Sunteți pe pagina 1din 10

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

2299

A Physical Layer Key Negotiation Mechanism to Secure Wireless Networks

Jikang Xia, Lan Chen, Ying Li, and Endong Tong

Institute of Microelectronics, Chinese Academy of Sciences, Beijing 100029, China Email: {xiajikang, chenlan, liying1, tongendong}@ime.ac.cn

AbstractThe rapid technological developments in computing technology and the proliferation of wireless network nodes with light infrastructure, have emerged large quantities of security requirements of informational privacy in cyberspace. Due to the inherent nature of open medium, diversity and variability of network topology, wireless networks are greatly difficult to secure by traditional methods. A physical layer key negotiation mechanism to secure wireless networks is proposed to quickly exchange and establish conventional cryptographic keys by exploiting the wireless channel’s characteristics. The physical layer key negotiation mechanism and its supplementary exception handling caused by the variations in communication paths are both described step by step. The simulation results verify the consistency of the keys of legitimate users, robustness and feasibility of this mechanism. Furthermore this cross-layer security technology is an exemplary complement to existing wireless network protocols to improve their security and enhances the ability to resist replay attacks, brute-force attack and eavesdropping.

Index TermsNetwork Security; Informational Privacy; Wireless Communication; Physical Layer; Key Negotiation; Cryptography

I.

INTRODUCTION

The rapid technological developments in computing technology and the proliferation of wireless network nodes with light infrastructure, have led to the emergence of an information society capable of gathering, storing, and disseminating increasing amounts of data embedded the informational privacy of humans in need to secure. Compared to mature secure wired communications, secure wireless communications becomes a challenging problem due to the inherent nature of open medium, diversity and variability of network topology, and is greatly difficult to secure by traditional methods. In typical communication systems, security technologies assume the channel is error free and rely currently on cryptographic schemes implemented at the upper layers or protocol stacks [1]. The conventional cryptographic schemes are based on the amount of calculation that the eavesdroppers cannot crack the encrypted information within the limited time constraints. However, in any real application the channels for legitimate users and passive eavesdroppers are not error free. With the growing of computing power, the key system based on existing mathematical difficulties is severely threatened. Increasing the key length is not a

© 2014 ACADEMY PUBLISHER

doi:10.4304/jnw.9.9.2299-2308

permanent solution to improve the security based on the

key system with big overhead over the network [2], whereas introducing information-theoretic securities can

be fundamentally solving this problem.

Conventional security services are mainly located at application level (as Internet) and other solutions exist for link layer (as in Wi-Fi [3], Bluetooth [4] or ZigBee [5]) and at network layer (as in IPSEC [6]). The security protocols tend to be layer-specific but ignore the most fundamental of communication layersthe physical layer. More and more attentions are driven on utilizing the fundamentals of the physical layer to provide secure wireless communications [7]. The multiple characteristics of wireless channel in special (for multi-antenna system)

or frequency (for OFDM system) or time (for time-

varying channel) domain serve as a powerful basis to illume new security ideas at the physical layer. Emerging approaches generally use the received signal strength indicator (RSSI) [8], or the signal envelope [9] as the channel characteristics. The information theory security is based on Shannon’s

perfect secrecy theory [10] and is developed by Wyner as the secrecy capacity of the wiretap channel [11]. There exist channel codes guaranteeing both robustness to transmission errors and a prescribed degree of data confidentiality [12]. The secrecy capacity can be achieved for certain wire tap channels using codes [13].

A space-time signal processing technique for secure

communication over wireless channels is presented in [14]. The current theory about physical layer security is not well established and these methods are also discussed primarily in academia. However, cryptography is a core technology of information security and is relatively mature [15]. A cross-layer technology of secure communication combined with traditional cryptographic- based protocols is inspired by literature reviews and it is relatively practical in application. A physical layer key negotiation mechanism is proposed to quickly exchange and establish cryptographic keys from the legitimate channel’s characteristics of uniqueness, reciprocity and unpredictability. In a system with time division duplex (TDD), the forward and the reverse channels are identical by the propagation reciprocity, while the channel to eavesdropper is

independent to that of the legitimate users due to multipath or attenuation. The transmitted bits are scrambled using a shared secret key based on the channel

2300

between two nodes to secure the wireless link without key management. The key’s updating mechanism natively draws support from the characteristics of wireless channels with time. The main contribution of this paper is a physical layer key negotiation mechanism for wireless networks, which provides information theoretic security by exploiting the characteristics of wireless channels. The rest of the paper is organized as follows. Section II provides a description of the system model and design issues. Section III presents the physical layer key negotiation mechanism in detail. The simulation and results analysis are presented in section IV. And section V gives the conclusions.

II. SYSTEM MODEL AND DESIGN ISSUES

A. System Model The simplest network where problems of secrecy and confidentiality arise is a three-terminal system comprising a transmitter Alice, the intended (legitimate) receiver Bob, and an unauthorized receiver, wherein the transmitter wishes to communicate a private message to the receiver. The unauthorized receiver is a passive eavesdropper Eve. Eavesdropping at the physical layer refers to hiding the very existence of a node or the fact that communication was even taking place from an adversary. The legitimate users (Alice and Bob) can generate a secret key through public communication over an insecure channel. This wireless network system is shown as Fig. 1. A legitimate user Alice sends messages S k over the channel (the “main” channel) to another user Bob. Bob observes the output of a discrete-time Gaussian channel given by

(1)

where h M (t) denotes the main channel (zero-mean) complex Gaussian channel function, x(t) is the modulated signal to transmit from Alice and n M (t) denotes a zero- mean complex Gaussian noise random variable. Assume that a third party (Eve) is capable of eavesdropping Alice’s transmissions. Eve observes the output of another discrete-time channel (the “wiretap”

channel) given

(2)

where h W (t) is the wiretap channel (zero-mean) complex Gaussian channel function, x(t) denotes the encoded signal to transmit from Alice and n W (t) is also a zero- mean complex Gaussian noise random variable. Meanwhile, we review the basic information theoretic security principles of wireless communications, which is described as follow. For a random variable X with distribution probability P X , its Shannon entropy is denoted by H(X) and is obtained as (3).

(3)

entropy is denoted by H(X) and is obtained as (3). (3) y M (t) = h

yM (t) = hM (t) x(t)+nM (t)

by yW (t) = hW (t) x(t)+nW (t)

h M (t) x(t)+n M (t) by y W (t) = h W (t) x(t)+n W

H(X)= Ex log PX (x)

where E is the expected value of the finite set χ, xχ. Given another random variable Y such that (X,Y) has

© 2014 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

joint distribution P XY , their conditional entropy of X given Y is formulated as (4).

H(X|Y)= Ex,y log PX |Y (x | y)

(4)

In Alices transmission, S k can be considered as a random variable from an arbitrary set such that SXY forms a Markov chain. For random variables X and Y with joint distribution P XY , their (Shannon) mutual information is denoted by I(X;Y) and is defined as:

I(X;Y) =

E

x

,

y

log

(

)

P XY

(

P X

x

Y

,

x P

(

y

y

)

)

(5)

The equivocation of the source (the confidential messages to be sent) at the output of the wiretap channel (what Eve receives) is defined as:

=

1

k

H

(

S

k

|

Z

n

)

(6)

The secret capacity C S of this setup is defined as the maximum transmission rate at =1. More detailed derivation can be acquired from [12].

Alice

CS max[I(S;Y)  I(S;Z)] (7) h M k S n x Main y Ŝ k
CS
max[I(S;Y)  I(S;Z)]
(7)
h M
k
S
n
x
Main
y
Ŝ k
M
Encoder
Decoder
Bob
Channel
h W
Wiretap
y
Z n
W
Eve
Channel
Figure 1.
The wiretap channel model

B. Characteristics of Wireless Channels It is widely known that wireless channel characteristics depend heavily on the location, the environment, and the movement of the transmitter and the receiver. According to the propagation principle of wireless channels [16], the characteristics of legitimate channels are reciprocity, uniqueness and unpredictability. The reciprocity and uniqueness of wireless channel indicate that the transfer function between transmitter and receiver is the same and unique. In a short period of time (less than the channel coherence time), at the same carrier frequency the wireless channel function from Alice to Bob is the same as that from Bob to Alice. These two channel functions are the same as (8). hAB (t)=hBA (t) (8)

The channel characteristic is uniqueness and location- related. As shown in Fig. 2, the distance between the legitimate users Alice and Bob is R. Alice sends the more than half wavelength (λ/2) from the enough information to Bob. The eavesdropper Eve located at from legitimate users, the channel characteristic measured by the eavesdropper is the same. When the distance between the legitimate users and the eavesdropper is more than the half carries wavelength, the channel characteristics of them are different. Eve observes the output of an

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

independent discrete-time wiretap channel. Eve’s channel function is different from Bob’s as (9).

(9)

Due to the variations of channel environment, multipath effect, Doppler Effect and rapid signal attenuation, the measurement of wireless signal by receivers is random and unpredictable. Therefore, this papers basic principle of information- theoretic security calls for the combination of cryptographic schemes with key negotiation mechanism that exploit the reciprocity, uniqueness and unpredictability of the communication channels to guarantee that the sent messages cannot be decrypted by an eavesdropper during the transmission. And our scenario is TDD based wireless network applications with mobile terminals moving at walking speed, so both the main and the wiretap channels are quasi-static channels and the channel characteristic varies slowly with time. Consequently, the channel function can be essentially constant during the transmission of an entire frame.

hAB (t) hAE (t)

Eve >λ/2 R Alice Bob Figure 2. The spatial location of Alice, Bob and Eve
Eve
>λ/2
R
Alice
Bob
Figure 2.
The spatial location of Alice, Bob and Eve

C. Physical Layer Security The physical layer security is based on the observation that the channel experienced in both directions are similar, whereas the channel properties experienced by an eavesdropper non co-located with either side of the transmission would exhibit significant differences with the channels experienced by the intended users [17]. The secure physical layer system relies on the unpredictable path loss (channel gain) of given wireless transmission link to prevent unauthorized access to the information or message data transmitted. According to the principle of reciprocity, the measurement of channel characteristics at the same time is the same. The channel characteristics are variable over time. So, at different time or in different locations, the eavesdropper’s measurement is different from the legitimate users’. The path loss can generally be characterized by the distance of the reception node from the transmission node in relation to a path loss exponent. By extracting the same channel characteristic of communicating, the both communication parties can independently generate the same key from the same channel characteristics. The eavesdropper cannot generate or predict the same keys which provide secure communications for the legitimate users. An approach of security at the physical layer is to rely on the channel variations of the wireless environment and seeks to use the unique space, time and frequency properties of wireless channels as the secret information between transmitters and receivers. Secrecy extraction

© 2014 ACADEMY PUBLISHER

2301

technique is a particularly promising direction for using the physical layer to enhance security as the basic step, namely the probing of the wireless medium in order to obtain the channel estimation, is also a fundamental step at general communication, i.e., channel state information [18] estimation is already performed in the physical layer of most wireless systems. Information-theoretic security characterizes the fundamental ability of the physical layer to provide security.

D. Encryption in Networks In a typical wireless networks system, a session key is distributed among the transmitting and receiving communication devices. The session key is then used by the transmitter to perform encryption at an upper layer of the Open Systems Interconnection (OSI) model [19], such as the application and transport layers. The OSI model defines a networking framework to implement protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, and proceeding to the bottom layer, over the channel to the next station and back up the hierarchy. The layers are stacked this way: Application, Presentation, Session, Transport, Network, Data Link, and Physical. Nowadays the cryptographic software and hardware to

perform encryption are widely available. Cryptography is the core technology of information security, encryption during data transmission can ensure the confidentiality and integrity. In the existing cryptography [20], encryption is the process of encoding information in such a way that only authorized parties can read it. In an encryption scheme, the message or information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable cipher text. An authorized party is able to decode the cipher text using a decryption algorithm, which usually requires a secret decryption key. And the most frequently used and most secure encryption algorithm is Advanced Encryption Standard (AES) [21] which has been adopted by the United States (US) government’s National Institute of Standards and Technology (NIST) for its symmetric- key encryption standard. AES is popular in the field of communications and networks, and remains the preferred encryption standard for governments, banks and high security systems around the world. That can be concluded the encryption algorithms on networks are relatively mature. However, to prevent security violations, cryptography methods are unceasingly seeking to generate larger and more complex randomly chosen keys and codes as the basis for encryption. The complexity of the encryption scheme is directly proportional to the expense of the system required to support the encryption scheme. Thus, it is desired to provide physical layer security to supplement and support conventional higher layer encryption techniques. And an encryption algorithm can randomly generate keys from the physical layer. An exemplary embodiment of the method of providing physical layer security relies upon the channel characteristics of a given wireless communication link to

2302

induce unknown errors in the channel data received by an eavesdropper. Based on the above, a cross-layer technology of secure communication combined with traditional encryption method is a wise move and will be introduced in Section III. It is possible to ensure information-theoretic security if the key is used as a one-time pad, which requires high rate of the keys’ generation.

III. KEY NEGOTIATION MECHANISM

A. Frame Structure

The key of the physical layer used by the legitimate transmitter and receiver is extracted from the characteristics of the same wireless channel. Before introducing the mechanism, the ameliorative structure of the physical frame is formatted as shown in Table I. The frame structure of the current communication protocol is usually composed of header and payload. In order to extract the characteristics of the channel, the customized secure physical layer frame is ameliorated and consists of four parts: header, RSSI, sequence number and payload. The header still allows a receiving device to synchronize and derive the channel estimation. RSSI is measured by the RF (radio frequency) part of receivers and used to help the receiver calculate channel gains. One of the disadvantages of wireless networks is the initial data exchange in a non-secure radio channel or anyway by sharing a common known cryptographic key. At the moment, sequence number (No.) is introduced and used to prevent replay attacks, which is 0 at initialization of the mechanism. In the subsequent communication process the receiving node de-frames the sequence number, adds one (No.+1), and then sends the frame. The payload (PSDU) carries the MAC (Medium Access Control) layer frame of variable length.

B. Keys Generation from Physical Layer Seeds

The flow of physical layer key generation is described in Fig. 3. The key is generated in receivers, and used to encrypt information in transmitters. Firstly, the seeds are described which is provided for keys generation from the physical layer extraction. The seed consists of the measured value of channel gains and the pseudo random number. The channel gain (path loss) is the difference value between transmitting power and the receiving power (RSSI). There are some measuring errors and finite word length effects of quantization in the actual measurement [22]. And traditional channel quantization based methods for keys generation usually suffer from the quantization error which may decrease the consistency of keys of legitimate users. Quantization, which is a kind of projection from real numbers to integers, is expected to extract the same parameters between legitimate users but different parameters for eavesdroppers. An approximate treatment of the quantized fixed bit-width channel gain is needed to guarantee the gains estimated by both communication parties Alice and Bob is equal. Secondly, because the physical frame is unencrypted in the initialization phase of the physical layer key

© 2014 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

generation in following part C, in order to further strengthen the security in the initialization, an m-bit pseudo-random number (PN) is introduced and combined with high Li bit (low i bits are truncated) channel gain to generate the physical layer encryption and decryption keys used for the upper layers. For convenience the m-bit pseudo-random numbers generated by the method of shift registers [23] beforehand is stored in a pool. Setting a volume M of the pool is sensible to reduce the memory cost. As (10) the sequence number of each frame divided by M is the remainder n. The pseudo-random numbers is selected the n th number from the pool with overlap based on the remainder n. Finally, the seed of physical layer keys can be expressed as (11). For example, the quantized measured gain is 10-bit, and the approximate treated is 8- bit to ensure the gains estimated by Alice and Bob is equal g A [7:0] = g B [7:0]. Besides the 8-bit pseudo-random number based on the sequence number (n) can be selected from the pool as Table II.

(10)

seed = n {gain No.(mod [L: L-i], M) PN (n)}

(11)

Thirdly, the key length used in the cipher determines the practical feasibility of performing a brute-force attack, with longer keys exponentially more difficult to crack than shorter ones. According to Landauer limit [24], a 128-bit symmetric key is computationally secure against brute-force attack. The physical seed becomes an upper layer 128-bit key by this way to maintain its randomness and enhance security. The seed and the upper layer protocols key can be mixed by exclusive OR (XOR) operations without altering the bit-width of the original key in existing protocols. And another advisable method is spreading the seeds by popular hash functions [25] or linear mapping for bit-width extension.

TABLE I.

FORMAT OF THE SECURE PHYSICAL LAYER FRAME

Header RSSI Sequence number Payload Non-encrypted part Encrypted part by upper layers Measure the receiving
Header
RSSI
Sequence number
Payload
Non-encrypted part
Encrypted part by upper layers
Measure the receiving
signal and get RSSI
De-Frame and get the
sequence number (No.)
Channel gain = Last
transmitting power - RSSI
Calculate the
remainder n as (10)
Quantize the channel gain
(low i bits are truncated)
Selecte the PN from
the pool based on n
Combine the quantized channel gain
and the PN to get a seed as (11)
The seed XOR the protocols
key is the final key

Figure 3.

The flow of the physical layer key generation

C. Keys Negotiation Mechanism The approach for security at the physical layer is to rely on the channel variations of the wireless environment. Channel gains are obtained from the transmitting power and RSSI as the indicator of channel characteristics. Automatic Repeat reQuest (ARQ) [26] is introduced by a

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

pair of data frame and ACK (acknowledgement) frame which is an error-control method for data transmission that uses acknowledgements (messages sent by the receiver indicating that it has correctly received a data

frame) and timeouts (specified periods of time allowed to elapse before an acknowledgment is to be received) to achieve reliable data transmission over an unreliable channel. If the sender does not receive an ACK before the timeout, it usually re-transmits the frame until the sender receives an acknowledgment frame or exceeds a predefined number of re-transmissions. It is guaranteed that the time interval of ARQ is less than the channel coherence time, and the reciprocity still holds. The physical layer key negotiation mechanism for secure wireless networks between Alice and Bob is presented as follow. In Fig. 4, P A represents the Alice’s transmitting power; r B represents the measured RSSI value by Bob; g A represents the channel gain calculated from Alice’s P A and r B ; key A ={g A [L:Li],PN(No.)} represents the Alices physical layer key which consists of the channel gains and the pseudo random number; E(key,{No., PSDU}) represents the encryption of sequence number and PSDU by the physical layer key; k indicates the number of times of key confirmation in step

3 (at initialization k=0), K max is the maximum time Alice and Bob attempting to confirm their keys. The physical frame header in each frame is fixed, so the following description eliminates it.

TABLE II.

The Pool of 8-bit Pseudo-random Number

n

PN(n)

n

PN(n)

n

PN(n)

0

01010111

6

10101011

12

00010110

1

10101110

7

01010001

13

00101100

2

01011011

8

10100010

14

01011000

3

10110110

9

01000011

15

10110000

4

01101011

 

10 16

10000110

 

01100111

5

11010110

 

11

00001011

 

 

Distance=R

 
 

Alice

 

Bob

(0)

(1)

(2)

(3)

(4)

k=k+1 {0,PSDU 0 } r B0 P A0 r B0 ,{1,ACK} r A1 P B1
k=k+1
{0,PSDU 0 }
r B0
P A0
r B0 ,{1,ACK}
r A1
P B1
g A =P A0 -r B0
r A1 ,E(key A ,{2,ACK})
r B2
P A2
g B =P B1 -r A1
No
r B2 ,{3,NACK}
No
r A3
k>K max ?
key B =key A ?
P B3
g A =P A2 -r B2
Yes
Yes
Failure,Quit!
r B2 ,E(key B ,{3,PSDU 3 })
r A3
P B3
g A =P A2 -r B2
r A3 ,E(key A ,{4,PSDU 4 })
r B4
P A4
g B =P B3 -r A3

……

Figure 4.

The normal flow of the physical layer key negotiation mechanism

The description of the key negotiation mechanism is presented step by step in the light of Fig. 4. Step 1: Alice transmits the physical frame unencrypted with sequence number and payload PSDU 0 to Bob at any

© 2014 ACADEMY PUBLISHER

2303

power P A0 . Bob receives this physical frame, measures the RF signal strength RSSI and obtains the value r B0 . Step 2: Bob transmits the physical frame unencrypted with sequence number, ACK message and r B0 to Alice at

any power P B1 . Alice receives this physical frame, measures the RF signal strength RSSI and obtains the value r A1 . According to the last transmitting power P A0 and RSSI value r B0 fed back by Bob, the wireless channel gain is calculated g A = P A0 r B0 and is the seed of secure communication key. Step 3: Alice transmits the physical frame encrypted by key A with sequence number, ACK message and r A1 at any power P A2 . Bob receives this physical frame, measures the RF signal strength RSSI and obtains the value r B2 . According to the last transmitting power P B1 and RSSI value r A1 fed back by Alice, the wireless channel gain is calculated g B = P B1 r A1 and is the seed of secure communication key. Combined with the pseudo- random number selected from the pool based on the sequence number, the payload is decrypted by key B and is ACK message for key confirmation. The specific flow of physical layer key negotiation is: If key A = key B then Bob gets ACK message and achieves confirmation of both the physical layer keys, otherwise Bob transmits the physical frame unencrypted with sequence number, NACK (Negative Acknowledgement) message and r B2 to Alice at any power P B3 . NACK message is used to inform Alice confirm the physical layer key again from step 1. If the attempting time exceeds the maximum K max , Alice and Bob exits this physical layer key negotiation mechanism

and returns to primary communication. Step 4: Bob transmits the physical frame encrypted by key B with sequence number, payload PSDU 3 and r B2 to Alice at any power P B3 . Alice receives this physical frame, measures the RF signal strength RSSI and obtains the

value r A3 . According to the last transmitting power P A2

and RSSI value r B2 fed back by Bob, the wireless channel gain is calculated g A = P A2 r B2 and is the seed of secure

communication key to decrypt the payload

Step 5: Alice transmits the physical frame encrypted by key A with sequence number, payload PSDU 4 and r A3

at any power P A4 . Bob receives this physical frame, measures the RF signal strength RSSI and obtains the

value r B4 . According to the last transmitting power P B3

and RSSI value r A3 fed back by Alice, the wireless

channel gain is calculated g B = P B3 r A3 and is the seed of physical layer key to decrypt the payload PSDU 4 . The subsequent communication flow is iterating step 4

and step 5. The first two steps of this mechanism is the

initialization phase of physical layer key generation. To

guarantee the measurement time interval is short, the quick response ACK message of ARQ is introduced. The third step is the physical layer key confirmation by decrypting the payload ACK message to determine the keys of both sides to be verified correctly. The subsequent secure communication is repeating step 4 and 5 base on the physical layer key. This mechanism applies to wireless networks of TDD communication systems.

PSDU 3 .

2304

D. Exception Handling The above flow applies to the situation the userslocations and obstacles in the communication path are not changed that means the gains measured by Alice and Bob is equal g A = g B in the communication processing. If the distance or obstacles between Alice and Bob is changed, causing the channel gain variation cannot be correctly used to decrypt the received frame, the flow is upgraded by adding a NACK step to notify communication parties to update their keys and resent the physical frame between step 4 and 5 in Fig. 4. The period of transmitting a frame is generally very short (in milliseconds), so any variation of position or obstacles can be summarized in the following two situations. After Alice sends a frame to Bob, namely, after the n- th step the channel function h (t) is changed. The exception handling of first situation is presented step by step in the light of Fig. 5.

(n)

(n+1)

(n+2)

(n+3)

(n+4)

(n+5)

(n+6)

h(t)=g

of Fig. 5. (n) (n+1) (n+2) (n+3) (n+4) (n+5) (n+6) h(t)=g Alice B o b r
of Fig. 5. (n) (n+1) (n+2) (n+3) (n+4) (n+5) (n+6) h(t)=g Alice B o b r

Alice

Bob

r P An
r
P
An

An-1 ,E(key An-1 ,{n,PSDU n })

h(t)=g'

r Bn

g Bn =P Bn-1 -r An-1

}) h(t)=g' r Bn g Bn = P Bn-1 - r An-1 r B n ,E(key
}) h(t)=g' r Bn g Bn = P Bn-1 - r An-1 r B n ,E(key

r Bn ,E(key Bn ,{n+1,PSDU n+1 })

P Bn+1
P
Bn+1

r Bn+2

r An+1 g An+1 =P An -r Bn P An+2
r An+1
g An+1 =P An -r Bn
P An+2

r An+3

g' An+3 =P An+2 -r Bn+2

P An+4
P
An+4

r An+5

r

An+1 ,E(key An+1 ,{n+2,PSDU n+2 })

r A n + 1 ,E(key A n + 1 ,{n+2,PSDU n + 2 })

g' Bn+2 =P Bn+1 -r An+1

P Bn+3
P
Bn+3

r Bn+4

g' Bn+4 =P Bn+3 -r An+3

P Bn+5
P
Bn+5
Bn+4 g ' Bn+4 = P Bn+3 - r An+3 P Bn+5 r B n +

r Bn+2 ,E(key' Bn+2 ,{n+3,NACK})

r An+3 ,E(key' An+3 ,{n+4,PSDU n+2 })

r A n + 3 ,E(key' A n + 3 ,{n+4,PSDU n + 2 })

B n + 4 ,E(key' B n + 4 ,{n+5,PSDU n + 5 }) Bn+4 ,E(key' Bn+4 ,{n+5,PSDU n+5 })

g' An+5 =P An+4 -r Bn+4

P An+6
P
An+6

r An+5 ,E(key' An+5 ,{n+6,PSDU n+6 })

r A n + 5 ,E(key' A n + 5 ,{n+6,PSDU n + 6 })

r Bn+6

g' Bn+6 =P Bn+5 -r An+5

……

Figure 5.

The flow of dealing with the variation of channel function h(t) after Alice sends a frame to Bob

Step n: Alice transmits the physical frame encrypted by key An-1 with sequence number, payload PSDU n and r An-1 at any power P An . Bob receives this physical frame, measures the RF signal strength RSSI and obtains the value r Bn . According to the last transmitting power P Bn-1 and RSSI value r An-1 fed back by Alice, the wireless channel gain is calculated g Bn = P Bn-1 r An-1 and is the seed of secure communication key to decrypt the payload PSDU n . At this moment the distance between Alice and Bob is changed from R to R'. Step n+1: Bob transmits the physical frame encrypted by key Bn with sequence number, payload PSDU n+1 and r Bn to Alice at any power P Bn+1 . Alice receives this physical frame, measures the RF signal strength RSSI and obtains the value r An+1 . According to the last transmitting power P An and RSSI value r Bn fed back by Bob, the wireless channel gain is calculated g An+1 = P An r Bn and is the seed of secure communication key to decrypt the payload PSDU n+1 . At this step the Alice’s key is the old key

© 2014 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

before variation and it can be used to decrypt the Bobs payload. Step n+2: Alice transmits the physical frame encrypted by key An+1 with sequence number, payload PSDU n+2 and r An+1 at any power P An+2 . Bob receives this physical frame, measures the RF

signal strength

According to the last transmitting power P Bn+1 and RSSI value r An+1 fed back by Alice, the wireless channel gain is calculated g' Bn+2 =P Bn+1 r An+1 . The estimated channel gain from communicating parties is not equal g' Bn+2 ≠g An+1 and Bob cannot decrypt its current payload PSDU n+2 due to the variation of positions. Bob wants Alice to resend the

payload PSDU n+2

Step n+3: Bob transmits the physical frame encrypted by key' Bn+2 with sequence number, NACK message and r Bn+2 to Alice at any power P Bn+3 . Alice receives th is

physical frame, measures the RF signal strength RSSI and obtains the value r An+3 . According to the last transmitting power P An+2 and RSSI value r Bn+2 fed back by Bob, the new channel gain is calculated g' An+3 =P An+2 r Bn+2 and is

the seed of secure communication key to decrypt the

payload. At this step Alices key has been updated and

confirmed, can be used to decrypt the payload NACK

message by which Alice understands Bobs intention.

Step n+4: Alice transmits the physical frame encrypted

with sequence number, payload PSDU n+2 and

by key' An+3

r An+3 at any power P An+4 . Bob receives this physical frame, measures the RF signal strength RSSI and obtains the

value r Bn+4 . According to the last transmitting power P Bn+3 and RSSI value r An+3 fed back by Alice, the wireless

channel gain is calculated g' Bn+4 =P Bn+3 r An+3 and is the

seed of secure communication key to decrypt the payload

PSDU n+2 .

RSSI and obtains the value r Bn+2 .

and to update its key.

Step n+5: Bob transmits the physical frame encrypted

by new key' Bn+4 to Alice at power P Bn+5 .

The subsequent communication flow is iterating step n+5 and step n+6.

h(t)=g

flow is iterating step n+5 and step n+6. h(t)=g (n) Alice r An g An =
flow is iterating step n+5 and step n+6. h(t)=g (n) Alice r An g An =

(n)

Alice

r An

g An =P An-1 -r Bn-1

r Bn-1 ,E(key Bn-1 ,{n,PSDU n })

h(t)=g'

Bob

P Bn
P
Bn
B n - 1 ,{n,PSDU n }) h(t)=g' B o b P Bn (n+1) (n+2) (n+3)
B n - 1 ,{n,PSDU n }) h(t)=g' B o b P Bn (n+1) (n+2) (n+3)

(n+1)

(n+2)

(n+3)

(n+4)

(n+5)

(n+6)

r Bn+1 g Bn+1 =P Bn -r An P Bn+2
r Bn+1
g Bn+1 =P Bn -r An
P Bn+2

r Bn+3

g' Bn+3 =P Bn+2 -r An+2

P Bn+4
P
Bn+4

r Bn+5

g' Bn+5 =P Bn+4 -r An+4

P Bn+6
P
Bn+6
P An+1
P
An+1

r An+2

r An ,E(key An ,{n+1,PSDU n+1 })

r
r

Bn+1 ,E(key Bn+1 ,{n+2,PSDU n+2 })

g' An+2 =P An+1 -r Bn+1

P An+3
P
An+3

r An+4

r An+2 ,E(key' An+2 ,{n+3,NACK})

r A n + 2 ,E(key' A n + 2 ,{n+3,NACK})

r An+4 ,E(key' An+4 ,{n+5,PSDU n+5 })

r A n + 4 ,E(key' A n + 4 ,{n+5,PSDU n + 5 })
r
r

B n + 3 ,E(key' B n + 3 ,{n+4,PSDU n + 2 }) Bn+3 ,E(key' Bn+3 ,{n+4,PSDU n+2 })

g' An+4 =P An+3 -r Bn+3

P An+5
P
An+5

r An+6

g' An+6 =P An+5 -r Bn+5

Bn+5 ,E(key' Bn+5 ,{n+6,PSDU n+6 })

……

Figure 6.

The flow of dealing with the variation of channel function h(t) after Bob sends a frame to Alice

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

The above flow applies to these situations in which the transceivers locations and obstacles in communication paths are changed in the communication processing. If the distance between Alice and Bob is changed, the similar method to deal with the variation of channel gain is by inserting a NACK step between step 4 and 5 in Fig. 4 to notify communication parties update keys and resent the physical frame. The mechanism of solving the variation of channel function after Bob sends a frame to Alice is similar as shown in Fig. 6. Due to the limited space, we do not give the detailed description in here.

IV. SIMLATION AND RESULTS ANALYSIS

After all the detail illustration of the physical layer key negotiation mechanism and its supplementary exception handling, we could conclude that the significant factors impacting the mechanism’s performance are the transmitting power (Tx power) and the quantized number of bits (Precise) of channel gains. Therefore, a simulation platform for the physical layer key negotiation mechanism of secure communication is built by Matlab tool and implemented in full digital by Verilog HDL (hardware description language) [27] to evaluate the probability of successful decryption by the keys, robustness and feasibility of this mechanism.

A. Probability of Successful Decryption The consistency of the keys of legitimate users Alice and Bob generated by this mechanism is the pivotal factor of the probability of successful decryption and simulated with 100000 physical layer frames in additive white Gaussian noise (AWGN) channel and is evaluated with the probability of successful (P S ) decryption by these keys. The pseudo-random number of the physical layer frame is free from outside influence. So the consistency of the keys is mainly constituted by the channel ga ins consistency which is relevant to the transmitting power and the number of bits of quantizing the channel gains. In Fig. 7 the more transmitting power is, the more accurate channel gain estimation is. Because SNR is proportional to the transmitting power, big SNR weakens the noise disturbance and is conducive to channel estimation. Increasing the transmitting power makes the channel gain estimation precise along with the quantized number of bits increasing. And the ability to resist eavesdropping is correspondingly enhanced by the randomness of seed increasing exponentially. For instance, the quantized channel gain is N-bit, and the randomness of seed of physical layer key is 2 N . However, increasing the quantized number of bits of the channel gains makes the inconsistency of legitimate users’ physical layer keys and reduces the probability of successful decryption. The less consistency keys are, the lower successful rate is. The error between the actual value and the estimated is caused by the finite word length effect in quantizing process. The high consistency of the keys ensures the least number of times of legitimate users attempting to confirm the keys. So there is a tradeoff to make the keys negotiation mechanism quick and secure between the transmitting

© 2014 ACADEMY PUBLISHER

2305

power (Tx power) and the quantized number of bits (Precise) of channel gains. It is
power (Tx power) and the quantized number of bits
(Precise) of channel gains. It is necessary to emphasize
particularly on one side (speed or security) of this
mechanism in different practical application scenarios.
1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
15
10
Tx power(dB)
5
11
10
9
8
0
7
6
5
4
3
2
1
P
S

Figure 7.

Precise

The probability of successful (P S ) decryption at different quantizing precise and transmitting power

1 Bob@4-bit 0.9 Bob@6-bit Bob@8-bit 0.8 Eve 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0
1
Bob@4-bit
0.9
Bob@6-bit
Bob@8-bit
0.8
Eve
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
0
5
10
15
20
PER

Figure 8.

SNR(dB)

The PER of Bob and Eve at different SNR, where Bobs quantized channel gains are 4-bit, 6bit and 8bit

1 Bob@0dB power 0.9 Bob@3dB power Bob@7dB power 0.8 Bob@10dB power Eve 0.7 0.6 0.5
1
Bob@0dB power
0.9
Bob@3dB power
Bob@7dB power
0.8
Bob@10dB power
Eve
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
0
1
2
3
4
5
6
7
8
9
10
PER

Figure 9.

Precise

The PER of Bob and Eve at different precise, where SNR =

15dB; Alices transmitting power are 0dB, 3dB, 7dB and 10dB

2306

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

2306 JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014 Figure 10. The waveform of the

Figure 10. The waveform of the secure communication of Alice and Bob with the physical layer key negotiation mechanism by Modelsim

B. Robustness of This Mechanism The robustness of this mechanism is simulated and defined by the Packet Error Rate (PER) at different SNR (signal to noise ratio) where the key consistency refers to the same bits of the key generated by two communication parties. For the evaluation of the key consistency, a wireless network system as Fig. 1 is built by Matlab (m file). Only if the receivers key is the same as the physical layer negotiation key, the receiver will be able to decrypt and decode the correct frame from Alice. As Fig. 8 shows, with Bob’s quantized number of bits of the channel gains increasing (4-bit6-bit8-bit), the inconsistency of legitimate users’ physical layer keys results in PER. And with the SNR increasing, the PER of legitimate user Bob at whichever the quantized number of bits is, is rapidly decreasing indicates Bob has better robustness than eavesdropper Eve. As Fig. 9 shows, this mechanism is simulated at SNR = 15dB and coherence with the depiction in part A: Increasing the transmitting power can make the quantized number of bits increase at the same PER. The simulation results verify the robustness of the proposed mechanism and shows that in a typical indoor environment (SNR>15dB), the PER of legitimate users is lower than 5%. The legitimate users’ decrypting error probability tends to zero, while the PER of eavesdropper Eve tends to one. Practically, it means null or negligibly eavesdropping probability and the eavesdropper is impossible to crack the key generated from this secure channel.

C. Feasibility of Mechanism This physical layer key generation and negotiation mechanism was implemented in full digital, coded in Verilog HDL and passed functional verification by Modelsim tool. To demonstrate this secure intercommunication clearly, the length of physical layer frame shrink to 32 bits. The transmitting physical layer frame consists of header (8h00), 8-bit quantized RSSI, 8- bit sequence number and 8-bit payload. RSSI is emulated by random fluctuation so that the extracted key can be updated. In order to ease of understanding, the payload of Alice is fixed at 8ha1 and Bobs is 8hb0. The seed of the key consists of 8-bit channel gain and 8-bit pseudo- random number chose from the pool. An AES IP (Intellectual Property) module is integrated in this design

© 2014 ACADEMY PUBLISHER

for encryption and decryption with this negotiated 128-bit physical layer keys. In the simulation waveform of Fig. 10, wireless network nodes (Alice and Bob) use this mechanism to secure communication. First, Alice sends an unencrypted frame to Bob. Then Bob receives it and responds with RSSI immediately. At this moment, Alice gets the channel gain, generates a physical layer key and sends an encrypted frame by this key. After Bob receives the encrypted frame and decrypts ACK message successfully, the physical layer key confirmation is achieved. Therefore the simulation of implementation verifies the feasibility and demonstrates that this simple realized method just takes three steps to quickly exchange and establish the cross-layer cryptographic keys with the key negotiation mechanism. And the keys can be used as a one-time pad because the rate of the keys generation is quite high.

D. Advantages of This Mechanism An information-theoretically secure cryptosystem cannot be broken even when the adversary has unlimited computing power. The adversary simply does not have enough information to break the encryption, so these cryptosystems are considered cryptanalytically unbreakable. Compared with conventional cryptography, the advantages of this mechanism with respect to conventional secure methods can be important. Firstly, this mechanism solves the challenges of vast key distribution and updating with the node increasing exponentially. The key distribution and updating does not rely on other trusted third parties to guarantee the secrecy of the key distribution, because the key is generated and updated by the wireless channel which is everywhere. Secondly, the management frames and the command frames (generally communication protocols encrypt the data frames only) are also encrypted by this physical layer keys because the method proposed is from bottom to top. Thirdly, the physical layer key is provided for the upper layers encryption, so it is a cross-layer security technology and an exemplary complement to existing wireless network protocols (like IEEE 802.11 or 802.15) to improve the security. Fourthly, introducing this mechanism framework does not affect the current wireless communication systems.

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

V.

CONCLUSIONS

In this paper, a physical layer key negotiation mechanism to secure wireless networks is proposed. The wireless networks applied this mechanism can quickly exchange the keys and establish the security protocol by exploiting the legitimate channel’s characteristics of uniqueness, reciprocity and unpredictability. The formulating seeds of physical layer keys are extracted from the channel gain with ACK/NACK pairs. The key negotiation mechanism and its supplementary exception handling are both described in detail. The simulation results verify the consistency of the keys of legitimate users, robustness and feasibility of this mechanism. Furthermore this cross-layer security technology is an exemplary complement to a wide variety of existing wireless network protocols (like IEEE 802.11 or 802.15) to improve the security and does not affect the upper layers of wireless networks.

ACKNOWLEDGMENT

The authors are grateful to three referees for suggestions that have helped to improve the original version of this article. This work was supported in part by Strategic Priority Research Program of Chinese Academy of Sciences under Grant No. XDA06040400 and the National Science & Technology Major Projects of China under Grant No. 2012ZX03005.

REFERENCES

M. Bloch, J. Barros, M. Rodrigues, and S. W. McLaughlin, Wireless Information-Theoretic Security,Information Theory, IEEE Transactions on, vol. 54, no. 6, pp. 25152534, June 2008.

[2] A. Perrig, and J. D. Tygar, Secure Broadcast Communication in Wired and Wireless Networks, Norwell, Massachusetts: Kluwer Academic Publishers, 2003. [3] “IEEE Std. 802.11-1999/8802-11 (ISO/IEC 8802-

[1]

[4]

11:1999)”, IEEE Standard for Information Technology, LAN/MAN-Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999. “IEEE Std. 802.15.1-2002”, IEEE Standard for

[5]

Information Technology, Telecommunications and Information Exchange Between Systems, Local and Metropolitan Area Networks: Specific Requirements, Part 15.1: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Wireless Personal Area Networks, 2002. “IEEE Std. 802.15.4-2003”, IEEE Standards for

[6]

Information Technology Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LRWPANs), 2003. S. Kent and K. Seo, “Security architecture for the Internet protocol,” Internet Engineering Task Force, RFC 4301,

2005.

[7]

R. Liu, and W. Trappe, Securing Wireless Communications

at the Physical Layer, Springer Publishing Company, 2009. [8] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H.

Sasaoka, Wireless secret key generation exploiting reactance-domain scalar response of multi path fading

© 2014 ACADEMY PUBLISHER

2307

channels,IEEE Transactions on Antennas and Propagation, vol. 53, no. 11, pp. 37763784, Nov. 2005. [9] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener, Robust key generation from signal envelopes in wireless networks,in Proceeding of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, pp. 401410, 2007. [10] C. E. Shannon, Communication theory of secrecy systems,Bell system technical journal, vol. 28, no. 4, pp. 656715, 1949. [11] A. D. Wyner, The wire-tap channel,Bell System Technical Journal, vol. 54, pp. 13551387, 1975. [12] I. Csiszár, and J. Korner, Broadcast channels with confidential messages,Information Theory, IEEE Transactions on, vol. 24, no. 3, pp. 339348, 1978. [13] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J. M. Merolla, Applications of LDPC codes to the wiretap channel,Information Theory, IEEE Transactions on, vol. 53, no. 8, pp. 29332945, 2007. [14] A. O. Hero, Secure space-time communication,Information Theory, IEEE Transactions on, vol. 49, no. 12, pp. 32353249, 2003. [15] C. Kaufman, R. Perlman, M. Speciner, Network security:

private communication in a public world , second edition, Prentice Hall Press, NJ, 2002. [16] D. Tse, Fundamentals of wireless communication, Cambridge university press, 2005. [17] A. Mukherjee, S. A. A. Fakoorian, J. Huang, and A. L. Swindlehurst, Principles of physical layer security in multiuser wireless networks: A survey,Computing Research Repository (CoRR), vol. abs/1011.3754, 2010. [Online]. Available: http://arxiv.org/abs/1011.3754 [18] T. L. Marzetta, and B. M. Hochwald. Fast transfer of channel state information in wireless systems,Signal Processing, IEEE Transactions on, vol. 54, no. 4, pp. 12681278, 2006. [19] H. Zimmermann, OSI reference model--The ISO model of architecture for open systems interconnection,Communications, IEEE Transactions on, vol. 28, no. 4, pp. 425432, 1980. [20] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications, vol. 2, Cambridge university press,

2009.

[21] J. Daemen, and V. Rijmen, Rijndael, the advanced

encryption standard,Dr. Dobbs Journal, vol. 26, no. 3, pp. 137139, 2001. [22] C. A. Fuchs, and K. Jacobs, Information-tradeoff relations for finite-strength quantum measurements,Physical Review A, vol. 63, no. 6, pp. 062305, May, 2001. [23] S. W. Golomb, L. R. Welch, R. M. Goldstein, and A. W. Hales, Shift register sequences, Laguna Hills: Aegean Park Press, 1982. [24] C. H. Bennett, Notes on Landauers principle, reversible computation, and Maxwells Demon,Studies in History and Philosophy of Science Part B: Studies In History and Philosophy of Modern Physics, vol. 34, no. 3, pp. 501510,

2003.

[25] J. S. Coron, Y. Dodis, C. Malinaud, and P. Puniya, Merkle-Damgård revisited: How to construct a hash function,in Advances in CryptologyCRYPTO 2005, Springer Berlin Heidelberg, pp. 430448, 2005. [26] S. Lin, D. Costello, and M. Miller, Automatic-repeat- request error-control schemes,Communications Magazine, IEEE, vol. 22, no. 12, pp. 517, 1984. [27] D. E. Thomas, and P. R. Moorby, The Verilog® Hardware Description Language, vol. 2, Springer, 2002.

2308

Jikang Xia was born in Yunnan Province, China, in 1986. He received the B.S. degree in Electrical Engineering from Southeast University, Nanjing, China, in 2009. He is currently pursuing the M.S. and Ph.D. degree with the Institute of Microelectronics, Chinese Academy of Sciences (IMECAS), Beijing, China. His research interests include wireless networks, network security, cryptograph, and wireless communication system.

Lan Chen was born in Sichuan Province, China, in 1968. She received the B.S. degree from the Department of Computer Science, Sichuan University, Sichuan, China, in 1988, the M.S. degree from the Institute of China Aerospace Science and Technology Corporation, Xi’an, Shanxi, China, in 1991, and the Ph.D. degree from the Institute of Computing Technology, Chinese Academy of Sciences (ICTCAS), Beijing, China, in

2000.

She is a professor at the Institute of Microelectronics, CAS, where she also leads the Common Technology Research Department and the Electronic Design Automation Center of CAS. She is in the expert group of several national key projects including National Science and Technology Major Project of the Ministry of Science and Technology of China. She has contributed to several premier achievements including 65/45nm

DFM technology, Loogson, 802.11a/b/g, eFlash IP, Zigbee,

© 2014 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 9, NO. 9, SEPTEMBER 2014

WiMax chips and Body Area Networks (BAN) with over 40 journal and refereed international conference papers and over 100 patents applications in the area of microelectronics. Her research interests include design for manufacture (DFM), advanced EDA technology, Wireless Sensor Network and IoT key technologies.

Ying Li was born in Tianjin Province, China, in 1982. She received the B.S. degree in microelectronics from Nankai University in 2005, and the M.S. degree and Ph.D. degree in circuit design and methodology from Peking University in 2008 and 2010, respectively. She is currently an associate professor of the Institute of Microelectronics, CAS. Her current research interest includes internet of things, wireless sensor networks, underwater communication system, and secure embedded system design.

Endong Tong was born in Shandong Province, China, in 1986. He received the B.S. degree from Shandong University, the M.S. degree and Ph.D. degree from the Institute of Acoustics, Chinese Academy of Sciences (China). Now, he is a research associate working at EDA center, Institute of Microelectronics, Chinese Academy of Sciences. His research interests include service computing, low power communication system and Sensor Network.