Extraction from Wireless Signal Strength in Real Environments Suman - - PowerPoint PPT Presentation

On the Effectiveness of Secret Key Extraction from Wireless Signal Strength in Real Environments

Suman Jana, Sriram Nandha Premnath Mike Clark, Sneha K. Kasera, Neal Patwari University of Utah Srikanth V. Krishnamurthy University of California, Riverside

 wireless nodes, Alice & Bob, need to share

secret key

 concerns with public key cryptography  quantum cryptography – too expensive  less expensive solution - use inherent

randomness in wireless channel to extract secret key bits

Problem Definition

2

 measured reciprocally at Alice, Bob  when away by more than few multiples of

wavelength, Eve cannot measure same channel

 channel varies with time

Wireless Channel Characteristics

3

Use of Received Signal Strength (RSS)

4

 Alice, Bob expected to see

“identical” RSS variations [Stutzman „82]

 realistically, they must deal with

lack of perfect reciprocity

Probe Exchange & RSS Measurement

Alice Bob Eve

RSS Variations

Alice Bob

RSS Variations

Eve

Related Work

Mathur ‟08, Li ‟06, Aono ‟05

 extract single bit per measurement  experimental results from limited indoor settings  Alice, Bob do not communicate to handle mismatches

will result in key disagreement in large number of cases

Azimi-Sadjadi ‟07

 suggested using 2 stages from quantum

cryptography - information reconciliation, privacy amplification

 did not implement!

5

Our Contributions

• adaptive key extraction

increases secret bit rate 4-fold

• implement information reconciliation to handle bit

mismatch

• implement privacy amplification to reduce correlation

between successive bits

• through extensive real world measurements, identify

settings (un)suitable for key extraction

• expose new predictable channel attack in static

settings

6

Overview

 adversary model  secret key extraction  real world measurements, results  summary

7

Adversary Model

 adversary Eve

 listens to all communication between Alice, Bob  can measure channel between herself and Alice,

Bob

 separated from both parties by distance >>

wavelength

 Eve not interested in disrupting

communication between Alice, Bob

 Alice, Bob are not authenticated

8

Secret Bit Extraction

9 RSS Measurements Quantization Information Reconciliation Privacy Amplification Secret Key Bits

Adaptive Quantization

how to generate bits from RSS measurements?

Extracted Bits – 1 1 1 0 1 …

Extract “1” Drop Drop Extract “0”

Upper Threshold Lower Threshold 10

adapt threshold for small blocks of measurements

Adaptive Quantization

adapt # intervals depending on range

Extracted Bits - 11 10 11 10 10 11 01 00 01 …

Extract “10” “11” “01” “00”

Interval 1 Interval 2 Interval 3 Interval 4

Interval 1 Interval 2 Interval 3 Interval 4 Interval 5 Interval 6 Interval 7 Interval 8

Adaptive Quantization

Extracted Bits - 101 110 101 110 110 100 010 …

Extract “111” “110” “101” “100” “011” “010” “001” “000”

adapt #intervals depending on range limit: N ≤ log [Range] Adaptive Secret Bit Generation (ASBG)

Information Reconciliation [Brassard ’06]

differences in between bit streams of Alice, Bob arise due to

 noise/interference, wireless hardware limitations  half-duplex nature of channel

solution:

 exchange parity information of small blocks of bits  locate, correct mismatches using binary search  permute, iterate until probability [success] >

threshold

13

Privacy Amplification [Impagliazzo ’89]

 short-term correlation between subsequent bits

when probing rate > (coherence time)-1

 need to remove bits leaked during information

reconciliation

 solution:

 apply 2-universal hash function h: {1…M}  {1…m}  for inputs x, y, probability [h(x) = h(y)] upper bounded

by 1/m

 decreases output length, but increases entropy

14

Implementation

laptops - Alice, Bob

 equipped with Intel PRO/Wireless 3945 ABG

cards

 monitor mode for collecting RSS measurements  use ipwraw driver for raw packet injection

probes – IEEE 802.11g beacon frames

 management frames prioritized over data

frames

 allows better control over probing rate  probing rate ~20 packets per second

15

Implementation

privacy amplification

 2-universal hash functions  use BigNumber OpenSSL routines

16

Implementation

17

RSS Measurement Protocol

18

 packet losses

handled by initiator

 20 ms timeout for

detecting packet loss

 responder discards

last RSS if duplicate beacon sequence #

time

Initiator (Alice) Responder (Bob)

Record RSS Record RSS Record RSS Record RSS

Measurement Goals

• in what kind of settings, key extraction

“works”?

• how does device heterogeneity affect key

extraction?

19

Experiments

• A. Underground concrete

tunnel B. Ed Catmull Gallery C. Lawn

20

• D. Walk Indoors

E. Walk Outdoors F. Bike Ride

• G. Crowded Cafeteria
• H. Across busy road

1. Stationary Endpoints, Intermediate objects 2. Mobile Endpoints 3. Stationary Endpoints, Mobile Intermediate

• bjects

Stationary Endpoints & Intermediate Objects

 variations very small

(range: ~2 dB), exhibit poor reciprocity

 expect Alice‟s & Bob‟s

bit streams to have very high mismatch

 small scale variations

represent noise

21 Underground Concrete Tunnel Experiment distance between Alice, Bob = 10 feet

• 59
• 58
• 57
• 56
• 55
• 54

RSS Probes

Alice Bob

snapshot of data collected for few seconds

Stationary Endpoints & Intermediate Objects

22

Gallery Experiment Lawn Experiment

• even typical stationary settings are no different from

underground concrete tunnel!

distance = 30 ft distance = 10 ft

• 85
• 75
• 65
• 55
• 45

RSS Probes

Alice Bob

• 66
• 64
• 62
• 60
• 58
• 56
• 54

RSS Probes

Alice Bob

Mobile Endpoints

23

Walk Indoors Experiment

 large variations

 range ~25 dB  highly reciprocal

 hints that Alice‟s &

Bob‟s bit streams will have very low mismatch normal walk speed distance = 10-15 ft

• 75
• 70
• 65
• 60
• 55
• 50
• 45

RSS Probes

Alice Bob

Mobile Endpoints

24 Walk Outdoors Experiment Bike Ride Experiment

• more evidence - mobile devices likely to have very low

mismatch

• effects of noise diminished by large scale variations

normal walk speed 20-25 ft distance slow bike ride 10 ft or more distance

• 85
• 75
• 65
• 55
• 45

RSS Probes

Alice Bob

• 80
• 70
• 60
• 50
• 40
• 30

RSS Probes

Alice Bob

Mobile Intermediate Objects & Stationary Endpoints

25 Crowded Cafeteria Experiment Experiment Across Busy Road



intermediate variation range (~8-16 dB), reciprocity



hints - Alice‟s, Bob‟s bit streams will have moderate mismatch

low speed mobility; distance = 10 ft high speed mobility; distance = 25 ft

• 66
• 62
• 58
• 54
• 50
• 46

RSS Probes

Alice Bob

• 79
• 77
• 75
• 73
• 71
• 69

RSS Probes

Alice Bob

Predictable Channel Attack

 novel attack  in „all stationary‟ settings

Eve can cause predictable channel variations

 by controlling movements of

intermediate objects

 break key extraction

schemes without spending compute power

26

Predictable Channel Attack

 no precision machinery

required

 Eve can produce zig-

zag patterns, or any

• ther pattern by

controlling movements

 no post processing will

ensure security of extracted key!

27

• 63
• 58
• 53
• 48
• 43

RSS Probes

bits extracted:

0000 1111 0000 1111 …

Effect of Device Heterogeneity

 greater mismatch than

with homogeneous devices

 mismatch low enough

to help establish secret key

28

Walk Indoors Experiment

• 85
• 80
• 75
• 70
• 65
• 60
• 55
• 50
• 45
• 40

RSS Probes

Alice (Intel 3945 ABG) Bob (Atheros)

Comparison of Key Extraction Approaches in Various Settings

29

 performance metrics

 entropy rate  mismatch rate  secret bit rate

 single bit, multiple bit extraction

Comparison of Key Extraction Approaches in various Settings

30

• secret bit stream from

ASBG

• entropy close to 1
• passes randomness tests
• f NIST test suite we

conduct

0.00 0.25 0.50 0.75 1.00

Entropy Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

stationary mobile

intermediate

Comparison of Key Extraction Approaches in various Settings

31

• mobile settings yield bits

with low mismatch rates

0.00 0.25 0.50 0.75 1.00

Entropy Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

0.00 0.25 0.50 0.75 1.00

Mismatch Rate Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

stationary mobile

intermediate

stationary mobile

intermediate

Comparison of Key Extraction Approaches in various Settings

32

• ASBG exhibits highest

secret bit rate among those with entropy > 0.7

0.00 0.25 0.50 0.75 1.00

Entropy Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

0.00 0.25 0.50 0.75 1.00

Secret bit rate Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

0.00 0.25 0.50 0.75 1.00

Mismatch Rate Experiments

Aono Mathur Tope Azimi-Sadjadi ASBG

stationary mobile

intermediate

stationary mobile

intermediate

stationary mobile

intermediate

Multiple Bit Extraction

33

 significant increase in secret bit rate

• at least 4 times (with N = 2) compared to single bit extraction

0.00 0.05 0.10 0.15 0.20 0.25 0.30 0.35

Mismatch Rate Experiments

2 bits Gray 3 bits Gray 4 bits Gray

0.00 0.25 0.50 0.75 1.00

Secret bit rate Experiments

1 bit 2 bits Gray 3 bits Gray 4 bits Gray

 bit mismatch rate increases with N  Gray code assignment produces smaller mismatch rates

mobile

intermediate

mobile

intermediate

Summary

 mobile settings best suited for key extraction

due to low mismatch

 don‟t depend solely on movements of limited

intermediate objects

 beware of predictable channel attack!

 our environment adaptive quantization scheme

+ information reconciliation + privacy amplification generates high entropy bits at high rate

34