L. Xiao, L. Greenstein, N. Mandayam, W. TrappeWINLAB, Dept. ECE, Rutgers University
ICC 2008
This work is supported in part by NSF grant CNS-0626439
A Physical-Layer Technique to Enhance Authentication for Mobile
Terminals
WIRELESS INFORMATION NETWORK LABORATORY
Outline
Channel-based authentication Challenge: Terminal mobilityEnhanced channel-based
authenticationInter-burst authenticationIntra-burst authentication
Simulation resultsConclusion
04/20/23 2
PHY-based Security Techniques
3
Benefits of Multipath Fading • CDMA: Rake processing that transforms
multipath into a diversity-enhancing benefit
• MIMO: Transforms scatter-induced Rayleigh fading into a capacity-enhancing benefit
• Fingerprints in the Ether: Distinguishes channel responses of different paths to enhance authentication
04/20/234
AP(Bob)
Alice
Eve
Multipathpropagation
Reflectorcluster
Internet
4.9 4.95 5 5.05 5.110
-5
10-4
10-3
f (GHz)
|H(f
)|
Frequency response
Loc 1Loc 2Loc 3
Fingerprints in the EtherFingerprints in the Ether:
In typical indoor environments, the wireless channel decorrelates rapidly in space
The channel response is hard to predict and to spoof
5Top View of Alcatel-Lucent’s Crawford Hill Laboratory, Holmdel, NJ
Channel-Based AuthenticationWireless networks are vulnerable to various
identity-based attacks, like spoofing attacksSystem overhead can be large if every
message is protected by upper-layer authentication/encryption
Channel-based authentication: Detect attacks for each message, significantly
reducing the number of calls for upper-layer authentication
Works well under time-invariant channels and stationary terminals in spoofing detection
04/20/236
System ModelMulticarrier systems, e.g.,
OFDMAlso applies to single-carrier
systemsEach burst contains multiple
framesEach frame (with duration of
T) contains pilot symbols at M subbands
Reuse the existing channel estimation mechanism
04/20/23 7Data transmission
Alice sent the first messageIf Alice is silent, Eve may spoof her by using her
identity (e.g., MAC address) in the second message
Bob measures, stores and compares channel vectors in consecutive messages, “Who is the current transmitter, Alice or Eve?” Spatial variability of multipath propagation: HA HE
(with high probability)Time-invariant channel: Constant HA
Alice-Bob-Eve Model
04/20/238
HA
Eve
Alice
BobHE
Challenge: What If Alice Moves?
Channel response, HA, changes quickly as Alice moves
Alice may be mistakenly regarded as EveLarger false alarm rate Larger channel variation, for larger r
(displacement of Alice during one frame)Performance worsened by large intervals
between data bursts
9
HA
Alice BobH’Ar
Alice
Inter-Burst Authentication
04/20/23 10
To solve the problem of large channel time variations due to long inter-burst intervals
Authentication of the first frames in data bursts
Key generation at Alice Based on the channel
response at a specified frame in the previous data burst
Feedback from the receiver
Channel measurement in the TDD system
Intra-Burst AuthenticationAuthentication of the following frames in data burstsBased on channel vectors (each with M elements)
from channel estimation at M tones in consecutive framesHA (k-1), HA (k-2), … (Alice)Ht (k) (Maybe Alice, maybe Eve)
Channel model
Receiver thermal noise, AWGNPhase measurement drifts
04/20/23 11
2
( ) 2 2
2 2
( ) ( 1) 1 ( )
( ) ( ) ~ ( ( 1) ,( ) )
( ) ~ (0,( ) )
A A A
j k jA A A A N
E E N
H k H k k
H k H k e N CN H k e
H k CN
I
I
Intra-Burst Authentication -2Hypothesis testing:
H0:H1:
Test statistic: Rejection region of H0 :
False alarm rate, Miss rate,
04/20/23 12
Threshold, Z
0( )FA HP P Z
No Spoofing
Spoofing!!!
( ) ( )
( ) ( )
t A
t A
H k H k
H k H k
( ), ( 1),t AZ F H k H k
1( )m HP P Z
Intra-Burst Authentication -3Neyman-Pearson test-based scheme:
Given , Eve has much larger uncertainty of the channel response than Alice, at time k
Test statistic:
Recursive least-squares (RLS) adaptive filters-based scheme:M parallel independent RLS filters for channel estimationEve usually leads to larger RLS estimation error than
AliceTest statistic:
Larger system overhead: Ensure the previous 3L frames all came from Alice 13
2 22
1 1 1
( ( ), ( 1), ( )) | ( ) | / | ( ) | /M L M
t A A m mm l m
Z H k H k H k L e k H k l L
2 21 || || / || ||
Ht AjArg H H
t A AZ H H e H
( 1)AH k
Simulation Scenario Transmitter mobility in wireless Indoor environment Frequency response at 4.75, 5.0, and 5.25 GHz, for any T-
R path, as FT of the impulse response, obtained using the Alcatel-Lucent ray-tracing tool WiSE
Consider NE=1000 locations of Eve, NA=50 traces of Alice, each with Nx=100 frames. In each scenario, Nn=5 i.i.d. complex Gaussian thermal noise is generated.
04/20/23 14
Simulation Results
04/20/23
NP-based statistic has good performance if r<5 mm, corresponding to transmitter velocity of 1.43 mps, with frame duration of 3.5 ms
Adaptive filter-based statistic is less robust than NP-based scheme to terminal mobility
0 0.02 0.04 0.06 0.08 0.10.8
0.82
0.84
0.86
0.88
0.9
0.92
0.94
0.96
0.98
1
False Alarm Rate
Ave
rage
Det
ecti
on R
ate
r=1 mmr=2 mmr=3 mmr=4 mmr=5 mm
0 0.02 0.04 0.06 0.08 0.10.8
0.82
0.84
0.86
0.88
0.9
0.92
0.94
0.96
0.98
1
False Alarm Rate
Ave
rage
Det
ecti
on R
ate
r=1 mmr=2 mmr=3 mmr=4 mmr=5 mm
NP-based RLS-based 15
Alice moves faster Alice moves faster
We proposed an enhanced PHY-layer authentication schemeInter-burst authentication: Channel response in previous burst
is used as the key for the authentication of the first frame in the data burst
Intra-burst authentication: NP-based test vs. RLS adaptive filter based scheme
Verified using a ray-tracing tool (WiSE) for indoor environmentsNP-based test is more robust against terminal mobility,
and more efficient in terms of system overhead and implementation complexity
It correctly detects 96% of spoofing attacks, while reduces unnecessary calls of upper-layer authentications by 94%, with transmitters moving at a typical pedestrian speed (1.43 mps), and frame duration of 3.5 ms.
Conclusion
04/20/2316
Top Related