ProxiMate : Proximity Based Secure Pairing using Ambient Wireless Signals Suhas Mathur AT&T Security Research Group Rob Miller, Alex Varshavsky, Wade Trappe, Narayan Madayam Suhas Mathur (AT&T) firstname AT att.com ACM Mobisys, 30 June 2011
Overview 1 The Secure Pairing problem 2 How wireless channels can help 3 ProxiMate in detail Suhas Mathur (AT&T) firstname AT att.com ACM Mobisys, 30 June 2011
The Secure Pairing problem
Alice & Bob have no prior trust relationship Alice Bob
Alice & Bob have no prior trust relationship They d like to exchange a secret message. Alice Bob
Alice & Bob have no prior trust relationship They d like to exchange a secret message. Alice Bob Eve
But they don t share a key Alice Bob Eve
Alice? Bob Eve
Alice Diffie Hellman key exchange Bob Eve
Alice Diffie Hellman key exchange Bob Eve Computational Secrecy (Computationally bounded Eve) k = key, Y = Eve s observations It is computationally infeasible to compute k from Y.
Alice Diffie Hellman key exchange Bob Eve But how does Alice know that she is talking to Bob? Easy to spoof identity on the wireless channel, when there is no prior trust relationship.
How can Wireless Channels help?
What is a Wireless Channel?
What is a Wireless Channel? It is the distortion h(t) produced by environment between transmitter and receiver = a randomly varying complex number (= a + j.b)
What is a Wireless Channel? It is the distortion h(t) produced by environment between transmitter and receiver = a randomly varying complex number (= a + j.b)
What is a Wireless Channel? It is the distortion h(t) produced by environment between transmitter and receiver = a randomly varying complex number (= a + j.b) h(t) decorrelates in space and time: Space: Over distances of λ/2 (= 6 cm @ 2.4 GHz) Time: Over one coherence time T c ( 100s of msec @ 2.4 GHz)
ProxiMate: Use a public RF source for secure pairing
ProxiMate: Use a public RF source for secure pairing
ProxiMate: Use a public RF source for secure pairing Assumption: Alice-Bob closer to each other than to Eve
Provides Alice & Bob (but not Eve) with a continuous, private source of randomness
Provides Alice & Bob (but not Eve) with a continuous, private source of randomness ProxiMate: 1 Use this source to generate a secret key at Alice and Bob
Provides Alice & Bob (but not Eve) with a continuous, private source of randomness ProxiMate: 1 Use this source to generate a secret key at Alice and Bob 2 If K alice = K Bob, then Alice & Bob know they are in proximity
Provides Alice & Bob (but not Eve) with a continuous, private source of randomness ProxiMate: 1 Use this source to generate a secret key at Alice and Bob 2 If K alice = K Bob, then Alice & Bob know they are in proximity 3 Use the key for encrypting all further communication.
ProxiMate in detail
Example trace 6 5 x 10 4 Alice Bob Amplitude 4 3 2 1 0 0 5 10 15 20 25 Time (Sec) Peter-to-Alice and Peter-to-Bob channels FM radio, 88.7 MHz Alice and Bob are 34 cm = wavelength 10 apart.
A & B locally compute quantizer threshold (e.g. median) 6 5 x 10 4 Alice Bob Amplitude 4 3 2 1 0 0 5 10 15 20 25 Time (Sec) Peter-to-Alice and Peter-to-Bob channels FM radio, 88.7 MHz Alice and Bob are 34 cm = wavelength 10 apart.
Quantize at intervals > Coherence time 6 5 x 10 4 Alice Bob Amplitude 4 3 2 1 0 0 5 10 15 20 25 Time (Sec) Bits obtained by Alice and Bob: A s Bits: 101001010101011010100100101 = w. B s Bits: 101000010101011110100100101 = w
A & B want identical keys, of which Eve knows nothing
A & B want identical keys, of which Eve knows nothing A s Bits: 101001010101011010100100101 = w. B s Bits: 101000010101011110100100101 = w
A & B want identical keys, of which Eve knows nothing A s Bits: 101001010101011010100100101 = w. B s Bits: 101000010101011110100100101 = w 1 A sends B code-offset P of w wrt a codeword c 1 in known code C.
A & B want identical keys, of which Eve knows nothing A s Bits: 101001010101011010100100101 = w. B s Bits: 101000010101011110100100101 = w 1 A sends B code-offset P of w wrt a codeword c 1 in known code C. 2 B uses P along with w to determine w.
A & B want identical keys, of which Eve knows nothing A s Bits: 101001010101011010100100101 = w. B s Bits: 101000010101011110100100101 = w 1 A sends B code-offset P of w wrt a codeword c 1 in known code C. 2 B uses P along with w to determine w. 3 Eliminate information leaked out to Eve via P by discarding H(P) bits.
Experimental evaluation
Experimental evaluation
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds.
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds. 2 TV channels ( 600 MHz) and FM channels ( 100 MHz)
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds. 2 TV channels ( 600 MHz) and FM channels ( 100 MHz) 3 Metrics of interest:
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds. 2 TV channels ( 600 MHz) and FM channels ( 100 MHz) 3 Metrics of interest: Rate (secret bits per sec)
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds. 2 TV channels ( 600 MHz) and FM channels ( 100 MHz) 3 Metrics of interest: Rate (secret bits per sec) Bit-error-rate (fraction of bits that differ at A & B)
Experimental evaluation 1 USRP/GNUradio - bridges the physical & software worlds. 2 TV channels ( 600 MHz) and FM channels ( 100 MHz) 3 Metrics of interest: Rate (secret bits per sec) Bit-error-rate (fraction of bits that differ at A & B) Mutual Information: Statistical dependence between two quantities
Bit-error-rate Vs. distance between two receivers Fraction of bits that differ (ε) 0.5 0.4 0.3 0.2 0.1 TV FM 0 0 0.2 0.4 0.6 Distance between receivers (in λ)
Shaking devices helps Rate
Shaking devices helps Rate 1 Coherence time T c 1/Rate estimated using level crossing rate.
Shaking devices helps Rate 1 Coherence time T c 1/Rate estimated using level crossing rate. 2 T c can be increased if Alice and Bob physically shaken together.
Shaking devices helps Rate 1 Coherence time T c 1/Rate estimated using level crossing rate. 2 T c can be increased if Alice and Bob physically shaken together. Coherence time estimates Time (sec) 0.35 0.3 0.25 0.2 0.15 0.1 0.05 0 Stationary moving slowly moving fast Time (Sec) 1.45 1.25 1.05 0.85 0.65 0.45 Stationary moving slowly moving fast TV FM
Shaking devices helps Rate 1 Coherence time T c 1/Rate estimated using level crossing rate. 2 T c can be increased if Alice and Bob physically shaken together. Coherence time estimates Time (sec) 0.35 0.3 0.25 0.2 0.15 0.1 0.05 0 Stationary moving slowly moving fast Time (Sec) 1.45 1.25 1.05 0.85 0.65 0.45 Stationary moving slowly moving fast TV FM 2x in rate by shaking.
Shaking devices helps Rate 1 Coherence time T c 1/Rate estimated using level crossing rate. 2 T c can be increased if Alice and Bob physically shaken together. Coherence time estimates Time (sec) 0.35 0.3 0.25 0.2 0.15 0.1 0.05 0 Stationary moving slowly moving fast Time (Sec) 1.45 1.25 1.05 0.85 0.65 0.45 Stationary moving slowly moving fast TV FM 2x in rate by shaking. Shaking also provides resistance to passive attackers within λ/2!
Monitoring multiple sources
Monitoring multiple sources
Monitoring multiple sources
Monitoring multiple sources Rate # of Independent sources of randomness.
Number of seconds needed for a 128-bit key with 10 sources Stationary Moving slow Moving fast TV 11 4.2 3.3 FM 33.62 18.3 15 Prob(Key mismatch) 10 4
What if Eve controls the transmitter? (i.e. Eve = Peter)
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 Eve free to vary the transmit signal however she wants
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 Eve free to vary the transmit signal however she wants 2 Can Alice & Bob extract bits about which Eve has no information?
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 Eve free to vary the transmit signal however she wants 2 Can Alice & Bob extract bits about which Eve has no information? 3 Using Magnitude: No!
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 Eve free to vary the transmit signal however she wants 2 Can Alice & Bob extract bits about which Eve has no information? 3 Using Magnitude: No!
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 Eve free to vary the transmit signal however she wants 2 Can Alice & Bob extract bits about which Eve has no information? 3 Using Magnitude: No! 4 Using Phase: Yes! Because phase wraps around after 2π
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 But Local Osciallators @ Alice and Bob are not synchronized. Thus, only change in phase at A & B will be similar in value.
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 But Local Osciallators @ Alice and Bob are not synchronized. Thus, only change in phase at A & B will be similar in value. 2 Approach: We use differential phase across T c
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 But Local Osciallators @ Alice and Bob are not synchronized. Thus, only change in phase at A & B will be similar in value. 2 Approach: We use differential phase across T c 3 To test, we let Eve transmit a recorded FM signal
What if Eve controls the transmitter? (i.e. Eve = Peter) 1 But Local Osciallators @ Alice and Bob are not synchronized. Thus, only change in phase at A & B will be similar in value. 2 Approach: We use differential phase across T c 3 To test, we let Eve transmit a recorded FM signal 4 Eve knows almost nothing about diff-phase at Alice & Bob.
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity.
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary.
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0.
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated:
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated: # of sources monitored
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated: # of sources monitored frequency monitored
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated: # of sources monitored frequency monitored E.g.: 4-digit PIN in 0.34 sec with 10 TV sources.
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated: # of sources monitored frequency monitored E.g.: 4-digit PIN in 0.34 sec with 10 TV sources. 5 ProxiMate s complexity is O(n) while Diffie-Hellman is O(n 3 ).
Summary 1 ProxiMate: secure pairing of wireless devices based on just proximity. 2 Secure against even a computationally unbounded adversary. 3 Prob. of key mismatch can be driven to 0. 4 Rate at which a common key is generated: # of sources monitored frequency monitored E.g.: 4-digit PIN in 0.34 sec with 10 TV sources. 5 ProxiMate s complexity is O(n) while Diffie-Hellman is O(n 3 ). 6 ProxiMate can generate a secret key even if RF source is adversarial.
Questions/Comments
Backup Slides
Related work 1 Low power communications not secure: Susceptible to eavesdropping using a high gain directional antenna Bluetooth can be sniffed from over a mile away [Wright06] NFC is convenient but not secure by itself [Haselsteine06] 2 Existing approaches are cumbersome Human intervention (cables, entering PINs) Faraday cage [Perrig07] 3 Ambient wireless signals like WiFi can help establish proximity [AMIGO-Varshavsky07]
Where does the randomness and the spatial & temporal de-correlation come from?
Synchronizing Alice & Bob 1 Alice and Bob demodulate their signals 2 Alice sends Bob a snippet of the demodulated signal to indicate t = 0
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ BSC with crossover prob. = ɛ (capacity = 1 Hb (ɛ))
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ BSC with crossover prob. = ɛ (capacity = 1 Hb (ɛ)) 2 For high ɛ, long codes are needed for reasonable rate Long delay.
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ BSC with crossover prob. = ɛ (capacity = 1 Hb (ɛ)) 2 For high ɛ, long codes are needed for reasonable rate Long delay. Fraction of bits that differ (ε) 0.6 0.5 0.4 0.3 0.2 0.1 Theoretical curve Rate 1/4 LDPC code, n = 1008 P e = 3.5 * 10 3 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 Distance (in units of λ)
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ BSC with crossover prob. = ɛ (capacity = 1 Hb (ɛ)) 2 For high ɛ, long codes are needed for reasonable rate Long delay. Fraction of bits that differ (ε) 0.6 0.5 0.4 0.3 0.2 0.1 Theoretical curve Rate 1/4 LDPC code, n = 1008 P e = 3.5 * 10 3 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 Distance (in units of λ) 3 Can we do better overall by ɛ at the cost of a lower R?
How many secret bits / second? 1 Suppose Alice & Bob generate R bits/sec that differ with prob. ɛ BSC with crossover prob. = ɛ (capacity = 1 Hb (ɛ)) 2 For high ɛ, long codes are needed for reasonable rate Long delay. Fraction of bits that differ (ε) 0.6 0.5 0.4 0.3 0.2 0.1 Theoretical curve Rate 1/4 LDPC code, n = 1008 P e = 3.5 * 10 3 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 Distance (in units of λ) 3 Can we do better overall by ɛ at the cost of a lower R? 4 We can trade R for ɛ. Let effective rate: R = R (1 H b (ɛ)) bits per sec
Copyrights disclaimer The Tux logo, the Adium duck and the BSD devil may be trademarks of their respective owners. They are used in this presentation only for illustrative purposes. No personal financial gain was made from this presentation.