Beruflich Dokumente
Kultur Dokumente
WAQAS TAHIR
REG ID # 151053
Guidance and Evaluation
2
Committee (GEC)
Dr Liauqat Ali Khan Dr Ammar Masood
Department of Avionics HOD, Department of
Engineering, Institute of Avionics Engg, Institute of
Avionics and Aeronautics Avionics and Aeronautics
(IAA) Air University (IAA) Air University
Bi
ISM Band
directional
LoRa
3~5 Kms Upto 25
Urban KMs Rural
areas areas
50Kbps with
255 bytes
Max
LoRa Network Architecture 5
FRM
DevAddr FCtrl FCnt FOpts F HDR F Port MAC HDR MAC PAYLOAD MIC
PAYLOAD
• All End Devices are deployed with unique 128-bit App key (AppKey)
• The Node sends Join Request message containing following fields
• AppEUI Unique Global application 8 bytes ID that uniquely identifies the
application provider of the end-device
• DevEUI is a globally unique end-device identifier (8 bytes)
• DevNonce is a randomly generated 02 bytes value
CMAC = AES128_cmac(AppKey, MHDR|AppEUI|DevEUI|DevNonce)
MIC = CMAC [0...3] (4 byte)
• CalculateCalculate
& Verify an App
& Verify MIClevel MIC thattomay
of all messages beData
ensure included
Integrityin payload
of Application specific data messages
Encrypt / decrypt Frame Payload field (FRMPayLoad) of App specific data msgs
Over the Air Activation (OTAA) – Join Accept 16
Bytes 3 3 4 1 1 16(optional)
Join Accept AppNonce NetID DevAddr DLSettings RxDelay CFList
OTAA – Join Accept Encryption & MIC 17
Net Srv uses AES decrypt operation in ECB mode to encrypt the JA message
ED use AES Encrypt to decrypt, only implement AES encrypt operation
Over the Air Activation (OTAA) - Completed 18
FPort K FRMPAYLOAD
0 NwkSKey Payload is either empty or contains MAC commands only
• FCntUp
Frames
Frames sent
sent Uplink to Net
Downlink fromServer incremented
Net Server, by theby
incremented end-device
Net Serv
• FCntDown
• After JA completion, Frame counters on both sides reset to 0
• Subsequently FCntUp & FCntDown are incremented at sender side by 1 for
each data frame sent in respective direction & synched at other end
Bytes 1 4 1 4 4 1 1
The direction field (Dir) is 0 for uplink frames and 1 for downlink frames
• ABP differs from OTAA , In ABP mode the End Devices are shipped
with
• Unique Device address (DevAddr)
• Keys stored in ED & Net Serv for life time without being updated
• In ABP mode, the session keys are permanent keys
• In OTAA mode, Session keys generated from permanent AppKey
Single Root Key & App Key Info 26
• A trust relationship is assumed to exist between Net Serv & App Serv
• Net Serv has root AppKey which further generates session keys, contents of App
specific data is accessible to Net Server
• Beacon contain following information for Class-B type LoRa WAN devices
• Net ID For identification of Gateway for the nodes
• Time In seconds from 00:00 , 01 Jan, 1970
• GW Specific Gateway Specific GPS Coordinates
• Beacon pld is transmitted in plain without any signatures or encryption
• The attacker can use information to locate the gateway for any malicious attempt
i.e Jamming, Physical access, traffic analysis, Replay attacks etc
• Transmit fake beacon De-synch, opening of receive windows, battery exhaustion
• Incorrect / Inconsistent information about device location
Implementation of AES in ECB Mode with 32
Stream Cipher – Known Plain Text Attack
• LoRaWAN implements Confidentiality through AES in CTR mode
• Upon device reset, the counters also reset
• With same key, the block cipher will recreate exactly same key material
• Two messages P1 and P2 encrypted under the same keystream
P1 ⊕ K = C1, P2 ⊕ K = C2
• Adversary can eliminate Secret key or Recover key if part of PT is known
C1 ⊕ C2 = (P1 ⊕ K) ⊕ (P2 ⊕ K)
= P1 ⊕ P2 ⊕ (K ⊕ K)
= P1 ⊕ P2 or
P1 ⊕ C1 = K
Misc Issues 33
• Dev Nonce is sent in plain in JR msg, can be replayed again later stage
• In Case JR is received with old nonce value then either
Dev Nonce stored by Net
• Rejected, Net Serv waits for other JR or ED is permanently blocked Serv to avoid Replay attack
• LoRa specification does not specify
fj = Number of valid Join procedures / node / day Time duration
Number forNonce
of Dev which
DevNonce stored
stored by by NS
Net Serv
ND = Number of previously used device nonce stored by NetSrv
Tr = Time in days the attacker waits to perform replay attack
• Objective of attacker, send a previously captured JR with a DevNonce not
yet stored by Net Serv
Tr [days] = ND / fj ideally we want Tr to be max by increasing ND
OTAA Joint Request Problem 35
• The App Nonce value generated and sent by the Net Srv is not
stored by the End device and is discarded after calculating
Session keys
• Any old recorded message if replayed against a valid JR can lead
to calculation of incorrect session keys, Net ID & Dev Address
• No parameter to confirm JA message freshness
• ED specific AES 128 bit two root keys introduced instead of single key for
OTAA type devices
• App Serv & Net Serv segregated & treated as separate entities
• Join Server introduced to handle Join Requests only
LoRaWAN v1.1 Modified Join Procedure 40
• Net Session Enc Key, to encrypt / decrypt MAC commands (CCM Counter with CBC-MAC)
N2
N1
NNN111 NN222
N
RSSI
RSSI
RSSI RSSI
RSSI
RSSI
-10
-10
-10 -6
-10
-6
Modified Model 63
N2
N1
NN
1N11 NNN
222
RSSI
RSSI
RSSI RSSI
RSSI
RSSI
-10,-10
-10-10 -10
-6,-12
-6
Node Profiling for Detection of Replay & IBAs in
LoRaWAN using Signal Footprint
Simulation of LoRa Network Environment 65
(4 𝝅 d)2
Pr (dBm) = 10 Log 10 (Pr in watts)
Pr = Received Power ; RSSI in Watt
Pt = Transmitted Power ; 0.1 Watt
Gt = Gain of Transmitting antenna ; assumed 1
Gr = Gain of Receiving antenna ; assumed 1
d = Distance between Node and Gateway
Simulation of LoRa Network Environment – 67
Signal Propagation Modelling
• Empirical path loss HATA model for large cities, in a more realistic
and complex signal environment
PL (dB) = [69.55 + 26.16 Log10 (f) − 13.82 Log10 (ht) –A (hr) + {44.9 −
6.55 Log10 (ht)} Log10 (d)]
• A (hr) = Correction factor for antenna height based on the size of the
coverage area. For larger cities and f > 300 MHz, it is computed as
A (hr) = 3.2 (Log10 (11.75 hr))2 − 4.97 dB
Pr (dBm) (RSSI) = PTr - PL (dB)
ht = Height of transmitter antenna, 100m assumed
hr = Height of receiver antenna, 5m assumed
Simulation of LoRa Network Environment 68
72
Friis Model Case 2, R1
73
Friis Model Case 2, R2
74
Friis Model Case 2, R3
75
Friis Model Case 2, R4
76
Friis Model Case 2, R5
77
Hata Model Case 1
78
Hata Model Case 2, R1
79
Hata Model Case 2, R2
80
Hata Model Case 2, R3
81
Hata Model Case 2, R4
82
Hata Model Case 2, R5
83
Hata Model Case 1 – Special Case
84
Experimental Analysis & Application 85
• Eef van Es, Harald Vranken, Arjen Hommersom, Open University of the Netherlands,
Heerlen, 13th International Conference on Availability, Reliability and Security 2018,
“The Netherlands “Denial of Service Attack on LoRaWAN”.
• Ismail Butun, Nuno Pereira, Mikael Gidlund, Information Systems and Technology, Mid
Sweden University, Sweden, Security Risk Analysis of LoRaWAN and Future Directions,
MDPI Journal, 21 December 2018
• Stefano Tomasin, Simone Zulian, Lorenzo Vangelista, “Security Analysis of LoRaWAN
Join Procedure for the Internet of Things Networks”, IEEE Wireless Communications
and Networking Conference Workshops, 2017
• Ahmad Raza Cheema, Malek Alsmadi, Salama Ikki, Department of Electrical
Engineering, Faculty of Engineering, Lakehead University, Thunder Bay, Ontario,
Canada, Survey of Identity-based Attacks Detection Techniques in Wireless Networks
Using Received Signal Strength, 2018 IEEE Canadian Conference on Electrical &
Computer Engineering
References 89
Used to reset a device context including all radio parameters (devAddr, session keys, frame
0
counters, radio parameters)
Equivalent to the initial Join-Request message. Used to restore a lost session context (Example,
1
Network Server has lost the session keys and cannot associate the device to a JoinServer)
Used to rekey a device or change its DevAddr (DevAddr, session keys, frame counters). Radio
2
parameters are kept unchanged, can only be transmitted following a ForceRejoinReq MAC command
LoRaWAN 1.1 Re-Join Request Type – 0, 2 99
MIC = cmac[0..3]
• The Network Server may or may not respond with the Join Accept
message
LoRa 1.1 Encrypt for MAC Commands in FOpts 101
• Key K is a function of FPort value for both Uplink & Downlink frames
If FPort = 0 then K = NwkSEncKey Contains MAC commands only as payload
for i = 1…...k
with k = ceil ( len (pld) / 16)
The blocks Ai are encrypted to get a sequence S of blocks Si:
Si = AES 128_encrypt (K, Ai)
S = S1 | S2 | ….. | Sk
• Encrypt / Decrypt by truncating (pld | pad16) XOR S to the first length (pld)
octets
LoRa 1.1 MIC Calculation for Frame Payload 104
• For MIC of Uplink Frames, LoRaWAN 1.1 defines two blocks Bo & B1
1 4 1 4 4 1 1
Bo
0x 49 0x0000 Dir = 0x00 Dev Addr FCnt Up 0x00 Len (msg)
1 2 1 1 1 4 4 1 1
B1
0x 49 ConfFCnt TxDr TxCh Dir = 0x00 Dev Addr FCnt Up 0x00 Len(msg)
TxDr = D/rate for Trx & TxCh = Channel Index for Trx
If Net Srvr is Lora 1.1 & ACK bit of D/link Frame = 1 (ACK of last Uplink confirmed frame)
ConfFCnt = | FCnt | mod 216 else Conf FCnt = 0 x 0000
CMAC S = AES 128_cmac (SNwkSIntKey, B1 | msg)
CMAC F = AES 128_cmac (FNwkSIntKey, Bo | msg)
MIC = cmac S [0..1] | cmac F [0..1]
If the device is connected to a LoRaWAN 1.0 Net Srvr then MIC = cmac F [0..3]
Replay Attack through Selective Jamming JRs 106