2014 IEEE Security and Privacy Workshops
Steganography in Long Term Evolution Systems
Iwona Grabska, Krzysztof Szczypiorski Institute of Telecommunications Warsaw University of Technology Warsaw, Poland e-mail: {i.grabska, ksz}@tele.pw.edu.pl
Abstract — This paper contains a description and analysis of a new steganographic method, called LaTEsteg, designed for II. LTE STANDARD LTE (Long Term Evolution) systems. The LaTEsteg uses The presented steganographic system uses the frequency physical layer padding of packets sent over LTE networks. division duplex (FDD) mode of LTE, where downlink and This method allows users to gain additional data transfer that uplink transmission takes place at the same time in a separate is invisible to unauthorized parties that are unaware of hidden frequency channel. Each FDD transmission frame communication. Three important parameters of the LaTESteg (Tframe = 10 ms) consists of two time slots (Tslot = 0.5 ms). In are defined and evaluated: performance, cost and security. the frequency domain such an FDD frame is divided into Keywords – 4G, LTE, Steganographic Algorithm, 15 kHz subcarriers. The maximum number of subcarriers is, Steganographic Channel, Steganography therefore, not a constant value but depends on the width of the available bandwidth ([2], [1]). I. INTRODUCTION AND STATE OF THE ART Every single time slot consists of 7 OFDM (Orthogonal LTE technology is currently enjoying huge popularity in Frequency-Division Multiplexing) symbols with the useful wireless networking and helps in introducing services that duration of 66.7 μs. In the frequency domain, such a slot could not be previously offered in cellular systems like high contains exactly 12 subcarriers with a total width of 180 kHz definition video transmission or VoD (Video on Demand) (12 * 15 kHz). This slot – resource block (RB) – is the basic ([8], [15], [19]). With growing popularity of these services unit for the allocation of the transmitted data. The network and the possibility of very fast wireless transmission, LTE assigns to its users not a single RB unit but a pair of units systems are becoming the perfect carriers for steganography belonging to one subframe. Therefore, NRB as used in this [12]. paper stands for the number of allocated RB pairs, rather There are many proposals for steganographic systems than their total number. designed for different types of networks. Most methods are Depending on the size of resources allocated to the user, based on the most popular and commonly used protocols the base station places data for that user in appropriate RBs. such as TCP/IP (Transmission Control Protocol/Internet Information about the localization of those RBs is sent via Protocol) or VoIP (Voice over Internet Protocol), which can another physical channel so that the user’s receiver is able to be combined with standard networks like WiFi (Wireless locate and read these blocks. The data size that the user can send using the resources Fidelity) [17]. One can observe first proposals of rd steganographic systems dedicated for LTE as can be found in assigned to him is well defined. 3 Generation Partnership [14], where usage of padding was used to develop additional Project (3GPP) standardization documents contain a list of covert channels. However, that steganographic systems available modulation and coding schemes (MCSs). Twenty- where not evaluated well, especially by network simulations. eight out of 31 defined proposals of these schemes are used. The idea of using the padding is also presented in this Each MCS with the index IMCS has an ITBS parameter paper, however, padding-based steganographic system for assigned. That parameter defines the size of a data block that can be sent in the channel – depending on the size of LTE were additionally tested and assessed for performance N and efficiency. The presented system was also implemented resources allocated to the user ( RB). Such a defined data in the simulation environment. block is called a transport block (TB) [3]. The idea of using padding for covert channels was also III. THE PROPOSAL OF LATESTEG presented for other types of wireless networks: WiFi (method called WiPAD) [18] and for WiMAX [13]. During the normal operation of the LTE system, padding Moreover, first implementation of LTE physical layer in fields consist of sequences of zeroes. Immediately after FPGA was presented [11] and gives the opportunity for receiving the frame, these sequences are rejected by the further work to implement presented steganographic system receiver as unnecessary bits without relevant user in the real network and make them evaluated not only in information. The principle of the presented steganographic simulation environment. system is to create a hidden transmission channel by placing an additional amount of information in the padding field – instead of the zeroes.
© 2014, Iwona Grabska. Under license to IEEE. 92 DOI 10.1109/SPW.2014.23 The LTE system is based on packet transmission with the TBSIZE – the size of the TB. It depends on the use of an IP protocol [4]. Each of the IP packets (of a resources assigned to the user and on the currently variable length) that should be delivered to users is properly used MCS (in bytes); formatted in the transmitter of the base station. Each IP Depending on the size LIP of the currently transmitted IP packet is, therefore, processed by the packet data packet, that packet is appropriately formatted so it can be convergence protocol (PDCP) [7], radio link control (RLC) transmitted in the radio channel and delivered to the receiver. [6] and medium access control (MAC) [5] layers, having an If the following condition is satisfied: important impact on the final size of the padding. Estimations of the effectiveness of the presented + ≤͎̼ , (4) steganographic system were based on a number of assumptions: where: the LTE system works in the unacknowledged mode (UM) and acknowledged mode (AM); = + + for ͢ = 1, ͠ = 1, =0, there is no IP header compression in the PDCP layer; fragmentation in the RLC layer is used only when so the length of IP packet with all basic headers added in the total size of the MAC protocol data unit (MAC each layer does not exceed the available TB, then PDU) is larger than the available TB; fragmentation of the IP packet is not needed. concatenation of the RLC service data units (RLC SDU) is used only in cases where adding the whole IP packet IP packet IP packet next SDU unit (without its fragmentation) does not PDCP cause the unit to exceed the available TB size. PDCP PDCP PDCP The scheme of the creation of the TBs in the transmitter, Header Header Header RLC with the padding field marked, is presented in Figures 1 and RLC RLC 2. Header Header In this paper the following designations are used: MAC MAC MAC PAD PAD LIP – the size of the currently transmitted IP packet Header Header (in bytes); PHY LH-PDCP – the size of header added to the PDCP SDU Transport Block Transport Block
in PDCP layer (LH-PDCP = 2 bytes); L H-RLC – the size of the header added in the RLC Figure 1. Construction of the transmitted TBs – using RLC SDU layer: concatenation (source: [8])
2, for = 1 The maximum number of IP packets NMAX that are = 2,5 + 1,5 ∗ , for = {3, 5, 7, … }, (1) 2 + 1,5 ∗ , for = {2, 4, 6, … } included in the given TB equals:
ČĂēþ āĆúü āċąü where k is the number of RLC SDU units included in ͈ =ʴ ʵ, (5) Ăĉͮ āĉýüĉ one RLC PDU unit; L H-MAC – the size of the header added in the MAC where ⌊͒⌋ is the floor of X. layer. It consists of MAC subheaders designed for It is necessary to verify the obtained NMAX value. If the individual MAC SDU units contained in the MAC size of the newly received unit + is equal to ͎̼ : PDU unit and padding field (if there is one):