Abstract
Many of the risks associated with securing wireless systems stem from challenges associated with operating in a mobile environment, such as the lack of a guaranteed infrastructure or the ease with which entities can eavesdrop on communications. Traditional network security mechanisms rely upon cryptographic keys to support confidentiality and authentication services. However, in a dynamic mobile wireless environment, with peer-to-peer associations being formed on-the-fly between mobile entities, it is difficult to ensure availability of a certificate authority or a key management center. Since such scenarios are likely to become more prevalent, it is necessary to have alternatives for establishing keys between wireless peers without resorting to a fixed infrastructure.

We explore an alternative for building cryptographic services by exploiting an untapped resource: the wireless channel itself. The specificity of the radio channel between two wireless devices, and its rapid decorrelation with distance, provide a basis for the creation of shared secret information, such as cryptographic keys, even in the presence of an eavesdropper. In typical multipath environments (see Fig. 9.1), the wireless channel between two users, Alice and Bob, produces a time-varying, stochastic mapping between the transmitted and received signals. This mapping varies with time in a manner that is location-specific and reciprocal, i.e., the mapping is the same whether Alice is the transmitter with Bob as the receiver or vice versa. The time-varying mapping, commonly termed fading, decorrelates over distances of the order of half a wavelength, λ. Thus, an adversary, Eve, who is more than λ/2 away from both Alice and Bob, experiences fading channels to Alice and to Bob that are statistically independent of the fading between Alice and Bob. These properties allow us to generate a common, secret cryptographic key at Alice and Bob such that Eve gets no information about the generated key.
For example, at 2.4 GHz, we only require that Eve be roughly λ/2 = 6.25 cm away from Alice and Bob to ensure that she gets no useful information. Thus, while fading is typically considered harmful, we profitably exploit it to extract perfectly secret bits without leaking information to an adversary.

The extraction of secret bits from the wireless channel can be viewed as a 'blackbox' that can be advantageous in various ways, putting to good use information that is already available from the channel. For example, in the current 802.11i standard, session keys for communication between a station and an AP are derived by hashing together authentication credentials and nonces exchanged in the clear. This ties the confidentiality of future messages to the authentication credentials, and if these credentials are ever compromised then an adversary will be able to derive the session keys and decrypt past encrypted messages. If the nonces can be derived in an information-theoretically secret manner from the channel between two users, then a passive adversary has no means to derive the session keys even if it learns the authentication credentials [1]. Further, session keys can be updated using these secret bits derived from the channel, instead of relying on previously existing keys [1], thus ensuring that the confidentiality of each new session is protected independently of earlier sessions.

Yet another vulnerability in 802.11i stems from the fact that during the establishment of a secure link between a station and an AP, all messages exchanged over the air, including management frames, are sent unencrypted until both parties have obtained the session key (cf. the temporal key (TK) in 802.11) and are therefore susceptible to eavesdropping and to spoofing by other users. While the 802.11w amendment seeks to protect some management frames from such attacks, it too fails to protect messages exchanged before the establishment of TKs.
Unfortunately, securing the initial exchanges between the parties requires them to share a key that is not established until later. Our key extraction mechanism provides a natural solution by allowing the parties to generate a temporary key that protects the interim exchanges before the formal keys are in place.

Ad hoc or peer-to-peer networks present another avenue where our technique can be useful. Alice may not care to establish Bob's identity if she merely wishes to employ his forwarding services. In such a scenario, she may nevertheless wish to establish a confidential link with Bob by using the channel to form a key prior to encrypting subsequent data, thereby preventing eavesdropping.

Prior work in information theory has noted the potential of using the wireless channel for generating shared secret bits (see Sect. 9.7), but most of this work has been aimed at computing theoretical limits and has not provided practical algorithms, nor a demonstrable and quantifiable impact on security. Our contribution may be summarized as follows:

1. We translate prior information-theoretic ideas into a practical protocol applied to wireless channels;
2. We build a new algorithm for key extraction that, unlike prior schemes, does not require an authenticated channel, and study performance for typical fading;
3. We validate our algorithm using channel impulse responses measured using the 802.11a packet preamble on a customized FPGA-based 802.11 development platform and a second study that uses only coarse per-packet RSSI information readily available to off-the-shelf 802.11 platforms.

Existing mobile radio platforms already provide the information we need, but such data are normally discarded after physical layer processing and can be profitably exploited to benefit security.
The approach we present augments, rather than replaces, existing cryptographic security mechanisms: it provides a new approach to establishing keys that is useful when there is no key management infrastructure.

In Sect. 9.2 we describe our system model and the design issues relevant to our problem, in Sect. 9.3 we describe our key-extraction algorithm in detail, in Sect. 9.4 we evaluate its performance and in Sect. 9.5 we present two experimental studies that validate our algorithm using 802.11a hardware. In Sect. 9.6, we present a discussion on the tradeoffs and security of our key-extraction method, in Sect. 9.7 we review the related literature, and we conclude in Sect. 9.8.
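
An added simulation, not code from the chapter: it illustrates the abstract's reciprocity and decorrelation argument using a simple guard-band threshold quantizer, which is a stand-in assumption and not the chapter's key-extraction algorithm. The AR(1) fading model, the noise level and all function names are constructed for illustration.

```python
import random
import statistics

def ar1_fading(rng, n, rho):
    """Unit-variance Gaussian AR(1) process, a constructed stand-in for fading."""
    h, out = rng.gauss(0, 1), []
    for _ in range(n):
        h = rho * h + (1 - rho ** 2) ** 0.5 * rng.gauss(0, 1)
        out.append(h)
    return out

def quantize(samples, guard):
    """1 above mean + guard*std, 0 below mean - guard*std, None in between."""
    mu, sd = statistics.fmean(samples), statistics.pstdev(samples)
    hi, lo = mu + guard * sd, mu - guard * sd
    return [1 if x > hi else 0 if x < lo else None for x in samples]

def simulate(n=20000, rho=0.9, noise=0.1, guard=0.5, seed=7):
    rng = random.Random(seed)
    h_ab = ar1_fading(rng, n, rho)  # reciprocal Alice<->Bob channel
    h_e = ar1_fading(rng, n, rho)   # Eve is > lambda/2 away: independent fading

    def measure(h):
        # Each party sees the channel plus its own receiver noise.
        return [x + rng.gauss(0, noise) for x in h]

    alice, bob, eve = measure(h_ab), measure(h_ab), measure(h_e)
    qa, qb = quantize(alice, guard), quantize(bob, guard)
    # Public discussion: only sample indices are exchanged, never bit values.
    kept = [i for i in range(n) if qa[i] is not None and qb[i] is not None]
    # Eve hears the indices and guesses from her own samples (no guard band).
    qe = quantize(eve, 0.0)

    def agreement(a, b):
        return sum(a[i] == b[i] for i in kept) / len(kept)

    return {"bits": len(kept),
            "alice_bob": agreement(qa, qb),
            "alice_eve": agreement(qa, qe)}

if __name__ == "__main__":
    print(simulate())
```

Consecutive kept bits in this sketch are still correlated through `rho`, so it measures bit agreement only and says nothing about the entropy of the resulting key.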
Original language | English (US) |
---|---|
Title of host publication | Securing Wireless Communications at the Physical Layer |
Publisher | Springer US |
Pages | 201-230 |
Number of pages | 30 |
ISBN (Print) | 9781441913845 |
State | Published - 2010 |
All Science Journal Classification (ASJC) codes
- General Engineering