Deniable Liaisons

Abhinav Narain, Nick Feamster, Alex C. Snoeren*
Georgia Tech, *UC San Diego
{nabhinav,feamster}@cc.gatech.edu, [email protected]

Abstract

People sometimes need to communicate directly with one another while concealing the communication itself. Existing systems can allow users to achieve this level of privacy in the wide-area Internet, but parties who are in close proximity (e.g., a public square or coffee shop) may want a lightweight communications channel with similar properties. Today, covert exchanges in local settings typically require the exchange of physical media or involve other forms of direct communication (e.g., conversations, blind drops); most, if not all, of these exchanges are observable: in other words, even if the message exchanges are confidential, they are not covert or deniable. We construct a local communications channel that is unobservable to everyone except the parties exchanging messages. To do so, we take advantage of the ubiquitous phenomenon of packet corruption in wireless networks, which provide deniable cover for message exchange between parties within radio range. The communicating parties use a shared secret to differentiate truly corrupted frames from those that hide messages; to other parties, messages appear as corrupted wireless frames. We tackle the challenge of designing the observable corruption patterns to ensure that an observer can neither link sender and receiver of a hidden message (unlinkability), nor determine so much as the existence of any hidden message (deniability). We present the design and implementation of a prototype system that achieves these properties using off-the-shelf 802.11 hardware, evaluate its performance, and assess its resilience to various attacks.

Categories and Subject Descriptors: C.2.1 [Computer-Communication Networks] Network Architecture and Design: Network Communications, Wireless Communication

General Terms: Algorithms, Design, Experimentation, Security

Keywords: censorship; wireless; covert channels

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a [email protected].
CCS’14, November 3–7, 2014, Scottsdale, AZ, USA.
Copyright 2014 978-1-4503-2957-6/14/11 ...$15.00.
http://dx.doi.org/10.1145/2660267.2660340

1 Introduction

The need for private communications is perhaps greater than ever before. People have long needed to keep the communications among themselves private, but, increasingly, they may want to conceal not only the messages that they exchange, but also with whom they are communicating—or even the fact that they are communicating at all. This latter type of communication is said to be not only confidential and anonymous, but also deniable, in the sense that despite exchanging messages, participants can plausibly deny that any such exchanges ever took place.

In this paper, we consider scenarios where people congregate in common public spaces and want to communicate with others in that same space, yet wish to keep their communications both confidential and deniable. We call such a message exchange a deniable liaison. Moreover, it may be the case that one or more parties to the communication wish to remain anonymous. Consider, for example, a covert message exchange between a spy and her handler in a coffee shop, a whistleblower in an office environment, or a group of activists who wish to covertly organize a public protest. These scenarios require local communication that is confidential, anonymous, and deniable.

Covert agents have long employed a wide range of techniques in these scenarios, but they tend to be either limited in bandwidth (e.g., a necessarily brief, clandestine conversation) or interactivity (e.g., a “dead drop” of a physical message or storage device). Indeed, any real-world interaction bears some risk of observation, and most are not readily applicable to broadcast scenarios. Hence, a variety of anonymous electronic communications systems have emerged to provide important—and often widely used—communications channels, but most focus primarily on wide-area communications (e.g., Tor [7], which supports communications between Internet-connected end hosts that are often separated by great distances) where deniability can sometimes be provided by hiding in a very large crowd of Internet citizens. In the circumstances we consider, a wide-area anonymous communication system not only introduces unnecessary complexity and latency, but exposes the parties to additional risk by requiring them to send their messages over the wide-area Internet. We argue that such schemes are not always available due to the widespread Internet arms race of blocking such services and instead a powerful local scheme can be used which leverages the broadcast nature of wireless communication. We argue that these settings call instead for an anonymous, confidential, deniable communications system for the local area that takes advantage of communications devices that users already own (e.g., laptops, smartphones, tablets), without requiring that covert messages traverse the wide-area Internet.

We introduce DenaLi, a lightweight communications system to support deniable liaisons. DenaLi makes it possible for parties to exchange messages with one another in a local setting, without ever exposing with whom they are communicating, or even the fact that they communicated with a local party at all. Our system takes advantage of the ubiquitous deployment of 802.11 wireless communications networks and, in particular, the pervasive nature of corrupted frames on these networks. Frame corruption is a common phenomenon that inevitably results from a variety of factors, ranging from colliding transmissions to a noisy communications medium. Traditionally, corrupted frames are viewed as a source of inefficiency,
as they require the sender to retransmit the original frame; yet, in our case, they provide an opportunity to hide communications. DenaLi creates spurious corrupt frames by injecting covert messages into frames carrying cover traffic directed toward innocuous destinations. Since these frames are indeed corrupt, they will not be forwarded by the access point to their apparent destination. Instead, other nodes in the WiFi network that overhear the frame and possess the appropriate secret key can extract and decrypt the injected payload.

DenaLi is conceptually simple, and achieving anonymity and confidentiality is easy enough—any reasonable encryption technique will suffice. The challenges entail designing the communications channel so that the resulting stream of corrupted frames is deniable, which requires both understanding (and modeling) the properties of bit errors in an 802.11 wireless communications channel and appropriately modeling the attacker. To do so, we build on previous work that studies bit-error characteristics in the wireless medium, and perform our own measurements to understand these error characteristics in various settings and for different encodings. We develop a modified 802.11 wireless driver that modulates the covert message over a stream of cover traffic in such a way that the resulting sequence of corrupted frames mimics the existing pattern of corruption in the wireless channel. DenaLi traffic matches naturally occurring wireless corruption both in terms of the frequency of corrupted frames and the bit positions within the frames that are corrupted.

DenaLi provides deniability in a setting where an adversary can observe wireless communications in the local area, but cannot get very close to the suspected sender. An adversary who observes transmissions sufficiently close to the sender could infer the presence of a hidden message channel due to the (relatively) high level of packet corruption near the point of transmission. We envision that in typical cases an adversary would not be targeting an individual sender but would rather only be in a position to monitor a group of users (e.g., in the midst of a larger group, perhaps close to the access point). In these cases, we demonstrate through empirical measurements that distinguishing DenaLi transmissions from naturally occurring corrupted wireless frames can be made arbitrarily difficult for message rates that can easily support the exchange of short covert messages. We show through extensive controlled experiments with real wireless chipsets that when we closely match the frame error rate and bit error distributions of the existing wireless channel, DenaLi achieves a bit error distribution pattern that is indistinguishable from naturally occurring errors. To achieve this level of deniability, throughput is quite low (sufficient for exchanging only small messages or “tweets”), but the sender can, of course, accept less deniability in exchange for higher throughput, a tradeoff that we explore in our evaluation. Traffic that the user is already sending as part of normal communication can provide the necessary cover traffic, which means that DenaLi does not need to create additional cover traffic but can rather hide its messages in the user’s existing traffic.

Our work presents several contributions. First, we recognize that the increasing need for anonymous, deniable communications in settings where parties are physically close to one another calls for a new class of communications tools. Second, we observe that in these settings, the ubiquity of other WiFi communication (and the corresponding wireless frame corruption) can serve as useful cover to conceal communications. Third, we define the notion of deniability in this context and design a modulation scheme that achieves deniability by matching the corruption properties of the deniable messages to that of the cover traffic. Finally, we implement and evaluate a prototype system based on this design.

The rest of the paper proceeds as follows. Section 2 surveys related work in anonymous communication, detection of covert channels, and wireless errors and corruption. Section 3 defines our expected usage scenario and outlines our basic approach, threat model, and design goals. Section 4 describes the design of the DenaLi communication channel in detail. Section 5 describes our prototype implementations and explains the changes we made to the wireless driver to enable DenaLi. We evaluate DenaLi in Section 6, discuss limitations and future work in Section 7, and conclude in Section 8.

2 Related Work

We first survey related work on anonymous and deniable communications systems. We then discuss various studies of wireless interference and channel properties to design DenaLi.

2.1 Anonymous Communications

DenaLi’s design is inspired by Rivest’s proposal for chaffing and winnowing, whereby a sender disguises the real message intended for the recipient by including additional “chaff” on the same channel [22]. With knowledge of a shared secret, the recipient can identify and discard the chaff, leaving only the message in question. Unlike Rivest, however, we further encrypt the message to make it easier to efficiently inject into the chaff without disturbing the statistical properties of the aggregate.

DenaLi is the first system to provide a point-to-point deniable communication channel in a WiFi network using commodity hardware. Previous work has sketched systems that use corrupted wireless frames to create a covert channel over 802.11 frames [19, 25] but no previous work has moved beyond paper designs. Calhoun et al. designed and simulated a covert channel based upon varying the link rate [2]. This work is purely simulation-based and develops neither a working prototype nor a communication protocol for exchanging messages. None of the previous work analyzes deniability in the presence of an adversary that can monitor channel quality.

Many existing anonymous communications systems aim to provide various levels of anonymity in the wide area. One of the most widely used anonymous communications systems is Tor [7], which allows communicating parties to establish anonymous communications channels via a layered encryption technique called onion routing [10]. Users of Tor establish circuits to communicate with each other anonymously in the wide-area. Tor provides anonymity but not deniability, in the sense that users of Tor can conceal who they are talking to, but not the fact that they are communicating using Tor (in fact, Tor is blocked in many countries outright). DenaLi’s focus is different than Tor’s: it aims to enable anonymous and deniable communication in settings where the communicating parties are physically close to one another.

DenaLi bears similarity to other censorship circumvention systems that aim to achieve deniability and covertness in addition to confidentiality and anonymity. Two such systems that operate from end systems are Infranet [9] and Collage [1]. These systems allow participants to establish communications under the cover of innocuous Web traffic: the censor only sees Web requests that are statistically indistinguishable from normal user behavior, thus providing the user with an important degree of deniability, in addition to confidentiality. Other recent systems such as Telex [28], Cirripede [13], and Decoy Routing [15] aim to achieve similar levels of deniability by deploying infrastructure in the core of the network rather than at end systems. Briar [23] provides a secure, point-to-point anonymous encrypted communications channel between users’ devices; like DenaLi, Briar enables point-to-point communication, but Briar does not provide deniability.

2.2 Detection

Others point out that covert channels must be detectable under some adversarial model, because the message channel introduces some statistical deviation to the underlying natural distribution. (In other words, there is no such thing as “perfect steganography” that is analogous to perfect security for encryption in practice.) Provos et al. demonstrate that statistical steganalysis is possible on JPEG images based on careful analysis of the entropy of the resulting compressed images [21]. Previous work evaluates two methods for detecting the anomalies in traffic distributions generated by covert channels (such as the deviation induced by DenaLi) by measuring the variation in the number of packets with invalid checksum value [19] (this analysis is based on simulation). As in any mechanism that perturbs the underlying natural distribution of the cover traffic, DenaLi could be detected if the adversary both can observe the distribution generated by DenaLi, and is in a position to measure the deviation. We explain in Section 3 why we believe this to be generally difficult in the case of DenaLi’s most likely deployment scenarios.

DenaLi provides a different type of deniability than deniable encryption [5], and therefore presents a different detection challenge. DenaLi aims to conceal the existence of communication, whereas deniable encryption explicitly admits the presence of communication: the adversary is provided with an alternate key to decode the cipher text to convert it into a different plaintext than the actual one.

2.3 Wireless Errors and Corruption

One of DenaLi’s goals is to transmit corrupted wireless frames whose statistical properties match those that would occur in a normal wireless communications channel. The properties of a wireless medium can be both highly variable and difficult to model. In particular, the channel properties depend on a host of complex and time-varying factors ranging from radios to bitrate adaptation schemes. Our goal is not to develop a model for wireless channels. Rather, if the channel’s error properties can be observed, we can develop a communications channel using corrupted wireless frames as cover traffic in a way that mimics the properties of the errors that naturally occur.

Since errors have plagued wireless communication since its inception, there are a number of studies that focus on the nature of such errors in wireless frames. The Maranello study [12] measures erroneous frames in an 802.11 LAN; their findings corroborate earlier work [14] that observes that bit errors in wireless frames occur in clusters, as the error process is not memoryless. Han et al. also observe that the probability of error increases with the bit position in the frame (i.e., bits further into the frame are more likely to be corrupted) [11]. DenaLi applies these observations by injecting bit errors into frames in groups—as opposed to one bit at a time—at least 100 bytes into any frame.

3 Problem Description

We now explore the scenario where we believe that DenaLi is most likely to be used and the threat model, in terms of the capabilities of a typical adversary who might try to discover or thwart communication with DenaLi.

Figure 1: Basic communication setup.

3.1 Usage Scenario and Basic Approach

DenaLi is designed for settings where the communicating parties are within wireless range of one another and, hence, can hear one another’s wireless transmissions to a local access point. We further presume that a DenaLi sender has some number of pre-existing connections to innocuous destinations on the Internet which will provide cover traffic for our covert communication channel. Figure 1 shows such a basic setup. An adversary may be positioned anywhere in the wireless network and is able to eavesdrop on any transmissions by the participants. DenaLi does not employ or require link-layer encryption schemes (like WEP or WPA) for its confidentiality guarantees.

In this scenario, the sender, Alice, sends traffic to her usual set of wide-area Internet destinations via the access point. Due to the nature of the wireless channel, some frames may experience corruption, and the access point will thus discard those frames. Alice will subsequently retransmit these frames until they are successfully received by the AP and forwarded on. But, if Alice and Bob share a secret, Alice can inject additional, deliberately corrupt frames, such that the frames corrupted by the wireless channel serve as chaff to conceal the fact that some of the corrupt frames contain a hidden message. If Alice and Bob share a secret, Bob can determine which corrupted frames are chaff and can retain only those corrupted frames that contain the hidden message.

Corrupt frames naturally result from various wireless effects, including low signal-to-noise ratio (SNR), broadband interference, hidden terminals, and multi-path fading, which depend on the relative position of the transmitting device and nearby wireless devices, materials of nearby objects, and other unknown factors. Because the causes of corruption are diverse and time-varying, detecting the hidden messages with certainty requires either knowledge of the secret, or the ability to monitor frame corruption rates and compare the measured distribution to the corruption rates that would be expected as a function of both space and time.
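
The rate comparison named in the preceding paragraph, as an added example that is not code from the paper: it tallies FCS failures per transmitter from a monitor capture, tests each sender against the median per-sender rate with an exact binomial tail, and estimates how many frames an observer must collect before a given excess rate stands out. The station names, frame counts, the median baseline, and the thresholds are constructed assumptions.

```python
import math
from statistics import median

# Constructed capture summary: station -> (corrupt frames, total frames).
# Assumes the transmitter address of a corrupt frame is still readable.
CONSTRUCTED_COUNTS = {
    "sta-A": (240, 3000),
    "sta-B": (231, 3000),
    "sta-C": (420, 3000),  # many extra corrupt frames on top of channel loss
    "sta-D": (252, 3000),  # a few extra frames, close to the channel's own rate
}


def build_records(counts):
    """Expand the summary into (transmitter, fcs_ok) pairs, as a monitor would log them."""
    records = []
    for tx, (bad, total) in counts.items():
        records += [(tx, False)] * bad + [(tx, True)] * (total - bad)
    return records


def corruption_counts(records):
    """Tally (corrupt, total) frames per transmitter."""
    counts = {}
    for tx, fcs_ok in records:
        bad, total = counts.get(tx, (0, 0))
        counts[tx] = (bad + (0 if fcs_ok else 1), total + 1)
    return counts


def binom_upper_tail(k, n, p):
    """Exact P[X >= k] for X ~ Binomial(n, p), summed in log space to avoid overflow."""
    if k <= 0 or p >= 1.0:
        return 1.0
    if p <= 0.0:
        return 0.0
    log_p, log_q = math.log(p), math.log1p(-p)
    total = 0.0
    for i in range(k, n + 1):
        log_pmf = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                   + i * log_p + (n - i) * log_q)
        total += math.exp(log_pmf)
    return min(total, 1.0)


def flag_senders(records, alpha=0.001):
    """Return {tx: (rate, p_value)} for senders whose corrupt-frame rate is
    significantly above the median per-sender rate (Bonferroni-corrected).
    The median is used so one heavy sender does not drag the baseline up."""
    counts = corruption_counts(records)
    baseline = median(bad / total for bad, total in counts.values())
    threshold = alpha / len(counts)
    flagged = {}
    for tx, (bad, total) in counts.items():
        p_value = binom_upper_tail(bad, total, baseline)
        if p_value < threshold:
            flagged[tx] = (bad / total, p_value)
    return flagged


def frames_needed(base_rate, extra_rate, z=3.0):
    """Normal-approximation estimate of how many frames must be observed before
    an excess corruption rate of extra_rate separates from base_rate by z
    standard deviations on each side. Grows as 1 / extra_rate**2."""
    p0, p1 = base_rate, base_rate + extra_rate
    spread = math.sqrt(p0 * (1 - p0)) + math.sqrt(p1 * (1 - p1))
    return math.ceil((z * spread / extra_rate) ** 2)


if __name__ == "__main__":
    for tx, (rate, p) in flag_senders(build_records(CONSTRUCTED_COUNTS)).items():
        print(f"{tx}: corrupt-frame rate {rate:.3f}, tail probability {p:.2e}")
    for extra in (0.06, 0.005):
        print(f"excess {extra:.3f}: about {frames_needed(0.08, extra)} frames needed")
```

A single pooled baseline ignores the dependence on location and time that the paragraph stresses, so a flag here is a reason to look closer, not proof of injection.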

To construct a profile that closely matches that of a normal wireless channel, we exploit two important observations about the corruption of packets in a broadcast medium, particularly the 802.11 protocol. First, packet errors in packets occur in chunks of bytes [12], not as individual bits; most of the chunks of errors are about 400 bits, and occurrence of larger chunks of errors is not very usual. This phenomenon might occur as a result of interference, or the loss of synchronization. The second observation is that the bit errors inside wireless frames have specific patterns [11]; for example, bits that are farther from the start of the frame will experience an increasing probability of corruption.

3.2 Threat Model

The adversary’s primary goal is to detect the presence of hidden communication on a shared wireless medium. If the adversary is able to further determine which transmitted frames contain hidden communication, it may be able to use existing techniques to determine the identity of the sender [8]. The adversary’s main capability is to listen to wireless frames within its radio range.

We assume that the adversary has finite computation resources and a finite number of nodes that it can use to monitor the wireless channel. In our prototype, we assume the adversary has only one node with which it can monitor and has knowledge of at least one party which may be communicating using DenaLi. In a practical scenario, the adversary might know the identity of the sender but not his MAC address. He would still have to scan the channel and apply techniques to identify the sender’s device, which might be hard in dense public places where signal strength of device varies considerably due to the commotion [27]. If the adversary has previous knowledge about which parties may be using DenaLi to communicate, it could position its radio(s) close to one of the senders and attempt to determine if the sender’s wireless interface was sending corrupted frames at a rate that exceeds the typical rate at which a wireless radio emits corrupted frames. We assume that the adversary remains at a sufficient distance that it cannot conclusively determine that some frames are already corrupt when they are transmitted by the sender; rather, it can only monitor the frame corruption rate. As long as the adversary is sufficiently far away, the sender can always make his channel worse by staying far away from the public access point, thereby legitimately retransmitting at a higher rate than normal.

Even without knowledge of communicating parties, a stronger adversary can monitor and collect wireless transmissions from multiple independent locations in the network and run statistical analysis on the collection of captured traffic. In these cases, the adversary might be able to determine that the profile of bit-error corruption for certain nodes in the network does not match the corruption profile for other senders, or that the frame corruption profile does not change with increasing distance from the sender as one might expect. Such an adversary might be able to perform an analysis of error patterns with a tool such as Jigsaw [3], but even with the benefit of multiple observation points, if the distributions are matched appropriately, the perturbations that DenaLi introduces should still provide deniability for senders. Moreover, a global adversary, i.e., one that can monitor at multiple locations in the wireless network—but not the sender or receiver—does not necessarily have a better chance at detecting the presence of hidden communication than a local adversary who only has one monitoring point. Although the ability to observe transmissions at multiple locations provides the opportunity to observe corruption patterns of the same packet at multiple locations, these observations still do not allow the adversary to ascertain what bit errors would look like at the exact sender and receiver locations [17]. Previous work suggests that bit error patterns within corrupted frames will differ depending on the adversary’s location [18].

In our empirical evaluations and security analysis (Section 6), we assume an adversary who can observe all the corrupted frames from a single location in the network. We note that even if an adversary targets a particular sender (e.g., based on previous knowledge), the sender can always move away from a suspected adversary or maintain enough mobility to reduce the likelihood of being monitored at close range. (Indeed, previous work shows that simply rotating the communication device can dramatically impact the channel quality [27].) Therefore, we believe that it is extremely unlikely that an adversary could successfully target a sender and successfully monitor the sender at close enough range for an extended period of time without tipping off the sender.

3.3 Design Goals

We aim to develop a covert channel with a variety of properties, in addition to the standard properties of confidentiality and covertness. Undetectability says that the adversary cannot detect the presence of any messages. Deniability is a slightly weaker property that says that even if the channel is detectable, the adversary cannot determine with non-negligible probability that a particular user or group of users is exchanging messages. Unlinkability says that an adversary may be able to detect the presence of communications, but cannot link the sender of a message with its receiver. Robustness says that the adversary should not be able to disrupt the channel.

DenaLi technically does not achieve strict undetectability, since the process of sending a message does perturb the wireless channel from its original state. We design the resulting bit error profile to be statistically similar to a normal profile, however, making it difficult for an adversary to determine with certainty that the channel has been perturbed. Because frame corruption is a random process that is itself based on a non-stationary distribution (e.g., it is affected by a variety of factors, ranging from the presence of other senders, to changes in obstructions such as people and doors, to the user’s wireless radio, to physical properties of the air), we can perturb the corruption profile of the channel without allowing the adversary to determine that a sender is definitely sending a hidden message. In this way, we achieve deniability.

Independently, DenaLi achieves unlinkability because even if the adversary could detect the presence of additional corrupted frames, without having the key that Alice and Bob share, the adversary cannot determine that Bob is the intended recipient of the additional corrupted frames. In fact, by having multiple participants share a group key, DenaLi can be used to surreptitiously broadcast a hidden message.

Finally, DenaLi achieves practical robustness by virtue of the fact that an adversary cannot easily selectively disrupt the communication of the wireless frames containing the hidden message. An adversary could jam the entire wireless channel, but doing so would disrupt communication for legitimate traffic as well.

DenaLi does not rely on 802.11 encryption standards such as WEP and WPA to achieve confidentiality, as we assume that many adversaries may be powerful enough to either (1) join the channel with a known WEP or WPA2 key (e.g., in the case where the adversary is the network administrator, such as in a public square or a coffee shop); or (2) break the WEP encryption or WPA2 encryption
using known techniques. Instead, DenaLi provides confidentiality by encrypting the message contents before injecting them into the corrupted frames.

4 Communications Channel

This section describes the DenaLi design in more detail. The basic approach is for the sender to inject corrupted frames into an existing encrypted application traffic stream (the chaff), so that in the air, the adversary sees a single stream of encrypted application traffic with non-corrupted and corrupted frames. The goal is to make what is seen on the air appear as a plausible sequence of frames to the purported destination to anyone observing the traffic pattern. To do so, the sender occasionally duplicates existing frames and corrupts them by injecting a portion of the message to be communicated. The sender and receiver must also develop a common means to identify which corrupted frames contain hidden messages, and where (i.e., at what byte offset) within a corrupted frame the hidden message lies.

4.1 Basic Mechanism: Frame Injection

DenaLi constructs corrupted frames and hides the corrupted frames among a larger stream of frames being transmitted to the access point. Some of these frames (perhaps including some of DenaLi’s constructed frames) will be corrupted by the wireless channel. In order to make it more difficult to determine which corrupted frames contain embedded messages, DenaLi transmits hidden messages only in frames that otherwise are part of encrypted SSL connections (e.g., to popular websites like Gmail). We chose to use SSL connections as the basis for DenaLi’s cover traffic because the encrypted payload of these frames acts as a one-time pad into which we can embed similarly encrypted messages without obviously disturbing their statistical properties.

An SSL frame will necessarily have a TCP header, which DenaLi uses to compute the offset into the frame at which to place the embedded message. Because bits that are located further into a frame (i.e., with a greater offset) have a greater chance of experiencing corruption [11], DenaLi skews the probability distributions on injecting message blocks to favor corrupting bits farther into the frame. Obviously, the message must be (substantially) smaller than the frame into which it is being injected. Our implementation exports a virtual network interface with a small MTU, which ensures that the covert channel is automatically broken into smaller message blocks. Figure 2 illustrates the communication tunnel between the sender and receiver, including how the hidden message is combined with chaff before being transmitted over the air; the receiver hears all of the wireless traffic but can discard the chaff before passing the message to the receiver.

Figure 2: Injection of additional corrupted frames via a virtual network interface (implemented as a Linux TUN device).

Figure 3 shows the construction of the combined packet stream in more detail. The hidden message is passed through the virtual network interface (a Linux TUN device), whereupon it is combined with a copy of an existing frame from the chaff via bit-error injection. The corrupted frame is then transmitted very close in time to the unmodified chaff frame. To decode the hidden message, the receiver performs the reverse of this process. Ideally, the entire stream would be transmitted via the same outgoing interface, but limitations of current wireless chipsets prevented us from implementing the transmitter in this fashion; Section 5 discusses these limitations in more detail, and Section 7 explains how we conceal the presence of two separate transmitting interfaces.

Figure 3: Process of injecting corrupted frames at the sender; the receiver performs the reverse of this process.

4.2 Communication Protocol

Figure 4 shows the steps that are involved in exchanging messages in a two-party message exchange. We now explain these steps in detail.

Establishing a shared session key. The sender and receiver use the DenaLi channel to establish a shared session key in a manner that is analogous to how session keys are established in many protocols. In case of DenaLi, the colluding parties should be aware that they are in proximity of each other and then instantiate the key exchange process. The sender generates a session key and encrypts the key with the receiver’s public key. It then sends the resulting ciphertext over the DenaLi channel, taking the resulting ciphertext and embedding it as corrupted bits in an outgoing sequence of frames. The receiver decodes the message from the corrupted frames to retrieve the session key. The session key is transmitted on the DenaLi channel just as any other message would be, except that the initial transmission and encoding is based on the receiver’s public key, instead of the session key itself. All transmissions on the DenaLi channel involve a process of the sender encoding the hidden message and the receiver decoding it upon receipt, as described below.

Encoding and transmitting. First, the sender obtains a cover frame by duplicating a frame that is about to go out of its wireless interface as part of an existing connection. It then corrupts this duplicate by injecting data from the covert channel. Before injecting the hidden message into a corrupted frame, the sender: (1) encrypts the hidden message with the shared session key (or, in the case of the initial key exchange, the receiver’s public key) using CBC-AES 256-bit symmetric key encryption; (2) computes the offset into the
frame where the message should be inserted; and (3) computes an HMAC over the message ciphertext. The sender then inserts bits corresponding to the hidden message length, the HMAC, and the hidden message itself as a block into the corrupted frame. We describe the process of computing the frame offset and the HMAC below.

Figure 4: Steps involved in exchanging messages using corrupted frames.

In addition to the session key, the sender uses the TCP sequence number and acknowledgment number as salts to compute the frame offset for the hidden message. Doing so helps randomize the offset, so that the inserted bits are not always in the same location in the corrupted frame; randomizing the offset makes it difficult for an adversary who is eavesdropping to ascertain the presence of a hidden message, since the location of the corrupted bits that contain the hidden message will be different for each packet. We considered using a pseudo-random number generator with an initial seed to allow the sender and receiver to compute this offset; the problem in doing so is that if any corrupted frame containing a hidden message is lost, reordered, or itself corrupted, the receiver and sender will lose synchronization. Instead, DenaLi uses the output of a public cryptographic hash function that uses the TCP sequence number, acknowledgment number, and shared secret (or, in the case of the initial key exchange, the receiver’s public key) as the input for computing the offset. Thus, all of the information that the receiver needs to extract the hidden message from the frame is present in the frame itself. Unless the adversary has the shared secret, it cannot determine the offset of the artificially corrupted burst sequence.

Because the injected frame is corrupt (i.e., its layer-two checksum is invalid), the receiver no longer has an inherent way to determine the integrity of the frame—or, more specifically, the embedded DenaLi message within—it receives. In lieu of the (now corrupted) frame checksum, a DenaLi sender also includes an HMAC computed over the hidden message contents that is keyed on the session key, the TCP sequence number, and the acknowledgment. The message’s HMAC is prepended to the hidden message before the resulting bits are inserted into the frame.

The astute reader might observe two nuances about the way that the sender embeds the message into a corrupted frame. First, the message length is included “in the clear”. Including the message length in the clear is necessary because the number of bits corresponding to the hidden message varies (both by design to make detection more difficult, and as a natural result of the original message sizes). Because both the value of the message length and the offset within the frame where the bits indicating the message length vary per-frame, recognizing a pattern would be difficult. A sender could, of course, introduce more entropy into the message length value by randomizing the block size for each block that it injects into a corrupted frame, making it essentially impossible to identify the presence of the message length value, at the expense of channel throughput.

Second, all of the corrupted bits are injected into the frame as a single block rather than interspersed at random bit locations throughout the packet. Previous work has established that wireless bit errors tend to occur as corrupted blocks [12], not as individual corrupted bits. Additionally, because the DenaLi sender injects ciphertext into other ciphertext (i.e., the SSL stream that serves as the chaff), interspersing the block throughout the packet does not increase covertness: Because both the hidden message and the chaff are encrypted, the adversary can see that the frame is corrupted, but has no straightforward way of determining the bit positions corresponding to the corruption, unless he has the corresponding uncorrupted version of the frame. Injecting an encrypted message into SSL payload makes the likelihood of each bit being corrupted ≈ 0.5.

Figure 5: Checking the integrity of received hidden messages.

Receiving and decoding. To receive the hidden message, the receiver polls the wireless medium for all the corrupted frames and attempts to decode and decrypt the bits in each corrupted frame that are located at the appropriate offset, which is computed as a function of both the session key and the TCP sequence number and acknowledgment numbers in the packet header. The receiver can apply the same function to determine the appropriate offset of the message in the corrupted frame to extract the ciphertext and decrypt it to recover the session key, which will be used to encrypt future messages and as an input for computing the frame offsets.

Upon hearing a corrupted frame in the wireless medium, the receiver extracts the grain from the chaff by computing the offset where the hidden message is expected (as a function of the key and the TCP sequence and acknowledgment numbers contained in the frame) on every corrupted frame, extracting the bits that should
correspond to the hidden message, computing the HMAC on the decoded and decrypted message, and comparing it with the HMAC value present in the packet. The receiver computes the HMAC of the decoded message and compares it to the value of HMAC included in the packet, which (as mentioned above) is prepended to the transmitted message before being injected into the frame. If the HMAC is correct, the receiver then proceeds to decode and decrypt the hidden message. (It is extremely unlikely that the bits of the secret message and the HMAC will be corrupted simultaneously in such a way that the HMAC calculated over the corrupted frame will be the same as the corrupted value of the included HMAC.) Figure 5 illustrates this process.

5 Prototype Implementation

In this section, we describe a prototype implementation [6] of DenaLi using off-the-shelf wireless chipsets based on the design detailed in Section 4.

5.1 The TUN Interface

In the interest of simplicity, our prototype implementation of DenaLi provides a TUN interface that allows applications to use the covert channel just as any other network interface. It is a virtual interface in Linux, implemented as a TUNnel device, to exchange packets with user space. A user can determine how to design and implement applications that communicate over the channel, or just use existing ones.

Once a packet is transmitted on the TUN interface, DenaLi encrypts it (including the headers and checksums), calculates the HMAC of the encrypted message, computes the resulting message length, and concatenates them to arrive at the bit sequence that is ultimately inserted into a corrupt wireless frame. We compute the HMAC using SHA-256.

5.2 Dual Wireless Interfaces

Most existing wireless chipsets calculate the layer-two checksum, also known as the frame check sequence (FCS), in hardware. Hence, even the “corrupted” frames created by injecting the encrypted payload would normally be sent out with a correct FCS, meaning the destination of the encapsulating chaff frame (i.e., the access point) would receive the packet and attempt to process it. While the IP checksum would still likely be incorrect, it is far less common for an IP checksum to be invalid on purportedly correctly received frames, destroying DenaLi’s deniability.

Hence, we must ensure that the corrupted frame is transmitted with an invalid FCS. Unfortunately, the current architectures of most wireless chipsets do not expose an interface to manipulate the FCS. Instead, our prototype uses a wireless interface card with the Atheros AR9485 chipset, which exports a register that disables the calculation of the FCS (we are unaware of other vendors that provide this feature). Atheros ath9k and ath5k series chipsets, available commercially for Linux, provide this feature [16]. The register setting is not selective, however: if enabled, all packets are transmitted without a proper FCS. Hence, in order to transmit the chaff traffic, our prototype employs two wireless interfaces: one to transmit the chaff SSL traffic, and one to transmit the additional corrupted frames that contain the hidden message with a corrupted FCS. We are using two wireless cards to facilitate usability of the prototype, as software defined radios are bulky and hard to carry for general purpose use by a non-technical person. We use identical Acer Aspire One laptops with an Intel Celeron processor running at 800 MHz, with Linux 3.2.0 and the stable compat-wireless networking stack.

5.3 Driver Modifications and SoftMAC

Each wireless frame passes through multiple stages before it is transmitted, many of which occur in hardware by default (and, hence, are inherently challenging to modify), as shown in Figure 6. The specific stages depend on the architecture of the particular wireless chipset in use, although we provide a rough general outline that many chipsets follow. First, an application provides the payload to the operating system, which in turn copies the data to driver memory after adding the 802.11 MAC header. The driver then encrypts the packet and transmits it; the encryption keys are retained in software, but the encryption process itself occurs in hardware. The transmission control unit manages the fine-grained timing of 802.11, including generating the frame checksum right before transmitting the frame.

Our DenaLi prototype makes two changes to the default processing pipeline: it (1) disables the FCS checksum; and (2) disables the retransmission of these frames, which obviously will never generate link-layer acknowledgments. Figure 6 illustrates where we made these modifications in the NIC processing pipeline.

To modify the behavior of the wireless interface, we use the SoftMAC 802.11 wireless MAC implementation [20], which offloads many functions of the wireless driver to the kernel subsystem, thus forming a clean interface with various vendor drivers and allowing us to modify various parts of the process.

6 Security and Performance

In this section, we evaluate the security of DenaLi relative to the performance that it achieves. As discussed in Section 3, our primary goals for security are deniability and confidentiality, where deniability says that the resulting traffic is statistically indistinguishable from network traffic that does not contain any hidden message. We begin with a discussion of the characteristics of the resulting wireless traffic that should appear statistically indistinguishable to an adversary. We then formalize our definition of security in terms of the indistinguishability of the resulting DenaLi traffic from ordinary wireless frame corruption.

We conduct real-world experiments with our prototype implementation to explore the tradeoffs between deniability and throughput over the DenaLi channel. Across all of our experiments, our prototype consumes an average of 2% and maximum of 5% CPU time at both transmitter and receiver while it injects or decodes corrupted wireless frames. We confirm that no packets are dropped by kernel or socket buffers despite using the pcap library for packet reception and injection.

6.1 Traffic Characteristics

Detecting DenaLi communication requires the adversary to make observations about perturbations to the natural error patterns at one of two levels: packet errors in the medium, or patterns of bit errors within individual frames.

The packet error rate is the fraction of transmitted frames in the wireless medium that are corrupt. This rate depends on the characteristics and nature of the environment where the colluding parties
Figure 6: Processing of an 802.11 wireless frame at the host, and the two modifications that we make to enable DenaLi: (1) setting the number of retransmissions to zero through the SoftMAC implementation; (2) disabling the frame checksum computation to allow the interface to transmit the corrupted frame.
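The embedding and the receiver's check described in Sections 4 and 5.1, as an added example that is not the authors' prototype code. The field order (length, then HMAC, then ciphertext), the 2-byte length field, SHA-256 for the offset hash, the modulo reduction and the way the sequence and acknowledgment numbers enter the HMAC key are assumptions; encryption is left out and the sample data is constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                       # HMAC-SHA-256 output, as in Section 5.1
MAX_MSG = 70                       # TUN MTU used in the paper's evaluation
MAX_BURST = 2 + TAG_LEN + MAX_MSG  # assumed layout: length || HMAC || ciphertext


def burst_offset(secret: bytes, seq: int, ack: int, frame_len: int) -> int:
    """Stateless offset: hash of (secret, seq, ack) reduced to a valid start position.

    SHA-256 and the modulo reduction are assumptions of this example.
    """
    if frame_len < MAX_BURST:
        raise ValueError("frame payload too short to hold a burst")
    digest = hashlib.sha256(secret + struct.pack(">II", seq, ack)).digest()
    return int.from_bytes(digest[:8], "big") % (frame_len - MAX_BURST + 1)


def _tag(key: bytes, seq: int, ack: int, ciphertext: bytes) -> bytes:
    # Binding the MAC to seq/ack ties each burst to the frame that carries it.
    mac_key = key + struct.pack(">II", seq, ack)
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def embed(payload: bytes, key: bytes, seq: int, ack: int, ciphertext: bytes) -> bytes:
    """Overwrite part of the chaff payload with length || HMAC || ciphertext."""
    if len(ciphertext) > MAX_MSG:
        raise ValueError("hidden message exceeds the MTU")
    burst = struct.pack(">H", len(ciphertext)) + _tag(key, seq, ack, ciphertext) + ciphertext
    off = burst_offset(key, seq, ack, len(payload))
    return payload[:off] + burst + payload[off + len(burst):]


def extract(payload: bytes, key: bytes, seq: int, ack: int):
    """Return the hidden ciphertext, or None when the frame is ordinary corruption."""
    if len(payload) < MAX_BURST:
        return None
    off = burst_offset(key, seq, ack, len(payload))
    (length,) = struct.unpack_from(">H", payload, off)
    if length > MAX_MSG:
        return None
    tag = payload[off + 2: off + 2 + TAG_LEN]
    ciphertext = payload[off + 2 + TAG_LEN: off + 2 + TAG_LEN + length]
    if not hmac.compare_digest(tag, _tag(key, seq, ack, ciphertext)):
        return None
    return ciphertext


# Constructed sample data: a stand-in for a 1400-byte encrypted chaff payload.
CHAFF = hashlib.shake_256(b"constructed chaff").digest(1400)
KEY = b"constructed-session-key"
HIDDEN = b"opaque ciphertext of the hidden message"  # encryption itself is omitted
```

Because the offset depends only on values carried in the frame, a lost or reordered frame does not affect decoding of the next one, and any frame that fails the HMAC check is treated as natural corruption.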
(and the adversary) are located. Although the instantaneous frame error rate cannot be modeled precisely because the type and frequency of events that cause interference or frame loss are inherently random, we can calculate the rate of corruption of the frames in a live capture of a collected packet trace and attempt to mimic that distribution. DenaLi users maintain statistics regarding the packet error rate of normal frames so that they can inject corrupted frames in a way that mimics the naturally occurring packet corruption in the current environment. In channels that are subject to corruption rates that are higher or more variable, DenaLi participants can inject hidden messages with higher frequency. We explore the relationship between the amount of noise in the channel and the throughput that we can achieve later in Section 6.3.

The bit error distribution is the distribution of the bit errors in specific positions within a corrupted frame. An adversary who captures the frames may analyze the corrupted frames to compare the error patterns. We modify the contents of the intentionally corrupted frame in such a manner that it is difficult to differentiate actually corrupted bits from the crafted corrupted frame. Our goal is to inject bit errors into packets in such a way that the resulting distribution of bit errors resembles a bit-error pattern that would result from the corruption of one or more symbols in an encoded wireless packet. The exact bit-error pattern is difficult to model because these patterns depend on how the sender modulates packets. In lieu of conducting additional experiments on bit error rates ourselves, we follow the assumptions from the Maranello study [12], which suggests that the bit errors in a frame occur in chunks, due to the loss of synchronization between the sender and receiver or the bursty nature of interference in the wireless channel, unlike uniform corruption of bits in the whole frame. In our evaluation, we use DenaLi to corrupt specific bit error patterns in such a way that mimics these observed distributions. We also note that the farther that the sender is from the adversary, the more likely that the adversary will observe naturally occurring frame corruption, which should make it more difficult to distinguish naturally occurring corruption from artificial corruption.

6.2 Security Goal

The security of DenaLi requires that: (1) sending a hidden message using DenaLi creates a perturbation of the wireless channel’s packet error rate and bit error distribution that is statistically indistinguishable from if a DenaLi message had not been sent (deniability); (2) the adversary cannot recover the messages (confidentiality). As the confidentiality of DenaLi relies on the strength of existing encryption technologies, we focus on defining and evaluating DenaLi’s deniability properties.

Consider an adversary who observes the properties of the wireless channel from a particular location. The adversary can empirically measure both the packet error rate for a sequence of frames, and the bit error distributions within each corrupted frame. Suppose that the adversary has two packet traces P and P′, where P is a packet trace without DenaLi communication and P′ is a trace with DenaLi communication. Deniability says that the adversary cannot determine which trace has DenaLi communication with probability greater than 1/2 + ε. If the adversary can correctly detect the presence of a covert channel with probability greater than 1/2 + ε, then the adversary wins.

Similarly, suppose also that the adversary runs a maximum likelihood detector based on observations of bit error distributions in corrupted frames to detect the presence of a DenaLi channel based on deviations in the respective distributions. According to the definition of deniability above, if ε is zero, the best threshold that an adversary could design would be unable to distinguish the two distributions of bit error patterns drawn from P and P′. The ε parameter measures the extent to which the two distributions do not overlap. We quantify the degree to which the two distributions do not overlap (which corresponds to the probability that the adversary succeeds) using the Pearson correlation coefficient between the two distributions [24]. ε is simply half times one minus the correlation coefficient. Formally, we denote the bit error distribution from packet trace P′ as f′(x), where x is the bit position in the packet; similarly, the normal bit error distribution from packet trace P is f(x). For each of the distributions that are parameterized by frame error rate and bytes injected per frame, we compare the two distributions as follows:

$$\varepsilon = \frac{1}{2} - \frac{\operatorname{cov}(f(x), f'(x))}{2\,\sigma_{f(x)}\,\sigma_{f'(x)}}$$

Note that we can make ε arbitrarily small: If DenaLi injects no bits from the hidden message, the naturally occurring bit error distribution is unperturbed, and the two distributions are indistinguishable, both by definition and by construction. Such a channel, of course, is useless because its throughput is zero. Increasing the throughput of the hidden channel by injecting additional corrupted frames and introducing bit errors that deviate from the naturally occurring bit errors perturbs the underlying distribution. Thus, there is a tradeoff between the degree to which the bit error distribution is perturbed (i.e., the number of bits from the hidden message that we inject into any corrupted frame) and the resulting throughput.

The packet error rate also has a naturally occurring value that varies over time. Suppose that for a given time interval i in packet trace P, the adversary observes a packet error rate $f_i$. Then, the adversary can observe a distribution $F = \{f_1, f_2, \ldots, f_n\}$ and a corresponding distribution F′ for packet trace P′. We say that the packet error rate induced by running DenaLi achieves deniability if the adversary cannot succeed in distinguishing F and F′ with a probability greater than 1/2 + ε. By defining ε according to the
[Figure 7 plots: probability of error (y-axis) versus bit position (x-axis) in three panels.]
(a) The bit-error distribution from the perspective of the DenaLi sender, given a 23 KB message and a 70-byte TUN MTU.
(b) Natural bit error distribution.
(c) The bit error distribution after the DenaLi perturbation from (a) is added.
Figure 7: Bit-error distribution in an injected DenaLi frame at the sender, and bit error distributions as viewed at a monitor, with and without injected DenaLi frames.
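The ε measure defined in Section 6.2, computed from per-frame error positions, as an added example that is not the authors' evaluation code. It assumes the errored bit positions of each corrupted frame are already known (for instance from comparison with the uncorrupted frame), and the two traces are constructed.

```python
import math


def bit_error_distribution(frames, nbits):
    """Per-position error probability over a trace of corrupted frames.

    frames: iterable of collections of errored bit positions, one per frame.
    """
    counts = [0] * nbits
    total = 0
    for positions in frames:
        total += 1
        for pos in set(positions):
            if 0 <= pos < nbits:
                counts[pos] += 1
    if total == 0:
        raise ValueError("trace contains no corrupted frames")
    return [c / total for c in counts]


def pearson(f, g):
    """Pearson correlation coefficient cov(f, g) / (sigma_f * sigma_g)."""
    if len(f) != len(g) or len(f) < 2:
        raise ValueError("distributions must cover the same bit positions")
    n = len(f)
    mean_f, mean_g = sum(f) / n, sum(g) / n
    cov = sum((a - mean_f) * (b - mean_g) for a, b in zip(f, g)) / n
    sigma_f = math.sqrt(sum((a - mean_f) ** 2 for a in f) / n)
    sigma_g = math.sqrt(sum((b - mean_g) ** 2 for b in g) / n)
    if sigma_f == 0 or sigma_g == 0:
        raise ValueError("a flat distribution has no defined correlation")
    return cov / (sigma_f * sigma_g)


def epsilon(f, g):
    """epsilon = 1/2 - cov(f, f') / (2 sigma_f sigma_f'), as in Section 6.2."""
    return 0.5 - pearson(f, g) / 2


# Constructed traces over an 8-bit frame: errored bit positions per corrupted frame.
NATURAL = [{0, 1}, {1, 2}, {5}, {1}]
WITH_INJECTION = NATURAL + [{4, 5, 6, 7}]   # one extra frame carrying a 4-bit burst


def demo():
    """ε between the constructed natural trace and the trace with one injected burst."""
    f = bit_error_distribution(NATURAL, 8)
    f_prime = bit_error_distribution(WITH_INJECTION, 8)
    return epsilon(f, f_prime)
```

Because the Pearson coefficient ignores shifts and rescaling, a uniform rise in error probability across all bit positions leaves ε at zero, which is why the packet error rate is compared separately.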
distance between these two distributions, we can determine the number of corrupted packets that a DenaLi sender can inject subject to an upper bound on ε. In principle, a DenaLi sender can detect the average packet error rate for some time interval and transmit corrupted packets in a way that tracks this packet error rate within some bound of ε. For the purposes of our evaluation, we have fixed the packet error rate, but in practice it might vary. Because packet corruption is a local phenomenon that is erratic and unpredictable, fine-grained control over this statistic may not be necessary or useful in practice.

6.3 Evaluating Deniability vs. Throughput

In this section, we evaluate the tradeoff between deniability and throughput of the DenaLi channel using our prototype implementation. We first describe the experimental setup and then present the results.

6.3.1 Experimental setup

We design an experiment with a sender, a receiver, and a single adversary. Each device is a laptop, where the sender and receiver are configured as described in Section 5. The sender generates cover traffic by browsing Gmail over a secure HTTP connection. The adversary is a third laptop with a wireless interface card configured in monitor mode. We locate the adversary in close proximity to the receiver, which, as we described in Section 3, is the place where
the adversary has the highest probability of detection. We assume that the adversary has only a single monitor. Each node in the setup collects packet traces and records the corresponding packet error rates and bit error distributions, allowing us to see these statistics at the sender, receiver, and the adversary.

6.3.2 Results

We first study the bit-error distributions that result from injecting chunks of hidden messages for a 70-byte MTU for the TUN device. Next, we study how this injected error distribution looks when viewed from the adversary, modeled as a monitor located near the receiver. Finally, to measure how throughput varies with deniability, we explore the relationship between the throughput of the DenaLi channel and the Pearson correlation coefficient between the normal bit error distribution and perturbed bit error distribution as seen at the adversary and the resulting throughput of the hidden message for the corresponding perturbation.

Figure 7a shows the bit-error distribution that results from injecting about 23 KB of a hidden message across a sequence of wireless frames, assuming a 70-byte MTU for the TUN device. We choose this size for the TUN MTU because previous studies [12] have shown that about 75% of corrupted packets have bit errors that are less than 400 bits, and a 70-byte MTU and 256-bit HMAC corrupts at most 100 bytes.

Figure 7b shows the original bit error distribution for chaff traffic, as viewed from the monitor; Figure 7c shows a similar distribution after DenaLi has injected a hidden message; as the figures show, the two distributions are essentially indistinguishable. For such a configuration, given “chaff” traffic throughput of about 2 Mbps and a packet error rate of every thousandth packet, DenaLi achieves a hidden message rate of about 6 bps. Although the two bit error distributions are not identical, they are reasonably close to one another. The Pearson correlation coefficient between these two distributions was 0.99801, yielding an ε value on the order of $10^{-4}$. Part of the reason that the two distributions are so close is the relatively low throughput that we have chosen for the DenaLi channel. In the rest of this section, we further explore the tradeoff between the level of deniability that the DenaLi channel provides and the throughput that it achieves.

Our goal in the first experiment was to demonstrate DenaLi’s ability to achieve deniability with respect to bit error distributions. We control the frequency and the extent of corruption so that the corruption is natural. Because the channel may further corrupt bits in the frame, we are conservative in how we corrupt bits in the frame, which naturally restricts throughput. We now explore how a sender can achieve higher throughput in exchange for less deniability (i.e., a larger ε value). We inject one packet for every 10,000 frames of cover traffic. This packet injection rate clearly limits the maximum throughput we can achieve to (at most) 0.0001 of the throughput of the cover traffic, making the two distributions indistinguishable to the adversary. Figure 8 shows how ε varies as we increase the TUN MTU (i.e., throughput of the DenaLi channel). Naturally, ε increases with MTU. The throughput of the DenaLi channel is also directly proportional to both the throughput at which the chaff traffic is being sent and the packet error rate.

[Figure 8 plot: ε (y-axis) versus MTU in bytes (x-axis).]
Figure 8: ε vs. TUN MTU (i.e., injected frame size). We varied MTU sizes to achieve different throughput. Large TUN MTU values result in larger ε values and are less deniable.

Finally, we study how the throughput of the DenaLi channel varies as we vary the packet error rate. To explore a range of packet error rates, we draw from the range of bit error rates reported in the PPR study [14] and convert these observed rates to the corresponding packet error rates in this operating regime. For this experiment, we fix the MTU of the TUN interface to 70 bytes and send SSL chaff traffic by uploading a large file to a Gmail server while varying the packet injection rate (i.e., the rate at which we inject corrupted frames containing hidden messages). Note that fixing the packet error rate and the MTU size is a rough mechanism for controlling ε, since the deviation is controlled by the size of the DenaLi block size (i.e., the TUN MTU). We then measure the corresponding throughput (which is directly proportional to the throughput of the chaff traffic). Table 1 shows how the throughput of the DenaLi channel varies with packet error rates for a range of operating regimes. The channel efficiency is similar to previous experiments; as expected, the bit rate of the channel increases as the channel noise increases, as a noisier channel affords more opportunities to inject corrupted frames without deviating from “normal” packet corruption profiles. We caution that although traffic rates appear faster, the increase comes at the cost of deniability, as we showed in Figure 8.

BER      PER     Throughput (bps)
10^-4    0.7     427.4
10^-5    0.1     103.6
10^-6    0.05    42.98

Table 1: Bit error rates, approximate corresponding packet error rates assuming 1500-byte packets, and the resulting DenaLi throughput given a 70-byte TUN MTU. We test a range of bit error rates that are observed in practice [14].

7 Discussion

Here we discuss open issues, including both weaknesses with the current DenaLi design and avenues for future research.

Coping with limited wireless bandwidth. Our experiments show that the cover traffic overhead for DenaLi is anywhere from about 10:1 (for high ε) to 100:1 (for low ε), depending on the burst of errors introduced and the frequency at which they are injected. In any case, the amount of cover traffic required to achieve deniability is significant, and it may be prohibitive in settings where users bear