Extracting a Secret Key from a Wireless Channel

Similar documents
Information-theoretically Secret Key. Generation for Fading Wireless Channels

Lecture 28: Public-key Cryptography. Public-key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Secret-Key Generation from Channel Reciprocity: A Separation Approach

Lecture 1: Introduction to Public key cryptography

Keyless authentication in the presence of a simultaneously transmitting adversary

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Secret-Key Generation over Reciprocal Fading Channels

Information-Theoretic Security: an overview

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Group Secret Key Agreement over State-Dependent Wireless Broadcast Channels

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Quantum Wireless Sensor Networks

Secret Key Establishment Using Wireless Channels as Common Randomness in Time-Variant MIMO Systems

Discrete Logarithm Problem

Message Authentication Codes (MACs)

Lecture V : Public Key Cryptography

VEHICULAR networks have attracted much research

arxiv:quant-ph/ v1 27 Dec 2004

RSA RSA public key cryptosystem

Security Implications of Quantum Technologies

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

arxiv:quant-ph/ v1 6 Dec 2005

Entanglement and Quantum Teleportation

Introduction to Cryptography. Lecture 8

Public Key Cryptography

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Quantum threat...and quantum solutions

The odd couple: MQV and HMQV

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

MATH 158 FINAL EXAM 20 DECEMBER 2016

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel

Lecture 7: Boneh-Boyen Proof & Waters IBE System

ECS 189A Final Cryptography Spring 2011

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Ping Pong Protocol & Auto-compensation

Quantum key distribution for the lazy and careless

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Introduction to Quantum Cryptography

Lecture 10: Zero-Knowledge Proofs

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Exam Security January 19, :30 11:30

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Cryptographical Security in the Quantum Random Oracle Model

Fundamentals of Modern Cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions

Ground-Satellite QKD Through Free Space. Steven Taylor

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Automatic, computational proof of EKE using CryptoVerif

Asymmetric Encryption

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Cryptographic Protocols. Steve Lai

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

AN INTRODUCTION TO SECRECY CAPACITY. 1. Overview

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices

Technical Report Communicating Secret Information Without Secret Messages

CPSC 467b: Cryptography and Computer Security

PERFECTLY secure key agreement has been studied recently

CPSC 467b: Cryptography and Computer Security

LECTURE NOTES ON Quantum Cryptography

Cryptography and Security Final Exam

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Week 12: Hash Functions and MAC

Public-Key Cryptosystems CHAPTER 4

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

2 Message authentication codes (MACs)

Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method

Introduction to Quantum Key Distribution

Quantum Key Distribution. The Starting Point

1 Number Theory Basics

ASPECIAL case of the general key agreement scenario defined

Sharing a Secret in Plain Sight. Gregory Quenell

Bound Information: The Classical Analog to Bound Quantum Entanglement

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Public Key Cryptography

HIMMO. Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen. July PHILIPS RESEARCH

A NOVEL APPROACH FOR SECURE MULTI-PARTY SECRET SHARING SCHEME VIA QUANTUM CRYPTOGRAPHY

Other Public-Key Cryptosystems

Quantum Cryptography

Secret Key Agreement Using Asymmetry in Channel State Knowledge

Lecture Notes, Week 6

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Transcription:

Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 1 / 28

Introduction Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 2 / 28

Alice & Bob have never met. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28

Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28

Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28

Alice & Bob have never met. They d like to exchange a secret message. Alice But they don t share a secret key. Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28

Alice? Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 4 / 28

Alice Diffie Hellman key exchange! Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28

Alice Diffie Hellman key exchange! Bob Eve Computational Secrecy (Computationally bounded Eve) k = key, Y = Eve s obervations It should be computationally infeasible to compute k from Y. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28

Alice Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28

Alice RANDOMLY VARYING CHANNEL BETWEEN ALICE AND BOB Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28

[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28

[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28

[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Everyday wireless channels can enable this! Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28

Summary of fading wireless channels Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28

Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28

Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) 1.5 1 0.5 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28

Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) 1.5 1 0.5 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 The fading parameter h(t) decorrelates in space and time Space: Over distances of λ/2 (= 6 cm @ 2.4 Ghz) Time: Over one coherence time T c 1 f d (f d 10 Hz @ 1 m/s) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28

So how do Alice and Bob actually obtain identical secret bits? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 9 / 28

First, they probe the channel many times Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 X 2 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice 1.4 1.2 1 0.8 0.6 Bob 0.4 0.2 5 10 15 20 25 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice 1.4 1.2 1 0.8 0.6 Bob 0.4 0.2 5 10 15 20 25 Eve overhears Z n, which is uncorrelated with X n and Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28

Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + q Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 11 / 28

Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + Positive Excursion q Negative Excursion m = Min # of points to be considered an excursion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 12 / 28

Positive Excursions Negative Excursion q + q X n 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize X n at indices in L {1011010..} Verify MAC using first N bits L,mac Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28

How well does this work? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 14 / 28

How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28

How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec 12 10 8 6 4 2 2 8 20 Doppler = 10 Hz Min. excursion size 0 0 1 2 3 4 5 Probes / sec x 10 3 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28

How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec 12 10 8 6 4 2 2 8 20 Doppler = 10 Hz Min. excursion size 0 0 1 2 3 4 5 Probes / sec x 10 3 What secret bit rate do we need? Renew a 256 bit key every hour 0.08 bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28

Prob. of error Prob. of error (log 10 scale) 0 1 2 3 4 5 6 0 db 10 db 20 db 30 db 40 db 7 8 2 3 4 5 6 7 8 9 10 11 Value of m Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 16 / 28

Prob. of error Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 17 / 28

What if Eve causes trouble? (Active attacks) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 18 / 28

Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28

Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28

Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28

Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Man-in-the-middle Cannot be protected against without mutual authentication. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28

Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28

Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm 2 Use two separate one-way hash-chains One-way hash chain (f ( ) = one-way fn.) build f ( ) w n 1... f ( ) w 1 w n f ( ) reveal Apply f ( ) to w i in probe i to verify source A simple but crypto-based solution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28

Experimental validation using 802.11 (Two methods) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 21 / 28

Method 1: Using CIR from customized h/w Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28

Method 1: Using CIR from customized h/w 1 64-point Channel Impulse Response from preamble 2 We use only tallest peak in CIR 3 Bob sends PROBE request every 110 msec 4 Alice sends PROBE response 5 Eve listens on to Alice 6 5.26 Ghz channel Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28

Experimental setup for the CIR-method Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 23 / 28

Method 1: Using CIR from customized h/w 0.3 0.2 0.1 0 0.1 Alice s CIR 0.2 Bob s CIR Eve s CIR 0.3 "1" bits "0" bits 0.4 0 100 200 300 400 500 600 700 0.3 0.2 q + 0.1 0 0.1 0.2 q Key generated by Alice: 10101011010011001011010010100100010010001010101101010101010 0.3 Key generated by Bob: 10101011010011001011010010100100010010001010101101010101010 Key inferred by Eve: 00100100101000101110010 101000110011010100001101101111011010 0.4 150 160 170 180 190 200 210 220 230 240 250 Indoors, 1.13 s-bits/sec error-free Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 24 / 28

Where can channel-based secret keys be used? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 25 / 28

Some applications Can be used to generate fresh session keys in 802.11: Session keys in 802.11i are linked to authentication credentials. Keys for newer sessions are depend upon older sessions. All messages prior to getting session keys are sent in the clear! In an ad-hoc network, Alice may not care who Bob is. Building trust-based relationships. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 26 / 28

Summary The channel contains valuable info that can enhance confidentiality and authentication in a practical way. Existing wireless platforms already already have access to this info But usually thrown away at PHY layer. Can instead be preserved & utilized at higher layers. Future standards: MIMO, OFDM, TDD are ideally suited. Channel info. readily available Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 27 / 28

Questions? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 28 / 28

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback