A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

L. Xiao, L. Greenstein, N. Mandayam, W. Trappe
WINLAB, Dept. ECE, Rutgers University
[email protected]
ICC 2008
This work is supported in part by NSF grant CNS-0626439
WIRELESS INFORMATION NETWORK LABORATORY


Page 1: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

L. Xiao, L. Greenstein, N. Mandayam, W. Trappe

WINLAB, Dept. ECE, Rutgers University

[email protected]

ICC 2008

This work is supported in part by NSF grant CNS-0626439

A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

WIRELESS INFORMATION NETWORK LABORATORY

Page 2: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Outline

• Channel-based authentication
• Challenge: Terminal mobility
• Enhanced channel-based authentication
  • Inter-burst authentication
  • Intra-burst authentication
• Simulation results
• Conclusion

04/20/23 2

Page 3: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

PHY-based Security Techniques


Page 4: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Benefits of Multipath Fading

• CDMA: Rake processing that transforms multipath into a diversity-enhancing benefit

• MIMO: Transforms scatter-induced Rayleigh fading into a capacity-enhancing benefit

• Fingerprints in the Ether: Distinguishes channel responses of different paths to enhance authentication

[Figure labels: AP (Bob), Alice, Eve, multipath propagation, reflector cluster, Internet]

Page 5: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Fingerprints in the Ether:

• In typical indoor environments, the wireless channel decorrelates rapidly in space

• The channel response is hard to predict and to spoof

[Figure: Frequency response, |H(f)| versus f (GHz) over 4.9 to 5.1 GHz, for Loc 1, Loc 2 and Loc 3]

[Figure: Top View of Alcatel-Lucent’s Crawford Hill Laboratory, Holmdel, NJ]

Page 6: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Channel-Based Authentication

• Wireless networks are vulnerable to various identity-based attacks, like spoofing attacks

• System overhead can be large if every message is protected by upper-layer authentication/encryption

• Channel-based authentication:
  • Detect attacks for each message, significantly reducing the number of calls for upper-layer authentication
  • Works well under time-invariant channels and stationary terminals in spoofing detection

Page 7: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

System Model

• Multicarrier systems, e.g., OFDM
  • Also applies to single-carrier systems

• Each burst contains multiple frames

• Each frame (with duration of T) contains pilot symbols at M subbands

• Reuse the existing channel estimation mechanism

[Figure label: Data transmission]

Page 8: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Alice-Bob-Eve Model

• Alice sent the first message

• If Alice is silent, Eve may spoof her by using her identity (e.g., MAC address) in the second message

• Bob measures, stores and compares channel vectors in consecutive messages, “Who is the current transmitter, Alice or Eve?”
  • Spatial variability of multipath propagation: HA HE (with high probability)
  • Time-invariant channel: Constant HA

[Figure labels: Alice, Eve, Bob, HA, HE]

Page 9: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Challenge: What If Alice Moves?

• Channel response, HA, changes quickly as Alice moves

• Alice may be mistakenly regarded as Eve
  • Larger false alarm rate

• Larger channel variation, for larger r (displacement of Alice during one frame)

• Performance worsened by large intervals between data bursts

[Figure labels: Alice, Bob, HA, H’A, r]

Page 10: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Inter-Burst Authentication

• To solve the problem of large channel time variations due to long inter-burst intervals

• Authentication of the first frames in data bursts

• Key generation at Alice
  • Based on the channel response at a specified frame in the previous data burst
  • Feedback from the receiver
  • Channel measurement in the TDD system

Page 11: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Intra-Burst Authentication

• Authentication of the following frames in data bursts

• Based on channel vectors (each with M elements) from channel estimation at M tones in consecutive frames
  • HA (k-1), HA (k-2), … (Alice)
  • Ht (k) (Maybe Alice, maybe Eve)

• Channel model
  • Receiver thermal noise, AWGN
  • Phase measurement drifts

2

( ) 2 2

2 2

( ) ( 1) 1 ( )

( ) ( ) ~ ( ( 1) ,( ) )

( ) ~ (0,( ) )

A A A

j k jA A A A N

E E N

H k H k k

H k H k e N CN H k e

H k CN

I

I

Page 12: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Intra-Burst Authentication -2

• Hypothesis testing:
  • H0:
  • H1:

• Test statistic:

• Rejection region of H0:

• False alarm rate,

• Miss rate,

Threshold, Z

0( )FA HP P Z

No Spoofing

Spoofing!!!

( ) ( )

( ) ( )

t A

t A

H k H k

H k H k

( ), ( 1),t AZ F H k H k

1( )m HP P Z

Page 13: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Intra-Burst Authentication -3

• Neyman-Pearson test-based scheme:
  • Given , Eve has much larger uncertainty of the channel response than Alice, at time k
  • Test statistic:

• Recursive least-squares (RLS) adaptive filters-based scheme:
  • M parallel independent RLS filters for channel estimation
  • Eve usually leads to larger RLS estimation error than Alice
  • Test statistic:
  • Larger system overhead: Ensure the previous 3L frames all came from Alice

2 22

1 1 1

( ( ), ( 1), ( )) | ( ) | / | ( ) | /M L M

t A A m mm l m

Z H k H k H k L e k H k l L

2 21 || || / || ||

Ht AjArg H H

t A AZ H H e H

( 1)AH k
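
The following Python simulation is an added example, not code from the presentation: it runs the Alice-Bob-Eve threshold test from the intra-burst slides, sets the threshold for a target false alarm rate, and reports how the detection rate falls as Alice's channel decorrelates between frames. The first-order channel model, the parameter `a` (frame-to-frame correlation, standing in for Alice's displacement r), the values of `M` and `NOISE`, and the phase-aligned distance statistic are assumptions chosen for illustration, not the authors' exact NP or RLS statistics.

```python
import cmath, math, random

M = 3          # pilot tones per frame (assumed; the slides only say "M subbands")
NOISE = 0.05   # per-tone noise std relative to unit channel power (assumed)

def cn(rng, std=1.0):
    """One circularly symmetric complex Gaussian sample with variance std**2."""
    s = std / math.sqrt(2)
    return complex(rng.gauss(0, s), rng.gauss(0, s))

def measure(h, rng):
    """Bob's estimate: true channel, a common random phase drift, plus AWGN."""
    rot = cmath.exp(1j * rng.uniform(-math.pi, math.pi))
    return [x * rot + cn(rng, NOISE) for x in h]

def statistic(h_t, h_a):
    """Phase-aligned, normalised distance between the new and stored vectors."""
    inner = sum(a.conjugate() * t for a, t in zip(h_a, h_t))
    rot = cmath.exp(1j * cmath.phase(inner)) if inner else 1
    num = sum(abs(t - a * rot) ** 2 for a, t in zip(h_a, h_t))
    return num / sum(abs(a) ** 2 for a in h_a)

def simulate(a, trials=4000, p_fa=0.05, seed=1):
    """Return (threshold, detection rate) for frame-to-frame correlation a."""
    rng = random.Random(seed)
    z0, z1 = [], []
    for _ in range(trials):
        prev = [cn(rng) for _ in range(M)]                  # Alice, frame k-1
        cur = [a * x + math.sqrt(1 - a * a) * cn(rng) for x in prev]  # frame k
        eve = [cn(rng) for _ in range(M)]                   # Eve, other location
        stored = measure(prev, rng)
        z0.append(statistic(measure(cur, rng), stored))     # H0: no spoofing
        z1.append(statistic(measure(eve, rng), stored))     # H1: spoofing
    z0.sort()
    thr = z0[int((1 - p_fa) * trials)]   # empirical (1 - p_fa) quantile under H0
    return thr, sum(z > thr for z in z1) / trials

if __name__ == "__main__":
    for a in (0.999, 0.99, 0.9):         # smaller a: Alice moves further per frame
        thr, pd = simulate(a)
        print(f"a={a}: threshold={thr:.3f}, detection rate={pd:.3f}")
```

A lower `a` forces a higher threshold to hold the same false alarm rate, which is why the detection rate drops when the legitimate terminal moves faster.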

Page 14: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Simulation Scenario

• Transmitter mobility in wireless indoor environment

• Frequency response at 4.75, 5.0, and 5.25 GHz, for any T-R path, as FT of the impulse response, obtained using the Alcatel-Lucent ray-tracing tool WiSE

• Consider NE=1000 locations of Eve, NA=50 traces of Alice, each with Nx=100 frames. In each scenario, Nn=5 i.i.d. complex Gaussian thermal noise is generated.

Page 15: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Simulation Results

• NP-based statistic has good performance if r<5 mm, corresponding to transmitter velocity of 1.43 mps, with frame duration of 3.5 ms

• Adaptive filter-based statistic is less robust than NP-based scheme to terminal mobility

[Figure: two panels, NP-based and RLS-based, each plotting Average Detection Rate (0.8 to 1) against False Alarm Rate (0 to 0.1) for r = 1 mm, 2 mm, 3 mm, 4 mm and 5 mm; each panel is annotated "Alice moves faster"]

Page 16: A Physical-Layer Technique to Enhance Authentication for Mobile Terminals

Conclusion

• We proposed an enhanced PHY-layer authentication scheme
  • Inter-burst authentication: Channel response in previous burst is used as the key for the authentication of the first frame in the data burst
  • Intra-burst authentication: NP-based test vs. RLS adaptive filter based scheme

• Verified using a ray-tracing tool (WiSE) for indoor environments
  • NP-based test is more robust against terminal mobility, and more efficient in terms of system overhead and implementation complexity
  • It correctly detects 96% of spoofing attacks, while reducing unnecessary calls of upper-layer authentications by 94%, with transmitters moving at a typical pedestrian speed (1.43 mps), and frame duration of 3.5 ms.