skip to main content

Title: Evaluation of Physical Layer Secret Key Generation for IoT Devices
As aspects of our daily lives become more interconnected with the emergence of the Internet of Things (IoT), it is imperative that our devices are reliable and secure from threats. Vulnerabilities of Wi-Fi Protected Access (WPA/WPA2) have been exposed in the past, motivating the use of multiple security techniques, even with the release of WPA3. Physical layer security leverages existing components of communication systems to enable methods of protecting devices that are well-suited for IoT applications. In this work, we provide a low-complexity technique for generating secret keys at the Physical layer to enable improved IoT security. We leverage the existing carrier frequency offset (CFO) and channel estimation components of Orthogonal Frequency Division Multiplexing (OFDM) receivers for an efficient approach. The key generation algorithm we propose focuses on the unique CFO and channel experienced between a pair of desired nodes, and to the best of our understanding, the combination of the features has not been examined previously for the purpose of secret key generation. Our techniques are appropriate for IoT devices, as they do not require extensive processing capabilities and are based on second order statistics. We obtain experimental results using USRP N210 software defined radios and analyze the performance more » of our methods in post-processing. Our techniques improve the capability of desired nodes to establish matching secret keys, while hindering the threat of an eavesdropper, and are useful for protecting future IoT devices. « less
Authors:
; ; ;
Award ID(s):
1816387 1723606 1717088
Publication Date:
NSF-PAR ID:
10118765
Journal Name:
2019 IEEE 20th Wireless and Microwave Technology Conference (WAMICON)
Page Range or eLocation-ID:
1 to 6
Sponsoring Org:
National Science Foundation
More Like this
  1. Our everyday lives are impacted by the widespread adoption of wireless communication systems integral to residential, industrial, and commercial settings. Devices must be secure and reliable to support the emergence of large scale heterogeneous networks. Higher layer encryption techniques such as Wi-Fi Protected Access (WPA/WPA2) are vulnerable to threats, including even the latest WPA3 release. Physical layer security leverages existing components of the physical or PHY layer to provide a low-complexity solution appropriate for wireless devices. This work presents a PHY layer encryption technique based on frequency induction for Orthogonal Frequency Division Multiplexing (OFDM) signals to increase security against eavesdroppers. The secure transceiver consists of a key to frequency shift mapper, encryption module, and modified synchronizer for decryption. The system has been implemented on a Virtex-7 FPGA. The additional hardware overhead incurred on the Virtex-7 for both the transmitter and the receiver is low. Both simulation and hardware evaluation results demonstrate that the proposed system is capable of providing secure communication from an eavesdropper with no decrease in performance as compared with the baseline case of a standard OFDM transceiver. The techniques developed in this paper provide greater security to OFDM-based wireless communication systems.
  2. Post-quantum schemes are expected to replace existing public-key schemes within a decade in billions of devices. To facilitate the transition, the US National Institute for Standards and Technology (NIST) is running a standardization process. Multivariate signatures is one of the main categories in NIST's post-quantum cryptography competition. Among the four candidates in this category, the LUOV and Rainbow schemes are based on the Oil and Vinegar scheme, first introduced in 1997 which has withstood over two decades of cryptanalysis. Beyond mathematical security and efficiency, security against side-channel attacks is a major concern in the competition. The current sentiment is that post-quantum schemes may be more resistant to fault-injection attacks due to their large key sizes and the lack of algebraic structure. We show that this is not true. We introduce a novel hybrid attack, QuantumHammer, and demonstrate it on the constant-time implementation of LUOV currently in Round 2 of the NIST post-quantum competition. The QuantumHammer attack is a combination of two attacks, a bit-tracing attack enabled via Rowhammer fault injection and a divide and conquer attack that uses bit-tracing as an oracle. Using bit-tracing, an attacker with access to faulty signatures collected using Rowhammer attack, can recover secret key bitsmore »albeit slowly. We employ a divide and conquer attack which exploits the structure in the key generation part of LUOV and solves the system of equations for the secret key more efficiently with few key bits recovered via bit-tracing. We have demonstrated the first successful in-the-wild attack on LUOV recovering all 11K key bits with less than 4 hours of an active Rowhammer attack. The post-processing part is highly parallel and thus can be trivially sped up using modest resources. QuantumHammer does not make any unrealistic assumptions, only requires software co-location (no physical access), and therefore can be used to target shared cloud servers or in other sandboxed environments.« less
  3. A secret key generation scheme is proposed for generating keys to be used for one-time pad encryption. This type of encryption is suitable for e.g., short packet communication in distributed inference in IoT. The scheme exploits the phase of the channel fading coefficient in a Rayleigh fading channel to extract highly correlated key bits at two legitimate parties. Compared to other existing methods, the proposed scheme trades off higher bit error probabilities in the keys for lower error correction communication requirements. The bit error of generated keys is characterized via an approximate upper bound, which is shown to be fairly tight for reasonable signal-to-noise ratios.
  4. Motivated by the rise of quantum computers, existing public-key cryptosystems are expected to be replaced by post-quantum schemes in the next decade in billions of devices. To facilitate the transition, NIST is running a standardization process which is currently in its final Round. Only three digital signature schemes are left in the competition, among which Dilithium and Falcon are the ones based on lattices. Besides security and performance, significant attention has been given to resistance against implementation attacks that target side-channel leakage or fault injection response. Classical fault attacks on signature schemes make use of pairs of faulty and correct signatures to recover the secret key which only works on deterministic schemes. To counter such attacks, Dilithium offers a randomized version which makes each signature unique, even when signing identical messages. In this work, we introduce a novel Signature Correction Attack which not only applies to the deterministic version but also to the randomized version of Dilithium and is effective even on constant-time implementations using AVX2 instructions. The Signature Correction Attack exploits the mathematical structure of Dilithium to recover the secret key bits by using faulty signatures and the public-key. It can work for any fault mechanism which can inducemore »single bit-flips. For demonstration, we are using Rowhammer induced faults. Thus, our attack does not require any physical access or special privileges, and hence could be also implemented on shared cloud servers. Using Rowhammer attack, we inject bit flips into the secret key s1 of Dilithium, which results in incorrect signatures being generated by the signing algorithm. Since we can find the correct signature using our Signature Correction algorithm, we can use the difference between the correct and incorrect signatures to infer the location and value of the flipped bit without needing a correct and faulty pair. To quantify the reduction in the security level, we perform a thorough classical and quantum security analysis of Dilithium and successfully recover 1,851 bits out of 3,072 bits of secret key $s_{1}$ for security level 2. Fully recovered bits are used to reduce the dimension of the lattice whereas partially recovered coefficients are used to to reduce the norm of the secret key coefficients. Further analysis for both primal and dual attacks shows that the lattice strength against quantum attackers is reduced from 2128 to 281 while the strength against classical attackers is reduced from 2141 to 289. Hence, the Signature Correction Attack may be employed to achieve a practical attack on Dilithium (security level 2) as proposed in Round 3 of the NIST post-quantum standardization process.« less
  5. Trusted Platform Module (TPM) serves as a hardwarebased root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we perform a black-box timing analysis of TPM 2.0 devices deployed on commodity computers. Our analysis reveals that some of these devices feature secret-dependent execution times during signature generation based on elliptic curves. In particular, we discovered timing leakage on an Intel firmwarebased TPM as well as a hardware TPM. We show how this information allows an attacker to apply lattice techniques to recover 256-bit private keys for ECDSA and ECSchnorr signatures. On Intel fTPM, our key recovery succeeds after about 1,300 observations and in less than two minutes. Similarly, we extract the private ECDSA key from a hardware TPM manufactured by STMicroelectronics, which is certified at Common Criteria (CC) EAL 4+, after fewer than 40,000 observations. We further highlight the impact of these vulnerabilities by demonstrating a remote attack against a StrongSwan IPsec VPN that uses a TPM to generate the digital signatures for authentication. In this attack, the remote client recovers the server’s private authentication key by timing only 45,000 authentication handshakes via a network connection. The vulnerabilities we have uncovered emphasize the difficultymore »of correctly implementing known constant-time techniques, and show the importance of evolutionary testing and transparent evaluation of cryptographic implementations. Even certified devices that claim resistance against attacks require additional scrutiny by the community and industry, as we learn more about these attacks.« less