A Novel Approach for Physical Layer Cryptography in ... - Springer Link

7 downloads 501 Views 1MB Size Report
Mar 12, 2010 - Simulink software. The analytical results have ...... Wireless LAN medium access control (MAC) and physical layer. (PHY) specifications. 4.
Wireless Pers Commun (2010) 53:329–347 DOI 10.1007/s11277-010-9950-6

A Novel Approach for Physical Layer Cryptography in Wireless Networks L. Mucchi · L. S. Ronga · E. Del Re

Published online: 12 March 2010 © Springer Science+Business Media, LLC. 2010

Abstract Due to the enormous spreading of applied wireless networks, security is actually one of the most important issues for telecommunications. One of the main issue in the field of securing wireless information exchanging is the initial common knowledge between source and destination. A shared secret is normally mandatory in order to decide the encryption (algorithm or code or key) of the information stream. It is usual to exchange this common a priori knowledge by using a “secure” channel. Nowadays a secure wireless channel is not possible. In fact normally the common a priori knowledge is already established (but this is not secure) or by using a non-radio channel (that implies a waste of time and resource). The information is encrypted by means of a private key that must be known by both the transmitter and the receiver. One of the main weak point about security is the private key exchanging interval. The key cannot be public and cannot be known a priori. The problem is how to exchange this private key through a totally secure wireless channel. This contribution deals with the review of the main physical layer techniques for encrypting the information and the proposal of a new physical layer technique ensuring secure communication in a full wireless environment. The information is modulated, at physical layer, by the thermal noise experienced by the link between two terminals. A loop scheme is designed for unique recovering of mutual information. The probability of error/detection is analytically derived for the legal users and for the third unwanted listener (passive or active attacker). Both the case of passive and active attacks have also been implemented and simulated by using MatlabSimulink software. The analytical results have been compared to the simulated ones. All the results show that the performance of the proposed scheme yields the advantage of intrinsic

L. Mucchi (B) · E. Del Re Department of Electronics and Telecommunications, University of Florence, Via Santa Marta 3, 50139 Florence, Italy e-mail: [email protected] E. Del Re e-mail: [email protected] L. S. Ronga CNIT, University of Florence Unit, Via Santa Marta 3, 50139 Florence, Italy e-mail: [email protected]

123

330

L. Mucchi et al.

security, i.e., the mutual information cannot be physically demodulated (passive attack) or denied (active attack) by a third terminal. Keywords Physical layer security · Modulation · Key exchange · Cryptography · Noise loop · Wireless communications 1 Introduction Along with the rapid development of wireless communication networks, wireless security has become a critical concern. Unfortunately, security risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks, some are exacerbated by wireless connectivity and some other are completely new. First, the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders. Second, mobile and handheld wireless devices are resource constrained (e.g.: battery life); hence such devices have limited transmission power and may use weaker cryptographic mechanisms for saving power, thereby making them easy targets for powerful adversaries. Third, the lack of trusted third party (TTP) or certification authority (CA) in ad hoc wireless networks pose serious challenges to identity and trust management. Fourth, multi-hop wireless network inherently assumes cooperation between nodes for packet routing and forwarding, whereas a compromised node may refuse to cooperate (by being greedy or malicious). Fifth, handheld mobile devices cannot afford the same level of physical security as an enterprise server and thus, may be easily stolen. A direct consequence of these risks is the loss of data confidentiality and integrity and the threat of denial of service (DoS) attacks to wireless communications. Unauthorized users may gain access to agency’s system and information, corrupt the agency’s data, consume network bandwidth, degrade network performance, launch attacks that prevent authorized users from accessing the network, or use agency’s resources to launch attacks on other networks. These problems are even exacerbated in future unstructured sensors and ad-hoc networks with dynamically and rapidly varying topology. 1.1 Wireless is Different from Wired While many security techniques developed in wired networks can be applied, the special characteristics of wireless networks call for innovative wireless security design. Since physical-layer security techniques can address directly such special wireless characteristics, they are helpful to provide boundary control, to enhance efficiency, as well as to assist upper-layer security techniques for innovative cross-layer security designs. 1.2 Wireless Secret Channel One of the fundamental issues for physical-layer built-in security is the capacity of the transmission channel when built-in security is guaranteed without relying on upper layer data encryption. Such capacity is named secret channel capacity (SCC). The secrecy is defined as information-theoretic secrecy, i.e., the adversary’s received signal gives no more information for eavesdropping than purely guessing. Information-theoretic secrecy is in fact equivalent to perfect secrecy [1]. Practically, it means null or negligibly low interception probability (LPI). Many existing physical-layer secure transmissions either can not withstand

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

331

a strict LPI analysis, or rely on encryption keys so that the security is not in the physical layer. 1.3 Public and Private Keys In symmetric key cryptography, both parties must possess a secret key which they must exchange prior to using any encryption. Distribution of secret keys is problematic, because it involved face-to-face meeting, use of a trusted courier, or sending the key through an existing encryption channel. The first two are often impractical and always unsafe, while the third depends on the security of a previous key exchange. The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys, i.e., a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Messages are encrypted with the recipient’s public key and can only be decrypted with the corresponding private key. In public key cryptography, the key distribution of public keys is done through public key servers. When a user creates a key-pair, it keeps one key private and the other, public-key, is uploaded to a server where it can be accessed by anyone to send the user a private, encrypted, message. Unfortunately, all public-key schemes are susceptible to brute force key search attack, and cannot be said completely safe. 1.4 PHY Security Securing a wireless communication means providing a set of privacy services to a confined set of users. The services include Authentication, Authorization, Accounting (AAA) as well as Cyphering and Integrity. Security services are mainly located at application level (es. Internet) but some solutions exist for link layer (as in WiMAX [2], Wi-Fi [3,4] and Bluetooth [5]), at network layer (as in IPSEC [6]) and at physical layer. Security at physical layer is nowadays mainly intended as the use of a spread spectrum techniques (frequency hopping, direct sequence coding, etc.) in order to avoid the eavesdropping. Eavesdropping at the physical layer refers to hiding the very existence of a node or the fact that communication was even taking place from an adversary. This means that the communication of the legal user is already on, i.e., that the authentication of the legal user has been already performed. Moreover, scrambling the information data with a code does not assure a totally secure channel, but just a long-time activity before getting the code by an unwanted listener, i.e., the security is moved on the quantity of resources (hardware, time, etc.) that the unwanted listener must have in order to get the information. It is well known that classical encryption techniques have only unproven complexitybased secrecy [1]. We also know that strong information-theoretic secrecy or perfect secrecy is achievable by quantum cryptography based on some special quantum effects such as intrusion detection and impossibility of signal clone [7]. Unfortunately, the dependence on such effects results in extremely low transmission efficiency because weak signals have to be used. One of the recent attempts on specifying secret channel capacity is [8], where the MIMO secret channel capacity is analyzed under the assumption that the adversary does not know even his own channel. Unfortunately, such an assumption does not seem practical if considering deconvolution or blind deconvolution techniques. Moreover, such techniques are not low-complex, due to the fact that they need a high number of antennas on both sides of the radio link to correctly work. As a matter of fact, almost all existing results on secret

123

332

L. Mucchi et al.

channel capacity are based on some kinds of assumptions that appear impractical [9–11]. It has been a challenge in information theory for decades to find practical ways to realize information-theoretic secrecy. Moreover, one of the most weak point of wireless networks is the initial data exchange for authentication and access procedures. Initially some data must be exchanged in a non-secure radio channel or anyway by sharing a common known cryptographic key. At the moment, no physical layer techniques are present in the literature which can efficiently create a secure wireless channel for initial data exchanging between two network nodes/terminals without a priori common knowledge. The main need is to exchange cryptographic keys between two users along an intrinsically secure radio channel. As stated before, classical encryption techniques have only unproven complexity-based secrecy. Information-theoretic secrecy or perfect secrecy is achievable by quantum cryptography, but unfortunately this technique is suitable (when applicable) only to optical networks. Derived by the Ultra WideBand (UWB) communications, the radio channel identifier (RCI) is another promising technique. But, again, the information exchanging process is not absolutely secure. 1.5 A New PHY Technique for Encrypting Information A novel idea for low-complex intrinsic secure radio link without any a priori knowledge is here presented. One of the main advantages of this new technique is the possibility to have a physically secure radio channel for wireless systems without any a priori common knowledge between legal source and destination. This feature is particularly useful for future wireless pervasive network scenarios. The thermal noise, received from a radio channel, has the unique property to be perfectly adapted to the transmission environment. In a traditional communication system, the information is carried by an artificial signal that is usually designed to fully exploit the available radio channel. The technique described in this paper employs a scaled and delayed version of the received noise to carry mutual information between two terminals. 1.6 Potential Applications Potential applications of the proposed techniques are found in wireless communications systems where an initial shared secret is not available. In 4G systems as an example, roaming users accessing local services are usually able to provide a strong identity credential (via the manufacturer’s embedded certificate) but may not have any authorization agreement with the hosting system. In that case a secure channel cannot be established with ordinary techniques, while is possible with the proposed one. Moreover, since the initial coupling between terminals is obtained through delays, in a context where the desired user has a known geographical position (i.e. a tactical scenario), a secured channel can be established without any additional information. Once the secure channel is established, an unwanted listener is unable to decode the flowing information even if it reveals the user’s position. 1.7 Noise Loop: How it Works Due to the intrinsic unique nature of the thermal noise along each radio link between the specific transmitter and the specific receiver, this novel technique is particularly suitable for secure communications and privacy. Moreover, it acts at the physical layer level, reducing the

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

333

Fig. 1 Quantum cryptography

costs compared to the (sometimes) complex security algorithms that level 2 and 3 must apply to the information. Finally, it is important to highlight that the proposed technique does not assure any mechanism of identification of the user. The identification process must be controlled by the higher level, but nothing else than this because the information is made secure by the physical layer itself, i.e., the transmission cannot be demodulated by an unwanted user. The information is modulated, at physical layer, by the thermal noise experienced by the link between two terminals. A loop scheme is designed for unique recovering of mutual information. All results show that the mutual information exchanged by the two legal terminals cannot be demodulated or denied by a third terminal. At the same time the two legal users do not suffer from the presence or not of a third unwanted user from the performance point of view. A review of the main physical layer techniques for secret key distribution is reported in the following sections. Then the novel technique is described and detailed.

2 Quantum Cryptography The quantum cryptography [12], or quantum key distribution (QKD), method uses quantum mechanics to guarantee secure communication (Fig. 1). It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages. The process of measuring a quantum system in general disturbs the system and thus render the information unreadable. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies. Nowadays, quantum cryptography is only used to produce and distribute a key, not to transmit any message data. This method is suitable only for optical networks. If the optical network is wireless, a high-SNR line of sight is mandatory, which makes the method not properly flexible for real applications.

3 Channel Identifier This technique [13] is based on transmitting a short pulse and measuring the channel impulse response (Fig. 2). The impulse response of the channel between the two users can be the encryption key of the transmission. The procedure can be summarized as follows:

123

334

L. Mucchi et al.

Fig. 2 Channel identifier method

– Each radio terminal (the two legal users, for example) transmits an identical signal. – Each user observes the channel impulse response of the channel. – The users exchange some information about what they observed, e.g., part of the sampled channel impulse response that have been observed previously. – The users use a public channel to determine the channel identifier (the encryption key, i.e., the shared secret). – The users begin communicating data, encrypting it using the channel identifier as a key. Mainly, this method is based on the assumption that a third radio in a different location will observe a different channel impulse response, and that the channel is reciprocal. If two users transmit the same pulse and possess identical receivers, then the observed channel impulse response can act as a source of common randomness for secret key generation. The main drawbacks of this method is that the two users still have to share some information through a non-secure channel, and again the users have to share a common knowledge in other to build a secure shared secret.

4 MIMO One of the recent attempts on specifying secret channel capacity by using MIMO (Multiple Input Multiple Output) technique [14]. The mobile terminals are equipped with multiple antennas, N transmitting and M receiving (Fig. 3). The symbol is encrypted by using the matrix N × M of channel impulse responses provided by the multiple channels [15], [16]. A valid way to guarantee a high error rate for the eavesdropper is to prevent it from channel estimation. In terms of channel estimation, the legal receiver has no advantage over the eavesdropper. Therefore, our objective is to design a transmission scheme so that the legal receiver can detect signals without channel knowledge, which can be realized by shifting the channel estimation task from the receiver to the transmitter. Once the transmitter has the channel knowledge, it can adjust the MIMO transmission so that the receiver does not need to estimate channel in order for symbol estimation. Reciprocity of the forward and backward channels is normally used. The receiver first transmits a pilot signal to the transmitter using

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

335

Fig. 3 MIMO method

the same carrier frequency as the secret channel, during which the transmitter can estimate the backward channel, and use it for array transmission. Such techniques are not low-complex, due to the fact that they need a high number of antennas on both sides of the radio link to correctly and securely work. Moreover, the two legal hosts are forced to exchange information (the initial pilot channel, in a non-secure channel) which can be exploited by the eavesdropper.

5 The Noise-Loop Transmission Chain In order to illustrate the proposed technique, let us suppose two terminals exchanging information: terminal 1 and terminal 2. Two different channels are considered: one for the link from terminal 1 to terminal 2 and one for the reverse link. The two channels are considered on different frequency bands and the thermal noise on one link is considered uncorrelated with the other.1 Each link is modeled as a conventional AWGN channel. 5.1 Symbols in the Paper The following symbols have been adopted in the paper: bi binary antipodal (bi ∈ {−1; +1}) information signal originating form terminal i, n i (t) Gaussian, white, continuous time random processes modeling the received noise at the receiver on terminal i, characterized by zero mean and variance σn2 , αi global link gain (0 < α < 1) for the signal generated from terminal i. It includes transmission gain, path loss and channel response. It is also supposed to be known by the receivers, τ p propagation delay for the channel. It is assumed without loss of generality that both forward (1 to 2) and reverse (2 to 1) links have the same delay, yi (t) baseband received signal available at the terminal i 1 This is a very mild assumption in radio communications.

123

336

L. Mucchi et al.

forward RFchannel

b1

tx gain

channel delay

+

channel delay

y1(t)

n1(t)

n2(t)

+

y2(t)

tx gain

b2

reverse RF channel

TERMINAL 2

TERMINAL 1

Fig. 4 Noise-loop chain scheme. Two terminals communicates by using the noise loop. The parameters in the scheme are explained at the beginning of the Sect. 5.1

5.2 Transmission Chain In this simple transmission system the terminal operations are described in the Fig. 4. The signal from the inbound channel is modulated by the information and re-transmitted on the outbound channel. The reception is obtained by extracting the sign of the 2τ p -delayed autocorrelation term of the incoming signal, multiplied by the own informative bit. The whole process is detailed in the following sections. Let us focalize without loss of generality on the user terminal 1. The reception, i.e., the extraction of the information bit b2 , is obtained by extracting the sign of the 2τ p -delayed autocorrelation term of the incoming signal, multiplied by the own informative bit b1 . Hence, the instantaneous 2τ p -delayed auto-correlation term is given by : y1 (t)y1 (t − 2τ p ) ⎤ ⎡ ∞ ∞   (b1 b2 α1 α2 ) j b2 α2 n 2 (t − (2 j + 1)τ p )⎦ = ⎣ (b1 b2 α1 α2 ) j n 1 (t − 2 jτ p )+ ⎡

j=0

j=0

⎤ ∞ ∞   × ⎣ (b1 b2 α1 α2 ) j n 1 (t − 2( j + 1)τ p )+ (b1 b2 α1 α2 ) j b2 α2 n 2 (t − (2 j + 3)τ p )⎦ (1) j=0

j=0

5.3 Stationary Signal Analysis in Unlimited Bandwidth In this section a stationary condition on the system inputs is analysed.2 Due to the additive nature of the model, the received signals y1 (t) available at terminal 1, after infinite loop iterations, is defined by the following series: 2 By stationary we intend a constant behavior over time of the information bits b , of the link gains and of the i

statistic parameters of the random processes involved.

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

y1 (t) =

337

∞ ∞   (b1 b2 α1 α2 ) j n 1 (t − 2 jτ p ) + (b1 b2 α1 α2 ) j b2 α2 n 2 (t − (2 j + 1)τ p ) j=0

(2)

j=0

An analogue expression can be obtained for y2 (t) simply exchanging the subscript 1 and 2 in (2). The first term of (2) represents the recursive contribution of the received noise n 1 (t) through the transmission loop. The second series on the other hand, is due to the injection of the noise process n 2 (t) by the other terminal. It is important to note that each term appears with a different delay on the received signal. If the noise processes n i (t) are white on a unlimited bandwidth, then:  δ(τ )σn2 i = j E[n i (t)n j (t − τ )] = (3) 0 i = j The structure of the signal in (2) draw our attention in the shifted correlation term y1 (t − 2τ p )y1 (t)

(4)

By resorting the terms obtained by the expansion of the above expression, the expectation of the autocorrelation in (4) can be written as following E[y1 (t − 2τ p )y1 (t)] = b1 b2 σn2 (1 + α22 )

∞  (α1 α2 )2 j+1 j=0

+E[residual cross correlation terms]

(5)

The last term in (5) is null for an ideal AWGN channel, so the described autocorrelation term is dominated by the information bearing b1 b2 term, weighted by a term which is constant in the stationary case. The term contains the information of both terminals. Since terminal 1 is depicted to detect information bits of terminal 2, it is sufficient to perform a post-multiplication by b1 in order to estimate the sign of b2 . The receiver at terminal 1 is illustrated in Fig. 5.

forward RF channel

b1

b2

tx gain threshold detect

X

2 tau_p delay

y1(t)

+

Receiver 1

reverse RF channel

n1(t) TERMINAL 1

Fig. 5 Receiver scheme for terminal n.1. The first terminal demodulates the signal coming from terminal 2 (with who it is active the noise loop modulation) by using this receiver scheme colored in orange in the figure. The box named “2 tau p delay” simply acts as a delayer of 2τ p where τ p is the channel delay between terminal 1 and 2

123

338

L. Mucchi et al.

6 Performance Analysis on Ideal AWGN Channel The term in (4) represents the instantaneous decision metric for the mutual information term to be estimated: bˆ1 bˆ2 . The performance of the proposed receiver in terms of bit error probability is related to the first and second order statistics of (4). The distribution of the unpredictable noise process, however, is no longer Gaussian. The pdf of the stochastic process Z = X · Y , where X ∈ N (µx , σx ) and Y ∈ N (µ y , σ y ), is a zero-order modified K-Bessel function: 

+∞ p Z (z) =

pX Y −∞

y,

z y





∞

zρ σ 2 (1−ρ 2 )

1 e

dy = |y| 2πσ 2 1 − ρ 2

zρ  z e σ 2 (1−ρ 2 )

K0 2 = 2) 2 2 σ (1 − ρ πσ 1 − ρ

e

1 σ 2 (1−ρ 2 )

−∞



|y|

z2 2y 2

2



− y2

dy

(6)

where K 0 (·) is the second kind modified Bessel function of order zero and σ = σx = σ y is the standard deviation of the Gaussian processes. In our system, where x = y1 (t) and y = y1 (t − 2τ p ), it is easy to derive that ρ = b1 b2 α1 α2 . The decision term in (4) is characterized by a probability density function defined by (6). The mean value of the decision variable (4) is E[y1 (t)y1 (t − 2τ p )] = b1 b2 α1 α2

σn2 (1 + α22 ) 1 − α12 α22

(7)

where σn2 = var [n 1 (t)] = var [n 2 (t)] is the variance of the thermal noise processes involved in the loop. The relation between σn and σ is σ 2 = var [y1 (t)] = var [y1 (t − 2τ p )] =

σn2 (1 + α22 ) 1 − α12 α22

For the sake of simplicity, let us assume hereby that α1 = α2 = α, assumed that 0 < α < 1. Supposing a binary antipodal signalling (BPSK) modulation, the receiver 1 demodulates the bit b2 by deciding on the sign of the decision variable d = b1 · s where s = E[z] = E[y1 (t)y1 (t − 2τ p )] = b1 b2 |ρ|σ 2 . Thus, an error occurs when d > 0 but b2 = −1 and d < 0 but b2 = 1. Due to the symmetry of the pdfs, the total probability of error Pe for the receiver terminal 1 can be written as ∞ Pe = Pe (α) = 2 α2

−α 2 z   z e 1−α4 dz  K0 √ 1 − α4 π 1 − α4

(8)

As a first important result, it can be highlighted that the probability of error does not depend on the noise variance but only on the loop gain α.

7 Eavesdropping The main scope of an intrinsic secure communication is to provide that an unwanted third party is not able at all to demodulate the information exchanged by terminal 1 and 2. Normally this security is provided by complex cryptography and procedures at higher layers level. In

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

339

a wireless network the initial access of a user implies the exchange of a encryption key from the base station (BS) to the mobile terminal (MS). This private key is sent by BS by using a public key, during the initial period of authentication. Once the user is authenticated, he’ll use the private key to encode its information. The weak point is the authentication period and the exchanging of the private key. An unwanted third listener could steel the private key during that period. In a future full-wireless world, where the user is seen to be always connected and immerse in multiple wireless networks, the problem of secure authentication throughout different wireless systems is a hard task to be provided by a procedure. To solve this problem, a new approach is here proposed. The main idea is to render intrinsically secure the physical link by modulating using the noise loop as discussed in the above sections. Let us assume hereby that a third unwanted user is listening the transmission of terminal 1. The terminal 3 can be supposed, without loss of generality, to have a different propagation delay τ p3  = τ p and an independent thermal noise process n 3 (t)  = {n 1 (t), n 2 (t)}. The terminal 3 tries to demodulate the information bit b2 coming from terminal 2 to terminal 1 by using a receiver scheme similar to the one depicted in Fig. 6. The best choice of the unwanted user is to perform a correlation y1 (t)y1 (t − 2τ p3 ) and decide on the sign of its mean value E[y1 (t)y1 (t − 2τ p3 )]. The mean value of the 2τ p3 -shifted correlation y¯1 (t) y¯1 (t − 2τ p3 ) can be derived to be  E[ y¯1 (t) y¯1 (t − 2τ p3 )] =

b1k b2k σn2 (α1 α2 )k (1+α22 ) 1−α12 α22

0

if τ p3 = kτ p , k ∈ N if τ p3  = kτ p , k ∈ N

(9)

Another important result can be highlighted here: the decision variable of the third unwanted party depends on the multiplication of the information bits b1 and b2 , both unknown at the unwanted listener. In the best case (for user 3), i.e., when τ p3 = kτ p , the decision variable of the third user is z 3 =

b1k b2k σn2 (α1 α2 )k (1+α22 ) 1−α12 α22

= b1k b2k z¯ 3 .

This result means exactly that the third unwanted listener is not able at all to demodulate the information exchanged between user 1 and 2. This impossibility is intrinsic in the modulation method at physical layer level.

Fig. 6 Receiver scheme for the third unwanted listener. The unwanted user n.3 tries to demodulate the signal exchanged between legal user n.1 and n.2 by using the scheme depicted in this figure. In particular, we supposed that the user n.3 tries to demodulate the bit coming from user n.2, without loss of generality. The receiver scheme is similar to the one used by user n.1 (see Fig. 5)

123

340

L. Mucchi et al.

Due to the fact that the third unwanted party experiences a different delay τ p3  = τ p and a different noise process n 3 (t)  = n 1 (t)  = n 2 (t), the delayed (shifted) autocorrelation of the receiving signal has no possibility to take the knowledge of the information bit b2 or, symmetrically, b1 . In fact, the decision variable is permanently zero (that implies a probability of error equal to 1/2) or, in the lucky case, the decision variable is always dependent on the product between the unknown information bits b1 · b2 and hence to know an information stream (for example b2 ) is mandatory to know the other b1 .

8 Denial of Service Another very important task for wireless security is the avoidance of the denial of service by an unwanted third user. A third user could insert into the communication system and although it is not able to correctly detect the information exchanged between the two legal users, it could actively trying to communicate (in some ways) aiming to disturb/deny the radio link between the legal users. We have studied the case of a third unwanted user which actively starts a communication (using the noise loop itself) with one of the legal user. The scheme provides that the user n.3 (unwanted) tried to actively connect to the user n.1 in order to demodulate or deny the communication between legal user n.1 and n.2. The user n.3 tries to disturb as much as possible the radio link between legal users n.1 and n.2 by actively starting a noise loop modulated communication towards user n.1. The scheme of the system in this case is reported in Fig. 7. We aim to extract the decision variable of user n.1 R y1 y1 (2k) in order to see if the legal user n.1 suffers from the presence of the unwanted user n.3 communication. By solving the system we finally obtain ⎧ α α (1+α22 +α32 )(1+α12 α32 −α12 α22 ) 2 ⎪ ⎪ b1 b2 1 2 (1−α σn ⎪ 2 2 2 2 2 ⎪ 1 α2 −α1 α3 ) ⎪ ⎪ ⎨ σe2 b1 α1 (b2 α2 + b3 α3 ) 1−α 2 α 2 −α 2 α 2 R y1 y1 (2k) = 1 2 1 3 ⎪ σe2 ⎪ ⎪ b α α b 1 2 1 2 (1−b b α α )(1−α 2 α 2 −α 2 α 2 ) ⎪ ⎪ 1 3 1 3 1 2 1 3 ⎪ ⎩ 0

if h  = k, h  = 2k, h  = k/2 if h = k

(10)

if h = 2k if h = k/2

The sign of the first term of Eq. 10 depends on the sign of b1 b2 and not on b3 , so the legal user n.1 can correctly demodulate the information coming from user n.2 without any disturb σ2

from user n.3. The second term of Eq. 10 R y1 y1 (2k) = b1 α1 (b2 α2 + b3 α3 ) 1−α 2 α 2e−α 2 α 2 1 2

1 3

depends on the information bit b3 so invalidating the radio link 1–2, but it is valid only when the propagation delay of the radio link between users 1–2 and 1–3 is exactly the same. This condition is almost impossible in real wireless scenarios. The third term R y1 y1 (2k) = b1 b2 α1 α2 (1−b

σe2 2 2 2 2 b α α )(1−α 1 3 1 3 1 α2 −α1 α3 )

does not imply any denial of service, while the fourth

term does because the improbable condition h = k/2 causes the decision variable to be zero. The presence of two very particular points which can cause denial of service (DoS) should not create panic because those situations are incredibly improbable and moreover the two legal users, once the noise loop modulation is started, can exchange a locally generated additional delay in order to avoid such dangerous situations.

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

341

Fig. 7 Loop scheme for the third unwanted user: active attack case. The scheme shows the user n.3 which tries to actively connect to user n.1 in order to demodulate or deny the communication between legal user n.1 and n.2.

9 Simulation Results The noise loop depicted in Fig. 4 has been also implemented by using MATLAB-Simulink software. In particular, both the passive attack (the third unwanted user trying to simply demodulate the data exchanged by the two legal users and the active attack (the third unwanted user now actively transmits into the radio link of the two legal user in order to deny the service or demodulate the information have been simulated as they should be in the real. The simulation results have been compared to the analytical results previously illustrated. Simulations have been run with the following parameters: – a ratio between the bit time and the propagation delay equal to σn2

Tb τp

= 10,

– a thermal noise variance = 0.125, – a propagation delay for the third unwanted user τ p3 randomly chosen in the interval (τ p , 5τ p ) following a uniform distribution, – a number of bit equal to 80,000 and – 100 Monte Carlo runs for each simulation.

123

342

L. Mucchi et al.

The passive attack simulation has been built by simply feeding the signal exchanged between the two legal users, which are using the noise loop scheme (Fig. 4), to a third party receiver. The unwanted listener tried to demodulate the received signal. The active attack has been built by supposing that the third party tried to connect with one of the two legal user. The unwanted user in this case aims to demodulate or even deny the signal between the legal users. The analytical pdf of the variable z has been compared to the distribution of the simulated vector z, showing a perfect match between simulation and theory. In Fig. 8 the probability of error analytically derived is compared to the simulated one. Again, the simulated system performance significantly fits the theoretical analysis. A performance comparison between the traditional BPSK modulation and the proposed noise loop modulation has been also made by computer simulations. No third party is present in this case. The result is reported in Fig. 9. As it can be seen the noise loop scheme 10

0 NOISE LOOP (theory) NOISE LOOP (simulation)

-1

Pe NOISE LOOP

10

-2

10

-3

10

-4

10

-5

10

-6

10

0

0.1

0.2

0.3

0.4

0.5

α

0.6

0.7

0.8

0.9

1

Fig. 8 Simulated vs theoretical performance for the propose noise loop modulation 10

BPSK vs. Simulation of NOISE LOOP

0

−1

10

−2

10

−3

10

−4

10

BPSK Noise Loop α=0.5 Noise Loop α=0.2 Noise Loop α=0.6 Noise Loop α=0.75 Noise Loop α=0.9

−5

10

−6

10

0

1

2

3

4

5

6

7

8

9

10

E /N (dB) (Note: valid only for BPSK modulation) b

o

Fig. 9 Simulated performance comparison between the traditional BPSK and the proposed noise loop modulation. Note that noise loop scheme is independent of the noise power, but depends only of the noise loop gain α

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks 10

Pe NOISE LOOP

10

10

10

10

10

10

343

0

−1

−2

−3

−4

NOISE LOOP (simulation) Unwanted Listener

−5

−6

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

α Fig. 10 Simulated performance comparison between the probability of error of the legal user using noise loop modulation, e.g. user n.1, and the third unwanted listener, user n.3

has a probability of error independent by the thermal noise power. Moreover, increasing the noise loop gain α the performance of the noise loop scheme can overcome the traditional modulations for low SNRs. When a third party is present in the system, it can be passive or active. If passive, it simply stores the signal exchanged between the two legal users and tries to demodulate it. In Fig. 10 the probability of error of the third party receiver is reported. The user n.3 experiences a constant probability of incorrect decision equal to 4.5 · 10−1 that means the impossibility of detection of the symbols. On the contrary, the legal user, e.g. user n.1, has a decreasing probability of error with the noise loop gain α. As it can be seen a third unwanted listener experiences an almost constant probability of error Pe3  0.5 for antipodal signalling, as depicted in Fig. 10. A probability of error equal to 0.5 means a probability of correct detection of the information equal to 0.5, that in the case of BPSK modulation (bit b = ±1 with probability 0.5) of the information means a total uncertain, i.e., a perfect SCC or information-theoretic secrecy. When the third party is active, it transmits its unwanted signal towards one of the two legal user in order to deny the service or degrade the demodulation of the signal by the other legal receiver. The performance of the legitimate receiver has been simulated with and without the active attacker. The results show that an active attacker does not cause the performance degradation of the legal user, i.e., no denial of service is possible. 10 FPGA Implementation The proposed TX/RX scheme has been implemented on a Xilinx Virtex II FPGA to evaluate the real computational complexity and to prove the validity of data detection on a fixed point signal processing system. The transmission, reception and baseband processing branches for two terminals have been implemented in VHDL using Xilinx System Generator tool. The

123

344

L. Mucchi et al. Noise Loop FPGA Experiments March 2008 System Generator

−1

z

UFix_1_0

cast

Bool

xnor

Bool

Out

−0

Convert2

z

double

led1_red

Delay1

Green Rect

Logical in_data in_signal

out_data

double RX data Ch1

reset

rx_frontend1 dout UFix_1_0

in_data out_signal

Fix_16_13 In1

Out1

Fix_17_13

−3

2

in_signal

LFSR

tx_frontend1

Fix_17_16

cast Fix_14_13 Convert4

Delayed_AWGN

double

DAC1 benONE

Scale

RX data Ch1

Signal Ch1

bit_enable

Bool

frame_clock

Scope

timings

Scope1

Signal Ch2

Rx data Ch2 in_signal out_signal

dout UFix_1_0

Fix_16_13 In1

Out1

Fix_17_13

−3

2

in_data

tx_frontend2 LFSR1

Fix_17_16

cast Fix_14_13 Convert1

Delayed_AWGN1

double

DAC2 benONE

Scale1

in_data in_signal

out_data

double Rx data Ch2

reset

rx_frontend2 xnor −1

z

UFix_1_0

cast Bool Convert3

Bool

Out

−0

z

double

led2_red Green Rect1

Logical1

Delay

Fig. 11 FPGA implementation: Simulink model of noise-loop transmission chain Signal Ch1

0.2 0.1 0 −0.1 −0.2

0

200

400

600

800

1000

1200

1400

1600

1800

2000

1400

1600

1800

2000

Signal Ch2

0.2 0.1 0 −0.1 −0.2

0

200

400

600

800

1000

1200

Time

Fig. 12 FPGA implementation: baseband signals for forward and reverse channel

Matworks Simulink model of the implemented chain is represented in Fig. 11. The model includes two PN-sequence generators to emulate the transmitted data from both terminals, a timing section, the TX and RX frontends, a delayed AWGN emulator, and other performance evaluating blocks. The baseband signal generated by the two noise-loop terminals are represented in Fig. 12 for both forward and reverse channels (respectively Ch1 and Ch2). The

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

345

RX data Ch1

2 1.5 1 0.5 0 −0.5 −1 0

200

400

600

800

1000

1200

1400

1600

1800

2000

1400

1600

1800

2000

Rx data Ch2

2 1.5 1 0.5 0 −0.5 −1

0

200

400

600

800

1000

1200

Time

Fig. 13 FPGA implementation: detected data from both receivers

Table 1 FPGA utilization (total and fraction of Xilinx Virtex II xc2vp30-5ff1152 resources)

FPGA resource

TX module

RX module

Multipliers (MULT) Look-up tables (FGs) Arithmetic logic (CYs) Storage Elements (DFFs)

1 (0.7%) 136 (0.4%) 75 (0.2%) 68 (0.2%)

3 (2.2%) 42 (0.1%) 40 (0.1%) 165 (0.6%)

detected data is reported in Fig. 13. No visible correlation can be found with the baseband signal of Fig. 12, confirming the assumptions made in the theoretical sections of this work. The complexity of the proposed implementation is reported in Table 1. As shown both the transmitter and receiver blocks use a very small portion of the used FPGA, though framing and synchronization have not been addressed yet.

11 Conclusions Potential applications of the proposed techniques are found in wireless communications systems where an initial shared secret is not available. In 4G systems as an example, roaming users accessing local services are usually able to provide a strong identity credential (via the manufacturers embedded certificate) but may not have any authorization agreement with the hosting system. In that case a secure channel cannot be established with ordinary techniques, while is possible with the proposed one. Moreover, since the initial coupling between terminals is obtained through delays, in a context where the desired user has a known geographical position (i.e. a tactical scenario), a secured channel can be established without any additional information. Once the secure channel is established, an unwanted listener is unable to decode the flowing information even if it reveals the users position.

123

346

L. Mucchi et al.

A novel modulation technique based on thermal noise loop between transmitter and receiver has been presented. The probability of error in the AWGN environment showed that the performance of the proposed scheme is very closed to the traditional BPSK transmission, but the thermal noise modulation offers an intrinsic secure information exchange at physical layer level. This new property can be used to create a secure radio channel between a source and a destination without any a priori common knowledge. A common a priori knowledge is normally mandatory in order to decide the encryption (algorithm or code or key) of the information stream. It is usual to exchange this common a priori knowledge by using a “secure” channel. Nowadays a secure wireless channel is not possible. In fact normally the common a priori knowledge is already established (but this is not secure) or by using a non-radio channel (that implies a waste of time and resource). The main advantages of the thermal noise modulation can be summarized as follows: – security, i.e., the information cannot be demodulated or denied by unwanted users; moreover, a wireless secure channel without any a priori knowledge between source and destination is possible; – multiple access, i.e., different users can be separated by a thermal noise basis (noise division multiple access); – applicability, i.e., thermal noise is always present independently by the environments, devices, etc.

References 1. Shannon, C. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 29, 656–715. 2. IEEE 802.16-2004. (2004). IEEE standard for local and metropolitan area networks part 16: Air interface for fixed broadband wireless access systems. 3. ANSI/IEEE Std 802.11. (1999). Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. 4. IEEE Std 802.11i. (2004). Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, amendment 6: Medium access control (MAC) security enhancements. 5. IEEE Std 802.15.1. (2005). IEEE standard local and metropolitan area networks–part 15.1: Wireless medium access control (MAC) and physical layer (PHY) specifications for wireless personal area networks (WPANs). 6. Kent, S., & Seo, K. (2005). Security architecture for the internet protocol, internet engineering task force, RFC 4301. 7. Bennett, C. H., & Brassard, G. (1984). Proceedings of IEEE international conference on computers systems and signal processing, Bangalore, India, pp. 175–179 8. Hero, A. O., III. (2003). Secure space-time communication. IEEE Transactions on Information Theory, 49(12), 3235–3249. 9. Maurer, U. (1993). Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, 39(3), 733–742. 10. Wyner, A. D. (1975). The wire-tap channel. Bell System Technical Journal, 54(8), 1355–1387. 11. Csiszar, I., & Korner, J. (1978). Broadcast channels with confidential messages. IEEE Transactions on Information Theory, 24(3), 339–348. 12. Sharbaf, M. S. (2009). Quantum cryptography: A new generation of information technology security system, information technology: New generations. ITNG ’09. Sixth international conference on, 27–29 April, pp. 1644–1648. 13. Wilson, R., Tse, D., & Scholtz, R. A. (2007). Channel identification: Secret sharing using reciprocity in ultrawideband channels. IEEE Transactions on Information Forensics and Security, 2(3), 270–275. 14. Hyungjin, K., & Villasenor, J. D. (2008). Secure MIMO communications in a system with equal numbers of transmit and receive antennas. IEEE Communications Letters, 12(5), 386–388. 15. Li, X., & Ratazzi, E. P. (2005). MIMO transmissions with information-theoretic secrecy for secret-key agreement in wireless networks. IEEE military communications conference (MILCOM’2005) Atlantic City, NJ, Oct. 17–20.

123

A Novel Approach for Physical Layer Cryptography in Wireless Networks

347

16. Mohammadi, M. S. (2009). MIMO minimum leakage—physically secure wireless data transmission, application of information and communication technologies. AICT 2009. International Conference on, 14–16, pp. 1–5.

Author Biographies L. Mucchi ([email protected]) received the M.S. Degree (Laurea) in Telecommunications Engineering from the University of Florence (Italy) in 1998 and the Ph.D. in Telecommunications and Information Society in 2001. His main research areas are spread spectrum techniques (UWB, CDMA, etc.), cooperative communication systems, cognitive radio, wireless security, MIMO and diversity techniques and multi-satellite communications. He has published a chapter in 3 international books, 13 papers in international journals and 55 papers in international conferences during his research activity. Lorenzo Mucchi is also a full member of the Institute of Electrical and Electronics Engineers (IEEE).

L. S. Ronga [IEEE S89-M94-SM04] received his M.S. degree in electronic engineering in 1994 and his Ph.D. degree in telecommunications in 1998 from the University of Florence, Italy. In 1997 joined the International Computer Science Institute of Berkeley, California, as a visiting scientist. In 1998 obtained a post-doc position in the engineering faculty of the University of Florence. In 1999 he joined Italian National Consortium for Telecommunications, where he is currently head of research. He has been leader of national and international research groups. He authored over 50 papers published in international journals and conference proceedings. He has been editor of EURASIP Newsletter for 4 years.

E. Del Re was born in Florence, Italy, since 1975 he has been with the Department of Electronics Engineering of the University of Florence, Florence, Italy, first as a Research Assistant, then as an Associate Professor, and since 1986 as Professor. His main research interest are digital signal processing, mobile and satellite communications and communication networks, on which he has published more than 150 papers, in international journals and conferences. He is the head of the Digital Signal Processing and Telematics Laboratory of the Department of Electronics and Telecommunications of the University of Florence. He is a member of the Executive Board of the Italian Interuniversity Consortium for Telecommunications (CNIT). Professor Del Re is a Senior Member of the IEEE.

123