Elsevier

Ad Hoc Networks

Volume 11, Issue 1, January 2013, Pages 288-297

SHAKE: Single HAsh key establishment for resource constrained devices

https://doi.org/10.1016/j.adhoc.2012.05.013

Abstract

Pairwise secret key establishment leveraging properties of the wireless channel is an effective security means in scenarios where no common secret or PKI is available. Related work has shown that secret bit streams can be extracted from, e.g., signal strength ratio measurements between two peers. However, all such schemes require a considerable amount of computing resources from both parties.

In this paper we present SHAKE, a novel algorithm to establish a key using the physical properties of the wireless channel.

SHAKE is particularly suitable for scenarios where the two peers have very diverse computational resources. For example, SHAKE can be used to establish a key between a sensor and the sink in a Wireless Sensor Network. We show that a secret key can be established by shifting the computational burden onto one peer, while the other party only requires one hash evaluation, which can be afforded by any resource constrained device.

We evaluate SHAKE through theoretical analysis and provide validation through real world measurements. According to our experiments, the proposed protocol generates high-entropy bits at remarkable rates and enjoys minimal computational complexity requirements at one of the two parties.

Introduction

The increasing ubiquity of wireless computing devices is calling for effective security measures, e.g., confidentiality and authentication to cite a few. Traditional methods to establish a confidential communication channel fall into two categories. On one side, symmetric key cryptography requires both communication endpoints (e.g., a laptop and an access point) to share a common secret key. In this context, researchers have proposed probabilistic key distribution protocols [1], [2] or user-aided pairing protocols (in the case of commodity devices, e.g., a smartphone and a Bluetooth headset) [3], [4]. On the other side, public key cryptography [5] uses the devices’ public keys and requires a ubiquitous Public Key Infrastructure (PKI) to endorse key authenticity.

In scenarios where neither a common secret nor a PKI is available, a secret key between wireless devices can be established leveraging the inherent randomness of the wireless communication channel [6]. Reciprocity and spatial variation of radio wave propagation guarantee that the multipath properties of the radio channel (e.g., gains, phase shifts, and delays) are (1) identical in both directions of a link at any point in time and (2) unique to the location of the two endpoints.

If two devices, say Alice and Bob, exchange packets and sample their communication link (e.g., for angle of arrival, phase, received signal strength, etc.), the collected measurements can be used to agree on a secret key. Due to the spatio-temporal uniqueness of the channel properties, any other party, say Eve, located at a reasonable distance from the two peers, will measure a different, uncorrelated radio channel and will not be able to learn the key. In reality, protocols for key establishment through sampling of the wireless channel must face a number of practical issues. As A and B cannot sample the channel at the same time, their respective measurements (hence, the key each of them will compute) might be slightly different. Moreover, if the environment is static, the collected measurements might not have enough entropy to bootstrap a good cryptographic key. Most protocols that establish a secret key leveraging the properties of the wireless channel address measurement mismatches and low entropy in three steps:

  • Quantization is used to smooth the difference of the measurements at A and B.

  • Information Reconciliation guarantees that the two parties converge on each measurement. Most key establishment protocols use Cascade [7], an interactive, multiple-round mechanism.

  • Privacy Amplification is used to extract high entropy information from the collected measurements. Most key establishment protocols afford high entropy bits leveraging the “leftover hash lemma” [8].

In this paper we propose SHAKE, a novel key establishment protocol for wireless devices that leverages the properties of the wireless channel. Among the properties of the wireless channel that can be used to compute a key, we use the received signal strength (RSS) as it can be easily measured on a multitude of low-cost devices. We investigate the challenging scenario where one resource-constrained device needs to compute a pairwise key with a non-constrained peer (e.g., a sensor and a laptop).

Our protocol shifts the burden of key establishment onto the non-constrained device; as a result, the constrained peer enjoys secret key establishment at the computational cost of one hash evaluation, which can be afforded by virtually any device.

Our protocol enjoys non-interactive Information Reconciliation. To guarantee that A and B agree on a key, we use one of the simplest forms of authentication: B sends the hash of his key to A, and the latter tries to find the pre-image of the received hash by bruteforcing. Bruteforcing might not be feasible if the search-space (i.e., the set of all possible inputs to the hash function) is large. Indeed, any security protocol that leverages the one-wayness property of hash functions requires a large search-space to guarantee that no malicious party can find the pre-image of the hash. However, we claim that, if the key computed by B is based on his channel measurements and if A leverages her measurements and statistical knowledge of the channel to sample the search-space, the complexity of bruteforcing is considerably reduced and A can eventually invert the hash (i.e., agree on B’s key). In other words, A’s measurements become a trapdoor that allows her to efficiently sample the search-space and invert the hash. As long as Eve sits reasonably far away from the two peers, her channel measurements will not allow her to efficiently sample the search-space, so she will not be able to learn the secret key.
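The following is an added toy simulation of the mechanism just described; it is not the paper's code. B quantizes his RSS readings into symbols and transmits one SHA-256 of the sequence; A inverts that hash by searching outward from her own (slightly different) sequence, while Eve, whose readings are uncorrelated, exhausts her trial budget. The RSS values, the 4 dBm bin width, the adjacent-bin search rule and the SHA-256 encoding are all constructed assumptions.

```python
import hashlib
import itertools
import math

# Constructed RSS readings (dBm) for one packet exchange: A and B observe the same
# channel with small independent noise, Eve observes an uncorrelated channel.
RSS_A = [-60.8, -56.0, -70.2, -48.9, -66.6, -52.2, -74.5, -58.8]
RSS_B = [-61.3, -56.2, -70.8, -48.7, -65.8, -51.8, -74.7, -58.1]
RSS_E = [-72.4, -49.1, -63.3, -77.8, -55.9, -68.2, -44.6, -60.7]
BW = 4  # quantization bin width in dBm (assumed value standing in for the paper's bw)


def quantize(rss, bw=BW):
    """Quantization step: map each RSS reading to a bin index (the 'symbol')."""
    return tuple(math.floor(r / bw) for r in rss)


def commit(symbols):
    """B's single hash evaluation: SHA-256 over the symbol sequence (assumed encoding)."""
    return hashlib.sha256(",".join(map(str, symbols)).encode()).hexdigest()


def smart_search(commitment, own_symbols, max_trials):
    """Reconciliation at A: try her own sequence first, then every sequence obtained by
    moving 1, 2, ... symbols into an adjacent bin, the likely shape of a mismatch.
    Returns (recovered sequence or None, number of hash trials spent)."""
    m = len(own_symbols)
    trials = 0
    for t in range(m + 1):
        for positions in itertools.combinations(range(m), t):
            for deltas in itertools.product((-1, 1), repeat=t):
                if trials >= max_trials:
                    return None, trials
                cand = list(own_symbols)
                for p, d in zip(positions, deltas):
                    cand[p] += d
                trials += 1
                if commit(cand) == commitment:
                    return tuple(cand), trials
    return None, trials


if __name__ == "__main__":
    h = commit(quantize(RSS_B))                          # the only thing B sends
    key, n = smart_search(h, quantize(RSS_A), 1000)
    print("A recovered", key, "after", n, "trials")       # 59 trials here
    print("Eve:", smart_search(h, quantize(RSS_E), 1000)) # (None, 1000): budget exhausted
```

A and B differ in two symbols, each by one bin, so A succeeds after 59 hashes, whereas a blind search over 8 symbols drawn from the 11 bins seen here would face 11^8 candidates.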

Finally, we do not require privacy amplification. We claim that if the environment is crowded and exhibits high mobility of people/objects (e.g., the canteen of our institute, where all experiments were carried out), the collected measurements show enough entropy to establish a good cryptographic key.

The paper is organized as follows. Section 2 surveys related work, while Section 3 provides a high-level view of the proposed solution. Section 4 presents the measurement scenario and the adversarial model, while Section 5 describes the details of our protocol. Sections 6 and 7 present the security analysis and the performance of the proposed approach, respectively. Concluding remarks are presented in Section 8.


Related work

In this paper we study how to extract secret bits from the wireless channel using commodity wireless-enabled hardware. For this reason, we do not survey related work based on special hardware, e.g., accelerometers [9], UWB transceiver [10] or electronically steerable antennas [11].

Authors in [12] present a key establishment algorithm that leverages multiple channels in order to maximize the bit-stream entropy. In fact, their key-generation scheme is based on using frequency-hopping as a source

Our solution in brief

Our key establishment protocol uses the power associated with each received packet, i.e. the received signal strength (RSS), collected by A and B when exchanging packets.1 Once “enough” measurements have been collected, their hash is computed by B and sent to A. Without any auxiliary information, A should perform an

Scenario and adversarial model

We assume that A is a non-constrained computing device such as a laptop, while B has both limited memory and computational power (e.g., a sensor). Both devices are equipped with 802.15.4 compliant radios.

We set up several experiments in the canteen of our institute: measurements were taken during lunch-time, in order to guarantee a crowded environment and benefit from high-entropy measurements. Experiments were carried out using 802.15.4 compliant Iris sensor motes [20] and a laptop computer.

SHAKE

In this section we provide details of the proposed key establishment protocol and the rationale behind our design. Table 1 summarizes the notation used throughout the paper. As shown below, a preliminary communication phase maps raw RSS measurements into a sequence of “symbols” and is used to smooth the differences of the measurements at A and B. Sequences of symbols collected at the two endpoints are expected to have only a few differences and with very low probability. Hence, B hashes his

Security analysis

The envisioned adversary, E, is a global eavesdropper. She can estimate the RSS values for the packets transmitted by both A and B. Moreover, E is aware of the key establishment protocol and the parameters used within it, i.e., w, bw, and M.

Our goal is to design a protocol that is at least as secure as the encryption scheme that will use the established key for further communication. If the encryption scheme is secure and bruteforcing the key is the only viable strategy, we consider

Performance analysis

Smart sampling algorithm. Recall from Section 5.3 that A agrees on S_B with probability P_K(M,R,t) if she starts with S_A and performs T_K(M,R,t) trials.

Fig. 8 shows the performance of the smart sampling algorithm, plotting the sequence agreement probability versus the number of trials. Error bars in Fig. 8 show the 5th, 50th and 95th percentiles of the experimental results when the protocol is run with sequences of M=18 symbols. The dot-dashed line represents the performance of a bruteforcing algorithm that

Conclusions

In this paper we have presented a novel key establishment protocol based on physical properties of the wireless channel. Our protocol is particularly suited to establishing a secret key between devices with very diverse computational resources. In particular, one of the devices enjoys secret key establishment at the cost of one hash computation and a few hundred transmissions, which can be afforded by any resource constrained device. The other device can tune the amount of committed resources

Acknowledgements

Paolo Barsocchi has been supported by EU FP7 universAAL project (contract no. 247950). Gabriele Oligeri has been supported by the project "Autonomous security", sponsored by the Italian Ministry of Research under the PRIN 2008 Programme. The authors would like to thank Antonio De Maglio for his valuable help during the measurement campaign.


References (24)

  • A.W. Dent, Choosing key sizes for cryptography, Information Security Technical Report (2010).
  • H. Chan, A. Perrig, D.X. Song, Random key predistribution schemes for sensor networks, in: Security and Privacy, 2003....
  • L. Eschenauer, V.D. Gligor, A key-management scheme for distributed sensor networks, in: ACM Conference on Computer and...
  • C. Soriente, G. Tsudik, E. Uzun, Hapadep: human-assisted pure audio device pairing, in: 11th International Conference...
  • N. Saxena, J.-E. Ekberg, K. Kostiainen, N. Asokan, Secure device pairing based on a visual channel (short paper), in:...
  • A. Liu, P. Ning, Tinyecc: a configurable library for elliptic curve cryptography in wireless sensor networks, in: 7th...
  • J.E. Hershey, A.A. Hassan, R. Yarlagadda, IEEE Transactions on Communications (1995).
  • G. Brassard, L. Salvail, Secret-key reconciliation by public discussion, in: EUROCRYPT, 1993, pp....
  • R. Impagliazzo, L.A. Levin, M. Luby, Pseudo-random generation from one-way functions (extended abstracts), in: 21st...
  • R. Mayrhofer et al., Shake well before use: intuitive and secure pairing of mobile devices, IEEE Transactions on Mobile Computing (2009).
  • R. Wilson et al., Channel identification: secret sharing using reciprocity in ultrawideband channels, IEEE Transactions on Information Forensics and Security (2007).
  • T. Aono et al., Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels, IEEE Transactions on Antennas and Propagation (2005).

Paolo Barsocchi received his MSc and PhD degrees in Information Engineering from the University of Pisa, Italy, in 2003 and 2007, respectively. Since 2003 he has been an Assistant Researcher at the ISTI/CNR Institute. He has coauthored more than 40 papers published in international journals and conference proceedings, and he has been a member of international program committees of conferences. His research interests are also related to wireless mobile systems and architectures, wireless channel modeling, indoor localization in AAL environments and multimedia communications and services in terrestrial wireless networks.

Gabriele Oligeri is a Postdoctoral researcher at the Department of Information Engineering and Computer Science of the University of Trento. He received the Master Thesis degree and the PhD in Computer Engineering from the University of Pisa (Italy) in 2005 and 2010, respectively. He was with the Wireless Network Laboratory at the Italian National Research Council (ISTI-CNR) from 2005 to 2011. His research focuses mainly on privacy and security in wireless networks.

Claudio Soriente holds a Ph.D. in Networked Systems from the University of California at Irvine. He is currently a post-doctoral researcher at ETH Zurich. His research interests include security and privacy of distributed systems.
