Efficient Physical-Layer Secret Key Generation and Authentication Schemes Based on Wireless Channel-Phase
Efficient Physical-Layer Secret Key Generation and Authentication Schemes Based on Wireless Channel-Phase
Longwang Cheng,1 Li Zhou,1,2 Boon-Chong Seet,3 Wei Li,1 Dongtang Ma,1 and Jibo Wei1
1School of Electronic Science and Engineering, National University of Defense Technology, Changsha, China
2Science and Technology on Information Transmission and Dissemination in Communication Networks Laboratory, Shijiazhuang, China
3Department of Electrical and Electronic Engineering, Auckland University of Technology, Auckland, New Zealand
Correspondence should be addressed to Li Zhou; nc.ude.tdun@5302iluohz
Received 3 February 2017; Accepted 30 April 2017; Published 10 July 2017
Academic Editor: Wei Tan
Copyright © 2017 Longwang Cheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Exploiting the inherent physical properties of wireless channels to complement or enhance the traditional security mechanisms has attracted prominent attention recently. However, the existing secret key generation schemes suffer from miscellaneous extracting procedure. Many PHY-layer authentication schemes assume that the knowledge of the shared key is preknown. In this paper, we propose PHY-layer secret key generation and authentication schemes for orthogonal frequency-division multiplexing (OFDM) systems. In the secret key generation scheme, to simplify the extracting procedure, only one legitimate party is chosen to probe the channel and quantize the measurements to obtain the preliminary key. The preliminary key is masked by the channel-phase after the mapping and before equalization and distributed to the other party. The final shared key is used for the PHY-layer authentication scheme in which random signals and the shared key masked by the channel-phase are exchanged at the PHY-layer. Then, a binary hypothesis test is formulated for authentication. Simulation results show that the proposed secret key generation scheme outperforms the existing schemes. For the PHY-layer authentication scheme, it is immune to various passive and active attacks and a high successful authentication rate is acquired even at low signal-to-noise ratio region.
With the continuous development of the wireless communications, people pay more and more attention to the security issue. The security mechanisms of traditional communications networks mainly rely on symmetric or asymmetrical encryption algorithms to achieve confidentiality and authentication. However, due to the lack of key management infrastructures and limited resources of the devices, the conventional security mechanisms may be inapplicable in wireless communications. In addition, the broadcasting nature of the wireless channels causes the wireless communication channel easily to be eavesdropped on or intercepted by an adversary [1, 2]. Therefore, the interest in exploiting the characteristics of the wireless channels at the PHY-layer to enhance and complement the conventional security mechanisms is growing, such as the secret key extraction from the characteristics of wireless channels [3–19] and PHY-layer authentication [20–27].
From an information-theoretic perspective, the authors of [3, 4] demonstrated that it is possible to extract secret key bits from the correlated random sources. Fortunately, with the properties of randomness, location-specific, and reciprocity, the wireless channels can be seen as natural correlated random sources. In , Hassan et al. firstly introduced the idea of generating secret keys from the characteristics of the wireless channels. Since then, many investigators pay attention to extract secret keys from received signal strength (RSS) [6–9], since the RSS is easy to acquire from the off-the-shelf wireless cards. However, these methods suffer from scalability and low secret key generation rate (KGR) which is defined as the average amount of secret key bits produced in one measurement/second [10–12]. To resolve these issues, researchers exploit the channel state information (CSI) to extract secret keys [13–15]. Besides, to increase the KGR, the orthogonal frequency-division multiplexing (OFDM) [18, 19] and multi-input-multi-output (MIMO) techniques in the PHY-layer are adopted.
Various efforts also have been made towards PHY-layer authentication, which can be recognized as a complement or an enhancement to the higher layer authentication mechanisms. In general, according to whether a shared secret key between the legitimate parties is utilized to authenticate each other or not, the existing PHY-layer authentication schemes can be divided into key based or keyless . In some practical cases, it might be difficult to implement the keyless authentication schemes [21–23]. This is because the features of either the transmitting device or the specific channel between the legitimate users, which are exploited to authenticate the transmission, are required to be identified. Instead, the authentication schemes based on the shared key between two legitimate users [25–27] are closer to the conventional challenge-response authentication protocols. In , the specific spatial and temporal multipath fading channel between the transmitter and the receiver was exploited for an authentication algorithm. The authors of  proposed a PHY-layer challenge-response authentication mechanism (PHY-CRAM) where the randomness and reciprocity of the wireless signal amplitude are exploited for authentication. In , a PHY-layer phase challenge-response authentication scheme (PHY-PCRAS) was proposed. It exploited the randomness and reciprocity of the channel-phase response to protect shared key from possible eavesdropping and achieve authentication.
However, the existing secret key generation schemes suffer from miscellaneous extracting procedure which may lead to a high secret key bits mismatched rate (BMR, defined as the ratio of the number of bits unmatched between Alice and Bob’s preliminary keys to the number of the preliminary key ) and an inefficiency in secret key generation. The key based authentication schemes assume that the knowledge of the shared key is preknown between the authenticated parties, but how to implement the secret key distribution is not given. In this paper, we propose PHY-layer secret key generation and authentication schemes for OFDM systems. Both schemes exploit the randomness and reciprocity of the channel-phase response that is very sensitive to the distance between the legitimate parties. In the secret key generation scheme, to simplify the extracting procedure, only one legitimate party is chosen to probe the channel and quantize the measurements to obtain the preliminary key. After mapping and before equalizing, the preliminary key is masked in the channel-phase and then distributed to the other legitimate party. The final shared key is used for the PHY-layer authentication scheme in which random signals and the generated shared key masked by the channel-phase through mapping and before equalizing are exchanged at the physical layer. Then, a binary hypothesis test is formulated for the authentication procedure.
The security strength of our proposed schemes relies heavily on the randomness of the fading channel and the relative geographic location of the attacker and legitimate users, because the channel-phase response is sensitive to the distance between the legitimate parties. That is, even when the attacker’s computational power is increased, the security of our schemes is guaranteed.
The major contributions of this paper are summarized as follows:(i)To simplify the secret key extraction procedure, we propose a secret key generation scheme based on the channel-phase response in which only one node is chosen to generate the preliminary key and further the preliminary key is masked by the channel-phase after mapping and before equalizing and distributed to the other node.(ii)Extensive simulations are conducted to compare the secret key generation performance of the prior works with the proposed scheme and the security of the keys is evaluated under passive attack.(iii)With the aid of the secret keys extracted in the proposed secret key generation scheme, we propose a PHY-layer authentication scheme based on the channel-phase response in which the shared key masked by the channel-phase is exchanged at the PHY-layer.(iv)The judgement of the authentication is transformed into a binary hypothesis test and the security strength is analyzed under various types of attacks.
The remainder of this paper is organized as follows. In Section 2, we introduce the system model for the two proposed schemes. The procedure and performance of the proposed secret key generation scheme are analyzed in detail in Section 3. In Section 4, the proposed PHY-layer authentication is presented and the security and performance of the scheme are evaluated. Finally, concluding remarks are made in Section 5.
2. System Model2.1. System Model Description
As shown in Figure 1, an OFDM network with three nodes, in which Alice and Bob are legitimate nodes and Eve is an adversary, is considered. Each node is equipped with a single antenna. All nodes work in half-duplex mode and a time-division duplex (TDD) system is employed. The forward and reverse propagation channels are identical during coherence time by reciprocity. The distance from Eve to both Alice and Bob is more than /2, where is the wavelength of the radio waves; thus the wiretap channels and the legitimate channel are uncorrelated .
Figure 1: The system model.
2.2. The Assumptions
It is assumed that the subcarriers are well separated for ensuring independent fading, which ensures the randomness of the extracted secret keys and the independence of the subchannels.
For the secret key generation case, Alice and Bob want to build a shared secret key. Eve, a passive adversary who tries to obtain the key by eavesdropping, can monitor all the communications during the secret key extraction and neither modify any messages exchanged between Alice and Bob nor jam the legitimate channel. For the PHY-layer authentication case, Alice and Bob try to authenticate each other. Eve is an active attacker who not only can listen to the communications for authentication but also perform various active attacks.
The procedures and parameters of the secret key generation scheme and the PHY-layer authentication scheme adopted by Alice and Bob are assumed to be open to Eve.
2.3. Channel Reciprocity
The principle of the short-term reciprocity of the radio channel is the basis of the two proposed schemes. As discussed in , this is guaranteed because, in the real environments compared to channel coherence time , the processing time of channel probing or authentication can be much smaller. For example, we consider the 2.4 GHz radio frequency carrier. For a mobile scenario, the channel variation is mainly due to Doppler effects and when the relative speed between the transmitter and receiver is , the Doppler frequency is . Empirically, the channel coherence time which is related to the maximum Doppler frequency shift can be calculated as . In our proposed schemes, the processing time, which demands for channel coherence, includes double propagation time and transmitting time and one operation delay . For 5 MHz sampling rate, it takes about to transmit an OFDM symbol with 64 subcarriers and 16 cyclic prefix samples. When the distance is 3000 m, the propagation time . In general, the transmitting time is in the same order of the operation delay. Then the total processing time is much smaller than the coherence time in our two proposed schemes.
3. Secret Key Generation and Performance Analysis3.1. The Proposed Secret Key Generation Scheme
Compared to single carrier systems, OFDM systems can provide extra randomness in view of the use of multiple subchannels. In this paper, we propose a secret key generation scheme based on the channel-phase response of OFDM systems in frequency domain.
In general, a secret key generation scheme consists of the following four steps:(1)Channel probing: Alice and Bob alternately and periodically send the probe signals to each other to obtain the characteristics of channel between them.(2)Measurement quantization: Alice and Bob separately quantize the collected channel characteristics into bit vector to obtain a preliminary secret key bits.(3)Information reconciliation: due to the nature of half-duplex and noise, a small number of Alice and Bob’s preliminary keys may be mismatched. They exchange messages to agree on a synchronized key.(4)Privacy amplification: since the messages exchanged in the information reconciliation phase are open to Eve, they may be exploited by Eve to infer the generated keys. To address this issue, Alice and Bob apply privacy amplification method to eliminate Eve’s partial information about the key and obtain a shared key.
We can find that, for half-duplex mode, the legitimate nodes have to transmit probe signals alternately to characterize the channel, which means they cannot probe the channel simultaneously. After collecting sufficient measurements, they quantize the measurements into preliminary keys separately. These phases may bring estimation error and quantization error, which may lead to many mismatched bits between the preliminary keys generated by the legitimate parties. Thus, the cost to reconcile the mismatched bits is high.
In this paper, to address this problem, we propose a scheme in which only one of the legitimate nodes is chosen to perform the channel probing and measurement quantization. This simplifies the procedure of secret key generation and eliminates the estimation error and quantization error.
Under the principle of reciprocity, we set . To maintain the reciprocity requirement, for each of Alice to Bob’s channel probes, the corresponding Bob to Alice’s channel probe event must be conducted within the coherence time of the channel. The process of the proposed secret key generation scheme is depicted in Figure 2 and the detailed steps are as follows. (Note that throughout this paper, the signals and equations are in frequency domain.)
Figure 2: The process of the secret key generation.
Step 1 (channel probing). The experiments in  revealed that, in certain environments, due to lack of variations in the wireless channel, the extracted bits have very low entropy making these bits unsuitable for a secret key, which can cause predictable key generation by an adversary in these static environments. To prevent this, during channel probing, we utilize random signals to probe the channel. Suppose that Bob is chosen to probe the channel and quantize the channel measurements. Thus, Alice transmits the random probe signal to Bob, where , for , and is the number of the subcarriers of the OFDM system. The random signal is unknown to Bob and Eve.
Without loss of generality, we only take the th () subcarrier, for example. Thus, the received signal at Bob can be expressed as where denotes the th subchannel response of the legitimate channel in frequency domain and is the underlying subchannel-phase response. The subchannels are independent and identically distributed (i.i.d.) and . is the i.i.d. complex Gaussian noise with zero mean and variance .
Based on the received signal, Bob gets the subchannel-phase response estimation as where is the phase estimation error. Note that the phase of the random probe signal is contained in the subchannel-phase response estimation, so we treat as equivalent subchannel-phase response estimation.
If Eve is in close proximity to Bob (here the “close” means that the distance between Eve and Bob is much smaller than , which may lead to highly correlated and ), she may infer the preliminary key easily based on her observations. To reduce the risk, Bob adds a stochastic coefficient to as where is uniformly distributed over and . Bob obtains the vector records as .
Step 2 (measurement quantization and preliminary key distribution). Bob quantizes the vector records into bit vector to obtain the preliminary key. Firstly, Bob divides the interval into subintervals, where is the number of quantization levels, which is bounded by the mutual information between Alice and Bob . Thus each can be quantized to binary bits. The th () subinterval is . Secondly, gray code is used to assign a binary code word with bits to each subinterval. A quantization example with is illustrated in Figure 3.
The th record can be quantized as After quantization, Bob obtains the preliminary key as .
Then, Bob sends “probe signal” to Alice. Different from the constant probe signal and , this probe signal, in fact, is the preliminary key after mapping and before equalizing. Thus, the probe signal can be expressed as where denotes the mapping operation on the preliminary key and is the th input secret key sequence with length (). When , a mapping function can be designed asThe mapping function is known to Alice. The subtraction term in (5) denotes the preequalization process using the equivalent subchannel-phase response estimation. In fact, the preequalization process can be seen as an encryption operation; thus the preliminary key is masked by the subchannel-phase response estimation.
Alice’s received signal can be expressed as where is the i.i.d. complex Gaussian noise. Based on the reciprocity between the forward and reverse links and substituting with (2), (7) can be simplified as As observed in (8), during the receiving, Alice completes the subchannel-phase equalization and eliminates the encryption based on the channel reciprocity. Alice further multiplies (8) by the random probe signal and gets Then, Alice performs unmapping on the phase of to acquire the preliminary key transmitted by Bob.
In conclusion, in this step, Bob firstly obtains the preliminary key by quantizing the vector records and randomly chooses key bits from the preliminary key as the input key sequences of the mapping function. Secondly, these key sequences are mapped, preequalized, and transmitted to Alice. Lastly, Alice acquires these key sequences based on the channel reciprocity. So the preliminary key is distributed from Bob to Alice.
Figure 3: A quantization example with .
Step 3 (information reconciliation and privacy amplification). Note that, in our scheme, we assume that the length of the preliminary key is . In practical systems, this length may be much longer, which in turn may require more rounds of channel probing and secret key distribution. Alice and Bob need to update the random probe signal vector and the stochastic coefficient vector , respectively, after each round.
Due to the noise, a small number of mismatched bits may exist in the preliminary keys of Alice and Bob. Then, the mismatched bits are reconciled by using BCH codes to get synchronized keys. The privacy of the synchronized keys is subsequently enhanced by using a hash function to obtain a secure and common key.
During the secret key generation process, Alice and Bob should do Steps 1 and 2 fast enough to ensure that is not more than the coherence time. We can observe that due to the random probe signal, the randomness of the channel is ensured even if the environments are static. So it also can address the highly correlated and unsecure key bits problem in stationary environments .
3.2. Performance Analysis
In this subsection, we will analyze the proposed secret key generation scheme and evaluate its performance in terms of the secret key capacity, bits mismatched, and key generation rates.
3.2.1. Security Analysis
Eve is a passive attacker and only can listen to the communications during secret key generation. For ease of analysis, we neglect the effect of noise in Step 1 so that Eve’s received signal from Alice is where is the th subchannel from Alice to Eve. In Step 2, Eve’s received signal from Bob can be expressed as where is the th subchannel from Bob to Eve. We can find that the factors which influence Eve to derive the key bits are the phases of , , , and , that is, , , , and . Besides, the stochastic coefficient also impairs Eve’s inference to some extent.
To reduce the factors, Eve can multiply (10) by (11) and obtains Then, the factors are reduced to , , and . Note that since the phase of the signals transmitted by Alice and Bob in Steps 1 and 2 is random, it is hard for Eve to estimate the phases of and . Thus, it is difficult for Eve to derive the generated keys and we will analyze various cases in the following.
Firstly, both Alice and Bob are far away from Eve, so that the wiretap channels (i.e., and ) and the legitimate channel (i.e., ) are uncorrelated, along with the random signal and stochastic coefficient ; for Eve, it is almost impossible to obtain the generated secret keys from her measurements.
Then, an aggressive case, where Eve is close to Bob, is considered. In this case, . Then (10) can be approximately simplified as Then the phase of is approximately equal to Bob’s equivalent subchannel-phase response estimation . So for Eve it is possible to infer the preliminary key by the same quantization approach. However, due to the random coefficient , which is unknown to Eve, the probability of obtaining the key based on is low. In (11) and (12), since is uncorrelated with , for Eve it is improbable to derive the distributed preliminary key.
Lastly, we consider that Eve is close to Alice. Under this circumstance, , so (11) becomes Since is random and unknown to Eve, she cannot infer the key based on . In this situation, is uncorrelated with , so it is obvious that Eve cannot obtain the key based on (10) and (12).
In conclusion, when Eve is a passive attacker, the secret key cannot be derived only by her observations and Alice and Bob can still establish a secure key. In fact, the channel-phase response is sensitive to the distance between Alice and Bob, so for Eve it is more difficult to infer the secret key bits from her measurements of the channel-phase. In addition, in , the authors pointed out that applying error-correcting codes on the preliminary key with reasonable rate can ensure the correct preliminary key for Alice in theory, while ensuring useless information for Eve. It means that we can design an error-correcting code with proper rate to further ensure the security of the proposed scheme.
3.2.2. The Secret Key Generation Performance
Firstly, the secret key capacity which is defined as the maximum available key generation rate  is considered. Since the subchannels are independent, for ease of analysis, we only take one of the subchannels, for example. Our proposed scheme can be approximatively modeled as Bob generating a random source and Alice observing the random source as , where is one of the subchannel responses and is the observed noise. Alice and Bob extract secret keys from the phases of and , that is, and , respectively. Assuming that Eve’s observations are uncorrelated with Alice’s, the secret key capacity can be expressed as  where symbol denotes the mutual information between two random variables. Since the joint probability density function of and is difficult to calculate, we adopt the information theoretical estimators (ITE) toolbox to estimate the secret key capacity . The input of the ITE is , where , ], and is the length of the input. In the simulations, the signal-to-noise ratio (SNR) is defined as
The secret key capacity of the proposed secret key generation scheme is compared with the existing channel-phase based secret key generation scheme  and channel-gain based secret key generation scheme  in Figure 4. During channel probing, the channel condition of these three schemes is identical. We can clearly observe that, in contrast to the channel-phase based and channel-gain based schemes, our proposed scheme achieves a greater secret key capacity. For example, when SNR is 10 dB, the secret key capacity of the proposed scheme is 34% and 170% greater than the channel-phase based scheme and channel-gain based scheme, respectively. Note that the secret key capacity of the discussed OFDM systems is times of those shown in Figure 4.
Figure 4: The secret key capacity of different schemes.
Secondly, we analyze the secret key bits mismatched and key generation rates. The BMR and KGR of the proposed scheme are evaluated through Monte-Carlo simulations under multipath channels and further are compared with the channel-phase based and channel-gain based schemes. Since it does not need to estimate the CSI during channel probing, in the simulations, the probe signal contains two OFDM symbols, that is, one pilot symbol for synchronization and one symbol for signal phase estimation. The carrier frequency of the OFDM system is 2.4 GHz and the number of the subcarriers is . We consider the multipath Rayleigh fading channel with 2 us constant delay time and the maximum Doppler frequency is 0 Hz (suppose that Alice and Bob remain static in the simulations). The sample interval is 0.25 us.
These three schemes adopt the same quantization method, that is, equal interval quantization method, in which the characteristics space is divided on average into subspaces. The same information is reconciled and privacy amplification approaches are employed. Note that, theoretically, the bit length of the resulting quantization should be bounded by the mutual information between Alice and Bob . In other words, the quantization level should not be higher than the secret key capacity, that is, . However, for ease of analysis, the quantization levels for the three schemes are all set as .
Figures 5 and 6 show the BMR and KGR performance of these schemes, respectively. From these two figures, we can observe that the BMRs of these schemes decrease, while the KGRs increase as SNR increases. The primary reason is that the accuracy of the channel estimates obtained in the channel probing phase increases as SNR increases. The BMR and KGR performances of the proposed scheme exhibit apparent superiority to the other schemes. For example, when SNR = 10 dB, the BMR and KGR of the proposed scheme decreases by 41% and increases 6.6%, respectively, compared to the channel-phase based scheme.
Figure 5: The BMR performance of different schemes.
Figure 6: The KGR performance of different schemes.
Lastly, the randomness of the secret key is analyzed. A cryptographic key should be substantially random; otherwise, an adversary can crack the key with low cost. A widely used randomness test suite NIST  is employed to verify the randomness of our generated secret key bits. The NIST test suite is a statistical package consisting of 16 tests which were developed to test the randomness of binary sequences. To pass the test, all the values of the 16 tests should be at least greater than 0.01. We randomly select 10-bit sequences generated from our simulations at SNR = 10 dB. Due to the limitation of bit length, we run eight typical tests. The results in Table 1 shows that our generated bit sequences pass the NIST test and their average entropy is close to that of a truly random sequence.
Table 1: The evaluation of randomness test.
4. PHY-Layer Authentication Scheme and Performance Analysis4.1. PHY-Authentication Scheme
In the proposed secret key generation scheme, the legitimate parties establish a shared key which can be used for the encryption and authentication. The existing key based authentication schemes assume that the knowledge of the shared key is preknown between the authenticated parties, but how to achieve the secret key distribution is not given. Consider that the shared key between the authenticated parties is generated by our proposed secret key generation scheme.
After establishing a shared key and a period of time without communication, if Alice and Bob want to establish a communication, they need to authenticate each other. In this section, we propose a challenge-response PHY-layer authentication scheme for OFDM systems, which exploits the short-term reciprocity and randomness of the channel-phase response in TDD mode. Generally, Alice and Bob need a two-way authentication process to achieve the mutual authentication. However, the one-way authentication process is enough to describe the process, since both directions of the two-way authentication employ the same regulation. We assume that Alice wants to communicate with Bob, who in turn needs to verify the identity of “Alice” based on the proposed challenge-response PHY-layer authentication scheme (here Bob is assumed to be legitimate, while, for the illegitimate Bob, it will be analyzed later). The process of the proposed PHY-layer authentication scheme is shown in Figure 7 and the detailed stages are as follows.
Figure 7: The process of the PHY-layer authentication.
Stage 1. Alice transmits an authentication request signal to Bob. The authentication request signal contains the frame type, time stamp information, media access control address, and so forth.
Stage 2. After receiving the authentication request, Bob contemplates that “Alice” wants to communicate with himself. Then Bob generates a response signal vector and sends to “Alice,” where and for . is the number of the subcarriers. The random response signal vector is unknown to Alice and Eve.
Stage 3. The received signal of the th subcarrier in frequency domain at Alice is where denotes the th subchannel response from Bob to Alice and is the underlying subchannel-phase response. The subchannels are i.i.d. and . is the i.i.d. complex Gaussian noise with zero mean and variance . Alice is not concerned with what Bob transmits but only estimates the phase of the received signal. The estimation can be expressed as where is the phase estimation error.
Then, to generate a tagged signal vector for authentication, Alice processes her shared secret key by using the mapping function and preequalizes the mapped key by subtracting the phase estimation vector (here the length of the shared key is assumed to be long enough). The tagged signal at the th subcarrier is Alice sends the tagged signal to Bob. As processed in (18), the secret key for authentication is masked by phase estimation and it is difficult for a passive attacker to crack the authenticated secret key.
Stage 4. Bob’s received signal is where denotes the th subchannel response from Alice to Bob, and is the underlying subchannel-phase response. is the i.i.d. complex Gaussian noise. Alice and Bob perform these steps fast enough to ensure the time interval from Stages 2–4 is smaller than the coherence time; thus . Then (19) can be simplified as We can find that the channel-phase equalization has been completed during the receiving. Bob multiplies by his response signal and gets , where denotes element-wise multiplication.
The th element of can be expressed as Then Bob obtains the signal which only contains the mapped secret key from Alice and estimation error. Based on , combining his shared key, Bob needs to judge whether the other party is Alice or not. There are two solutions for this judgement. A straightforward solution is to check the difference between the obtained authenticated key from “Alice” and his own secret key , where . The difference is defined as , where is the XOR operation. If , Bob determines that the other party is Alice; otherwise it is not, where is a constant real number. However, it is hard to determine in practical systems. Thus, we provide another solution in which the authentication judgement is formulated as a binary hypothesis test.
From (21), we can find that the phase of is mainly affected by the mapped authenticated key. In order to eliminate the influence of the authenticated key, similar to , we generate a variable with the expression as where denotes transpose operation. Thus, the binary hypothesis test can be expressed as where denotes the authenticated key possessed by “Alice.” For and , the corresponded and areBased on (24), Bob makes a final decision by comparing with a threshold . If is true, then Bob judges that the other party is Alice; otherwise, it is not.
Now, it is essential to find the threshold . We can see that, in both hypotheses, is the sum of dependent normally distributed random variables. The resulting sum is still normally distributed ; thus its amplitude obeys Rice distribution. The probability density function of is where , . and denote the mean and variance of , respectively. is the zero-order modified Bessel function of the first kind. Based on , we can calculate the false acceptance rate (the rate that the attacker passes the authentication) as where . is Marcum function. Thus, for a given false acceptance rate , the threshold value can be calculated by (27). Furthermore, we can get the successful authenticate rate (the rate that the legitimate user passes the authentication) as
4.2. Security Analysis
To evaluate the security of the proposed scheme, in this section, we analyze various types of attackers.
Eve, as the adversary, knows Alice and Bob’s PHY-layer authentication scheme. When Eve is a passive attacker, she only can listen to all the communications inside the network and attempts to learn the shared key from the information that she eavesdropped. In Section 3.2, we have analyzed that it is almost impossible for Eve to crack and infer the shared key during the secret key generation. Thus, during the authentication, it is also difficult for Eve to derive the shared key and pass the authentication as a passive attacker, and the analysis process is similar. Therefore, we mainly consider the case that Eve is an active attacker. When Eve is an active attacker, she can perform three types of attacks, namely, impersonation attacks, jamming attacks, and replay attacks.
4.2.1. Impersonation Attacks
Eve can impersonate Alice or Bob under impersonation attacks. If Eve initiates Stage 1 (sends authentication request to Bob), she can hardly succeed. The reason is that Bob’s response contains no information about the shared key in Stage 2. If Eve impersonates Alice in Stage 3 and sends a tagged signal to Bob, she will not be authenticated by Bob as she has no information about the authenticated key. Compared to the other two stages, Stage 2 is more vulnerable, since, during Stage 1, Alice does not know the legitimacy of its counterpart. In this case, Eve impersonates Bob and may steal the authenticated key from the tagged signal of Alice. To solve this problem, the authors in  proposed a mutual authentication approach by sharing two distinguished keys, and , between Alice and Bob. However, the keys of Alice and Bob generated by the secret key generation scheme are identical in our scheme, which means that the mutual authentication approach cannot be applied directly. To solve this problem in our scheme, after Alice has been authenticated by Bob, they drop the authenticated key. When Alice authenticates Bob, they choose new authenticated key from the remaining shared key. If Bob cannot provide a valid tagged signal, Alice would consider that this “Bob” is impersonated. Thus, Eve cannot actively steal the shared key and pass the authentication under impersonation attacks.
4.2.2. Jamming Attacks
As discussed in , Eve can attempt to disrupt the authentication procedure by jamming attacks. When she performs jamming in Stage 2, it may make Bob unable to authenticate Alice, which means the denial of service. However, the frequent jamming in Stage 2 is apt to be detectable. When Eve jams Stages 1 and 3, the jamming signal may be viewed as interference, and, if the jamming signal is not AWGN-like, it can be suppressed through conventional interference rejection techniques.
4.2.3. Replay Attacks
In Stages 2 and 3, Eve’s received signals in the noiseless setting are, respectively, given by where and are the th subchannel from Bob to Eve and Alice to Eve, respectively. In a signal replay attack, Eve can store the waveforms as shown in (29) and (30) and simply replay the waveforms (since the signal in Step 1 contains no information about the shared key, we ignore Eve’s replay of this signal). If the waveform in (29) is replayed, Alice will send the tagged signal since Alice does not know the legitimacy of its counterpart. Then Eve can get the authenticated key from the tagged signal. This case is similar to the impersonation attack in which Bob is impersonated by Eve, so we can employ the mutual authentication approach to address this problem. If the waveform in (30) is replayed, since the channel-phase response between two legitimate users is unique and cannot be revealed to Eve, the signal received by Bob will be It is obvious that Bob will not accept it.
From the analysis above, we can find that, under various active attacks, it is nearly impossible for Eve to obtain the authenticated secret key or be authenticated by Alice or Bob.
4.3. Performance Evaluation
In this subsection, we present extensive simulations to demonstrate the effectiveness of the proposed scheme.
In the simulations, assuming that the receiver achieves ideal synchronization, so that the response message and tagged message contain only one OFDM symbol, respectively. The carrier frequency of the OFDM system is 2.4 GHz. The propagation environment is simulated by Rayleigh fading with 2 us constant delay time and the maximum Doppler frequency is 10 Hz. The sample interval is 0.25 us. The length of the mapping function input bits is set to be 2, so key bits are needed for the simulations.
Extensive Monte-Carlo simulations are conducted to investigate the PDFs of under two hypothesis and , which can be utilized to evaluate false acceptance rate and successful authentication rate. Furthermore, the appropriate choice of the threshold also can be determined by these PDFs.
Figures 8 and 9 show the empirical PDFs of and at SNR = 5 dB for and , respectively. As claimed in Section 4.1, and obey Rice distribution. Hence, Rice distributions according to (26) are also given in both figures, where the mean and variance are directly estimated through Monte-Carlo simulations . From these two figures, we can find that the empirical distributions are coincided well with the theoretical Rice distributions. We also note that the PDFs of and are distinguished clearly in Figure 8 and in Figure 9 and the PDF of is far apart from that of even at SNR = 5 dB. Thus, it is easy to calculate threshold if the successful authentication rate and false acceptance rate are given.
Figure 8: PDFs of and at SNR = 5 dB for .
Figure 9: PDFs of and at SNR = 5 dB for .
The receiver operating characteristic (ROC) describes the correlation between the false acceptance rate and the successful authentication rate. Figure 10 plots the ROC performance for different when SNR = 5 dB. From these four subfigures, we can find that the ROC performance becomes better as increases. Furthermore, when , the ROC are nearly ideal even at SNR = 5 dB.
Figure 10: Successful authentication rate versus false acceptance rate for different when SNR = 5 dB.
4.4. Comparison with PHY-CRAM and PHY-PCRAS
The PHY-layer authentication schemes PHY-CRAM  and PHY-PCRAS  were shown to be simple and feasible. In the following, we will compare our proposed scheme with these two schemes.
As illustrated in Figure 11, for ROC performance, our scheme is better than PHY-CRAM and very similar to PHY-PCRAS. The reason is that our proposed scheme and PHY-PCRAS employ the channel-phase response, while amplitude modulation is employed in PHY-CRAM, which in performance is usually worse than phase modulation. Since the amplitude of all the subcarriers are not the same, the received performance may be impacted due to different SNR at each subchannel. Furthermore, in PHY-CRAM, high-peak fluctuations may occur, and in practice it is required to suppress the high peak with additional complexity. However, since OFDM technique is employed, compared to PHY-CRAM, our proposed scheme and PHY-PCRAS are more sensitive to the frequency offset.
Figure 11: The ROC performance comparisons of the proposed authentication scheme, PHY-CRAM, and PHY-PCRAS at SNR = 5 dB with = 64.
As discussed in [26, 27], for impersonation attacks, our proposed scheme and PHY-PCRAS are more secure than PHY-CRAM. This can be explained by the better ROC performance and the fact that the channel-phase response is more sensitive than channel-amplitude response to the distance between Alice and Bob.
The shared key of our proposed scheme is obtained from the proposed secret key generation scheme, while the other two schemes suppose that the shared key is preknown.
In this paper, to simplify the secret key extracting procedure based on the characteristics of the wireless channels and reduce the secret key bits mismatched rate, we propose a secret key generation scheme based on the channel-phase response. In the scheme, only one node is chosen to probe the channel and perform the quantization phase. Then the preliminary key is distributed after mapping and before equalizing. Further a PHY-layer authentication scheme is proposed utilizing the extracted secret key. This scheme exploits the short-term reciprocity of the channel-phase response and the sensitivity to the distance between the legitimate parties. The simulation results reveal that the proposed secret key generation scheme achieves a better performance compared to the existing scheme in terms of KGR, BMR, and secret key capacity. Besides, the extracted key passes the NIST randomness test. For the PHY-layer authentication scheme, the numerical results show that it performs better than existing work even at SNR = 5 dB when the shared key is obtained from the proposed secret key generation scheme, ensuring the randomness and security.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was supported in part by the National Natural Science Foundation of China (Grants nos. 61601482, 61601516, 61601480, and 61502518) and sponsored by the Foundation of Science and Technology on Information Transmission and Dissemination in Comm. Networks Lab, National Key Laboratory of Anti-Jamming Communication Technology.
References W. Li, M. Ghogho, B. Chen, and C. Xiong, “Secure communication via sending artificial noise by the receiver: outage secrecy capacity/region analysis,” IEEE Communications Letters, vol. 16, no. 10, pp. 1628–1631, 2012. View at Publisher · View at Google Scholar · View at ScopusW. Li, Y. Tang, M. Ghogho, J. Wei, and C. Xiong, “Secure communications via sending artificial noise by both transmitter and receiver: optimum power allocation to minimise the insecure region,” IET Communications, vol. 8, no. 16, pp. 2858–2862, 2014. View at Publisher · View at Google Scholar · View at ScopusU. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE. Transactions on Information Theory, vol. 39, no. 3, pp. 733–742, 1993. View at Publisher · View at Google Scholar · View at MathSciNetR. Ahlswede and I. Csisz\'ar, “Common randomness in information theory and cryptography. I. Secret sharing,” IEEE. Transactions on Information Theory, vol. 39, no. 4, pp. 1121–1132, 1993. View at Publisher · View at Google Scholar · View at MathSciNetA. A. Hassan, W. E. Stark, J. E. Hershey, and S. Chennakeshu, “Cryptographic key agreement for mobile radio,” Digital Signal Processing, vol. 6, no. 4, pp. 207–212, 1996. View at Publisher · View at Google Scholar · View at ScopusS. Mathur, W. Trappe, N. Mandayam, C. Ye, and A. Reznik, “Radiotelepathy: extracting a secret key from an unauthenticated wireless channel,” in Proceedings of the 14th Annual International Conference on Mobile Computing and Networking (MobiCom '08), pp. 128–139, San Francisco, Calif, USA, September 2008. View at Publisher · View at Google Scholar · View at ScopusS. Jana, S. N. Premnath, M. Clark, S. K. Kasera, N. Patwari, and S. V. Krishnamurthy, “On the effectiveness of secret key extraction from wireless signal strength in real environments,” in Proceedings of the 15th Annual ACM International Conference on Mobile Computing and Networking (MobiCom '09), pp. 321–332, Beijing, China, September 2009. View at Publisher · View at Google Scholar · View at ScopusX. Hu, X. Li, E. C.-H. Ngai, V. C. M. Leung, and P. Kruchten, “Multidimensional context-aware social network architecture for mobile crowdsensing,” IEEE Communications Magazine, vol. 52, no. 6, pp. 78–87, 2014. View at Publisher · View at Google Scholar · View at ScopusX. Hu, J. Zhao, B.-C. Seet, V. C. M. Leung, T. H. S. Chu, and H. Chan, “S-aframe: agent-based multilayer framework with context-aware semantic service for vehicular social networks,” IEEE Transactions on Emerging Topics in Computing, vol. 3, no. 1, pp. 44–63, 2015. View at Publisher · View at Google Scholar · View at ScopusL. Cheng, W. Li, D. Ma, J. Wei, and X. Liu, “Moving window scheme for extracting secret keys in stationary environments,” IET Communications, vol. 10, no. 16, pp. 2206–2214, 2016. View at Publisher · View at Google ScholarL. Cheng, W. Li, L. Zhou, C. Zhu, J. Wei, and Y. Guo, “Increasing secret key capacity of OFDM systems: a geometric program approach,” Concurrency and Computation: Practice and Experience, 2016. View at Publisher · View at Google ScholarL. Zhou, Z. Sheng, L. Wei et al., “Green cell planning and deployment for small cell networks in smart cities,” Ad Hoc Networks, vol. 43, pp. 30–42, 2016. View at Publisher · View at Google Scholar · View at ScopusK. Zeng, “Physical layer key generation in wireless networks: challenges and opportunities,” IEEE Communications Magazine, vol. 53, no. 6, pp. 33–39, 2015. View at Publisher · View at Google Scholar · View at ScopusE. Zhang, P. Yuan, and J. Du, “Verifiable rational secret sharing scheme in mobile networks,” Mobile Information Systems, vol. 2015, Article ID 462345, 7 pages, 2015. View at Publisher · View at Google Scholar · View at ScopusQ. Wang, H. Su, K. Ren, and K. Kim, “Fast and scalable secret key generation exploiting channel phase randomness in wireless networks,” in Proceedings of the IEEE INFOCOM, pp. 1422–1430, Shanghai, China, April 2011. View at Publisher · View at Google Scholar · View at ScopusX. Hu, T. H. S. Chu, V. C. M. Leung, E. C.-H. Ngai, P. Kruchten, and H. C. B. Chan, “A survey on mobile social networks: applications, platforms, system architectures, and future research directions,” IEEE Communications Surveys & Tutorials, vol. 17, no. 3, pp. 1557–1581, 2014. View at Publisher · View at Google ScholarL. Zhou, X. Hu, E. C.-H. Ngai et al., “A dynamic graph-based scheduling and interference coordination approach in heterogeneous cellular networks,” IEEE Transactions on Vehicular Technology, vol. 65, no. 5, pp. 3735–3748, 2016. View at Publisher · View at Google Scholar · View at ScopusH. Liu, Y. Wang, J. Yang, and Y. Chen, “Fast and practical secret key extraction by exploiting channel response,” in Proceedings of the 32nd IEEE Conference on Computer Communications (INFOCOM '13), pp. 3048–3056, April 2013. View at Publisher · View at Google Scholar · View at ScopusX. Wu, Y. Peng, C. Hu, H. Zhao, and L. Shu, “A secret key generation method based on CSI in OFDM-FDD system,” in Proceedings of the IEEE Globecom Workshops (GC Wkshps '13), pp. 1297–1302, December 2013. View at Publisher · View at Google Scholar · View at ScopusX. Wu, Z. Yang, C. Ling, and X. G. Xia, “Artificial-noise-aided physical layer phase challenge-response authentication for practical OFDM transmission,” IEEE Transactions on Wireless Communications, vol. 15, no. 10, pp. 6611–6625, 2016. View at Publisher · View at Google ScholarW. Hou, X. Wang, J.-Y. Chouinard, and A. Refaey, “Physical layer authentication for mobile systems with time-varying carrier frequency offsets,” IEEE Transactions on Communications, vol. 62, no. 5, pp. 1658–1667, 2014. View at Publisher · View at Google Scholar · View at ScopusX. Hu, T. H. S. Chu, H. C. B. Chan, and V. C. M. Leung, “Vita: a crowdsensing-oriented mobile cyber-physical system,” IEEE Transactions on Emerging Topics in Computing, vol. 1, no. 1, pp. 148–165, 2013. View at Publisher · View at Google ScholarA. Ferrante, N. Laurenti, C. Masiero, M. Pavon, and S. Tomasin, “On the error region for channel estimation-based physical layer authentication over rayleigh fading,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 5, pp. 941–952, 2015. View at Publisher · View at Google Scholar · View at ScopusL. Zhang, Q. Wu, A. Solanas, and J. Domingo-Ferrer, “A scalable robust authentication protocol for secure vehicular communications,” IEEE Transactions on Vehicular Technology, vol. 59, no. 4, pp. 1606–1617, 2010. View at Publisher · View at Google Scholar · View at ScopusL. Xiao, L. J. Greenstein, N. B. Mandayam, and W. Trappe, “Using the physical layer for wireless authentication in time-variant channels,” IEEE Transactions on Wireless Communications, vol. 7, no. 7, pp. 2571–2579, 2008. View at Publisher · View at Google Scholar · View at ScopusD. Shan, K. Zeng, W. Xiang, P. Richardson, and Y. Dong, “PHY-CRAM: physical layer challenge-response authentication mechanism for wireless networks,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 1817–1827, 2013. View at Publisher · View at Google Scholar · View at ScopusX. Wu and Z. Yang, “Physical-layer authentication for multi-carrier transmission,” IEEE Communications Letters, vol. 19, no. 1, pp. 74–77, 2015. View at Publisher · View at Google Scholar · View at ScopusW. C. Jakes Jr., Microwave Mobile Communications, Wiley-IEEE Press, Piscataway, NJ, USA, 1994. View at Publisher · View at Google ScholarX. Du, D. Shan, K. Zeng, and L. Huie, “Physical layer challenge-response authentication in wireless networks with relay,” in Proceedings of the 33rd IEEE Conference on Computer Communications (INFOCOM '14), pp. 1276–1284, IEEE, Ontario, Canada, May 2014. View at Publisher · View at Google Scholar · View at ScopusR. Wilson, D. Tse, and R. A. Scholtz, “Channel identification: secret sharing using reciprocity in ultrawideband channels,” in Proceedings of the IEEE International Conference on Ultra-Wideband (ICUWB '07), pp. 270–275, September 2007. View at Publisher · View at Google Scholar · View at ScopusQ. Dai, H. Song, L. Jin, and K. Huang, “Physical layer authentication and secret key distribution mechanism based on euivalent channel,” Science China, vol. 44, no. 12, pp. 1580–1592, 2014. View at Google ScholarZ. Szabó, “Information theoretical estimators toolbox,” Journal of Machine Learning Research, vol. 15, pp. 283–287, 2014. View at Google Scholar · View at ScopusK. Zeng, D. Wu, A. Chan, and P. Mohapatra, “Exploiting multiple-antenna diversity for shared secret key generation in wireless networks,” in Proceedings of the IEEE (INFOCOM '10), pp. 1–9, San Diego, Calif, USA, March 2010. View at Publisher · View at Google Scholar · View at ScopusA. Rukhin, J. Sota, J. Nechvatal et al., “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” Special Publication NIST 800-22, National Institute of Standards and Technology, 2010. View at Publisher · View at Google ScholarX. Wu, Z. Yang, C. Ling, and X. G. Xia, “A Physical-Layer Authentication Assisted Scheme for Enhancing 3GPP Authentication,” 2015, http://arxiv.org/abs/1502.07565v1. T. R. Benedict and T. T. Soong, “The joint estimation of signal and noise from the sum envelope,” IEEE Transactions on Information Theory, vol. 13, no. 3, pp. 447–454, 1967. View at Publisher · View at Google Scholar · View at Scopus