Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 1 / 28
Introduction Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 2 / 28
Alice & Bob have never met. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
Alice & Bob have never met. They d like to exchange a secret message. Alice But they don t share a secret key. Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
Alice? Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 4 / 28
Alice Diffie Hellman key exchange! Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28
Alice Diffie Hellman key exchange! Bob Eve Computational Secrecy (Computationally bounded Eve) k = key, Y = Eve s obervations It should be computationally infeasible to compute k from Y. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28
Alice Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28
Alice RANDOMLY VARYING CHANNEL BETWEEN ALICE AND BOB Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28
[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
[Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Everyday wireless channels can enable this! Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
Summary of fading wireless channels Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) 1.5 1 0.5 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) 1.5 1 0.5 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 The fading parameter h(t) decorrelates in space and time Space: Over distances of λ/2 (= 6 cm @ 2.4 Ghz) Time: Over one coherence time T c 1 f d (f d 10 Hz @ 1 m/s) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
So how do Alice and Bob actually obtain identical secret bits? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 9 / 28
First, they probe the channel many times Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 X 2 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice 1.4 1.2 1 0.8 0.6 Bob 0.4 0.2 5 10 15 20 25 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice 1.4 1.2 1 0.8 0.6 Bob 0.4 0.2 5 10 15 20 25 Eve overhears Z n, which is uncorrelated with X n and Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + q Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 11 / 28
Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + Positive Excursion q Negative Excursion m = Min # of points to be considered an excursion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 12 / 28
Positive Excursions Negative Excursion q + q X n 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} 10 20 30 40 50 60 L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < 1 2 + ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize X n at indices in L {1011010..} Verify MAC using first N bits L,mac Quantize Y n at indices in L {1011010..} First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
How well does this work? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 14 / 28
How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec 12 10 8 6 4 2 2 8 20 Doppler = 10 Hz Min. excursion size 0 0 1 2 3 4 5 Probes / sec x 10 3 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec 12 10 8 6 4 2 2 8 20 Doppler = 10 Hz Min. excursion size 0 0 1 2 3 4 5 Probes / sec x 10 3 What secret bit rate do we need? Renew a 256 bit key every hour 0.08 bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
Prob. of error Prob. of error (log 10 scale) 0 1 2 3 4 5 6 0 db 10 db 20 db 30 db 40 db 7 8 2 3 4 5 6 7 8 9 10 11 Value of m Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 16 / 28
Prob. of error Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 17 / 28
What if Eve causes trouble? (Active attacks) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 18 / 28
Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Man-in-the-middle Cannot be protected against without mutual authentication. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28
Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm 2 Use two separate one-way hash-chains One-way hash chain (f ( ) = one-way fn.) build f ( ) w n 1... f ( ) w 1 w n f ( ) reveal Apply f ( ) to w i in probe i to verify source A simple but crypto-based solution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28
Experimental validation using 802.11 (Two methods) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 21 / 28
Method 1: Using CIR from customized h/w Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28
Method 1: Using CIR from customized h/w 1 64-point Channel Impulse Response from preamble 2 We use only tallest peak in CIR 3 Bob sends PROBE request every 110 msec 4 Alice sends PROBE response 5 Eve listens on to Alice 6 5.26 Ghz channel Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28
Experimental setup for the CIR-method Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 23 / 28
Method 1: Using CIR from customized h/w 0.3 0.2 0.1 0 0.1 Alice s CIR 0.2 Bob s CIR Eve s CIR 0.3 "1" bits "0" bits 0.4 0 100 200 300 400 500 600 700 0.3 0.2 q + 0.1 0 0.1 0.2 q Key generated by Alice: 10101011010011001011010010100100010010001010101101010101010 0.3 Key generated by Bob: 10101011010011001011010010100100010010001010101101010101010 Key inferred by Eve: 00100100101000101110010 101000110011010100001101101111011010 0.4 150 160 170 180 190 200 210 220 230 240 250 Indoors, 1.13 s-bits/sec error-free Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 24 / 28
Where can channel-based secret keys be used? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 25 / 28
Some applications Can be used to generate fresh session keys in 802.11: Session keys in 802.11i are linked to authentication credentials. Keys for newer sessions are depend upon older sessions. All messages prior to getting session keys are sent in the clear! In an ad-hoc network, Alice may not care who Bob is. Building trust-based relationships. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 26 / 28
Summary The channel contains valuable info that can enhance confidentiality and authentication in a practical way. Existing wireless platforms already already have access to this info But usually thrown away at PHY layer. Can instead be preserved & utilized at higher layers. Future standards: MIMO, OFDM, TDD are ideally suited. Channel info. readily available Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 27 / 28
Questions? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 28 / 28