Physical Layer Security in a 5G Setting

G. Wunder, R. Fritschek, R. Khan
Freie Universität Berlin
http://www.mi.fu-berlin.de/en/inf/groups/ag-comm/index.html

In cooperation with Francois Delaveau and Christiane-Laurie Kmeni Ngassa (both Thales Group, France)

Source: kom.aau.dk/~nup/wunder-talk-MCC_1.pdf


Post on 26-May-2020


Outline

- 5G Security Requirements & Enablers
- Motivation
- The Wiretap Scenario - Secrecy Coding & Secret Key Generation
- Advanced SKG Setting: Secret keys 'on the fly'
- 6Doku Demonstrator
- Conclusions


FU Berlin, PHYSec in 5G, July 6, 2016 2


5G Security Landscape

- 5GPPP '5GEnsure': Reference project for 5G security, privacy and trust
- Goal: Produce a 5G security architecture and use cases
- Initial set of security enablers
- Mainly core network related procedures
  - IoT enablers for AAA
  - Improved identity protection (IMSI, UICC, (V)MNOs etc.)
  - Trust builders, metrics, VNF certification
  - Network virtualization isolation
  - Monitoring tools (access control, bootstrapping etc.)
  - ...
- Potential 'cross projects' topic Phase II


Phase II

- Open consultation on 5G security among stakeholders:
  - Faster handling of security procedures for extremely low latency applications
  - Data authenticity, confidentiality and integrity for resource-constrained devices
  - Seamless authentication over multiple devices, access networks, services
  - Protection against DoS attacks to core and radio
  - Security mechanisms for NFV infrastructure
- Remedies (particularly privacy/security trade-offs):
  - Secret sharing (no single point of trust and failure)
  - Practical homomorphic encryption
  - Privacy-preserving profiling
  - IoT: Lightweight encryption
  - IoT: PUFs
  - IoT: Physical layer security


Physical Layer Security: Approaches

Definition: Physical Layer Security

Security is handled on PHY layer by exploiting PHY layer parameters (e.g. channel, noise, ...) and controlled (of course) by MAC protocol.

- Advantages:
  - Faster procedures: Algorithms run on PHY/MAC level, no packets are given to higher layers
  - Scalable
  - Energy/computation-efficient with lightweight ciphers
  - Improved usability
  - Improved security
  - The 'radio advantage'
  - ...
- Approaches:
  - Secrecy coding
  - Secret key generation
  - Secure pairing


Motivation: Notions of Security

[Figure: wiretap channel. Alice's encoder maps a k-bit message M to $X^n$; Bob's decoder receives $Y^n$ through $p(y|x)$; Eve's decoder receives $Z^n$ through $p(z|x)$.]

Computational Complexity

- Alice uses encryption scheme (e.g. RSA)
- Assumption: Some things hard to compute (factorization (RSA), etc.)
- However: Quantum computing will be a threat
  Example: Factor 193 digits
  - Conventional Computer: 30 CPU years at 2.2 GHz
  - Quantum Computer: 0.1 seconds!

Physical Layer Security (Information-Theoretical Sec.)

- Strictest notion of security
- Prob[M | Eve's Knowledge] ≈ Prob[M]: $H(M \mid Z^n) = H(M)$ or $I(M; Z^n) = 0$
- However: How to realize?
- Approaches: Secrecy Coding, Jamming, Key Generation


Secure Key Generation: State-of-the-Art

[Figure, built up over several slides: two-way link between Alice and Bob with an Enc / Dec block at each end and Eve listening over her own channels $H$. Signals $X_1^n$, $Y_1^n$ and $X_2^n$, $Y_2^n$; channel gains $K_1$, $K_2$; noise $N_1$, $N_2$. Early builds show messages $M_A$, $M_B$; later builds show pilots in both directions, the estimates $K_2$ and $K_1$, the key functions $f(K') = \text{Key}$ and $g(K_1) = \text{Key}$, and a Public Discussion link.]

$$Y_1 = X_1 K_1 + N_1$$
$$Y_2 = X_2 K_2 + N_2$$
$$Z_1 = X_1 H_1 + N_4$$
$$Z_2 = X_2 H_2 + N_3$$

- Pilot signaling to estimate channel gain $K$
- Utilizes reciprocity: $K_1 = K_2$
- Public Discussion to reconcile
- Key Rate $I(K_1; K_2)$, secure because Eve's channel is different
- Do we need the pilot signals?


Secure Key Generation: A New Direction

[Figure, built up over several slides: the same two-way link between Alice and Bob (Enc / Dec at each end, Eve listening over channels $H$, gains $K_1$, $K_2$, noise $N_1$, $N_2$). Labels: $\omega_A$, $\omega_B$; the products $X_2 K_2$ and $X_1 K_1$; key functions $f(X_2 K, X_1) = \text{Key}$ and $g(X_1 K, X_2) = \text{Key}$; Public Discussion link.]

- Idea: Estimate the product $XK$ instead of $K$
- Key rate $I(Y_1, X_2; Y_2, X_1)$ achievable?
- How to do in practice?
- Simple preliminary solution: Use the product!
  - $f(X_2 K, X_1) = X_2 K X_1$, $g(X_1 K, X_2) = X_1 K X_2$
  - Simple to implement
- However: hard to analyse key rate expressions: $I(Y_1 X_2; X_1 Y_2) = ?$
- What about security? $I(\text{Key}; \text{Eve's Information})$?


The Wiretap Scenario

[Figure: wiretap channel. Alice's encoder maps message M to $X^n$; Bob's decoder receives $Y^n$ (noise $N_m^n$); Eve's decoder receives $Z^n$ (noise $N_e^n$).]

- Alice wants to communicate a message M via X to Bob, and Bob receives $Y = X + N_m$
- But a wiretapper can see the message through another channel e
- The wiretapper Eve receives $Z = X + N_e$
- Question: Can Alice communicate secretly to Bob?


Secrecy Coding (SC)

Definition: Secrecy Capacity

For a $(2^{nR}, n)$ code $C_n$, which is known by Alice, Bob and Eve

- Code rate: $\frac{1}{n} H(M) = R + \delta$
- Reliability measure: $P_e(C_n) = \Pr[\hat{M} \neq M \mid C_n]$
- Secrecy measure - Equivocation: $H(M \mid Z^n, C_n)$ (as high as possible)
- Secrecy measure - Information leakage: $I(M; Z^n \mid C_n)$ (as low as possible)

Wyner '75, Csiszár and Körner '78

$$C_s(P_{YZ|X}) = \max_{P_{UX}} [I(U;Y) - I(U;Z)] \ge \max_{P_X} [I(X;Y) - I(X;Z)]$$

Intuitively: Alice uses 'radio advantage' over Eve's channel to send 'perfectly' secured messages to Bob


SC: How to practically use the advantage?

[Figure: coding chain. Polar or RM outer encoder → FEC inner encoder → Radio Channel → FEC inner decoder → Polar or RM outer decoder]

- Use concatenation of two codes (Thales WinnCOMM 2016)
- Inner Forward-Error-Correction code (FEC) for sufficient error correction (e.g. LDPC)
- Outer secrecy code to use the advantage of Bob (Polar or Reed-Muller code)

[Figure: BER of UD bits (from 10^0 down to 10^-6) versus SINR (in dB, -1 to 7). Curves: LDPC decoder; Polar, SC1 rate: 0.4; Polar, SC2 rate: 0.3; Polar, SC3 rate: 0.23; RM, SC4 rate: 0.33; RM, SC5 rate: 0.25. Annotations: BER -> 0.2; BER = 0.5; Target BER for Bob (Bob's side); Target BER for Eve (Eve's side); Radio Advantage 2,7 dB.]

- Outer code is partitioned into several parts ranked for channel goodness; good parts are used for information transfer, Eve just gets bad parts
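The partitioning in the last bullet, as an added example that is not the Thales scheme or code from the talk: it assumes binary erasure channels for Bob and Eve (where the polar recursion is exact) instead of the radio channel with an LDPC inner code, and the erasure probabilities and the threshold `delta` are constructed values.

```python
def synthetic_erasure_probs(n_levels, erasure_prob):
    """Erasure probability of each of the 2**n_levels polarized bit-channels
    obtained from a binary erasure channel with the given erasure probability."""
    z = [erasure_prob]
    for _ in range(n_levels):
        nxt = []
        for v in z:
            nxt.append(2 * v - v * v)  # "minus" channel: less reliable
            nxt.append(v * v)          # "plus" channel: more reliable
        z = nxt
    return z


def partition(n_levels, eps_bob, eps_eve, delta=0.01):
    """Rank the bit-channels for Bob and for Eve and split them into
    information, random and frozen positions (polar wiretap construction)."""
    z_bob = synthetic_erasure_probs(n_levels, eps_bob)
    z_eve = synthetic_erasure_probs(n_levels, eps_eve)
    info, random_fill, frozen = [], [], []
    for i, (b, e) in enumerate(zip(z_bob, z_eve)):
        if b >= delta:
            frozen.append(i)       # not reliable even for Bob: fixed, public bits
        elif e > 1 - delta:
            info.append(i)         # good for Bob, almost always erased for Eve
        else:
            random_fill.append(i)  # Eve may decode these: carry random bits only
    return info, random_fill, frozen


if __name__ == "__main__":
    # Constructed operating points: Bob sees 20 % erasures, Eve 60 %.
    n = 10
    info, random_fill, frozen = partition(n, eps_bob=0.2, eps_eve=0.6)
    total = 2 ** n
    print(f"block length     : {total}")
    print(f"secret positions : {len(info)} (rate {len(info) / total:.3f})")
    print(f"random positions : {len(random_fill)}")
    print(f"frozen positions : {len(frozen)}")
    # Without a radio advantage no position is both good for Bob and bad for Eve.
    print("no advantage     :", len(partition(n, 0.3, 0.3)[0]), "secret positions")
```

The secret rate approaches the capacity difference between the two erasure channels only for long blocks; at this block length many positions are not yet polarized and end up frozen or random.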


Secrecy Coding - Challenges

- However: SC based on better channel to Bob

Question 1: Is this a practical requirement?

→ No "warranty" for Alice-to-Bob "radio advantage"!

Question 2: What can we do if Eve got the better channel?

- Several approaches exist, for example:
  - Jamming / alignment strategies [ISIT16-Paper]
  - Secret key generation (SKG) schemes [PIMRC16-Paper]


The Wiretap Scenario with Public Discussion

[Figure: wiretap channel as before (Alice's encoder sends $X^n$; Bob's decoder receives $Y^n$ with noise $N_m^n$; Eve's decoder receives $Z^n$ with noise $N_e^n$), with an additional public noiseless channel.]

- Public Discussion can be used to transform the channel
- New channel meets previous requirements for Eve
- Paradigm shift: From secrecy capacity to secret key rate


Secret Key Generation

Definition: Secret Key Rate

A secret key rate $R_s$ is said to be achievable (for all $\varepsilon > 0$) if

- Alice and Bob agree on the key: $P\{\hat{S} \neq S\} \le \varepsilon$
- While keeping Eve in the dark: $\frac{1}{n} I(S; \text{Eve}) \le \varepsilon$
- But still achieving a key rate: $\frac{1}{n} H(S) \ge R_s - \varepsilon$

Maurer, Ahlswede and Csiszár '93

$$I(X;Y) - \min(I(X;Z), I(Y;Z)) \le C_s \le \min(I(X;Y), I(X,Y \mid Z))$$

Even if Eve got the better channel, using a public channel can ensure secrecy! However, Alice and Bob communicate over the public channel.


Two-Way Secret Key Generation

[Figure: two-way link between Alice and Bob with an Enc / Dec block at each end. Labels: signals $X_1^n$, $Y_1^n$, $X_2^n$, $Y_2^n$; key $S$ at each end; Eve with $\Phi_t$, $\Psi_t$; $\omega_A$, $\omega_B$; channels $H$; $Z_1$, $K_1$, $K'_1$, $Z_2$.]

- Use two-way communication for key generation and exploit channel entropy
- "Generate" source of common randomness at both terminals
- Extract secret key from common randomness: channel gains $K_1$, $K'_1$ are highly correlated random variables, i.e. $K_1 \approx K'_1$ (reciprocity & fading)


Two-Way Secret Key Generation

How to get a key?

- Idea: Send pilot signals and measure the channel gain at Alice and Bob
- Measured signals get quantized at both terminals
- Alice and Bob reconcile via Public Discussion to agree on a key
  - Reconciliation can be done such that Eve gains no knowledge of the key
  - Example: Difference of both msg's viewed as "channel noise impairment"
  - Error correction codes can be used: Alice calculates parity bits; sends them to Bob so that Bob can reconstruct the same measurement

Drawback:

- Dependent on channel gain randomness: static scenarios yield less key rate

Altogether:

Both SC and (two-way) SKG cannot provide security warranties which limits their application so far.
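The pilot, quantize and reconcile steps listed above, as an added simulation that is not code from the talk: it assumes a real-valued Gaussian channel gain, a 1-bit sign quantizer and a Hamming(7,4) code for the parity bits Alice publishes, and all function names and sample values are constructed.

```python
import random

BLOCK = 7
# Parity-check matrix of the Hamming(7,4) code. Column j (0-based) is the binary
# representation of j+1, so a single flipped bit at index j gives syndrome j+1.
H = [[((col + 1) >> row) & 1 for col in range(BLOCK)] for row in range(3)]
# Positions that are not powers of two (1-based 3, 5, 6, 7). For uniform blocks
# these four bits are independent of the published syndrome.
SECRET_IDX = (2, 4, 5, 6)


def quantize(estimates):
    """1-bit quantizer: sign of each zero-mean channel-gain estimate."""
    return [1 if k > 0 else 0 for k in estimates]


def syndrome(block):
    """Three parity bits of a 7-bit block, packed into an int 0..7."""
    s = 0
    for row in range(3):
        s |= (sum(h & b for h, b in zip(H[row], block)) % 2) << row
    return s


def alice_public_message(bits):
    """Public discussion: Alice sends one syndrome per full 7-bit block."""
    n = len(bits) // BLOCK
    return [syndrome(bits[BLOCK * i:BLOCK * (i + 1)]) for i in range(n)]


def bob_reconcile(bits, syndromes):
    """Bob moves his bits towards Alice's using only the public syndromes."""
    fixed = []
    for i, s_alice in enumerate(syndromes):
        block = list(bits[BLOCK * i:BLOCK * (i + 1)])
        diff = syndrome(block) ^ s_alice  # syndrome of the disagreement pattern
        if diff:                          # non-zero: flip the indicated bit
            block[diff - 1] ^= 1
        fixed.extend(block)
    return fixed


def extract_key(bits):
    """Drop the 3 bits per block that the public syndrome accounts for."""
    n = len(bits) // BLOCK
    return [bits[BLOCK * i + j] for i in range(n) for j in SECRET_IDX]


def mismatches(a, b):
    return sum(x != y for x, y in zip(a, b))


def run_skg(n_blocks=64, noise_std=0.15, seed=1):
    """Pilot-based SKG on a reciprocal fading channel (constructed data)."""
    rng = random.Random(seed)
    n = n_blocks * BLOCK
    gain = [rng.gauss(0, 1) for _ in range(n)]            # K, one draw per pilot round
    est_a = [k + rng.gauss(0, noise_std) for k in gain]   # Alice's noisy estimate
    est_b = [k + rng.gauss(0, noise_std) for k in gain]   # Bob's noisy estimate
    est_e = [rng.gauss(0, 1) for _ in range(n)]           # assumption: Eve's channel is independent
    bits_a, bits_b, bits_e = quantize(est_a), quantize(est_b), quantize(est_e)
    public = alice_public_message(bits_a)
    key_a = extract_key(bits_a)
    key_b = extract_key(bob_reconcile(bits_b, public))
    return {
        "raw_mismatch": mismatches(bits_a, bits_b),
        "key_mismatch": mismatches(key_a, key_b),
        "key_bits": len(key_a),
        "eve_raw_agreement": 1 - mismatches(bits_a, bits_e) / n,
    }


if __name__ == "__main__":
    print(run_skg())
```

A block with two or more disagreements is not repaired by this short code, so `key_mismatch` can stay above zero when the estimates are noisy.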


SKG: Using Local Sources

Channel Model:

$$Y_B = K X_1 + Z_1$$
$$Y_A = K X_2 + Z_2$$

- $X_1, X_2$ are sent codewords and $K$ is the channel gain
- Bob has access to $(K X_1 + Z_1, X_2)$ and Alice to $(K X_2 + Z_2, X_2)$
- Ahlswede & Csiszár: Keyrate $= I(Y_A, X_2; Y_B, X_1)$ (no side-info at Eve)

But

- What is the key rate?
- How to achieve it in practice?
- What about side-information at Eve?

Theorem

The key rate for local and global randomness sources is split up into contributions from both.

I(Y_A, X_1; Y_B, X_2) = I(X_1; Y_B) + I(Y_A; X_2) + I(Y_A; Y_B | X_2, X_1)

I I(X_1; Y_B) and I(Y_A; X_2) are each the capacity of a non-coherent fading channel

I I(Y_A; Y_B | X_2, X_1) is the key rate for the channel gain randomness conditioned on the input signals

I Therefore: Exactly the standard achievable key rate!

I Result: Using local and global sources has a positive effect on key rate

I But: how to achieve it?
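
Why the key rate splits this way, written out as an added derivation that is not on the slides. It assumes that X_1, X_2, K, Z_1 and Z_2 are mutually independent, which the slides do not state explicitly.

I(Y_A, X_1; Y_B, X_2)
  = I(X_1; Y_B, X_2) + I(Y_A; Y_B, X_2 | X_1)    (chain rule)
  = I(X_1; X_2) + I(X_1; Y_B | X_2) + I(Y_A; X_2 | X_1) + I(Y_A; Y_B | X_2, X_1)    (chain rule on each term)
  = 0 + I(X_1; Y_B) + I(Y_A; X_2) + I(Y_A; Y_B | X_2, X_1)

The last step uses three facts: I(X_1; X_2) = 0 because the codewords are independent; X_2 is independent of the pair (X_1, Y_B) since Y_B = K X_1 + Z_1, so conditioning on X_2 can be dropped; and X_1 is independent of the pair (Y_A, X_2) since Y_A = K X_2 + Z_2, so conditioning on X_1 can be dropped.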

SKG: A Multiplication Scheme

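[Figure: block diagram of the multiplication scheme. Labels: Alice and Bob, each with an Enc / Dec block; Eve; signals X_1^n and X_2^n over channel K^n; S_A, S_B; Φ_t, Ψ_t; ω_A, ω_B; product X_1 X_2 K]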

Idea:

Assume noiseless channel: Bob gets (K X_1, X_2), Alice gets (K X_2, X_1)
So each side just multiplies its two values: Key = K X_1 X_2

Noisy channel:

I Ahlswede & Csiszár: Key rate = I(Y_A X_1; Y_B X_2)

But

I Sub-optimal: I(Y_A X_1; Y_B X_2) ≤ I(Y_A, X_1; Y_B, X_2) (Due to Fano's Ineq.)

I Hard to actually calculate I(Y_A X_1; Y_B X_2)

SKG: Deterministic Model

Let's look at I(Y_A X_1; Y_B X_2) and approximate it!

Y_B X_2 = K X_1 X_2 + X_2 Z_1

Y_A X_1 = K X_2 X_1 + X_1 Z_2

I Assume that K = 2^N k with N ∈ ℕ and k ∈ [1, 2)

I Also assume peak power constraints on X_1, X_2 and Z_1, Z_2 of 1.

Y_B X_2 = 2^N k X_1 X_2 + X_2 Z_1

Y_A X_1 = 2^N k X_2 X_1 + X_1 Z_2

I Use binary expansion on k X_1 X_2, X_2 Z_1 and X_1 Z_2

I Observe that the "coarse" channel gain 2^N shifts k X_1 X_2 = 1.b_1 b_2 … b_n to the right: 2^N k X_1 X_2 = b_N b_{N-1} … b_1 . b_0 b_{-1}

I Cut-off at noise level (decimal point) to get deterministic approximation

Resulting Model is deterministic:

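[Figure: bit-level diagram with columns Alice, Bob and Eve. Levels 1, 2, …, N; Alice and Bob both hold bits b_1, b_2, …, b_N; Eve's column is labelled d_1, d_2, …, d_N and c_N]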

I Due to reciprocity: Same number of bit-levels at Alice & Bob

I New results can be derived as a function of K, X_1 and X_2

I "Inbuilt" quantization → simple key results follow immediately
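
The multiplication scheme and its deterministic cut-off, as an added example (not code from the talk): both terminals form their product from the noisy model, cut it off at the binary point, and compare bit levels. The sample values are constructed, and N+1 bit positions are kept because k in [1, 2) can push the product up to just below 2^(N+1); both choices are assumptions of this sketch.

```python
import math

def levels(value, n_bits):
    """Cut `value` off at the binary point and return its bits, MSB first."""
    v = math.floor(value)
    return [(v >> i) & 1 for i in range(n_bits - 1, -1, -1)]

def deterministic_levels(N, k, x1, x2):
    """Noise-free product 2^N * k * x1 * x2, cut off at the binary point."""
    return levels(2 ** N * k * x1 * x2, N + 1)

def measured_levels(N, k, x1, x2, z1, z2):
    """Alice forms Y_A * X_1 and Bob forms Y_B * X_2 from the noisy model."""
    K = 2 ** N * k
    y_b = K * x1 + z1          # received by Bob
    y_a = K * x2 + z2          # received by Alice
    return levels(y_a * x1, N + 1), levels(y_b * x2, N + 1)

def common_prefix(a, b):
    """Number of leading bit levels on which both terminals agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def to_int(bits):
    return int("".join(map(str, bits)), 2)

# Constructed sample values, all within the peak constraint of 1.
CASES = {
    "mid-interval": dict(N=8, k=1.5, x1=0.8125, x2=0.6875, z1=0.25, z2=-0.5),
    "at a carry":   dict(N=8, k=1.5, x1=0.75,   x2=0.5,    z1=0.25, z2=-0.5),
}

if __name__ == "__main__":
    for name, c in CASES.items():
        alice, bob = measured_levels(**c)
        print(name, alice, bob, "agree on", common_prefix(alice, bob), "levels")
```

In the second case the noise-free product sits exactly on an integer, so the residual noise terms X_2 Z_1 and X_1 Z_2 put Alice and Bob on opposite sides of a carry and only the top levels agree; such positions still need reconciliation.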

6Doku Demonstrator

Implementation: Setup (Hardware)

[Figure: hardware setup. Labels: Alice, Bob, Android tablet, USB Host connector, USB cable; distance < 1m]

Implementation: Setup (Software)

[Figure: software setup. Labels: Smartphone (Mother Duck), Android, 6doku app; TelosB Mote (Dongle), Contiki, 6doku dongle; TelosB Mote (Duckling), Contiki, 6doku app; links USB OTG and 802.15.4]

Implementation: Steps

Experimental Results: Part 1

[Plot: RSSI (dBm), from -90 to -60, against index i, from 0 to 30]

Figure: Uncorrelated RSSIs for closely located (<1m) Mother and Duckling

Experimental Results: Part 2

Figure: RSSIs are highly correlated after transmission power randomization for two closely located (<1m) nodes: Alice and Bob

Conclusions

I Security is a key to the 5G (IoT, Tactile Internet, CPS, SDN etc.) market!

I Research investment on new security (and authentication) schemes highly necessary

I Physical Layer security promising path for 5GPPP Phase II
