, two APs are deployed in the network, and 4 clients are associated with them, respectively. As WLAN are densely deployed, this is a simplified network. The build-in 802.11 of Glomosim is used for the simulation. Constant Bit Rate (CBR) model is used for the upper layer traffics. By adjusting the distance between APs, and APs to clients, several simulations are conducted. The results are shown in Figure 9.

Figure 8

Simulation topology.

Figure 9

Relation between signal strength and PER.

The simulations are configured for three payload sizes, which means different frame size. Short frame results in low packet error rate but cannot eliminate it. When the RSS is pretty strong (such as −40 dBm), the frame error rate remains not less than 2.1% because of collisions. We have conducted simulations with more nodes in the network, and the results reveal that more nodes in the network lead to greater frame collision rate. Simulation results show that error frame cannot be avoided even if the adversaries have very strong RSS.

Sec-ARQ is implemented in Glomosim. The adversaries lose information about the checksum if a single frame is corrupted. The time from the beginning of the transmission to the first error frame (we call loss sync time) is an important metric for Sec-ARQ. During loss sync time, the adversaries can trace checksum by checking DATA frame and ACK frame. That is, they can eavesdrop DATA from S and ACK frame from ACK. If no frame errors occur, they can validate DATA frame just like S do. Shorter loss sync time means less information lost. Simulations are conducted to measure loss sync time in the topology used in previous simulation, except that an adversary is included. The adversary is placed much closer to the AP to capture DATA frames from AP to its clients. The results are shown in Figure 10.

Figure 10

Mean time for first error frame.

Simulations results show loss sync time within 1.2 s irrespective of the frame size. Further analyses on the trace file of the simulation show that frame error are mainly introduced by collisions. As the adversary is placed much closer to the sender, there are less error frames introduced by weak signals. Note that Sec-ARQ is designed to protect conventional security schemes such as WPA2 from being brute-force attacked. Such brute-force attacks are based on key frames such as four-way handshakes for WPA2. Therefore, the transmitter can send information without key frames to protect information during loss sync time.

6. Conclusion

Sec-ARQ solves open channel problem at data link layer, which implies that no hardware modification is necessary. As wireless devices are widely used, this is particularly important. Sec-ARQ requires checksum calculation only, which is characterized by low computation complexity and easy implementation. Sec-ARQ cannot achieve wireless security alone; it is used to prevent other security schemes such as WPA2 from being brute-force attacked. Simulation results show that Sec-ARQ can improve wireless security by defending against passive attacks through cumulated checksum.

Footnotes

Competing Interests

The author declares that he has no competing interests.

References

Miller

S. K.

Facing the challenge of wireless security

Computer 2001 34 7 16 18

10.1109/2.933495

2-s2.0-0035395659

Lashkari

A. H.

Danesh

M. M. S.

Samadi

A survey on wireless security protocols (WEP, WPA and WPA2/802.11i)

Proceedings of the 2nd IEEE International Conference on Computer Science and Information Technology (ICCSIT '09)

August 2009

Beijing, China

IEEE

48 52

10.1109/iccsit.2009.5234856

2-s2.0-70449123717

Wolfe

Vulnerability of wireless network security due to parallelized brute force attacks

Proceedings of the 12th Winona Computer Science Undergraduate Research Symposium

April 2012

Winona, Minn, USA

Tague

Slater

Rogers

Poovendran

Evaluating the vulnerability of network traffic using joint security and routing analysis

IEEE Transactions on Dependable and Secure Computing 2009 6 2 111 123

10.1109/TDSC.2008.60

2-s2.0-67649198136

Mehta

Liu

Wright

Protecting location privacy in sensor networks against a global eavesdropper

IEEE Transactions on Mobile Computing 2012 11 2 320 336

10.1109/TMC.2011.32

2-s2.0-84555189295

Florencio

Herley

A large-scale study of web password habits

Proceedings of the 16th International World Wide Web Conference (WWW '07)

May 2007

Banff, Canada

657 666

10.1145/1242572.1242661

2-s2.0-35348884906

Fan

Jiang

Zhu

Chen

Shen

X. S.

Network coding based privacy preservation against traffic analysis in multi-hop wireless networks

IEEE Transactions on Wireless Communications 2011 10 3 834 843

10.1109/twc.2011.122010.100087

2-s2.0-79952992733

Claveirole

Dias De Amorim

Abdalla

Viniotis

Securing wireless sensor networks against aggregator compromises

IEEE Communications Magazine 2008 46 4 134 141

10.1109/MCOM.2008.4481352

2-s2.0-42649115167

Mahmoud

M. M. E. A.

Shen

A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks

IEEE Transactions on Parallel and Distributed Systems 2012 23 10 1805 1818

10.1109/TPDS.2011.302

2-s2.0-84865699114

10.

Liu

K. J. R.

Defense against injecting traffic attacks in wireless mobile ad-hoc networks

IEEE Transactions on Information Forensics and Security 2007 2 2 227 239

10.1109/tifs.2007.897269

2-s2.0-34249336750

11.

Deng

Han

Mishra

Decorrelating wireless sensor network traffic to inhibit traffic analysis attacks

Pervasive and Mobile Computing 2006 2 2 159 186

10.1016/j.pmcj.2005.12.003

2-s2.0-32644437991

12.

Deng

Han

Mishra

Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks

Proceedings of the International Conference on Dependable Systems and Networks

June-July 2004

Florence, Italy

637 646

2-s2.0-4544298056

13.

Deng

Han

Mishra

Countermeasures against traffic analysis attacks in wireless sensor networks

Proceedings of 1st the International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM '05)

September 2005

IEEE

113 126

10.1109/securecomm.2005.16

2-s2.0-33847297141

14.

Luo

Park

M.-S.

Location privacy against traffic analysis attacks in wireless sensor networks

Proceedings of the International Conference in Information Science and Applications (ICISA '10)

April 2010

10.1109/icisa.2010.5480564

2-s2.0-77954429311

15.

Sperandio

Flikkema

P. G.

Wireless physical-layer security via transmit precoding over dispersive channels: optimum linear eavesdropping

Proceedings of the IEEE Military Communications Conference (MILCOM '02)

October 2002

Anaheim, Calif, USA

1113 1117

10.1109/MILCOM.2002.1179633

16.

Gollakota

Katabi

Physical layer wireless security made fast and channel independent

Proceedings of the IEEE INFOCOM

April 2011

Shanghai, China

1125 1133

10.1109/INFCOM.2011.5934889

17.

Crainicu

Sobh

Elleithy

Mahmood

Karim

M. A.

Wireless LAN security mechanisms at the enterprise and home level

Novel Algorithms and Techniques in Telecommunications, Automation and Industrial Electronics 2008

Springer Netherlands

306 310

18.

Gerla

Bae

How effective is the IEEE 802.11 RTS/CTS handshake in ad hoc networks?

Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM '02)

November 2002

72 76

2-s2.0-0036969998

19.

Black

Halevi

Krawczyk

Krovetz

Rogaway

Wiener

UMAC: fast and secure message authentication

Advances in Cryptology—CRYPTO '99 1999 1666

Berlin, Germany

Springer

216 233 Lecture Notes in Computer Science

10.1007/3-540-48405-1_14

20.

Anderson

Biham

Gollmann

Tiger: a fast new hash function

Fast Software Encryption 1996

Berlin, Germany

Springer

89 97

21.

Dai

Speed Comparison of Popular Crypto Algorithms 2004 5

Crypto++ Library

22.

Ted

UMAC: Message Authentication Code Using Universal Hashing 2006 https://tools.ietf.org/html/rfc4418

23.

Rayanchu

Mishra

Agrawal

Saha

Banerjee

Diagnosing wireless packet losses in 802.11: separating collision from weak signal

Proceedings of the 27th IEEE Conference on Computer Communications (INFOCOM '08)

April 2008

Phoenix, Ariz, USA

1409 1417

10.1109/infocom.2007.124

2-s2.0-50649083129

24.

Zeng

Bagrodia

Gerla

GloMoSim: a library for parallel simulation of large-scale wireless networks

Proceedings of the 12th Workshop on Parallel and Distributed Simulation (PADS '98)

May 1998

Banff, Canada

154 161

10.1109/PADS.1998.685281

Cumulated Checksum and Dynamic Addresses for Secure Wireless Sensor Networks

Abstract

1. Introduction

2. Related Work

3. Attack Model and Introduction of ARQ

4. Description of Sec-ARQ

4.1. Basic Idea

4.2. Checksum Protection

4.3. Defend Brute-Force Attacks against Cumulated Checksum

4.4. Last Frame Problem in Sec-ARQ

4.5. Dynamic Addresses in Sec-ARQ

4.6. Formal Description of Sec-ARQ

Algorithm 1

5. Performance Analysis and Evaluation

6. Conclusion

Footnotes

Competing Interests

References