user within the range of two access points, AP1 and AP2. The. APs are assumed to ... A wireless network where the two nodes Bob and Carol are connected via an alternative secure ..... with WLAN has some advantages. First the two access ...
Shout to Secure: Physical–Layer Wireless Security with Known Interference Morten Lisborg Jørgensen, Boyan Radkov Yanakiev, Gunvor Elisabeth Kirkelund, Petar Popovski, Hiroyuki Yomo, and Torben Larsen Department of Electronic Systems, Aalborg University, Niels Jernes Vej 12, DK-9220 Aalborg, Denmark Email: {mljo, boyany, geki04, petarp, yomo, tl}@es.aau.dk Abstract— This paper proposes a physical–layer security scheme for wireless networks, aiming to achieve communication secrecy by making the eavesdropper incapable of decoding the secret wireless message. The considered scenario features one user within the range of two access points, AP1 and AP2. The APs are assumed to be connected through an alternative secure (e.g. wired) connection. The goal is to secure the wireless link between the user and AP1. While the user transmits to AP1, AP2 simultaneously transmits an interfering signal, which is a priori provided to AP1, such that AP1 is likely the only node capable of decoding the user’s entire transmission. Evaluation is done through simulation by measuring the upper bound of the information–theoretic secrecy and error performance. In the latter case it is shown that the eavesdropper experiences significantly higher error rates than the intended receiver, thus providing evidence of practical security.
I. I NTRODUCTION Wireless networks are, due to their broadcast nature, always less secure than a wired alternative. Traditionally this problem has been solved by adding security protocols to layers two and up in the OSI model [1]. A major problem with this is the key distribution, which can be solved by using asymmetric encryption. This, however, does not provide information– theoretic security because the private part of the asymmetric key can, in principle, be obtained from the public part with sufficient computational power [2]. Information theoretic security is only obtained when a potential eavesdropper is provided with insufficient information about the secret message by overhearing the coded message. The current methods for physical–layer security aim at making the signal unrecognizable for the eavesdropper, i.e. after attempting to decode the message, the eavesdropper will likely have a residual amount of uncertainty about the actual transmitted information. In such way, parts of the communication are secret in an information–theoretic sense. For example, consider the Shannon capacity of a Gaussian channel: C = W · log2 (1 + γ)
receiving the message, then some of the information remains irretrievable for the eavesdropper. For practical (finite) coding methods, this results in a higher error rate. Regarding information–theoretic secrecy, [3] introduces the wire–tap channel, i.e. the channel that the eavesdropper observes. In [4] it is shown that to obtain secrecy, the channel capacity of the intended receiver must be increased, while lowering the channel capacity of the eavesdropper. The same paper introduces the term secrecy capacity as a measure of how much higher the capacity of the main channel is, compared to the capacity of the wire–tap channel. In [5] the idea is further extended by showing that if both channels are subject to fading, the average SNR of the main channel can be lower than the wire–tap, while still obtaining a positive secrecy capacity at certain time instants. Other related recent works are [6] and [7], which investigate MIMO scenarios for physical layer security, where multiple transmitted signals are manipulated in such a way that they cancel each other at the intended receiver. Only the information bearing component remains to be decoded. At the same time the signals create noise– like, interference everywhere else. [8] analyzes the concept of cooperative jamming in a network of multiple users, which
(1)
where W is the bandwidth available for transmission, and γ is the Signal–to–Noise Ratio (SNR) observed at the data receiver. If the transmitted signal has a data rate that is higher than the capacity of the channel over which the eavesdropper is
Fig. 1. A wireless network where the two nodes Bob and Carol are connected via an alternative secure channel, Alice wants to send a confidential message to Bob. Eve, the eavesdropper, tries to intercept this message. All nodes have omni-directional antennas.
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
shows that it is feasible for users with excess capacity to transmit random codewords in order to confuse eavesdroppers. The approach proposed here is based on the induction of noise–like intentional interference. In Fig. 1 the considered scenario is illustrated. Bob (B) and Carol (C) are connected via an alternative secure connection. Alice (A) is an authorized and authenticated user that needs to transmit securely, and Eve (E) is the eavesdropper trying to intercept the signal. In this set–up Carol first provides a random sequence to Bob and then “shouts out” the same signal, while Alice transmits. As a consequence, interference is created in the entire coverage area. This increases the probability that Bob is the only node capable of extracting Alice’s signal. Notice that the key exchange has been moved from a problem between Alice and Bob to a problem between Bob and Carol. The key distribution is completely secure, and the key can be as long as necessary, without encryption and decryption delays. This approach could be applied with use of quantum cryptography for the alternative secure connection [9], a method which has previously been proposed albeit for true one-time-pads. Alice can be completely ignorant to the key, and even to the fact that her transmission is secure since she is not involved in the adding and subtraction of noise from the channel. Hence, the general idea of the approach is to induce a deterministic noise–like interference to the undesired receivers. A priori knowledge of the symbol sequence allows the intended receiver to extract the information from the interfering signals. The information–theoretic model is related to the wire-tap channel [3], but in this case, there is (partial) control over the channel degradation toward the eavesdropper. The proposed security mechanism is evaluated by simulation of a representative scenario. The secrecy of the introduced mechanism is assessed in two ways. With an informationtheoretic assessment, an upper bound is evaluated of the information that is missing at the eavesdropper in order to decode the desired signal. The second type of assessment is error performance: It is shown that the eavesdropper has a higher error rate in receiving the signal, which implies practicality of the proposed method. II. S YSTEM M ODEL The message wA from Alice (see Fig. 2) is encoded into the codeword xA = (xA [1], xA [2], ..., xA [i], ..., xA [n]), where xA [i] is a symbol from a chosen constellation with N symbols. Carol generates a random bit stream constituting the message wC , which is represented by a codeword (packet) of m symbols through possibly different coding and modulation of M symbols; xC = (xC [1], xC [2], ..., xC [i], ..., xC [m]). n = m is assumed, such that the user’s transmission is fully covered in length by the intentional interference. For both symbol streams, x[i] is a complex number with E{x[i]} = 0, ∀i ∈ {1, 2, ..., n}. Further on, the wireless channel has a normalized bandwidth W = 1 [Hz], such that the time is measured in terms of number of symbols and the bit rate [bps] is directly equivalent to the spectral efficiency [bps/Hz]. If not explicitly stated otherwise, it is assumed that the signals xA and xC
Fig. 2. The channel model of the network. ENC and DEC represent the encoding/decoding and constellation mapping procedures.
are created by using Gaussian codebooks [10], by which the capacity of the Gaussian channel is achieved. The wireless transmissions of Alice and Carol are done in such a way that symbol synchronization is achieved at the intended receiver. The channels between each pair of nodes are assumed to be independent, quasi–static, Rayleigh fading and memoryless, described by the complex channel gains hAB , hAC , hAE , and hCE (with e.g. hAB denoting the channel between Alice and Bob). Since quasi–static channels are assumed, the channel gains are constant during the transmission of a single codeword and the instantaneous SNR is constant during � All channels are power limited, such that �n the�packet. 1 2 = E, where E is the average transmit signal E |x[i]| i=1 n power, and x[i] is the complex channel input. Fig. 2 shows a model of the medium. At time i Bob receives yB [i] = hAB xA [i] + hBC xC [i] + zB [i] where zB is zero-mean, circularly symmetric, complex Gaussian noise, z ∼ CN (0, σ 2 ). It is assumed that Bob knows hAB and hBC . Similarly Eve receives yE [i] = hAE xA [i] + hCE xC [i] + zE [i] Both Bob and Eve try to decode xA error-free. Eve is assumed passive (receive only) with an omnidirectional antenna. This paper makes one assumption which is favorable for Eve: It is assumed that Eve knows the channel gains, and the signals of Alice and Carol are synchronized at Eve, thus facilitating Eve’s decoding. III. I NFORMATION - THEORETIC A SSESSMENT OF S ECRECY In the information-theoretic assessment, the idea is to measure how much information is missing at Eve in order for her to decode the signal from Alice. Such a missing information is a measure of the information that can be communicated securely between Alice and Bob. However, here it is not discussed which codebooks should be used to actually achieve such a secret communication, as it is, for example, done in [3].
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
Restricting the definition of secrecy capacity in [4] to positive values, the secrecy capacity is defined as � log2 (1 + γM ) − log2 (1 + γT ) ifγM ≥ γT (2) Cs = 0 ifγM < γT where γM and γT are the SNRs of the main and wire-tap channels respectively corresponding to the channel capacities CM and CT respectively. The secrecy capacity can be increased in two ways, either by increasing CM or by decreasing CT . The objective of the proposed approach is to decrease CT by inducing interference to the eavesdropper. For this assessment it is assumed that the noise sequence is white Gaussian noise. This is an unfavorable assumption for Eve thus making the results an upper bound on the amount of secrecy which can be obtained. The proposed method has two phases: 1) Bob and Carol agree on the random sequence xC through the alternative secure connection. In the information-theoretic evaluation, this part will be treated as white Gaussian noise when it is transmitted over the air. 2) Carol and Alice transmit simultaneously; Carol sends xC and Alice sends the secret message xA . Bob receives a combination of the signals and uses his prior knowledge of xC to obtain xA , symbol for symbol. The SNR of the wiretap is thus γT
=
|hAE |2 |xA |2 |hCE |2 |xC |2 + σz2
(3)
where σz2 is the average noise energy. Assuming that the interference signal is white Gaussian noise, is equivalent to assuming that the information rate of the signal is infinite and that each symbol has infinite information content. In reality, and in the simulations in the following chapters, the interference has a finite rate and finite information content pr. symbol. However the interference does not represent a packetized/decodable information, which is unfavorable for Eve (e.g. successive interference cancellation cannot be used).
As a consequence Eve cannot be closer than 1 m to any of the transmitting nodes, for the simulations to be valid. This is implemented in the simulation by setting the distance of Eve to one meter whenever she is closer than that to a sender. As all signal processing involved, is linear in nature, the average background noise power is normalized to σz2 = 1 without loss of generality. All transmission powers are scaled to achieve an average SNR of 20 dB at a distance of 30 m. The positions of the nodes are as follows: A(0,0), B(-2,-2), and C(2,2). In the simulation A, B and C are kept stationary at all times, while E is moving around. For each position the distances between E and the sending nodes are calculated. These distances give the average SNR for the given position. a number of exponentially distributed SNRs are generated around the mean corresponding to the distance representing the average SNR for each packet. The number of iterations is chosen so that statistical significance is obtained. In the secrecy capacity simulation these SNR’s are then used to calculate the secrecy capacity for each channel sample, the average of which is plotted on the graph. In the Bit Error Rate (BER) and Packet Error Rate (PER) simulations a 100 bit packet is generated, modulated and transmitted by adding Gaussian noise and then the packet is decoded. For each packet the number of bit errors is counted, the average of which is returned for the BER simulations. If one or more bits are in error, the uncoded packet is marked erroneous and the number of bad packets is used to calculate the PER. In all simulations the BER and PER for Bob were insignificant. B. Secrecy Capacity The secrecy capacity is calculated from eqs. 2 and 3. However in the simulation a number of iterations calculates the secrecy capacity without restricting it to be positive, the average is then calculated and if it is below zero, zero is returned. The result is shown in Fig. 3. Fig. 4 shows a cut through Fig. 3 for Eve moving along y = 1. The secrecy capacity is low when Eve is close to Alice and high when Eve is close to Carol, as would be expected.
IV. E VALUATION OF S ECRECY A. Scenario and Model
C. Eavesdropper Error Rates
In order to evaluate the secrecy performance of the proposed method, the following scenario is considered. The simulations are modeled using a WLAN indoor propagation model as described in [11] and [12]. Independent channels with no line of sight are considered, therefore the channel coefficients are considered Rayleigh distributed. This setting corresponds to a common environment in most office buildings. The path loss exponent is set to α = 4 [13, Cha. 3]. The propagation model used assumes that all nodes are in the far field of the antennas. The wavelength of the electromagnetic wave in free space for WLAN is λ ≈ 12.3 cm at f = 2.45 GHz, or λ ≈ 6 cm at f = 5 GHz. Therefore a reference distance of d0 = 1 m is chosen to represent the far fields which applies to all receivers.
For the BER simulations, the symbols are synchronized, meaning that each pair of symbols arrives at the same time and has the same duration, but with a uniformly distributed phase. Fig. 5 shows the BER in the 2D plane. In Fig. 6 the bit error rate for Eve is simulated for two different modulations from Carol: BPSK and QAM-64. The results show that there is a tendency that BPSK gives higher BER. The BER is above 5% for all positions within the simulated range, except when Eve is closer than approximately 2.5 m to Bob. Figs. 7 and 8 show the packet error rates for the same simulations. Notice that the QAM-64 interference corresponds to a higher packet loss than BPSK interference despite the slightly lower BER.
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
Normalized Secrecy Capacity
Packet Error Rate
15
15 24 90
10
16
5
Distance [m]
18 0
80 70
20
5
Distance [m]
10
22
60 0
50 40
−5
−5 14
30 20
−10
12
−10
10 10 −15 −15
−10
−5
0
5
10
−15 −15
15
−10
Distance [m]
0
5
10
15
Distance [m]
Fig. 3. Simulated secrecy capacity. Alice is at A(0,0), Carol is at C(2,2). The rate of the signal from Alice, is set to the channel capacity of Bob for every instantaneous SNR at Bob. Normalized Secrecy Capacity
Fig. 5. Simulated BER for Eve. The position of Alice is A(0,0) and Carol is at C(2,2). The signal from A and C is modulated with BPSK and QAM-64 respectively. Bit Error Rate
24
45
40
BPSK QAM−64
22 35 20
Bit Error Rate [%]
Normalized Secrecy Capacity [bits/transmission]
−5
18
16
30
25
20
15
10 14 5 12 −15
−10
−5
0
5
10
15
Distance [m]
Fig. 4.
0 −15
−10
−5
0
5
10
15
Distance [m]
A cut through Fig. 3, Eve is moving along y = 1 .
Fig. 6. A cut through Fig. 5 for two modulations of the signal from Carol, E is moving along y = 1.
V. D ISCUSSION A. Discussion of Numerical Results The BER results seen in Figs. 5 and 6 do not suggest a significant increase in security when the rate of the interfering signal is increased. The reason is that Eve does not try to decode the interference, thus only the energy contained in the interference has an influence on Eve’s ability to decode. Figs. 7 and 8 show the PER. In Fig. 8 the PER is higher for QAM-64 opposite to the BER-results of Fig. 6. To explain this, first consider the case where the interfering signal and the information signal are in phase. In this case the BPSK interfering signal has, in average, more energy parallel to the information signal, than QAM-64. A separate simulation (not included here), showed much higher BER and PER in this case. In the other case, the interference signal is phase shifted 90 degrees which makes the two signals completely orthogonal, which causes no errors. Since the phase shift is constant for each packet, full packets are erroneous with BPSK and some are completely error free. With QAM-64 only a few
bits are in error in each packet, but all packets have a potential to contain errors. This causes a higher PER for QAM-64. B. Synchronization and Practical Implementation The results discussed above are obtained under the assumption that the two signals, secret message and interfering signal, are synchronized at symbol level. In order to achieve such a synchronization at the receiver side, the previous example with WLAN has some advantages. First the two access points can be assumed static and the only mobile elements are the user and the eavesdropper. This is an important advantage when it comes to synchronization as the channel between the APs will be more or less predictable and the propagation delay can be within narrow limits. Additionally, since there exists an independent channel, different timing advance/delay parameters can be exchanged. Regarding implementation, the receiver is the most important part and will pose some hardware limitations. An
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
Bit Error Rate 45
15
40 10 35
Distance [m]
5
30
25 0 20 −5
15
10 −10 5 −15 −15
−10
−5
0
5
10
15
Distance [m]
Fig. 7. Simulated PER for Eve in the setting of Fig. 5, 100 bit packets are simulated for each instantaneous SNR. Packet Error Rate 100 90
BPSK QAM−64
Packet Error Rate [%]
80 70 60 50
D. Optimization of the Interference Signal
40 30 20 10 0 −15
solution is scaled by adding more A nodes and (B,C)-pairs the network. However in the simulations, the distance between A and C is chosen to be low compared to the interference radius, in this case the effect is minor. However separate work on the effect of the distance between A and C needs to be conducted to find the optimal distance. The spatial efficiency could be improved by letting the signal from Carol be useful downstream data to a third node Dave. However, in this case Eve can do successive interference cancellation and as such the analysis differs from what is done in this paper. In the scenario with one Bob and one Carol, more Alicenodes could be added to the network without adding more Carols since only one Alice transmits at any one point in time. The scheme could work the standard MAC-techniques, DCF, of 802.11. With the basic mode (which is a CSMA/CA protocol) Bob detects that one of the Alice-nodes is sending by observing a packet-header, and he notifies Carol, and she starts transmitting before Alice has finished transmitting the header information. It would be easier if RTS/CTS is employed: When Bob has sent the CTS signal to Alice, Carol can overhear it and easily estimate the transmission timing of the data packet, for which she starts transmitting interference. In both cases the entire payload is secured, given that Bob and Carol can keep up with the timing requirements.
−10
−5
0
5
10
15
Distance [m]
Fig. 8. Simulated PER for Eve in the setting of Fig. 6, 100 bit packets are simulated for each instantaneous SNR.
important feature is keeping track and estimation of two independent channels (possibly by introducing more pilot signals in the case of WLAN). Additionally, advanced protocol handling should be deployed overriding the WLAN’s CSMA/CA algorithm [14]. The timing can be adjusted by appropriate signalling. Note that these are mainly software changes, and it might be possible to operate the scheme only by replacing the access points in the network and keeping the existing user equipment. Of course, additional pilot channels for synchronization, signaling, and delays will lower the network throughput, but this should be negligible since the extra transmission takes place in the time slot that is occupied by the useful data. C. Scalability Since B and C are not in the same position, the spatial efficiency of the described networks is lower compared to the same network without node C because of the enlarged interference area. This could lead to problems when the
The following properties characterize a good interfering signal: 1) Interfere irrespective of phase shift in the channel. 2) Maximize the secrecy capacity. 3) Contain as little information as possible. Item 1 could be obtained by M-PSK for any M ≥ 3. This way, no matter the phase shift, the projection of the interfering signal onto the information signal is larger than zero with nonzero probability. Item 2 can be obtained by maximizing the rate of the signal from Alice, so that the information transfer to Bob is maximized e.g. by choosing modulation so that the data rate is maximized. Item 3 concerns the strain on the connection between Bob and Carol. To minimize the bandwidth usage in the alternative connection, Carol needs to minimize the information contained in the signal. If the connection is wired, this property is clearly less significant. E. Directive Antennas This scheme has a weakness when the eavesdropper is equipped with a directed antenna. Assuming that Eve’s directed antenna can only pick up the signal from a single node during some time period consider the following scenario in which the data flow is in the opposite direction. First, the aforementioned method is used with the change that Alice’s message is a secret key. Second, Bob uses the secret key to encrypt a secret message to Alice by traditional means, which is then transmitted. By examining this protocol it is clear that Eve is only able to receive either the key or the coded message thus not obtaining the secret message. If Eve could use her directed antenna to pick up the signals from two nodes e.g. by
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
placing herself on line formed by the two nodes, then she could pick up both the key and the coded message. This could be countered by randomly shifting the roles of B and C in a way that is transparent to A. In short, directive antennas can give the eavesdropper higher probability of decoding but certain methods can be employed to mitigate this threat. VI. C ONCLUSION The present paper introduces a physical layer security scheme for wireless networks. This scheme can provide information theoretic security, which is widely regarded as the strictest notion of security. In the proposed scheme, two nodes agree on an interfering signal which is then transmitted by one of them, while the other receives. During this transmission a third node can securely transmit. The security is obtained without losing bandwidth and the user can be ignorant of the added security. The model has been simulated and the results show that in practical settings it is possible to obtain security with this approach. A possible implementation of the method could be in wireless access networks, where one user is often in range of several access points. In this setup, the proposed scheme could be used for securing the uplink, which is then used to transfer a secret key. The method requires only hardware changes in the access network and not on the client. Additionally the scheme can work as an extension to existing technologies adding and subtracting noise transparently. Thus an implementation in 802.11 could be relevant. Future work for this method is the development of a transceiver capable of separating the message signal from the mixed signals, as well as protocol extension/evaluation with multiple users and multiple access points.
R EFERENCES [1] A. S. Tanenbaum and M. V. Steen, Distributed Systems: Principles and Paradigms. Prentice Hall, Inc, Upper Saddle River, NJ, USA, 2002. [2] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978. [3] A. D. Wyner, “The wire-tap channel,” The Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, October 1975. [4] S. K. Leung-Yan-Cheong and M. E. Hellman, “The gaussian wire-tap channel,” IEEE Trans. on Inform. Theory, vol. 24, no. 4, pp. 451–456, July 1978. [5] J. Barros and M. R. D. Rodrigues, “Secrecy capacity of wireless channels,” in 2006 IEEE International Symposium on Information Theory, Seattle, July 2006. [6] R. Negi and S. Goel, “Secret communication using artificial noise,” in Vehicular Technology Conference 2005-fall, Dallas, vol. 3, September 2005, pp. 1906–1910. [7] ——, “Secret communication in presence of colluding eavesdroppers,” in Military Communications Conference, Atlantic City, vol. 3, October 2005, pp. 1501–1506. [8] E. Tekin and A. Yener, “The gaussian multiple access wire-tap channel: wireless secrecy and cooperative jamming,” IEEE transactions on Information Theory -Special Issue on Information Theoretic Security, Submitted Feb. 2007. [9] H.-K. Lo and N. L¨utkenhaus, “Quantum cryptography: from theory to practice,” eprint arXiv:quant-ph/0702202, Submitted Feb. 2007. [10] T. M. Cover and J. A. Thomas, Elements of Information Theory. John Wiley & sons, Inc, Hoboken, NJ, USA, Second edition, 2006. [11] J. C. Stein, “Indoor radio wlan performance part ii: Range performance in a dense office environment,” white Paper. [Online]. Available: http://whitepapers.silicon.com/0,39024759,60016337p39000370q,00.htm [12] G. J. M. Janssen, P. A. Stigter, and R. Prasad, “Wideband indoor channel measurements and ber analysis of frequency selective multipath channels at 2.4, 4.75, and 11.5 GHz,” IEEE Transactions on Communications, vol. 44, no. 10, pp. 1998–2003, October 1996. [13] T. S. Rappaport, Wireless Communications: Principles and Practice. Prentice Hall, Inc., Upper Saddle River, NJ, USA, 2002. [14] A. S. 802.11, “Part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications,” 1999 Edition (R2003).
1930-529X/07/$25.00 © 2007 IEEE This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2007 proceedings.
