
Chapter 2 - Related work

2.2 Cryptography and Data Encryption

2.2.2 Advanced Encryption Standard

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established in 2001 [11]. It is based on the Rijndael [6] cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal that was evaluated by NIST during the AES selection process. In other words, the AES standard is a variant of Rijndael under the restriction that the block size is 128 bits, using a cipher key with a length of 128, 192, or 256 bits. AES is now available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA-approved cryptographic module.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state.

Most AES calculations are done in a special Galois field, GF(2^8). Different key sizes lead to different numbers of transformation rounds that convert the plaintext into the ciphertext: 128-AES, 192-AES, and 256-AES need 10, 12, and 14 cycles of repetition respectively. Each cycle contains several processing stages, each consisting of four steps, such as SubBytes, ShiftRows, MixColumns, and AddRoundKey.

2.2.3 CCMP

CCMP is an encryption protocol designed for WLAN products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard [12]. CCMP is based on the AES encryption algorithm, using the Counter (CTR) mode with CBC-MAC mode of operation, and is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality. It was created to address the flaws shown in WEP.

CCM also requires a unique nonce value for each frame protected by a given temporal key (TK), and CCMP uses a 48-bit packet number (PN) for this purpose. Reuse of a PN with the same TK makes the mechanism insecure. CCMP contains two major parts, MIC computation and CTR-mode encryption, for authentication and data confidentiality respectively. Therefore, each message block requires two block cipher encryption operations.

In hardware, for large packets, the speed achievable for CCM is roughly the same as that achievable with the CBC encryption mode. Both the CCM encryption and CCM decryption operations require only the block cipher encryption function. In AES, the encryption and decryption algorithms have some significant differences. Thus, using only the encrypt operation can lead to a significant savings in code size or hardware size.


Fig. 4 CCMP MIC Calculation


Fig. 5 CCMP CTR-mode Encryption


Chapter 3 - Proposed Algorithm

3.1 Aggregated Hybrid-ARQ

Among the causal ARQ protocols, Stop-and-Wait (SW), Go-back-N (GBN) and Selective Repeat (SR), the most efficient is SR. SR avoids unnecessary retransmissions by having the sender retransmit only those packets that it suspects were received in error. However, some factors in telecommunication, such as burst errors due to fading and large latency, are not taken into account.

For SR-ARQ, we need to retransmit the whole packet whenever it cannot be recovered by the channel code (such as Hamming, Reed-Solomon or turbo code). This wastes much of the valid information we have already sent. Aggregated Hybrid-ARQ (AH-ARQ) divides the packet into several blocks, each with a light overhead hb, which contains Forward Error Correction code (FEC), Cyclic Redundancy Check (CRC) and some identical patterns (ID), and adds an addressing overhead, ho (such as IP header, PLCP), for the whole packet.


Fig. 6 AH-ARQ packet format

Over a noisy fading channel, some blocks may be corrupted more severely than others. More corruption leads to a higher probability of having error bits. When a packet that has been recovered by the correction code does not pass the CRC check, only those blocks which cannot be recovered are selected for retransmission instead of the whole packet.

Fig. 7 Block corruption with AH-ARQ in noisy channel


Based on RS code, those blocks corrupted contain more than θ error symbols and SER represents the symbol error rate of a RS symbol defined in GF(2^n), i.e., SER = 1 - (1 - Pe)^n where Pe is the bit error rate. Therefore,

Be

k , the block error probability after decoding with block length, can be illustrated as following :

1

Assume that we divide a data frame with length L into K blocks. R and TCSMA are the transmitting rate and the expected time of latency for CSMA. The expected transmitting time of AH-ARQ is:


where PK(i) represents the probability that the i-th retransmission contains at least one error block, since there are K blocks to be transmitted in the beginning, and PK(0) = 1 is the boundary condition. PK(i) can be considered as the summation of PK(i,j), the probability that the i-th retransmission contains j error block(s) when transmitting K blocks, for 0 < j ≦ K, and can be formulated as:

1

where Pjt is the state probability that there is j error block(s) left after transmitting t block(s). The two-dimensional Markov chain model can be adopted as the baseline model to analyze this model.

and the transition probability Pjt can be calculated as

(1 ) ,

Now, we can estimate EK, where EK is the expected number of the transmitted packet which contains K RS blocks.


Combining (3.2) and (3.6), the expected transmitting time with K blocks can be obtained as

Therefore, the efficiency for AH-ARQ is shown below:

( )

CCMP is the replacement encryption protocol used in WPA2, providing much more security than the WEP protocol and the TKIP protocol of WPA. This protocol supports two main security services: data confidentiality and authentication.

Data confidentiality is guaranteed by using the encryption part of AES and the XOR operator. All data blocks can be decrypted independently because all the cipher blocks are constructed in CTR (Counter) mode. On the other hand, CBC-MAC is applied for authentication in CCMP. Every data block needed for generating the MIC (Message Integrity Check) depends on all preceding block(s) of the packet. Therefore, it is impossible to calculate any part of the MIC before all data blocks are received.

In order to decrease the time consumption, we have modified some parts of the CBC-MAC into FCBC-MAC (Fragment-CBC-MAC). The main difference is that we divide a long CBC chain into several shorter ones. Each chain Ci runs the CBC-MAC protocol and computes its result, MICi, and the final checksum, MIC, is the XOR of all MICi.

Assume that the MIC is used to authenticate LB data blocks, we divide the chain into several groups, G1 ... Gp, which are disjoint sets and whose union is the whole LB blocks. The formula can be illustrated below:

1


propose and will be stated in the next two sections.

The main benefit is that we can compute part of the MIC before all the messages are received or decoded successfully. The penalty of this architecture is security, because of the shorter CBC block chain length. We replace some AES operations with the faster and commutative XOR operator for higher efficiency. Because the XOR operator is used, the calculation of the MICi values can be executed out of sequence. Therefore, we can first calculate those MICi whose required elements have all been received, even if some groups are not completely received.

In Chapter 3.3, each group is defined as all the encrypted blocks in an RS block, so we use this configuration to explain the replay attack scenarios and their corresponding solutions in Chapter 3.2.1 and 3.2.2.

3.2.1 Replay Attack in different packets in FCCMP

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. The common solutions are one-time key/password or timestamp. In CCMP architecture, PN (packet number), which is a 6-byte field, incorporated into the encryption and MIC calculations, provides replay protection.

Because we separate the CBC-MAC into several fragments, each MICi must be generated including the PN information. Otherwise, there will be a security vulnerability: simple replacement of some RS blocks with blocks obtained from packets transmitted before. For example, if there is a packet which contains N RS blocks, RS1 ... RSN, the adversary can insert even block, RSK*, from another packet. The new MIC value will then be the same as the original one.

Fig. 9 Replay Attack in Different Packets

Therefore, we can construct the IV with the PN:

$IV = AES(AES(AES(MIC\_IV) \oplus MIC\_HEADER_1) \oplus MIC\_HEADER_2)$ (3.13)

where MIC_IV includes the PN information (Fig. 4 CCMP MIC Calculation).

3.2.2 Replay Attack in the same packets in FCCMP

Because retransmission occurs when errors are detected, a replay attack can also be applied within one packet. The adversary can transmit the packet with RS blocks in an incorrect sequence or more than once.


Fig. 10 Replay Attack in the Same Packet - Type(A)

Fig. 11 Replay Attack in the Same Packet - Type(B)

For the situation stated in Fig. 10, the adversary swaps the position of two RS blocks, RS2 and RSK, and the MIC is identical to the original result.

Section 3.2.1. The adversary retransmits one of the RS blocks X more times, where X is even, and then the information is different but the MIC is exactly the same.

 


To prevent these two problems, we should make every RS block's checksum, MICi, depend on its own sequence number.

( )

IV

i

AES IVi

(3.16)
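The reordering and repetition problems of Sections 3.2.1 and 3.2.2 follow from XOR being commutative and self-cancelling, which the sketch below reproduces on a simplified FCBC-MAC (no header blocks); it is an added example, not code from the thesis. Truncated HMAC-SHA256 stands in for the AES block encryption, and the PN padding, the IV_i derivation, the key and the payloads are all constructed assumptions.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def E(key, block):
    # Stand-in for AES encryption of one block (NOT AES): truncated HMAC-SHA256.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, iv, data):
    # Plain CBC-MAC chain over 16-byte blocks, starting from chaining value iv.
    state = iv
    for off in range(0, len(data), BLOCK):
        state = E(key, xor(state, data[off:off + BLOCK]))
    return state

def packet_iv(key, pn):
    # Assumed layout: 48-bit PN left-padded with zeros to one block, then encrypted.
    return E(key, pn.to_bytes(6, "big").rjust(BLOCK, b"\x00"))

def fragment_iv(key, iv, i):
    # Assumed derivation of IV_i from the packet IV and the group's sequence number i.
    return E(key, xor(iv, i.to_bytes(BLOCK, "big")))

def fcbc_mac(key, pn, groups, bind_pn=True, bind_index=True):
    # MIC = XOR of the per-group CBC-MACs (MIC_i); the flags toggle the two bindings.
    iv = packet_iv(key, pn) if bind_pn else bytes(BLOCK)
    mic = bytes(BLOCK)
    for i, group in enumerate(groups, start=1):
        iv_i = fragment_iv(key, iv, i) if bind_index else iv
        mic = xor(mic, cbc_mac(key, iv_i, group))
    return mic

def forgery_accepted(original, tampered, pn_orig=1, pn_tampered=1, **binding):
    # True if the tampered packet yields the MIC computed for the original one.
    key = b"constructed-tk16"  # constructed temporal key, for illustration only
    return (fcbc_mac(key, pn_orig, original, **binding)
            == fcbc_mac(key, pn_tampered, tampered, **binding))

# Constructed sample groups: three RS-block payloads of two 16-byte blocks each.
g1, g2, g3 = (bytes([n]) * 32 for n in (1, 2, 3))
foreign = bytes([9]) * 32  # constructed group standing for one from an earlier packet
packet = [g1, g2, g3]
CASES = {
    "groups swapped (Fig. 10)": [g3, g2, g1],
    "group repeated two more times (Fig. 11)": [g1, g2, g2, g2, g3],
    "foreign group inserted twice": [g1, foreign, foreign, g2, g3],
}

def run(**binding):
    # Map each tampering case to whether the receiver would accept it.
    return {name: forgery_accepted(packet, t, **binding) for name, t in CASES.items()}

if __name__ == "__main__":
    print("no sequence binding:", run(bind_index=False))
    print("with IV_i          :", run(bind_index=True))
    print("same data, new PN, PN not in MIC:",
          forgery_accepted(packet, packet, 1, 2, bind_pn=False))
    print("same data, new PN, PN in MIC    :",
          forgery_accepted(packet, packet, 1, 2, bind_pn=True))
```

Without the per-group IV every tampered packet is accepted; with it, all three are rejected, and binding the PN separately prevents a MIC from remaining valid under a different packet number.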

3.2.3 FCCMP Algorithm

From what has been mentioned above, we can depict the MIC calculation process in the next three figures and the encryption process is the same as original CCMP process.

Fig. 12 IVi calculation

Fig. 13 MICi calculation


Fig. 14 Fragment-CBC-MAC

3.3 AH-ARQ with FCCMP

Typically, the plaintext of an encrypted packet is obtained in the following two phases. First, receive all the packet(s) and ensure that there are no errors after error correction. Second, decrypt the ciphertext into plaintext and check whether the packet is authenticated. Therefore, the time for the receiver to obtain a packet successfully is:

$T_{total} = T_{AH} + K \cdot T_{dec}$ (3.17)

where K is the number of RS block in a packet, Tdec is the decryption time of a RS block, and TAH is the expected time of AH-ARQ.

But we can reduce the total service time to almost TAH by applying AH-FCCMP. The main idea of this structure is that we do not want to wait until all bytes are received correctly before decrypting the packet. The group, Gi, defined in FCCMP is RSi here in the MPDUs.


Fig. 15 AH-CCMP example

Fig. 16 AH-FCCMP example

Now we can calculate the service time, Ttotal*, with the following formulation:

* *


where Lnum is the expected block number of the last retransmitted packet. Obviously, Ttotal* is less than or equal to Ttotal and there is a high positive correlation between Tdec* and Lnum.

Fig. 17 Lnum under different Be

As the result above shows, Tdec* increases when Be is low, while TAH decreases under the same condition. On the contrary, TAH rises but Tdec* falls when Be is high. Therefore, the growth rate of Ttotal* decreases as Be declines, and Ttotal* is close to TAH when SNR is small.

With the structure illustrated above, we can decrypt some blocks earlier, after the first successful block, and shorten the service time if all RS blocks satisfy the two features below. First, the information payload in each RS block contains at most D encryption blocks, and D must be a positive integer. Therefore, every RS block can be decrypted independently. Second, the redundancy in the RS block should include the FCS. Otherwise, we cannot know whether the block is corrupted until it has been decrypted.

Fig. 18 RS block format in AH-FCCMP

The original RS block in AH-ARQ contains ni bytes information and (4+2θ) bytes redundancy, including CRC-32 and FEC. But because of the first feature stated above, D must be $\lfloor (255 - (4 + 2\theta)) / 16 \rfloor$ bytes. For the RS(255,239) codec, 11 bytes are wasted in each RS block. The solution to this situation is to reduce θ from 8 bytes to 4 bytes, RS(255,247), and enlarge the RS block length. These two cases will be simulated in the next section.


Chapter 4 - Simulation

4.1 System configurations

In this section, the performance of the original AH-ARQ, AH-ARQ with CCMP, and AH-ARQ with FCCMP schemes is validated and compared via simulations. For the simulation, we model the Multi-mode RS-codec chip [5] for the RS codec and the Motorola PowerPC G4 7410, referenced by [15], for (F)CCMP. The other MAC-defined parameters, which are described in the 802.11n standard, are shown in Table 2.

Table. 2 Simulation System Parameters

Parameter Value

Min / Max window size ( Wmin / WMax ) 7/31

Maximum back-off stage ( M ) 5

Maximum Retransmission ( RT ) 25

# of RS blocks in one MPDU ( R ) 16


4.2 Performance comparison under different numbers of MPDUs

In this section, we demonstrate the performance evaluation under different number of aggregated MPDUs within an A-MPDU, i.e., J = 1,10,20. The special case, J = 1, is shown for comparison purpose because it is also the same as the SR-ARQ, which transmits only one MPDU within each transmission. The rest configurations, RS-codec and MCS, are set by RS(255,239) and MCS(16QAM,3/4,180Mbps) respectively.

Fig. 19 Performance comparison among three architectures when J = 1

Fig. 20 Performance comparison among three architectures when J = 10


Fig. 21 Performance comparison among three architectures when J = 20

Fig. 19, Fig. 20, and Fig. 21 show the performance comparison for both throughput and mean service time under different values of J. From these three figures, we notice that the throughput declines when the SNR is lower than 8 and eventually reaches the retransmission threshold when the SNR is 6, due to high Be. The maximum throughput ratio of AH-ARQ to AH-FCCMP is 99.8%, 87.89%, and 86.096% respectively, and the ratio of AH-ARQ to AH-CCMP is 75.79%, 50.13%, and 47.99% respectively. The output rates of AH-ARQ and AH-FCCMP are extremely close, especially when the SNR is low; the reason is shown in Fig. 17 and Eq. (3.17) in Chapter 3. The mean service time of AH-CCMP is the highest in these three figures due to the time spent in the CCMP procedure. In the AH-FCCMP scheme, the mean service time ratio of AH-ARQ decreases from 1.894 to 1.1105, 3.0812 to 1.3153, and 3.2195 to 1.3447 respectively.


Fig. 22 Performance comparison under different value of J with AH-FCCMP scheme

Fig. 22 provides a performance comparison with the SR-ARQ scheme, whose number of MPDUs per packet is one, since frame aggregation can improve channel utilization effectively. More MPDUs in one packet reduce the time consumption through the shared contention phase and PHY header. The maximum throughput enhancement over SR-FCCMP is 97.55% and 107.9% for J = 10 and 20 respectively. However, the mean service time increments are not multiples of the number of MPDUs. In the AH-FCCMP scheme, the mean service time ratios of J = 1 to J = 10 and 20 are 5.896 and 11.382 respectively in the high SNR circumstance. Based on the simulation result, we notice that the performance is close for J = 10 and J = 20, so J is set to 10 in the next two cases.

4.3 Performance comparison under different RS-codec schemes

In this section, we demonstrate the performance evaluation under different RS coding rates. Since the number of AES encrypted payloads must be an integer and the total payload should be lower than the RS information data, the payloads in an MPDU with the AH-ARQ scheme with RS(255,223), RS(255,239), and RS(255,247) are 3300, 3556, and 3812 bytes respectively when the number of RS blocks in one MPDU, R, is 16. Note that the 3556-byte MPDU is computed from $(D \times Block_{AES}) \times R - MAC\_Header = 3556$ bytes, where $D = \lfloor (239 - 4) / 16 \rfloor = 14$, BlockAES = 16 bytes, and MAC_Header = 28 bytes. The remaining configurations, J and MCS, are set to 10 and MCS(16QAM,3/4,180Mbps) respectively.

Fig. 23 Performance comparison among three architectures under RS(255,223)

Fig. 24 Performance comparison among three architectures under RS(255,239)

Fig. 25 Performance comparison among three architectures under RS(255,247)


Fig. 23, Fig. 24, and Fig. 25 show the performance comparison for both throughput and mean service time under different RS codecs. From these three figures, we notice that the throughput under the RS(255,223), RS(255,239), and RS(255,247) FEC codes declines when the SNR is lower than 6, 8, and 10, and eventually reaches the retransmission threshold when the SNR is 4, 6, and 8, due to high Be. The maximum throughput ratio of AH-ARQ to AH-FCCMP is 93.89%, 87.89%, and 85.53% respectively, and the ratio of AH-ARQ to AH-CCMP is 52.061%, 50.13%, and 48.35% respectively. In the AH-FCCMP scheme, the mean service time ratio of AH-ARQ decreases from 2.928 to 1.165, 3.0812 to 1.3153, and 3.233 to 1.467 respectively in the high SNR circumstance.

Fig. 26 Performance comparison under different RS-codec with AH-FCCMP scheme

Fig. 27 Performance comparison under different RS-codec with AH-ARQ scheme


Fig. 26 and Fig. 27 provide a performance comparison across different RS codecs in the AH-ARQ and AH-FCCMP schemes. The maximum throughput of AH-ARQ is 125.36, 135.148, and 144.958 Mbps and the throughput of AH-FCCMP is 117.69, 118.78, and 119.64 Mbps in the three schemes. In the AH-FCCMP scheme, the mean service time ratios of RS(255,239) are 0.886 and 1.115 in the high SNR condition and 0.47 and 1.498 in the low SNR condition for RS(255,223) and RS(255,247) respectively. In addition, the values in the AH-ARQ scheme are 1.0001 and 0.9994 in the high SNR condition and 0.4889 and 1.5596 in the low SNR condition for RS(255,223) and RS(255,247) respectively.

The result shows that larger latency used for error correction leads to higher error tolerance under noisy channel quality but less efficiency when channel quality is good. There is a special case shown in Fig. 26, where the SNR is high but the throughputs are all close to 118 Mbps. This is because of the limited computational speed of the Motorola PowerPC G4 7410. Each received AES-encrypted block needs two AES calculations, used for data confidentiality and authentication respectively, to recover the original information. The chip's computational speeds for AES and CCMP calculation are approximately 265 Mbps and 120 Mbps respectively. When the throughput of AH-ARQ is over 120 Mbps, the system output rate is saturated by the cipher chip's speed. Upgrading the cipher chip is one solution, but the cost of each device will rise. This is a trade-off between throughput and cost.

4.4 Performance comparison under different MCSs

In this section, we demonstrate the performance evaluation under different MCS configurations. With the number of spatial streams set to 2, the MCSs for simulation are MCS(QPSK,1/2,60Mbps), MCS(16QAM,3/4,180Mbps), and MCS(16QAM,3/4,180Mbps) respectively. The remaining configurations, J and RS-codec, are set to 10 and RS(255,239) respectively.

Fig. 28 Performance comparison among three architectures under MCS(QPSK,1/2,60Mbps)

Fig. 29 Performance comparison among three architectures under MCS(16QAM,3/4,180Mbps)

Fig. 30 Performance comparison among three architectures under MCS(64QAM,5/6,300Mbps)


Fig. 28, Fig. 29, and Fig. 30 show the performance comparison for both throughput and mean service time under different MCSs. From these three figures, we notice that the throughput under MCS(QPSK,1/2,60Mbps), MCS(16QAM,3/4,180Mbps), and MCS(16QAM,3/4,180Mbps) declines when the SNR is lower than 5.5, 8, and 12, and eventually reaches the retransmission threshold when the SNR is 2.5, 6, and 6.5, due to high Be. The maximum throughput ratio of AH-ARQ to AH-FCCMP is 99.98%, 87.89%, and 57.73% respectively, and the ratio of AH-ARQ to AH-CCMP is 73.26%, 50.13%, and 39.74% respectively. In the AH-FCCMP scheme, the mean service time ratio of AH-ARQ decreases from 1.749 to 1.0025, 3.0812 to 1.3153, and 4.225 to 2.5834 respectively in the high SNR circumstance.

We notice that the mean service time increases as the SNR rises beyond 10.5, which differs from the other figures shown before. The reason for this rebound is the limitation of the cipher chip's computational speed; the details are stated in Chapter 4.3.

The sender's strategy in the simulation program is to transmit a new packet once the previous packet has been received correctly within AH-ARQ, without taking into account whether it has been fully decrypted by CCMP. Therefore, a higher input rate leads to an earlier initial time, but
