On the Effectiveness of Secret Key Extraction from Wireless Signal Strength in Real Environments Suman Jana, Sriram Nandha Premnath Mike Clark, Sneha K. Kasera, Neal Patwari University of Utah Srikanth V. Krishnamurthy University of California, Riverside
Problem Definition wireless nodes, Alice & Bob, need to share secret key concerns with public key cryptography quantum cryptography too expensive less expensive solution - use inherent randomness in wireless channel to extract secret key bits 2
Wireless Channel Characteristics measured reciprocally at Alice, Bob when away by more than few multiples of wavelength, Eve cannot measure same channel channel varies with time 3
Use of Received Signal Strength (RSS) RSS Variations Alice Bob Alice Bob Probe Exchange & RSS Measurement Eve Alice, Bob expected to see identical RSS variations [Stutzman 82] realistically, they must deal with lack of perfect reciprocity RSS Variations Eve 4
Related Work Mathur 08, Li 06, Aono 05 extract single bit per measurement experimental results from limited indoor settings Alice, Bob do not communicate to handle mismatches will result in key disagreement in large number of cases Azimi-Sadjadi 07 suggested using 2 stages from quantum cryptography - information reconciliation, privacy amplification did not implement! 5
Our Contributions adaptive key extraction increases secret bit rate 4-fold implement information reconciliation to handle bit mismatch implement privacy amplification to reduce correlation between successive bits through extensive real world measurements, identify settings (un)suitable for key extraction expose new predictable channel attack in static settings 6
Overview adversary model secret key extraction real world measurements, results summary 7
adversary Eve Adversary Model listens to all communication between Alice, Bob can measure channel between herself and Alice, Bob separated from both parties by distance >> wavelength Eve not interested in disrupting communication between Alice, Bob Alice, Bob are not authenticated 8
Secret Bit Extraction RSS Measurements Quantization Information Reconciliation Privacy Amplification Secret Key Bits 9
Adaptive Quantization how to generate bits from RSS measurements? Upper Threshold Extract 1 Drop Drop adapt threshold for small blocks of measurements Lower Threshold Extract 0 Extracted Bits 1 1 1 0 1 10
Adaptive Quantization Extract Interval 4 Interval 3 Interval 2 Interval 1 10 11 01 00 adapt # intervals depending on range Extracted Bits - 11 10 11 10 10 11 01 00 01
Adaptive Quantization Extract Interval 8 Interval 7 Interval 6 Interval 5 Interval 4 Interval 3 Interval 2 Interval 1 111 110 101 100 011 010 001 000 adapt #intervals depending on range limit: N log [Range] Extracted Bits - 101 110 101 110 110 100 010 Adaptive Secret Bit Generation (ASBG)
Information Reconciliation [Brassard 06] differences in between bit streams of Alice, Bob arise due to noise/interference, wireless hardware limitations half-duplex nature of channel solution: exchange parity information of small blocks of bits locate, correct mismatches using binary search permute, iterate until probability [success] > threshold 13
Privacy Amplification [Impagliazzo 89] short-term correlation between subsequent bits when probing rate > (coherence time) -1 need to remove bits leaked during information reconciliation solution: apply 2-universal hash function h: {1 M} {1 m} for inputs x, y, probability [h(x) = h(y)] upper bounded by 1/m decreases output length, but increases entropy 14
laptops - Alice, Bob Implementation equipped with Intel PRO/Wireless 3945 ABG cards monitor mode for collecting RSS measurements use ipwraw driver for raw packet injection probes IEEE 802.11g beacon frames management frames prioritized over data frames allows better control over probing rate probing rate ~20 packets per second 15
Implementation privacy amplification 2-universal hash functions use BigNumber OpenSSL routines 16
Implementation 17
time RSS Measurement Protocol Initiator (Alice) Record RSS Record RSS Responder (Bob) Record RSS Record RSS packet losses handled by initiator 20 ms timeout for detecting packet loss responder discards last RSS if duplicate beacon sequence # 18
Measurement Goals in what kind of settings, key extraction works? how does device heterogeneity affect key extraction? 19
Experiments 1. Stationary Endpoints, Intermediate objects A. Underground concrete tunnel B. Ed Catmull Gallery C. Lawn 2. Mobile Endpoints D. Walk Indoors E. Walk Outdoors F. Bike Ride 3. Stationary Endpoints, Mobile Intermediate objects G. Crowded Cafeteria H. Across busy road 20
RSS Stationary Endpoints & Intermediate Objects -54-55 -56-57 -58-59 Underground Concrete Tunnel Experiment Probes Alice Bob snapshot of data collected for few seconds distance between Alice, Bob = 10 feet variations very small (range: ~2 db), exhibit poor reciprocity expect Alice s & Bob s bit streams to have very high mismatch small scale variations represent noise 21
RSS RSS Stationary Endpoints & Intermediate Objects -45-55 -65-75 -85 Gallery Experiment -62-64 Probes Alice Bob -66 distance = 30 ft -54-56 -58-60 Lawn Experiment Probes Alice Bob distance = 10 ft even typical stationary settings are no different from underground concrete tunnel! 22
RSS Mobile Endpoints -45-50 -55-60 -65-70 -75 Walk Indoors Experiment normal walk speed distance = 10-15 ft Probes Alice Bob large variations range ~25 db highly reciprocal hints that Alice s & Bob s bit streams will have very low mismatch 23
RSS RSS Mobile Endpoints Walk Outdoors Experiment Bike Ride Experiment -45-55 -65-75 -30-40 -50-60 -70-85 Probes Alice Bob -80 Probes Alice Bob normal walk speed slow bike ride 20-25 ft distance 10 ft or more distance more evidence - mobile devices likely to have very low mismatch effects of noise diminished by large scale variations 24
RSS RSS Mobile Intermediate Objects & Stationary Endpoints Crowded Cafeteria Experiment -46-50 -54-58 -62-66 Probes Alice Bob low speed mobility; distance = 10 ft Experiment Across Busy Road -69-71 -73-75 -77-79 Probes Alice Bob high speed mobility; distance = 25 ft intermediate variation range (~8-16 db), reciprocity hints - Alice s, Bob s bit streams will have moderate mismatch 25
Predictable Channel Attack novel attack in all stationary settings Eve can cause predictable channel variations by controlling movements of intermediate objects break key extraction schemes without spending compute power 26
RSS Predictable Channel Attack -43-48 -53-58 -63 Probes bits extracted: 0000 1111 0000 1111 no precision machinery required Eve can produce zigzag patterns, or any other pattern by controlling movements no post processing will ensure security of extracted key! 27
RSS Effect of Device Heterogeneity -40-45 -50-55 -60-65 -70-75 -80-85 Walk Indoors Experiment Probes Alice (Intel 3945 ABG) Bob (Atheros) greater mismatch than with homogeneous devices mismatch low enough to help establish secret key 28
Comparison of Key Extraction Approaches in Various Settings performance metrics entropy rate mismatch rate secret bit rate single bit, multiple bit extraction 29
Entropy Comparison of Key Extraction Approaches in various Settings 1.00 0.75 0.50 0.25 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG secret bit stream from ASBG entropy close to 1 passes randomness tests of NIST test suite we conduct 30
Mismatch Rate Entropy Comparison of Key Extraction Approaches in various Settings 1.00 0.75 0.50 0.25 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG 1.00 0.75 0.50 mobile settings yield bits with low mismatch rates 0.25 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG 31
Mismatch Rate Entropy Secret bit rate Comparison of Key Extraction Approaches in various Settings 1.00 0.75 0.50 0.25 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG 1.00 0.75 0.50 0.25 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG 1.00 0.75 0.50 0.25 ASBG exhibits highest secret bit rate among those with entropy > 0.7 0.00 stationary mobile intermediate Experiments Aono Mathur Tope Azimi-Sadjadi ASBG 32
Secret bit rate Mismatch Rate 1.00 0.75 0.50 0.25 0.00 Multiple Bit Extraction 0.35 0.30 0.25 0.20 0.15 0.10 0.05 mobile intermediate 0.00 mobile intermediate Experiments 1 bit 2 bits Gray 3 bits Gray 4 bits Gray Experiments 2 bits Gray 3 bits Gray 4 bits Gray significant increase in secret bit rate at least 4 times (with N = 2) compared to single bit extraction bit mismatch rate increases with N Gray code assignment produces smaller mismatch rates 33
Summary mobile settings best suited for key extraction due to low mismatch don t depend solely on movements of limited intermediate objects beware of predictable channel attack! our environment adaptive quantization scheme + information reconciliation + privacy amplification generates high entropy bits at high rate 34