Results 1 - 10 of 82
Radio-telepathy: extracting a secret key from an unauthenticated wireless channel
In MobiCom ’08, 2008
"... Securing communications requires the establishment of cryptographic keys, which is challenging in mobile scenarios where a key management infrastructure is not always present. In this paper, we present a protocol that allows two users to establish a common cryptographic key by exploiting special pro ..."
Cited by 119 (3 self)
Securing communications requires the establishment of cryptographic keys, which is challenging in mobile scenarios where a key management infrastructure is not always present. In this paper, we present a protocol that allows two users to establish a common cryptographic key by exploiting special properties of the wireless channel: the underlying channel response between any two parties is unique and decorrelates rapidly in space. The established key can then be used to support security services (such as encryption) between two users. Our algorithm uses level-crossings and quantization to extract bits from correlated stochastic processes. The resulting protocol resists cryptanalysis by an eavesdropping adversary and a spoofing attack by an active adversary without requiring an authenticated channel, as is typically assumed in prior information-theoretic key establishment schemes. We evaluate our algorithm through theoretical and numerical studies, and provide validation through two complementary experimental studies. First, we use an 802.11 development platform with customized logic that extracts raw channel impulse response data from the preamble of a format-compliant 802.11a packet. We show that it is possible to practically achieve key establishment rates of ∼ 1 bit/sec in a real, indoor wireless environment. To illustrate the generality of our method, we show that our approach is equally applicable to per-packet coarse signal strength measurements using off-the-shelf 802.11 hardware.
Wireless device identification with radiometric signatures
In Proceedings of the 14th ACM international conference on mobile computing and networking, ser. MobiCom ’08
"... We design, implement, and evaluate a technique to identify the source network interface card (NIC) of an IEEE 802.11 frame through passive radio-frequency analysis. This technique, called PARADIS, leverages minute imperfections of transmitter hardware that are acquired at manufacture and are present ..."
Cited by 111 (4 self)
We design, implement, and evaluate a technique to identify the source network interface card (NIC) of an IEEE 802.11 frame through passive radio-frequency analysis. This technique, called PARADIS, leverages minute imperfections of transmitter hardware that are acquired at manufacture and are present even in otherwise identical NICs. These imperfections are transmitter-specific and manifest themselves as artifacts of the emitted signals. In PARADIS, we measure differentiating artifacts of individual wireless frames in the modulation domain, apply suitable machine-learning classification tools to achieve significantly higher degrees of NIC identification accuracy than prior best known schemes. We experimentally demonstrate effectiveness of PARADIS in differentiating between more than 130 identical 802.11 NICs with accuracy in excess of 99%. Our results also show that the accuracy of PARADIS is resilient against ambient noise and fluctuations of the wireless channel. Although our implementation deals exclusively with IEEE 802.11, the approach itself is general and will work with any digital modulation scheme.
Improving wireless privacy with an identifier-free link layer protocol
In MobiSys ’08: 6th International Conference on Mobile Systems, Applications, and Services, 2008
"... We present the design and evaluation of an 802.11-like wireless link layer protocol that obfuscates all transmitted bits to increase privacy. This includes explicit identifiers such as MAC addresses, the contents of management messages, and other protocol fields that the existing 802.11 protocol rel ..."
Cited by 67 (11 self)
We present the design and evaluation of an 802.11-like wireless link layer protocol that obfuscates all transmitted bits to increase privacy. This includes explicit identifiers such as MAC addresses, the contents of management messages, and other protocol fields that the existing 802.11 protocol relies on to be sent in the clear. By obscuring these fields, we greatly increase the difficulty of identifying or profiling users from their transmissions in ways that are otherwise straightforward. Our design, called SlyFi, is nearly as efficient as existing schemes such as WPA for discovery, link setup, and data delivery despite its heightened protections; transmission requires only symmetric key encryption and reception requires a table lookup followed by symmetric key decryption. Experiments using our implementation on Atheros 802.11 drivers show that SlyFi can discover and associate with networks faster than 802.11 using WPA-PSK. The overhead SlyFi introduces in packet delivery is only slightly higher than that added by WPA-CCMP encryption (10% vs. 3% decrease in throughput).
Information-theoretically secret key generation for fading wireless channels
IEEE Transactions on Information Forensics and Security, 2010
"... The multipath-rich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment i ..."
Cited by 52 (2 self)
The multipath-rich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment implies that the short-term fading process is inherently hard to predict and best modeled stochastically, with rapid decorrelation properties in space, time, and frequency. In this paper, we demonstrate how the channel state between a wireless transmitter and receiver can be used as the basis for building practical secret key generation protocols between two entities. We begin by presenting a scheme based on level crossings of the fading process, which is well-suited for the Rayleigh and Rician fading models associated with a richly scattering environment. Our level crossing algorithm is simple, and incorporates a self-authenticating mechanism to prevent adversarial manipulation of message exchanges during the protocol. Since the level crossing algorithm is best suited for fading processes that exhibit symmetry in their underlying distribution, we present a second and more powerful approach that is suited for more general channel state distributions. This second approach is motivated by observations from quantizing jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a heuristic log likelihood ratio estimate to achieve an improved secret key generation rate. We validate both proposed protocols through experimentations using a customized 802.11a platform, and show for the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order of 10 b/s.
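Both this abstract and the "Radio-telepathy" abstract above rest on the same step: each side quantizes its own view of the reciprocal channel, keeps only excursions that stay above q+ or below q- for at least m consecutive samples, and exchanges nothing but sample indices, so the bits themselves never cross the air. The simulation below is an added illustration of that step and is not code from either paper. Everything numeric is assumed: a synthetic AR(1) fading trace shared by Alice and Bob through independent measurement noise, an unrelated trace for Eve, alpha = 0.8 for the thresholds, m = 5, Bob accepting an index only when his own m samples around it all lie above his q+ or all below his q-, and Eve guessing each bit from the sign of her own samples at the published indices.

```python
"""Level-crossing secret-key extraction from a reciprocal fading channel.

Added illustration of the level-crossing / quantization idea; not the
authors' code. Alice and Bob observe the same slowly varying channel gain
through independent measurement noise; Eve observes an independent channel.
All numeric settings (phi, noise level, alpha, m) are assumed values.
"""
import random
import statistics


def simulate_channels(n, seed=7, phi=0.95, obs_noise=0.15):
    """Construct traces: a shared AR(1) fading process seen by Alice and Bob
    with independent noise, and an unrelated AR(1) process for Eve."""
    rng = random.Random(seed)
    innov = (1.0 - phi * phi) ** 0.5  # gives a unit-variance stationary process
    common, eve = [], []
    c = e = 0.0
    for _ in range(n):
        c = phi * c + innov * rng.gauss(0.0, 1.0)
        e = phi * e + innov * rng.gauss(0.0, 1.0)
        common.append(c)
        eve.append(e)
    alice = [x + rng.gauss(0.0, obs_noise) for x in common]
    bob = [x + rng.gauss(0.0, obs_noise) for x in common]
    return alice, bob, eve


def thresholds(samples, alpha):
    """q+ / q- set from the party's own sample mean and standard deviation."""
    mu = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return mu + alpha * sd, mu - alpha * sd


def find_excursions(samples, m, alpha):
    """Map centre index -> bit for every run of at least m consecutive samples
    above q+ (bit 1) or below q- (bit 0)."""
    q_plus, q_minus = thresholds(samples, alpha)
    excursions = {}
    n, i = len(samples), 0
    while i < n:
        if samples[i] > q_plus:
            bit, inside = 1, (lambda x: x > q_plus)
        elif samples[i] < q_minus:
            bit, inside = 0, (lambda x: x < q_minus)
        else:
            i += 1
            continue
        j = i
        while j < n and inside(samples[j]):
            j += 1
        if j - i >= m:
            excursions[(i + j - 1) // 2] = bit
        i = j
    return excursions


def check_window(samples, centre, m, q_plus, q_minus):
    """Bob's test: do his own m samples around `centre` form an excursion?"""
    lo, hi = centre - m // 2, centre + m // 2 + 1
    if lo < 0 or hi > len(samples):
        return None
    window = samples[lo:hi]
    if all(x > q_plus for x in window):
        return 1
    if all(x < q_minus for x in window):
        return 0
    return None


def run_protocol(alice, bob, eve, m=5, alpha=0.8):
    # 1. Alice locates her excursions and sends only the centre indices.
    alice_exc = find_excursions(alice, m, alpha)
    sent = sorted(alice_exc)
    # 2. Bob keeps the indices at which his own samples also show an
    #    excursion (of either sign) and replies with that list.
    q_plus_b, q_minus_b = thresholds(bob, alpha)
    bob_bits = {}
    for c in sent:
        b = check_window(bob, c, m, q_plus_b, q_minus_b)
        if b is not None:
            bob_bits[c] = b
    accepted = sorted(bob_bits)
    # 3. Each side reads its bits from its own samples; no bit crosses the air.
    alice_key = [alice_exc[c] for c in accepted]
    bob_key = [bob_bits[c] for c in accepted]
    # Eve sees both index lists but only her own, decorrelated channel, so the
    # best she can do is guess from the sign of her samples at those indices.
    eve_mu = statistics.fmean(eve)
    eve_key = [1 if statistics.fmean(eve[c - m // 2:c + m // 2 + 1]) > eve_mu else 0
               for c in accepted]
    agree = sum(a == e for a, e in zip(alice_key, eve_key))
    return {
        "proposed": len(sent),
        "alice_key": alice_key,
        "bob_key": bob_key,
        "eve_key": eve_key,
        "eve_agreement": agree / max(len(accepted), 1),
    }


if __name__ == "__main__":
    result = run_protocol(*simulate_channels(6000))
    print("indices proposed:", result["proposed"], "bits agreed:", len(result["alice_key"]))
    print("Alice == Bob:", result["alice_key"] == result["bob_key"])
    print("Eve's bit agreement with Alice: %.2f" % result["eve_agreement"])
```

Two things worth noticing when you run it: Bob rejects a fair share of Alice's proposals (that rejection, not any disclosed bit, is what makes the public exchange safe), and Eve's bit string matches Alice's at roughly the coin-flip rate even though she saw every message. A deployment would still follow this with privacy amplification, since the raw bits are correlated in time and not uniformly distributed.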
ArrayTrack: A fine-grained indoor location system
USENIX Symposium on Networked Systems Design and Implementation, 2013
"... Abstract Location systems are key to a rich experience for mobile users. When they roam outdoors, mobiles can usually count on a clear GPS signal for an accurate location, but indoors, GPS usually fades, and so up until recently, mobiles have had to rely mainly on rather coarse grained signal stren ..."
Cited by 49 (3 self)
Location systems are key to a rich experience for mobile users. When they roam outdoors, mobiles can usually count on a clear GPS signal for an accurate location, but indoors, GPS usually fades, and so up until recently, mobiles have had to rely mainly on rather coarse-grained signal strength readings for location. What has changed this status quo is the recent trend of dramatically increasing numbers of antennas at the indoor AP, mainly to bolster capacity and coverage with multiple-input, multiple-output (MIMO) techniques. In the near future, the number of antennas at the access point will increase several-fold, to meet increasing demands for wireless capacity with MIMO links, spatial division multiplexing, and interference management. We thus observe an opportunity to revisit the important problem of localization with a fresh perspective. This paper presents the design and experimental evaluation of ArrayTrack, an indoor location system that uses MIMO-based techniques to track wireless clients in real time as they roam about a building. We prototype ArrayTrack on a WARP platform, emulating the capabilities of an inexpensive 802.11 wireless access point. Our results show that ArrayTrack can pinpoint 40 clients spread out over an indoor office environment to within 30 cm location accuracy.
Advancing wireless link signatures for location distinction
In MobiCom ’08: Proceedings of the 14th ACM international conference on Mobile computing and networking, 2008
"... Location distinction is the ability to determine when a device has changed its position. We explore the opportunity to use sophisticated PHY-layer measurements in wireless networking systems for location distinction. We first compare two existing location distinction methods- one based on channel ga ..."
Cited by 40 (5 self)
Location distinction is the ability to determine when a device has changed its position. We explore the opportunity to use sophisticated PHY-layer measurements in wireless networking systems for location distinction. We first compare two existing location distinction methods: one based on channel gains of multi-tonal probes, and another on channel impulse response. Next, we combine the benefits of these two methods to develop a new link measurement that we call the complex temporal signature. We use a 2.4 GHz link measurement data set, obtained from CRAWDAD [10], to evaluate the three location distinction methods. We find that the complex temporal signature method performs significantly better compared to the existing methods. We also perform new measurements to understand and model the temporal behavior of link signatures over time. We integrate our model in our location distinction mechanism and significantly reduce the probability of false alarms due to temporal variations of link signatures.
Attacks on physical-layer identification
In Proc. of WiSec, 2010
"... Physical-layer identification of wireless devices, commonly referred to as Radio Frequency (RF) fingerprinting, is the process of identifying a device based on transmission imperfections exhibited by its radio transceiver. It can be used to improve access control in wireless networks, prevent device ..."
Cited by 23 (1 self)
Physical-layer identification of wireless devices, commonly referred to as Radio Frequency (RF) fingerprinting, is the process of identifying a device based on transmission imperfections exhibited by its radio transceiver. It can be used to improve access control in wireless networks, prevent device cloning and complement message authentication protocols. This paper studies the feasibility of performing impersonation attacks on the modulation-based and transient-based fingerprinting techniques. Both techniques are vulnerable to impersonation attacks; however, transient-based techniques are more difficult to reproduce due to the effects of the wireless channel and antenna in their recording process. We assess the feasibility of performing impersonation attacks by extensive measurements as well as simulations using collected data from wireless devices. We discuss the implications of our findings and how they affect current device identification techniques and related applications.
Ensemble: Cooperative Proximity-based Authentication
"... Ensemble is a system that uses a collection of trusted personal devices to provide proximity-based authentication in pervasive environments. Users are able to securely pair their personal devices with previously unknown devices by simply placing them close to each other (e.g., users can pair their p ..."
Cited by 22 (0 self)
Ensemble is a system that uses a collection of trusted personal devices to provide proximity-based authentication in pervasive environments. Users are able to securely pair their personal devices with previously unknown devices by simply placing them close to each other (e.g., users can pair their phones by just bringing them into proximity). Ensemble leverages a user’s growing collection of trusted devices, such as phones, music players, computers and personal sensors, to observe transmissions made by pairing devices. These devices analyze variations in received signal strength (RSS) in order to determine whether the pairing devices are in physical proximity to each other. We show that, while individual trusted devices cannot properly distinguish proximity in all cases, a collection of trusted devices can do so reliably. Our Ensemble prototype extends Diffie-Hellman key exchange with proximity-based authentication. Our experiments show that an Ensemble-enabled collection of Nokia N800 Internet Tablets can detect devices in close proximity and can reliably detect attackers as close as two meters away.
Detecting Intra-Room Mobility with Signal Strength Descriptors
"... We explore the problem of detecting whether a device has moved within a room. Our approach relies on comparing summaries of received signal strength measurements over time, which we call descriptors. We consider descriptors based on the differences in the mean, standard deviation, and histogram comp ..."
Cited by 16 (3 self)
We explore the problem of detecting whether a device has moved within a room. Our approach relies on comparing summaries of received signal strength measurements over time, which we call descriptors. We consider descriptors based on the differences in the mean, standard deviation, and histogram comparison. In close to 1000 mobility events we conducted, our approach delivers perfect recall and near perfect precision for detecting mobility at a granularity of a few seconds. It is robust to the movement of dummy objects near the transmitter as well as people moving within the room. The detection is successful because true mobility causes fast fading, while environmental mobility causes shadow fading, which exhibit considerable difference in signal distributions. The ability to produce good detection accuracy throughout the experiments also demonstrates that our approach can be applied to varying room environments and radio technologies, thus enabling novel security, health care, and inventory control applications.
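The abstract names the three descriptors (difference in mean, difference in standard deviation, histogram comparison) and the physical reason the approach works: moving the device itself produces fast fading, while a person walking through the room produces shadow fading, and the two have very different signal distributions. The script below is an added illustration of that comparison and is not the paper's code. It builds three constructed RSS windows (a stationary reference, a slow shadow-fading ramp for a person crossing the path, and Rayleigh fast fading for a moved device), computes the three descriptors, and applies an assumed decision rule that keys only on the spread and histogram-shape descriptors; the thresholds, window length, bin width and trace parameters are all assumed values for this synthetic data.

```python
"""Intra-room mobility detection from RSS descriptors.

Added illustration, not the paper's code. Two windows of RSS samples (dBm)
are summarised by descriptors (difference in mean, difference in standard
deviation, histogram distance) and compared against a reference window.
The decision rule here uses only the spread and shape descriptors, so a slow
shadow-fading shift does not trigger it; thresholds and traces are assumed
values chosen for this synthetic data.
"""
import math
import random
import statistics

BIN_WIDTH_DB = 1.0


def histogram(values, bin_width=BIN_WIDTH_DB):
    """Normalised histogram of the mean-removed samples, keyed by bin index."""
    mu = statistics.fmean(values)
    counts = {}
    for v in values:
        b = math.floor((v - mu) / bin_width)
        counts[b] = counts.get(b, 0) + 1
    n = len(values)
    return {b: c / n for b, c in counts.items()}


def descriptors(ref, cur):
    """The three descriptors compared between the reference and current window."""
    h_ref, h_cur = histogram(ref), histogram(cur)
    bins = set(h_ref) | set(h_cur)
    total_variation = 0.5 * sum(abs(h_ref.get(b, 0.0) - h_cur.get(b, 0.0)) for b in bins)
    return {
        "mean_diff": abs(statistics.fmean(ref) - statistics.fmean(cur)),
        "std_diff": abs(statistics.pstdev(ref) - statistics.pstdev(cur)),
        "hist_dist": total_variation,
    }


def device_moved(ref, cur, std_thresh=2.0, hist_thresh=0.5):
    """Flag mobility when the signal spread or the histogram shape changes."""
    d = descriptors(ref, cur)
    return d["std_diff"] > std_thresh or d["hist_dist"] > hist_thresh


# Constructed RSS traces (dBm), standing in for per-packet readings.
def stationary_window(rng, n, level=-60.0, noise=0.5):
    return [level + rng.gauss(0.0, noise) for _ in range(n)]


def shadowed_window(rng, n, level=-60.0, noise=0.5, drop=2.0):
    """Environmental mobility: someone walks into the path, a slow ramp down."""
    return [level - drop * i / (n - 1) + rng.gauss(0.0, noise) for i in range(n)]


def moving_window(rng, n, level=-60.0):
    """True mobility: Rayleigh fast fading, received power |h|^2 is exponential."""
    out = []
    for _ in range(n):
        i = rng.gauss(0.0, 1.0 / math.sqrt(2.0))
        q = rng.gauss(0.0, 1.0 / math.sqrt(2.0))
        out.append(level + 10.0 * math.log10(max(i * i + q * q, 1e-12)))
    return out


def run_demo(seed=3, n=300):
    """Compare each constructed window against a stationary reference window."""
    rng = random.Random(seed)
    ref = stationary_window(rng, n)
    cases = {
        "still": stationary_window(rng, n),
        "person_walking": shadowed_window(rng, n),
        "device_moved": moving_window(rng, n),
    }
    return {name: {"moved": device_moved(ref, w), **descriptors(ref, w)}
            for name, w in cases.items()}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print("%-15s moved=%-5s mean_diff=%.2f std_diff=%.2f hist_dist=%.2f"
              % (name, r["moved"], r["mean_diff"], r["std_diff"], r["hist_dist"]))
```

The printed mean_diff for the walking-person case is about 1 dB, so a rule built on the mean alone would raise a false alarm there; the std and histogram descriptors barely move for shadow fading and jump by several dB for the Rayleigh window, which is the distributional difference the abstract relies on.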
A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks
Proc. IEEE INFOCOM, 2008
"... Abstract—We develop a practical and comprehensive hybrid rogue access point (AP) detection framework for commodity Wi-Fi networks. It is the first scheme that combines the distributed wireless media surveillance and the centralized wired end socket level traffic “fingerprinting. ” The former is desi ..."
Cited by 15 (1 self)
We develop a practical and comprehensive hybrid rogue access point (AP) detection framework for commodity Wi-Fi networks. It is the first scheme that combines distributed wireless media surveillance and centralized wired-end socket-level traffic “fingerprinting.” The former is designed not only to detect various types of rogue APs, but also to discover suspicious activities so as to prevent the adversaries from turning victim APs into rogue devices. Moreover, the socket-level traffic fingerprinting helps our framework to achieve a finer granularity of rogue AP detection than the existing schemes. This framework has the following nice properties: i) it requires neither specialized hardware nor modification to existing standards; ii) the proposed mechanism greatly improves the rogue AP detection probability so that network resilience is improved; iii) it provides a cost-effective solution to Wi-Fi network security enhancement by incorporating free but mature software tools; iv) it can protect the network from adversaries capable of using customized equipment and/or violating the IEEE 802.11 standard; v) its open architecture allows extra features to be easily added on in the future. Our analysis and evaluation demonstrate that this hybrid