Project PHYLAWS (Id ) PHYsical LAyer Wireless Security. Deliverable D.4.4


Project PHYLAWS (Id ) PHYsical LAyer Wireless Security
Deliverable D.4.4: NETSEC upgrades of existing RATs - simulation and analyses complements
Version / 11 /

Change History

Version | Date | Description | Affected Sections
 | | First version | All

List of Contributors (partner: contributors, reviewers)

- TCS: Christiane Kameni (editor), François Delaveau, Renaud Molière
- VTT: Sandrine Boumard, Adrian Kotelba
- CEL:
- TPT:
- ICL: Nir Shapira

Project Summary

Wireless communications have become a universal way to access information for nearly every human around the world. This domination also presents major risks to society, owing to the widely recognized leaks and unsafe technologies in the current wireless networks. Basically all of the security today relies on bit-level cryptographic techniques and associated protocols at various levels of the data processing stack, but these solutions have drawbacks and they are often not sufficiently secure. This difficulty is a major brake on the progress of the digital society. In recent years, therefore, new approaches have been investigated in order to exploit security opportunities offered by handling signals at the physical layer level. These works have been based on a fundamental analysis of the notion of security in the context of information theory. In a more concrete manner, the potential leaks and possible ways to avoid them have also started to be seriously addressed.

The objective of the PHYLAWS project is to build on this knowledge base in order to develop focused and synthetic ways to benefit from wireless physical layer opportunities and so enhance the security of wireless communications in an affordable, flexible and efficient manner. Efficient here means simple to implement, requiring easily developed and easily validated algorithms, but it also means techniques that consume fewer resources, in terms of energy (especially at the terminal level) and in terms of data consumption overhead (i.e. acting on the overall net spectral efficiency). The project outputs will thus benefit a variety of existing and future standards for a large set of needs.

This objective will be reached through a suitably sized consortium combining excellent academic expertise in order to address information theory fundamentals, to design optimal codes, to design furtive signal waveforms and versatile radio access protocols; a major research center for the development and test of several competing techniques; an SME involvement perfectly aligned with the application targets; and a strong industrial involvement highly motivated by security in wireless networks as a manufacturer, as an end-user and as a provider of wireless communication services. The complementary skills inside the consortium will ensure both innovation and impact towards industrial applications, and they will assess validation of the commercial goals and validation of the relevance of the use for society.

The project benefits from the recommendations and advice of an international Advisory Board (AB), constituted of very high level personalities from governmental bodies, standardization bodies or academia. This Board will be one of the cornerstones of the project, based on the recognition that excellent technical developments and demonstrations will not be enough to ensure their wide spreading. Clearly, the project impact will largely benefit from a proper vision, aided by the AB, in order to penetrate standards and existing systems and ensure support from the major stakeholders. Ultimately, PHYLAWS will facilitate the penetration of wireless technologies in the personal and professional sphere, by guaranteeing a more efficient safe access to the digital world through the future internet. This achievement will strongly impact the lives of citizens and will very much contribute to trustworthy ICT in the following years.

Administrative and contract references

- [PHYLAWS_GA-A] PHYLAWS Grant Agreement, referenced FP7-ICT PHYLAWS version date , part A
- [PHYLAWS_GA-WP] PHYLAWS Grant Agreement, referenced FP7-ICT PHYLAWS version date , Work Plan
- [PHYLAWS_GA-AM] PHYLAWS Amendment n 1 to Grant Agreement FP7-ICT PHYLAWS version date , Description of Work (part B of the Grant Agreement).
- [PHYLAWS_GA-DOW2] PHYLAWS Grant Agreement, referenced version V2.2 date (revised Description of Work - part B of the Grant Agreement).
- [PHYLAWS_GA-WP2] PHYLAWS Grant Agreement, referenced FP7-ICT PHYLAWS version date (revised Work Plan).
- [PHYLAWS_D.1.1v2] PHYLAWS Management plan updated version V2 version date
- [PHYLAWS_D.2.1] PHYLAWS Study report "Privacy threats for the radio interface of public wireless networks" version 2.0 date
- [PHYLAWS_D.2.2] PHYLAWS Study report "Secure architectures and protocols for privacy enhancement of radio terminals" version V1.0 date
- [PHYLAWS_D.2.3] PHYLAWS Study report "State of the art of physical layer security" version V1.1 date
- [PHYLAWS_D.2.4] PHYLAWS Study report "New opportunities provided by modern wave forms new security protocols and sensing of radio environments" revised version V3.0 date
- [PHYLAWS_D.3.1] PHYLAWS Study report "Channel based random generators interm. report" version V1.0 date
- [PHYLAWS_D.3.2] PHYLAWS Study report "Channel based random generators final report" version V2.1 date
- [PHYLAWS_D.3.3] PHYLAWS Study report "Coding techniques and algorithms for secrecy coding and secret key generation" version V2.0 date
- [PHYLAWS_D.3.4] PHYLAWS Study report "CIR measurements and modeling in ISM 2,4 GHz band & 5 GHz band" draft version V0 date
- [PHYLAWS_D.4.1] PHYLAWS Study report "TRANSEC upgrades of existing RATs - study report" revised version V2.0 date
- [PHYLAWS_D.4.2] PHYLAWS Study report "TRANSEC upgrades of existing RATs - simulation and analyses complements" version V1.0 date
- [PHYLAWS_D.4.3] PHYLAWS Study report "NETSEC upgrades of existing RATs - study report" version V1.0 date
- [PHYLAWS_D.4.5] PHYLAWS Study report "New RATs and waveforms taking benefit of Physec upgrades interim report" version V1.0 date
- [PHYLAWS_D.4.6] PHYLAWS Study report "New RATs and waveforms taking benefit of Physec upgrades final report", to be published November
- [PHYLAWS_D5.1] Study report "WiFi Testbed Setup Development: preliminary report"
- [PHYLAWS_D5.2] PHYLAWS Study report "WiFi Testbed Experiment Campaign Plan"
- [PHYLAWS_D5.3] PHYLAWS Study report "WiFi Testbed - Intermediate Report on WiFi Interceptor Experiments with the Testbed" - report to be published M 46.
- [PHYLAWS_D6.1] Study report "Modelling of LTE-based cellular system" Version 2.0, date
- [PHYLAWS_D6.2] PHYLAWS Study report "Simulation of interception of waveform signals in LTE-based cellular system" version V1.0 date
- [PHYLAWS_D6.3] PHYLAWS Study report "LTE-based cellular system simulations - Concluding report including simulation results and proposals for standardization", date
- [PHYLAWS_WS] Phylaws Web site:

Other references

- [PHYLAWS_D.1.12_AB] PHYLAWS Advisory Board Meeting report version V1 date
- [PHYLAWS_D.1.13_AB] PHYLAWS Advisory Board Meeting report version V1 date

Scientific references are all included in section

Table of contents

PROJECT SUMMARY
ADMINISTRATIVE AND CONTRACT REFERENCES
OTHER REFERENCES
INTRODUCTION
- Context of this deliverable
- Purpose of the deliverable
- Scope of the deliverable
DEFINITIONS AND RECALLS
- Terminology and definitions
- Recall of the typical scenario of PHYSEC
RECALL OF THE SECURE PAIRING PROTOCOL
SECRET KEY GENERATION
- Recall of the proposed Secret Key Generation scheme
- New channel de-correlation algorithm
- Brief recall of the results presented in Deliverable D
- PHYLAWS test bed and the signal acquisition
- Recall of previous results
- Impact of the channel coefficient de-correlation pre-processing
- Mismatch between Alice's and Bob's keys
- BER between Eve and Bob
- NIST Statistical tests of computed keys
- Summary of the simulation results presented in Deliverable D
- Complementary results on Secret Key Generation
- Entropy estimation and analysis from single sense real field CSI (Alice to Bob + Eve)
- Entropy and mutual Information
- Min-entropy
- NIST's tests for Estimating the Min-Entropy of non-iid sources
- Entropy estimate results in real field environments
- SKG Simulation results with LTE signals
- Simulators
- Channel coefficient estimates
- Simulations scenarios and parameters
- Simulation results
- Discussion
- Experimental results from real field bi-directional CSI achieved at WiFi carriers
- Wifi test bed and measurement environment in dual sense
- Description of a bi-directional sounding exchange
- Measured CSI in dual sense
- Key extraction from bi-directional CSI
- Results when no channel de-correlation is performed
- Results when channel de-correlation is performed
- Entropy computation for dual sense CSI estimated at real field WiFi FWD and RTN signals
- Security opportunities provided by secret key generation to standardization of future Radio Access Technologies
- Existing Vulnerabilities of public radio networks
- Proposed solutions for securing radio access protocols with Secret Key Generation
- Practical implantation perspectives of Secret Key Generation into Radio Access Technologies
SECRECY CODES
- Recall on the design of proposed secrecy codes
- The secrecy coding scheme
- Construction of the inner code
- Construction of the outer code using polar codes
- Construction of the outer code using Reed-Muller codes
- Recall of the performance of designed secrecy codes
- Proposed secrecy codes
- Performance of proposed secrecy codes
- Complementary results on secrecy code decoding performance
- Results with real field recorded WiFi signals and processed in a WiFi simulator
- Impact of the polar decoding algorithm
- Design and performance of new secrecy codes
- Simulation results on LTE signals
- Configuration of simulations
- Simulation of transmitting and processing of the secret en-coded LTE signals
- Results of simulations under LTE carrier Transmission mode TM7-
- Discussion
- Experimental results of secrecy codes on WiFi signals
- Configuration of experiments
- Transmitting and processing of the secret en-coded Wifi signals
- Results of experiments in Line of Sight geometry (LOS)
- Discussion
- Tuning of the Radio Advantage for OFDM/QPSK wave forms such as Wifi and LTE signals considerations on radio engineering
- Security opportunities provided by secrecy codes to standardization of future Radio Access Technologies
- Recall of the existing means to provide a reliable radio advantage
- Arguments in favor of Secrecy Coding
- Practical implantation perspectives of Secrecy Coding into Radio Access Technologies
CONCLUSION ON THE STUDY ACTIVITIES RELEVANT TO NETSEC PROTECTIONS
REFERENCES
- References mentioned in the footnotes
- General references

List of Figures

- Figure 1: Basic configuration of legitimate link and eavesdropper link
- Figure 2: Protocol for secure pairing and communication combining tag signal and artificial jamming
- Figure 3: Communication scenario
- Figure 4: PHYLAWS testbed
- Figure 5: propagation environments
- Figure 6: Resulting key bits after quantization of all available channel coefficients
- Figure 7: Resulting key bits after channel de-correlation
- Figure 8: Mismatch between Alice and Bob at a low SNR value of legitimate link
- Figure 9: Mismatch between Alice and Bob for a high SNR value
- Figure 10: BER between Eve and Bob after each SKG step
- Figure 11: BER of Bob and Eve's keys compared to Alice's keys for various environments, Bob-Eve distances and SNR values
- Figure 12: Secrecy coding scheme
- Figure 13: Performance of secrecy codes
- Figure 14: Performance of the WiFi simulator with LDPC codes
- Figure 15: Performance of the WiFi simulator with BCC codes
- Figure 16: Impact of the decoding algorithm
- Figure 17: Simulation results with new polar-based secrecy codes
- Figure 18: Configuration, parameters and results of LTE simulations
- Figure 19: configuration of the AN-BF and SC experiments in Indoor Line Of Sight (LOS) environment
- Figure 20: Experimental results of the secrecy coded schemes in LOS environment - Comparison between AN-BF alone and AN-BF + S for several values of the power ratio

List of Tables

- Table 1: Frequency mono-bit test results
- Table 2: Run test results
- Table 3: Min-entropy estimates for LTE and WiFi recorded signals
- Table 4: Mutual information estimates for LTE and WiFi recorded signals
- Table 5: Entropy and mutual information estimates
- Table 6: Designed Secrecy Codes
- Table 7: New polar-based secrecy codes

1 Introduction

1.1 Context of this deliverable

This deliverable D4.4 "NETSEC upgrades of existing RATs - simulation and analyses complements" completes the deliverable D4.3 "NETSEC upgrades of existing RATs - study report" on studies regarding practical enhancements of security into wireless devices and networks. More precisely, deliverable D4.4 provides additional analyses and developments derived from the outputs of experiments performed in WP5 and simulations performed in WP6.

Deliverables D4.3 and D4.4 are relevant to task T4.1 of Work Package WP4, which takes as input the results of WP2 (State of the Art, and especially deliverables D2.3 and D2.4) and the academic studies and signal records performed in WP3 (especially deliverables D3.1, D3.2 and D3.3). WP4 is organized in relation to the main aspects of these activities:
- Security Enhancement of transmitted signal (Transmission Security) concerns deliverables D4.1 and D4.2
- Security Enhancement of network and devices signaling (Network Security) concerns deliverables D4.3 and D4.4
- A special focus on new RATs and on future standards concerns Deliverable D

Purpose of the deliverable

Deliverable D4.4 provides additional analysis and simulations to complete the work carried out in deliverable D4.3, which proposed improvements of Network Security (Netsec) in existing public wireless standards by exploiting the channel randomness. More precisely, D4.3 focused on the combination of several radio technologies introduced in WP2:
- Tag Signals (TS)
- Secret Key Generation
- Artificial Noise (AN) and Beam-Forming (BF)
- Secrecy Coding (SC)

and provides new analyses and results driven by our latest experiments and simulations (see [PHYLAWS_D5.3] [PHYLAWS_D6.3]), recently published (see footnotes 1 and 2) in a dedicated Workshop organized by the Phylaws team and hosted in the PIMRC 2016, Valencia, Spain.

In deliverable D4.4 we propose the following improvements:
- An enhanced channel de-correlation algorithm in the pre-processing step
- A new statistical test to evaluate the randomness of secret keys
- Computation of entropy estimates for each user or antenna
- Simulation results with LTE signals
- Experimental results from bi-directional WiFi signals
- Implementation of a faster decoding algorithm for polar and Reed-Muller codes with better error-correcting performance
- Extended simulation results of Secrecy Coding
- Simulation results of secrecy codes with LTE signals
- Experimental results from WiFi chipsets

Footnote 1: N. Shapira, C.L. Kameni Ngassa, F. Delaveau, R. Molière, "Implantation and experimentation of Physec security schemes into Wi-Fi radio links - Results and relevant standardization perspectives", PIMRC invited paper 5 of workshop W8 (4/09/2016).
Footnote 2: A. Kotelba, S. Boumard, Jani Suomalainen, "Implantation and simulation of Physec security schemes into LTE cellular links - Results and relevant standardization perspectives", PIMRC invited paper 4 of workshop W8 (4/09/2016).

1.3 Scope of the deliverable

This deliverable D4.4 first recalls study and implementation work carried out in deliverable D4.3 [PHYLAWS_D4.3]. It also provides simulation results achieved in deliverable D4.3, and it is therefore self-consistent for a complete reading. Then, it presents new material and complementary results produced during period 3 of the Phylaws project.

Deliverable D4.4 is organized as follows.
- Section 1 introduces the context, the scope and the content of the deliverable.
- Section 2 recalls terminology and the main notions and concepts relevant to Physec, and the attacker models.
- Section 3 briefly recalls our innovative protocol for security pairing and PHYSEC implementation using tag signals and artificial noise (this protocol is detailed and deeply investigated in deliverables D4.1 and D4.2 [PHYLAWS_D4.1] [PHYLAWS_D4.2]).
- Section 4 first recalls developments of the Phylaws project about the complete implementation of a Secret Key Generation scheme (SKG) based on full Channel State Information (CSI). It then provides entropy analysis of the communication channel, a new randomness test to evaluate the quality of secret keys, new simulation results for LTE signals and new experimental results from dual sense WiFi signals. Finally, Section 0 highlights the security upgrades provided by SKG schemes to future generation Radio Access Technologies, in a standardization perspective. Security analyses, standardization initiatives and relevant perspectives of SKG will be detailed in deliverables D4.5 and D4.6 [PHYLAWS_D4.5] [PHYLAWS_D4.6].
- Section 5 first recalls the secrecy coding scheme developed by the Phylaws team. It then proposes a new decoding algorithm which leads to better performance. New secrecy codes are also designed. New simulation results from LTE signals and experimental results from WiFi signals are provided. Finally, Section 5 highlights the security upgrades provided by SC schemes to future generation Radio Access Technologies, in a standardization perspective. Security analyses, standardization initiatives and relevant perspectives of Secrecy Coding will be detailed in deliverables D4.5 and D4.6 [PHYLAWS_D4.5] [PHYLAWS_D4.6].
- Section 6 concludes this deliverable by recalling main results, and relevant promising consequences for enabling and implementing PHYSEC-based protection schemes.
- Section 7 includes the references which are external to the Phylaws project.

2 Definitions and recalls

2.1 Terminology and definitions

Term: Definition

- AES: Advanced Encryption Standard
- AN: Artificial Noise
- BER: Bit Error Rate
- CCDF: Complementary cumulative distribution function
- CFR: Channel Frequency Response (of the radio-propagation filter). CFR = FFT(CIR).
- CIR: Channel Impulse Response (of the radio-propagation filter). CIR = FT^-1(CFR).
- COMSEC: Communication Security: is relevant to the protection of the content of the user messages (voice, data). COMSEC applies either at the radio interface or at upper layer. COMSEC techniques involve ciphering, authentication and integrity control of signaling and users data at several protocol layers and interfaces (examples are point to point ciphering of each user data flux, ciphering of IP packets, ciphering of artery, etc.).
- CSI: Channel State Estimation
- DH: Diffie-Hellman (asymmetric key computation protocol)
- DL: Down Link. Nominal sense of the communication from a network/base Station/Access Point toward a terminal
- DSS: Direct-Spread-Sequence
- DSSS: Direct-sequence Spread Spectrum
- Entropy: A measure of randomness and disorder. Quantifies the uncertainty involved in predicting the value of a random variable. In communication systems, entropy is typically expressed as the average number of bits needed to store or communicate one symbol in a message. In communication systems, entropy is caused by different channel specific characteristics including fading and interference. For instance, a symbol coded with A bits can accurately be received in channels with entropy A or lower.
- Equalization: Finding a balance between frequency components within a signal by strengthening or weakening energy of particular frequency bands.
- FDD: Frequency-division duplexing (communicating devices operate in different carrier frequencies)
- FEC: Forward Error Correction
- FHSS: Frequency Hopping Spread Spectrum
- FT: Fourier Transform
- FuDu: Full-duplex = Two directional communication where both parties transmit simultaneously
- FWD: ForWarD sense of transmission (Alice to Bob)
- FWS: Frequency White Space
- Half-duplex: Two directional communication where transmission takes turns
- IFF: Identification Friend or Foe (radio system and protocols for enabling identification of devices and users, used in civilian domain -ADSB-, and in military -mode S, mode 5).
- IID: Independent Identically Distributed
- IJ: Intelligent Jamming, meaning jamming with protocol aware strategy and signals and transmission pattern compliant to victim signals.
- INFOSEC/CSS: Information security Module/Cryptographic Sub-System: The INFOSEC/CSS module manages the generation of pseudo-random data that are used for TRANSEC, NETSEC or COMSEC protection
- LDPC: Low Parity Density Check
- LOS: Line Of Sight
- LTE: Long term evolution. Mobile phone network standard developed by the 3GPP (3rd Generation Partnership Project).
- MAC: Message Authentication Code. The MAC is a field inside frame header that is dedicated to integrity control of a transmitted Frame
- MCS: Modulation and Coding Scheme
- MIMO: Multi-input multi-output (use of multiple antennas at both the transmitter and receiver)
- MISO: Multi-input single-output (use of multiple antennas at the transmitter)
- MITM: Man-in-the-middle
- Modem: Modulator Demodulator
- Modulation: Process of placing a message signal, for example a digital bit stream, into another (carrier) signal that can be physically transmitted. That is changing one or more properties (amplitude, phase, and frequency) of periodic waveform (carrier) with a modulating signal (containing information to be transmitted)
- NETSEC: Network Transmission Security: NETSEC is relevant to the protection of the signaling of the network. NETSEC applies mainly at the radio interface and at the medium access protocol layer, with request to upper protocol layers. NETSEC techniques involve mainly transmitter authentication protocols, integrity control and ciphering of signaling data.
- NFC: Near Field Communication
- NLOS: Non Line Of Sight
- OFDM: Orthogonal frequency division multiplex. Modulation technology where a signal is split into several narrowband channels at different frequencies.
- PER: Packet Error rate
- PHYSEC: Physical Layer Security is the generic term that will be used in this project to designate all kinds of protection techniques that are based on the use of the physical layer sensing and/or measurement.
- RAT: Radio Access Technology (e.g. FDMA, TDMA, CDMA, OFDM)
- RF: Radio Frequency
- RFID: Radio Frequency Identification Device
- RNG: Random Number Generator
- RSSI: Received Signal Strength Intensity
- RTN: ReTurN sense of transmission (Bob to Alice)
- SATCOM: SATellite COMmunication
- SC-FDMA: Single-carrier frequency division multiple access
- SDR: Software Defined Radio
- Security architecture: Security architecture is a collection of techniques, which collectively protects security and privacy of a system. It defines the necessary components and elements needed for protection as well as dependencies and relations between these components. Security architecture for a wireless communication system provides high level answers to various questions such as: which interactions are secured, end-to-end protection or only restricted secured protocol layers, which security algorithms, how are encryption keys managed, how to manage security policies, etc.
- SER: Symbol Error Rate
- SF: Spreading factor of DSSS signals at chip period T and rate 1/T. The following convention is applied in the document. When the DSSS code is applied to a symbol stream at symbol period T (rate 1/T), SF is the ratio of the rate of the modulated signal and of the rate of the symbol stream: SF = T/T. When the DSSS code is pure (i.e. when the symbol stream under the DSSS code is identically equal to the same value), SF is the processing gain linked to the integration duration T_I of the receiving processing: SF = T_I/T.
- SFN: Single Frequency Mode (frequency planning of OFDM-based RATs that consists in transmitting the same content at the same carrier, with controlled time delays at the receiver part (less than the guard time duration) so that classical OFDM coherent demodulation is achieved with transmit diversity). In usage especially in broadcast networks (DAB, DVB-T/H, Wimax, LTE)
- SIM: Self-Interference Mitigation
- SIMO: Single-Input Multi-Output (use of multiple antennas at the receiver)
- SINR: Signal-to-noise and interference ratio
- SIR: Signal-to-interference ratio
- SISO: Single-input single-output (use of single antennas at both the transmitter and receiver)
- SNR: Signal-to-Noise Ratio
- SP: Secure Pairing (of node Alice and terminal Bob)
- SPP: Secure Pairing Protocol (of node Alice and terminal Bob)
- STBC: Space Time Bloc Coding
- STF: Short Training Field
- Superimposed: Placed or set over or above on something else. In communication, a signal transmitted at the same time and at the same frequency as another.
- Tag signal: Low power signal, which is transmitted at the same time, at the same frame or slot, and at the same carrier as the user signal. Can be used e.g. to identify the sender.
- TDD: Time-division duplexing
- TDMA: Time Division Multiple Access
- TKIP: Temporal Key Integrity Protocol (security protocol in Wi-Fi WPA/WPA2)
- TNR: Tag to Noise Ratio
- TPM: Trusted Platform Module
- TRANSEC: Transmission Security: TRANSEC is relevant to the protection of the wave form against interception/direction finding of the transmitted radio signal, jamming of the user receiver, and intrusion attempts into the radio-communication access protocol. Applies mainly at the radio interface.
- Trustworthy (footnote 3): Secure, reliable and resilient to attacks and operational failures; guarantees quality of service; protects user data; ensures privacy and provides usable and trusted tools to support the user in his security management.
- TSNR: Tag to Signal + Noise Ratio
- TSR: Tag to Signal Ratio
- UDS: Uncoordinated Direct Spectrum
- UE: User Equipment
- UFH: Uncoordinated Frequency Hopping
- UL: Up Link. Nominal sense of a communication from a terminal to a network/base Station/Access Point
- USIM: Universal Subscriber identity Module
- USS: Uncoordinated Spread Spectrum
- UTH: Uncoordinated Time Hopping

Footnote 3: According to the European Commission Work Programme for ICT

2.2 Recall of the typical scenario of PHYSEC

Figure 1 presents the typical radio scenario considered in PHYSEC and also recalls important information-theoretic notions. Alice and Bob are the two legitimate users who want to communicate securely over a legitimate radio channel.
- Alice is the legitimate node.
- Bob is the legitimate terminal.
- Eve is the eavesdropper or attacker.

Figure 1: Basic configuration of legitimate link and eavesdropper link

We consider any kind of eavesdropper. More precisely, Eve can adopt the following strategies:
- Eve can be only passive.
- Eve can be active and can perform:
  - protocol-aware (intelligent) jamming,
  - Man-in-The-Middle attacks.

When Eve is passive, she tries to intercept, demodulate and decode the legitimate communication. When Eve is active, she tries to prevent the protections from being enabled and/or to impersonate legitimate devices, by combining RAT-aware jamming, interception of legitimate signals, decoding/encoding of the legitimate messages, relay of true messages, transmission of false messages, etc. The relevant models are described in more detail in deliverables D4.1 [PHYLAWS_D4.1] and D4.3 [PHYLAWS_D4.3].

3 Recall of the secure pairing protocol

See Figure 2 below. While D4.3 provides a synthesis of the SP protocol, more details on the design and processing of the Tag Signals algorithm can be found in deliverables D4.1 and D4.2 [PHYLAWS_D4.1] [PHYLAWS_D4.2], and the complete IAS protocol is described in the annex of deliverable D4.5 [PHYLAWS_D4.5].

I- AUTHENTICATION AND CIR ESTIMATION BY TAG SIGNALS

I-1) Forward Tag Signal TS_FWD, randomly chosen in a public set (USS scheme)
- Alice transmits TS_FWD
- Bob despreads TS_FWD and estimates CIR_FWD

I-2) Return Tag Signal TS_RTN, randomly chosen in a public set (USS)
- Bob transmits TS_RTN = f(TS_FWD)
- Alice despreads TS_RTN and estimates CIR_RTN

I-3) Forward TS_FWD, propagation dependent
- Alice acknowledges TS_RTN by sending TS_FWD dependent on estimated CIR_RTN
- Additionally, Alice can inform Bob about CIR_RTN (with protected FWD message)
- Bob despreads C_FWD and estimates CIR_FWD

I-4) Return tag DSSS TS_RTN, propagation dependent
- Bob acknowledges TS_FWD by sending TS_RTN dependent on estimated CIR_FWD
- Additionally, Bob can inform Alice about CIR_FWD (with protected RTN message)
- Alice despreads TS_RTN and estimates CIR_RTN

II- ARTIFICIAL JAMMING INITIALIZED FROM ESTIMATED CIR

II-1) Artificial Jamming, forward sense
- Alice extracts orthogonal directions from CIR_FWD (CIR reciprocity or returned by Bob)
- Alice selects the user stream direction
- Alice beamforms the data stream towards Bob
- Alice transmits noise on the orthogonal direction

II-2) Artificial Jamming, return sense
- Bob extracts orthogonal directions from CIR_RTN (CIR reciprocity or returned by Alice)
- Bob selects the user stream direction
- Bob beamforms the data stream towards Alice
- Bob transmits noise on the orthogonal direction

III- UNDER CHANNEL RECIPROCITY (CIR_FWD = CIR_RTN) OR WHEN CIR KNOWLEDGE IS SHARED: ADDED PHYSEC SCHEME
- Alice and Bob: forward and return Secret Keys and Secrecy Codes

Figure 2: Protocol for secure pairing and communication combining tag signal and artificial jamming

4 Secret Key Generation

4.1 Recall of the proposed Secret Key Generation scheme

The SKG scheme developed by the Phylaws consortium is composed of the following steps:
- Channel Estimation: the first step of the SKG scheme estimates the radio channel and computes CSI or CFR.
- Channel pre-processing (e.g. channel coefficient de-correlation): in this second step, we apply a new algorithm to select channel coefficients with low cross-correlation. This optimizes the randomness of the quantized key bits in stationary environments.
- Quantization: this step uses the Channel Quantization Alternate (CQA) algorithm introduced by Wallace to quantize selected channel coefficients [1]. The CQA minimizes the key mismatch between the legitimate users Alice and Bob.
- Information Reconciliation: this step corrects the remaining mismatch between Alice's and Bob's keys. We employ a secure sketch and error correcting codes to correct Bob's errors on Alice's key. To do so, Alice has to send the secure sketch over the public channel, possibly leaking a controlled amount of information to the eavesdropper Eve.
- Privacy Amplification: this step improves the randomness of the secret key and removes the redundant information that could be used by Eve. To do so, we use hash functions and, when necessary, reduce the key length. This final step guarantees that the generated secret key is fully de-correlated from the key computed by the eavesdropper.

Figure 3: Communication scenario

In order to evaluate the performance of our scheme (quality of the generated keys, complexity of the processing), we applied in deliverable D4.3 our secret key generation protocol on single sense real field WiFi and LTE networks. In this deliverable D4.4 we apply the SKG scheme on simulated LTE signals and on dual sense real WiFi signals. Signals are captured in several indoor and outdoor locations; keys and estimates of channel entropy are computed from Channel Frequency Responses extracted from these real field records.
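The Information Reconciliation and Privacy Amplification steps listed above can be sketched as follows. This is an added example, not code from the deliverable or the PHYLAWS implementation. It assumes a code-offset secure sketch built on a Hamming(7,4) code and SHA-256 as the hash function, neither of which is named on this page; the keys are constructed sample data.

```python
import hashlib
import random
import secrets

N, K = 7, 4  # Hamming(7,4), an assumed stand-in code: corrects 1 error per 7-bit block

def hamming_encode(data):
    """Encode 4 data bits into a 7-bit codeword (parity at positions 1, 2, 4)."""
    c = [0] * 8                       # index 0 unused, positions 1..7
    c[3], c[5], c[6], c[7] = data
    c[1] = c[3] ^ c[5] ^ c[7]
    c[2] = c[3] ^ c[6] ^ c[7]
    c[4] = c[5] ^ c[6] ^ c[7]
    return c[1:]

def hamming_correct(word):
    """Return the nearest codeword: the syndrome is the position of the flipped bit."""
    syndrome = 0
    for pos, bit in enumerate(word, start=1):
        if bit:
            syndrome ^= pos
    word = list(word)
    if syndrome:
        word[syndrome - 1] ^= 1
    return word

def make_sketch(key_bits):
    """Alice: sketch = key XOR random codeword; this is what goes over the public channel."""
    if len(key_bits) % N:
        raise ValueError("key length must be a multiple of the block length")
    sketch = []
    for i in range(0, len(key_bits), N):
        codeword = hamming_encode([secrets.randbelow(2) for _ in range(K)])
        sketch += [k ^ c for k, c in zip(key_bits[i:i + N], codeword)]
    return sketch

def reconcile(own_bits, sketch):
    """Bob (or Eve): own XOR sketch = codeword XOR errors; decode, then undo the offset."""
    out = []
    for i in range(0, len(sketch), N):
        block = sketch[i:i + N]
        noisy = [b ^ s for b, s in zip(own_bits[i:i + N], block)]
        out += [s ^ c for s, c in zip(block, hamming_correct(noisy))]
    return out

def leaked_bits(n_bits):
    """Upper bound on what the public sketch reveals: N - K bits per block."""
    return (n_bits // N) * (N - K)

def amplify(bits, leaked, out_bits=128):
    """Hash the reconciled key and shorten it below the remaining secrecy budget.
    The budget assumes the quantized key was uniformly random before the sketch was sent."""
    if out_bits > len(bits) - leaked:
        raise ValueError("requested key is longer than the remaining secrecy budget")
    return hashlib.sha256(bytes(bits)).digest()[:out_bits // 8]

def demo(blocks=64, seed=7):
    rng = random.Random(seed)         # constructed sample keys, not measured CSI
    alice = [rng.randrange(2) for _ in range(blocks * N)]
    bob = list(alice)
    for j in range(blocks):           # one quantization mismatch in every block
        bob[j * N + j % N] ^= 1
    eve = [rng.randrange(2) for _ in range(blocks * N)]   # uncorrelated observation
    sketch = make_sketch(alice)
    leak = leaked_bits(len(alice))
    return {
        "bob_recovers_alice_bits": reconcile(bob, sketch) == alice,
        "leaked": leak,
        "alice_key": amplify(alice, leak),
        "bob_key": amplify(reconcile(bob, sketch), leak),
        "eve_key": amplify(reconcile(eve, sketch), leak),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Because Hamming(7,4) is a perfect code, Eve's decoder lands on Alice's block about one time in sixteen by chance, which is why the final key is derived from a hash of the whole reconciled string and kept shorter than the remaining secrecy budget.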
4.2 New channel de-correlation algorithm

Secret key bits should be completely random to keep them unpredictable by Eve; therefore any deterministic component in the radio propagation channel should be removed. The same applies to any time or frequency correlation between quantized bits: the quantization algorithm should not only generate bits with equal probability, but the channel coefficients that are quantized to generate these bits should also be as random and de-correlated as possible. The goal of this step is to decrease the negative effect of channel correlation by a careful selection of the channel coefficients to be quantized.

First, time correlation is decreased between channel coefficients. To do so:
- Channel coefficients computed at a given acquisition time constitute a frame.
- Cross-correlation coefficients are computed between the first two frames.
- Only frames with a low cross-correlation coefficient (under a given threshold ) are selected.
- Cross-correlation coefficients are computed between the previous selected frame and the next frame.

Then, the same procedure applies to frequency correlation:
- Cross-correlation coefficients are computed between two consecutive frequency carriers.
- Only frequency carriers for which the cross-correlation coefficient is below a given threshold are selected.

In addition, the lowest and highest frequency carriers are dropped.

Finally, Alice sends to Bob the position of the channel coefficients over the public channel. Hence, Eve also knows which coefficients were dropped and which ones were selected, but she does not have any information on their value. Therefore there is no information leakage during the channel de-correlation step.

The main difference between this algorithm and the channel coefficient selection of deliverable D4.3 is that cross-correlation coefficients are computed only between a current frame and the previous selected frames. This yields a more efficient selection algorithm.

4.3 Brief recall of the results presented in Deliverable D

PHYLAWS test bed and the signal acquisition

We recall simulation results of our SKG scheme applied on real LTE and WiFi signals acquired using the PHYLAWS test bed shown in Figure 4 and precisely described in deliverable D5.1.

Figure 4: PHYLAWS testbed

Figure 5 shows the various propagation environments where signal acquisitions were carried out.
- A typical office open space where WiFi signals were acquired.
- Outdoor measurements were performed in a street in Paris with mobile cars and people.
- An empty tennis court bordered by buildings, which can be seen as an indoor/outdoor environment.
- A classroom and its corridor where WiFi and LTE signals were acquired.
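The frame and carrier selection of section 4.2, written out as an added example (not the PHYLAWS Matlab code). Assumptions: the cross-correlation coefficient is the magnitude of the Pearson coefficient of the complex samples, each carrier is compared with the previously selected carrier, and the fading channel, `constructed_channel` and the other function names are constructed for the illustration.

```python
import math
import random


def xcorr(x, y):
    """Magnitude of the normalised cross-correlation coefficient of two complex
    vectors (assumed definition: Pearson form, means removed)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    num = sum((a - mx) * (b - my).conjugate() for a, b in zip(x, y))
    ex = sum(abs(a - mx) ** 2 for a in x)
    ey = sum(abs(b - my) ** 2 for b in y)
    if ex * ey < 1e-24:            # constant vector: nothing random to compare
        return 1.0
    return abs(num) / math.sqrt(ex * ey)


def select_low_corr(vectors, threshold):
    """Keep vector 0, then every vector whose correlation with the previously
    SELECTED vector (not merely the previous one) is below the threshold."""
    kept = [0] if vectors else []
    for k in range(1, len(vectors)):
        if xcorr(vectors[kept[-1]], vectors[k]) < threshold:
            kept.append(k)
    return kept


def decorrelate(frames, t_time, t_freq):
    """frames[f][c] is the channel coefficient of carrier c at acquisition f.
    Returns the positions Alice publishes: (frame indices, carrier indices)."""
    frame_idx = select_low_corr(frames, t_time)
    inner = list(range(1, len(frames[0]) - 1))   # lowest/highest carriers dropped
    columns = [[frames[f][c] for f in frame_idx] for c in inner]
    carrier_idx = [inner[i] for i in select_low_corr(columns, t_freq)]
    return frame_idx, carrier_idx


def constructed_channel(n_frames=200, n_carriers=32, rho_t=0.98, rho_f=0.9, seed=7):
    """Constructed Rayleigh-like channel, correlated in time and frequency."""
    rng = random.Random(seed)

    def cn():
        return complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2)

    frames, prev = [], None
    for _ in range(n_frames):
        innov = [cn()]
        for _ in range(1, n_carriers):
            innov.append(rho_f * innov[-1] + math.sqrt(1 - rho_f ** 2) * cn())
        if prev is None:
            cur = innov
        else:
            cur = [rho_t * p + math.sqrt(1 - rho_t ** 2) * i for p, i in zip(prev, innov)]
        frames.append(cur)
        prev = cur
    return frames


if __name__ == "__main__":
    frames = constructed_channel()
    frame_idx, carrier_idx = decorrelate(frames, t_time=0.5, t_freq=0.5)
    print(f"frames kept:   {len(frame_idx)} of {len(frames)}")
    print(f"carriers kept: {len(carrier_idx)} of {len(frames[0])}")
    # Only these index lists go over the public channel, never coefficient values.
    print("public message:", frame_idx[:8], "...", carrier_idx[:8], "...")
```

A fully static channel collapses to a single selected frame, which is the key-rate cost the text describes for stationary environments.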

FP7-ICT-2011-call8 PHYLAWS (Id ) Deliverable 4.4 version 1.0

Figure 5: propagation environments

More details on the testbed, on LTE and WiFi signal acquisition and on the computation of Channel Frequency responses can be found in deliverable

Recall of previous results

In this section we briefly recall simulation results presented in deliverable D

Impact of the channel coefficient de-correlation pre-processing

Figure 6: Resulting key bits after quantization of all available channel coefficients (1000 frames in 5s)

Figure 7: Resulting key bits after channel de-correlation (268 frames in 5s)

Mismatch between Alice's and Bob's keys

Figure 8: Mismatch between Alice and Bob at a low SNR value of legitimate link (plot: mismatch between Alice and Bob keys after each SKG step, i.e. quantization, reconciliation and amplification, versus key block number)

Figure 9: Mismatch between Alice and Bob for a high SNR value (plot: mismatch between Alice and Bob keys after each SKG step, i.e. quantization, reconciliation and amplification, versus key block number)

BER between Eve and Bob

Figure 10: BER between Eve and Bob after each SKG step (plots: BER between Eve and Bob keys after each SKG step, i.e. quantization, reconciliation and amplification, versus key block number; Eve also performs the reconciliation and amplification steps)

NIST Statistical tests of computed keys

Table 1: Frequency mono-bit test results

| Step | LTE Indoor (2.6 GHz) | LTE Outdoor (2.6 GHz) | WiFi LOS (2.4 GHz) | WiFi NLOS (2.4 GHz) |
|---|---|---|---|---|
| Quantization | 98% (48/49) | 99% (281/284) | 87% (132/152) | 100% (171/171) |
| Amplification | 100% (49/49) | 100% (284/284) | 99% (151/152) | 100% (171/171) |

Table 2: Run test results

| Step | LTE Indoor (2.6 GHz) | LTE Outdoor (2.6 GHz) | WiFi LOS (2.4 GHz) | WiFi NLOS (2.4 GHz) |
|---|---|---|---|---|
| Quantization | 27% (13/49) | 80% (228/284) | 84% (128/152) | 99% (169/171) |
| Amplification | 100% (49/49) | 100% (284/284) | 98% (149/152) | 99% (170/171) |

More details and explanations of those results can be found in deliverable D4.3 [PHYLAWS_D4.3].
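An added example (not the project's code) of the two NIST SP 800-22 tests reported in Tables 1 and 2, showing why a key quantized from an over-sampled stationary channel can pass the frequency mono-bit test and still fail the runs test. The 127-bit keys are constructed: an LFSR sequence stands in for an ideally random channel sign, held over 8 consecutive coefficients to imitate time correlation.

```python
import math

ALPHA = 0.01   # significance level used by NIST SP 800-22


def monobit_p(bits):
    """Frequency (mono-bit) test: are ones and zeros balanced?"""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """Runs test: is the number of 0/1 alternations what a random source gives?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):      # prerequisite frequency check
        return 0.0
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(v - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def verdict(bits):
    """Pass/fail of both tests for one key."""
    return {"monobit": monobit_p(bits) >= ALPHA, "runs": runs_p(bits) >= ALPHA}


def lfsr_bits(n, seed=(1, 1, 1, 1, 1, 1, 1)):
    """Constructed stand-in for random channel signs: a[k] = a[k-7] XOR a[k-6]."""
    bits = list(seed)
    while len(bits) < n:
        bits.append(bits[-7] ^ bits[-6])
    return bits[:n]


HOLD = 8                                         # coefficients per coherence interval
source = lfsr_bits(127)
oversampled = [b for b in source for _ in range(HOLD)]
key_no_preproc = oversampled[:127]               # every coefficient quantized
key_decorrelated = oversampled[::HOLD][:127]     # one coefficient per interval kept

if __name__ == "__main__":
    for name, key in (("no pre-processing", key_no_preproc),
                      ("after de-correlation", key_decorrelated)):
        print(f"{name:22s} monobit p={monobit_p(key):.3f} "
              f"runs p={runs_p(key):.3g} -> {verdict(key)}")
```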

Summary of the simulation results presented in Deliverable D4.3

The main results of the practical implementation of our SKG scheme were the following.
- In non-stationary environments (with some scatterers and some mobility), a significant number of keys (of hundreds of bits each) can be extracted in a very short time under WiFi carriers and under LTE carriers, and these keys have basically low cross correlation at the output and are quite robust to correlation attacks since the quantization step.
- In stationary environments (with very few scatterers and no mobility, such as encountered in some Machine-Type Communication scenarios) and when no channel coefficient de-correlation algorithm is applied, the extracted keys may be highly correlated and this vulnerability can be exploited by Eve to recover Bob's key.
- Still in stationary environments, the quantization processing benefits greatly from our channel coefficient de-correlation algorithm: the key rate is decreased but the extracted keys present low cross correlation and are robust to a correlation attack.
- In any case, the proposed reconciliation step with classical FEC codes provides a significant resilience of the key agreement between Alice and Bob.
- In any case, the proposed amplification step with classical 2-Universal hash functions provides significant resilience of the key randomness against Eve's attacks, with a limited reduction of the key lengths.
- NIST statistical tests were used to show that the keys shared by Alice and Bob are random.
- BER between Bob and Eve was computed to show that the secret keys computed by Alice and Bob were not correlated to the keys extracted by Eve.

4.4 Complementary results on Secret Key Generation

Entropy estimation and analysis from single sense real field CSI (Alice to Bob + Eve)

The aim of this section is to evaluate the percentage of entropy extractable from the radio channel in a realistic radio environment.
To do so, we have to estimate the entropy at Alice, Bob and Eve's receivers. Then we have to compute the mutual information between Alice and Bob, between Alice and Eve, and finally between Bob and Eve.

Entropy and mutual Information

The entropy of a random variable measures the uncertainty in a realization of. The mutual information between two random variables and measures the common uncertainty between and. We denote,, and the entropy at Alice, Bob and Eve's receivers respectively. The mutual information between Alice and Bob is where is Alice's conditional entropy (entropy at Alice side conditioned on Bob's side). Similarly, and. Since we can estimate entropy at each receiving antenna and joint entropy between antennas, we compute the mutual information using the following expression:

The maximum number of information bits extractable from channel measurements is the mutual information between Alice and Bob channel measurements. When we take into account the presence of Eve, the maximum number of information bits extractable from the channel but not accessible to Eve is the mutual information between Alice and Bob conditioned on Eve's side. It can be computed as:. Using the chain rule of mutual information, we can also write:

Min-entropy

The computation of exact values of entropy and mutual information from an experimental source is cumbersome, especially when the experimental source is not Independent and Identically Distributed (IID). The computation of the min-entropy is usually preferred. The min-entropy is the most conservative measure of the uncertainty of a set of outcomes. The min-entropy is always lower than the (Shannon) entropy. The National Institute of Standards and Technology (USA) introduced several tests to compute the min-entropy of an entropy source even in non-iid cases.

In this deliverable, we estimate the min-entropy at each receiver by applying NIST's tests for estimating the min-entropy of non-iid sources described in [2] on key bits obtained at the output of the quantization step of the SKG scheme without applying the channel de-correlation pre-processing step. We also compute very conservative estimates of joint entropy and mutual information between pairs of receivers in order to evaluate the percentage of information shared by two distinct users. Finally, for a given pair of receivers, the entropy and the mutual information can provide us an experimental insight on the percentage of secure entropy bits.

NIST's tests for Estimating the Min-Entropy of non-iid sources

NIST provides a battery of tests in order to estimate the min-entropy of non-iid sources. The final min-entropy is the minimum of the min-entropy computed by each test. The tests used to compute the min-entropy are the following. More details on these tests can be found in [2].
- Most common value Estimate
- Collision Estimate
- Markov Estimate
- Compression Estimate
- t-tuple Estimate
- LRS Estimate
- MultiMCW Prediction Estimate
- Lag Prediction Estimate
- MultiMMC Prediction Estimate
- LZ78Y Prediction Estimate

Entropy estimate results in real field environments

NIST's tests for Estimating the Min-Entropy of non-iid sources were applied on Bob and Eve's antennas. Recall that Bob has 2 antennas whereas Eve has 4 antennas.
All antennas are close to each other. Table 3 and Table 4 provide min-entropy and mutual information estimates for two propagation environments. The first one, very stationary, is an empty indoor tennis court surrounded by buildings and an LTE e-node; the geometry is fixed and LOS. The second one, much less stationary, is an indoor office where antennas were slightly mobile and WiFi signals come from NLOS access points. The results show that there are at least 20% of entropy bits in the first (worst) case and around 70% of entropy bits in the second (better) case. In addition, the computed maximum value of the mutual information between pairs of antennas reveals that one antenna on Eve's array only shares around 20% of information with one antenna on Bob's array.
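An added example (not the estimator code used for Tables 3 and 4) of how two of the listed estimators react to correlated key bits: the Most Common Value estimate and a simplified binary first-order Markov estimate, with the final figure taken as their minimum. The bit streams are constructed (an LFSR sequence held over 8 samples, then decimated), and the function names are assumptions.

```python
import math
from collections import Counter


def mcv_min_entropy(bits):
    """Most Common Value estimate with a 99% upper confidence bound."""
    n = len(bits)
    p_hat = max(Counter(bits).values()) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def _log2(p):
    return math.log2(p) if p > 0 else float("-inf")


def markov_min_entropy(bits, length=128):
    """Simplified binary Markov estimate: fit first-order transition
    probabilities, then take the most likely `length`-bit chain."""
    n = len(bits)
    p1 = sum(bits) / n
    p0 = 1 - p1
    pairs = Counter(zip(bits, bits[1:]))
    from0 = pairs[(0, 0)] + pairs[(0, 1)]
    from1 = pairs[(1, 0)] + pairs[(1, 1)]
    p00 = pairs[(0, 0)] / from0 if from0 else 0.0
    p01 = pairs[(0, 1)] / from0 if from0 else 0.0
    p10 = pairs[(1, 0)] / from1 if from1 else 0.0
    p11 = pairs[(1, 1)] / from1 if from1 else 0.0
    h = length // 2
    candidates = [                                   # log2 probability of:
        _log2(p0) + (length - 1) * _log2(p00),                 # 000...0
        _log2(p0) + h * _log2(p01) + (h - 1) * _log2(p10),     # 0101...
        _log2(p0) + _log2(p01) + (length - 2) * _log2(p11),    # 011...1
        _log2(p1) + _log2(p10) + (length - 2) * _log2(p00),    # 100...0
        _log2(p1) + h * _log2(p10) + (h - 1) * _log2(p01),     # 1010...
        _log2(p1) + (length - 1) * _log2(p11),                 # 111...1
    ]
    return min(-max(candidates) / length, 1.0)


def min_entropy(bits):
    """Final figure: the minimum over the estimators that were run."""
    return min(mcv_min_entropy(bits), markov_min_entropy(bits))


def lfsr_bits(n, seed=(1, 1, 1, 1, 1, 1, 1)):
    """Constructed stand-in for random key bits: a[k] = a[k-7] XOR a[k-6]."""
    bits = list(seed)
    while len(bits) < n:
        bits.append(bits[-7] ^ bits[-6])
    return bits[:n]


HOLD = 8
correlated = [b for b in lfsr_bits(127) for _ in range(HOLD)]   # 1016 bits
decimated = correlated[::HOLD]                                  # 127 bits

if __name__ == "__main__":
    for name, bits in (("correlated", correlated), ("decimated", decimated)):
        print(f"{name:11s} MCV={mcv_min_entropy(bits):.1%} "
              f"Markov={markov_min_entropy(bits):.1%} final={min_entropy(bits):.1%}")
```

The balanced but correlated stream looks healthy to the Most Common Value estimate and is only exposed by the Markov estimate, which is why the minimum over the battery is reported.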

Table 3: Min-entropy estimates for LTE and WiFi recorded signals

Min-entropy estimates

| Antennas | | | | | | |
|---|---|---|---|---|---|---|
| LTE LOS 2.6 GHz | 19.5% | 50% | 32.4% | 22.6% | 28.9% | 32.4% |
| WiFi NLOS 2.4 GHz | 63.1% | 65.2% | 74% | 69.7% | 76.2% | 74% |

Table 4: Mutual information estimates for LTE and WiFi recorded signals

Mutual information estimates

| Antennas | | | | | | |
|---|---|---|---|---|---|---|
| LTE LOS 2.6 GHz | 19.7% | 16.5% | 38.6% | 24.9% | 84% | 73.9% |
| WiFi NLOS 2.4 GHz | 19.8% | 18% | 20.6% | 19.4% | 79.7% | 85% |

Note that some experimental values of mutual information between two antennas are higher than the entropy of one of the corresponding antennas. This is because we estimate the minimum mutual information as which is not really accurate but allows us to have an insight on the shared entropy between two antennas.

SKG Simulation results with LTE signals

The application of the practical Secret Key Generation scheme to LTE is straightforward as the scheme only needs access to the channel estimates in the frequency domain, which are readily available in the physical layer. In order to assess its performance in an LTE system, Monte-Carlo simulations have been performed using MATLAB.

Simulators

For performance assessment, we use the MATLAB-based LTE link-level simulators [3] developed by Technical University of Vienna. The simulators implement standard-compliant LTE downlink and LTE uplink transceivers with their main features, i.e., basic channel models, modulation and coding, multiple-antenna transmission and reception, channel estimation, multiple-user scenarios, and scheduling. The LTE link-level simulators include, among other basic channel models, the QuaDRiGa channel model [4], which can model realistic distance-dependent correlation of radio propagation between Alice-Bob, Alice-Eve, and Bob-Eve channels.
In the simulations indeed, only the large-scale channel parameters are spatially correlated.

Channel coefficient estimates

Estimates of the channel coefficients are computed for each subcarrier carrying known sequences and each transmit and receive antenna pair, then averaged over the subframe to provide only one coefficient per sub-frame and per subcarrier per antenna pair. In the downlink, Bob (and Eve) can use the downlink Reference Signals (RS) over the whole bandwidth and the channel estimates are obtained by dividing the received signal at the pilot tones or reference sequence location by the known transmitted signal. In the uplink, the situation can be different as the Sounding Reference Signals (SRS) are not mandatory and one cannot rely on them. The De-Modulation Reference Signals (DMRS) are used to estimate the channel at Alice. Alice thus has knowledge of the channel limited to the resource allocated for the uplink transmission for Bob. The subcarriers in the frequency domain are selected such that they hold estimates in both DownLink (DL) and Uplink (UL) directions. However, in the simulations herein, all the resource blocks are allocated to Bob and the bandwidth limitation is not taken into account.

Considering now the Time Division Duplex (TDD) configuration of LTE RAT, we need to ensure that the reciprocity assumption is still valid. For this, the channel estimates obtained at adjacent downlink and uplink sub-frames should be used, which happens when the system switches from uplink to downlink. The sub-frame indexes at which the channel coefficients are extracted at Alice and Bob/Eve depend on the TDD configuration. We assume here a TDD configuration that allows us to extract two sets of channel coefficients per frame.

Simulations scenarios and parameters

The simulation process is such that the QuaDRiGa channel coefficients are created and then used first in the downlink LTE simulator and second in the uplink LTE simulator. At the end of this run, the secret keys generated by Alice, Bob, and Eve are compared. A simulation run is set to last 100 frames. Alice is a fixed base station. Bob and Eve are mobile and follow the same track at the same speed, which in the simulations is a straight line. The speed depends on the radio environment. Alice uses a 4-antenna spatially-uniform linear array and both Bob and Eve use a 2-antenna array. The signal bandwidth is set to 10 MHz and the carrier frequency is 2.6 GHz. The channel model is block-fading and the channel estimation uses the least-square methods as provided in the LTE simulators. The SNR is defined as the average SNR at Bob for the duration of the simulation. Several standard radio propagation environments have been tested: A1 indoor office, B1 urban micro-cell, and C2 urban macro-cell [5]. The minimum distance between Bob and Alice has been set to 1, 10, and 50 m, respectively. The mobiles' speed has been set to 1 m/s, 2 m/s and 14 m/s in A1, B1, and C2, respectively. Eve can be placed at various distances from Bob. The radio propagation can either be LOS or NLOS. The SKG algorithm outputs a fixed key length of 127 bits. Time and frequency decorrelations are always used.
After several tests, the de-correlation thresholds and have been set to the value 0.5, which achieves a suitable trade-off between the number of extracted keys and their randomness quality. Results with and without spatial decorrelation are presented. When spatial decorrelation is used in a LOS environment, the LOS component is removed. The quantization of the real and imaginary part of the pre-processed channel coefficients produces one bit each, i.e., two regions are used. The coding rate of the reconciliation BCH code varies in order to correct the errors between Bob's and Alice's keys. This coding rate needs to be tailored to the SNR on the channel estimates in order to correct errors between Bob's and Alice's keys while preventing Eve from correcting the errors in her keys. In other words, the coding rate is set such that Bob is able to correct the maximum number of errors at each simulation. For each separation distance between Bob and Eve and each SNR value, 100 channel realizations, corresponding to 100 simulation runs, are processed and statistical distributions over those channel realizations can be extracted.

Simulation results

An example of simulation results is shown in Figure 11, which is relevant to the urban micro-cell environment B1 for Bob and Eve moving on a straight line at 2 m/s. Figure 11 represents the cumulative distribution functions (CDF) of the BER of Bob's keys (column 1) and Eve's keys (columns 2 to 4) compared to Alice's keys. The first column, which shows the results at Bob's side, evaluates the key agreement efficiency. The next columns, which show the results at Eve's side (for increasing distances between Bob and Eve), evaluate the key security.

The main items relevant to these simulations are the following:
- For good SKG performance, Eve should not be able to estimate the key that Alice and Bob have extracted from the channel estimates, Alice and Bob should agree on the same keys, and these keys should have good entropy quality.
- When considering the security of the keys, the BER between the keys extracted at Alice and Eve is the main figure-of-merit to be measured.
- When considering the key agreement, the mismatch between the keys estimated at Alice and Bob will also be measured in order to assess the effect of the channel estimation error, after each step of the SKG algorithm (quantization, reconciliation, amplification).
- When considering the keys' quality, the intrinsic randomness of the key will also be assessed by using the NIST randomness tests (frequency mono-bit and run tests). These tests are performed on all keys obtained by Bob for a specific SNR value over all channel realizations.

Figure 11: BER of Bob and Eve's keys compared to Alice's keys for various environments, Bob-Eve distances and SNR values

On Figure 11 above, the impact of the value of the SNR is represented in each environment and Bob-Eve distance case (4 curves per sub-figure corresponding to 4 SNR values). The first row shows the results for the LOS scenario with no spatial de-correlation and the second row shows the results for the LOS scenario with spatial de-correlation. The third and fourth rows replicate the results of the first and second rows for the NLOS scenario.

The results of Figure 11 show the following trends:
- The mismatch between Bob and Alice reduces as the SNR increases.
- In the NLOS case, a separation distance of one wavelength ( ) between Eve and Bob is enough to ensure the key's security against Eve. However in the LOS case, the use of spatial decorrelation might be required to achieve the same security.
- When spatial de-correlation is performed, a higher SNR is needed for Bob to estimate the right key.
- The use of channel de-correlation increases the number of keys extracted with correct quality, particularly in LOS configuration.
- In terms of key quality, more than 99% of the keys passed randomness tests after amplification, with or without spatial de-correlation, and for both LOS and NLOS.

Discussion

The SKG algorithm implemented in the LTE simulator has proven to work well in most of the simulated radio propagation environments. The minimum distance between Bob and Eve in order to protect the keys extracted at Alice and Bob depends on the radio environments (A1, B1, C2), whether there is LOS or NLOS, and on the use of spatial de-correlation. Particularly in A1, and in B1 too, the distance of one wavelength ( ) is enough to prevent Eve from recovering the secret key in both NLOS and LOS cases, when SKG includes spatial de-correlation in LOS cases. This has an impact on the needed working SNR, as spatial de-correlation needs a higher SNR to lead to the same match between Alice and Bob compared to the situation when it is not used.
NLOS leads to more keys and does not require the use of spatial de-correlation. In LOS cases of C2, the algorithm still does not protect Alice's and Bob's keys well (against Eve's attempts to recover the keys) at a distance between Bob and Eve of 10, even when using spatial decorrelation. However, in NLOS, the keys are protected already at a distance of 10. In C2, spatial de-correlation and channel de-correlation pre-processing improve the secrecy of Bob's and Alice's keys in both LOS and NLOS cases. In all simulations, the quality of the key was high after amplification, leading to more than 99% of keys satisfying the used randomness tests. Extended analysis and simulation results of SKG schemes with LTE signals can be found in deliverable D

Experimental results from real field bi-directional CSI achieved at WiFi carriers

In this section we generate keys from dual sense real signals emitted and received by Celeno WiFi chipsets. We then evaluate the randomness and secrecy of generated keys.

WiFi test bed and measurement environment in dual sense

The test bed depicted in Figure 16 is based on state of the art 4x4 MIMO chipsets made by Celeno. Each chipset is based on a Software Defined Radio architecture, using a Digital Signal Processing core that makes it possible to implement algorithms in the physical layer on top of a real WiFi system. The test bed supports operation in both 5GHz and 2.4GHz bands by using two different chips: the CL2440 is a 4x4 AP chip supporting 5GHz operation (for up to 80 MHz bandwidth), while the CL2442 is a 4x4 AP chip supporting 2.4GHz operation (for up to 40 MHz bandwidth). The test bed is also hooked to the local network via Ethernet for control and for data extraction.

A typical placement of the antennas for transmitter (Tx) and receiver (Rx) boards is shown in Figure 16. The antenna spacing on the test bed is always more than half of a wavelength (2.7 cm in 5.5 GHz and 6.25 cm in 2.4 GHz) to provide adequate diversity. Experiments are carried out in Celeno's testing apartment. The apartment provides a clean testing environment that is relatively interference free. Various indoor NLOS and LOS scenarios can be emulated.

Figure 16: 4x4 WiFi chipsets and measurement environment

Description of a bi-directional sounding exchange

Alice and Bob exchange WiFi sounding frames (2462 MHz, Bandwidth: 20 MHz). Alice first sends a sounding frame which is captured by Bob (and Eve). Bob sends back to Alice a sounding frame. Alice, Bob and Eve extract 4x4 channel estimates. CSI estimates are then processed in Matlab offline. In the first phase, Alice, Bob and Eve compensate their channel estimation for timing errors and normalize each channel coefficient. In the second phase, a Matlab processing script involves secret key extraction from channel estimates and evaluation of the generated keys. The main steps of the SKG scheme are recalled below.
- CSI coefficient selection in a pre-processing step.
- Dual sense CSI quantization using CQA algorithm.
- Information reconciliation with BCH codes.
- Privacy amplification using a two-universal family of hash functions and, when necessary, key length reduction avoiding any capability for Eve to exploit the FEC reconciliation code redundancy.

Generated keys are evaluated as follows:
- Test of key randomness by using the Intel Health Check applied on keys after the quantization and privacy amplification steps.
- Computation of the mismatch between Alice and Bob's keys.
- Computation of the BER between Bob and Eve.

Measured CSI in dual sense

Figures 17 and 18 plot the amplitude and phase of CSI computed by Alice, Bob and Eve. These figures show that Alice and Bob's channel measurements are quite similar (channel reciprocity) whereas they differ significantly from Eve's measurements (channel spatial diversity).

Figure 17: Amplitude channel measurements for Alice, Bob and Eve

Figure 18: Phase of channel measurements for Alice, Bob and Eve

Key extraction from bi-directional CSI

After channel measurements, a Matlab script runs the SKG scheme on three consecutive channel sounding exchanges between Alice and Bob. Eve also captures the signal sent by Alice in order to compute her keys. The SKG protocol at Alice's side can be described as follows.
- Pre-processing: selection of low correlated CSI frames.
- Quantization of CSI to get secret keys of 127 bits length.
- Computation of secure sketches used by Bob for information reconciliation using BCH (127,15,27).
- Privacy amplification of the secret keys.
- Key concatenation (final 256-bits).
- Test of the key randomness after quantization and amplification with the Intel Health Check [6].
- Selection of amplified version of successful 256-bits secret keys both after quantization and amplification. Note that all keys should pass the test after privacy amplification since a hash function is used during this step.

Alice also sends over the public channel a message containing indexes of the selected CSI frames and quantization map, secure sketches, hashing parameters and indexes of successful 256-bit secret keys. Although this message helps Bob to compute the same secret keys as Alice, secure sketches sent for reconciliation might leak some information to Eve as they allow her to correct errors she made on Alice's keys. This leaked information is mitigated by reducing the length of extracted keys during the privacy amplification step.

The SKG protocol at Bob's side can be summarized as follows.
- Pre-processing: selection of CSI frames according to the indexes sent by Alice.
- Quantization of CSI using the quantization map indexes sent by Alice, but his quantization maps are computed using his own channel measurements.
- Information reconciliation step using secure sketches sent by Alice and using BCH (127,15,27).
- Privacy amplification of the keys using the hashing parameters sent by Alice.
- Key concatenation to 256-bits.
- Selection of successful 256-bit secret keys according to the indexes sent by Alice.

In our simulation, Eve performs exactly the same SKG steps as Bob.

Results when no channel de-correlation is performed

Figure 19 shows the keys extracted after quantization by Alice from channel measurements when no pre-processing step is performed. 78 keys of length 127-bits were generated but none of them passed the NIST runs test. 38 keys of length 256-bits were obtained by concatenating previous keys and none of them passed the Intel Health Check. Figure 19 also shows the mismatch between Alice and Bob, and the BER between Bob and Eve's keys at the end of the SKG processing when amplitude and phase of CSI are quantized using the CQA algorithm with 4 regions, information reconciliation and amplification being achieved. According to the results, Bob often computes different keys than Alice while Eve manages to recover some of the secret keys: SKG performance is poor in this case.

Figure 19: SKG results with no pre-processing step
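The information reconciliation and privacy amplification steps of the protocol above, as an added example that is not the PHYLAWS Matlab script. It swaps the BCH (127,15,27) code for a 5-fold repetition code inside a code-offset secure sketch and uses a Toeplitz matrix as the two-universal hash; the 125-bit keys, error positions and output length are constructed.

```python
import random

REP = 5           # repetition factor (stand-in for BCH(127,15,27))
KEY_BITS = 125    # 25 blocks of 5 quantized bits (constructed key length)
OUT_BITS = 20     # hashed key length, below the 25 bits the sketch leaves secret


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(info):
    """Repetition encoder: each information bit repeated REP times."""
    return [b for b in info for _ in range(REP)]


def decode(word):
    """Nearest codeword by majority vote in each block (corrects 2 errors/block)."""
    blocks = [word[i:i + REP] for i in range(0, len(word), REP)]
    return encode([int(2 * sum(blk) > REP) for blk in blocks])


def make_sketch(key, rng):
    """Alice: public secure sketch = key XOR a random codeword."""
    info = [rng.getrandbits(1) for _ in range(len(key) // REP)]
    return xor(key, encode(info))


def reconcile(own_bits, sketch):
    """Bob (or Eve): shift by the sketch, decode, shift back."""
    return xor(sketch, decode(xor(own_bits, sketch)))


def toeplitz_hash(bits, out_len, seed_bits):
    """Privacy amplification: multiply by a public random Toeplitz matrix over GF(2)."""
    n = len(bits)
    assert len(seed_bits) == n + out_len - 1
    out = []
    for i in range(out_len):
        acc = 0
        for j, b in enumerate(bits):
            acc ^= b & seed_bits[i - j + n - 1]
        out.append(acc)
    return out


def constructed_run(seed=2016):
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    bob = list(alice)
    for pos in (3, 17, 18, 64, 120):       # constructed estimation errors, <= 2 per block
        bob[pos] ^= 1
    # Constructed Eve: every second quantized bit differs from Alice's.
    eve = [b ^ (i % 2 == 0) for i, b in enumerate(alice)]
    sketch = make_sketch(alice, rng)                                   # public
    seed_bits = [rng.getrandbits(1) for _ in range(KEY_BITS + OUT_BITS - 1)]  # public
    bob_rec, eve_rec = reconcile(bob, sketch), reconcile(eve, sketch)
    return {
        "alice": alice, "sketch": sketch,
        "bob_mismatch": sum(xor(bob_rec, alice)),
        "eve_ber": sum(xor(eve_rec, alice)) / KEY_BITS,
        "alice_key": toeplitz_hash(alice, OUT_BITS, seed_bits),
        "bob_key": toeplitz_hash(bob_rec, OUT_BITS, seed_bits),
        "eve_key": toeplitz_hash(eve_rec, OUT_BITS, seed_bits),
    }


if __name__ == "__main__":
    r = constructed_run()
    print("Bob mismatch after reconciliation:", r["bob_mismatch"])
    print("Eve BER after reconciliation:     ", r["eve_ber"])
    print("Alice and Bob share the final key:", r["alice_key"] == r["bob_key"])
```

The sketch publishes 100 parity-like bits about a 125-bit key, so at most 25 bits stay secret; hashing to 20 bits is the length reduction the text refers to.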

Results when channel de-correlation is performed

Figure 20 shows the keys extracted after quantization by Alice from channel measurements when the pre-processing step is performed with threshold values T_t = 1 (no selection in the time domain in this particular test case, because only 3 time instances were available in the records) and T_f = 0.4. Here, 5 keys of length 127-bits were generated and 4 of them passed the NIST runs test. 2 keys of length 256-bits were obtained by concatenating previous keys and both of them passed the Intel Health Check. After privacy amplification, all keys passed both the NIST runs test and the Intel Health Check.

Figure 20: SKG results with pre-processing step

Figure 20 also shows the mismatch between Alice and Bob, and the BER between Bob and Eve's keys. As previously, amplitude and phase of CSI are quantized using the CQA algorithm with 4 regions. Information reconciliation is achieved using the BCH (127,15,27) code. Here, Bob successfully computes the same keys as Alice while Eve's BER is always close to 0.5. Thus, Eve has no information on the secret keys computed by Alice and Bob. In this case the SKG works perfectly.

These results show that although the channel de-correlation pre-processing step reduces the number of generated keys, it not only improves the agreement between Alice and Bob, but also reduces the number of vulnerable key bits. By selecting only frames with low cross-correlation, the pre-processing step increases the available entropy and decreases the mutual information between Alice and Eve's channel measurements, leading finally to more secure random keys.

Entropy computation for dual sense CSI estimated at real field WiFi FWD and RTN signals

The goal of this section is to estimate the secure entropy available in the channel for Alice and Bob. To do so, we compute the entropy at Alice, Bob and Eve's receivers. We also compute the mutual information between Alice and Bob, Alice and Eve, and between Bob and Eve. We use NIST's tests for estimating the min-entropy of non-iid sources and obtain conservative values of the min-entropy. The computed min-entropy is the guaranteed amount of entropy of the non-iid source.

Table 5: Entropy and mutual information estimates

| Min-entropy, Alice | Min-entropy, Bob | Min-entropy, Eve | Mutual information, Alice - Bob | Mutual information, Alice - Eve | Mutual information, Bob - Eve |
|---|---|---|---|---|---|
| 24% | 25% | 28% | 26% | 14% | 14% |

The results above show that:
- On the one hand, the minimum amount of available entropy in the channel is 24% for Alice and 25% for Bob. In addition, Alice and Bob share at least 26% of information. Therefore, in absence of calibration problems, the selection of 24% of the lowest correlated channel will provide us with random key bits with a mismatch between Alice and Bob close to zero.
- On the other hand, Alice or Bob shares 14% of information with Eve. Hence, in the worst case, Eve shares 14% of information with Alice and Bob and the key length has to be reduced by at least 14% during the privacy amplification step to ensure the complete privacy of the secret key computed by Alice and Bob.

4.5 Security opportunities provided by secret key generation to standardization of future Radio Access Technologies

Existing Vulnerabilities of public radio networks

In the current architectures, no protection is applied on the transmission of several crucial parameters that are exchanged during the first access stages with the network (and during roaming procedures). These parameters are used for performing the authentication with privacy, and setting up the integrity and the confidentiality protections of the user and control planes. Concerning the authentication procedure, the following crucial messages are exchanged in clear text: in 2G: RAND, SRES and TMSI; in 3/4G: RAND, RES, AUTN, KSI_ASME and TMSI.

Radio access of public networks is managed with identification procedures, involving subscriber and network identification numbers, and authentication procedures, involving dual sense exchanges of random input parameters, parallel computation and output check at mobile and at core network. In radio-cell networks and in WLAN networks, this processing is performed very early (before the establishment of ciphering keys).
Several crucial parameters (such as IMSI, IP or MAC address) transmitted over the physical layer are not encrypted during the attach or roaming procedures (especially international roaming). Furthermore, subscriber's and equipment's parameters are used for performing the authentication, and for setting up the integrity and the confidentiality protections (of both user and control protocol layers). Unfortunately, they are transmitted in clear text with significant temporization times in their transmission procedures. As a result, they are very vulnerable to many kinds of attacks such as passive monitoring, active hacking (denial of service, replay attack), man in the middle and spoofing.

Concerning the identification procedure of radio-cells, the following crucial subscriber or equipment parameters are exchanged in clear text.
- In 2G, 3G and 4G radio cellular networks: usually TMSI, and when requested (because of international roaming or failure of conventional TMSI identity check), IMSI, IMEI, IMEISV or GUTI.
- In WLAN standards: IP Address, SSID, and even the MAC address in first attach procedures and in many other dedicated procedures.

Concerning the authentication procedure of radio-cells, the following crucial messages are exchanged in clear text.
- In 2G radio cellular networks: random parameter RAND, SRES at the input and output of the single terminal authentication check by the network.
- In 3/4G radio cellular networks: random parameter RAND, RES, AUTN and KSI_ASME at the input and output of the dual sense authentication check.

In general, the interception of identifiers (such as mentioned above) reveals sensitive information such as subscriber identity and location. It thus allows Eve to focus on the monitoring of target messages of given subscribers, to build replay attacks, to spoof and impersonate terminals and nodes, etc. See deliverable D2.1 and [7] for more details.

Moreover, as mentioned in the introduction, the hacking of long term secret keys K/Ki by cyber attackers has been recently reported. Therefore, it becomes easy for a passive eavesdropper to retrieve the other necessary parameters by monitoring the signaling and access messages. First, Eve can recover authentication and cipher keys, then Eve can break all protections (such as the integrity control and the confidentiality of an on-going communication).

Finally, a major security enhancement of existing and future radio-networks would be achieved by preventing third parties from decoding sensitive messages exchanged at the radio air interface between infrastructure nodes and terminals. In particular, the protection of the identification procedures, authentication protocols and cipher establishment should be reinforced, by removing any capability for Eve to intercept and decode the associated parameters that are today given for free at the radio layer.
This would strongly enhance privacy and confidentiality, and this would significantly mitigate the consequences of a leakage of K/Ki keys Proposed solutions for securing radio access protocols with Secret Key Generation We recall that the principle of SKG is to re-use radio-channel sounding outputs as common random sources of legitimate radio-devices under an assumption of reciprocity, without any shared secret. For any radio access using a Time Division Duplex protocol (such as defined in WLAN, 4G radiocells and expected 5G networks), the SKG technology thus appears very suitable at early stages. As soon as radio channel measurements are enabled from prior frame and slot synchronization, reception of signaling, transmission and reception of access messages, initialization of equalization and Quality of Services procedures etc., their outputs could be re-used of SKG purposes. SKG can also apply to Frequency Division Duplex (FDD) if the user equipment and the node have the ability to operate on the same carrier frequencies for the access stages. Moreover, Tag Signals, through Interrogation and Acknowledgement Sequences (IAS) between terminals and nodes provide dual sense paired CIR very early in the radio access. These CIR are output by the synchronization and equalization procedures of the dual sense Tag Signals at Alice and Bob while they ensure the secure pairing of Alice s and Bob s devices by checking the CIR. Secret key generation can be input by these paired CIR. 
Moreover, the exchanges of paired Tag Signals would offer a native authenticated public channel for exchanging information during the SKG processing: frame index in channel de-correlation preprocessing, plane index in quantization algorithm, secure sketch into reconciliation procedure, etc Practical implantation perspectives of Secret Key Generation into Radio Access Technologies As seen before, the output keys of 128 or 256 bits, could protect early messages exchanged between Alice and Bob as a direct protection of signaling and access messages, as a private key (shared only by Alice and Bob) to be used in a traditional cipher scheme applied to sensitive contents of the signaling and access messages page 33 /

Keys can be stored in terminal memory and in the network database, and changed over time when necessary (during ongoing communications by using the output or equalization procedures). Many other potential usages for WLAN and radio cellular networks are listed below.
- To facilitate new attach procedures and new roaming procedures in idle mode.
- To input and facilitate secure schemes of upper protocol layers during ongoing communication. Some examples relevant to WLAN and radio cellular networks are: protection of the headers of IP packets, protection of control frames, protection of return information messages in explicit Artificial Noise and Beam Forming schemes defined in some WLAN (802.11n/ac), input of the integrity control and cipher schemes of data streams with non-mathematical random.
- Usage of generated keys as temporal identifier.
- Usage as integrity control check to prevent intrusion of messages, rogue and man in the middle attacks on on-going communications.
- Detection of intrusion attempts (including false authentication requests): if the node and the terminal receive in parallel similar messages with uncorrelated keys generated from different channel instances.
- Usage as a pre-shared key or header input in existing ciphering schemes.
- The use of the secret key to protect the ultra-low latency transmissions expected in the future, where current stream ciphers are too slow.
- To protect the un-ciphered near field communication.
- To cope with the problem of distribution and management of secret keys with the deployment of massive Internet-of-Things.

Final note: The discussion above is completed in Deliverable D4.6 [PHYLAWS_D4.6], which details the content of our standardization proposal, while Deliverable D1.11 [PHYLAWS_D1.11] reports all the initiatives of the Phylaws consortium towards standardization bodies.

5 Secrecy codes

5.1 Recall on the design of proposed secrecy codes

The secrecy coding scheme

Our goal is to design a low-complexity and practical secrecy coding scheme for current and next-generation Radio Access Technologies. We propose a security scheme which is initially composed of an LDPC code as inner code and of a polar code as outer code. The inner code can also be any FEC code currently employed for practical wireless communications, such as Turbo codes or Binary Convolutional Codes (BCC). The design of the inner code is therefore straightforward, as we only follow the requirements defined in standards. In this work we consider particularly LDPC codes defined in the standard (WiFi).

Figure 12: Secrecy coding scheme

Construction of the inner code

The inner code can be any FEC code currently employed for practical wireless communications, such as LDPC codes or Turbo codes. The design of the inner code is therefore straightforward, as we only follow the requirements defined in those standards. In this work we consider particularly LDPC codes defined in standard (WiFi).

Construction of the outer code using polar codes

We first consider two nested polar codes as the outer code of length . The rate of the first polar code is the target rate for Eve, denoted , and the rate of the second polar code is the target rate for Bob, denoted . Since we suppose that legitimate users have a radio advantage over Eve, . Therefore Eve can perfectly decode bits and Bob . In order to confuse Eve and to ensure error probability at her side, we send random bits over perfect bit-channels, in other words over the bit-channels for which the Bhattacharyya parameters are zero. The design strategy of the outer code is then the following.
- Bhattacharyya parameters are computed for Bob's target error probability at the output of the inner decoder.
- Bit-channels are sorted in ascending order of their Bhattacharyya parameters.
- Random bits are sent over the first bit-channels.
- Information bits are sent over the following bit-channels.
- Frozen bits (i.e. zeros) are sent over the remaining bit-channels.

5.1.4 Construction of the outer code using Reed-Muller codes

The constructions of Reed-Muller codes and polar codes are similar. The main difference is the selection of the bit-channels over which information bits are sent. Indeed, for polar codes the selection criterion is the Bhattacharyya parameter, while the selection criterion for bit-channels for the Reed-Muller codes is the Hamming weight of the rows of the generator matrix. Consequently, for a given code length, the Reed-Muller code usually has a larger minimum distance and, usually, better performance than the corresponding polar code for small and moderate code lengths. We propose to use Reed-Muller codes as an alternative to polar codes in the design of the outer code. The design strategy of the outer code is then modified as follows.
- The Hamming weights of the generator matrix's rows are computed.
- Bit-channels are sorted in ascending order of their Hamming weight.
- Random bits are sent over the first bit-channels.
- Information bits are sent over the following bit-channels.
- Frozen bits (i.e. zeros) are sent over the remaining bit-channels.

Recall of the performance of designed secrecy codes

For our simulations, we use the LDPC code of length 1296 and rate 5/6 defined in the standard for the inner code. The outer code is either a polar code of length 2^10 = 1024 or a Reed-Muller code of the same length. For simulation purposes, five outer codes were designed using polar and Reed-Muller codes of different rates. Simulations were carried out using MATLAB, with messages sent over an AWGN channel with QPSK modulation.

Proposed secrecy codes

The parameters of the five secrecy codes we consider are the following. Note that R, I and F denote respectively the number of random bits, information bits and frozen bits.
Table 6: Designed Secrecy Codes

                     SC1              SC2              SC3              SC4               SC5
Inner code           LDPC code of length 1296 and rate 5/6 defined in the standard (all codes)
Outer code           Polar code       Polar code       Polar code       Reed-Muller code  Reed-Muller code
Eve's target rate
Bob's target rate
(R,I,F)              (102, 512, 410)  (102, 409, 513)  (102, 307, 615)  (56, 430, 538)    (56, 330, 638)
Secrecy code rate
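The allocation rule of the two outer-code constructions above, applied to the (R,I,F) triples of SC2 and SC5 from Table 6, as an added example (not the project's MATLAB code). Assumptions: the Bhattacharyya parameters come from the erasure-channel recursion with a constructed starting value z0 = 0.5, since the page does not give Bob's target error probability; Reed-Muller rows are ranked heaviest first, the ordering under which the SC5 split falls on whole row-weight classes; ties are broken by index and message bits are placed in increasing index order.

```python
import secrets

N_LEVELS = 10            # outer code length 2**10 = 1024 (from the page)
SC2 = (102, 409, 513)    # (R, I, F) of the polar-based code SC2, Table 6
SC5 = (56, 330, 638)     # (R, I, F) of the Reed-Muller-based code SC5, Table 6


def bhattacharyya(n_levels, z0):
    """Bhattacharyya parameters of the 2**n_levels bit-channels.

    Assumption: erasure-channel recursion Z- = 2Z - Z^2, Z+ = Z^2. Index i
    follows Arikan's W_N^(i) labelling (most significant bit = first split).
    """
    z = [z0]
    for _ in range(n_levels):
        z = [v for x in z for v in (2 * x - x * x, x * x)]
    return z


def row_weights(n_levels):
    """Hamming weight of each generator-matrix row: 2**popcount(index)."""
    return [1 << bin(i).count("1") for i in range(1 << n_levels)]


def split(order, rif):
    """Cut a ranking of bit-channels into random, information, frozen sets."""
    n_random, n_info, n_frozen = rif
    if n_random + n_info + n_frozen != len(order):
        raise ValueError("R + I + F must equal the code length")
    return {"random": order[:n_random],
            "info": order[n_random:n_random + n_info],
            "frozen": order[n_random + n_info:]}


def polar_allocation(rif, n_levels=N_LEVELS, z0=0.5):
    """Rank by ascending Bhattacharyya parameter; z0 = 0.5 is constructed."""
    z = bhattacharyya(n_levels, z0)
    order = sorted(range(len(z)), key=lambda i: (z[i], i))
    return split(order, rif), z


def reed_muller_allocation(rif, n_levels=N_LEVELS):
    """Rank rows heaviest first (assumption of this example), ties by index."""
    w = row_weights(n_levels)
    order = sorted(range(len(w)), key=lambda i: (-w[i], i))
    return split(order, rif), w


def build_input(alloc, info_bits):
    """Encoder input u: fresh random bits, message bits, zeros on frozen."""
    if len(info_bits) != len(alloc["info"]):
        raise ValueError("message length must equal I")
    u = [0] * sum(len(v) for v in alloc.values())
    for i in alloc["random"]:
        u[i] = secrets.randbits(1)       # new randomness for every codeword
    for i, bit in zip(sorted(alloc["info"]), info_bits):
        u[i] = bit & 1
    return u


def encode(u):
    """Codeword x = u * B_N * F^(kron n) over GF(2), with F = [[1,0],[1,1]]."""
    n = len(u).bit_length() - 1
    # B_N: bit-reversal permutation of the input positions.
    x = [u[int(format(j, "0%db" % n)[::-1], 2)] for j in range(len(u))]
    step = 1
    while step < len(x):                 # butterfly stages of F^(kron n)
        for start in range(0, len(x), 2 * step):
            for j in range(start, start + step):
                x[j] ^= x[j + step]
        step *= 2
    return x


if __name__ == "__main__":
    polar, z = polar_allocation(SC2)
    rm, w = reed_muller_allocation(SC5)
    print("SC2 worst random-bit channel Z:", max(z[i] for i in polar["random"]))
    print("SC5 row weights carrying random bits:",
          sorted({w[i] for i in rm["random"]}))
    print("SC5 row weights carrying information:",
          sorted({w[i] for i in rm["info"]}))
    codeword = encode(build_input(polar, [1, 0] * 204 + [1]))
    print("SC2 codeword length:", len(codeword))
```

With the heaviest-first ranking, the 56 random positions of SC5 are exactly the rows of weight 256 and above, and its 330 information positions are the rows of weight 64 and 128.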

Performance of proposed secrecy codes

Figure 13 shows the performance of the designed secrecy codes.
- The black curve represents the Bit Error Rate (BER) at the output of the LDPC decoder.
- Red curves represent the BER at the output of polar code decoders.
- Blue curves represent the BER at the output of secrecy Reed-Muller decoders.

[Figure 13: Performance of secrecy codes. Plot title: Performance comparison of concatenated wiretap codes. Axes: BER versus SNR (in dB). Legend: LDPC decoder; Polar, SC rate: 0.4; Polar, SC rate: 0.3; Polar, SC rate: 0.23; RM, SC rate: 0.33; Polar, SC rate: ]

The results show that:
- When SNR dB, the BER at the output of the five secrecy codes is equal to . This means that all secrecy codes guarantee no information leakage if Eve's SNR is less than dB.
- Only the polar based secrecy code with rate (SC1) guarantees no information leakage until dB.
- All Reed-Muller based secrecy codes have better reliability performance than polar based secrecy codes.
- For a target error probability of at Bob's side, the required radio advantage is only dB to dB.

These simulation results show that Eve cannot retrieve any transmitted information when a slight radio advantage ( dB) is provided to legitimate users. The secrecy is achieved at the cost of a limited increase in coding and decoding complexity.

5.2 Complementary results on secrecy code decoding performance

Results with real field recorded WiFi signals and processed in a WiFi simulator

We have added the designed secrecy codes to a WiFi link simulator implemented with Matlab according to the standard. The simulator first emulates the inner decoding of WiFi signals, which were first recorded at carrier 2.46 GHz by using USRP devices in the PHYLAWS test bed described in Figure 4, then adds encoding and decoding by following our secrecy code scheme at transmitter and receiver. Thus, we now take into account the real WiFi RAT and realistic propagation channels over radio devices and physical layer.

We selected two secrecy codes of comparable secrecy rate: SC2, with an outer polar code and secrecy rate of 0.3; and SC4, with an outer RM code and secrecy rate of . Figure 14 and Figure 15 provide the performance of the entire WiFi demodulation/decoding process when the inner codes are, respectively, the LDPC and the Binary Convolutional Codes (BCC) defined in the WiFi standard. For both inner LDPC and BCC, the required Radio Advantage is around 7 dB for the outer polar code and 5 dB for the outer RM code.

Figure 14: Performance of the WiFi simulator with LDPC codes

Figure 15: Performance of the WiFi simulator with BCC codes

5.2.2 Impact of the polar decoding algorithm

When Arikan introduced polar codes, he also proposed a low-complexity decoding algorithm named the successive cancellation (SC) decoding algorithm [8]. However, the SC decoder has limited performance at moderate block length. Since polar codes can be represented as graph codes, Belief Propagation (BP) was used for polar code decoding in deliverable D4.3, but the performance of polar codes is not optimal when using the BP decoding algorithm. The goal in deliverable D4.4 is to implement a more efficient decoding algorithm for both polar codes and Reed-Muller codes.

In [9], Tal and Vardy proposed an improved version of the SC decoder, referred to as the successive cancellation list (SCL) decoder. Reference [10] proposes an LLR-based (Log Likelihood Ratio) version of the SCL decoding algorithm. Since LLR are also used in BP decoding, we use in this deliverable D4.4 the LLR-based SCL decoding algorithm, with a list size of 8, for comparison purposes. We have also chosen secrecy codes of comparable secrecy rate, SC2 and SC4, described in Table 6.

Figure 16 shows that the SCL decoding algorithm significantly improves the performance of the polar decoder and allows a gain of about 3 dB. The SCL decoder also improves the performance of the RMC decoder but leads only to a 1.5 dB gain. This is because the SCL decoder was designed to optimize the polar decoding performance. For both polar and RM codes, the SCL decoder has a limited impact on the required Radio Advantage. Indeed, for the polar-based secrecy code, the required Radio Advantage increases from 4.1 dB to 4.5 dB. For the RM-based secrecy code, the required Radio Advantage decreases from 3.9 dB to 3.8 dB.

Figure 16: Impact of the decoding algorithm

5.2.3 Design and performance of new secrecy codes

In this section, we propose the design of new polar-based secrecy codes taking into account the performance of the SCL decoding algorithm.

Table 7: New polar-based secrecy codes

                     SC4               SC5               SC6              SC7
Inner code           LDPC code of length 1296 and rate 5/6 defined in the standard (all codes)
Outer code           Reed-Muller code  Reed-Muller code  Polar code       Polar code
Eve's target rate
Bob's target rate
(R,I,F)              (56, 430, 538)    (56, 330, 638)    (51, 512, 461)   (133, 399, 492)
Secrecy code rate

Figure 17 shows the performance of SC4, SC5, SC6 and SC7 when the Belief Propagation algorithm is used for LDPC decoders and the LLR-based successive cancellation list decoding algorithm is used for polar and Reed-Muller decoders.
- The black curve represents the Bit Error Rate (BER) at the output of the LDPC decoder.
- Red curves represent the BER at the output of secrecy polar decoders.
- Blue curves represent the BER at the output of secrecy Reed-Muller decoders.

Figure 17: Simulation results with new polar-based secrecy codes

The results above show that:
- Polar-based secrecy codes have better reliability performance than RM-based secrecy codes of similar rates.
- When SINR < -1 dB, the BER at the output of the four secrecy codes is equal to 0.5. This means that all secrecy codes guarantee no information leakage if Eve's SINR is less than -1 dB.
- When SINR < 0 dB, the BER at the output of secrecy codes SC4 and SC5 is equal to 0.5, while the BER at the output of secrecy codes SC6 and SC7 is above . This means that if Eve's SINR is less than 0 dB, SC4 and SC5 guarantee no information leakage, while only a limited amount of information (less than 5%) is leaked for SC6 and SC7.
- For a target error probability of for Bob, the required Radio Advantage to ensure no information leakage is limited to 4.4 dB to 4.7 dB.

These simulation results demonstrate that Eve cannot retrieve any transmitted information when a slight Radio Advantage (< 5 dB) is provided to legitimate users. The secrecy is achieved with a limited increase in coding and decoding complexity.

5.3 Simulation results on LTE signals

Configuration of simulations

The simulations described below are relevant to LTE cellular based links at frequency 2.6 GHz, in the downlink transmission mode referred to as Transmission Mode 7 (TM7), which supports Beam Forming. For performance assessment of the proposed secrecy-coding scheme, we use the MATLAB-based LTE link-level simulators [3] developed by the Technical University of Vienna. The simulators implement standard-compliant LTE downlink and LTE uplink transceivers with their main features, i.e., basic channel models, modulation and coding, multiple-antenna transmission and reception, channel estimation, and scheduling. For reliable performance assessment, the channels seen by Bob and Eve need to show a distance-dependent correlation, which the WINNER II model cannot provide. For that reason, the QuaDRiGa channel model [4], which can produce correlation between the Alice-Bob, Alice-Eve, and Bob-Eve channels, is used.

The configuration of the simulation and its main parameters are summarized in Figure 18. The LTE carrier frequency is 2.6 GHz and the channel bandwidth is 10 MHz. Alice transmits data to Bob using QPSK modulation with coding rate 602/1024, which corresponds to a channel quality indicator (CQI) value of 6. Bob's SNR is assumed to be 10 dB. We consider an outdoor urban micro-cell radio environment with line-of-sight component, so called B1 [5], with LOS component (delay spread: 36 ns, shadow fading: 3 dB) and NLOS component (delay spread: 76 ns, shadow fading: 4 dB). Alice uses a 4-element circular antenna array; Bob and Eve have a single antenna each and use the same processing for CM estimation (least-squares method). Similarly, in the uplink direction, Alice and Eve use the least-squares method to estimate, respectively, the Bob-Alice and Bob-Eve channels. The distance between Alice and Bob is 15 m and the distance between Bob and Eve is 11.5 m, which corresponds to 100 wavelengths at the carrier frequency of 2.6 GHz, Eve being located at one of four possible locations denoted by P1, P2, P3, and P4, lying on the circle of radius 11.5 m (100 wavelengths) centred at Bob's position.

Figure 18: Configuration, parameters and results of LTE simulations

5.3.2 Simulation of transmitting and processing of the secret en-coded LTE signals

Assuming Time-Division-Duplexing (TDD) transmission mode, the BF coefficients are determined from the Channel Matrix (CM) estimated by the eNodeB Alice from the uplink transmission of reference signals by the intended User Equipment (UE) Bob. A single BF coefficient is used per resource block. The AN signal is generated such that it lies in the null space of the Alice-to-Bob CM, and it is added to all symbols. The AN signal lies 6 dB above the information-bearing signal to reduce any eavesdropping risk. Besides, in LTE systems, turbo codes are used for forward-error correction. Thus, the secrecy-coding scheme is implemented by concatenating an outer Reed-Muller code with the inner standard-compliant turbo code. We use the Reed-Muller based secrecy code SC5 (56, 330, 638) recalled in Table .

Results of simulations under LTE carrier Transmission mode TM7 - Discussion

At each of Eve's locations, we take 100 independent snapshots of the channel model, and for each of them we simulate the transmission of 20 LTE sub-frames. The observed figures-of-merit include Eve's and Bob's bit-error rates as well as the established radio advantage of Bob over Eve. In Figure 18b we plot the empirical complementary cumulative distribution function (CCDF) of Bob's radio advantage over Eve, as well as Eve's bit error rate as a function of the radio advantage.

These results first demonstrate that a radio advantage of 5 dB is sufficient to preclude Eve from reliably decoding the transmitted signal. Nevertheless, the location of Eve with respect to Alice and Bob significantly affects the radio advantage. For example, if Eve is closer to Alice than Bob (P4), her signal is obviously stronger than Bob's signal and the probability of achieving a sufficient RA is significantly reduced. For example, when Eve is in position P2 or P3, the probability of achieving at least 5 dB of radio advantage is above 90%; when Eve is in position P4, the respective probability drops to 60% only.

Furthermore, establishing and maintaining a sufficient radio advantage is a challenging engineering task in fading channels, because fading can affect the CM measurement and the BF establishment: while the channel state is changing, any channel estimation errors reduce the effectiveness of the AN-BF processing. Thus the AN-BF and secrecy coding scheme should be designed for the worst-case scenario and applied in high mean SNR regimes where channel estimation errors are smaller, whatever the fading in the transmission. It can thus be expected that non-line-of-sight long range radio propagation should be more difficult to handle in LTE networks than short range propagation, because the AN and the BF values are fixed for the whole resource block (performance suffers when channel changes occur during the block).

Nevertheless, in any case, the power control can contribute to the AN-BF + SC scheme by ensuring that the SINR_Rx,Bob at Bob's side is sufficiently large over the block to allow successful CM estimation, efficient BF establishment at Alice's side and reliable decoding at Bob's side, while AN still prevents Eve's decoding attempts.

Finally, the simulation results above demonstrate that the secrecy schemes of Figure 18 should apply well to real world radio-cellular networks (significant performance with a limited RA value). Besides, to achieve significant performance in the most difficult NLOS propagation conditions, these results also show that the network engineering (SINR threshold of the legitimate link, power control, etc.) has to be adapted at the same time as the tuning of the AN-BF + SC scheme.

5.4 Experimental results of secrecy codes on WiFi signals

Configuration of experiments

The experiments described below are relevant to ac WiFi links at frequency 5.2 GHz, with standard modulation coding schemes at transmitter Alice and at receivers Bob and Eve (Figure 19). The geometry is indoor and Line of Sight (LOS).

The access point Alice is implemented on a 4-antenna dedicated chipset (CL 2400), developed by Celeno Communications. Through the IPERF test application (commonly used to generate TCP and UDP traffic), Alice transmits a pre-defined bit pattern as User Signal (US) to facilitate Bit Error Rate (BER) evaluations. In addition, Alice adds Artificial Noise (AN) to the data part of the US bit pattern and Beam Forms it towards Bob.

Bob is implemented by using a single-antenna smartphone device (XIAOMI's MI5).

Eve is implemented by using a 3-antenna MacBook Pro, working in sniffer mode with the Wireshark application. The Wireshark application outputs Packet Error Rates and stores Rx signal frames. The BER at Eve's side is then computed offline (using a Matlab script) by comparing the stored received packets to the known transmitted pattern.

The overall geometry and the locations of Alice, Bob and Eve are shown in Figure 19a. The overall hardware and software components hosting the AN-BF application are shown in Figure 19b (CL 2400 WiFi chipsets and host board).

The AN-BF processing is based on a Spatial Multiplexing (SM) transmit matrix which is computed from a Singular Value Decomposition (SVD) of the Channel Matrix (CM) issued from channel sounding exchanges. Note that when antennas are calibrated at Alice's and Bob's side, AN-BF can be based on the channel reciprocity assumption, without any added information exchanged over the air. During computations, Alice has to restrict Rx or Tx operations and match numerous technological constraints. Thus, several compression, acceleration and parametrization capabilities are added to support AN-BF:
- QR decomposition and size reduction of the matrix involved in the computations,
- adjustment of the number of noise spatial streams (NAN=3 among 4) and user spatial streams (NSS=1 among 4),
- adjustment of the power ratios between the data and the noise streams,
- uniform distribution of independent noise samples over all transmitting antennas,
- gain scaling of the entire signal to ensure that the total Tx power matches the required digital back-off level and avoids saturation of the Digital to Analog Converter, etc.

The WiFi transmitting and receiving radio parameters are recalled in Figure 19d. Figure 19d provides the values of the power ratios and the relevant values of Packet Error Rates (PER at Bob's side) that lead to the experimental results shown in the following paragraphs.

Figure 19: Configuration of the AN-BF and SC experiments in Indoor Line Of Sight (LOS) environment

5.4.2 Transmitting and processing of the secret en-coded WiFi signals

To experiment with the decoding of secrecy codes by Eve and Bob, a fixed frame is still sent by Alice over repeated transmissions (by using the same IPERF application as above). This frame is pre-computed off-line from the initial bit pattern and one of the designed secrecy encoders. The secrecy code used in the experimental results below is the polar-based secrecy code SC2 with (R,I,F) = (102, 409, 513). Note that the code-word length of 1024 bits perfectly matches the WiFi frame length. Secret Code parameters are

While the new secret en-coded bit pattern now replaces the initial one, the decoding at Bob's and Eve's side is done offline from signal frame records by using a Matlab script. The whole procedure enables the estimation of the efficiency of Secrecy Coding through BER estimates at Eve's side. Moreover, comparing Eve's BER when using the native WiFi FEC scheme (either LDPC or BCC) concatenated with nested polar codes or Reed-Muller codes allows us to analyze the basic protection of the Radio Advantage provided by AN-BF alone and the security enhancement due to the secrecy coding scheme itself.

Recall that Eve has 3 receiving antennas and is supposed to have the complete information about the secret code. Moreover, she can test any Modulation and Coding Scheme in her attempts to recover parts of the legitimate user information, MCS2 being the best for Eve regarding the resilience of her decoding when facing Artificial Noise.

Results of experiments in Line of Sight geometry (LOS) - Discussion

Figure 20 shows the results of the AN-BF scheme and of the combined AN-BF + SC scheme on recorded WiFi frames. Two (low and middle) values of the power ratio are taken into account:
- = 3 in figure 5a, where the AN power is 25 percent of the total power,
- = 1 in figure 5b, where the AN power is 50 percent of the total power.

In all cases, Bob uses the MCS4 decoder with PER_Bob 0, BER_Bob 0.1, SINR_Rx,Bob 12.5 dB, while Eve attempts to decode the signal frames by using the MCS2 decoder, providing her an advantage by decreasing the Radio Advantage of Bob over Eve (Eve gets about 4 dB more compared to MCS4). The Radio Advantage indications in the figure are given with respect to one receive antenna at Eve's side.

Considering the particular propagation properties of Indoor LOS configurations and considering the low and medium values of the power ratio, we can note the following trends:
- At far Eve's locations, even in LOS geometry when the power ratio remains low, the radio advantage is very significant. This very favorable situation for security occurs mainly thanks to the Beam Forming (BF), which achieves significant BF rejection performance.
- We can be confident that similar trends would occur in any NLOS environment, whatever Eve's location, because the BF rejection should be enhanced thanks to the positive effects of propagation reflectors in the neighborhood of Alice and Bob.
- When coming back to the LOS configuration and considering now Eve locations closer to Bob, one has to interpret the decreasing performance of the AN-BF + SC scheme in the following sense. First, a main lobe is most often the result of the impact of LOS propagation on BF processing. Second, this main lobe can be intercepted by Eve. In addition, the 3 Rx of Eve in our experimental configuration can provide some array discrimination and processing gain on the user data signal. Finally, the effect of BF at Alice's side can be partially mitigated by Eve close to Bob. To counter this, the power ratio should be decreased down to the value =1/4 (which corresponds to an AN power that is 6 dB over the US power), and the antenna aperture at Alice's side should be enlarged to decrease the main lobe size and improve the rejection performance of BF.
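The link budget behind the power-ratio discussion above, with artificial noise placed in the null space of the Alice-to-Bob channel as in the LTE simulations, as an added example (not the project's chipset or simulator code). It assumes one flat subcarrier, a 4-antenna Alice, a single-antenna Bob and one receive antenna at Eve, matched beamforming weights, and constructed channel draws and noise power; the power ratio is taken as user-signal power over AN power, which is what the 25 percent and 50 percent figures imply.

```python
import math
import random


def norm2(v):
    """Squared Euclidean norm of a complex vector."""
    return sum(abs(x) ** 2 for x in v)


def rx(channel, tx):
    """Signal at a single-antenna receiver: row channel times column tx."""
    return sum(c * t for c, t in zip(channel, tx))


def constructed_channels(seed=2024, n_tx=4):
    """Constructed Rayleigh draws for Alice-to-Bob (h) and Alice-to-Eve (g)."""
    rng = random.Random(seed)

    def draw():
        return [complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2)
                for _ in range(n_tx)]
    return draw(), draw()


def split_power(power_ratio, total=1.0):
    """(user-signal power, AN power) for power_ratio = US power / AN power."""
    p_an = total / (1.0 + power_ratio)
    return total - p_an, p_an


def beamformer(h):
    """Unit-norm weights matched to the Alice-to-Bob channel h."""
    scale = math.sqrt(norm2(h))
    return [x.conjugate() / scale for x in h]


def artificial_noise(h, seed=1):
    """One noise sample projected onto the null space of h."""
    rng = random.Random(seed)
    n = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in h]
    c = rx(h, n) / norm2(h)
    return [ni - c * hi.conjugate() for ni, hi in zip(n, h)]


def an_gain(h, g):
    """Mean AN power received through g, per unit of AN transmit power.

    The AN is spread evenly over the len(h) - 1 null-space directions of h.
    """
    overlap = abs(rx(g, [x.conjugate() for x in h])) ** 2 / norm2(h)
    return (norm2(g) - overlap) / (len(h) - 1)


def link_budget(h, g, power_ratio, noise=0.05):
    """SINR at Bob and Eve and the resulting Radio Advantage, in dB.

    noise = 0.05 is a constructed receiver noise power.
    """
    p_us, p_an = split_power(power_ratio)
    w = beamformer(h)
    sinr_bob = p_us * abs(rx(h, w)) ** 2 / (p_an * an_gain(h, h) + noise)
    sinr_eve = p_us * abs(rx(g, w)) ** 2 / (p_an * an_gain(h, g) + noise)
    return {"an_share": p_an / (p_us + p_an),
            "an_over_us_db": 10 * math.log10(p_an / p_us),
            "sinr_bob_db": 10 * math.log10(sinr_bob),
            "sinr_eve_db": 10 * math.log10(sinr_eve),
            "radio_advantage_db": 10 * math.log10(sinr_bob / sinr_eve)}


if __name__ == "__main__":
    h, g = constructed_channels()
    print("AN seen by Bob:", abs(rx(h, artificial_noise(h))))
    for ratio in (3, 1, 0.25):
        b = link_budget(h, g, ratio)
        print("ratio %.2f: AN share %.0f%%, Eve SINR %.1f dB, RA %.1f dB"
              % (ratio, 100 * b["an_share"], b["sinr_eve_db"],
                 b["radio_advantage_db"]))
```

Lowering the power ratio costs Bob user-signal power but degrades Eve faster, so the Radio Advantage grows as the ratio goes from 3 to 1 to 1/4.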

Figure 20: Experimental results of the secrecy coded schemes in LOS environment - Comparison between AN-BF alone and AN-BF + S for several values of the power ratio

Finally, the experimental results above are evidence that the secrecy schemes of Figure 12 apply well to real world WLAN chipsets and propagation, with limited AN power, in most practical NLOS and LOS configurations. Even when very adverse conditions occur (LOS configurations, Eve very close to Bob or very close to Alice), secrecy efficiency should be achieved through a suitable tuning of the radio parameters (increasing the AN noise, enlarging the Alice antenna array, etc.).

5.5 Tuning of the Radio Advantage for OFDM/QPSK wave forms such as WiFi and LTE signals - considerations on radio engineering

Analysis and experimental results show that the Bit Error Rate at the output of the polar decoder is 0.5 up to a given attacker threshold of the Signal to Interference + Noise Ratio (SINR_RxEve), depending on the modulation and concatenated coding scheme, which ensures no information leakage. When the SINR_RxBob increases, the bit error rate at the output of the polar decoder vanishes. When SINR_RxBob is high enough (greater than a user threshold SINR_user), the bit error rate at the output of the polar decoder approaches zero.

In all the presented simulations and tests, only a few dB of Radio Advantage (typically 3 dB to 5 dB) is required to provide both reliability and secrecy to legitimate users. These reasonable values ensure the compatibility of Secrecy Code schemes with existing AN-BF schemes and other means of providing the Radio Advantage (such as Directive Antennas for transmission, Full Duplex communications technologies).

For these Secrecy Coding schemes, the typical value of SINR = -1 dB (0.8 in linear scale) should be considered as the maximum SIR_RxEve tolerated (by Alice and Bob) at Eve's receiver.


More information

RESEARCH ON METHODS FOR ANALYZING AND PROCESSING SIGNALS USED BY INTERCEPTION SYSTEMS WITH SPECIAL APPLICATIONS

RESEARCH ON METHODS FOR ANALYZING AND PROCESSING SIGNALS USED BY INTERCEPTION SYSTEMS WITH SPECIAL APPLICATIONS Abstract of Doctorate Thesis RESEARCH ON METHODS FOR ANALYZING AND PROCESSING SIGNALS USED BY INTERCEPTION SYSTEMS WITH SPECIAL APPLICATIONS PhD Coordinator: Prof. Dr. Eng. Radu MUNTEANU Author: Radu MITRAN

More information

Access Methods and Spectral Efficiency

Access Methods and Spectral Efficiency Access Methods and Spectral Efficiency Yousef Dama An-Najah National University Mobile Communications Access methods SDMA/FDMA/TDMA SDMA (Space Division Multiple Access) segment space into sectors, use

More information

Wireless Network Security Spring 2014

Wireless Network Security Spring 2014 Wireless Network Security 14-814 Spring 2014 Patrick Tague Class #5 Jamming 2014 Patrick Tague 1 Travel to Pgh: Announcements I'll be on the other side of the camera on Feb 4 Let me know if you'd like

More information

Introduction to WiMAX Dr. Piraporn Limpaphayom

Introduction to WiMAX Dr. Piraporn Limpaphayom Introduction to WiMAX Dr. Piraporn Limpaphayom 1 WiMAX : Broadband Wireless 2 1 Agenda Introduction to Broadband Wireless Overview of WiMAX and Application WiMAX: PHY layer Broadband Wireless Channel OFDM

More information

Multiple Antenna Processing for WiMAX

Multiple Antenna Processing for WiMAX Multiple Antenna Processing for WiMAX Overview Wireless operators face a myriad of obstacles, but fundamental to the performance of any system are the propagation characteristics that restrict delivery

More information

Simple Algorithm in (older) Selection Diversity. Receiver Diversity Can we Do Better? Receiver Diversity Optimization.

Simple Algorithm in (older) Selection Diversity. Receiver Diversity Can we Do Better? Receiver Diversity Optimization. 18-452/18-750 Wireless Networks and Applications Lecture 6: Physical Layer Diversity and Coding Peter Steenkiste Carnegie Mellon University Spring Semester 2017 http://www.cs.cmu.edu/~prs/wirelesss17/

More information

Multiple Access System

Multiple Access System Multiple Access System TDMA and FDMA require a degree of coordination among users: FDMA users cannot transmit on the same frequency and TDMA users can transmit on the same frequency but not at the same

More information

Submission on Proposed Methodology for Engineering Licenses in Managed Spectrum Parks

Submission on Proposed Methodology for Engineering Licenses in Managed Spectrum Parks Submission on Proposed Methodology and Rules for Engineering Licenses in Managed Spectrum Parks Introduction General This is a submission on the discussion paper entitled proposed methodology and rules

More information

Wireless TDMA Mesh Networks

Wireless TDMA Mesh Networks Wireless TDMA Mesh Networks Vinay Ribeiro Department of Computer Science and Engineering IIT Delhi Outline What are mesh networks Applications of wireless mesh Quality-of-service Design and development

More information

Wireless Communication: Concepts, Techniques, and Models. Hongwei Zhang

Wireless Communication: Concepts, Techniques, and Models. Hongwei Zhang Wireless Communication: Concepts, Techniques, and Models Hongwei Zhang http://www.cs.wayne.edu/~hzhang Outline Digital communication over radio channels Channel capacity MIMO: diversity and parallel channels

More information

Optimizing future wireless communication systems

Optimizing future wireless communication systems Optimizing future wireless communication systems "Optimization and Engineering" symposium Louvain-la-Neuve, May 24 th 2006 Jonathan Duplicy (www.tele.ucl.ac.be/digicom/duplicy) 1 Outline History Challenges

More information

5G new radio architecture and challenges

5G new radio architecture and challenges WHITE PAPER 5G new radio architecture and challenges By Dr Paul Moakes, CTO, CommAgility www.commagility.com 5G New Radio One of the key enabling technologies for 5G will be New Radio (NR). 5G NR standardization

More information

HOW DO MIMO RADIOS WORK? Adaptability of Modern and LTE Technology. By Fanny Mlinarsky 1/12/2014

HOW DO MIMO RADIOS WORK? Adaptability of Modern and LTE Technology. By Fanny Mlinarsky 1/12/2014 By Fanny Mlinarsky 1/12/2014 Rev. A 1/2014 Wireless technology has come a long way since mobile phones first emerged in the 1970s. Early radios were all analog. Modern radios include digital signal processing

More information

MATLAB COMMUNICATION TITLES

MATLAB COMMUNICATION TITLES MATLAB COMMUNICATION TITLES -2018 ORTHOGONAL FREQUENCY-DIVISION MULTIPLEXING(OFDM) 1 ITCM01 New PTS Schemes For PAPR Reduction Of OFDM Signals Without Side Information 2 ITCM02 Design Space-Time Trellis

More information

Analysis and Improvements of Linear Multi-user user MIMO Precoding Techniques

Analysis and Improvements of Linear Multi-user user MIMO Precoding Techniques 1 Analysis and Improvements of Linear Multi-user user MIMO Precoding Techniques Bin Song and Martin Haardt Outline 2 Multi-user user MIMO System (main topic in phase I and phase II) critical problem Downlink

More information

MOBILE COMPUTING 4/8/18. Basic Call. Public Switched Telephone Network - PSTN. CSE 40814/60814 Spring Transit. switch. Transit. Transit.

MOBILE COMPUTING 4/8/18. Basic Call. Public Switched Telephone Network - PSTN. CSE 40814/60814 Spring Transit. switch. Transit. Transit. MOBILE COMPUTING CSE 40814/60814 Spring 2018 Public Switched Telephone Network - PSTN Transit switch Transit switch Long distance network Transit switch Local switch Outgoing call Incoming call Local switch

More information

UNIK4230: Mobile Communications. Abul Kaosher

UNIK4230: Mobile Communications. Abul Kaosher UNIK4230: Mobile Communications Abul Kaosher abul.kaosher@nsn.com Multiple Access Multiple Access Introduction FDMA (Frequency Division Multiple Access) TDMA (Time Division Multiple Access) CDMA (Code

More information

802.11ax Design Challenges. Mani Krishnan Venkatachari

802.11ax Design Challenges. Mani Krishnan Venkatachari 802.11ax Design Challenges Mani Krishnan Venkatachari Wi-Fi: An integral part of the wireless landscape At the center of connected home Opening new frontiers for wireless connectivity Wireless Display

More information

Long Term Evolution (LTE) and 5th Generation Mobile Networks (5G) CS-539 Mobile Networks and Computing

Long Term Evolution (LTE) and 5th Generation Mobile Networks (5G) CS-539 Mobile Networks and Computing Long Term Evolution (LTE) and 5th Generation Mobile Networks (5G) Long Term Evolution (LTE) What is LTE? LTE is the next generation of Mobile broadband technology Data Rates up to 100Mbps Next level of

More information

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology CSC344 Wireless and Mobile Computing Department of Computer Science COMSATS Institute of Information Technology Wireless Physical Layer Concepts Part III Noise Error Detection and Correction Hamming Code

More information

Lecture 9: Spread Spectrum Modulation Techniques

Lecture 9: Spread Spectrum Modulation Techniques Lecture 9: Spread Spectrum Modulation Techniques Spread spectrum (SS) modulation techniques employ a transmission bandwidth which is several orders of magnitude greater than the minimum required bandwidth

More information

Performance Analysis of WiMAX Physical Layer Model using Various Techniques

Performance Analysis of WiMAX Physical Layer Model using Various Techniques Volume-4, Issue-4, August-2014, ISSN No.: 2250-0758 International Journal of Engineering and Management Research Available at: www.ijemr.net Page Number: 316-320 Performance Analysis of WiMAX Physical

More information

(COMPUTER NETWORKS & COMMUNICATION PROTOCOLS) Ali kamil Khairullah Number:

(COMPUTER NETWORKS & COMMUNICATION PROTOCOLS) Ali kamil Khairullah Number: (COMPUTER NETWORKS & COMMUNICATION PROTOCOLS) Ali kamil Khairullah Number: 15505071 22-12-2016 Downlink transmission is based on Orthogonal Frequency Division Multiple Access (OFDMA) which converts the

More information

Wireless Network Security Spring 2016

Wireless Network Security Spring 2016 Wireless Network Security Spring 2016 Patrick Tague Class #4 Physical Layer Threats; Jamming 2016 Patrick Tague 1 Class #4 PHY layer basics and threats Jamming 2016 Patrick Tague 2 PHY 2016 Patrick Tague

More information

CHAPTER 10 CONCLUSIONS AND FUTURE WORK 10.1 Conclusions

CHAPTER 10 CONCLUSIONS AND FUTURE WORK 10.1 Conclusions CHAPTER 10 CONCLUSIONS AND FUTURE WORK 10.1 Conclusions This dissertation reported results of an investigation into the performance of antenna arrays that can be mounted on handheld radios. Handheld arrays

More information

Mobile Broadband Multimedia Networks

Mobile Broadband Multimedia Networks Mobile Broadband Multimedia Networks Techniques, Models and Tools for 4G Edited by Luis M. Correia v c» -''Vi JP^^fte«jfc-iaSfllto ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN

More information

SNS COLLEGE OF ENGINEERING COIMBATORE DEPARTMENT OF INFORMATION TECHNOLOGY QUESTION BANK

SNS COLLEGE OF ENGINEERING COIMBATORE DEPARTMENT OF INFORMATION TECHNOLOGY QUESTION BANK SNS COLLEGE OF ENGINEERING COIMBATORE 641107 DEPARTMENT OF INFORMATION TECHNOLOGY QUESTION BANK EC6801 WIRELESS COMMUNICATION UNIT-I WIRELESS CHANNELS PART-A 1. What is propagation model? 2. What are the

More information

OFDM AS AN ACCESS TECHNIQUE FOR NEXT GENERATION NETWORK

OFDM AS AN ACCESS TECHNIQUE FOR NEXT GENERATION NETWORK OFDM AS AN ACCESS TECHNIQUE FOR NEXT GENERATION NETWORK Akshita Abrol Department of Electronics & Communication, GCET, Jammu, J&K, India ABSTRACT With the rapid growth of digital wireless communication

More information

EC 551 Telecommunication System Engineering. Mohamed Khedr

EC 551 Telecommunication System Engineering. Mohamed Khedr EC 551 Telecommunication System Engineering Mohamed Khedr http://webmail.aast.edu/~khedr 1 Mohamed Khedr., 2008 Syllabus Tentatively Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week

More information

Practical Implementation of Physical-Layer Key Generation using Standard WLAN Cards and Performance Evaluation

Practical Implementation of Physical-Layer Key Generation using Standard WLAN Cards and Performance Evaluation Practical Implementation of Physical-Layer Key Generation using Standard WLAN Cards and Performance Evaluation by Munder Hamruni Master Thesis in Electronics Engineering Ph.D. cand. (ABD) Oana Graur Prof.

More information

Department of Computer Science Institute for System Architecture, Chair for Computer Networks

Department of Computer Science Institute for System Architecture, Chair for Computer Networks Department of Computer Science Institute for System Architecture, Chair for Computer Networks LTE, WiMAX and 4G Mobile Communication and Mobile Computing Prof. Dr. Alexander Schill http://www.rn.inf.tu-dresden.de

More information

Background: Cellular network technology

Background: Cellular network technology Background: Cellular network technology Overview 1G: Analog voice (no global standard ) 2G: Digital voice (again GSM vs. CDMA) 3G: Digital voice and data Again... UMTS (WCDMA) vs. CDMA2000 (both CDMA-based)

More information

Introduction to Wireless and Mobile Networking. Hung-Yu Wei g National Taiwan University

Introduction to Wireless and Mobile Networking. Hung-Yu Wei g National Taiwan University Introduction to Wireless and Mobile Networking Lecture 3: Multiplexing, Multiple Access, and Frequency Reuse Hung-Yu Wei g National Taiwan University Multiplexing/Multiple Access Multiplexing Multiplexing

More information

References. What is UMTS? UMTS Architecture

References. What is UMTS? UMTS Architecture 1 References 2 Material Related to LTE comes from 3GPP LTE: System Overview, Product Development and Test Challenges, Agilent Technologies Application Note, 2008. IEEE Communications Magazine, February

More information

Investigation on Multiple Antenna Transmission Techniques in Evolved UTRA. OFDM-Based Radio Access in Downlink. Features of Evolved UTRA and UTRAN

Investigation on Multiple Antenna Transmission Techniques in Evolved UTRA. OFDM-Based Radio Access in Downlink. Features of Evolved UTRA and UTRAN Evolved UTRA and UTRAN Investigation on Multiple Antenna Transmission Techniques in Evolved UTRA Evolved UTRA (E-UTRA) and UTRAN represent long-term evolution (LTE) of technology to maintain continuous

More information

MULTIPLE-INPUT MULTIPLE-OUTPUT (MIMO) The key to successful deployment in a dynamically varying non-line-of-sight environment

MULTIPLE-INPUT MULTIPLE-OUTPUT (MIMO) The key to successful deployment in a dynamically varying non-line-of-sight environment White Paper Wi4 Fixed: Point-to-Point Wireless Broadband Solutions MULTIPLE-INPUT MULTIPLE-OUTPUT (MIMO) The key to successful deployment in a dynamically varying non-line-of-sight environment Contents

More information

Multiple Access Techniques

Multiple Access Techniques Multiple Access Techniques EE 442 Spring Semester Lecture 13 Multiple Access is the use of multiplexing techniques to provide communication service to multiple users over a single channel. It allows for

More information

NR Physical Layer Design: NR MIMO

NR Physical Layer Design: NR MIMO NR Physical Layer Design: NR MIMO Younsun Kim 3GPP TSG RAN WG1 Vice-Chairman (Samsung) 3GPP 2018 1 Considerations for NR-MIMO Specification Design NR-MIMO Specification Features 3GPP 2018 2 Key Features

More information

Wireless Physical Layer Concepts: Part III

Wireless Physical Layer Concepts: Part III Wireless Physical Layer Concepts: Part III Raj Jain Professor of CSE Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse574-08/

More information

Summary of the PhD Thesis

Summary of the PhD Thesis Summary of the PhD Thesis Contributions to LTE Implementation Author: Jamal MOUNTASSIR 1. Introduction The evolution of wireless networks process is an ongoing phenomenon. There is always a need for high

More information

MIMO in 4G Wireless. Presenter: Iqbal Singh Josan, P.E., PMP Director & Consulting Engineer USPurtek LLC

MIMO in 4G Wireless. Presenter: Iqbal Singh Josan, P.E., PMP Director & Consulting Engineer USPurtek LLC MIMO in 4G Wireless Presenter: Iqbal Singh Josan, P.E., PMP Director & Consulting Engineer USPurtek LLC About the presenter: Iqbal is the founder of training and consulting firm USPurtek LLC, which specializes

More information

TECHTRAINED. Foundations Explained. Learn Technology in 10 minutes. Contact:

TECHTRAINED. Foundations Explained. Learn Technology in 10 minutes. Contact: TT 1608: LTE Air Interface Foundations Explained Contact: hello@techtrained.com 469-619-7419 918-908-0336 Course Overview: If you are trying to learn LTE and don t know where to start. You or your technical

More information

Wireless Network Security Spring 2015

Wireless Network Security Spring 2015 Wireless Network Security Spring 2015 Patrick Tague Class #5 Jamming, Physical Layer Security 2015 Patrick Tague 1 Class #5 Jamming attacks and defenses Secrecy using physical layer properties Authentication

More information

Digi-Wave Technology Williams Sound Digi-Wave White Paper

Digi-Wave Technology Williams Sound Digi-Wave White Paper Digi-Wave Technology Williams Sound Digi-Wave White Paper TECHNICAL DESCRIPTION Operating Frequency: The Digi-Wave System operates on the 2.4 GHz Industrial, Scientific, and Medical (ISM) Band, which is

More information

Performance Analysis of n Wireless LAN Physical Layer

Performance Analysis of n Wireless LAN Physical Layer 120 1 Performance Analysis of 802.11n Wireless LAN Physical Layer Amr M. Otefa, Namat M. ElBoghdadly, and Essam A. Sourour Abstract In the last few years, we have seen an explosive growth of wireless LAN

More information

Working Party 5B DRAFT NEW RECOMMENDATION ITU-R M.[500KHZ]

Working Party 5B DRAFT NEW RECOMMENDATION ITU-R M.[500KHZ] Radiocommunication Study Groups Source: Subject: Document 5B/TEMP/376 Draft new Recommendation ITU-R M.[500kHz] Document 17 November 2011 English only Working Party 5B DRAFT NEW RECOMMENDATION ITU-R M.[500KHZ]

More information

PoC #1 On-chip frequency generation

PoC #1 On-chip frequency generation 1 PoC #1 On-chip frequency generation This PoC covers the full on-chip frequency generation system including transport of signals to receiving blocks. 5G frequency bands around 30 GHz as well as 60 GHz

More information

3G Evolution HSPA and LTE for Mobile Broadband Part II

3G Evolution HSPA and LTE for Mobile Broadband Part II 3G Evolution HSPA and LTE for Mobile Broadband Part II Dr Stefan Parkvall Principal Researcher Ericsson Research stefan.parkvall@ericsson.com Outline Series of three seminars I. Basic principles Channel

More information

A Polling Based Approach For Delay Analysis of WiMAX/IEEE Systems

A Polling Based Approach For Delay Analysis of WiMAX/IEEE Systems A Polling Based Approach For Delay Analysis of WiMAX/IEEE 802.16 Systems Archana B T 1, Bindu V 2 1 M Tech Signal Processing, Department of Electronics and Communication, Sree Chitra Thirunal College of

More information

COMPARISON BETWEEN LTE AND WIMAX

COMPARISON BETWEEN LTE AND WIMAX COMPARISON BETWEEN LTE AND WIMAX RAYAN JAHA Collage of Information and Communication Engineering, Sungkyunkwan University, Suwon, Korea E-mail: iam.jaha@gmail.com Abstract- LTE and WiMAX technologies they

More information

All Beamforming Solutions Are Not Equal

All Beamforming Solutions Are Not Equal White Paper All Beamforming Solutions Are Not Equal Executive Summary This white paper compares and contrasts the two major implementations of beamforming found in the market today: Switched array beamforming

More information

Multiple Antenna Systems in WiMAX

Multiple Antenna Systems in WiMAX WHITEPAPER An Introduction to MIMO, SAS and Diversity supported by Airspan s WiMAX Product Line We Make WiMAX Easy Multiple Antenna Systems in WiMAX An Introduction to MIMO, SAS and Diversity supported

More information

REPORT ITU-R M

REPORT ITU-R M Rep. ITU-R M.2113-1 1 REPORT ITU-R M.2113-1 Sharing studies in the 2 500-2 690 band between IMT-2000 and fixed broadband wireless access systems including nomadic applications in the same geographical

More information

RADIO LINK ASPECT OF GSM

RADIO LINK ASPECT OF GSM RADIO LINK ASPECT OF GSM The GSM spectral allocation is 25 MHz for base transmission (935 960 MHz) and 25 MHz for mobile transmission With each 200 KHz bandwidth, total number of channel provided is 125

More information

ECS455: Chapter 4 Multiple Access

ECS455: Chapter 4 Multiple Access ECS455: Chapter 4 Multiple Access Asst. Prof. Dr. Prapun Suksompong prapun@siit.tu.ac.th 1 Office Hours: BKD 3601-7 Tuesday 9:30-10:30 Tuesday 13:30-14:30 Thursday 13:30-14:30 ECS455: Chapter 4 Multiple

More information

Mobile & Wireless Networking. Lecture 2: Wireless Transmission (2/2)

Mobile & Wireless Networking. Lecture 2: Wireless Transmission (2/2) 192620010 Mobile & Wireless Networking Lecture 2: Wireless Transmission (2/2) [Schiller, Section 2.6 & 2.7] [Reader Part 1: OFDM: An architecture for the fourth generation] Geert Heijenk Outline of Lecture

More information

Multiplexing Module W.tra.2

Multiplexing Module W.tra.2 Multiplexing Module W.tra.2 Dr.M.Y.Wu@CSE Shanghai Jiaotong University Shanghai, China Dr.W.Shu@ECE University of New Mexico Albuquerque, NM, USA 1 Multiplexing W.tra.2-2 Multiplexing shared medium at

More information

RECOMMENDATION ITU-R F Radio interface standards for broadband wireless access systems in the fixed service operating below 66 GHz

RECOMMENDATION ITU-R F Radio interface standards for broadband wireless access systems in the fixed service operating below 66 GHz Rec. ITU-R F.1763 1 RECOMMENDATION ITU-R F.1763 Radio interface standards for broadband wireless access systems in the fixed service operating below 66 GHz (Question ITU-R 236/9) (2006) 1 Introduction

More information

CROSS-LAYER DESIGN FOR QoS WIRELESS COMMUNICATIONS

CROSS-LAYER DESIGN FOR QoS WIRELESS COMMUNICATIONS CROSS-LAYER DESIGN FOR QoS WIRELESS COMMUNICATIONS Jie Chen, Tiejun Lv and Haitao Zheng Prepared by Cenker Demir The purpose of the authors To propose a Joint cross-layer design between MAC layer and Physical

More information

Ten Things You Should Know About MIMO

Ten Things You Should Know About MIMO Ten Things You Should Know About MIMO 4G World 2009 presented by: David L. Barner www/agilent.com/find/4gworld Copyright 2009 Agilent Technologies, Inc. The Full Agenda Intro System Operation 1: Cellular

More information

Contents. IEEE family of standards Protocol layering TDD frame structure MAC PDU structure

Contents. IEEE family of standards Protocol layering TDD frame structure MAC PDU structure Contents Part 1: Part 2: IEEE 802.16 family of standards Protocol layering TDD frame structure MAC PDU structure Dynamic QoS management OFDM PHY layer S-72.3240 Wireless Personal, Local, Metropolitan,

More information

Spread Spectrum: Definition

Spread Spectrum: Definition Spread Spectrum: Definition refers to the expansion of signal bandwidth, by several orders of magnitude in some cases, which occurs when a key is attached to the communication channel an RF communications

More information

(some) Device Localization, Mobility Management and 5G RAN Perspectives

(some) Device Localization, Mobility Management and 5G RAN Perspectives (some) Device Localization, Mobility Management and 5G RAN Perspectives Mikko Valkama Tampere University of Technology Finland mikko.e.valkama@tut.fi +358408490756 December 16th, 2016 TAKE-5 and TUT, shortly

More information

1

1 sebastian.caban@nt.tuwien.ac.at 1 This work has been funded by the Christian Doppler Laboratory for Wireless Technologies for Sustainable Mobility and the Vienna University of Technology. Outline MIMO

More information

Chapter 2 Overview. Duplexing, Multiple Access - 1 -

Chapter 2 Overview. Duplexing, Multiple Access - 1 - Chapter 2 Overview Part 1 (2 weeks ago) Digital Transmission System Frequencies, Spectrum Allocation Radio Propagation and Radio Channels Part 2 (last week) Modulation, Coding, Error Correction Part 3

More information

CS 6956 Wireless & Mobile Networks April 1 st 2015

CS 6956 Wireless & Mobile Networks April 1 st 2015 CS 6956 Wireless & Mobile Networks April 1 st 2015 The SIM Card Certain phones contain SIM lock and thus work only with the SIM card of a certain operator. However, this is not a GSM restriction introduced

More information

IMPLEMENTATION OF SOFTWARE-BASED 2X2 MIMO LTE BASE STATION SYSTEM USING GPU

IMPLEMENTATION OF SOFTWARE-BASED 2X2 MIMO LTE BASE STATION SYSTEM USING GPU IMPLEMENTATION OF SOFTWARE-BASED 2X2 MIMO LTE BASE STATION SYSTEM USING GPU Seunghak Lee (HY-SDR Research Center, Hanyang Univ., Seoul, South Korea; invincible@dsplab.hanyang.ac.kr); Chiyoung Ahn (HY-SDR

More information

DOWNLINK AIR-INTERFACE...

DOWNLINK AIR-INTERFACE... 1 ABBREVIATIONS... 10 2 FUNDAMENTALS... 14 2.1 INTRODUCTION... 15 2.2 ARCHITECTURE... 16 2.3 INTERFACES... 18 2.4 CHANNEL BANDWIDTHS... 21 2.5 FREQUENCY AND TIME DIVISION DUPLEXING... 22 2.6 OPERATING

More information

Improving MU-MIMO Performance in LTE-(Advanced) by Efficiently Exploiting Feedback Resources and through Dynamic Scheduling

Improving MU-MIMO Performance in LTE-(Advanced) by Efficiently Exploiting Feedback Resources and through Dynamic Scheduling Improving MU-MIMO Performance in LTE-(Advanced) by Efficiently Exploiting Feedback Resources and through Dynamic Scheduling Ankit Bhamri, Florian Kaltenberger, Raymond Knopp, Jyri Hämäläinen Eurecom, France

More information

OFDMA PHY for EPoC: a Baseline Proposal. Andrea Garavaglia and Christian Pietsch Qualcomm PAGE 1

OFDMA PHY for EPoC: a Baseline Proposal. Andrea Garavaglia and Christian Pietsch Qualcomm PAGE 1 OFDMA PHY for EPoC: a Baseline Proposal Andrea Garavaglia and Christian Pietsch Qualcomm PAGE 1 Supported by Jorge Salinger (Comcast) Rick Li (Cortina) Lup Ng (Cortina) PAGE 2 Outline OFDM: motivation

More information

Wireless Networks (PHY): Design for Diversity

Wireless Networks (PHY): Design for Diversity Wireless Networks (PHY): Design for Diversity Y. Richard Yang 9/20/2012 Outline Admin and recap Design for diversity 2 Admin Assignment 1 questions Assignment 1 office hours Thursday 3-4 @ AKW 307A 3 Recap:

More information

TS 5G.201 v1.0 (2016-1)

TS 5G.201 v1.0 (2016-1) Technical Specification KT PyeongChang 5G Special Interest Group (); KT 5th Generation Radio Access; Physical Layer; General description (Release 1) Ericsson, Intel Corp., Nokia, Qualcomm Technologies

More information

LTE-Advanced and Release 10

LTE-Advanced and Release 10 LTE-Advanced and Release 10 1. Carrier Aggregation 2. Enhanced Downlink MIMO 3. Enhanced Uplink MIMO 4. Relays 5. Release 11 and Beyond Release 10 enhances the capabilities of LTE, to make the technology

More information

Wireless Medium Access Control and CDMA-based Communication Lesson 16 Orthogonal Frequency Division Medium Access (OFDM)

Wireless Medium Access Control and CDMA-based Communication Lesson 16 Orthogonal Frequency Division Medium Access (OFDM) Wireless Medium Access Control and CDMA-based Communication Lesson 16 Orthogonal Frequency Division Medium Access (OFDM) 1 4G File transfer at 10 Mbps High resolution 1024 1920 pixel hi-vision picture

More information

Part 7. B3G and 4G Systems

Part 7. B3G and 4G Systems Part 7. B3G and 4G Systems p. 1 Roadmap HSDPA HSUPA HSPA+ LTE AIE IMT-Advanced (4G) p. 2 HSPA Standardization 3GPP Rel'99: does not manage the radio spectrum efficiently when dealing with bursty traffic

More information

Study of Performance Evaluation of Quasi Orthogonal Space Time Block Code MIMO-OFDM System in Rician Channel for Different Modulation Schemes

Study of Performance Evaluation of Quasi Orthogonal Space Time Block Code MIMO-OFDM System in Rician Channel for Different Modulation Schemes Volume 4, Issue 6, June (016) Study of Performance Evaluation of Quasi Orthogonal Space Time Block Code MIMO-OFDM System in Rician Channel for Different Modulation Schemes Pranil S Mengane D. Y. Patil

More information

A New Adaptive Channel Estimation for Frequency Selective Time Varying Fading OFDM Channels

A New Adaptive Channel Estimation for Frequency Selective Time Varying Fading OFDM Channels A New Adaptive Channel Estimation for Frequency Selective Time Varying Fading OFDM Channels Wessam M. Afifi, Hassan M. Elkamchouchi Abstract In this paper a new algorithm for adaptive dynamic channel estimation

More information

MIMO-aware Cooperative Cognitive Radio Networks. Hang Liu

MIMO-aware Cooperative Cognitive Radio Networks. Hang Liu MIMO-aware Cooperative Cognitive Radio Networks Hang Liu Outline Motivation and Industrial Relevance Project Objectives Approach and Previous Results Future Work Outcome and Impact [2] Motivation & Relevance

More information

ECS455: Chapter 4 Multiple Access

ECS455: Chapter 4 Multiple Access ECS455: Chapter 4 Multiple Access 4.4 DS/SS 1 Dr.Prapun Suksompong prapun.com/ecs455 Office Hours: BKD 3601-7 Tuesday 9:30-10:30 Tuesday 13:30-14:30 Thursday 13:30-14:30 Spread spectrum (SS) Historically

More information

Medium Access Control. Wireless Networks: Guevara Noubir. Slides adapted from Mobile Communications by J. Schiller

Medium Access Control. Wireless Networks: Guevara Noubir. Slides adapted from Mobile Communications by J. Schiller Wireless Networks: Medium Access Control Guevara Noubir Slides adapted from Mobile Communications by J. Schiller S200, COM3525 Wireless Networks Lecture 4, Motivation Can we apply media access methods

More information

K.NARSING RAO(08R31A0425) DEPT OF ELECTRONICS & COMMUNICATION ENGINEERING (NOVH).

K.NARSING RAO(08R31A0425) DEPT OF ELECTRONICS & COMMUNICATION ENGINEERING (NOVH). Smart Antenna K.NARSING RAO(08R31A0425) DEPT OF ELECTRONICS & COMMUNICATION ENGINEERING (NOVH). ABSTRACT:- One of the most rapidly developing areas of communications is Smart Antenna systems. This paper

More information

Lecture 3: Wireless Physical Layer: Modulation Techniques. Mythili Vutukuru CS 653 Spring 2014 Jan 13, Monday

Lecture 3: Wireless Physical Layer: Modulation Techniques. Mythili Vutukuru CS 653 Spring 2014 Jan 13, Monday Lecture 3: Wireless Physical Layer: Modulation Techniques Mythili Vutukuru CS 653 Spring 2014 Jan 13, Monday Modulation We saw a simple example of amplitude modulation in the last lecture Modulation how

More information

IEEE c-00/40. IEEE Broadband Wireless Access Working Group <

IEEE c-00/40. IEEE Broadband Wireless Access Working Group < Project Title Date Submitted Source(s) IEEE 802.16 Broadband Wireless Access Working Group Initial PHY Layer System Proposal for Sub 11 GHz BWA 2000-10-30 Anader Benyamin-Seeyar

More information

Physical Layer Frame Structure in 4G LTE/LTE-A Downlink based on LTE System Toolbox

Physical Layer Frame Structure in 4G LTE/LTE-A Downlink based on LTE System Toolbox IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 1, Issue 3, Ver. IV (May - Jun.215), PP 12-16 www.iosrjournals.org Physical Layer Frame

More information

LTE Air Interface. Course Description. CPD Learning Credits. Level: 3 (Advanced) days. Very informative, instructor was engaging and knowledgeable!

LTE Air Interface. Course Description. CPD Learning Credits. Level: 3 (Advanced) days. Very informative, instructor was engaging and knowledgeable! Innovating Telecoms Training Very informative, instructor was engaging and knowledgeable! Watch our course intro video. LTE Air Interface Course Description With the introduction of LTE came the development

More information

W-CDMA for UMTS Principles

W-CDMA for UMTS Principles W-CDMA for UMTS Principles Introduction CDMA Background/ History Code Division Multiple Access (CDMA) Why CDMA? CDMA Principles / Spreading Codes Multi-path Radio Channel and Rake Receiver Problems to

More information