Extracting a Secret Key from a Wireless Channel (Suhas Mathur, presentation slides)


SLIDE 1

Extracting a Secret Key from a Wireless Channel

Suhas Mathur

suhas@winlab.rutgers.edu

W. Trappe, N. Mandayam (WINLAB)

Chunxuan Ye, Alex Reznik (InterDigital)

Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 1 / 28

SLIDE 2

Introduction

SLIDE 6

Alice & Bob have never met.

They’d like to exchange a secret message.

But they don’t share a secret key.

[Diagram: Alice, Bob and Eve]

SLIDE 7

[Diagram: Alice ? Bob, with Eve]

SLIDE 9

Diffie Hellman key exchange!

[Diagram: Alice ⇄ Bob, with Eve]

Computational Secrecy (Computationally bounded Eve)

k = key, Y = Eve’s observations

It ’should be computationally infeasible’ to compute k from Y.

SLIDE 11

[Diagram: Alice and Bob joined by a RANDOMLY VARYING CHANNEL BETWEEN ALICE AND BOB, with Eve]

Unconditional secrecy (Computationally unbounded Eve)

H(k|Y) = H(k).

Y is useless to the attacker in computing any useful information about k.

SLIDE 14

[Maurer ’93] and [Ahlswede & Csiszar ’93] showed correlated random variables can be used to derive keys by public discussion

↓

Quantum Key Distribution

Everyday wireless channels can enable this!

SLIDE 18

Summary of fading wireless channels

Fading is a multiplicative distortion h(t) due to the channel that is

  • Random
  • Time varying
  • Reciprocal (Alice → Bob ≡ Alice ← Bob)

[Plot: h(t)]

The fading parameter h(t) decorrelates in space and time

  • Space: Over distances of ∼ λ/2 (= 6 cm @ 2.4 GHz)
  • Time: Over one coherence time Tc ∝ 1/fd (fd ≈ 10 Hz @ 1 m/s)

SLIDE 19

So how do Alice and Bob actually obtain identical secret bits?

SLIDE 27

First, they probe the channel many times

[Diagram: Alice and Bob alternately send probes (→ ← → ←) over the channel h(t)]

Alice: X1, X2, ..., Xn    X^n = {X1, ..., Xn}

Bob: Y1, Y2, ..., Yn    Y^n = {Y1, ..., Yn}

[Plot: curves labelled Alice and Bob]

Eve overhears Z^n, which is uncorrelated with X^n and Y^n

SLIDE 29

Then they each locally compute thresholds

Thresholds

  q+ = median + α · SD
  q− = median − α · SD

⇒ One-bit quantizer

  Q(x) = 1 if x > q+
         0 if x < q−

[Plot: thresholds q+ and q−, with a positive excursion and a negative excursion marked]

m = Min # of points to be considered an excursion

SLIDE 38

[Plot: X^n and Y^n with thresholds q+ and q−; positive excursions and a negative excursion marked]

Alice (X^n):

  • Find locations of excursions in X^n of size ≥ m. e.g. {6, 27, 42, 52, 64, 98, ...}
  • Send a random subset to Bob: L = {6, 42, 52, 98, ...}

Alice → Bob: L

Bob (Y^n):

  • Find those indices L̃ ⊆ L where Y^n has excursions. L̃ = {6, 52, ...}
  • If |L̃|/|L| < 1/2 + ε for some 0 < ε < 1/2, declare attack & abort.
  • ELSE: Quantize Y^n at indices in L̃ {1011010..}. First N bits = for MAC. Remaining bits = secret key.
  • Send L̃, MAC to Alice.

Bob → Alice: L̃, MAC

Alice (X^n):

  • Quantize X^n at indices in L̃ {1011010..}
  • Verify MAC using first N bits
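The exchange on this slide as an added Python example (not code from the presentation). The sample channel `PATTERN`/`X`/`Y`, HMAC-SHA256 as the MAC, using each excursion's centre index as its location, and Bob testing the same m-sample window as Alice are assumptions of the example.

```python
import hashlib, hmac, random, statistics

def sides(s, alpha):
    """1 above q+, 0 below q-, None in between (q+/- = median +/- alpha*SD)."""
    med, sd = statistics.median(s), statistics.pstdev(s)
    return [1 if x > med + alpha * sd else 0 if x < med - alpha * sd else None for x in s]

def excursions(s, m, alpha):
    """Centre index of each maximal run of >= m samples beyond one threshold."""
    side, out, start = sides(s, alpha), [], 0
    for i in range(1, len(side) + 1):
        if i == len(side) or side[i] != side[start]:
            if side[start] is not None and i - start >= m:
                out.append(start + (i - start - 1) // 2)
            start = i
    return out

def quantize(s, idx, m, alpha):
    """Per index: the bit if the m samples centred there are one excursion, else None."""
    side, out = sides(s, alpha), []
    for i in idx:
        lo = i - (m - 1) // 2
        w = side[lo:lo + m] if lo >= 0 else []
        out.append(w[0] if len(w) == m and len(set(w)) == 1 else None)
    return out

def mac(bits, l_t):  # HMAC-SHA256 is this example's choice of MAC
    return hmac.new(bytes(bits), repr(l_t).encode(), hashlib.sha256).digest()

def bob(y, L, m, alpha, n_mac, eps=0.1):
    """Bob: build L-tilde, run the abort test, split bits into MAC bits and key."""
    got = quantize(y, L, m, alpha)
    l_t = [i for i, b in zip(L, got) if b is not None]
    if not L or len(l_t) / len(L) < 0.5 + eps:
        raise ValueError("attack declared, abort")
    bits = [b for b in got if b is not None]
    return l_t, mac(bits[:n_mac], l_t), bits[n_mac:]

def alice_finish(x, l_t, tag, m, alpha, n_mac):
    """Alice: quantize X^n at L-tilde and verify Bob's MAC with the first N bits."""
    bits = quantize(x, l_t, m, alpha)
    if None in bits or not hmac.compare_digest(tag, mac(bits[:n_mac], l_t)):
        raise ValueError("MAC check failed")
    return bits[n_mac:]

# Constructed sample data: each symbol of PATTERN is one fade held for 4 probes.
PATTERN = "+-++-+--+-++--+-+--++-+-"
X = [a * (1.0 if c == "+" else -1.0) for c in PATTERN for a in (0.0, 0.9, 1.0, 1.1, 0.9, 0.0)]
Y = [v + 0.025 * ((7 * i) % 5 - 2) for i, v in enumerate(X)]  # Bob: same fades + noise
L = sorted(random.Random(1).sample(excursions(X, 4, 0.5), 18))  # Alice's random subset
```

`bob(Y, L, 4, 0.5, 8)` returns L̃, the MAC and Bob's key bits; `alice_finish(X, ...)` returns the same key bits, or raises if the MAC does not verify.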

SLIDE 39

How well does this work?

SLIDE 42

How many secret bits / sec ?

Secret bit rate ≈ Rate of channel variation (Doppler)

At 2.4 GHz, 1 m/s, Secret bit rate ≈ Doppler ≈ 10 s-bits/sec

[Plot (Doppler = 10 Hz): secret bits / sec against probes / sec (×10^3), one curve per min. excursion size: 2, 8, 20]

What secret bit rate do we need?

Renew a 256 bit key every hour → 0.08 bits/sec

SLIDE 43

Prob. of error

[Plot: prob. of error (log10 scale) against value of m, curves for 0 dB, 10 dB, 20 dB, 30 dB, 40 dB]

SLIDE 44

Prob. of error

SLIDE 45

What if Eve causes trouble? (Active attacks)

SLIDE 49

Attack 1: Fake L or L̃ messages

1. The integrity of L̃ is protected by msg auth. code (MAC)

  • Eve doesn't have the N bits needed for MAC
  • But Alice does (from L̃ and X^n)

2. Modification of L:

  • Can reveal Eve to Alice, by causing L̃ L.

What if Eve plays a man-in-the-middle attack from the very beginning?

Man-in-the-middle

Cannot be protected against without mutual authentication.

SLIDE 51

Attack 2: Eve inserts her own probes

1. Test each received probe for similarity against the last few probes [Xiao’08]

  • Hypothesis test
  • Non-zero prob. of miss and false alarm

2. Use two separate one-way hash-chains

One-way hash chain (f(·) = one-way fn.)

  build →:   w_n --f(·)--> w_{n−1} --f(·)--> ... --f(·)--> w_1
  ← reveal

  • Apply f(·) to w_i in probe i to verify source
  • A simple but crypto-based solution
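One way to implement the hash-chain check from this slide, as an added example (not code from the presentation): SHA-256 stands in for f(·), and `ProbeVerifier` with its `max_gap` tolerance for lost probes is a hypothetical helper. Each direction uses its own chain, so Alice and Bob each build one and verify the other's.

```python
import hashlib, hmac, os

def f(w):
    """The one-way function f(.); SHA-256 is this example's choice."""
    return hashlib.sha256(w).digest()

def build_chain(n):
    """Return [w_1, ..., w_n]: w_n is random and w_(i-1) = f(w_i)."""
    chain = [os.urandom(32)]
    for _ in range(n - 1):
        chain.append(f(chain[-1]))
    return chain[::-1]          # revealed in the order w_1, w_2, ..., w_n

class ProbeVerifier:
    """Receiver state for one direction; the peer keeps its own for the other chain."""

    def __init__(self, max_gap=3):
        self.last = None        # most recently accepted chain value
        self.max_gap = max_gap  # number of consecutive lost probes tolerated

    def accept(self, w):
        """True if probe value w hashes forward to the last accepted value."""
        if self.last is None:   # first probe: nothing to check against yet
            self.last = w
            return True
        v = w
        for _ in range(self.max_gap + 1):
            v = f(v)            # f(w_i) = w_(i-1), f(f(w_i)) = w_(i-2), ...
            if hmac.compare_digest(v, self.last):
                self.last = w
                return True
        return False            # not from the chain's owner, or a replay: drop the probe
```

The first probe is accepted without a check, so the chain only ties later probes to whoever sent the first one.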

SLIDE 52

Experimental validation using 802.11 (Two methods)

SLIDE 54

Method 1: Using CIR from customized h/w

1. 64-point Channel Impulse Response from preamble
2. We use only the tallest peak in the CIR
3. Bob sends PROBE request every 110 msec
4. Alice sends PROBE response
5. Eve listens in on Alice
6. 5.26 GHz channel

SLIDE 55

Experimental setup for the CIR-method

SLIDE 56

Method 1: Using CIR from customized h/w

[Plot: Alice’s CIR, Bob’s CIR and Eve’s CIR, with thresholds q+ and q− and the "1" bits and "0" bits marked]

Key generated by Alice: 10101011010011001011010010100100010010001010101101010101010

Key generated by Bob: 10101011010011001011010010100100010010001010101101010101010

Key inferred by Eve: 00100100101000101110010101000110011010100001101101111011010

Indoors, 1.13 s-bits/sec error-free

SLIDE 57

Where can channel-based secret keys be used?

SLIDE 58

Some applications

Can be used to generate fresh session keys in 802.11:

  • Session keys in 802.11i are linked to authentication credentials.
  • Keys for newer sessions depend upon older sessions.

All messages prior to getting session keys are sent in the clear!

In an ad-hoc network, Alice may not care who Bob is.

  • Building trust-based relationships.

SLIDE 59

Summary

The channel contains valuable info that can enhance confidentiality and authentication in a practical way.

Existing wireless platforms already have access to this info

  • But usually thrown away at PHY layer.
  • Can instead be preserved & utilized at higher layers.

Future standards: MIMO, OFDM, TDD are ideally suited.

  • Channel info. readily available

SLIDE 60

Questions?