[Cryptography] "Flip Feng Shui: Hammering a Needle in the Software Stack"

Tue Sep 6 14:17:24 EDT 2016

> At 06:14 PM 9/5/2016, dj at deadhat.com wrote:
>>> As layman I happen to know that there is a field in wireless
>>> communications named "physical layer security" which attempts with,
>>> among other means, certain ECCs to achieve information theoretic
>>> security. Could the works there eventually be relevant in the present
>>> context?
>>
>>I've worked on several security protocols, both wired and wireless that
>> are widely used and each time they have been an add on to existing
>> protocols, so there were lots of compromises.
>>
>>It seems each time that if they had decided to do security at the
>> physical layer, it would have been more secure and easier since it would
>> be easy to obfuscate the carried packet sizes, header contents and
>> timing.
>>
>>So if you are contemplating making a new mass market protocol with a
>> physical layer, please include the security protocol people in the
>> physical layer design.
>
> Could you please provide links to any articles about the design of a
> modern, robust wireless physical layer that has resistance not only to
> eavesdropping, but also to intentionally malformed packets, etc. ?
>
> I understand that typical wifi protocols are hopeless, but was curious
> about how one would design protocols that would be more robust.
>
>

Nope. I can't point to such articles. I know of none.

However I have plenty of ideas of my own.
In particular, framed protocols - many generations of cell phone
protocols, 802.16, WirelessUSB etc, where time is split into frames and
transmitters are granted slots within the frame. The downlink from the
base station dictates frame timing. You can consider 802.11 to be a bit
like this, but it's looser.

Go down one level and you find time split into big old OFDM symbols
containing a bunch-o-bits. Say 256.

The protocol over these frames is plaintext. The headers of packets within
slots within these frames is plaintext. The pack contents of the layer
above are encrypted and integrity protected. So there's plenty of scope
for meddling with the physical layer.

Simply by pushing the security protocol down a level and protecting
symbols instead of packets, all that identifying header stuff goes away.
The overhead of IVs and ICVs is not proportional to the inverse of the
packet size which is a problem with mac layer fragments in wireless
protocols - lots of little PDUs each with a 64 bit IV and 128 bit ICV?.

For 802.16 I proposed a scheme where you add IV_PDUs and ICV_PDUs and only
issue them at SDU boundaries. So fragmentation costs are avoided and all
the PDU contents, headers and all, are passed through the AEAD mode. Not
quite physical layer crypto, but it would be easier to do it at the
physical layer.

In other places, DSSS is an obvious model where you can make the spreading
code a secure random sequence. I understand the military like that, but I
don't design weapons and I haven't come across in things I do.

The additional robustness here is the MAC layer protocol is mostly
protected. There is no other magic that I'm aware of.