on the effectiveness of secret key extraction from ...suman/docs/presentation.pdf · on the...
TRANSCRIPT
On the Effectiveness of Secret Key Extraction from Wireless Signal Strength in Real Environments
Suman Jana, Sriram Nandha Premnath
Mike Clark, Sneha K. Kasera, Neal Patwari
University of Utah
Srikanth V. Krishnamurthy
University of California, Riverside
wireless nodes, Alice & Bob, need to share secret key
concerns with public key cryptography
quantum cryptography – too expensive
less expensive solution - use inherent randomness in wireless channel to extract secret key bits
Problem Definition
2
measured reciprocally at Alice, Bob
when away by more than few multiples of wavelength, Eve cannot measure same channel
channel varies with time
Wireless Channel Characteristics
3
Use of Received Signal Strength (RSS)
4
Alice, Bob expected to see “identical” RSS variations [Stutzman „82]
realistically, they must deal with lack of perfect reciprocity
Probe Exchange &
RSS Measurement
Alice Bob
Eve
RSS Variations AliceBob
RSS Variations
Eve
Related Work
Mathur ‟08, Li ‟06, Aono ‟05 extract single bit per measurement
experimental results from limited indoor settings
Alice, Bob do not communicate to handle mismatches will result in key disagreement in large number of cases
Azimi-Sadjadi ‟07 suggested using 2 stages from quantum
cryptography - information reconciliation, privacy amplification
did not implement!
5
Our Contributions
• adaptive key extraction increases secret bit rate 4-fold
• implement information reconciliation to handle bit mismatch
• implement privacy amplification to reduce correlation between successive bits
• through extensive real world measurements, identify settings (un)suitable for key extraction
• expose new predictable channel attack in static settings
6
Overview
adversary model
secret key extraction
real world measurements, results
summary
7
Adversary Model
adversary Eve
listens to all communication between Alice, Bob
can measure channel between herself and Alice, Bob
separated from both parties by distance >> wavelength
Eve not interested in disrupting communication between Alice, Bob
Alice, Bob are not authenticated
8
Secret Bit Extraction
9
RSS
Measurements
Quantization
Information
Reconciliation
Privacy
Amplification
Secret Key
Bits
Adaptive Quantization
how to generate bits from RSS measurements?
Extracted Bits – 1 1 1 0 1 …
Extract “1”
Drop
Drop
Extract “0”
Upper Threshold
Lower
Threshold
10
adapt threshold for small blocks of measurements
Adaptive Quantization
adapt # intervals depending on range
Extracted Bits - 11 10 11 10 10 11 01 00 01 …
Extract
“10”
“11”
“01”
“00” Interval 1
Interval 2
Interval 3
Interval 4
Interval 1
Interval 2
Interval 3
Interval 4
Interval 5
Interval 6
Interval 7
Interval 8
Adaptive Quantization
Extracted Bits - 101 110 101 110 110 100 010 …
Extract
“111”
“110”
“101”
“100”
“011”
“010”
“001”
“000”
adapt #intervals depending on range
limit: N ≤ log [Range]
Adaptive Secret Bit Generation (ASBG)
Information Reconciliation [Brassard ’06]
differences in between bit streams of Alice, Bob arise due to noise/interference, wireless hardware limitations
half-duplex nature of channel
solution: exchange parity information of small blocks of bits
locate, correct mismatches using binary search
permute, iterate until probability [success] > threshold
13
Privacy Amplification [Impagliazzo ’89]
short-term correlation between subsequent bits when probing rate > (coherence time)-1
need to remove bits leaked during information reconciliation
solution: apply 2-universal hash function h: {1…M} {1…m}
for inputs x, y, probability [h(x) = h(y)] upper bounded by 1/m
decreases output length, but increases entropy
14
Implementation
laptops - Alice, Bob
equipped with Intel PRO/Wireless 3945 ABG cards
monitor mode for collecting RSS measurements
use ipwraw driver for raw packet injection
probes – IEEE 802.11g beacon frames
management frames prioritized over data frames
allows better control over probing rate
probing rate ~20 packets per second 15
Implementation
privacy amplification
2-universal hash functions
use BigNumber OpenSSL routines
16
Implementation
17
RSS Measurement Protocol
18
packet losses handled by initiator
20 ms timeout for detecting packet loss
responder discards last RSS if duplicate beacon sequence #
tim
e
Initiator
(Alice)
Responder
(Bob)
Record
RSS
Record
RSS
Record
RSS
Record
RSS
Measurement Goals
• in what kind of settings, key extraction “works”?
• how does device heterogeneity affect key extraction?
19
Experiments
A. Underground concrete tunnel
B. Ed Catmull Gallery
C. Lawn
20
D. Walk Indoors
E. Walk Outdoors
F. Bike Ride
G. Crowded Cafeteria
H. Across busy road
1. Stationary Endpoints, Intermediate objects
2. Mobile Endpoints
3. Stationary Endpoints, Mobile Intermediate objects
Stationary Endpoints & Intermediate Objects
variations very small (range: ~2 dB), exhibit poor reciprocity
expect Alice‟s & Bob‟s bit streams to have very high mismatch
small scale variations represent noise
21
Underground Concrete Tunnel Experiment
distance between Alice, Bob = 10 feet
-59
-58
-57
-56
-55
-54
RSS
Probes Alice Bob
snapshot of data collected for few seconds
Stationary Endpoints & Intermediate Objects
22
Gallery Experiment Lawn Experiment
• even typical stationary settings are no different from underground concrete tunnel!
distance = 30 ft distance = 10 ft
-85
-75
-65
-55
-45
RSS
Probes Alice Bob -66
-64
-62
-60
-58
-56
-54
RSS
Probes Alice Bob
Mobile Endpoints
23
Walk Indoors Experiment large variations
range ~25 dB
highly reciprocal
hints that Alice‟s & Bob‟s bit streams will have very low mismatch
normal walk speed
distance = 10-15 ft
-75
-70
-65
-60
-55
-50
-45
RSS
Probes Alice Bob
Mobile Endpoints
24
Walk Outdoors Experiment Bike Ride Experiment
• more evidence - mobile devices likely to have very low mismatch
• effects of noise diminished by large scale variations
normal walk speed
20-25 ft distance
slow bike ride
10 ft or more distance
-85
-75
-65
-55
-45
RSS
Probes Alice Bob
-80
-70
-60
-50
-40
-30
RSS
Probes Alice Bob
Mobile Intermediate Objects & Stationary Endpoints
25
Crowded Cafeteria Experiment Experiment Across Busy Road
intermediate variation range (~8-16 dB), reciprocity
hints - Alice‟s, Bob‟s bit streams will have moderate mismatch
low speed mobility; distance = 10 ft high speed mobility; distance = 25 ft
-66
-62
-58
-54
-50
-46
RSS
Probes Alice Bob-79
-77
-75
-73
-71
-69
RSS
Probes Alice Bob
Predictable Channel Attack
novel attack
in „all stationary‟ settings Eve can cause predictable channel variations by controlling movements of
intermediate objects
break key extraction schemes without spending compute power
26
Predictable Channel Attack
no precision machinery required
Eve can produce zig-zag patterns, or any other pattern by controlling movements
no post processing will ensure security of extracted key!
27
-63
-58
-53
-48
-43
RSS
Probes
bits extracted: 0000 1111 0000 1111 …
Effect of Device Heterogeneity
greater mismatch than with homogeneous devices
mismatch low enough to help establish secret key
28
Walk Indoors Experiment
-85-80-75-70-65-60-55-50-45-40
RSS
Probes
Alice (Intel 3945 ABG) Bob (Atheros)
Comparison of Key Extraction Approaches in Various Settings
29
performance metrics entropy rate
mismatch rate
secret bit rate
single bit, multiple bit extraction
Comparison of Key Extraction Approaches in various Settings
30
• secret bit stream from ASBG
entropy close to 1
passes randomness tests of NIST test suite we conduct
0.00
0.25
0.50
0.75
1.00
Entr
op
y
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
stationary
mobile
intermediate
Comparison of Key Extraction Approaches in various Settings
31
• mobile settings yield bits with low mismatch rates
0.00
0.25
0.50
0.75
1.00
Entr
op
y
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
0.00
0.25
0.50
0.75
1.00
Mis
mat
ch R
ate
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
stationary
mobile
intermediate
stationary
mobile
intermediate
Comparison of Key Extraction Approaches in various Settings
32
• ASBG exhibits highest secret bit rate among those with entropy > 0.7
0.00
0.25
0.50
0.75
1.00
Entr
op
y
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
0.00
0.25
0.50
0.75
1.00
Secr
et b
it r
ate
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
0.00
0.25
0.50
0.75
1.00
Mis
mat
ch R
ate
Experiments Aono Mathur Tope Azimi-Sadjadi ASBG
stationary
mobile
intermediate
stationary
mobile
intermediate
stationary
mobile
intermediate
Multiple Bit Extraction
33
significant increase in secret bit rate at least 4 times (with N = 2) compared to single bit extraction
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
Mis
mat
ch R
ate
Experiments 2 bits Gray 3 bits Gray 4 bits Gray
0.00
0.25
0.50
0.75
1.00
Secr
et b
it r
ate
Experiments
1 bit 2 bits Gray 3 bits Gray 4 bits Gray
bit mismatch rate increases with N
Gray code assignment produces smaller mismatch rates
mobile
intermediate
mobile
intermediate
Summary
mobile settings best suited for key extraction due to low mismatch
don‟t depend solely on movements of limited intermediate objects beware of predictable channel attack!
our environment adaptive quantization scheme + information reconciliation + privacy amplification generates high entropy bits at high rate
34