L. Xiao, L. Greenstein, N. Mandayam, W. TrappeWINLAB, Dept. ECE, Rutgers University

lxiao@winlab.rutgers.edu

CISS 2008

This work is supported in part by NSF grant CNS-0626439

MIMO-Assisted Channel-Based Authentication in Wireless Networks

WIRELESS INFORMATION NETWORK LABORATORY

Outline

Fingerprints in the Ether/channel-based authenticationHow to use the multipath fading to improve security?

MIMO-assisted authenticationFingerprints in the Ether + MIMO = ?

Simulation resultsConclusions

04/21/23 2

Benefits of Multipath Fading • CDMA: Rake processing that transforms

multipath into a diversity-enhancing benefit

• MIMO: Transforms scatter-induced Rayleigh fading into a capacity-enhancing benefit

• Fingerprints in the Ether: Distinguishes channel responses of different paths to enhance authentication

04/21/233

AP(Bob)

Alice

Eve

Multipathpropagation

Reflectorcluster

Internet

PHY-based Security Techniques

• Detections of attacks based on the received signal strength:• Identity-based attacks in wireless networks [Faria-

Cheriton 06] • Sybil attacks in sensor networks [Demirbas-Song 06]• Spoofing attacks [Chen-Trappe-Martin 07]

• Detections of attack based on the multipath channel information: • Fingerprints in the Ether: Authentication based on

channel frequency response [Xiao-Greenstein-Mandayam-Trappe 07]

• Location distinction based on channel impulse response [Patawari-Kasera 07]

• Encryption keys establishment [Wilson-Tse-Scholtz 07]

04/21/234

4.9 4.95 5 5.05 5.110

-5

10-4

10-3

f (GHz)

|H(f

)|

Frequency response

Loc 1Loc 2Loc 3

Fingerprints in the EtherFingerprints in the Ether:

In typical indoor environments, the wireless channel decorrelates rapidly in space

The channel response is hard to predict and to spoof

04/21/235

Channel-Based AuthenticationWireless networks are vulnerable to various

identity-based attacks, like spoofing attacksHuge system overhead if every message is protected

by upper-layer authentication/encryptionChannel-based authentication:

Detect attacks for each message, significantly reducing the number of calls for upper-layer authentication

Utilize the existing channel estimation mechanismLow system overheadPerformance in single-antenna systems has been

verified Here we will show the additional gain in MIMO links

04/21/236

Fingerprints + MIMO =?Eve must use the same number of transmit antennas

to spoof AliceBetter channel resolution: Additional dimension of

channel estimation samples provided by MIMOLess transmit power per antenna: Equal power

allocation of pilot symbols over transmit antennas (without a priori CSI)

Benefits of MIMO techniques:Diversity gain (tradeoff with Multiplexing gain)Security gain: More accurate detection of attacks, when

replacing SISO with MIMO

04/21/237

Alice sent the first messageIf Alice is silent, Eve may spoof her by using her

identity (e.g., MAC address) in the second message

Bob measures, stores and compares channel vectors in consecutive messages, “Who is the current transmitter, Alice or Eve?” Spatial variability of multipath propagation: HA HE

(with high probability)Time-invariant channel: Constant HA

System Model

04/21/238

HA

Eve

Alice

BobHE

Channel Estimation Channel estimation based on pilot symbols at

M tonesChannel vectors derived from consecutive

messages: H1 (Alice) and H2 (May be Alice, may be Eve)

In NT x NR MIMO systems, both H1 and H2 have MNTNR elements

Inaccurate channel estimation:AWGN receiver thermal noise model, Unknown phase measurement drifts

04/21/23 9

2~ CN(0, )N I expi i i iH H j N

MIMO-Assisted Spoofing DetectionHypothesis testing: H0: H1 = H2

H1: H1 H2

Test statistic:Rejection region of H0 : L > Test threshold, k

Performance criteriaFalse alarm rate, : The

probability of calling the upper-layer authentication unnecessarily

Miss rate, : The probability of missing the detection of Eve

04/21/23 10

No Spoofing

Spoofing!!!

0( )FA HP P L k

1( )m HP P L k

H 21 2 1 22

1|| exp ||L H H jArg H H

Performance Summary

Detection Performance

System BW, W

Noise BW, b (NarrowBand)

# of receive antennas, NR

# of transmit antennas, NT

Depends

Transmit power per tone, PT

Frequency sample size, M

04/21/2311

Simulation ScenarioVerified in a wireless indoor environment, with 405

spatial samples and half wavelength (3 cm) spacing for antennas

Frequency response for any T-R path, as FT of the impulse response, obtained using the Alcatel-Lucent ray-tracing tool WiSE

The received SNR per tone ranges from -16.5 dB to 53.6 dB, with a median value of 16 dB, when PT=0.1 mW, SISO systems.

04/21/23 12

Alice & Eve

Bob

1 1.5 2 2.5 3 3.5 4 4.5 510

-5

10-4

10-3

10-2

10-1

100

NT

Ave

rage

Mis

s R

ate

NR

=1

NR

=2

NR

=3

NR

=4

0.1mW

1mW

Simulation Results -1The use of more receive antennas is always

a benefit, while the impact of transmit antenna depends

04/21/2313 , # of transmit antennas

# of receive antennas

2 4 6 8 10 12 14 1610

-5

10-4

10-3

10-2

10-1

M

Ave

rage

Mis

s R

ate

SISOMISOSIMOMIMO

0.1 mW

1 mW

10 mW

Simulation Results -2MIMO security gain rises

with PT, under small M (e.g., M=1); while decreases with PT, o.w.

With high PT and small M, SISO systems have accurate but insufficient channel response samples.

With high PT and large M, SISO systems have performance too good to be significantly improved.

With low PT , the channel estimation is inaccurate, and thus more data are required for a right decision.

14 , frequency sample size

0 5 10 15 20 25 30 35 4010

-5

10-4

10-3

10-2

10-1

100

W (MHz)

Ave

rage

Mis

s R

ate

SISOMISOSIMOMIMO

0.1 mW

1 mW

10 mW

Simulation Results -3The miss rate decreases with the system

bandwidth, WLess-correlated frequency samples=> Better

resolution among users

04/21/2315

100

101

102

10-6

10-5

10-4

10-3

10-2

10-1

100

Measurement Noise Bandwidth, b (kHz)

Ave

rage

Mis

s R

ate

SISOMISOSIMOMIMO

Simulation Results -4The miss rate rises with the measurement noise

bandwidth, b, in narrowband systemsThe noise power in the channel estimation is

proportional to b

04/21/2316

We proposed a MIMO-assisted channel-based authentication scheme, and verified its performance in spoofing detection, using a channel-simulation software

Conclusion

04/21/2317

Detection Performance

System BW, W

Noise BW, b (NarrowBand)

# of receive antennas, NR

# of transmit antennas, NT

Depends

Transmit power per tone, PT

Frequency sample size, M

References [FC06] Faria, et al, “Detecting identity-based attacks in

wireless networks using signalprints,” WiSE, 2006 [DS06] Demirbas, et al, “An RSSI-based scheme for sybil

attack detection in wireless sensor networks,” 2006 [CTM07] Chen, et al, “Detecting and localizing wireless

spoofing attacks,” 2007 [WTS07] Wilson, et al, “Channel identification: secret

sharing using reciprocity in UWB channels,” 2007 [PK07] Patwari, et al, “ Robust location distinction using

temporal link signatures,” 2007 [XGMT07] Xiao, et al, “Fingerprints in the Ether: Using

the physical layer for wireless authentication,” ICC, 2007

04/21/2318