SEVILLE: SEcuring wireless VIa Lower Layer Enforcements aka' Alice and Bob get Physical

1
SEVILLE SEcuring (wireless) VIa Lower Layer
Enforcements(aka. Alice and Bob get Physical)

• Wade Trappe
• Collaborators Narayan Mandayam, Larry
  Greenstein, Roy Yates
• Students
• Liang Xiao Wenyuan Xu
• Zang Li Rob Miller
• Suhas Mathur Ozge Aliye Kaya

Research supported by NSF, DARPA
2
Overview and Objective

• Wireless networks have repeatedly been a source
  of bad news when it comes to security
• Although conventional cryptographic and network
  security techniques are essential to securing
  wireless networks, they are not a complete
  solution
• We believe lower-layer information associated
  with the wireless channel can be used to enhance
  wireless security
• The typical wireless multipath transmit-receive
  channel is frequency-selective (or in the time
  domain, dispersive) in a way that is
  location-specific with rapid decorrelation
  properties
• The channel response between a transmitter and a
  receiver can be a unique, shared, non-predictable
  source of secret information
• This secret information is a fingerprint in the
  ether we propose to use to develop cross-layer
  Authentication Services and Confidentiality
  Services
• We are encouraged by two notable parallel
  paradigm shifts in wireless systems
• (1) code division multiple access (CDMA) systems,
  where the use of Rake processing transforms
  multipath into a diversity-enhancing benefit
• (2) multiple-input multiple-output (MIMO) antenna
  techniques, which transform scatter-induced
  Rayleigh fading into a capacity-enhancing benefit

3
Alice, Bob and Eve get Physical !!!

• All security problems need actors
• Alice (A) The transmitter
• Bob (B) The receiver
• Eve (E) The evil adversary
• Their roles depend on the type of security
  objective we have

4
PHY-101

• RF Signals transmitted from Alice to Bob are
  affected by a variety of different factors
  attenuation, large-scale and small-scale fading
• Fading arises as a signals multipaths
  constructively destructively combine at the
  receiver
• System Model For input u(t), the received signal
  is
• Under the wide-sense stationary uncorrelated
  scatter (WSSUS) model, the channel response
  becomes a tapped-delay line
• Under Rayleigh Fading assumptions hi(t) are
  zero-mean complex Gaussian

5
PHY-101

• The channel response is itself time-varying and
  stochastic
• There is temporal, spectral and spatial
  variability of the channel response
• Coherence Time Difference in time needed for
  fading correlation to drop below a threshold
• Coherence Bandwidth Separation in frequency
  needed for fading correlation to drop below a
  threshold
• Additionally, we may examine the instantaneous
  fading correlation between locations
• Jakes showed under uniform scattering that the
  fading correlation (amplitude correlation in
  received signal) drops off rapidly over a
  distance of half a wavelength
• Separate by 2 wavelengths and independence is a
  reasonable assumption (under Rayleigh WSSUS)

6
SEVILLE Authentication

• Authentication in the PHY-sense is about
  verifying a transmission came from a particular
  transmitter useful for spoofing detection!!!
• Wireless devices can authenticate themselves
  based upon
• Ability to produce an appropriate received
  signal/channel estimate at the recipient
• Location information can be extracted to
  authenticate a transmitter relative to its
  previous location

• Estimates channel
• hAB (t,t)
• Compares against
• hAB (t-1,t)
• Accepts transmission if match

Bob

• Estimates channel
• hEB (t,t)
• Verification fails!!!
• Does not accept Eve as Alice!

Alice
Eve
7
Channel Probing Types

• The probing signal u(t) can take many forms
• Pulse-type probing The signal u(t) is a pulse
• Usually very short in duration? by time-bandwidth
  product, implies broad bandwidth
• Multi-tone probing The signal u(t) is several
  simultaneous carrier waves
• Usually, carrier frequencies are separated by the
  channel coherence bandwidth
• Can be realized with OFDM-style receivers
• For all essential purposes, they are functionally
  the same
• The bandwidth W should be small relative to the
  temporal width of the impulse response in order
  to resolve multipaths
• This is all reminiscent of UWB transceiver
  design

8
PHY-Authentication Via Significance Test

• Sample frequency response at M frequencies
• Two complex frequency response vectors
• Simple Hypothesis
• H0
• H1
• Test Statistic
• Phase measurement error due to changes of
  receiver local oscillator
• Channel measurement assumed to be noisy

9
Hypothesis Analysis

• Null Hypothesis H0
• Alternative Hypothesis H1

10
Simulation Study

• Used ray-tracing tool WiSE (Wireless System
  Engineering) to generate channel responses for
  specified real environments
• Eve in the same room as Alice
• 348347/260,378 Alice-Eve pairs

11
Case 1 Time-Invariant Channel

• Average miss rate , for required false alarm
  rate

Sample Size (M)5
Bandwidth (W) 100 MHz
Room 1
12
Case 2 Time-Variant Channel

• Channel response
• Tap-delay model for the inverse Fourier transform
  of
• Single-sided exponential model as power delay
  profile
• AR-1 Model for the time correlation
• W10 MHz, M10

More time variation
13
Experimental Validation via USRP

• Initial validation efforts are underway using
  USRP and ultimately the WINLAB/GaTechLucent
  Cognitive Radio Platform
• Initial Experiments
• USRP/GnuRadio, 420/450/480MHz carriers used to
  probe channel response
• Amplitude response characterized (i.e. phase not
  used)
• Experiments conducted after midnight
• Experiment 1 Examine stationarity of channel
  (fixed location G )
• Experiment 2 Examine spatial properties by
  successive measurements across all spatial
  locations
• Experiment 3 Examine temporal variability under
  motion
• Experiment 4 Use Experiment-2 Traces to
  illustrate authentication and confidentiality

14
Authentication and Confidentiality Prototyping

• Using vectors of amplitude response on 3
  carriers, we synthesize a spoofing scenario
• A change point detector was used to detect
  spoofing

• Vector of amplitude responses on 3 carriers was
  quantized via an 8-bit quantizer
• Keys were formed for all locations via