+

WO2007031089A1 - A method for secure communication in a wireless communication system - Google Patents

A method for secure communication in a wireless communication system Download PDF

Info

Publication number
WO2007031089A1
WO2007031089A1 PCT/DK2006/000509 DK2006000509W WO2007031089A1 WO 2007031089 A1 WO2007031089 A1 WO 2007031089A1 DK 2006000509 W DK2006000509 W DK 2006000509W WO 2007031089 A1 WO2007031089 A1 WO 2007031089A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
access point
signals
antenna
secret key
Prior art date
Application number
PCT/DK2006/000509
Other languages
French (fr)
Inventor
Petar Popovski
Patrick Eggers
Hiroyuki Yomo
Frank Fitzek
Persefoni Kyritsi
Original Assignee
Aalborg Universitet
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aalborg Universitet filed Critical Aalborg Universitet
Publication of WO2007031089A1 publication Critical patent/WO2007031089A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the following invention relates to a method for secure communication in a wireless communication system.
  • the considered scenario will in the following be described as a system consisting of an access point and terminals that communicate with the access point.
  • the access point and terminals can be any type of terminal or communication node.
  • B be a terminal, which tries to communicate with an access point AP.
  • E be another terminal, which attempts to eavesdrop on the communication between the access point AP and the terminal B. It is assumed that the communication takes part in a dispersive radio environment, such that the channel between the access point AP and any terminal is frequency selective due to the multipath delay spread.
  • the multipath delay spread causes randomization of the channel impulse response, and this randomization is accordingly reflected in the randomized fading patterns in the frequency domain.
  • One principle used for providing a secure communication between the access point AP and the terminal B, and which is not intercepted by the eavesdropper E is the utilization of the channel reciprocity. It is for the moment assumed that the access point AP and the terminal B have one antenna each and that the channel estimation is perfect. Then, due to the channel reciprocity, the impulse response that the access point AP observes from the transmission from the terminal B is identical to the impulse response that the terminal B observes from the transmission of the access point AP. Clearly, in the pres- ence of channel estimation errors, the impulse responses of the access point AP and the terminal ⁇ are highly correlated.
  • the eavesdropper E is sufficiently (many wavelengths) separated from both the access point AP and the terminal B. This implies that the impulse responses of the channels AP-E, B-E and AP-S are completely uncorrelated. Hence, the so-called shared randomness of the channel between the access point AP and the terminal B can serve as a means to generate random secret key, which cannot be uncovered by the eavesdropper E
  • the method proposed by Koorapaty et al. uses a single antenna at both the access point AP and the terminal B.
  • the communication between the access point AP and the terminal or node B is achieved in two steps.
  • the first step involves a transmission of M sinusoids f ⁇ ,f 2 ,:.,f M with equal energy from the access point AP to the terminal B.
  • the sinusoids are orthogonal and separated by the coherence bandwidth of the channel.
  • the terminal B observes the phase of each sinusoid 0 v 0 2 ,...,0 M and estimates M-
  • phase differences # 2 -O 1 , O 11 -O 1 ,... ⁇ M -O 1 phase differences # 2 -O 1 , O 11 -O 1 ,... ⁇ M -O 1 .
  • the terminal B wants to send the following X-PSK symbols: 0 x ,0 2 ,...0 M , where ⁇ i ⁇ ⁇ 0,f , ⁇ ,... ⁇ ?- ⁇ .
  • the signal at /-th subcarrier has a phase ⁇ i - ⁇ i - O 1 ) . Since the eavesdropper E does not know( ⁇ 9 ( . - O 1 ) , it will with high probability detect the message erroneously.
  • the method proposed by Mori et al. uses an ESPAR antenna and OFDM transmission in order to generate a secret key.
  • the access point AP equipped with the ESPAR antenna forms a beam pattern and sends a packet for measurement.
  • the terminal receives that packet with an omni-directional pattern and acquires a Received Signal Strength Indication (RSSI) value after averaging in order to equalize the influence of noise.
  • RSSI Received Signal Strength Indication
  • a packet for measurement is transmitted using the omnidirectional pattern by the regular user.
  • the access point AP receives that packet by a pattern, which is identical to the original pattern, and acquires the RSSI value after averaging. There are K different RSSI values acquired by repeating the measurement of the RSSI K times and changing the beam pattern of the AP.
  • An iteration K is simply set according to key length.
  • a threshold value is set up for the RSSI value of the K pieces, and it becomes 1, if it is higher than a threshold value and 0 if it is under the threshold value.
  • the same key is generated in the access point AP and the regular user and key agreement can be achieved. Even if an eavesdropper tries to generate a key, the same key shared by the AP and the regular user cannot theoretically be generated by an eavesdropper, since the RSSI value, which is measured in places different to the AP or the regular user, is a different one.
  • a forward error correcting (FEC) code can be applied. This code is agreed in advance by the nodes and it reduces the number of generated random bits to /C 1 , where - ⁇ - is the code rate of the FEC code.
  • the object of the invention is to provide a new and improved method for establishing secure communication between an access point and a terminal in a wireless communication system.
  • the method comprising the steps of: i) the first terminal transmitting at least one terminal pilot signal using the at least one terminal antenna to the access point via M subcarriers, so as to provide individual terminal pilot signals, said at least one terminal pilot signal having a coherence time, ii) the access point detecting at least first signals at the first antenna and second signals at the second antenna for each of the individual terminal pilot signals, iii) the access point within the coherence time of the at least one terminal pilot signals generating and transmitting at least one new pilot signal to the terminal via the
  • the M subcarriers so as to provide individual new pilot signals, said at least one new pilot signal being generated based on the first signals and the second signals detected in step ii) and carrying a secret key, which can be recovered by the access point locally, and iv) the terminal detecting the individual new pilot signals and extracting the secret key shared by the terminal and the access point based on the detected individual new pilot signals. Since the impulse response measured, i.e. the signals detected at the antennas of the access point, is different from the impulse response measured by an eavesdropper, the impulse response measured can be used to generate a random key, which is known only to the access point and the terminal.
  • the access point has essentially two ways of generating random secret key: (1) generate the secret key and based on that decide the linear combinations of the transmitted subcarriers, and (2) generate randomized linear combinations of subcarriers and extract a random key from them in a predefined way.
  • the use of two or more antennas at the access point makes the secret key ex- tremely difficult to decode by an eavesdropper.
  • the access point can be a regular terminal or communication node, i.e. the terminal (or Bob), the access point (or Alice) and the eavesdropper (or Eve) can all be terminals or communication nodes.
  • the access point in step ii) detects the amplitudes and/or the phases of the individual terminal pilot signals. This provides a simple method for providing variables for generation of the secret key.
  • the communication between the terminal and the access point is based on the OFDM protocol.
  • the method for generating the secret key is especially suited for this type of communication.
  • the detected individual terminal pilot sig- nals in step ii) are randomly generated signals. This can be achieved, since the impulse response of the transmission system is random due to the different path lengths of the different subcarriers.
  • the access point in step iii) generates the new pilot signals by making a linear combination of the first signals and the second signals.
  • the linear combination can be a simple addition of the individual signals, which may be complex.
  • the first signals and the second signals are linearly combined by the first and the second antenna retransmitting the detected first and second signal, respectively, to the termi- nal.
  • the terminal uses a predefined power level for transmitting the terminal pilot signal so as to generate a received power distribution across the antennas of the access point.
  • the individual new pilot signals are additionally multiplied with coefficients that correspond to the received power distribution.
  • the new individual pilot signals are phase shifted by a value corresponding to the phase difference of the first and the second signals.
  • the access point can by phase shifting control how the received signals at the terminal are superposed, and thereby it can determine the received amplitude at each subcarrier.
  • the phase shift corresponding to the phase difference of the detected first and second signals are applied to the retransmitted signal of the first antenna or the retransmitted signal of the second antenna.
  • the access point can in general control the phase and amplitude of each re- ceived subcarrier at the terminal through the proper choice of appropriate linear combination.
  • the access point in step iii) multiplies a power coefficient and/or applies a phase shift to the retransmitted signal and/or the retransmitted signal of the second antenna, said power coefficient and phase shift being chosen randomly.
  • These coefficients and phase shifts create a linear combination whose product is a complex number with a resulting amplitude and resulting phase.
  • the access point can extract a secret random key from the resulting amplitudes/phases of the M subcarriers, said extraction being done in a publicly known, pre- defined manner for generation of random integer (string of random bits) out of an ordered set of M complex numbers.
  • the random key is known only to the access point, which sent the secret key, and the terminal, which detects and extracts the secret key using the shared reciprocity of the communication channel as well as the said predefined manner for generation of random numbers, such as a string of random bits.
  • the secret key is first generated by the access point as a string of random bits, the string subsequently being used to decide scaling factors and phase shifts for the individual new pilot signals so as to produce a desired received response at the terminal.
  • the terminal applies a predefined procedure for generation of bit string out of an ordered set of M complex numbers. Since the access point knows the desired received response at the terminal, this can be used to generate a secret key, which is known only by the terminal and the access point.
  • the manner to obtain a secret random key from the ordered set of M complex numbers is to convert each complex symbol into a number of K bits.
  • the amplitude of each complex number is compared to a single threshold level, and a bit 1 is generated if the amplitude is larger than the threshold and bit 0 is generated otherwise.
  • the amplitude of each complex number is compared to 2 K -1 thresholds and thus each complex number generates K bits for the secret key.
  • each complex number can be compared against 2 K predefined decision regions in the complex plane and thus be interpreted as a K-QAM signal or K-PSK signal and thus be used to generate K bits.
  • the M complex numbers can be used to produce M-1 new complex numbers by dividing the adjacent complex numbers and then use the said M-1 complex numbers.
  • the secret key can be generated out of the set of M-1 complex numbers by using the identical methods described in the above paragraph.
  • the individual new pilot signals each have a correlation bandwidth
  • the compared subcarrier pilot signals of the new set of pilot signals are at least the correlation bandwidth apart. This can be necessary, since two adjacent subcarriers can be correlated, where the randomness of the transmission sys- tern only is achieved if using subcarriers that are separated by more than the correlation bandwidth. Therefore, generally the number of pilot subcarriers is less than the total number of subcarriers available for communication.
  • a forward error correction (FEC) code is applied to the secret key. If the secret key is generated such that the access point first generates randomly power coefficients and phases and extracts a string of random bits out of them, then the publicly known FEC decoder is applied to that string of random bits in order to produce a secret key with a shorter length than the string of random bits. Note that in this case only an FEC decoder (and not an FEC encoder) is used by both the terminal and the access point.
  • FEC forward error correction
  • the access point comprises an error-control encoder
  • the terminal comprises a corresponding error-control decoder
  • the error-control encoder adds redundant bits to the secret key
  • the error-control decoder decodes the new individual pilot signals with redundant bits.
  • the terminal comprises two or more terminal antennas, and the terminal sends pilot signals from said two or more terminal antennas sequentially.
  • the secrecy is scalable with the number of terminal antennas and access point antennas. For instance if there are M subcarriers, each subcarrier carries information of a complex number with an amplitude and a phase parameter, the terminal has two antennas and the access point has two antennas, then the total number of available complex random numbers to generate secret key is 2M, whereas the total number of available complex numbers is only M if using one terminal antenna and two access point antennas.
  • the secret key is generated via an explicit communication phase dedicated to the generation of the secret key. This is the simplest way for communication, where the random key first is generated, and the access point and terminal subsequently start data communication encrypted with the agreed key.
  • the secret key is transmitted together with data, which is to be sent between the access point and the terminal.
  • a secret key can be generated for each data packet transmission without interrupting the data communication process.
  • This can for instance be achieved by using one type of modulation, such as Amplitude Shift Keying (ASK), for the data and a second type of modulation, such as Phase Shift Keying (PSK), for the secret key.
  • ASK Amplitude Shift Keying
  • PSK Phase Shift Keying
  • the secret key can also be generated from data, which is to be sent between the access point and the terminal. That is, the random key is generated from at least a part of the user data, which inherently is random. Thereby, a throughput loss is avoided, since the secret key itself carries useful data.
  • Fig. 1 shows communication between two terminals with channel reciprocity
  • FIGs. 3a and 3b communication between an access point and a terminal in a communication system according to the invention
  • Fig. 4 the detected signal strength at the terminal and the eavesdropper as a function of the subcarrier number
  • Fig. 5a the generated key based on the detected signal at the terminal
  • Fig. 5b the generated key based on the detected signal at the eavesdropper
  • Fig. 6 code symbols as a function of the ratio between subcarrier signals
  • Fig. 8 a flow chart for generation of a secret key in a data-parallel operation mode
  • Fig. 9 a flow chart for generation of a secret key using a part of a data packet.
  • Figs. 1 and 2 show the principle of communication between terminals or nodes with channel reciprocity and how this can be used for generating a key or code shared only between these terminals.
  • Alice has an antenna and tries to communicate with Bob.
  • Bob also has an antenna.
  • Alice transmits a first signal 10, which has a certain amplitude and/or phase.
  • the first signal 10 is transmitted through a first communication channel 11 via a number of subcarriers to Bob. If the first signal 10 transmitted from Alice is a short burst, the signals 12 detected at Bob in effect correspond to the impulse re- sponse of the communication channel 11 between Alice and Bob.
  • the impulse response is randomized, since the subcarriers have different path length due to different paths caused by reflections, refractions and the like.
  • signals 22 detected by Alice will be identical to the signals 12 detected by Bob due to channel reciprocity.
  • the signals 22 detected by Alice once again correspond to the impulse response of the communication channel 21.
  • the impulse responses of the first communication channel 21 and the second communication channel 22 will be substantially identical, since Alice and Bob are unlikely to have moved much between transmitting the first signal 10 and the new signal 20. Therefore, the path lengths of the different subcarriers for the first and the second communication channel 21 , 22 will be substantially identical.
  • Eve is a terminal having an antenna and eavesdrops on the communication between Alice and Bob via a third communication channel 31 and fourth communication channel 41.
  • Eve uses the third communication channel 31 to eavesdrop on the communication from Alice to Bob.
  • the third communication channel 31 is not identical to the first communication 11 , Eve measures a different impulse response 32 due to the path lengths of the various subcarriers being different.
  • Eve uses the fourth communication channel 41 to eavesdrop on the communication from Alice to Bob.
  • the fourth com- munication channel 41 is not identical to the first communication 11 , Eve measures a different impulse response 42 due to the path lengths of the various subcarriers being different. Since Alice and Bob have different positions relative to the position of Eve, there is no correlation between the two measured impulse responses 32, 42 and Eve will in principle not be able to derive the impulse response of the communication chan- nel between Alice and Bob. Therefore the impulse response between Alice and Bob can be used to generate a secret code or key, which is shared only by Alice and Bob.
  • Figs. 3a and 3b illustrate a communication system according to the invention.
  • the communication comprises a terminal or node S having at least one terminal antenna 51 , an access point AP having at least a first antenna 52 and a second antenna 53, and an eavesdropper E having an eavesdropper antenna 54.
  • the access point AP has two antennas 52, 53, while the eavesdropper E and the terminal B have one antenna each.
  • the total number of subcarriers is N
  • N c denotes the coherence bandwidth in terms of number of subcarriers.
  • typically only a number of the subcarriers is used as pilot subcarriers.
  • the number of pilot subcarriers is M.
  • the generation of the secret key is done in two phases.
  • the terminal B as illustrated in Fig. 3a first transmits pilot signals (without any data) at all subcarriers.
  • the access point AP can control how the received signals at B are superposed, and thereby it can determine the received amplitude at each subcarrier.
  • the individual pilot signals sent from the terminal B have a total power P 1 , which is distributed across the antennas 52, 53 of the access point AP.
  • a ⁇ and ⁇ 2j ⁇ n other words indicate how the total power P 1 is distributed between the two access point antennas 52, 53 for the j'th subcarrier.
  • the access point AP has generated randomly a set of N phases v v v 2 ,...v N .
  • v ⁇ can have only two values, 0 or ⁇ .
  • the transmitted signal at the y-th subcarrier from the first antenna 52 is shifted by a phase ( ⁇ A j ⁇ 0 2j ) + v j > sucn tnat tne received amplitude of they-th subcarrier at B is:
  • the amplitude detected by the eavesdropper E at the eavesdropper antenna 54 and at the same subcarrier is uncorrelated with Gy.
  • here secrecy is enhanced also due to the combination of the randomness achieved by the channel response from both antennas 52, 53 of the access point AP.
  • the access point AP can locally synthesize the value of Gy, so that the access point AP knows the amplitude of each subcarrier at the terminal ⁇ . Thereby, the access point AP and the terminal B can both generate identical keys or codes.
  • N values G,- can be used to generate the random bits of the secret key shared between the access point AP and the terminal B.
  • One way to generate a string of N - 1 bits a v a 2 ,...a H _ x can be as follows: ro tf ⁇ k ⁇ ⁇ ⁇ t
  • T k 7 - 1 thresholds (T levels)
  • T k 7 - 1 thresholds
  • the total received signal, d ⁇ at the terminal B will have a given amplitude ⁇ d j ⁇ ,
  • the value d j e ⁇ ' can be a symbol of a K-QAM constellation that carries log2(K)>1 bits. Therefore, by using the random key, it is possible to choose the amplitudes a ⁇ J and a 2j as well as the phases T 1 , and ⁇ 2J of the signals transmitted from the access point so as to map more bits per pilot subcarrier from the random key.
  • the information can be encoded in a differential way, for instance by observ- d. e ⁇ j ing that the ratio also be interpreted as a symbol of an K-QAM constella- tion carrying log2(K) bits.
  • the access point can apply a FEC decoder in order to obtain the secret key from the random bits.
  • the same FEC encoder is applied by the terminal. With such a procedure, the probability for the access point and the terminal generating identical secret keys is increased, thus enhancing the reliability of the system.
  • the FEC encoding can also be applied in the other method for secret key generation, where the access point first generates a random secret key of U bits.
  • access point AP can contain an error-control encoder (ECC), in which case the terminal B has to contain the associated decoder.
  • ECC error-control encoder
  • the ECC adds V redundant bits to the generated secret key of U bits and thus maps the U bits to a string of U+V bits
  • the U+V bits are used to determine the values a ⁇ , a 2J , ⁇ ⁇ J and ⁇ 2J and to map the U+V bits to the M subcarriers.
  • the following is an example of how to use generation of multiple bits per subcarrier, differential bit encoding across subcarriers and an ECC.
  • the parameters a xp a 1 , , ⁇ Xj and ⁇ 2y are decided first, and then the secret key is determined at the access point AP side. This is done in the following way: By using the generated cc ⁇ , a 2j , ⁇ Xj and ⁇ 2J and knowing d . e Pj , the access point obtains d . e ⁇ ⁇ log2(Q) bits from the complex value: — J and by putting that value into the deci-
  • sion regions of predefined M-QAM, M-ASK or M-PSK constellations are publicly known.
  • the access point AP is comparing
  • the terminal ⁇ is trying to retrieve the key using analogous procedure, but starting from the noised observations y ⁇ .
  • the terminal B applies some kind of forward error correction (FEC) code in order to increase the probability that the generated keys by the access point AP and the terminal B are identical.
  • FEC forward error correction
  • the protocol of actual transmission from the antennas should be applied in such a way that the randomness of the generated key is preserved as much as possible.
  • the access point AP should transmit in a certain way so as to ensure the eavesdropper E is not able to determine the individual signals received from each antenna. That is, the eavesdropper E will receive a signal
  • This approach can be made scalable in a sense that the introduction of more antennas at the access point AP or the terminal B can further increase the secrecy of the gener- ated key. To see why this is the case, let us assume that the AP has M ⁇ antennas and the terminal S has M 2 antennas. Then the signal at the /7-th subcarrier that B receives at the /77 2 -th receive antenna is:
  • b m i m2n and ⁇ m - ⁇ m2n are the amplitude and the phase, respectively, of the signal, which is transmitted at the /7-th subcarrier from the m-i-th antenna of the access point AP to the /77 2 -th antenna of the terminal B.
  • the access point AP knows for all antennas /H 1 , m 2 and all subcarriers n, it can control the value of the amplitude ⁇ c m2n ⁇ received at the terminal B.
  • ⁇ c m2n ⁇ is determined by several different variables and these variables can be controlled by the access point AP by multiplying the signals with phase shifts, as it has been done in the simpler example above.
  • the receiver has M 2 > 1 different amplitudes ⁇ c m2n ⁇ for each subcarrier. This gives additional degrees of freedom to the design of the actual functions that are used in producing the secret key. To summarize, if the total number of subcarrier is M and the number of antennas at the terminal is M 2 , then there are in total M M 2 complex numbers available for generating the secret key. Due to these additional degrees of freedom, the secrecy of the produced key is proportional to the number of antennas.
  • the generation of the secret key can be generated in two different modes of operation, viz. data-sequential and data-parallel modes.
  • the access point AP and the terminal B run an explicit communication phase dedicated to generation of the random key that will be used in the subsequent communication.
  • the access point, AP and the terminal B start a phase of data communication, in which they send to each other data that is encrypted with the agreed key.
  • the agreed key is used for time T u , such that the time T 11 is sufficient to have at least one packet transmission from the ac- cess point AP to the terminal S.
  • the actual value of T 11 is an overall protocol/system design issue and is out of scope of the present invention.
  • the access point AP and the terminal B can agree to run a new communication phase for key generation.
  • the secret key having U bits is generated.
  • a packet containing user data and having L bits is being prepared for transmission.
  • the secret key is transformed into L bits and is XOR'ed with the data packet, which thus is encrypted using the secret key.
  • the encrypted data (in block E2) is then mapped to all the subcarrier except perhaps the pilot subcarriers in a way known per se from OFDM communication.
  • the secret key (in block E1) is at the same time mapped to the pilot subcarriers and thus determines the phases/amplitudes of all subcarriers.
  • the receiver (in block D1) extract the U bits of the secret key and (in block D2) decodes the encrypted data transmitted in the subcarriers.
  • the U bits of the secret key are transformed to L bits and XOR'ed with the received data, thereby ex- tracting the original packet of user data.
  • the modulations used in blocks E1 and E2 are affecting each other as they are operating over the same set of subcarriers. Therefore, in principle, the two modulation methods used should be different.
  • One viable pair of modulation schemes is that block E1 uses Amplitude Shift Keying (ASK) and block E2 using Phase Shift Keying (PSK).
  • ASK Amplitude Shift Keying
  • PSK Phase Shift Keying
  • the secret key can be encoded over several consecutive symbols and in each symbol the information about the secret key is in the amplitude of the subcarriers, while the encrypted data is in the phases of the subcarriers.
  • the total number of subcarriers S is usually larger than the number of pilot subcarriers M.
  • the en- crypted data is transmitted in the usual OFDM manner either: (i) over all S subcarriers, (ii) only over S-M subcarriers, where the pilot subcarriers are not carrying encrypted data and the terminal B uses them in the usual OFDM manner (to estimated amplitudes/phases), or (iii) the transformation T1 (U to L bits) is publicly known.
  • the secret key is assumed to be a string of U random bits.
  • the random bits are generated by using arbitrary random generator, then the communication system will have a throughput loss, because the key is consuming part of the available throughput, since the access point AP has to send it to the terminal B by the wireless transmission. Note that the random key itself does not carry useful information for the user.
  • Fig. 9 it is possible to generate the random key by using the user data, which is inherently random.
  • the user data D having a length of U+L bits is split into two parts.
  • the first U bits of D is used for generating the secret key, which is then transformed into L bits, which are XOR'ed with the last L bits from D.
  • This method can be used both for data-sequential and data-parallel transmission.
  • Figs. 4 and 5 show an example of generation of random bits.
  • Fig. 4 shows the absolute value of signals B k and E k received at the terminal B and the eavesdropper E in an OFDM system with 64 subcarriers.
  • the graph shows the absolute value of the signals in arbitrary units as a function of the k-th pilot subcarrier.
  • Fig. 5a shows the binary code or key generated by the terminal S by a simple comparison of adjacent pilot subcarriers as a function of the subcarrier number k.
  • Fig. 5b shows the corresponding binary code or key generated by the eavesdropper E by a simple comparison of adjacent pilot subcarriers as a function of the subcarrier number k.
  • Fig. 5c shows the difference between the generated key and it shows that 26 of the 63 individual code symbols are different.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for secure communication in a wireless communica tion system comprising at least a first access point (AP) having at least a first antenna (52) and a second antenna (53), at least a first terminal (B) having at least one terminal antenna (51 ), and a number of subcarriers for communication between the access point (AP) and the terminal (B). The method comprises the steps of: i)the first terminal (B) transmitting at least one terminal pilot signal using the at least one terminal antenna (51 ) to the access point (AP) via M subcarriers, so as to provide individual terminal pilot signals, said at least one terminal pilot signal having a coherence time, ii) the access point (AP) detecting at least first signals at the first antenna (52) and second signals at the second antenna (53) for each of the individual terminal pilot signals, iii) the access point within the coherence time of the at least one terminal pilot signals generating and transmitting at least one new pilot signal to the terminal (B) via the M subcarriers, so as to provide individual new pilot signals, said at least one new pilot signal being gener ated based on the first signals and the second signals detected in step ii) and carrying a secret key, which can be recovered by the access point locally, and iv) the terminal (B) detecting the individual new pilot signals and extracting the secret key shared by the terminal (B) and the access point (AP) based on the detected individual new pilot signals.

Description

Title: A method for secure communication in a wireless communication system
Technical Field
The following invention relates to a method for secure communication in a wireless communication system.
Background Art
The considered scenario will in the following be described as a system consisting of an access point and terminals that communicate with the access point. However, in general, the access point and terminals can be any type of terminal or communication node.
Let B be a terminal, which tries to communicate with an access point AP. Let E be another terminal, which attempts to eavesdrop on the communication between the access point AP and the terminal B. It is assumed that the communication takes part in a dispersive radio environment, such that the channel between the access point AP and any terminal is frequency selective due to the multipath delay spread. The multipath delay spread causes randomization of the channel impulse response, and this randomization is accordingly reflected in the randomized fading patterns in the frequency domain.
One principle used for providing a secure communication between the access point AP and the terminal B, and which is not intercepted by the eavesdropper E is the utilization of the channel reciprocity. It is for the moment assumed that the access point AP and the terminal B have one antenna each and that the channel estimation is perfect. Then, due to the channel reciprocity, the impulse response that the access point AP observes from the transmission from the terminal B is identical to the impulse response that the terminal B observes from the transmission of the access point AP. Clearly, in the pres- ence of channel estimation errors, the impulse responses of the access point AP and the terminal β are highly correlated. Under very practical circumstances, it can be assumed that the eavesdropper E is sufficiently (many wavelengths) separated from both the access point AP and the terminal B. This implies that the impulse responses of the channels AP-E, B-E and AP-S are completely uncorrelated. Hence, the so-called shared randomness of the channel between the access point AP and the terminal B can serve as a means to generate random secret key, which cannot be uncovered by the eavesdropper E
The usage of the channel reciprocity for enabling secure communications has already been applied in H. Koorapaty, A. A. Hassan, and S. Channakeshu, "Secure information transmission for mobile radio," IEEE Commun. Lett, vol. 4, no. 2, pp. 52-55, February 2000 and in H. Mori, H. Sasaoka and T. Ohira, "Performance estimation of secret key agreement system exploiting an ESPER antenna and a received signal strength indicator," in Proc. ISSSE2004, August 2004. September 13, 2005.
The method proposed by Koorapaty et al. uses a single antenna at both the access point AP and the terminal B. The communication between the access point AP and the terminal or node B is achieved in two steps. The first step involves a transmission of M sinusoids fλ,f2,:.,fM with equal energy from the access point AP to the terminal B. The sinusoids are orthogonal and separated by the coherence bandwidth of the channel. The terminal B observes the phase of each sinusoid 0v02,...,0M and estimates M-
1 phase differences #2 -O1, O11 -O1,...ΘM -O1. It is now assumed that the terminal B wants to send the following X-PSK symbols: 0x,02,...0M , where ψi ε {0,f ,ψ,...^ψ?-} . Then the signal at /-th subcarrier has a phase ψi - {θi - O1) . Since the eavesdropper E does not know(<9(. - O1) , it will with high probability detect the message erroneously.
The method proposed by Mori et al. uses an ESPAR antenna and OFDM transmission in order to generate a secret key. In a key generation mode, the access point AP equipped with the ESPAR antenna forms a beam pattern and sends a packet for measurement. The terminal receives that packet with an omni-directional pattern and acquires a Received Signal Strength Indication (RSSI) value after averaging in order to equalize the influence of noise. Next, a packet for measurement is transmitted using the omnidirectional pattern by the regular user. The access point AP receives that packet by a pattern, which is identical to the original pattern, and acquires the RSSI value after averaging. There are K different RSSI values acquired by repeating the measurement of the RSSI K times and changing the beam pattern of the AP. An iteration K is simply set according to key length. Next, a threshold value is set up for the RSSI value of the K pieces, and it becomes 1, if it is higher than a threshold value and 0 if it is under the threshold value. After binarization, the same key is generated in the access point AP and the regular user and key agreement can be achieved. Even if an eavesdropper tries to generate a key, the same key shared by the AP and the regular user cannot theoretically be generated by an eavesdropper, since the RSSI value, which is measured in places different to the AP or the regular user, is a different one. In order to reduce the probability of key disagreement due to noise errors, a forward error correcting (FEC) code can be applied. This code is agreed in advance by the nodes and it reduces the number of generated random bits to /C1, where -§- is the code rate of the FEC code.
The object of the invention is to provide a new and improved method for establishing secure communication between an access point and a terminal in a wireless communication system.
Disclosure of Invention
According to the invention, this is obtained by a method for secure communication in a wireless communication system, said system comprising:
- at least a first access point having at least a first antenna and a second antenna,
- at least a first terminal having at least one terminal antenna, and - a number of subcarriers for communication between the access point and the terminal, said method comprising the steps of: i) the first terminal transmitting at least one terminal pilot signal using the at least one terminal antenna to the access point via M subcarriers, so as to provide individual terminal pilot signals, said at least one terminal pilot signal having a coherence time, ii) the access point detecting at least first signals at the first antenna and second signals at the second antenna for each of the individual terminal pilot signals, iii) the access point within the coherence time of the at least one terminal pilot signals generating and transmitting at least one new pilot signal to the terminal via the
M subcarriers, so as to provide individual new pilot signals, said at least one new pilot signal being generated based on the first signals and the second signals detected in step ii) and carrying a secret key, which can be recovered by the access point locally, and iv) the terminal detecting the individual new pilot signals and extracting the secret key shared by the terminal and the access point based on the detected individual new pilot signals. Since the impulse response measured, i.e. the signals detected at the antennas of the access point, is different from the impulse response measured by an eavesdropper, the impulse response measured can be used to generate a random key, which is known only to the access point and the terminal. The access point has essentially two ways of generating random secret key: (1) generate the secret key and based on that decide the linear combinations of the transmitted subcarriers, and (2) generate randomized linear combinations of subcarriers and extract a random key from them in a predefined way. The use of two or more antennas at the access point makes the secret key ex- tremely difficult to decode by an eavesdropper. It should be noted that the access point can be a regular terminal or communication node, i.e. the terminal (or Bob), the access point (or Alice) and the eavesdropper (or Eve) can all be terminals or communication nodes.
According to a preferred embodiment of the method according to the invention, the access point in step ii) detects the amplitudes and/or the phases of the individual terminal pilot signals. This provides a simple method for providing variables for generation of the secret key.
According to a preferred embodiment, the communication between the terminal and the access point is based on the OFDM protocol. The method for generating the secret key is especially suited for this type of communication.
According to another preferred embodiment, the detected individual terminal pilot sig- nals in step ii) are randomly generated signals. This can be achieved, since the impulse response of the transmission system is random due to the different path lengths of the different subcarriers.
In a preferred embodiment of the method according to the invention, the access point in step iii) generates the new pilot signals by making a linear combination of the first signals and the second signals. The linear combination can be a simple addition of the individual signals, which may be complex. According to a preferred embodiment, the first signals and the second signals are linearly combined by the first and the second antenna retransmitting the detected first and second signal, respectively, to the termi- nal. According to another preferred embodiment, the terminal uses a predefined power level for transmitting the terminal pilot signal so as to generate a received power distribution across the antennas of the access point. Preferably, the individual new pilot signals are additionally multiplied with coefficients that correspond to the received power distribution.
According to a preferred embodiment, the new individual pilot signals are phase shifted by a value corresponding to the phase difference of the first and the second signals. Generally, the access point can by phase shifting control how the received signals at the terminal are superposed, and thereby it can determine the received amplitude at each subcarrier. According to another preferred embodiment, the phase shift corresponding to the phase difference of the detected first and second signals are applied to the retransmitted signal of the first antenna or the retransmitted signal of the second antenna. The access point can in general control the phase and amplitude of each re- ceived subcarrier at the terminal through the proper choice of appropriate linear combination.
According to a particularly preferred embodiment, the access point in step iii) multiplies a power coefficient and/or applies a phase shift to the retransmitted signal and/or the retransmitted signal of the second antenna, said power coefficient and phase shift being chosen randomly. These coefficients and phase shifts create a linear combination whose product is a complex number with a resulting amplitude and resulting phase. The access point can extract a secret random key from the resulting amplitudes/phases of the M subcarriers, said extraction being done in a publicly known, pre- defined manner for generation of random integer (string of random bits) out of an ordered set of M complex numbers. Due to the randomness of the channel, it is ensured that the random key is known only to the access point, which sent the secret key, and the terminal, which detects and extracts the secret key using the shared reciprocity of the communication channel as well as the said predefined manner for generation of random numbers, such as a string of random bits.
According to another particularly preferred embodiment, the secret key is first generated by the access point as a string of random bits, the string subsequently being used to decide scaling factors and phase shifts for the individual new pilot signals so as to produce a desired received response at the terminal. In this case, the terminal applies a predefined procedure for generation of bit string out of an ordered set of M complex numbers. Since the access point knows the desired received response at the terminal, this can be used to generate a secret key, which is known only by the terminal and the access point.
According to a particularly preferred embodiment, the manner to obtain a secret random key from the ordered set of M complex numbers is to convert each complex symbol into a number of K bits. In one embodiment, the amplitude of each complex number is compared to a single threshold level, and a bit 1 is generated if the amplitude is larger than the threshold and bit 0 is generated otherwise. In another embodiment, the amplitude of each complex number is compared to 2K-1 thresholds and thus each complex number generates K bits for the secret key. In another embodiment, each complex number can be compared against 2K predefined decision regions in the complex plane and thus be interpreted as a K-QAM signal or K-PSK signal and thus be used to generate K bits.
In yet another embodiment, the M complex numbers can be used to produce M-1 new complex numbers by dividing the adjacent complex numbers and then use the said M-1 complex numbers. In this case the secret key can be generated out of the set of M-1 complex numbers by using the identical methods described in the above paragraph.
According to a preferred embodiment, the individual new pilot signals each have a correlation bandwidth, and the compared subcarrier pilot signals of the new set of pilot signals are at least the correlation bandwidth apart. This can be necessary, since two adjacent subcarriers can be correlated, where the randomness of the transmission sys- tern only is achieved if using subcarriers that are separated by more than the correlation bandwidth. Therefore, generally the number of pilot subcarriers is less than the total number of subcarriers available for communication.
According to a preferred embodiment, a forward error correction (FEC) code is applied to the secret key. If the secret key is generated such that the access point first generates randomly power coefficients and phases and extracts a string of random bits out of them, then the publicly known FEC decoder is applied to that string of random bits in order to produce a secret key with a shorter length than the string of random bits. Note that in this case only an FEC decoder (and not an FEC encoder) is used by both the terminal and the access point. According to an alternative embodiment, the access point comprises an error-control encoder, and the terminal comprises a corresponding error-control decoder, where the error-control encoder adds redundant bits to the secret key, and the error-control decoder decodes the new individual pilot signals with redundant bits. These two embodiments ensure that the secret key agreement between the access point and the terminal is further improved.
According to a preferred embodiment, the terminal comprises two or more terminal antennas, and the terminal sends pilot signals from said two or more terminal antennas sequentially. Thereby, more tunable parameters are added, thereby increasing the secrecy of the secret key. In general, the secrecy is scalable with the number of terminal antennas and access point antennas. For instance if there are M subcarriers, each subcarrier carries information of a complex number with an amplitude and a phase parameter, the terminal has two antennas and the access point has two antennas, then the total number of available complex random numbers to generate secret key is 2M, whereas the total number of available complex numbers is only M if using one terminal antenna and two access point antennas.
In a preferred embodiment according to the invention, the secret key is generated via an explicit communication phase dedicated to the generation of the secret key. This is the simplest way for communication, where the random key first is generated, and the access point and terminal subsequently start data communication encrypted with the agreed key.
According to an alternative embodiment, the secret key is transmitted together with data, which is to be sent between the access point and the terminal. Thereby a secret key can be generated for each data packet transmission without interrupting the data communication process. This can for instance be achieved by using one type of modulation, such as Amplitude Shift Keying (ASK), for the data and a second type of modulation, such as Phase Shift Keying (PSK), for the secret key.
The secret key can also be generated from data, which is to be sent between the access point and the terminal. That is, the random key is generated from at least a part of the user data, which inherently is random. Thereby, a throughput loss is avoided, since the secret key itself carries useful data.
Brief Description of the Drawings The invention is explained in detail below with reference to the drawings, in which
Fig. 1 shows communication between two terminals with channel reciprocity,
Fig. 2 communication between two terminals with channel reciprocity and a third terminal trying to eavesdrop on the communication,
Figs. 3a and 3b communication between an access point and a terminal in a communication system according to the invention,
Fig. 4 the detected signal strength at the terminal and the eavesdropper as a function of the subcarrier number,
Fig. 5a the generated key based on the detected signal at the terminal,
Fig. 5b the generated key based on the detected signal at the eavesdropper,
Fig. 5c the difference between the two generated keys,
Fig. 6 code symbols as a function of the ratio between subcarrier signals,
Fig. 7 subcarriers being divided into subchannels,
Fig. 8 a flow chart for generation of a secret key in a data-parallel operation mode, and
Fig. 9 a flow chart for generation of a secret key using a part of a data packet.
Best Modes for Carrying out the Invention
Figs. 1 and 2 show the principle of communication between terminals or nodes with channel reciprocity and how this can be used for generating a key or code shared only between these terminals. Alice has an antenna and tries to communicate with Bob. Bob also has an antenna. Alice transmits a first signal 10, which has a certain amplitude and/or phase. The first signal 10 is transmitted through a first communication channel 11 via a number of subcarriers to Bob. If the first signal 10 transmitted from Alice is a short burst, the signals 12 detected at Bob in effect correspond to the impulse re- sponse of the communication channel 11 between Alice and Bob. The impulse response is randomized, since the subcarriers have different path length due to different paths caused by reflections, refractions and the like.
If Bob within the coherence time of the first signal 10 transmitted from Alice transmits a new signal 20 having identical amplitude and/or phase as the first signal 10 through a second communication channel 21 , then signals 22 detected by Alice will be identical to the signals 12 detected by Bob due to channel reciprocity. The signals 22 detected by Alice once again correspond to the impulse response of the communication channel 21. The impulse responses of the first communication channel 21 and the second communication channel 22 will be substantially identical, since Alice and Bob are unlikely to have moved much between transmitting the first signal 10 and the new signal 20. Therefore, the path lengths of the different subcarriers for the first and the second communication channel 21 , 22 will be substantially identical.
Since the communication between Alice and Bob is wireless, it is possible for other terminals or nodes to eavesdrop on the communication. In Fig. 2 Eve is a terminal having an antenna and eavesdrops on the communication between Alice and Bob via a third communication channel 31 and fourth communication channel 41. Eve uses the third communication channel 31 to eavesdrop on the communication from Alice to Bob. However, since the third communication channel 31 is not identical to the first communication 11 , Eve measures a different impulse response 32 due to the path lengths of the various subcarriers being different. Eve uses the fourth communication channel 41 to eavesdrop on the communication from Alice to Bob. However, since the fourth com- munication channel 41 is not identical to the first communication 11 , Eve measures a different impulse response 42 due to the path lengths of the various subcarriers being different. Since Alice and Bob have different positions relative to the position of Eve, there is no correlation between the two measured impulse responses 32, 42 and Eve will in principle not be able to derive the impulse response of the communication chan- nel between Alice and Bob. Therefore the impulse response between Alice and Bob can be used to generate a secret code or key, which is shared only by Alice and Bob.
Figs. 3a and 3b illustrate a communication system according to the invention. The communication comprises a terminal or node S having at least one terminal antenna 51 , an access point AP having at least a first antenna 52 and a second antenna 53, and an eavesdropper E having an eavesdropper antenna 54. In order to illustrate the proposed approach, we will treat the simplest case, in which the access point AP has two antennas 52, 53, while the eavesdropper E and the terminal B have one antenna each. The total number of subcarriers is N, while Nc denotes the coherence bandwidth in terms of number of subcarriers. However, as later ex- plained in more detail, typically only a number of the subcarriers is used as pilot subcarriers. The number of pilot subcarriers is M.
The generation of the secret key is done in two phases. The terminal B as illustrated in Fig. 3a first transmits pilot signals (without any data) at all subcarriers. Let b^e1** de- note the complex representation of the y-th subcarrier received at the /-th antenna of the access point AP, where / = 1, 2 and j = 1...N. If the access point AP within the coherence time of the pilot signals uses the same power at both antennas 52, 53 to retransmit the pilot signal detected at the first antenna 52 and second antenna 53 and at they- th subcarrier, then the received signal at B is:
Figure imgf000012_0001
where z* is the noise and C is a constant, which depends on the actual value of the transmitted power from the access point AP (Clearly, the access point AP can apply power control and achieve C = 1). However, since the access point AP knows the phases φij and φ2j of the detected signals, it can apply a phase shift of (φ{J2j) t° the transmitted pilot at the first antenna 52, so that the received signal at B is:
Figure imgf000012_0002
More generally, by changing the phase of the transmitted signal at e.g. the first antenna 42, the access point AP can control how the received signals at B are superposed, and thereby it can determine the received amplitude at each subcarrier.
The individual pilot signals sent from the terminal B have a total power P1, which is distributed across the antennas 52, 53 of the access point AP. When the access point AP retransmits the received signals the amplitude coefficient corresponds to the distribution of the power P1 across the access point antennas 52, 53 - i.e. that bλJ = ^PxCC1J and t b2J = ^Pλcc2J , where aX] and a2J both have values between 0 and
1 , and the sum of aυ and a2J is 1. aυand α2j \n other words indicate how the total power P1 is distributed between the two access point antennas 52, 53 for the j'th subcarrier. Let us assume that the access point AP has generated randomly a set of N phases vvv2,...vN . In the simplest case, v} can have only two values, 0 or π . Then, the transmitted signal at the y-th subcarrier from the first antenna 52 is shifted by a phase (<Aj ~02j) + v j > sucn tnat tne received amplitude of they-th subcarrier at B is:
Figure imgf000013_0001
Note that the amplitude detected by the eavesdropper E at the eavesdropper antenna 54 and at the same subcarrier is uncorrelated with Gy. Hence, here secrecy is enhanced also due to the combination of the randomness achieved by the channel response from both antennas 52, 53 of the access point AP. Note that the access point AP can locally synthesize the value of Gy, so that the access point AP knows the amplitude of each subcarrier at the terminal β. Thereby, the access point AP and the terminal B can both generate identical keys or codes.
Now the N values G,- can be used to generate the random bits of the secret key shared between the access point AP and the terminal B. One way to generate a string of N - 1 bits ava2,...aH_x can be as follows: ro tfβ < βt
"' -{I i/Gm > Gt (4) where the amplitudes of adjacent subcarriers are compared.
As a further generalization, it is possible to generate M bits by using the relation between the amplitudes Gk and G^1 of adjacent subcarriers. To see how this can be achieved, the following value is observed:
Tk = log^- (5)
If the real axis is quantized with 7 - 1 thresholds (T levels), then the value Tk can be used to produce Iog2(7) bits. Clearly, with only one threshold set at Tk = 0, only one bit will be generated, equivalents to (4).
In general, the total received signal, d}, at the terminal B will have a given amplitude \dj\,
which can range from 0 to as well as an arbitrary phase, βy.
Figure imgf000013_0002
Hence, in general the value dj eβ' can be a symbol of a K-QAM constellation that carries log2(K)>1 bits. Therefore, by using the random key, it is possible to choose the amplitudes aλJ and a2j as well as the phases T1, and τ2Jof the signals transmitted from the access point so as to map more bits per pilot subcarrier from the random key.
Similarly, the information can be encoded in a differential way, for instance by observ- d. eβj ing that the ratio also be interpreted as a symbol of an K-QAM constella-
Figure imgf000014_0001
tion carrying log2(K) bits.
After obtaining a string of bits by appropriate mapping/thresholds of the M complex numbers, the access point can apply a FEC decoder in order to obtain the secret key from the random bits. The same FEC encoder is applied by the terminal. With such a procedure, the probability for the access point and the terminal generating identical secret keys is increased, thus enhancing the reliability of the system.
The FEC encoding can also be applied in the other method for secret key generation, where the access point first generates a random secret key of U bits. In order to increase the probability that the terminal B will reproduce the same key as generated by the access point AP, then access point AP can contain an error-control encoder (ECC), in which case the terminal B has to contain the associated decoder. In this case, the ECC adds V redundant bits to the generated secret key of U bits and thus maps the U bits to a string of U+V bits
The U+V bits are used to determine the values aυ , a2J , τλJ and τ2J and to map the U+V bits to the M subcarriers.
The following is an example of how to use generation of multiple bits per subcarrier, differential bit encoding across subcarriers and an ECC.
For each subcarrier j the following is carried out: (i) aυ '\s selected randomly and (X2J =l-aiJ is determined, and (ii) τXJ andr2Jare selected uniformly and randomly. In this case, the parameters axp a1 , , τXj andτ2y are decided first, and then the secret key is determined at the access point AP side. This is done in the following way: By using the generated ccυ , a2j , τXj and τ2J and knowing d . ePj , the access point obtains d . eβ< log2(Q) bits from the complex value: — J and by putting that value into the deci-
sion regions of predefined M-QAM, M-ASK or M-PSK constellations (the constellations are publicly known). For example, in case of 4-ASK, the access point AP is comparing
to 3 thresholds in order to see, in which of the four regions of 4-ASK this value
Figure imgf000015_0001
falls as for instance shown in Fig. 6. Hence, Alice can generate Q=2 bits out of such a single comparison. After this, the access point AP has generated a string of (M-I )Q bits.
The decoder of a predefined error correction code with rate U/(U+V) is used to map the U+V=(M-1 )Q bits to a string of U bits, which represents the secret key. The terminal β is trying to retrieve the key using analogous procedure, but starting from the noised observations y}.
In some situations, the channel responses of the adjacent subcarriers might be highly correlated. In such case, it is only possible to generate -$--1 bits according to (4) by picking only M = $- subcarriers, where each pair of subcarriers is at least Nc subcaπϊ- ers apart. This is illustrated in Fig. 7. In this figure, the subcarriers are represented by arrows 71 and pilot subcarriers are represented by dashed arrows 72. Since the coherence bandwidth is equal to Nc subcarriers, the subcarriers are bundled into subchannels, and only one pilot subcarrier 72 is used per subchannel. This is illustrated for the case where Nc = 5 and therefore the pilot subcarriers are spaced 5 subcarriers apart.
Additionally, it can be agreed in advance that the terminal B applies some kind of forward error correction (FEC) code in order to increase the probability that the generated keys by the access point AP and the terminal B are identical.
Finally, the protocol of actual transmission from the antennas should be applied in such a way that the randomness of the generated key is preserved as much as possible. For example, in this scenario, the access point AP should transmit in a certain way so as to ensure the eavesdropper E is not able to determine the individual signals received from each antenna. That is, the eavesdropper E will receive a signal
Ce[cυejβiJ + c2Jejβ2Jj+ Zj , but it should not be enabled to observe the individual signals cλJeiβiJ and c2JeJ^2J , since it makes it easier for E to break the secret key agreed between the access point AP and the terminal β.
This approach can be made scalable in a sense that the introduction of more antennas at the access point AP or the terminal B can further increase the secrecy of the gener- ated key. To see why this is the case, let us assume that the AP has M^ antennas and the terminal S has M2 antennas. Then the signal at the /7-th subcarrier that B receives at the /772-th receive antenna is:
Af1 c = V Λ g*w (R\
where bmim2n and φmm2n are the amplitude and the phase, respectively, of the signal, which is transmitted at the /7-th subcarrier from the m-i-th antenna of the access point AP to the /772-th antenna of the terminal B. Now, since the access point AP knows
Figure imgf000016_0001
for all antennas /H1, m2 and all subcarriers n, it can control the value of the amplitude \cm2n\ received at the terminal B. In this case \cm2n\ is determined by several different variables and these variables can be controlled by the access point AP by multiplying the signals with phase shifts, as it has been done in the simpler example above. In addition, the receiver has M2 > 1 different amplitudes \cm2n\ for each subcarrier. This gives additional degrees of freedom to the design of the actual functions that are used in producing the secret key. To summarize, if the total number of subcarrier is M and the number of antennas at the terminal is M2, then there are in total M M2 complex numbers available for generating the secret key. Due to these additional degrees of freedom, the secrecy of the produced key is proportional to the number of antennas.
The generation of the secret key can be generated in two different modes of operation, viz. data-sequential and data-parallel modes.
In the data sequential mode the access point AP and the terminal B run an explicit communication phase dedicated to generation of the random key that will be used in the subsequent communication. After the random key is generated, the access point, AP and the terminal B start a phase of data communication, in which they send to each other data that is encrypted with the agreed key. The agreed key is used for time Tu, such that the time T11 is sufficient to have at least one packet transmission from the ac- cess point AP to the terminal S. The actual value of T11 is an overall protocol/system design issue and is out of scope of the present invention. After the time Tu, the access point AP and the terminal B can agree to run a new communication phase for key generation.
The idea behind the data-parallel mode is that while the secret key is transmitted across the pilot subcarriers, the rest of the subcarriers (or possibly all) are used for transmitting data at the same time. The principle is illustrated in Fig. 8.
First the secret key having U bits is generated. At the same time a packet containing user data and having L bits is being prepared for transmission. The secret key is transformed into L bits and is XOR'ed with the data packet, which thus is encrypted using the secret key. The encrypted data (in block E2) is then mapped to all the subcarrier except perhaps the pilot subcarriers in a way known per se from OFDM communication. The secret key (in block E1) is at the same time mapped to the pilot subcarriers and thus determines the phases/amplitudes of all subcarriers.
At the receiver side, the receiver (in block D1) extract the U bits of the secret key and (in block D2) decodes the encrypted data transmitted in the subcarriers. The U bits of the secret key are transformed to L bits and XOR'ed with the received data, thereby ex- tracting the original packet of user data.
The modulations used in blocks E1 and E2 are affecting each other as they are operating over the same set of subcarriers. Therefore, in principle, the two modulation methods used should be different. One viable pair of modulation schemes is that block E1 uses Amplitude Shift Keying (ASK) and block E2 using Phase Shift Keying (PSK). In that case, the secret key can be encoded over several consecutive symbols and in each symbol the information about the secret key is in the amplitude of the subcarriers, while the encrypted data is in the phases of the subcarriers. The total number of subcarriers S is usually larger than the number of pilot subcarriers M. If S>M, then the en- crypted data is transmitted in the usual OFDM manner either: (i) over all S subcarriers, (ii) only over S-M subcarriers, where the pilot subcarriers are not carrying encrypted data and the terminal B uses them in the usual OFDM manner (to estimated amplitudes/phases), or (iii) the transformation T1 (U to L bits) is publicly known.
As mentioned previously, the secret key is assumed to be a string of U random bits. However, if the random bits are generated by using arbitrary random generator, then the communication system will have a throughput loss, because the key is consuming part of the available throughput, since the access point AP has to send it to the terminal B by the wireless transmission. Note that the random key itself does not carry useful information for the user.
Instead, as shown in Fig. 9, it is possible to generate the random key by using the user data, which is inherently random. The user data D having a length of U+L bits is split into two parts. The first U bits of D is used for generating the secret key, which is then transformed into L bits, which are XOR'ed with the last L bits from D. Thereby, it is possible to avoid the throughput loss, as the secret key is also useful data. This method can be used both for data-sequential and data-parallel transmission.
Figs. 4 and 5 show an example of generation of random bits. Fig. 4 shows the absolute value of signals Bk and Ek received at the terminal B and the eavesdropper E in an OFDM system with 64 subcarriers. The graph shows the absolute value of the signals in arbitrary units as a function of the k-th pilot subcarrier.
Fig. 5a shows the binary code or key generated by the terminal S by a simple comparison of adjacent pilot subcarriers as a function of the subcarrier number k. Fig. 5b shows the corresponding binary code or key generated by the eavesdropper E by a simple comparison of adjacent pilot subcarriers as a function of the subcarrier number k. Fig. 5c shows the difference between the generated key and it shows that 26 of the 63 individual code symbols are different.
The invention has been described with reference to a preferred embodiment. However, the scope of the invention is not limited to the illustrated embodiment, and alterations and modifications can be carried out without deviating from said scope of the invention.

Claims

Claims
1. A method for secure communication in a wireless communication system, said system comprising: - at least a first access point (AP) having at least a first antenna (52) and a second antenna (53),
- at least a first terminal (B) having at least one terminal antenna (51), and
- a number of subcarriers for communication between the access point (AP) and the terminal (B), wherein said method comprises the steps of: i) the first terminal (B) transmitting at least one terminal pilot signal using the at least one terminal antenna (51) to the access point (AP) via M subcarriers, so as to provide individual terminal pilot signals, said at least one terminal pilot signal having a coherence time, ii) the access point (AP) detecting at least first signals at the first antenna (52) and second signals at the second antenna (53) for each of the individual terminal pilot signals, iii) the access point within the coherence time of the at least one terminal pilot signals generating and transmitting at least one new pilot signal to the terminal (B) via M subcarriers, so as to provide individual new pilot signals, said at least one new pilot signal being generated based on the first signals and the second signals detected in step ii) and carrying a secret key, which can be recovered by the access point locally, and iv) the terminal (B) detecting the individual new pilot signals and extracting the secret key shared by the terminal (B) and the access point (AP) based on the detected individual new pilot signals.
2. A method according to claim 1, wherein the access point in step ii) detects the amplitudes and/or the phases of the individual terminal pilot signals.
3. A method according to claim 1 or 2, wherein the communication between the terminal (B) and the access point (AP) is based on the OFDM protocol.
4. A method according to any of the preceding claims, wherein the detected individ- ual terminal pilot signals in step ii) are randomly generated signals.
5. A method according to any of the preceding claims, wherein the access point (AP) in step iii) generates the new pilot signals by making a linear combination of the first signals and the second signals.
6. A method according to claim 5, wherein the first signals and the second signals are linearly combined by the first (52) and the second antenna (53) retransmitting the detected first and second signals, respectively, to the terminal (B).
7. A method according to any of the preceding claims, wherein the new individual pi- lot signals are phase shifted by a value corresponding to the phase difference of the first and the second signals.
8. A method according to any of the preceding claims, wherein the terminal (B) uses a predefined power level for transmitting the terminal pilot signal so as to generate a received power distribution across the antennas of the access point (AP).
9. A method according to claims 7 and 8, wherein the new individual pilot signals additionally is multiplied with coefficients that correspond to the received power distribution.
10. A method according to claims 6 and 7 or claims 6 and 7 together with claim 8 or 9, wherein the phase shift corresponding to the phase difference of the detected first and second signals are applied to the retransmitted signal of the first antenna (52) or the retransmitted signal of the second antenna (53).
11. A method according to claim 6 or claim 6 together with any of claims 7-10, wherein the access point in step iii) multiplies a power coefficient and/or applies a phase shift to the retransmitted signal of the first antenna (52) and/or the retransmitted signal of the second antenna (53), said power coefficient and phase shift being chosen randomly.
12. A method according to any of the preceding claims, wherein the secret key is first generated by the access point (AP) as a string of random bits, the string subsequently being used to decide scaling factors and phase shifts for the individual new pilot signal so as to produce a desired received response at the terminal (B).
13. A method according to claim 12, wherein the secret key is digitised by the access point (AP) comparing the received response to a threshold level.
14. A method according to claim 12, wherein the secret key is converted to symbols by the access point (AP) comparing the received response to a number of threshold levels.
15. A method according to one of the preceding claims, wherein the secret key shared between the access point (AP) and the terminal (B) in step iv) is generated by using the information contained in the individual detected new pilot signals from the M subcarriers.
16. A method according to claim 15, wherein the M individual new pilot signals are used to generate M-1 complex numbers by comparing adjacent individual new pilot sig- nals.
17. A method according to claim 15, wherein the individual new pilot signals each have a correlation bandwidth (Nc), and wherein the M compared subcarrier pilot signals of the new set of pilot signals are at least the correlation bandwidth (N0) apart.
18. A method according to any of the preceding claims, wherein a forward error correction (FEC) code is applied to the secret key.
19. A method according any of the preceding claims, wherein the access point (AP) comprises an error-control encoder, and the terminal (B) comprises a corresponding error-control decoder, and wherein the error-control encoder adds redundant bits to the secret key, and the error-control decoder decodes the new individual pilot signals with redundant bits.
20. A method according to any of the preceding claims, wherein the terminal (B) comprises two or more terminal antennas, and wherein the terminal sends pilot signals from said two or more terminal antennas sequentially.
21. A method according to any of the preceding claims, wherein the secret key is generated via an explicit communication phase dedicated to the generation of the secret key.
22. A method according to any of claims 1-22, wherein the secret key is transmitted together with data, which is to be sent between the access point (AP) and the terminal (B).
24. A method according to claim 22 or 23, wherein the secret key is generated from data, which is to be sent between the access point (AP) and the terminal (B).
PCT/DK2006/000509 2005-09-15 2006-09-15 A method for secure communication in a wireless communication system WO2007031089A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US71694505P 2005-09-15 2005-09-15
US60/716,945 2005-09-15
DKPA200501287 2005-09-15
DKPA200501287 2005-09-15

Publications (1)

Publication Number Publication Date
WO2007031089A1 true WO2007031089A1 (en) 2007-03-22

Family

ID=37250731

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2006/000509 WO2007031089A1 (en) 2005-09-15 2006-09-15 A method for secure communication in a wireless communication system

Country Status (1)

Country Link
WO (1) WO2007031089A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2154814A1 (en) * 2008-08-14 2010-02-17 Koninklijke Philips Electronics N.V. Scalable key distribution
CN104219252A (en) * 2014-09-28 2014-12-17 东南大学 Coding error correction based secret key forward direction consistency calibration method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996022643A1 (en) * 1995-01-20 1996-07-25 Ericsson, Inc. Establishment of cryptographic keys in radio networks
WO2002054807A1 (en) * 2001-01-05 2002-07-11 Siemens Aktiengesellschaft Method and communication terminal for generating a key
EP1531558A1 (en) * 2002-09-19 2005-05-18 Matsushita Electric Industrial Co., Ltd. Transmitting apparatus, receiving apparatus, radio communication method, and radio communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996022643A1 (en) * 1995-01-20 1996-07-25 Ericsson, Inc. Establishment of cryptographic keys in radio networks
WO2002054807A1 (en) * 2001-01-05 2002-07-11 Siemens Aktiengesellschaft Method and communication terminal for generating a key
EP1531558A1 (en) * 2002-09-19 2005-05-18 Matsushita Electric Industrial Co., Ltd. Transmitting apparatus, receiving apparatus, radio communication method, and radio communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HERSHEY J E ET AL: "UNCONVENTIONAL CRYPTOGRAPHIC KEYING VARIABLE MANAGEMENT", IEEE TRANSACTIONS ON COMMUNICATIONS, IEEE SERVICE CENTER, PISCATAWAY, NJ, US, vol. 43, no. 1, January 1995 (1995-01-01), pages 3 - 6, XP000487370, ISSN: 0090-6778 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2154814A1 (en) * 2008-08-14 2010-02-17 Koninklijke Philips Electronics N.V. Scalable key distribution
WO2010018493A1 (en) 2008-08-14 2010-02-18 Koninklijke Philips Electronics N.V. Cryptographic secret key distribution
JP2011530924A (en) * 2008-08-14 2011-12-22 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Cryptographic private key distribution
US8542828B2 (en) 2008-08-14 2013-09-24 Koninklijke Philips N.V. Cryptographic secret key distribution
JP2016174419A (en) * 2008-08-14 2016-09-29 コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. Distribution of encryption secret key
CN102132520B (en) * 2008-08-14 2017-04-19 皇家飞利浦电子股份有限公司 cryptographic secret key distribution
CN104219252A (en) * 2014-09-28 2014-12-17 东南大学 Coding error correction based secret key forward direction consistency calibration method

Similar Documents

Publication Publication Date Title
Hamamreh et al. Classifications and applications of physical layer security techniques for confidentiality: A comprehensive survey
Shehadeh et al. A survey on secret key generation mechanisms on the physical layer in wireless networks
Jorswieck et al. Broadcasting into the uncertainty: Authentication and confidentiality by physical-layer processing
Mukherjee et al. Principles of physical layer security in multiuser wireless networks: A survey
US11483704B2 (en) Physical layer secure communication against an eavesdropper with arbitrary number of eavesdropping antennas
Güvenkaya et al. On physical-layer concepts and metrics in secure signal transmission
Kang et al. A survey of security mechanisms with direct sequence spread spectrum signals
Lee et al. Secure index and data symbol modulation for OFDM-IM
CN111082933B (en) Multi-user physical layer safety communication method capable of resisting any plurality of cooperation eavesdroppers
CN114124186B (en) Multi-antenna wireless covert communication cooperative optimization method
US10735963B1 (en) Wireless communication method for secure side-channel signaling and authentication at the physical layer
Furqan et al. Adaptive OFDM‐IM for enhancing physical layer security and spectral efficiency of future wireless networks
Bang et al. Secure modulation based on constellation mapping obfuscation in OFDM based TDD systems
Ma et al. Physical layer security design for FDD IM-OTFS transmissions based on secure mapping
Zhang et al. Impact of imperfect angle estimation on spatial and directional modulation
Reşat et al. Improving physical layer security in Alamouti OFDM systems with subcarrier coordinate interleaving
Li et al. A distributed differentially encoded OFDM scheme for asynchronous cooperative systems with low probability of interception
Yusuf et al. Enhancing physical-layer security in wireless communications using signal space diversity
Chen et al. Enhancing communication resilience through fluid antenna index modulation
Tang et al. Secure multiple-mode OFDM with index modulation
CN110719126B (en) A covert communication method suitable for MIMO communication system
WO2007031089A1 (en) A method for secure communication in a wireless communication system
Wen et al. Framework for MIMO cross-layer secure communication based on STBC
Yao et al. A hybrid multi-domain index modulation for covert communication
CN111404587A (en) A method for acquiring symmetric channel characteristics of multi-user MIMO based on conjugate precoding

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06775994

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载