Syed Taha Ali and Vijay Sivaraman
(School of Electrical Engineering and Telecommunications, University of New South Wales, NSW 2052, Australia)
Abstract: In this article, we give an overview of current research on shared secret-key agreement between two parties. This agreement is based on radio wireless channel characteristics. We discuss the advantages of this approach over traditional cryptographic mechanisms and present the theoretical background of this approach. We then give a detailed description of the key-agreement process and the threat model, and we summarize the typical performance metrics for shared secret-key agreement. There are four processes in shared secret-key agreement: sampling, quantization, information reconciliation, and privacy amplification. We classify prior and current research in this area according to innovation on these four processes. We conclude with a discussion of existing challenges and directions for future work.
Keywords: physical-layer security; secret key generation
The Diffie-Hellman key exchange protocol is the de facto mechanism for cryptographic secret-key agreement [1]. Relying on the intractability of the discrete logarithm problem, two parties with no prior knowledge of each other are able to exchange public messages over an insecure communications channel and arrive at a shared secret key that is safe from an eavesdropper and that can be used for encrypting communications between themselves. Research interest has recently revived an alternative approach to secret-key agreement. Two parties (Alice and Bob) who are communicating using radios can exploit unique spatio-temporal properties of the wireless channel between them to generate a shared secret. Due to the highly unpredictable and symmetric nature of multipath propagation, the wireless channel that Alice and Bob share is unique to them. It is reciprocal and cannot be deduced in detail by an eavesdropper (Eve). The wireless channel is also highly sensitive to motion and changes in the environment, and variations can be quantized independently by Alice and Bob to yield a shared secret key that Eve has no access to.
This approach has several advantages. First, security implemented at higher layers in the protocol stack can be undermined at the lower layers, and an argument has been made that security should be implemented at multiple layers, if possible. An early research effort in this domain [2] strongly emphasized that physical layer security can complement existing cryptographic solutions and help build systems that are more secure overall. The physical layer has, thus far, mostly been neglected in the stack. This is unfortunate because the physical wireless link can be a rich source of randomness (due to signal noise and highly sensitive channel states). The physical wireless link is also a means of deriving shared secrets because of the high correlation in channel characteristics at two ends of a link. These advantages can be easily harnessed because most radios today already have hardware support for performing basic channel estimates, such as measuring radio signal strength.
Second, prevailing cryptographic techniques are based on difficult number theory problems, i.e. these techniques rely on certain assumptions about the adversary's computing power. In contrast, physical layer approaches offer information-theoretic security, also referred to as unconditional security. Even with unlimited computing power, advances in number theory, and the advent of quantum computing, an adversary still cannot break information-theoretic schemes.
Third, traditional cryptographic mechanisms can be resource-intensive and impractical to implement in hardware. This is especially critical for newly emerging computing paradigms, such as Smart Dust, RFID chips, body area networks, and the Internet of Things, which are all based on miniaturized, resource-constrained wireless devices. Devices such as wireless sensors are not typically equipped with secure clocks or powerful pseudorandom number generators, in which case the Diffie-Hellman key exchange may not lead to truly random keys. Furthermore, research indicates that the Diffie-Hellman key exchange is not very practical to execute on sensor devices [3].
Secret-key agreement using wireless channel characteristics is essentially a four-step process. Alice and Bob first sample the wireless channel to obtain correlated estimates of the channel state. They individually quantize these estimates to yield closely matching bit sequences, or bitstrings. This is followed by an information reconciliation process in which Alice and Bob identify and correct mismatching bits in their bitstrings. Then, there is a privacy amplification step in which a transform operation is used to minimize Eve's knowledge of the shared bitstring. The result is a secret key shared by Alice and Bob that they can use to encrypt communications between themselves. Research in this domain has mostly focused on innovating at different steps of the key-agreement process, and this technique has been validated using different wireless technologies and in various environments.
In section 2, we briefly introduce secret-key agreement using wireless channel characteristics. We discuss the threat model, and we summarize the performance metrics most commonly used. In section 3, we give an overview of existing research in this domain, categorized as per the four steps of the process, i.e. sampling, quantization, information reconciliation, and privacy amplification. In section 4, we discuss alternative methods of using the wireless channel for secret-key agreement. We also discuss potential attacks in this space and outline possible directions for future work. Section 5 concludes the paper.
The groundwork for physical layer security was laid in 1975, when Wyner introduced the classic wiretap model [4] and demonstrated that two parties (Alice and Bob) could communicate securely without a shared secret key and assuming that the illegal channel that Eve uses for eavesdropping is a noisier version of the legitimate Alice-Bob channel. The trick here is for Alice and Bob to use sufficiently large code words to encode their messages and to prevent Eve from successfully deciphering the noisier version of data that she receives. In the early nineties, Maurer [5], [6] proved that Alice and Bob could communicate securely with even fewer restrictions. Even if Eve has access to a less noisy channel than the Alice-Bob channel, Alice and Bob can still agree on a shared secret key if they generated correlated random sequences and then harmonized their observations by exchanging public messages on an error-free channel. The process could be devised using obfuscation techniques so that even if Eve were to access these public messages, her knowledge of the shared secret would still be negligible.
The concept of two parties generating correlated random sequences, perfected via public discussion and obfuscated from third parties, is very applicable to the wireless medium. The wireless channel has an intrinsic symmetry because of the reciprocity of electromagnetic propagation. If Alice and Bob were to transmit identical signals to each other, using identical transceivers and antennas and in the absence of interference and noise, they would receive perfectly identical signals. Radio signals take multiple paths from the source to the destination where, depending on the particular path, they undergo reflection, diffraction, and scattering. The signals also experience different amounts of delay, attenuation, and phase distortion. Alice and Bob can both therefore measure a set of parameters defined by the cumulative effects of all these paths on the signal at their ends. In ideal conditions, these measurements agree.
If Alice and Bob collect a time series of these channel state measurements over a period of sufficient variation, the channel state profile (or envelope) can be directly quantized into a shared secret key that is unique to their positions in that particular environment at that point in time. If Eve is located more than one radio wavelength away from either Alice or Bob, she will be limited to measuring an entirely different channel and will not be able to deduce the legitimate channel spectra or the shared secret. This concept is shown in Fig. 1 and described by the Jakes uniform scattering model [7], which is well-known in the field. According to this model, there is a rapid decorrelation in the signal over a distance of approximately half a wavelength, and for a separation of one to two wavelengths or more, the signals can be assumed to be independent. In the 2.4 GHz range, our threat model would require Eve to be situated 6.25 cm or more away from Alice and Bob.
▲Figure 1. Multipath propagation in indoor setting.
Fig. 2 shows an indoor office environment at the Faculty of Electrical Engineering, University of New South Wales. A base station (Bob) communicates with a wearable mobile device (Alice) walking along the path illustrated. Multiple stationary eavesdroppers (Eve 1 and Eve 4) are close to the base station, separated by a distance of 15 cm on either side. Alice and Bob send messages at a rate of 1 packet per second, sampling the channel in succession, and all parties record the received signal strength indication (RSSI) as an estimation of the channel state. Fig. 3 shows the channel state measured over a one-minute interval. Alice and Bob are in very good agreement, with slight discrepancies with regard to the channel profile. Furthermore, the eavesdroppers drop a large number of packets and are unable to replicate the channel profile in significant detail. This confirms that Alice and Bob can use these measurements to generate shared secret keys.
▲Figure 2. Mobile node, base station, and experimental layout for indoor environment.
In practice, all parties experience low-amplitude asymmetric components in their channel measurements because of factors such as random noise, transceiver differences, interference, motion, or sampling delay (caused by half-duplex radios). Quantizing these channel estimations may therefore result in discrepancies in the generated bit sequence. Information-reconciliation protocols are used to resolve these disagreements. In these protocols, Alice and Bob publicly exchange data about their bit sequences (through, for example, parity checks) to identify and correct mismatching bits. This is followed by a privacy amplification step, which eliminates the partial information that Eve has deduced about the shared secret. This step usually involves a transformation operation, such as using a hash function.
Typically, key agreement, secret bit generation rate, entropy, and implementation costs and overheads are the performance metrics used to measure the efficiency of wireless channel-based key agreement.
Key agreement is the fraction of matching bits in the sequences generated by Alice and Bob. Ideally, this should be 100%, and whatever mismatches occur (due to practical considerations) are resolved using information reconciliation. Very high agreement rates, i.e. greater than 99%, have been achieved in the literature [8]. Eavesdroppers, on the other hand, should match in about 50% of the bits they generate by listening to the Alice-Bob transmissions. The probability of eavesdroppers guessing the right bit is equivalent to a fair coin toss, i.e. there is no advantage at all.
The secret bit generation rate is the average number of usable secret key bits extracted from the wireless channel per unit time. This value depends on various factors, such as the channel sampling rate, quantization parameters, deployment scenario, and channel variability. Bit generation rates in the literature range from 1 bit/s [2] to 40 bits/s [9].
Entropy is a measure of the uncertainty or inherent randomness in the generated bits. Typically, the entropy of a random variable X over a set of n symbols x1, x2, ..., xn is given by
where p(xi) is the probability of the occurrence of symbol xi. For binary symbols, a value close to 1 indicates high entropy. In the literature, the NIST test suite [10] is typically used to validate the entropy for the generated bits.
Implementation cost and overheads depend on the particular mechanism used to generate bits. Whereas this technique has been demonstrated to work with off-the-shelf hardware, in instances such as that in [11], specialized hardware is required. Furthermore, information reconciliation mechanisms, such as Cascade, require storage and repeated manipulation of large arrays of data. Large-scale data transmission involves significant processing costs [12], which is a serious consideration for resource-constrained devices, such as wireless sensors.
▲Figure 3. Measurements comparing RSSI in an indoor office environment.
In this section, we describe current research on shared secret-key agreement using the wireless channel. A pictorial summary is shown in Fig. 4.
Various wireless channel characteristics have been investigated in the literature. Radio signal strength (RSS), discussed in [2], [13] and [14], is the most popular characteristic because it already exists in most off-the-shelf radios. Schemes using signal phase [15], angle of arrival [11], and deep fades [16] have also been successfully used for secret-key agreement.
▲Figure 4. Classification of methodologies for secret-key agreement.
It is imperative that there is sufficient fluctuation in the channel over a period of time so that the generated key has acceptable entropy. This can be a problem in static deployments, and motion on the part of Alice or Bob has been recommended in several research efforts [13], [17]. An alternative approach to generating signal variation in a static setting is channel-hopping. The wireless channel is also frequency-sensitive, so channel characteristics can be measured over a range of frequencies to generate a shared secret [14].
Non-identical hardware may result in Alice and Bob having different channel state measurements. Experiments performed by Jana et al. [13] have shown that heterogeneous hardware may result in a consistent value offset at the two ends, and the resulting channel profile is relatively consistent for Alice and Bob. For this reason, instead of encoding absolute channel measurements, the profile or envelope is quantized to produce secret-key bit sequences.
Quantization is the process by which the sampled channel estimates are mapped to a specific bit sequence. Common approaches to quantizing the channel profile include ranking, level crossing, and using signal extrema. Rank quantization involves “bucketizing” the channel estimates in a manner that ensures an equally probable bit distribution. The buckets can be assigned single or multiple bits, and in the case of the latter, Gray coding is used to demarcate adjacent buckets. Gray coding is a binary numbering system where successive values differ in only one bit. It is used instead of binary coding so that discrepancies in measurements, which may cause a value to be assigned to a different bucket between Alice and Bob, will at most lead to a disagreement in only one bit. This process is shown in Fig. 5. Rank quantization is performed in [17] and [9].
The level-crossing technique involves superimposing certain thresholds onto the channel profile and assigning bit values whenever a threshold is crossed. Variations on this basic concept have been developed to suit application requirements. For example, Mathur et al. [2] propose a quantizer (Fig. 6) that uses a moving window in which each block is assigned two threshold values:
▲Figure 5. Rank quantization.
where μ is the mean, σ is the standard deviation, and α ≥ 0 is an adjustable parameter. If an RSSI reading within a window is greater than q+, it is encoded as 1. If an RSSI reading within a window is less than q-, it is encoded as 0. The thresholds define a censor zone, and values lying within this zone are discarded. This concept is similar to a guard band. The rationale for discarding such values is to filter out random noise effects or asymmetric components that are typically low-amplitude and liable to cause bit disagreement between the two parties.
▲Figure 6. Level-crossing quantization.
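The following Python sketch of a level-crossing quantizer with a censor zone is an added example, not code from the article or from Mathur et al. It assumes the thresholds take the form q+ = μ + ασ and q- = μ - ασ and that Alice and Bob publicly exchange the indices of the samples they kept; the RSSI values and the names `quantize` and `agree` are constructed for illustration.

```python
import statistics

# Constructed RSSI traces in dBm (not measurements from the article). Bob's radio
# reads 3 dB higher than Alice's, and noise swaps the two mid-level samples in
# every group of four.
ALICE_RSSI = [-70, -59, -50, -61, -70, -59, -50, -61]
BOB_RSSI = [-67, -58, -47, -56, -67, -58, -47, -56]


def quantize(rssi, window=8, alpha=0.5):
    """Level-crossing quantizer. Returns {sample index: bit}; censored samples are absent."""
    bits = {}
    for start in range(0, len(rssi), window):
        block = rssi[start:start + window]
        mu = statistics.fmean(block)
        sigma = statistics.pstdev(block)
        # Assumed threshold form: q+ = mu + alpha*sigma, q- = mu - alpha*sigma.
        q_plus, q_minus = mu + alpha * sigma, mu - alpha * sigma
        for offset, value in enumerate(block):
            if value > q_plus:
                bits[start + offset] = 1
            elif value < q_minus:
                bits[start + offset] = 0
            # Anything else lies in the censor zone and is discarded.
    return bits


def agree(bits_a, bits_b):
    """Keep the indices both parties retained; return (indices, fraction of matching bits)."""
    shared = sorted(bits_a.keys() & bits_b.keys())
    if not shared:
        return shared, 0.0
    matches = sum(bits_a[i] == bits_b[i] for i in shared)
    return shared, matches / len(shared)


if __name__ == "__main__":
    for alpha in (0.0, 0.5):
        shared, fraction = agree(quantize(ALICE_RSSI, alpha=alpha),
                                 quantize(BOB_RSSI, alpha=alpha))
        print(f"alpha={alpha}: {len(shared)} bits kept, agreement {fraction:.0%}")
```

Because the thresholds follow each window's own mean, the constant 3 dB offset between the two radios has no effect; widening the censor zone trades bit rate for agreement.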
Much of the research on information reconciliation has been done in the context of quantum cryptography. Discrepancies in the bitstrings generated over the quantum channel occur because of eavesdropping or imperfections in the transmission media. Researchers have sought secure and efficient mechanisms to reconcile these bitstrings. Information reconciliation attempts a form of error correction using the public channel. To reconcile their bit sequences, Alice and Bob exchange metadata (usually parity information) to identify mismatching bits. At the same time, they simultaneously try to minimize the potential leakage of information to an eavesdropper. If mismatching bits are identified, they are either discarded or corrected. This concept is similar to the cyclic redundancy check used to detect data corruption and is also probabilistic, which means only a specific class of errors can be handled. Various error-correction codes, including BCH [11] and LDPC [18], have been used for reconciliation.
Cascade [19] is the most popular information-reconciliation protocol and works iteratively in an interactive manner. Alice permutes her bit sequence randomly, divides it into blocks, computes the parity on each block, and sends the permutation and parity information to Bob, who then performs the same process at his end. If parity does not match for certain blocks, Bob performs a binary search to identify the minimum number of bits that he can change to match the parity check. This process is then repeated multiple times with different permutations of the bit sequence to identify which bits need to be corrected. The probability of success can be fine-tuned by specifying an adequate block size and the number of passes of the protocol.
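The block-parity and binary-search passes described above can be simulated as follows. This is an added, simplified example and not the Cascade reference implementation: it keeps a fixed block size and omits Cascade's revisiting of earlier passes, and the function names and seeded permutation are assumptions made for illustration. It also counts every parity bit Alice discloses, since that is the information an eavesdropper gains.

```python
import random


def parity(bits, positions):
    return sum(bits[p] for p in positions) % 2


def locate_error(alice, bob, positions, disclosed):
    """Binary search inside a block whose parities differ; returns one mismatching position."""
    while len(positions) > 1:
        half = positions[:len(positions) // 2]
        disclosed[0] += 1  # Alice reveals the parity of this half
        if parity(alice, half) != parity(bob, half):
            positions = half                  # odd number of errors in the first half
        else:
            positions = positions[len(half):]  # so it must be in the second half
    return positions[0]


def reconcile(alice, bob, block=4, passes=4, seed=0):
    """Return (Bob's corrected bits, number of parity bits Alice disclosed).

    Both strings live in one process here; in the real exchange only the
    permutation and the parities cross the public channel.
    """
    bob = list(bob)
    rng = random.Random(seed)  # stands in for the permutation Alice sends in the clear
    order = list(range(len(alice)))
    disclosed = [0]
    for _ in range(passes):
        rng.shuffle(order)
        for start in range(0, len(order), block):
            positions = order[start:start + block]
            disclosed[0] += 1  # block parity
            if parity(alice, positions) != parity(bob, positions):
                bob[locate_error(alice, bob, positions, disclosed)] ^= 1
    return bob, disclosed[0]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    alice = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]  # constructed bitstring
    bob = list(alice)
    for i in (1, 2, 9):  # constructed quantization errors
        bob[i] ^= 1
    fixed, disclosed = reconcile(alice, bob)
    print(f"errors left: {hamming(alice, fixed)}, parity bits disclosed: {disclosed}")
```

A block with an even number of errors passes its parity check unnoticed, which is why later passes use a fresh permutation to separate such pairs.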
Privacy amplification is necessary because successive wireless channel estimates may be correlated in time, and this leads to predictability in portions of the bit sequence. Privacy amplification is also necessary because the information reconciliation process may reveal some information about the sequence to eavesdroppers. To effectively decorrelate successive bits in the sequence and nullify any knowledge an eavesdropper may have about parts of the key, an obfuscation operation is performed. Typically, Alice and Bob use universal hash functions chosen from a public set of such functions. This results in smaller, fixed-size bit sequences that can be used as a secret key.
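As an added illustration (not code from the article), the sketch below performs privacy amplification with one well-known universal family, Toeplitz-matrix hashing over GF(2), which the article does not single out. The sizing rule in `output_length` (reconciled length minus disclosed parity bits minus a safety margin) and all names are assumptions made for this example.

```python
import secrets


def output_length(n_bits, disclosed, margin=8):
    """Assumed sizing rule: drop one bit per disclosed parity plus a safety margin."""
    return max(n_bits - disclosed - margin, 0)


def choose_seed(n_bits, out_len):
    """Public random seed that defines an out_len x n_bits Toeplitz matrix."""
    return [secrets.randbits(1) for _ in range(n_bits + out_len - 1)]


def toeplitz_hash(bits, seed, out_len):
    """Multiply bits by the Toeplitz matrix T[i][j] = seed[i - j + n - 1] over GF(2)."""
    n = len(bits)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    key = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & bits[j]
        key.append(acc)
    return key


if __name__ == "__main__":
    # Constructed 32-bit reconciled string held by both Alice and Bob.
    reconciled = [secrets.randbits(1) for _ in range(32)]
    out_len = output_length(len(reconciled), disclosed=10)
    seed = choose_seed(len(reconciled), out_len)  # Alice picks it and sends it in the clear
    alice_key = toeplitz_hash(reconciled, seed, out_len)
    bob_key = toeplitz_hash(list(reconciled), seed, out_len)
    print(f"{out_len}-bit key, match: {alice_key == bob_key}")
```

The seed can be public because the guarantee comes from the family being universal, not from the seed being secret; the output is shorter than the input to account for the bits an eavesdropper may already know.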
In this section, we briefly discuss a few promising directions for future work in secret-key agreement using wireless channel characteristics.
Several research efforts have already resulted in proof-of-concepts for wireless-channel-based secret-key agreement in different environments. Jana et al. [13] investigated the efficacy of this approach in buildings, cafeterias, and tunnels as well as on a lawn or road. The authors also investigated the efficacy of this approach for various modes of activity, such as sitting, walking, or riding a bike. Wilhelm et al. [14] characterize the channel frequency response for static configurations. In [8], we adapted this mechanism for wearable health monitoring devices and presented experimental results.
However, significant work still needs to be done before secret-key agreement using wireless channel characteristics can actually be deployed in everyday, usable technology. Thus far, research on this technique has mostly relied on offline analysis of trace data, and there is a lack of actual prototype solutions implemented on user platforms, such as mobile phones and sensor devices. Running these solutions on user devices would require significant engineering and optimization, which has yet to be done.
Furthermore, wireless channel-based attacks have only just begun to be examined seriously. An early attack, also called a predictable channel attack, was described by Jana et al. in [13]. The authors demonstrated that, in a stationary environment, an attacker may be able to cause predictable variations in RSS by repeatedly blocking the line of sight between Alice and Bob. Likewise, Mathur et al. [2] discuss an attack where Eve might spoof Alice and Bob. The authors show how that can be detected easily using RSS authenticators. These attacks are relatively simple and can be easily avoided by taking a few precautions. However, some very recent research indicates that multiple eavesdroppers might be able to collude to obtain a greater portion of the quantized bit sequence, even up to approximately 70% agreement with Alice and Bob. This is a serious concern. Such attacks, detailed in [20] and [21], are ad hoc in nature and have so far only been experimentally demonstrated. We suggest there needs to be a thorough inquiry into the theoretical basis for such attacks before solutions can be sought. There also needs to be corresponding research on adequate privacy amplification mechanisms in this domain. So far, this area has been neglected.
In this paper, we have briefly introduced current research on wireless channel-based secret-key agreement. We have highlighted the advantages of and challenges related to this technique. We have provided the requisite theoretical background and elaborated on the component processes, sampling, quantization, information reconciliation, and privacy amplification of this technique. We have also summarized certain challenges in this domain, such as the urgent need for practical implementations and the lack of comprehensive theory on threats and attacks. We believe there is great potential for wireless-channel-based secret-key agreement, especially with the advent of new resource-constrained computing paradigms, such as body area networks, mobile computing, and the internet of things.