l. xiao, l. greenstein, n. mandayam, w. trappe winlab, dept. ece, rutgers university...
TRANSCRIPT
L. Xiao, L. Greenstein, N. Mandayam, W. TrappeWINLAB, Dept. ECE, Rutgers University
CISS 2008
This work is supported in part by NSF grant CNS-0626439
MIMO-Assisted Channel-Based Authentication in Wireless Networks
WIRELESS INFORMATION NETWORK LABORATORY
Outline
Fingerprints in the Ether/channel-based authenticationHow to use the multipath fading to improve security?
MIMO-assisted authenticationFingerprints in the Ether + MIMO = ?
Simulation resultsConclusions
04/21/23 2
Benefits of Multipath Fading • CDMA: Rake processing that transforms
multipath into a diversity-enhancing benefit
• MIMO: Transforms scatter-induced Rayleigh fading into a capacity-enhancing benefit
• Fingerprints in the Ether: Distinguishes channel responses of different paths to enhance authentication
04/21/233
AP(Bob)
Alice
Eve
Multipathpropagation
Reflectorcluster
Internet
PHY-based Security Techniques
• Detections of attacks based on the received signal strength:• Identity-based attacks in wireless networks [Faria-
Cheriton 06] • Sybil attacks in sensor networks [Demirbas-Song 06]• Spoofing attacks [Chen-Trappe-Martin 07]
• Detections of attack based on the multipath channel information: • Fingerprints in the Ether: Authentication based on
channel frequency response [Xiao-Greenstein-Mandayam-Trappe 07]
• Location distinction based on channel impulse response [Patawari-Kasera 07]
• Encryption keys establishment [Wilson-Tse-Scholtz 07]
04/21/234
4.9 4.95 5 5.05 5.110
-5
10-4
10-3
f (GHz)
|H(f
)|
Frequency response
Loc 1Loc 2Loc 3
Fingerprints in the EtherFingerprints in the Ether:
In typical indoor environments, the wireless channel decorrelates rapidly in space
The channel response is hard to predict and to spoof
04/21/235
Channel-Based AuthenticationWireless networks are vulnerable to various
identity-based attacks, like spoofing attacksHuge system overhead if every message is protected
by upper-layer authentication/encryptionChannel-based authentication:
Detect attacks for each message, significantly reducing the number of calls for upper-layer authentication
Utilize the existing channel estimation mechanismLow system overheadPerformance in single-antenna systems has been
verified Here we will show the additional gain in MIMO links
04/21/236
Fingerprints + MIMO =?Eve must use the same number of transmit antennas
to spoof AliceBetter channel resolution: Additional dimension of
channel estimation samples provided by MIMOLess transmit power per antenna: Equal power
allocation of pilot symbols over transmit antennas (without a priori CSI)
Benefits of MIMO techniques:Diversity gain (tradeoff with Multiplexing gain)Security gain: More accurate detection of attacks, when
replacing SISO with MIMO
04/21/237
Alice sent the first messageIf Alice is silent, Eve may spoof her by using her
identity (e.g., MAC address) in the second message
Bob measures, stores and compares channel vectors in consecutive messages, “Who is the current transmitter, Alice or Eve?” Spatial variability of multipath propagation: HA HE
(with high probability)Time-invariant channel: Constant HA
System Model
04/21/238
HA
Eve
Alice
BobHE
Channel Estimation Channel estimation based on pilot symbols at
M tonesChannel vectors derived from consecutive
messages: H1 (Alice) and H2 (May be Alice, may be Eve)
In NT x NR MIMO systems, both H1 and H2 have MNTNR elements
Inaccurate channel estimation:AWGN receiver thermal noise model, Unknown phase measurement drifts
04/21/23 9
2~ CN(0, )N I expi i i iH H j N
MIMO-Assisted Spoofing DetectionHypothesis testing: H0: H1 = H2
H1: H1 H2
Test statistic:Rejection region of H0 : L > Test threshold, k
Performance criteriaFalse alarm rate, : The
probability of calling the upper-layer authentication unnecessarily
Miss rate, : The probability of missing the detection of Eve
04/21/23 10
No Spoofing
Spoofing!!!
0( )FA HP P L k
1( )m HP P L k
H 21 2 1 22
1|| exp ||L H H jArg H H
Performance Summary
Detection Performance
System BW, W
Noise BW, b (NarrowBand)
# of receive antennas, NR
# of transmit antennas, NT
Depends
Transmit power per tone, PT
Frequency sample size, M
04/21/2311
Simulation ScenarioVerified in a wireless indoor environment, with 405
spatial samples and half wavelength (3 cm) spacing for antennas
Frequency response for any T-R path, as FT of the impulse response, obtained using the Alcatel-Lucent ray-tracing tool WiSE
The received SNR per tone ranges from -16.5 dB to 53.6 dB, with a median value of 16 dB, when PT=0.1 mW, SISO systems.
04/21/23 12
Alice & Eve
Bob
1 1.5 2 2.5 3 3.5 4 4.5 510
-5
10-4
10-3
10-2
10-1
100
NT
Ave
rage
Mis
s R
ate
NR
=1
NR
=2
NR
=3
NR
=4
0.1mW
1mW
Simulation Results -1The use of more receive antennas is always
a benefit, while the impact of transmit antenna depends
04/21/2313 , # of transmit antennas
# of receive antennas
2 4 6 8 10 12 14 1610
-5
10-4
10-3
10-2
10-1
M
Ave
rage
Mis
s R
ate
SISOMISOSIMOMIMO
0.1 mW
1 mW
10 mW
Simulation Results -2MIMO security gain rises
with PT, under small M (e.g., M=1); while decreases with PT, o.w.
With high PT and small M, SISO systems have accurate but insufficient channel response samples.
With high PT and large M, SISO systems have performance too good to be significantly improved.
With low PT , the channel estimation is inaccurate, and thus more data are required for a right decision.
14 , frequency sample size
0 5 10 15 20 25 30 35 4010
-5
10-4
10-3
10-2
10-1
100
W (MHz)
Ave
rage
Mis
s R
ate
SISOMISOSIMOMIMO
0.1 mW
1 mW
10 mW
Simulation Results -3The miss rate decreases with the system
bandwidth, WLess-correlated frequency samples=> Better
resolution among users
04/21/2315
100
101
102
10-6
10-5
10-4
10-3
10-2
10-1
100
Measurement Noise Bandwidth, b (kHz)
Ave
rage
Mis
s R
ate
SISOMISOSIMOMIMO
Simulation Results -4The miss rate rises with the measurement noise
bandwidth, b, in narrowband systemsThe noise power in the channel estimation is
proportional to b
04/21/2316
We proposed a MIMO-assisted channel-based authentication scheme, and verified its performance in spoofing detection, using a channel-simulation software
Conclusion
04/21/2317
Detection Performance
System BW, W
Noise BW, b (NarrowBand)
# of receive antennas, NR
# of transmit antennas, NT
Depends
Transmit power per tone, PT
Frequency sample size, M
References [FC06] Faria, et al, “Detecting identity-based attacks in
wireless networks using signalprints,” WiSE, 2006 [DS06] Demirbas, et al, “An RSSI-based scheme for sybil
attack detection in wireless sensor networks,” 2006 [CTM07] Chen, et al, “Detecting and localizing wireless
spoofing attacks,” 2007 [WTS07] Wilson, et al, “Channel identification: secret
sharing using reciprocity in UWB channels,” 2007 [PK07] Patwari, et al, “ Robust location distinction using
temporal link signatures,” 2007 [XGMT07] Xiao, et al, “Fingerprints in the Ether: Using
the physical layer for wireless authentication,” ICC, 2007
04/21/2318