SHARED SECRET KEY ESTABLISHMENT USING WIRELESS CHANNEL MEASUREMENTS
by
Jessica Erin Dudley Croft
A dissertation submitted to the faculty of The University of Utah in partial fulfillment of the requirements for the degree of
Doctor of Philosophy
Department of Electrical and Computer Engineering
The University of Utah
July 2011 Copyright c Jessica Erin Dudley Croft 2011
All Rights Reserved THE UNIVERSITY OF UTAH GRADUATE SCHOOL
SUPERVISORY COMMITTEE APPROVAL
of a dissertation submitted by
Jessica Erin Dudley Croft
This dissertation has been read by each member of the following supervisory committee and by majority vote has been found to be satisfactory.
Chair: Neal Patwari
Sneha K. Kasera
Rong-Rong Chen
Cynthia Furse
John Regehr ACKNOWLEDGEMENTS
Very rarely does a project like this come together based solely upon the work of the author. Here is where I get to say thank you: Neal Patwari has put a great deal to time into explanations, editing and encour- agement. He is unfailingly optimistic and patient and I feel very fortunate to have had him as an advisor. The SPAN lab he created produces exciting ideas and inventions and he has fostered a distinctly collegial and collaborative spirit among its members. I am grateful to have found friends among my colleagues within the SPAN lab: Yang, Dustin, Piyush, Joey and Merrick. My parents, Jerry and Diana Croft, gave me a love of learning and a solid place to rest. They taught me that building or growing or creating something useful can be a source of great joy and satisfaction. Thank you. For a hug, or a laugh or a push when I need it, I thank my partner, Todd Bailey. He listened to me explain the same problem in different ways (some much better than others) a thousand times in the last few years and never stopped trying to understand. ABSTRACT
Secret key establishment (SKE) is a method that allows two users, Alice and Bob, to obtain shared secret keys using randomness inherent in the wireless channel. Alice and Bob sample the channel many times, extract bits from those measurements and then use the bits to encrypt further communications. Even if an eavesdropper, Eve, were to overhear Alice and Bob measure the channel, she would still have no knowledge of the secret key because she does not measure the same channel as Alice and Bob. While the channel is reciprocal and random, measurements of the channel are temporally correlated and can include non-reciprocities caused by differing transceiver characteristics and the inability of Alice and Bob to measure the channel simultaneously. The thesis aims to reduce or remove the non-idealities and noise of the reciprocal channel measurement process in order to increase secret key bit rate while maintaining an uncorrelated bit stream.
The first contribution of this thesis addresses correlated received signal strength (RSS) measurements and differing transceiver characteristics in the context of sensor nodes. Because typical sensor nodes are constrained both by available energy and computational power, balancing the decorrelation method with node resources and changing wireless environments is also addressed. Ranking and fractional delay inter- polation are used to mitigate non-reciprocities associated with differing transceiver characteristics and the inability of the two nodes to measure the channel at identical points in time.
Second, bit extraction is applied to channel impulse response (CIR) measure- ments. We develop a novel, inexpensive switching system that allows existing single receiver/single transmitter channel sounding equipment to make bi-directional mea- surements. With this system it is possible to investigate non-reciprocal interference and experimentally evaluate bit extraction for CIR that takes advantage of both the time and spatial diversity of the wireless channel. Finally, non-uniform sampling caused by non-deterministic packet delay when sharing a wireless channel with other users is detrimental to bit extraction yet very common in practical wireless networks, especially for IEEE 802.11-based devices. Interpolation and regression are used to estimate the reciprocal fading signal given the non-uniform samples at Alice and Bob and the non-reciprocities caused by non- simultaneous channel measurements.
iii CONTENTS
ACKNOWLEDGEMENTS ...... i ABSTRACT ...... ii LIST OF FIGURES ...... vii LIST OF TABLES ...... x
CHAPTERS 1. INTRODUCTION ...... 1 1.1 Three General Extraction Methods ...... 4 1.2 Channel Measurements ...... 5 1.2.0.1 Received Signal Strength ...... 6 1.2.0.2 Channel Impulse Response ...... 6 1.3 Adversary Model ...... 7 1.4 Contributions ...... 7 2. ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIES FOR WIRELESS SENSORS ...... 11 2.1 Abstract ...... 11 2.2 Introduction ...... 11 2.3 Adversary Model ...... 14 2.4 Methodology ...... 14 2.4.1 Interpolation ...... 16 2.4.2 Ranking ...... 17 2.4.2.1 Motivation ...... 17 2.4.2.2 Algorithm ...... 18 2.4.3 Decorrelation ...... 19 2.4.4 Quantization ...... 20 2.5 Experimental Data Collection ...... 22 2.6 Enabling Channel Adaptation ...... 23 2.6.1 Previous Approach ...... 23 2.6.2 Selection of N ...... 24 2.6.3 Covariance Matrix and Correlation Coefficient Estimation . . . . . 26 2.7 ARUBE Protocol ...... 29 2.7.1 Packet Transmissions ...... 31 2.7.2 Computational Complexity ...... 32 2.8 Results ...... 34 2.9 Discussion ...... 36 2.10 Conclusion ...... 37 3. BIT EXTRACTION FROM CIR USING A BI-DIRECTIONAL RADIO CHANNEL MEASUREMENT SYSTEM ...... 39 3.1 Abstract ...... 39 3.2 Introduction ...... 39 3.3 Related Work ...... 42 3.3.1 RF CIR Measurement ...... 43 3.3.2 Secret Key Establishment ...... 43 3.4 Analysis ...... 45 3.4.1 Power Loss ...... 46 3.4.2 Leakage ...... 46 3.4.3 System Design ...... 47 3.4.4 Example Realization ...... 49 3.5 Bi-Directional CIR Measurements ...... 51 3.5.1 Software Radio ...... 51 3.5.2 Measurements Collected ...... 53 3.6 Secret Key Extraction ...... 55 3.6.1 Adversary Model ...... 56 3.6.2 Method ...... 56 3.6.3 Results ...... 60 3.6.4 Discussion ...... 64 3.7 Conclusion ...... 66 4. RECIPROCAL FADING SIGNAL ESTIMATION METHODS FOR SECRET KEY ESTABLISHMENT ...... 68 4.1 Abstract ...... 68 4.2 Introduction ...... 68 4.3 Related Research ...... 70 4.4 Problem Statement ...... 71 4.5 Estimation Methods ...... 73 4.5.1 Polynomial Interpolation ...... 73 4.5.2 Fractional Delay Interpolation ...... 75 4.5.3 Gaussian Processes Regression ...... 76 4.5.3.1 Covariance Function ...... 77 4.5.4 Gaussian Processes Regression with Side Information ...... 78 4.5.4.1 Public Exchange of Side Information ...... 79 4.5.4.2 Setting γ2(i)...... 80 4.6 Experiment ...... 80 4.6.1 PHY layer and RSS Measurement ...... 80 4.6.2 Sample Variance ...... 81 4.6.3 Sampling Non-uniformity ...... 82 4.7 Results ...... 83 4.7.1 Performance Metrics ...... 83 4.7.2 GPRSI Parameter Selection ...... 84 v 4.7.3 Example ...... 84 4.7.4 Filter Response ...... 84 4.7.5 Normalized Root Mean Square Error ...... 85 4.7.6 Bit Extraction ...... 86 4.7.6.1 802.15.4 Sensor Nodes ...... 86 4.7.6.2 802.11 Smartphones ...... 87 4.8 Conclusion ...... 87 5. CONCLUSION ...... 100 5.1 Key Findings ...... 100 5.2 Future Work ...... 102 REFERENCES ...... 105
vi LIST OF FIGURES
1.1 Received signal strength measurements taken over time. Alice and Bob’s RSS measurements are correlated...... 10
2.1 ARUBE bit extraction ...... 15
2.2 Areas of bit agreement and bit disagreement for m(i) = 1...... 15
2.3 Spatial correlation vs. Pbd and m ...... 15
2.4 t-statistics for max ρzi,zj vs. N for three datasets and the threshold, γ.. 27
2.5 t-statistics for ρz, vs. N for three datasets and the threshold, γ...... 27 2.6 Packets sent for channel probing (—¿) and data transfer (- - -¿), com- putation (boxes) at either node, for overhead and bit extraction...... 30
2.7 Target Pbd vs. secret key bits per sample for ARUBE (black lines) and K HRUBE (gray lines), for N ∈ {17, 35}, K ∈ {128, 256}, and D = 2 , for averages of the best three datasets (-•-), the worst three (--), and the remaining 19 (-N-)...... 35 3.1 Redirecting the transmitted and received signals to measure both direc- tions of the radio channel between antennas A1 and A2...... 50
3.2 Labeled switch diagram in state 1. The correct path for the signal is {G,I,J,L,F,D,B,A}, however three incorrect paths are possible: directly from transmitter to receiver (-.), {G,H,E,D,B,A}(- -), and {G,I,J,K,C,A} (..)...... 51
3.3 One RF switch. RF common can be connected to either RF 1 of RF 2. 52
3.4 Possible linear ranges of four sets of parameters. Given baseline Ipole = 50 dB, Iopen = 45 dB, Lcable = 2 dB, Lswitch = 2 dB and Itr = 111 dB, each plot other than baseline changes one parameter...... 52
3.5 Known attenuation between junctions F and L plotted against received power. Note that measurements and calculations were made assuming a transmitter frequency of 2.44 GHz...... 52
3.6 TX, RX, A1 and A2 locations. The TX and RX are next to opposite walls of a rectangular room. The two antennas centered between them along the two remaining walls...... 53 3.7 Bi-directional measurements for two data sets. Plots 3.7(a)and 3.7(c) and show 10 pairs of measurements. Power in dB is relative to transmit power. The dark plots are measurements from antenna A1 to A2. The light plots are measurements from antenna A2 to A1. The time between each measurement was 0.11s. Plots 3.7(b) and 3.7(d) show the mean and the mean plus and minus the standard deviation of 175 pairs of measurements...... 54 3.8 Example bi-directional measurements in the frequency domain for (a) dataset A and (b) dataset B...... 61 3.9 (a) When interference source is off, subsequent CIR measurements be- tween A2 to A1 (tn = 37.4s) and from A1 to A2 (tn = 37.51s) are nearly identical. (b) When interference source is on, CIR measurements between A2 to A1 (tn = 48.84s) are unchanged while those from A1 to A2 (tn = 48.95s) show interference...... 62 3.10 Secret key bit extraction from CIR measurements involves synchroniza- tion (phase and time delay), interpolation (using fractional delay filter sc), decorrelation (across time delay τ and time t), and quantization (using multi-bit adaptive quantization)...... 63 3.11 Two CIR measurements made by Alice and Bob. Aligning the indices of the dominant multipath does not always align the signals...... 64 3.12 CIR measurements showing the random rotation which must be removed before bits can be extracted...... 64
3.13 (a) Number of bits extracted per measurement from |H| for various Pbd (b) Number of bits extracted per measurement from ∠H...... 65
3.14 Number of bits extracted per RSS measurement for various Pbd ...... 66 4.1 Diagram shows placement of Alice’s () and Bob’s ( ) measurements at times tc with the placement of interpolated values t∗ (k). (a) Fraction delay interpolation interpolates a value half way between Alice’s and Bob measurements if the sample period is constant. (b) With non- uniform measurements fractional delay interpolation results in unaligned interpolated time instants. (c) Polynomial interpolation and Gaussian processes regression are able to interpolate measurements at identical time instants...... 88 4.2 Distribution of measured RSSI values for datasets collected (a) by 802.15.4 2 based devices and (b) 802.11 based devices. The sample variance,σ ˆw for (a) is larger than that of the measurements of (b)...... 89 4.3 Distribution of sample periods for (a) two datasets made with 802.15.4 based wireless sensors and (b) two datasets from 802.11 based devices. . 90
4.4 NRMSE betweeny ˆa andy ˆb for GPRSI with different values for Pa and Pd. Overall, GPRSI for 802.11 RSS measurements performs best with Pa ≈ 0.5 and Pd ≈ 15...... 92 viii 4.5 (a) Fractional delay interpolation used to estimate the reciprocal fading channel from non-uniformly sampled RSS measurements made by two 802.11 devices. (b) Polynomial interpolation. (c) Gaussian processes regression. Solid lines are the estimated signaly ˆc(t∗), dotted lines are the RSS measurements wc...... 93 4.6 Filter response for (a) fractional delay interpolation, (b) polynomial interpolation and (c) Gaussian processes regression at interpolated time instant t∗(i) = 0.60...... 94 4.7 (a) Polynomial interpolation used to estimate the reciprocal fading sig- nal for 802.11 RSS measurements (b) Estimation using GPRSI. Root mean square error (RMSE) for the displayed data is (a)0.627 and (b)0.222. 95 4.8 Normalized root mean square error (NRMSE) for error between the original measurements at Alice, wa, and Bob, wb and error between the estimations of the reciprocal fading signal using polynomial inter- polation (PI), fractional delay interpolation (FDI), Gaussian processes regression (GPR) and Gaussian processes regression with side informa- tion (GPRSI) for (a) 11 802.11 datasets and (b) 20 802.15.4 datasets . . 96 4.9 Plot of NRMSE as the probability of dropping a packet, p, increases for FDI (- -), GPR (..) and GPRSI (–), then plotting the average of the top seven datasets (?), middle six datasets (•) and bottom seven datasets (I) with respect to NRMSE ...... 97 4.10 Comparison of PI, FDI and GPR with (a) highest, (b) middle and (c) 2 lowest sample varianceσ ˆw. GPR is an improvement over FDI only at lower sample variances...... 98
4.11 Bits extracted per second vs. probability of bit disagreement (Pbd) for 13 datasets. Data processed using GPR (..), GPRSI ( - ) or FDI ( - - ) then plotting the average of the top four datasets (?), middle five datasets (•) and bottom four datasets (I) with respect to bits extracted per second. (a) Compares GPR and GPRSI (b) Compares FDI and GPRSI ...... 99
ix LIST OF TABLES
2.1 m =1bitMAQ ...... 27 2.2 t-statistics by method ...... 33 2.3 Number of Packets Transmitted ...... 33 2.4 Computational Complexity ...... 33 2.5 Bits per sample–Mathur et al...... 38 2.6 Average and Minimum Entropy Rates...... 38 2.7 Percentage of bits Eve gets correct...... 38 3.1 Switching System Components ...... 50 3.2 NIST p-values...... 61 3.3 Bits per Sample Comparison ...... 65 4.1 Datasets of decreasing sample variance ...... 88 CHAPTER 1
INTRODUCTION
Secret key establishment (SKE) is a method that allows two users, Alice and Bob, to obtain shared secret keys using randomness inherent in the wireless channel between them without an eavesdropper being able to obtain the key. Because the radio channel between Alice and Bob is reciprocal and varies randomly over space and time, Alice and Bob are able to measure some characteristic of the wireless channel many times then extract bits from those measurements to create matching secret keys. Even if a passive eavesdropper, Eve, were listening to Alice and Bob make measurements of the channel, she would be unable to measure the same channel as Alice and Bob and unable to create a matching secret key. Interest in SKE as an alternate method to ensure data privacy is due in part to perceived weaknesses in traditional public key cryptography which relies on as- sumptions about the computational strength of an attacker. One of the advantages of shared secret keys extracted from channel measurements is that such keys offer the possibility of information theoretic security as long as it is possible to obtain more bits in the secret key than there is information to send [64]. Such keys are considered secure even if an adversary is in possession of a computer with unbounded computing power [12] while keys created using traditional cryptographic methods, such as Diffie-Hellman key exchange, are considered secure only if the adversary has bounded computing power. This is the same impetus driving research in quantum cryptography, but because channel measurement methods are much less expensive, bit extraction is currently possible with common consumer wireless devices. Shared secret keys from channel measurements could also have advantages for resource constrained sensor nodes. Various methods of adapting traditional cryp- tography to sensor nodes have included predistribution of shared keys [13],[41] to 2 adapt to sensor node’s typical constrained power and exploration of elliptical curve cryptography [44] to adapt to a small storage area and limited computational power. Given that secret keys from channel measurements are cryptographically stronger than traditional methods, they might require less on-node storage space. For instance 112-bit key extracted from channel measurements is equivalent in cryptographic strength to a 2048-bit Diffie-Hellman key [39]. In addition, some SKE methods are less computationally complex than traditional cryptographic methods. Given these reasons for proceeding, SKE faces it’s own challenges and require- ments. First, the radio channel must be changing. SKE would not work in a static free-space environment since it depends upon the presence of multipath fading as the source for randomness in the shared secret keys. This is counterintuitive since for most wireless communication applications fading is detrimental. Also, in an otherwise static channel, an attacker would be able to induce motion into the channel and thereby gain knowledge about the secret key The second major challenge is that while the wireless channel is reciprocal, mea- surements of the channel include non-reciprocities from many sources including:
• interference
• thermal noise
• quantization noise
• differing transceiver characteristics
• time-division duplex (TDD) sampling
Many of these non-reciprocities can be seen in Figure 1.1. Because the channel is TDD, Alice and Bob are unable to sample the channel simultaneously and instead must take turns. During the time spent waiting to sample the channel can change resulting in differing measurements at Alice and Bob. Quantization noise is also a source of non-reciprocities. The devices used to measure RSS in Figure 1.1 quantize 1 dBm to 1 RSSI and while the major features of the fading signal are captured, 3 many smaller features are not. In addition, while an effort is made on the part of the hardware manufacturer to ensure 1 dBm is always quantized to 1 RSSI, some quantization bins are larger than others. Even with identical hardware, as was the case in Figure 1.1, differences in transceiver hardware are common. On average, Alice’s RSS measurements, always report just slightly less received power than Bob’s mea- surements. In practical applications, identical hardware cannot be assumed. These non-reciprocities have been addressed by a number of signal processing techniques including windowed filters [45, 71], interpolation [53], ranking [20] and Gaussian processes regression. Thirdly there are requirements about the characteristics of the secret key itself. Ideally the extracted bits would have a high entropy rate, no disagreement between the bits extracted at Alice and the bits extracted at Bob and because sampling the channel requires a packet to be transmitted, it is advantageous to be able to extract a large number of bits from each sample especially for energy poor devices. Also, in the context of information theoretic security every bit of information requires one secret key bit. The high entropy rate requirement is a heuristic for randomness. At minimum, the bits in the secret key need to be independent, but as shown in Figure 1.1, the measurements are temporally correlated. One way to ensure independence is to increase the sampling period, but this in many cases increases the time required to create a secret key. Another method is to decorrelate the measurements before extracting bits. While a high entropy is required to ensure a random key, it is not sufficient. The National Institute of Standards (NIST) has published a series of probabilistic tests [60] which can be used to verify the randomness of shared secret keys. It is difficult to have both a low probability of bit disagreement and a high bit extraction rate. Both of these factors influence the time required to perform SKE and the number of packets that must be transmitted. In order for encryption/decryption to work, the bits in the shared secret key at Alice and Bob must match perfectly. In the event that they do not, information reconciliation is performed where Alice and 4
Bob exchange information publicly to correct disagreements [11]. As the probability of bit disagreement increases, more information is leaked to an eavesdropper, Eve. Removing non-reciprocities before bits are extracted from the measurements can increase the number of bits that can be extracted while lowering the probability of bit disagreement. How these requirements and challenges and the resources needed to meet them are balanced is unique to each bit extraction method. In the remainder of this introduction I briefly describe three bit extraction approaches and explain how the wireless channel is measured for bit extraction. I will then list describe the adversary model before listing my own contributions and the structure of the dissertation.
1.1 Three General Extraction Methods The simplest and least computationally complex bit extraction methods quantize the measured channel characteristic into two bins, one bin for values less than the mean and one bin for values greater than the mean, and then assign a 1 or a 0 to each measurement based upon the bin it falls in. While this is easy to implement, the trade-off is very low entropy. Modifications have been made that create high entropy keys, at the cost of a low bit extraction rate[45]. These methods aim to have no bit disagreement. A second general method [53] uses the Karhunen–Lo´eve transform (KLT) to remove the correlation between measurements before extracting a secret key. The number of bits extracted from each measurement is determined by a target percent of disagreeing bits and the correlation between Alice’s and Bob’s measurements. While this method is significantly more computationally complex than the first, by allowing a certain number of bits to disagree many more bits can be extracted. The bit disagreement is rectified in a later information reconciliation step such as Cascade [11]. This second general method has the advantage of a tunable probability of bit disagreement and high entropy secret keys at the cost of higher computational complexity. The third general method is composed of three steps: advantage distillation, 5 information reconciliation, and privacy amplification [9],[8]. Advantage distillation is another way to say that the two nodes sample some characteristic of the channel that is known to them, but not an adversary. This is identical to what the first two general methods do, but while the second method removes correlation between bits before quantization, this general method quantizes and performs information reconciliation before addressing the correlation between bits. The privacy amplification step is then used to ensure the key has a high entropy. Reported rates of extraction using this method are nearly 1 bits per sample for 802.11 based devices [30]. One of the disadvantages is that since the percentage of bit disagreements is not tunable, the information reconciliation step can be expensive in terms the amount of information potentially revealed to an eavesdropper.
1.2 Channel Measurements
The channel can be viewed as a reciprocal filter that varies over time and space. In general more information collected about the channel means a larger number of bits can be extracted, but some measurements require more time to take or the measurement equipment is expensive. Regardless of the equipment or measured statistic, however, all of these measurements are time-division duplex (TDD). To measure any characteristic, Alice must transmit to Bob who measures the channel and then transmits to Alice who also measures the channel. During the time be- tween measurements, the channel has changed introducing non-reciprocities into the measurements.
Since Hershey first proposed the idea of bit extraction for shared secret keys in [28], a large number of channel measurement types have been explored including angle of arrival [6], phase [28] [61] and received signal strength [45] [30] [53],[74],[56] which can include signal envelopes [7] [71] and level crossings [45]. In addition to these one-dimensional measurements, channel impulse response (CIR) has also been explored as a source for shared secret keys [79], [26], [75], [18]. 6
1.2.0.1 Received Signal Strength
Received signal strength (RSS) is by far the most commonly measured channel characteristic because RSS measurement capability is built in to most consumer wireless devices such as smartphones and laptops. Academic research has also focused on RSS bit extraction using 802.15.4 based sensor nodes [2, 56, 53, 20] due to the ease of access to wireless parameters. Hardware in the transceiver measures received power which is the squared magnitude of the complex baseband power. RSS, then, is the average received power over a single packet that is then converted to an integer number or RSS integer (RSSI). The conversion from the RSS measurement which is commonly in decibels (dB) varies depending up on the radio hardware. Often an increase in 1 dBm with respect to the mean received power corresponds to an increase of 1 RSSI.
Not all RSS measurements are created equal in terms of the number of bits it is possible to extract. A wider channel bandwidth has a detrimental effect on the bit extraction rate. For instance, in IEEE 802.11 based devices, the RSS is calculated for a signal over a bandwidth 4 times as wide as IEEE 802.15.4 based devices, so the channel gain is not as affected by narrowband fading. This reduces the number of bits it is possible to extract. Similarly, devices operating at higher frequencies are more susceptible to narrowband fading so the higher the frequency the more bits can be extracted all other parameters being equal.
Because RSS is an average of magnitude it does not provide any information about the phase of the signal nor about the individual multipath components. While RSS measurements are one-dimensional, they have been used them as part of a MIMO-like bit extraction algorithm using many cooperating nodes [56].
1.2.0.2 Channel Impulse Response
Another channel statistic used for shared secret keys is channel impulse response (CIR). Unlike RSS, CIR provides information about the magnitude, phase and arrival time of each multipath component. As such, many more bits can be extracted from each measurement. Simulated (CIR) measurements have been studied for use 7 with SKE [42, 75, 78, 73, 72]. Given the expense of the measurement equipment, however, very few truly bi-directional experiments have been conducted. Rather, many researchers use uni-directional measurements by making a CIR measurement in one direction and then swapping the position of the transmitter and receiver before making the second measurement in the reverse direction [79], [26], [75]. While this captures the spatial features for bit extraction, any time-related diversity in the channel is treated as noise. This is a very large compromise because in real-world situations the channel is changing over time and it would be greatly advantageous to use that randomness in the secret key.
1.3 Adversary Model The adversary model is very similar across SKE methods. First, we assume that there is a passive attacker, Eve, who is able to overhear legitimate users, Alice and Bob, making measurement of the channel between themselves. Eve is able to measure the channel between herself and Bob and measure the channel between herself and Alice, but is otherwise unable to interfere. Eve cannot jam the channel nor can she impersonate a legitimate user. Furthermore, Eve must be at least one half wavelength away from Alice and Bob. At 2.4 Ghz one wavelength is 12.5 cm. We assume that Eve has knowledge of the bit extraction method in use, any parameters used in the bit extraction method and that Eve can obtain any information publicly exchanged between Alice and Bob. This adversary model is very similar to that used in Diffie-Hellman key agreement in that neither Diffie-Hellman nor SKE natively offer authentication.
1.4 Contributions This research aims to reduce or remove the non-idealities and noise of the re- ciprocal channel measurement process in order to increase secret key bit rate while maintaining an uncorrelated bit stream. The following publications have resulted: 8
J. Croft, N. Patwari, and S.K. Kasera. Robust uncorrelated bit extraction methodologies for wireless sensors. In Proceedings of the 9th ACM/IEEE International Conference on Information Processing in Sensor Networks, pages 70–81. ACM, 2010.
J. Croft and N. Patwari. Bit extraction from CIR using a bi-directional radio channel measurement system. IEEE Transactions on Mobile Com- puting, 2010. (submitted).
J. Croft and N. Patwari. Estimation methods for bit extraction. IEEE Transactions on Mobile Computing, 2011. (to be submitted).
J. Croft, N. Patwari, and S.K. Kasera. Demonstration abstract: Bit extraction from received signal strength, 2010.
N. Patwari, J. Croft, S. Jana, and S.K. Kasera. High rate uncorrelated bit extraction for shared secret key generation from channel measurements. IEEE Transactions on Mobile Computing, pages 17–30, 2009.
The structure of this dissertation is as follows: Chapter 2 explores mitigation of non-reciprocities associated with differing hardware characteristics and how to adapt bit extraction to changing wireless environments. The cost of bit extraction is found in terms of computational complexity and the total number of packets exchanged for a given key length. This method is applied to RSS measurements taken with 802.15.4-based sensor nodes. This method improved the bit extraction rate by 25 to 60% compared to a previous bit extraction method. Chapter 3 applies bit extraction to channel impulse response (CIR) measurements. In order to obtain bi-directional CIR measurements an inexpensive novel switching system was designed to allow existing single transmitter/single receiver hardware to make bi-directional measurements. A description and analysis of the system is included so that similar systems can be built. A new algorithm for CIR bit extraction is described and applied to the bi-directional CIR measurements. 9
Chapter 4 addresses problems found during the demonstration [19] of bit extrac- tion in a very busy wireless environment using 802.11 devices. Ideal conditions for bit extraction ie. two users uniformly sampling a quickly varying channel, cannot be assumed. An estimation method using Gaussian processes regression with public discussion was found to improve the number of bits extracted by up to 50% in adverse conditions for 802.11 RSS measurements. Chapter 5 forms the conclusion and presents avenues for future research into shared secret keys from wireless channel measurements. 10
15
10
5
0 RSSI
−5
−10 Alice Bob −15 Eve 10.8 10.9 11.0 11.1 11.2 11.3 11.4 11.5 11.6 time (s)
Figure 1.1. Received signal strength measurements taken over time. Alice and Bob’s RSS measurements are correlated. CHAPTER 2
ROBUST UNCORRELATED BIT EXTRACTION METHODOLOGIES FOR WIRELESS SENSORS
2.1 Abstract This paper presents novel methodologies which allow robust secret key extraction from radio channel measurements which suffer from real-world non-reciprocities and a priori unknown fading statistics. These methodologies have low computational complexity, automatically adapt to differences in transmitter and receiver hardware, fading distribution and temporal correlations of the fading signal to produce secret keys with uncorrelated bits. Moreover, the introduced method produces secret key bits at a higher rate than has previously been reported. We validate the method using extensive measurements between TelosB wireless sensors.
2.2 Introduction For many applications of wireless sensor networks, data privacy is a key require- ment. Since sensor nodes may be collecting private data, for example, in patient health monitoring networks, users must have guarantees of privacy. Without data privacy, patients will not be willing to participate and hospitals will not be in com- pliance with confidentiality regulations. However, because of the limited energy and computational resources of sensor nodes, realistic methods for secure authentication and privacy face special challenges. 1
1This chapter first appeared as J. Croft, N. Patwari, and S.K. Kasera. ”Robust uncorrelated bit extraction methodologies for wireless sensors” In Proceedings of the 9th ACM/IEEE International Conference of Information Processing in Sensor Networks. ACM, 2010. 12
To meet the critical need for secure communications, existing research has devel- oped methods to address these multiple challenges. Existing work uses predistributed shared secret keys and public key methods adapted for use on resource constrained sensor nodes. Various methods of probabilistic predistribution [13] [41] have balanced security and limited on-device storage space. Public key methods have used elliptic curve cryptography [44] to create public keys within sensor node resources. Unlike traditional cryptography methods, we address the problem of secret key establishment between two wireless sensor nodes for secure communication using the time and space variations in the time-division duplex channel. The radio channel offers a unique opportunity to build alternate robust security solutions in a resource efficient manner. A key generated from radio channel characteristics [6] [30] [61] reflects the uniqueness of the time and space in which it was created. Two nodes, Alice and Bob, are able to measure a characteristic of the channel between them, each generates a key from those measurements, and then uses that key to encrypt further communications. Even if Eve, an attacker, were able to overhear legitimate users Alice and Bob during the collection of channel measurements, Eve would be unable to duplicate the key because she would not have measured the same channel as that between Alice and Bob. Using temporal and spatial variation in channel characteristics for secret key establishment is not a new idea. Key generation from channel characteristics was first described in [28]. Since then several existing efforts including our own have designed and evaluated bit extraction schemes using many different channel characteristics. Some of these characteristics are angle of arrival [6], phase [28] [61], received signal strength [45] [30] [53], signal envelopes [7] [71] and level crossings [45]. Of these, received signal strength (RSS), or channel gain, is most commonly available because of the low device cost and the requirement for inexpensive sensor nodes. To keep the cost low and to be able to use off-the-shelf hardware, we also use RSS in this paper. Unfortunately, existing methods have significant problems achieving high bit gen- eration rates when required to achieve (1) a low probability of bit disagreement and (2) uncorrelated bits. Existing methods sacrifice bit generation rate to achieve low 13 bit disagreement rates. A low bit generation rate leads to high energy consumption as nodes repeatedly probe the channel to extract sufficient bits. This severely limits the lifetime of the node. The high rate uncorrelated bit extraction (HRUBE) method can achieve a high rate of uncorrelated bits with a reliably low probability of bit disagreement. However, it requires precise knowledge of the distribution and the temporal statistics of the radio channel. Sensor nodes are deployed in a wide variety of environments so such a priori knowledge is unrealistic. Further, if statistical assumptions are made that are incorrect, the benefits of the method are lost.
Here we present a method which comprehensively addresses these limitations. Our scheme implements a ranking method to remove the non-reciprocities that are inevitable as a result of wireless sensors having differing transceiver hardware charac- teristics. Ranking is more robust because even when the measured values at different nodes are of a different scale, the order of the measurements will be the same. For example, the method avoids the disagreements caused by differing transmit powers and RSSI circuit variations. Even in identical hardware, variations of scale exist, and with different hardware, differences will be greater. Ranking also makes the bit extraction process independent of fading distribution. Further, we test and develop protocols which adaptively determine the covariance structure of the measured data in order to reliably extract high entropy rate secret keys with a tunable probability of bit disagreement.
We experimentally test our method using TelosB wireless motes. We evaluate and compare schemes using data collected in three different environments in 25 data sets, totaling 450,000 RSS samples. The extensive data collection allows accurate characterization of important figures of merit, including extracted bits per sample and entropy rate. While the design of a robust and practical scheme is the main objective of this work, we also find that our scheme improves the rate at which secret bits can be extracted. The tested method can extract 40 bits per second at a probability of bit disagreement of 0.04. Compared to the HRUBE bit extraction method, this method is more robust to differences in hardware, adapts to the channel environment, can be implemented on a wireless mote and produces 30% more bits per 14 sample. The tested method produces the highest secret key extraction rate reported to date. The rest of this paper is organized as follows. Section 2.3 lays out the adversary model used in this paper. In Section 2.4 we will describe the Ranking HRUBE method. Section 2.5 describes our data collection process. In Sections 2.6 and 2.7 we address issues related to implementation on wireless sensors. Sections 2.8 and 2.9 contain a summary and discussion of our findings. Section 2.10 forms a conclusion.
2.3 Adversary Model We assume that the adversary, Eve, can listen to all the communication between Alice and Bob. Eve can also measure both the channels between herself and Alice and between herself and Bob at the same time when Alice and Bob measure the channel between them for key extraction. We assume that Eve is more than a few wavelengths away from Alice or Bob. We also assume that Eve knows the key extraction algorithm and the values of the parameters used in the algorithm. We assume that Eve cannot jam the communication channel between Alice and Bob. We also assume that Eve cannot cause a man-in-the-middle attack, i.e., our methodology does not authenticate Alice or Bob. In this aspect, the technique of key extraction from RSS is comparable with classical key establishment techniques such as Diffie-Hellman [22], which also use message exchanges to establish keys and do not authenticate Alice or Bob.
2.4 Methodology Key extraction benefits from the reciprocity of the channel gain (or loss) between two antennas and the fluctuations of the channel gain in a non-static channel. In a reciprocal channel, the multipath properties including gain, phase shifts and delays are identical in both directions of a link at any point in time. However, successful key extraction must account for the sources of non-reciprocities present in measurements of the channel gain, such as additive noise, and differences in hardware. These non- reciprocities are the source of bit disagreement, i.e. bits that do not match between the two generated keys. In addition, a good key has uncorrelated bits, despite the fact that fading is a temporally-correlated random process. The adaptive ranking- 15
Figure 2.1. ARUBE bit extraction
Figure 2.2. Areas of bit agreement and bit disagreement for m(i) = 1.
−1 10
−2 10
m=4 m=3 −3 m=2 10
Probability of Bit Disagreement m=1
0.9 0.99 0.999 Correlation Coefficient ρ
Figure 2.3. Spatial correlation vs. Pbd and m 16
based uncorrelated bit extraction (ARUBE) method uses four tools to address these challenges:
1. Interpolation removes non-reciprocities caused by the half-duplex nature of the channel.
2. Ranking reduces non-reciprocities caused by differing hardware characteristics and outputs data with an a priori known distribution.
3. Decorrelation removes temporal correlation from the RSS fading signal.
4. Quantization extracts bits from interpolated, ranked and decorrelated RSS measurements.
A block diagram is shown in Figure 2.1. We expand upon these steps in the following sections.
2.4.1 Interpolation The half-duplex nature of the PHY layer (e.g., in 802.15.4) means that Alice and Bob are unable to simultaneously measure the channel gain. To compensate we use a finite impulse response (FIR) fractional delay filter, which interpolates to obtain an estimate of the channel gains in both directions of the link at a single point in th th time. The fractional delay between the i measurement by Alice, wa(i), and the i measurement made by Bob, wb(i), is,
1 τ (i) − τ (i) µ = b a (2.1) 2 T
th where τb(i) and τa(i) are the arrival times of the i packet at Bob and Alice respec- tively. We implement two fractional delay filters, one each at Alice and Bob. W.l.o.g. we th assume that τa(i) < τb(i) so that µ > 0. If we interpolate points in wa so that the i th sample is delayed by (1 + µ)T and interpolate points in wb so that the i sample is 17 delayed by (1−µ)T , we would have nearly simultaneous measurements. These delays can be broken down into fractional, µ, and integer, n, delays. At each node:
µa = µ µb = 1 − µ na = 1 nb = 0 (2.2)
We implement the cubic Farrow filter [24]. For c ∈ {a, b}:
3 3 2 hc = µc /6 − µc/6, −µc /2 + µc /2 + µc, 3 2 3 2 T µc /2 − µc + 1, −µc /6 + µc /2 − µc/3
The filtered signal, xc, becomes the input to the next step in the bit extraction process.
2.4.2 Ranking Ranking is used to remove the differences in the unknown transmitter and receiver characteristics which differ between the two directions. As its output ranking also produces values with a uniform distribution.
2.4.2.1 Motivation As we note above, the channel gain is reciprocal, but each receiver actually measures RSSI, a voltage in the receiver IC. The RSSI has an affine relationship with channel gain, denoted CG,
RSSI = c1CG + co (2.3) and c1, c0 ∈ R depend on the two nodes. The parameter c0 will vary due to differing transmit powers or differing battery voltages at the two nodes. Both c0 and c1 vary because the devices use different hardware or because manufacturing differences in identical hardware [52].
The device parameters c0 and c1 can be considered to be constant over the short periods time required to generate a secret key from the channel (tens of seconds). If the channel gain is reciprocal and the RSSI is given by (2.3), ranking will recover identical signals. 18
The ranking process also homogenizes the output distribution. As will be dis- cussed in Section 2.4.4, it is required to know the distribution of the data input into the quantizer. Ranking does not provide a uniform distribution as input to the quantizer because decorrelation is performed in between ranking and quantization; however, ranking does eliminate the changes that would occur based on the particular environment. For example, narrowband fading statistics may be Ricean, Rayleigh, or Weibull distributed [27], however, the distribution of the output of the ranking operation will remain uniform.
2.4.2.2 Algorithm Next, we describe how to perform ranking for the ARUBE method. In short, we take each segment of K values from the continuous-valued, interpolated channel measurements and output discrete-valued numbers which indicate their order within the group of K. We also use a set of known “dummy values” to increase the randomness of the output of the ranking. However, for introductory purposes, we first introduce ranking without dummy values, and then define the process of ranking with dummy values. (t) The input to the ranking operation are the K-length sub-vectors xc , for c ∈ {a, b}.
By sub-vectors, we mean that channel interpolated channel measurements, {xc(i)}i, are input to a serial-to-parallel converter that outputs sub-vectors of length K, which we denote xc(t). Specifically,
(t) T xc = [xc((t − 1)K + 1), . . . , xc(tK)] (2.4)
k K Ranking is a function R : Z → K0 , where K0 is a set of finite size with minimum
1 and maximum K. When there are no “ties” in input data, K0 = {1,...,K}, and th th xc(t) is ranked such that the j element of the t ranked sub-vector is
(t) (t) (t) rc (j) = |{k : xc (j) > xc (k)}| + 1 1 + |{k 6= j : x(t)(j) = x(t)(k)}| 2 c c (t) (t) When there are no ties in the input data, rc (j) is simply the order of xc (j) in a (t) (t) sorted list of xc . When there are ties, the value of rc (j) is the average of the order 19
of the tied values in the sorted list. For example, for K = 5 and this particular xc,
the vector rc would be output from the ranking method,
xc(i)i = [13, 11, 10, 14, 11, 12, 16, 17, 19, 15, 18, 17] | {z } | {z } x(1) x(2) c c (2.5) rc(i)i = [4, 2.5, 1, 5, 2.5, 1, 3, 4, 5, 2] | {z } | {z } (1) (2) rc rc
If the number of input values of {xc(i)}i cannot be evenly divided by K, the left over values are not used. Next we describe the introduction of “dummy values” to add randomness to the output of our ranking method. Ranking the measurements directly introduces non- randomness that could possibly be exploited by an attacker. If the first K − k measurements are known or guessed, for k K, it would be less difficult to accurately determine the ranks of the remaining k measurements. To avoid this problem, we introduce D dummy values into the input stream. The ranking with dummy values k K is a function R : Z → KD , where KD is a set of finite size with minimum 1 and
maximum K + D. When there are no ties in input data, KD = {1,...,K + D}. In the ARUBE method, we determine D dummy values from D evenly spaced quantiles of the distribution of {x (i)} . Specifically, we use F −1 n−0.5 for n = c i xc D
1,...,D, where Fxc (x) is the cumulative distribution function (CDF) of xc. Note that values are found independently at each node c ∈ {a, b}. th th (t) The j element of the t ranked sub-vector, rc , becomes,
(t) (t) (t) rc (j) = |{k : xc (j) > dc (k)}| + 1 1 + |{k 6= j : x(t)(j) = d(t)(k)}| 2 c c where T T 0.5 D − 0.5 d(t) = x(t) ,F −1 ,...,F −1 (2.6) c c xc D xc D
2.4.3 Decorrelation
Adjacent channel measurements in rc are correlated. In this paper we use the discrete Karhunen-Lo´eve transform (KLT) to convert the measured, interpolated, 20
ranked channel measurements in ra and rb into uncorrelated components. Given the covariance matrix of correlated data the KLT looks for an orthogonal basis that decorrelates the data. If the data is Gaussian, the decorrelated data will also be independent.
Assume that the input vector at node c ∈ {a, b}, rc, has mean µc, covariance ma- trix Rr and length N. The singular value decomposition (SVD) of Rr can be written, T 2 2 Rr = USU , where U is the matrix of eigenvectors, and S = diag{σ1, ..., σN }, is a diagonal matrix of the corresponding eigenvalues. We assume that the eigenvectors 2 2 2 have been sorted in order of decreasing eigenvalue, so that σ1 ≥ σ2 ≥ ... ≥ σN ≥ 0. T Note that U U = IN , where IN is the N × N identity matrix. The discrete KLT calculates yc as
T yc = U (rc − µc). (2.7)
It can be shown that Ry, the covariance matrix of yc is equal to S. Because S is
diagonal, yc has uncorrelated elements.
In Section 2.6 we discuss the online determination of Rr and the setting of parameter N.
2.4.4 Quantization
There is a tradeoff between the probability of bit disagreement, Pbd, and the number of bits generated. Multi-bit adaptive quantization [53] (MAQ) achieves a
high rate of bits per sample for a desired Pbd. W.l.o.g. we choose Alice to be the ‘leader’ and Bob to be the ‘follower’. We first
mi+2 mi quantize ya(i) into one of J , 2 = 4 × 2 equally likely quantization levels. We
determine the quantization levels based on the CDF of ya(i), Fi(y) = P [ya(i) ≤ y].
The thresholds, ηj, are calculated as,
−1 j ηj = Fi , for j = 1,...,J − 1. (2.8) 4 × 2mi
and η0 = −∞ and ηJ = ∞. 21
The quantization bins are then defined by the thresholds. The jth quantization bin is the interval (ηj−1, ηj) for j = 1,...,J, so j(i) is given by
j(i) = max[j : ya(i) > ηj−1] (2.9) j
Next, we define the following binary variables:
• Define e(j), for j = 1,...,J as
1, (j mod 4) ≥ 2 e(j) = (2.10) 0, otherwise
mi • Create a Gray codeword with mi bits, that is, an ordered list of 2 possible
mi-bit codewords.
j−1 mi • Let f1(j) = b 4 c. Define d1(j) ∈ {0, 1} to be equal to the f1(j)th Gray codeword.
j+1 mod J mi • Let f0(j) = b 4 c. Define d0(j) ∈ {0, 1} to be equal to the f0(j)th Gray codeword.
These variables are shown in Table 2.1 for m(i) = 1. Multi-bit adaptive quantization proceeds as follows. The leader node, Alice in this case, quantizes ya(i) in the correct quantization k(i) for all components i. Alice then transmits the bit vector e = [e(j(1)), . . . e(j(N))]T to the follower node, Bob.
Both nodes encode their secret key using codeword d0 when e = 0, and codeword d1 when e = 1. Specifically the secret key for node c is
zc = [de(j(1))(j(1)), . . . , de(j(N))(j(N))] (2.11) where j(i) is given in Eq. 2.9. Figure 2.2 shows a graphic representation of the m(i) = 1-bit case.
The Pbd in MAQ is related to the correlation coefficient between components and the number of bits extracted from each decorrelated component, ya(i). The correlation 22
th coefficient of the i component, denoted ρi, can be determined from the covariance matrix of the decorrelated components. s [Ry]i,i ρi = 2 (2.12) σi
From the areas of bit disagreement in Figure 2.2, the analytical approximation of bit disagreement rate vs. correlation coefficient in Figure 2.3 is derived [53]. The greater the correlation between components the more bits that can be ex- tracted or the lower the percentage of bit disagreement. The total number of bits ex- PN tracted from each group of decorrelated measurements, yc is denoted M = i=1 m(i).
2.5 Experimental Data Collection For purposes of evaluation, we implement three wireless sensors capable of col- lecting RSS measurements. The TelosB mote is a low power wireless sensor module equipped with an IEEE 802.15.4 compliant RF transceiver (the TI CC2420), built-in antenna and a micro-controller. TinyOS/NesC software is written for the TelosB motes for measurement and communication. Nodes Alice (a) and Bob (b) take turns transmitting probing packets. Each probing packet contains a counter value and a unique node id number. When
node c ∈ {a, b} receives the ith packet, it (1) obtains the RSS of the packet, wc,i; (2)
stores the received counter value i and the RSS value wc,i; (3) increments its local counter value and (4) builds a new data packet containing the new counter value and its own node ID and sends it over the radio to nodec ¯ wherec ¯ ∈ {a, b} andc ¯ 6= c. The packet transmission rate of the device, and thus the RSS sampling rate, is 50 per second. The third node, Eve, designated the attacker node, overhears all of the packets being transmitted between the other two nodes, estimates the RSS of each packet and stores the data. Eve’s TelosB mote does not transmit any packets. Data is collected on a laptop to enable arbitrary application of the RSS measurements in secret key establishment. We collected 25 datasets with a total of 443, 600 samples. Most datasets had between 10,000 and 20,000 RSS samples while a few datasets had more than 50,000 23
or less than 5,000. At 50 samples per second it takes 5 minutes to collect 15,000 samples. The nodes were arranged in various geometries to evaluate the ability of Eve to obtain the same key as Alice and Bob and to see how the signal to noise ratio (SNR) might affect the methods. For all datasets, Alice and Eve were placed on a flat surface while Bob was rotated and moved randomly by an experimenter to introduce random fading into the channel. In the 16 datasets where Eve was present, she was λ at most 45cm from Alice and in few cases she was less than 6.25cm or 2 from Alice. Six datasets were collected where Bob was more than 1.5m from Alice and Eve. All signal processing was done in Python.
2.6 Enabling Channel Adaptation In [53] the authors presented HRUBE, a framework for bit extraction from channel measurements, but did not have a realistic method for implementation. This section presents methods to select the parameters of the ARUBE method. These parameters include the number of decorrelated components, N, the decorrelation matrix, U, and the number of bits per component, {m(i)}i. The selection of these parameters depends upon the radio channel between Alice and Bob. For example, in a quickly varying channel we would expect the covariance matrix to be different than in a slowly varying channel. Also, the number of bits extracted from the channel would increase with signal to noise ratio.
2.6.1 Previous Approach
In the HRUBE method, the covariance matrix, Rx, was estimated as
C 1 X X T Rˆ = (x(i) − µˆ )(x(i) − µˆ ) (2.13) xc,xc 2C − 1 c c c c c∈{a,b} i=1
(i) th where xc is the i N-length measured RSS vector at node c, C is the total number of vectors and C 1 X µˆ = x(i). (2.14) c C c i=1 The N × N decorrelation matrix U is found by the SVD. The values, m(i), were
determined from the covariance matrix of xa and xb. The secret key, zc, was then 24
extracted from the same measurements as were used to estimate the covariance matrix.
2.6.2 Selection of N The computational complexity of estimating the covariance matrix and calculating the SVD are both dependent upon N as will be discussed in Section 2.7. Increasing N will decrease temporal correlation between bits in the secret key because more samples are simultaneously decorrelated. For example, setting N = 50 produced sufficiently decorrelated bits for the HRUBE method [53]. Because of the tradeoff between computational complexity and temporal decorrelation, finding a minimum range or value for N could significantly reduce the number of calculations. In order to test for uncorrelated bits, we look at two types of correlation coeffi- cients:
1. Pair-wise bit correlation coefficients. We denote ρzi,zj as the correlation coeffi- th th cient between the i and j component of vector zc (Eq 2.11), for any particular M combination (i, j) where i 6= j. There are 2 different values of ρzi,zj .
2. Global bit correlation coefficient. We denote ρz as the correlation coefficient
between any pair of different components of zc. Here we assume that the correlation coefficient is identical across all combinations of (i, j) and we use
our data to estimate the single value of ρz.