physical layer security in a 5g settingkom.aau.dk/~nup/wunder-talk-mcc_1.pdf · 5g security...
TRANSCRIPT
Physical Layer Security in a 5G Setting
G. Wunder R. Fritschek R. KhanFreie Universitat Berlinhttp://www.mi.fu-berlin.de/en/inf/groups/ag-comm/index.html
in cooperation with Francois Delaveau, Christiane-Laurie Kmeni Ngassa(both Thales Group, France)
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 2
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 3
5G Security Landscape
I 5GPPP ’5GEnsure’: Reference project for 5G security, privacy and trust
I Goal: Produce a 5G security architecture and use cases
I Initial set of security enablers
I Mainly core network related procedures
I IoT enablers for AAAI Improved identity protection (IMSI, UICC, (V)MNOs etc.)I Trust builders, metrics, VNF certificationI Network virtualization isolationI Monitoring tools (access control, bootstrapping etc.)I ...
I Potential ’cross projects’ topic Phase II
,
FU Berlin, PHYSec in 5G, July 6, 2016 4
Phase II
I Open consultation on 5G security among stakeholders:
I Faster handling of security procedures for extremely low latency applicationI Data authenticity, confidentiality and integrity for resource-constrained divesI Seamless authentication over multiple devices, access networks, servicesI Protection against DOS attacks to core and radioI Security mechanisms for NFV infrastructure
I Remedies (particularly privacy/security trade-offs):
I Secret sharing (no single point of trust and failure)I Practical homomorphic encryptionI Privacy-preserving profilingI IoT: Lightweight encryptionI IoT: PuFsI IoT: Physical layer security
,
FU Berlin, PHYSec in 5G, July 6, 2016 5
Physical Layer Security: Approaches
Definition: Physical Layer Security
Security is handled on PHY layer by exploiting PHY layer parameters (e.g. channel,noise, ...) and controlled (of course) by MAC protocol.
I Advantages:
I Faster procedures: Algorithms run on PHY/MAC level, no packets are given tohigher layers
I ScalableI Energy/computation-efficient with lightweight ciphersI Improved usabilityI Improved securityI The ’radio advantage’I ...
I Approaches:
I Secrecy codingI Secret key generationI Secure pairing
,
FU Berlin, PHYSec in 5G, July 6, 2016 6
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 7
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threat
Example: Factor 193 digitsI Conventional Computer: 30 CPU
years at 2.2 GHzI Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Motivation: Notions of Security
Encoder Decoder
Decoder
Xn Y nM M
Zn
Alice Bob
Eve
p(y|x)
p(z|x)
k-bit message M
Computational Complexity
I Alice uses encryption scheme (e.g.RSA)
I Assumption: Some things hard tocompute (factorization (RSA), etc.)
I However: Quantum computing will bea threatExample: Factor 193 digits
I Conventional Computer: 30 CPUyears at 2.2 GHz
I Quantum Computer: 0.1 seconds!
Physical Layer Security(Information-Theoretical Sec.)
I Strictest notion of security
I Prob[M | Eve’s Knowledge]≈ Prob[M ]H(M |Zn) = H(M) or I(M ;Zn) = 0
I However: How to realize?
I Approaches: Secrecy Coding,Jamming, Key Generation
,
FU Berlin, PHYSec in 5G, July 6, 2016 8
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
MA MB
MB MA
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
MA MB
MB MA
Y1 = X1K1 +N1
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
MA MB
MB MA
Y1 = X1K1 +N1
Y2 = X2K2 +N2
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
MA MB
MB MA
Y1 = X1K1 +N1
Y2 = X2K2 +N2
Z2 = X2H2 +N3Z1 = X1H1 +N4
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
Pilot Pilot
K2 K1
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Y n
1
Xn
2Y n
2
Eve
Alice Bob
H H
N1K1
K2N2
Pilot Pilot
K2 K1
f(K ′) =Key g(K1) =Key
Public Discussion
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Y n
1
Xn
2Y n
2
Eve
Alice Bob
H H
N1K1
K2N2
Pilot Pilot
K2 K1
f(K ′) =Key g(K1) =Key
Public Discussion
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Y n
1
Xn
2Y n
2
Eve
Alice Bob
H H
N1K1
K2N2
Pilot Pilot
K2 K1
f(K ′) =Key g(K1) =Key
Public Discussion
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: State-of-the-Art
Enc / Dec Enc / Dec
Xn
1 Y n
1
Xn
2Y n
2
Eve
Alice Bob
H H
N1K1
K2N2
Pilot Pilot
K2 K1
f(K ′) =Key g(K1) =Key
Public Discussion
I Pilot signaling to estimate channel gain K
I Utilizes reciprocity: K1 = K2
I Public Discussion to reconcile
I Key Rate I(K1;K2), secure because Eve’s channel is different
I Do we need the pilot signals?
,
FU Berlin, PHYSec in 5G, July 6, 2016 9
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
I Idea: Estimate the product XK instead of K
I Key rate I(Y1, X2;Y2, X1) achievable?
I How to do in practice?
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
I Idea: Estimate the product XK instead of K
I Key rate I(Y1, X2;Y2, X1) achievable?
I How to do in practice?
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Idea: Estimate the product XK instead of K
I Key rate I(Y1, X2;Y2, X1) achievable?
I How to do in practice?
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Simple preliminary Soln.: Use the product!
I f(X2K,X1) = X2KX1, g(X1K,X2) = X1KX2
I Simple to implement
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Simple preliminary Soln.: Use the product!
I f(X2K,X1) = X2KX1, g(X1K,X2) = X1KX2
I Simple to implement
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Simple preliminary Soln.: Use the product!
I f(X2K,X1) = X2KX1, g(X1K,X2) = X1KX2
I Simple to implement
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Simple preliminary Soln.: Use the product!
I f(X2K,X1) = X2KX1, g(X1K,X2) = X1KX2
I Simple to implement
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Secure Key Generation: A New Direction
Enc / Dec Enc / Dec
Xn
1Y
n
1
Xn
2Y
n
2
Eve
Alice Bob
H H
N1K1
K2N2
ωA ωB
X2K2X1K1
f(X2K,X1)=Key g(X1K,X2)=Key
Public Discussion
I Simple preliminary Soln.: Use the product!
I f(X2K,X1) = X2KX1, g(X1K,X2) = X1KX2
I Simple to implement
I However: hard to analyse key rate expressions: I(Y1X2;X1Y2) =?
I What about security? I(Key;Eve’s Information) ?
,
FU Berlin, PHYSec in 5G, July 6, 2016 10
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 11
The Wiretap Scenario
Encoder Decoder
Decoder
Xn
YnM M
Zn
Nn
m
Nn
e
Alice Bob
Eve
I Alice wants to communicate a message M via X to Bob, and Bob receivesY = X +Nm
I But a Wiretapper can see the message through another channel e
I The wiretapper Eve receives Z = X +Ne
I Question: Can Alice communicate secretly to Bob?
,
FU Berlin, PHYSec in 5G, July 6, 2016 12
Secrecy Coding (SC)
Definition: Secrecy Capacity
For a (2nR, n) code Cn, which is known by Alice, Bob and Eve
I Code rate: 1nH(M) = R+ δ
I Reliability measure: Pe(Cn) = Pr[M 6= M |Cn]I Secrecy measure - Equivocation: H(M |Zn, Cn) (as high as possible)
I Secrecy measure - Information leakage: I(M ;Zn|Cn) (as low as possible)
Wyner 75′, Csizar and Korner 78′
Cs(PY Z|X) = maxPUX
[I(U ;Y )− I(U ;Z)] ≥ maxPX
[I(X;Y )− I(X;Z)]
Intuitively: Alice uses ’radio advantage’ over Eves channel to send ’perfectly’ securedmessages to Bob
,
FU Berlin, PHYSec in 5G, July 6, 2016 13
SC: How to practically use the advantage?
Polaror RMouter
encoder
FEC
innerencoder
RadioChannel
FEC
innerdecoder
Polaror RMouter
decoder
I Use concatenation of two codes(Thales WinnCOMM 2016)
I Inner Forward-Error-Correction code(FEC) for sufficient error correction(e.g. LDPC)
I Outer secrecy code to use theadvantage of Bob (Polar orReed-Muller code)
-1 0 1 2 3 4 5 6 7
100
SINR (in dB)
BER
of U
D b
its
10-1
10-2
10-3
10-4
10-5
10-6
LDPC decoderPolar, SC1 rate: 0.4Polar, SC2 rate: 0.3Polar, SC3 rate: 0.23RM, SC4 rate: 0.33RM, SC5 rate: 0.25
BER -> 0.2
BER = 0.5
TargetBERforBob
Bob’sside
TargetBERforEve
Eves’side
Radio Advantage
2,7 dB
I Outer code is partitioned into several parts ranked for channel goodness; Goodparts are used for information transfer, Eve just gets bad parts
,
FU Berlin, PHYSec in 5G, July 6, 2016 14
Secrecy Coding - Challenges
I However: SC based on better Channel to Bob
Question 1: Is this a practical requirements?
→ No ”warranty” for Alice-to-Bob ”radio advantage”!
Question 2: What can we do if Eve got the better channel?
Several approaches exist:I For example:
I Jamming / alignment strategies [ISIT16-Paper]I Secret key generation (SKG) schemes [PIMRC16-Paper]
,
FU Berlin, PHYSec in 5G, July 6, 2016 15
The Wiretap Scenario with Public Discussion
Encoder Decoder
Decoder
Xn
YnM M
Zn
Nn
m
Nn
e
Alice Bob
Eve
public noiseless channel
I Public Discussion can be used to transform the channel
I New channel meets previous requirements for Eve
I Paradigm shift: From secrecy capacity to secret key rate
,
FU Berlin, PHYSec in 5G, July 6, 2016 16
Secret Key Generation
Definition: Secret Key Rate
A secret key rate Rs is said to be achievable (for all ε > 0) if
I Alice and Bob agree on the key: P{S 6= S} ≤ εI While keeping Eve in the dark: 1
nI(S;Eve) ≤ ε
I But still achieving a key rate: 1nH(S) ≥ Rs − ε
Maurer, Ahlswede and Csiszar 93′
I(X;Y )−min(I(X;Z), I(Y ;Z)) ≤ Cs ≤ min(I(X;Y ), I(X,Y |Z))
Even if Eve got the better channel, using a public channel can ensure secrecy!However, Alice and Bob communicate over the publice channel
,
FU Berlin, PHYSec in 5G, July 6, 2016 17
Two-Way Secret Key Generation
Enc / Dec Enc / Dec
Xn
1 Yn
1
Xn
2Y
n
2
S S
EveΦt Ψt
ωA ωB
Alice Bob
H H
Z1K1
K′
1Z2
I Use two-way communication for key generation and exploit channel entropy
I ”Generate” source of common randomness at both terminals
I Extract secret key from common randomness: channel gains K1, K′1 are highlycorrelated random variables, i.e. K1 ≈ K′1 (reciprocity & fading)
,
FU Berlin, PHYSec in 5G, July 6, 2016 18
Two-Way Secret Key Generation
How to get a key?
I Idea: Send pilot signals and measure the channel gain at Alice and Bob
I Measured signals get quantized at both terminals
I Alice and Bob reconcile via Public Discussion to agree on a keyI Reconciliation can be done such that Eve gains no knowledge of the key
I Example: Difference of both msg’s viewed as ”channel noise impairment”I Error correction codes can be used: Alice calculates parity Bits; sends them to Bob
so that Bob can reconstruct the same measurement
Drawback:
I Dependent on channel gain randomness: static scenarios yield less key rate
Altogether:
Both SC and (two-way) SKG cannot provide security warranties which limits theirapplication so far.
,
FU Berlin, PHYSec in 5G, July 6, 2016 19
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 20
SKG: Using Local Sources
Channel Model:
YB = KX1 + Z1
YA = KX2 + Z2
I X1, X2 are send codewords and K is the channel gain
I Bob has access to (KX1 + Z1, X2) and Alice to (KX2 + Z2, X2)
I Ahlswede & Cszizar: Keyrate = I(YA, X2;YB , X1) (no side-info at Eve)
But
I What is the key rate?
I How to achieve it in practices?
I What about side-information at Eve?
,
FU Berlin, PHYSec in 5G, July 6, 2016 21
SKG: Using Local Sources
Theorem
The key rate for local and global randomness sources is split up in contributions fromboth.
I(YA, X1;YB , X2)
= I(X1;YB) + I(YA;X2) + I(YA;YB |X2, X1)
I I(X1;YB), I(YA;X2) is the capacity for a non-coherent fading channelI I(YA;YB |X2, X1) is the key rate for the channel gain randomness conditioned on
the input signalsI Therefore: Exactly the standard achievable key rate!
I Result: Using local and global sources has a positive effect on key rate
I But: how to achieve it?
,
FU Berlin, PHYSec in 5G, July 6, 2016 22
SKG: A Multiplication Scheme
Enc / Dec Enc / Dec
Xn
1KnX
n
2SA SB
EveΦt Ψt
ωA ωB
Alice Bob
Xn
2KnX
n
1
X1X2K
Idea:
Assume noiseless channel: Bob gets (KX1, X2), Alice gets (KX2, X2)So just multiply it, Key= KX1X2
Noisy channel:
I Ahlswede & Cszizar: Keyrate = I(YAX1;YBX2)
But
I Sub-optimal: I(YAX1;YBX2) ≤ I(YA, X2;YB , X1) (Due to Fano’s Ineq.)
I Hard to actually calculate I(YAX1;YBX2)
,
FU Berlin, PHYSec in 5G, July 6, 2016 23
SKG: Deterministic Model
Lets look at I(YAX1;YBX2) and approximate it!
YBX2 = KX1X2 +X2Z1
YAX1 = KX2X1 +X1Z2
I Assume that K = 2Nk with N ∈ N and k ∈ [1, 2)
I Also assume peak power constraints on X1, X2 and Z1, Z2 of 1.
YBX2 = 2NkX1X2 +X2Z1
YAX1 = 2NkX2X1 +X1Z2
I Use binary expansion on kX1X2, X2Z1 and X1Z2
I Observe that the ”coarse” channel gain 2N shifts kX1X2 = 1.b1b2 . . . bn to theright 2NkX1X2 = bNbN−1 . . . b1.b0b−1
I Cut-of at noise level (decimal point) to get deterministic approximation
,
FU Berlin, PHYSec in 5G, July 6, 2016 24
SKG: Deterministic Model
Resulting Model is deterministic:
Alice Bob Eve
1
2
N
b1 b1
b2 b2
bN bN
dN
cN
d2
d1
I Due to reciprocity: Same number of bit-levels at Alice & Bob
I New results can be derived in dependence on K,X1 and X2
I ”Inbuilt” quantization → simple key results follow immediately
,
FU Berlin, PHYSec in 5G, July 6, 2016 25
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 26
Implementation:Setup (Hardware)
Alice
USB Host connector
USB Cable
Bob
Android tablet
< 1m
,
FU Berlin, PHYSec in 5G, July 6, 2016 27
Implementation:Setup (Software)
Smartphone
(Mother Duck)
Android
TelosB Mote
(Duckling)TelosB Mote
(Dongle)
Contiki
6doku app 6doku dongle
USB OTG
TelosB Mote
(Duckling)
Contiki
6doku APP
802.15.4
,
FU Berlin, PHYSec in 5G, July 6, 2016 28
Implementation:steps
,
FU Berlin, PHYSec in 5G, July 6, 2016 29
Experimental Results: Part 1
i0 5 10 15 20 25 30
RS
SI(
dB
m)
-90
-85
-80
-75
-70
-65
-60
Figure: Uncorrelated RSSIs for closely located (<1m) Mother and Duckling
,
FU Berlin, PHYSec in 5G, July 6, 2016 30
Experimental Results: Part 2
Figure: RSSIs are highly correlated after transmission power randomization for two closelylocated (<1m) nodes: Alice and Bob
,
FU Berlin, PHYSec in 5G, July 6, 2016 31
Outline
5G Security Requirements & Enablers
Motivation
The Wiretap Scenario - Secrecy Coding & Secret Key Generation
Advanced SKG Setting: Secret keys ’on the fly’
6Doku Demonstrator
Conclusions
,
FU Berlin, PHYSec in 5G, July 6, 2016 32
I Security is a key to the 5G (IoT, Tactile Internet, CPS, SDN etc. ) market!
I Research investment on new security (and authentication) schemes highlynecessary
I Physical Layer security promising path for 5GPPP Phase II
,
FU Berlin, PHYSec in 5G, July 6, 2016 33