
Threats Identification and their Solution in Inter-Basestation Dynamic Resource Sharing IEEE-802.22
Rakhshanda Shaukat
College of Signals, NUST
Rawalpindi Cantt, Pakistan
rakhshanda@mcs.edu.pk
Shoab Ahmed Khan
College of E & ME, NUST
Rawalpindi, Pakistan
kshoab@yahoo.com
Attiq Ahmed
College of Signals, NUST
Rawalpindi Cantt, Pakistan
attiq-mcs@nust.edu.pk
Abstract
Cognitive Radio based IEEE 802.22 deploys the concept of maximum resource utilization through dynamic resource sharing. Inter base station resource sharing is a dynamic process in IEEE 802.22 and is accomplished by the exchange of control messages between neighboring base stations. Insecure transmission of control channels opens vulnerable holes for Denial of Service attacks on the base station. First, the paper identifies the rogue base station and replay attacks during resource sharing between base stations that can snatch resources from the renter base station. Then the paper presents a hybrid approach of timestamp, nonce and Digital Signature to authenticate the sender and avoid the attacks.
1. Introduction
Inter-Base Station Dynamic Resource Sharing (IBDRS) increases network performance and provides maximum opportunities to use the TV band spectrum by utilizing unused frequency bands [1]. The Base Stations (BS) share their free channels for load balancing. A BS serving a specific region may be overloaded with heavy traffic coming from the Consumer Premises Equipments (CPE) in the form of upstream data. In this case, starvation of frequency channels may occur at the BS, and some of the CPEs may not be served properly.
Cognitive Radio (CR) based IEEE 802.22 provides the facility for BSs to share their available frequency bands. A BS that has access to channels can advertise the list of free channels to its neighboring BSs, which can use this opportunity to fulfill their own requirements. In IEEE 802.22 the advertiser of the free channels is defined as the "Offerer" and the one that borrows the channels is called the "Renter". The procedure to share bands dynamically should follow the etiquettes to avoid interference with the channels used in neighboring cells [1].
Different schemes have been proposed for channel sharing between adjacent cells, such as Fixed Channel Assignment (FCA), Dynamic Channel Assignment (DCA) and Hybrid Channel Assignment (HCA) [2]. Virtual Channel Borrowing (VCB) is also proposed in [2]; it allows virtual resource sharing without moving the channel physically from one cell to another.
Although there are different schemes and IEEE 802.22 also uses these concepts, the channel sharing control messages between BSs are vulnerable to attacks. The transmitted control messages do not contain any security parameter and are unencrypted. They give the attacker the opportunity to manipulate these messages for Denial of Service (DoS) attacks at the renter BS. In IEEE 802.22 IBDRS, a DoS attack degrades the network performance by creating forged messages. This paper presents a hybrid approach, a combination of timestamp, nonce and Digital Signature (DS), to prevent the attacks.
This paper presents the frame structure of the control messages, their weaknesses and possible attacks, along with their solution. Section 2 describes the frame structure and flow of control messages for IBDRS. Section 3 elaborates the control packet vulnerabilities that can be exploited by attackers. Section 4 presents a solution to secure the control message exchange between BSs. Finally, the paper is concluded in Section 5.
2. MAC layer frames and their flow
Wireless Regional Area Network (WRAN) spectrum etiquettes in [1] completely describe the frame structure and the IBDRS. During IBDRS four types of messages are exchanged between neighboring BSs.
Channel Advertisement
Rent Request
Resource Allocation
Acknowledgement

International Conference on Convergence and Hybrid Information Technology 2008
978-0-7695-3328-5/08 $25.00 2008 IEEE
DOI 10.1109/ICHIT.55
DOI 10.1109/ICHIT.2008.208

The flow of these messages is shown in Figure 1. The Offerer BS (BSO), having an excess of frequency channels, advertises the list of free channels to its neighbors. Here an excess of channels means that the traffic load on the BS is very low and it has free channels that can be consumed by other overloaded BSs.
In answer to the advertisement, an overloaded BS requests the channel through the rent request. The Renter BS (BSR) specifies the number of channels it requires. Upon receiving the rent request, the BSO grants access to the channels through the Allocation message. Finally, the BSR acknowledges the response of the BSO. This is a simple scenario of resource sharing between BSs.

Figure 1. Inter Base Station Dynamic Resource Sharing Message exchange
The channel advertisement is achieved through the Resource Sharing (RS) field of the Superframe Control Header (SCH) [3], while the other messages are transmitted in separate frame formats that are available in [1].
Resource allocation is one step; the other step is to release the resources. Allocated resources can be released in response to two types of requests.
Resource Return request message
Resource Collection request message
Resource Return request messages are initiated by the BSR when it no longer needs the resource. In reply, the BSO sends a resource return response and gets back the resources from the BSR. The BSR completes the process through an acknowledgement message. The resource collection request message, in contrast, is initiated by the BSO when it is overloaded and wants to utilize more channels to fulfill its requirements. In this case, the BSR transmits the response message and the BSO acknowledges the response. The channel acquiring process is the same as explained in Figure 1. The complete process of resource release is shown in Figure 2.
[Figure 2: message sequence diagrams between Renter BS and Offerer BS. (a) Resource Return control message flow: Resource Rent Request, Resource Return Response, Acknowledgement. (b) Resource Collection control message flow: Resource Collection Request, Resource Collection Response, Acknowledgement.]
Figure 2. Channel Release Requests
The security concern is not with the sequence of packet transmission but with the message contents that are transmitted. The resource release messages are transmitted in the following format.
Resource Return Messages:
Resource Return Request
BSR -> BSO : Message type | BSR ID | No. of channels
Resource Return Response
BSO -> BSR : Message type | BSO ID | Confirmation code
Resource Return Acknowledgement
BSR -> BSO : Message type | BSR ID | Confirmation code
Resource Collection Messages:
Resource Collection Request
BSO -> BSR : Message type | BSO ID | No. of channels
Resource Collection Response
BSR -> BSO : Message type | BSR ID | Confirmation code
Resource Collection Acknowledgement
BSO -> BSR : Message type | BSO ID | Confirmation code
3. Potential attacks
In wireless communication it is very easy to sniff the transmitted packets. The whole security lies in packet level protection, so that no one can understand and manipulate the packets to spoil the network performance, and this security can be achieved through cryptographic factors. A number of papers have been published on the threats and security of wireless communication [4, 5, 6].
The above section introduced the message flow and the packet contents of the transmitted messages for the resource release request for IBDRS in IEEE 802.22. It can be seen that the messages do not contain any security parameters that can protect them from attackers. This paper presents two types of attacks on MAC layer channel release messages that cause a DoS attack on the Renter BS.
Rogue Base station attack
Replay attack
The complete scenarios to carry out these attacks are explained as follows.
3.1. Rogue Base Station attack
An attacker in the middle of the communication between BSO and BSR can transmit the release request in two ways. The attacker can impersonate the Renter and send a resource return message to the Offerer. Alternatively, he can impersonate the Offerer and request resource collection. For the attacker, generation and transmission of request messages is not an issue because of the insecure wireless media. He can generate the same packets with the original BS-IDs and forge the network. Figure 3 explains how the attacker can cause a DoS attack by releasing the resources from the Renter.
Insecure management messages make it easy for the attacker to get the BS-IDs and the number of channels negotiated between Renter and Offerer during the resource allocation process. The attacker exploits this information and sends counterfeit messages.
For example, during the channel negotiation process, the attacker sniffs the IDs of both BSO and BSR. After channel allocation, when the BSR starts using those channels to satisfy its requirement, the attacker generates a fake resource return message using the BSR ID and the number of channels shared between the neighboring BSs (Offerer and Renter), which he has already sniffed, and transmits it to the BSO. It is not possible for the BSO to validate the authenticity of the received packet because of deficient security parameters. The BSO generates the resource return response and transmits it to the BSR. The attacker himself generates the acknowledgement message and confirms the release of resources. The attacker can pursue the same procedure as Offerer and send forged resource collection messages to the Renter. The process of forgery as forged BSO and BSR is explained in Figure 3.
3.2. Replay Attack
In a replay attack, an attacker captures packets and retransmits them maliciously after some time to misuse the network resources. Researchers have done great work to circumvent replay attacks [4, 5, 6, 7] but unfortunately, IBDRS in IEEE 802.22 encounters the same problem.
In the above mentioned attack, the attacker has to generate the packets on his own, but a replay attack lets the attacker store the transmitted packets and retransmit them after a certain time to cause DoS in the case of IBDRS. As an example, BSO and BSR negotiate with each other and share the resources, and after utilization of the resources, BSR releases the channel through a resource return request at some time T0. The attacker accumulates the transmitted request and its response. In future, whenever resources are shared between BSO and BSR, the attacker replays the stored packets of the resource return request, and BSO gets back the resources, considering it a valid request from the BSR.
The attacker can launch the replay attack even at the BSR, sending a resource collection request stored at some time T0 and replayed later at some time T6. Figure 4 explains both scenarios of replaying the resource return request and the resource collection request.
4. Proposed solution
Unauthenticated management messages introduce the vulnerabilities for DoS attack in the form of rogue BS and replay attacks. To overcome these attacks, this paper presents a hybrid approach of three parameters to secure the network resource sharing.
Timestamp
Nonce
Digital Signature
Introducing only one of the above mentioned parameters is still vulnerable to threats. However, the combined approach lowers the threat level and provides authenticated resource sharing between neighboring BSs.
Figure 3. Attacker impersonations as Offerer to get back the resource from Renter on right side. Attacker impersonation as Renter to give back the resource to Offerer after use on left side
4.1. Timestamp
A timestamp [8] is the combination of the date and time of the sender. It is helpful in avoiding replay attacks. On receiving a packet from the sender, the receiver can check the timestamp to validate whether it is a currently generated packet or an old one.
As shown in Figure 4, the attacker first stores the packets and then retransmits them after a certain time. Introducing a timestamp in the release request packet format gives the receiver an edge to confirm that the packet is newly generated. Packets with old timestamps will be discarded by the receiver. As the timestamp is automatically generated by the system and does not involve any interference from the user, it cannot be manipulated by the attacker. In conclusion, the timestamp helps to prevent replay attacks.
Figure 4. Attacker replay attack as Offerer to get back the resource from Renter on left side. Attacker replay attack as Renter to give back the resource to Offerer after use on right side
4.2. Nonce
Although the timestamp is helpful to avoid replay attacks, there is a possibility that the attacker can synchronize his system clock with the sender's clock so that replayed messages seem to be new ones. To prevent such a situation, a nonce is helpful. A nonce can be generated in many ways, but for the proposed solution a pseudo random nonce is recommended so that the nonce for upcoming packets cannot be predicted. Nonce generation is a separate research issue and is explained in [9].
From Figure 4, it can be seen that the attacker can sniff and store the transmitted packets and can also retransmit these packets for the release request both to the Offerer and to the Renter. Introducing the nonce helps to detect such stored and repeated requests. The main property of the nonce is that it is not repeated, and each upcoming packet contains a new nonce. On receiving a repeated nonce, the receiver will discard the packet and will be safe from the fake resource release requests.
The packet format including timestamp and nonce, along with their flow during the resource release procedure, is as follows.
Resource Return Messages:
Resource Return Request
BSR -> BSO : N_R | Timestamp | Message type | BSR ID | No. of channels
Resource Return Reply
BSO -> BSR : N_R | N_O | Timestamp | Message type | BSO ID | No. of channels
Resource Return Acknowledgment
BSR -> BSO : N_O | N'_R | Timestamp | Message type | BSR ID | No. of channels
Resource Collection Messages:
Resource Collection Request
BSO -> BSR : N_O | Timestamp | Message type | BSO ID | No. of channels
Resource Return Reply
BSR -> BSO : N_O | N_R | Timestamp | Message type | BSR ID | No. of channels
Resource Return Acknowledgment
BSO -> BSR : N_R | N'_O | Timestamp | Message type | BSO ID | No. of channels
4.3. Digital Signature
Digital Signatures are used to authenticate the sender and to detect alteration of the received packet [10]. Implementing DS based authentication of the sender is effective to avoid the above mentioned attacks even if the timestamp and nonce are compromised by the attacker.
For example, BSO wants to take the resources back. It will hash [11] the complete packet and sign it by encrypting the hashed packet with its private key. The DS will be appended to the packet and transmitted to the BSR. The BSR will separate the DS from the received packet and decrypt it with BSO's public key. The BSR will also apply the same hashing algorithm to the plain format packet, and the resulting hashed packet should be the same as the decrypted DS.
In this scenario, if an attacker succeeds in predicting the nonce and timestamp, even then the BSR will discard the message because the decrypted DS and hashed packet will not be the same. This is because the attacker cannot have the private key of the BSO.
Similarly, the BSR will request the resource return with a message signed with its private key so that the attacker cannot misuse the transmitted information. The complete frame format of the resource release messages is shown in Figure 5.
[Figure 5: frame layout. Fields in order: Digital Signature | Nonce | Time Stamp | Management Message Type | BS Identifier | Number of Channels. A span in the figure is labelled "Plain Management Message".]
Figure 5. Transmitted Packet format signed with private key of sender
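The receiver-side checks of Sections 4.1 to 4.3 combined into one acceptance routine, as an added example that is not code from the paper or from IEEE 802.22. The 16-byte nonce, field widths, 5-second window, message type code, BS ID and the demo RSA key are all assumptions constructed here; the unpadded "encrypt the hash" signature mirrors the paper's wording and stands in for a standard scheme such as DSS [10].

```python
import hashlib, os, struct

# Demo-only RSA key from two Mersenne primes (constructed for this example;
# trivially factorable, never use it outside a demonstration).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
MAX_SKEW = 5.0                      # assumed freshness window, seconds
FMT = ">dBHB"                       # timestamp, message type, BS ID, channels

def encode(nonce, ts, msg_type, bs_id, channels):
    # Field order from the paper: Nonce | Timestamp | Message type | BS ID | No. of channels
    return nonce + struct.pack(FMT, ts, msg_type, bs_id, channels)

def digest(packet):
    return int.from_bytes(hashlib.sha256(packet).digest(), "big")

def sign(packet, d=D, n=N):
    # Hash the packet, then apply the private key to the hash (textbook RSA, no padding)
    return pow(digest(packet), d, n)

class Receiver:
    def __init__(self, peer_keys):
        self.peer_keys = peer_keys   # bs_id -> (e, n) public key of each neighbour
        self.seen = {}               # nonce -> timestamp of the packet that carried it

    def accept(self, packet, sig, now):
        if len(packet) != 16 + struct.calcsize(FMT):
            return "malformed"
        nonce = packet[:16]
        ts, _msg_type, bs_id, _channels = struct.unpack(FMT, packet[16:])
        key = self.peer_keys.get(bs_id)
        # 1. Signature: rejects the rogue BS, which lacks the sender's private key
        if key is None or pow(sig, key[0], key[1]) != digest(packet):
            return "bad-signature"
        # 2. Timestamp: a capture replayed after the window is rejected
        if abs(now - ts) > MAX_SKEW:
            return "stale-timestamp"
        # 3. Nonce: a capture replayed inside the window is rejected. Entries older
        #    than the window are already covered by check 2 and can be forgotten.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "replayed-nonce"
        self.seen[nonce] = ts
        return "ok"

def demo():
    bso_id, t0 = 0x0101, 1000.0                      # constructed BS ID and clock value
    bsr = Receiver({bso_id: (E, N)})                 # Renter holds the Offerer's public key
    pkt = encode(os.urandom(16), t0, 5, bso_id, 3)   # 5 = hypothetical message type code
    sig = sign(pkt)
    forged = encode(os.urandom(16), t0 + 2, 5, bso_id, 3)  # new packet, old signature
    # genuine request, replay inside the window, replay long after T0
    results = [bsr.accept(pkt, sig, t0 + dt) for dt in (0.2, 1.0, 60.0)]
    return results + [bsr.accept(forged, sig, t0 + 2.0)]
```

The signature is checked first so that an unauthenticated packet can never insert a nonce into the cache, and the timestamp window is what keeps that cache bounded.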
5. Conclusion
The proposed solution provides a secure mechanism for the channel sharing negotiation process. It overcomes the vulnerabilities in inter-BS dynamic resource sharing. Although the proposed solution adds extra payload to the message format, it saves a lot of resources that could otherwise be dissipated by attackers. The attacker can manipulate the messages to cause DoS through rogue base station and replay attacks. The proposed solution is effective because the timestamp and nonce combination gives the base station the ability to distinguish newly generated packets from replayed ones. Manipulation of the nonce and timestamp can be detected because the proposed solution is based on public key cryptography, and it is not possible for any attacker to generate the DS of the authenticated sender.
References
[1] IEEE-802.22 draft standard, "IEEE P802.22 Wireless RAN, Spectrum Etiquettes", doc.: IEEE 802.22-07/23r01, Jan. 2007.
[2] Khaldoun Al Agha, Guy Pujolle, "VCB: An Efficient Resource Sharing Scheme for Cellular Mobile Systems", University of Paris, France, Jan. 2000.
[3] Carlos Cordeiro, Kiran Challapali, and Dagnachew Birru, "IEEE 802.22: An Introduction to the First Wireless Standard based on Cognitive Radios", Philips Research North America/Wireless Communication and Networking Dept, USA, April 2006.
[4] Changhua He, John C. Mitchell, "Security Analysis and Improvements for IEEE 802.11i", Stanford University, Stanford.
[5] Paul Syverson, "Taxonomy of Replay Attacks", Naval Research Laboratory, Washington.
[6] Jamshed Hasan, "Security Issues of IEEE 802.16 (WiMAX)", School of Computer and Information Science, Edith Cowan University, Australia.
[7] Sen Xu, Chin-Tser Huang, "Attacks on PKM Protocols of IEEE 802.16 and Its Later Versions", University of South Carolina, USA.
[8] "Timestamp", http://en.wikipedia.org/wiki/Timestamp.
[9] Dean Rosenzweig, Davor Runje, Wolfram Schulte, "Model-Based Testing of cryptographic protocols", University of Zagreb.
[10] Raymond G. Kammer, William M. Daley, "Digital Signature Standard (DSS)", U.S. Department of Commerce, National Institute of Standards and Technology.
[11] Federal Information Processing Standards: "Secure Hash Standard", Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, June 2007.
