Cryptographic CDMA code hopping (CH-CDMA) for signal security and anti-jamming Frank Hermanns Deutsches Zentrum fur¨ Luft- und Raumfahrt (DLR), German Aerospace Center Institute for Communications and Navigation, D-82234 Weßling, Germany and University of Armed Forces, Neubiberg b. Munchen,¨ Institute of Information Technology Email: [email protected] INTRODUCTION Today, military and commercial Spread Spectrum and CDMA transmission systems argue with security on the physical layer based on the secrecy of the seed values of static secure (and insecure) pseudorandom noise generators (PRNG). This should prevent eavesdropping and jamming [1, 2]. Confidentiality, data integrity and authenticity are usually realized in higher protocol layers [3]. Nevertheless, physical layer security is a valuable component of a high-end system security. Relying on one security layer alone is dangerous, because vulnerabilities are constantly discovered, compromising the overall system security (GSM, WLAN ...) [4]. With additional physical layer security measures, attacks on the upper security layers will be much more difficult. Furthermore, some security elements can only be realized on the physical layer (anti-jamming and low-detectability). Especially CDMA systems have a great potential to evolve their security strength with modifications proposed in this paper. According to [5], conventional LFSR long spreading-code generators are highly vulnerable (m-sequence linear feedback shift registers). The hidden 42 bit LFSR mask value of IS-95 can be reconstructed just by eavesdropping about 1 second of traffic. Better nonlinear generators (NLFG) are threatened by conditional correlation attacks [6]. Even when using highly secure PRNG based on good cryptographic generators, one could steal a communication device, read out the PRNG seed values and thus compromise the system security. Knowing the PRNG seed value, all the spreading factor security gain is lost. The attacker then can decode the signal just as the legitimate user. Jamming is most effective, if the attacker can exactly imitate the CDMA signal of a legitimate user. Far less jamming power is needed then, compared to broad- band jamming, the classical brute-force alternative. On the other side, repeat-back and partial band jamming is not very effective for spread spectrum with long scrambling codes. This paper proposes a new approach with dynamic spread spectrum sequences. These are not completely dependent on deterministic pseudorandom sequences any more, but are fed by true random generators as entropy sources. The following section presents the idea of the new code-hopping principle. One possible system architecture is designed and system properties are discussed. A simulation system is under construction to demonstrate the feasibility of this approach. FROM STATIC TO DYNAMIC SPREADING CODES, THE CODE-HOPPING PRINCIPLE The idea of code-hopping is to periodically feed the PRNG CDMA chip sequence generators with seed values from true random (entropy) sources. So, the spreading ”code” (the generated sequence) is changing in certain intervals. The ”code” hops from one instance to another when taking its seed value as the main characteristic and individual property. The underlying hardware or algorithm is of course constant, but securely parameterized by the seed value. This is only possible when using a hybrid cryptosystem in combination with a higher protocol layer. Asymmetric crypto algorithms are capable of synchronizing these true random sources between the distant communication partners. The resulting spreading code sequences therefore are highly non-deterministic for outside parties. Additional digital signatures can be introduced against man-in-the-middle attacks. But this man-in-the-middle would anyway have a hard job to break into the unknown spreading code sequence. If he would succeed after some cryptanalysis, the next hopping cycle would come very fast and give him a black-out again. The difference between static and dynamic SS/CDMA systems is shown in Fig. 1. Static spread spectrum methods are based on different orthogonalities in time, frequency and code domains (Fig.1(a)). They employ different code, pulse position or frequency hop patterns. Even synchronized chaotic systems are proposed to generate non-deterministic spread spectrum waveforms [7, 8], but they inherit some severe disadvantages concerning noise immunity [9] and cryptographic quality [10]. Although their non-deterministic waveform looks very dynamic, the security property is realized by individ- ual and static parameter settings. The Figures 1(b) and 1(c) show, how the code space of static and dynamic seed values (a) Conventional static SS/CDMA systems (b) Static SS/CDMA systems (DS/FH/TH-CDMA,CSK,CPPM...) em- ploy pseudo-random sequences, but leave their seed values constant (c) DS-CH-CDMA or FH-CH-CDMA code-hopping with dynamic seed (d) DS-FH-CH-CDMA, hybrid code-frequency-hopping values Figure 1: Static and dynamic SS/CDMA codes differ in time. With n bits of seed value, a code spans a space of 2n instances. The probability of accidental collisions (short interruption of communications) is reasonable small for standard seed sizes, e.g. 128 Bit as AES key. Using CH-CDMA with the basic FH-CDMA frequency hopping scheme, we can see hopping patterns in hierarchical lay- ers. The frequency hopping pattern is done with the highest hopping frequency, somehow related to the chip frequency. On the top, there is a code hopping scheme in the seed value (1(c)) of the generator that creates the frequency hopping pattern. This parametric hopping is operating at a relatively low frequency, covering several communication bursts be- tween the partners. Another possibility is a hybrid code-frequency-hopping named DS-FH-CH-CDMA (Fig.1(d)). The 2n possible seed values of the DS-code together with the 2m possible FH code generator seed values span a 2-dimensional code space of size 2nm over the time. All those states are determined by true random generators, which makes it practi- cally impossible for attackers to follow the state transitions. Every random point in this 2-dimensional code space realizes individual pseudo-random spreading codes. On the top of this physical layer security system, conventional end-to-end encryption systems can be used for perfect multi-layer protection. They cover different aspects of security. The purpose of physical layer protection is to hide the signal itself and make it resistant against jamming. End-to-end security protocols guarantee the secrecy between the distant communication partners even over relay hops and ensure their data integrity. Furthermore, the physical layer security will make attacks on the end-to-end cryptosystem much harder as it hides the cipher text in addition to the plain text. Active attacks are prevented by denying access to the correct spreading code. Drawbacks of this approach are performance and synchronization issues. Cryptographic secure PRNG generators are more complex and more limited in bandwidth than conventional LFSR generators. The efficiency on the transmission channel itself will not suffer, because randomness parameters of cryptographic secure sequences are in general better than Figure 2: CH-CDMA System Architecture those of simple LFSR sequences. The main challenge here is to keep the cryptographic synchronization of the spreading code sequences on sender and receiver side. SYSTEM ARCHITECTURE Hardware Architecture The idea of code-hopping can be realized in many ways. This paper will present a general system design. The hardware architecture of Fig. 2 is organized in cryptographic modules and traditional elements of digital communication designs. Every communication partner needs a separate and independent true random source for the secret variables a/b (Fig.2:3,4). These entropy sources are crucial for the system security, e.g. realized with thermal Johnson noise [11]. The true random sequences then provide seed for the secure pseudorandom chip sequence generators ”SYM PRNG” (Fig.2:5,6,19,20). As an example, Fig. 3 shows a SYM PRNG constructed from a secure symmetrical algorithm like the AES block cipher [12, 13] in an output-feedback (OFB) circuit. It actually takes 2 input parameters, the cryptographic key k and the initialization vector IV, both practically non-invertible one-way functions. For the sequence to start, the IV can be derived from the key k by a hash function (Fig.3:6). Later, the IV can be set to a certain value to start in the middle of a sequence or just used as an alternative parameterization input. The performance requirements for SYM PRNG are extremely high, because the generated binary stream has the CDMA chip rate. One of the advantages of the AES winner algorithm Rijndael was its capabilities for hardware-optimization. So, there are VHDL/RTL/EDIF designs available for ASIC and FPGA implementations with AES-128 bandwidths up to 4.64 GBit/s with 36.8 Kgates [14]. Higher rates can be achieved by pipelined designs. Applications from narrowband up to broadband are possible with this hardware, although extreme high data rates are not very common on secure wireless channels. The cryptographic strength of AES is high enough that, up to now, nobody claims to have a practical way of breaking AES better than the exhaustive search in the 2n key space. Theoretical algebraic attacks (F/XL) are proposed, that would revolutionize cryptanalysis on block ciphers in general, but in practice they failed on Rijndael/AES. The discussion is still going on [15] and cryptanalysis is constantly developing. In any case, if a symmetric algorithm gets compromised, the code-hopping system can replace SYM PRNG quite easily by a new algorithm. In FPGA implementations it requires just a new structure upload. Of course the terminals should be protected against using the FPGA upload interface to compromise the algorithm implementation itself (by replacing AES with a less secure one). In this architecture, the random values a/b cannot be used directly as parameters for the spreading code generators, because the transmitter code has to be synchronized with the receiver code.