Professional Documents
Culture Documents
Manuscript Draft
Title: MuGKeG: Secure Multi-channel Group Key Generation Algorithm for Wireless Networks
Order of Authors: Naumana Ayub, MS-EE`; Mamoon Raja; Saad Saleh, MS-EE; Muhammad U Ilyas, PhD
Title: MuGKeG: Secure Multi-channel Group Key Generation Algorithm for Wireless Networks
1. Naumana Ayub
Department of Electrical and Electronic Engineering,
School of Mathematics, Computer Science and Engineering, City University London, UK
Email: naumana.ayub.1@city.ac.uk
2. Mamoon Raja
Department of Computer Science, Tufts University, Medford, Massachusetts-02155, US
Email: mamoon.raja@tufts.edu
4. Muhammad U. Ilyas
School of Electrical Engineering and Computer Science (SEECS),
National University of Sciences and Technology (NUST),
Sector: H-12, Islamabad-44000, Pakistan.
Email: usman.ilyas@seecs.edu.pk
Disclaimer: I, Saad Saleh, as corresponding author of this paper, certify on behalf of all co-authors that
the paper is novel (unpublished) and has not been submitted for publication anywhere else. It will not
be submitted to a different journal until a decision has been made by Journal of Computers and
Electrical Engineering.
[1]
Ph: +92-344-5188421, Permanent (Postal) Address: House-5, Street-11, Sector-F, DHA-2, Islamabad.
*Manuscript
Click here to view linked References
Abstract
Preprint submitted to Journal of Computers and Electrical Engineering October 20, 2014
1. Introduction
2
locations and channel conditions. The basic idea is to “overwhelm” the eaves-
dropper(s) by concurrently transmitting random sequences over more channels
at the same time than there are eavesdroppers. Our proposed approach does
not require any artificial / controlled jamming and is capable of key generation
for millions of nodes in any wireless network. The efficacy of the proposed al-
gorithm drops significantly when the number of eavesdroppers increases beyond
the number of channels.
1.4. Results
An analytical model is developed for the entropy of the group key generated
by the Secure MuGKeG algorithm and verified by simulations. Our model
keeps a track of the number of bits that remain unknown to the eavesdroppers.
We used the network simulator-3 (ns-3) platform [12] for generating simulation
results. Our findings show that MuGKeG provides upto 76 kbps secrecy rate
for a key size of 256 bits for IEEE 802.11b radio. Moreover, unlike the previous
strategies, key size for MuGKeG is highly scalable. We show that MuGKeG
provides reasonable transmissions depending upon the number of nodes and
transmission rounds per node only.
1.5. Contributions
1. An algorithm that creates a shared group key among at least three nodes.
2. An analytic derivation of the entropy of the shared secret for general
problem settings.
3. Verification of the shared group secret generation algorithm by simulating
a wireless sensor network with an IEEE 802.11b PHY / MAC using the
ns-3 platform.
3
model, including the attacker model. Section 4 describes the proposed group
key generation algorithm using a base case of three nodes and an eavesdropper.
Section 5 presents the possible attack strategies for the eavesdropper. Section 6
presents a generalized group key generation algorithm and presents the scaling
of MuGKeG for large number of channels and nodes. Section 7 gives an ana-
lytical derivation of the entropy of the group key. Section 8 shows the results
of multiple ns-3 simulations of the group key generation algorithm. Section 9
lists the limitation of MuGKeG algorithm. Section 10 presents a comparison of
MuGKeG’s performance with previous schemes. Finally, Section 11 concludes
the paper.
2. Related Work
Many previous works such as Jana et al. [3], Croft et al. [4], and Wang et
al. [5] used errors inherent in wireless channels between communicating nodes
to generate shared secret keys. However, the efficiency of all these methods
depends solely on variations in channel conditions. On more static channels,
the entropy of shared keys is low, which makes it relatively easier for Eve to
‘guess’ the correct key. Xiao et al. [13] proposed an approach that exploits the
frames transmitted only once between legitimate nodes for secret generation, but
stops short of determining the entropy of shared keys created by this method.
Another group of approaches are classified as cooperative jamming methods.
Sankararaman et al. [10] describe a cooperative jamming technique for RFID
systems to secure communication between RFID reader and transponder (RFID
tag) in a warehouse. Dong et al. [11] employed relay nodes for achieving secure
communication. Vasudevan et al. [7] used artificial noise to counter eavesdrop-
pers. The principal disadvantage of all these schemes is the requirement of
additional nodes.
Among the techniques that do not depend on channel variations is the chan-
nel hopping method employed by Zan and Gruteser [14]. However, the proba-
bility of two nodes listening to the same channel at the same time is very small
4
and becomes smaller with increasing number of channels. There is also a signif-
icant cost in terms of number of transmissions per unit bit of key entropy. Tsai
et al. [15] used sequences of random bits to generate keys but this approach
only applies to storage bound adversaries which is usually not the case. Miller
and Vaidya [16] exploited channel diversity for secret key generation but their
approach requires a trusted third party to pre-load keys in each node’s memory
as a pre-requisite requirement. Basilico et al. [17] utilized non-cooperative game
theory approach to identify malacious nodes. However, their technique requires
extra nodes and verifiers to perform verifiable multilateration calculations to
locate the attacker.
Cooperative jamming also falls in the category of techniques in which key
generation is independent of channel variations. Arora and Sang [6] used jam-
ming to generate secret key. However, jamming is carried out by the receiver
here, instead of collegial nodes. In iJam [8], Gollakota and Katabi used the
same technique discussed by Arora and Sang [6] but adapted it for orthogonal
frequency division multiplexing (OFDM). iJam is specifically designed to work
on links using OFDM on the physical layer. Otherwise eavesdroppers may be
able to distinguish between jammed and clear signals. Safaka et al. [9] proposed
a more general approach, independent of the physical layer and applicable in
a broad range of wireless systems. However, it requires sufficient noise in the
channel to make eavesdropper miss some of the packets transmitted between
communicating nodes. Safaka et al. [18] further improved on their earlier tech-
nique in [9] by making it independent of the eavesdropper’s location.
Recently, Zhu et al. [19] have utilized received signal strength indication for
key extraction in vehicular networks. Their technique addresses the problem of
securing the link between two moving vehicles and depends on channel dynamics.
In another study [20], Hu et al. proposed a key generation scheme named as
ordered physiological feature based key agreement (OPFKA). Overlap among
the physiological signal features is used to generate key among sensor and is only
applicable in body area networks. In [21], Liu et al. used the key extraction
method by using channel state information obtained from OFDM subcarriers.
5
However, it is physical layer technology dependent, especially not suitable for
wireless networks with power constraints.
It should be noted that majority of the above mentioned techniques assumed
or made an effort to ensure that the eavesdropper’s channel conditions are worse
than the channel between communicating nodes.
3. System Model
4. Proposed Algorithm
6
Three nodes, Alice, Bob and Calvin want to establish secure communications
amongst themselves and generate a secret group key. Also present is a user Eve
who is eavesdropping on transmissions between Alice, Bob and Calvin. As we
mentioned previously in Section 3.1, Eve may receive transmissions with even
fewer errors than the actual intended recipient of a transmission. Alice, Bob and
Calvin will securely generate a secret group key using a two-phase algorithm in
six stages as shown in Appendix Fig. A.6.
7
Table 1: Information sharing between Alice, Bob and Calvin during Phase I and information
eavesdropped by Eve.
KAC KBC K0 K0
1 [KAC ] [KBC ] [ 2 , 2 ] [ AC
2 , BC
2 ] [KAC ]
KAB KCB K0 K0
2 [KAB ] [ 2 , 2 ] [KCB ] [ AB
2 , CB
2 ] [KAB ]
K K K0 K0
3 [ BA
2 , CA
2 ] [KBA ] [KCA ] [ BA
2 , CA
2 ] [KCA ]
K0 K0 K0
Aggre. [KAC , KAB , [KBC , KBA , [KCB , KCA , [ AC , BC , AB , [KAC , KAB ,
2 2 2
8
have a separate key to encrypt and decrypt transmissions to and from each of
its neighbors.
Alice, Bob and Calvin each generate long sequences SA , SB and SC , re-
spectively. Alice uses pairwise symmetric keys [ KAB KBA KAC KCA
2 , 2 ] and [ 2 , 2 ] to
encrypt and transmit SA to Bob and Calvin, respectively. Similarly, Bob uses
pairwise symmetric keys [ KBC KCB KAB KBA
2 , 2 ] and [ 2 , 2 ] to encrypt and transmit
spectively. After these exchanges Alice, Bob and Calvin will all be in possession
of sequences SA , SB and SC . The sum of entropies of these three sequences is
the entropy of the shared group secret. Similar to Phase I, the concatenated
sequences [SA SB SC ] are passed to a hash function that returns a new bit string
that is used as a symmetric group key GKA,B,C shared between Alice, Bob and
Calvin.
Now we consider Phase I from Eve’s perspective and consider two different
attack strategies. We call the first strategy the random strategy, denoted by Eve
(rand) and Er in Tab-1. When Eve follows this strategy it also follows a random
switching schedule in the hope of selecting a schedule that will match that of the
receiver. This means that during stage one, Eve will also receive approximately
half the transmissions made by Alice and half the transmissions made by Bob.
0 0
KAC KBC
The sequences overheard by Eve are denoted by 2 and 2 and may or may
not be identical to the ones received by Calvin. If the number of rounds R in
each stage is sufficiently large, the probability that Eve’s received sequences will
match those of Calvin will progressively decrease with higher values of R. As
can be seen from Tab-1, the aggregate information obtained by Eve at the end
9
of the third stage will most likely not be enough for it to compromise any of the
three pairwise links.
An alternative strategy that Eve may adopt is called the fixed strategy de-
noted by Eve (fixed) Ef . When it uses the fixed strategy, Eve chooses one of
the two channels in use during a stage and listens to all transmissions on it.
While the entropy of the sequences overheard by Eve using either strategy is
the same, there is a qualitative difference between what can be achieved with
the eavesdropped sequences. The result of deploying the fixed strategy on the
information eavesdropped by Eve is shown in the last column of Tab-1. We
also assume that Eve is able to eavesdrop on the channel switching schedule
vectors communicated by receiving users at the end of each stage. However,
unlike in the random strategy, when Eve adopts the fixed strategy it is able to
breach one of the three links. In the example depicted in Appendix Fig. A.6
and Tab-1, Eve will be able to reconstruct the pairwise key between Alice and
Calvin. Thus, if Eve adopts the fixed strategy it will be able to compromise at
most one of the three links between Alice, Bob and Calvin.
When following the random strategy, Eve is unlikely to breach and eavesdrop
on any of the encrypted communications progressing in Phase II. However, if
Eve follows the fixed strategy Eve may be able to compromise one out of three
links (see Appendix Fig. A.6). In this example that is the link between Alice and
Calvin. This may become possible if the set of packets on the channel between
Alice and Eve’s are a subset of the packets between the Alice and Calvin in that
stage, and the same also needs to be true for the stage when Calvin transmits
and Alice receives. Together with the information Eve overhears in the channel
switching schedules of Alice and Calvin, Eve is now able to reconstruct KAC
and KCA . That means, Eve will be able to eavesdrop on all communications
between Alice and Calvin (SA and SC ) that are encrypted using these symmetric
keys. Note, however, that sequence SB remains unknown to Eve because each
time its transmission is encrypted using keys [ KBC KCB KAB KBA
2 , 2 ] or [ 2 , 2 ], both
10
of which are unknown to Eve. This way, when Alice, Bob and Calvin create
GKA,B,C , one of the three sequences SA , SB and SC will be unknown to Eve.
Therefore, the entropy of the group secret is limited by the length / entropy of
one of the sequences SA / SB / SC .
We now expand the MuGKeG algorithm to the case of a group of more than
N ≥ 3 users with C channels where C ≥ N − 1. The generalized algorithm is
described in Alg. 1 and Alg. 2 in Appendix.
As before, the algorithm is structured into two Phases. In Alg. 1, phase-I
of MuGKeG occurs by transmission of all N nodes to all receiver nodes one by
one through all C channels. Transmitted streams from every node follow an R
rounds process so that there is a minimum chance of getting same receptions by
Eavesdropper following a random strategy. At end of Phase-I, all nodes bear a
unique set of keys between all other nodes.
In Alg. 2, phase-II of group key generation occurs by transmission of N
sequences using respective key encryption between pair of nodes. At the end of
phase-II, every node generates the unique key using a hash function from the
combination of N sequences. A single application of the MuGKeG algorithm
can be used to establish a shared secret between at most as many nodes as there
are available channels.
11
6.2. Scaling Up MuGKeG for Large Groups of Nodes
One of the major advantage of MuGKeG is its application for large network
containing thousands or millions of nodes in the wireless network. In this sub-
section, we firstly present a base case (with 9 nodes) and then a generalized case
for scaling MuGKeG for large number of nodes. We show that the MuGKeG
algorithm can be applied repeatedly to include successively more nodes.
Fig. 1 presents a base case of nine nodes N 1 − N 9 with multiple passive
attackers. Each node is equipped with IEEE 802.11b radio with atleast two
channels used for group key generation. Based upon the MuGKeG algorithm,
three groups of nodes (N 1 − N 3, N 4 − N 6 and N 7 − N 9) each comprising of
three nodes are formed in the network as shown in Fig. 1. After the individual
key generation inside the three group of nodes, nodes N 3, N 6 and N 9 make a
cluster to generate a group key inside this cluster. Hence, after two iterations
of MuGKeG algorithm, all nodes bear a secret group key.
N1 N2
N3
N5 N6 N9 N8
N4 N7
For generalization, let us assume that every node has C channels available in-
side a million node network. Based upon the number of eavesdroppers (depend-
ing upon the system’s vulnerability), a maximum of N nodes with N ≤ C + 1
can participate in the first application of the MuGKeG algorithm. At the end
the N nodes will share a shared secret that can be used to generate a group
key. Next, each of these nodes will create a new group of N nodes with secure
12
communication channels between them. This will add another N × (N − 1)
nodes to the N securely communicating nodes, bringing the total to N 2 . After
i steps, this will grow the number of nodes communicating securely to N i . After
j iterations, N j can cover millions of nodes in any network.
7.1. Phase I
13
R r
pR (r) = p × pR−r
r s f
R N −i−1
h i
= (1 − ΠMi=1 {1 − (1 − T x,Rx )(1 − T x,i )} )r
r N −i (2)
N −i−1
h i
M
× (Πi=1 {1 − (1 − T x,Rx )(1 − T x,i )} )R−r
N −i
h(1)
(1)
pH (1) h = pR R−
B (3)
Fig. 2 shows the PMF of entropy H (1) for vary number of bits (b) with 10,
20, 30 and 40 rounds, respectively. Trends of entropy show that small number of
rounds require small number of bits to produce large entropy while large number
of rounds require large number of bits for large entropy. Probability with which
Eve can listen to a particular channel is 0.5 in case of three nodes, which implies
that the probability of entropy will have a maxima when it intercepts half of
the shared info and a minimum value when it listens the complete shared info.
Pairwise Key-level: The shared, pairwise key between any two nodes
i and j of the N nodes has entropy denoted HP K (i, j) and is given in Eq.
4. Since the pairwise key is a shared key between nodes i and j, therefore,
HP K (i, j) = HP K (j, i).
H (1)
HP K (i, j) = 2 ×
N −1 (4)
14
0.4
R = 10
R = 20
0.2
0.1
0
0 1 2 3 4 5 6 7
Total bits for R rounds (B) x 10
5
Figure 2: PMF of entropy (H (1) ) with different rounds (R) for varying number of bits for all
rounds (B).
7.2. Phase II
In the second phase, the pairwise keys are used for encrypting communica-
tions between the pair of nodes that share the key. The sequence Si shared by
node i with node j, one of its N − 1 peers, is encrypted using HP K (i, j). The
entropy HGK of the shared group key depends on two things:
(rand)
HGK = N × HS
(5)
15
(f ixed)
HGK = (N − M − 1) × HS
(6)
8. ns-3 Simulations
Parameter Value
16
8.1. Entropy of Pairwise Keys
For the base case the number of nodes N was set to three and number
of rounds R in Phase I exchanged during each stage was set to 10. During
each round, the number of bits b transmitted is set to 2312. Here we provide
a comparison between our simulation results and the analytical model of the
MuGKeG algorithm. Fig. 3 plots the PMF of the entropy HP K of pairwise keys
against different values of pairwise key entropies for N = 3 and one eavesdropper
(M = 1), for the case when Eve employs the random channel switching strategy.
0.35
N=3,M=1,Analytical
0.3 N=3,M=1,Simulated
0.25
PMF of HPK
0.2
0.15
0.1
0.05
0
0 10 20 30 40 50
Entropy of Pairwise Key (HPK)
Figure 3: Comparison of PMF of entropy of intercepted pairwise key at Eve (ns-3 simulation)
for N = 3. This is plotted against the PMF entropy predicted by our analytical model.
17
6
x 10
1.5
Entropy H (1)
1
Error Rate = 5%
0.5 Error Rate = 10%
Error Rate = 20%
0
100 150 200 250 300 350
Number of Rounds (R)
Figure 4: Scatter plot of entropy H (1) vs number of rounds at various packet loss rates.
We now separately analyze the entropy of the group key that is obtained
by concatenating sequences SA , SB and SC for the base case in Section 4.
Fig. 5 plots the PMF of the entropy of the group key for the base case with
a group of N = 3 nodes trying to establish a group key in the presence of
M = 1 eavesdropper. PMF predicted by the analytical model as well as the one
obtained by simulations follow the basic trends with minor variations.
0.2
N=3,M=1,Analytical
N=3,M=1,Simulated
0.15
PMF of HGK
0.1
0.05
0
0 50 100 150
Entropy of Group Key (HGK)
Figure 5: Comparison of PMF of entropy of intercepted group key at Eve (ns-3 simulation)
for N = 3. This is plotted against the PMF entropy predicted by our analytical model.
18
9. Limitations
For a group of three nodes, MuGKeG requires atleast two wireless channels
simultaneously. Absence of atleast two channels can hinder the algorithm from
its working and it can also make the system vulnerable to eavesdropper. More-
over, error free communication occurs only for two non-overlapping channels
otherwise key generation is not only vulnerable but also time-consuming due to
retransmissions.
19
10. Discussion
Technique Zan and Gruteser [14] IJam [8] Safaka et al. [9] Safaka et al. [18] MuGKeG
Performance Parameters Key generation time BER Eve’s C.E* + Ef.**Eve’s C.E* + Ef.**Eve’s C.E* + Ef.**
Jamming No Yes No No No
* Conditional Entropy (C.E). ** Efficiency (Ef) = Key Size (bits) / Transmission Size (bits) *** P = Pkts per round
20
11. Conclusions
This paper presents the MuGKeG algorithm to create a shared group key
among a group of N wireless nodes. Repeated applications of the MuGKeG
algorithm to different sets of nodes can be used to scale up the size of the group
of nodes communicating securely. The time required to include a total of T
nodes can be achieved in logN T times the time required to run one iteration of
the MuGKeG on a single set of N nodes. The MuGKeG algorithm is able to
generate a group key even in the presence of large number of nodes (greater than
the number of available channels) and can scale up to use all available channels
for a given number of nodes. The MuGKeG algorithm makes no assumptions
and places on pre-conditions on the channel conditions or positions of the eaves-
droppers. The MuGKeG algorithm is scalable in the sense that it can be used
in any group of three or more wireless nodes and is able to guarantee security
as long as both the following conditions hold true:
21
12. Bibliography
[1] S. Singh, The code book: The science of secrecy from ancient egypt to
quantum cryptography. anchor books, EDICION, ISBN 744962333.
[2] T. A. PRESS, TJX Says Theft of Credit Data Involved 45.7 Million Cards,
The New York Times.
[5] Q. Wang, H. Su, K. Ren, K. Kim, Fast and scable secret key generation
exploiting channel phase randomness in wireless networks, in: Proceed-
ings of the IEEE International Conference on Computer Communications
(INFOCOM), 2011.
[6] A. Arora, L. Sang, Dialog codes for secure wireless communications, in:
Proceedings of the IPSN Conference, 2009.
[8] S. Gollakota, D. Katabi, Physical layer wireless security made fast and
channel independent, in: Proceedings of the IEEE International Conference
on Computer Communications (INFOCOM), 2011.
22
[10] S. Sankararaman, K. Abu-Affash, A. Efrat, S. D. Eriksson-Bique, V. Pol-
ishchuk, S. Ramasubramanian, M. Segal, Optimization schemes for pro-
tective jamming, in: Proceedings of the ACM international symposium on
Mobile Ad Hoc Networking and Computing, 2012, pp. 65–74.
[14] B. Zan, M. Gruteser, Random channel hopping schemes for key agreement
in wireless networks, in: IEEE International Symposium on Personal, In-
door and Mobile Radio Communincations, 2009.
[15] S.-C. Tsai, W.-G. Tzeng, K.-Y. Zhou, Key establishment schemes against
storage-bounded adversaries in wireless sensor networks, in: IEEE Trans-
actions on Wireless Communications, 2009.
[17] N. Basilico, N. Gatti, M. Monga, S. Sicari, Security games for node localiza-
tion through verifiable multilateration, IEEE Transactions on Dependable
and Secure Computing 11 (1) (2014) 72–85.
23
[19] X. Zhu, F. Xu, E. Novak, C. C. Tan, Q. Li, G. Chen, Extracting secret
key from wireless link dynamics in vehicular environments, in: Proceed-
ings of the IEEE International Conference on Computer Communications
(INFOCOM), IEEE, 2013, pp. 2283–2291.
[21] H. Liu, Y. Wang, J. Yang, Y. Chen, Fast and practical secret key extraction
by exploiting channel response, in: Proceedings of the IEEE International
Conference on Computer Communications (INFOCOM), 2013, pp. 3048–
3056.
24
Appendix A. Flow Chart and Algorithms for MuGKeG
Tx Phase I Rx
A R 3 2 1
C [KAC/2, KBC/2]
Stage 1
CA
KAC 1
2
3 Er [KAC'/2, KBC'/2]
KBC
R CB
B Ef [KAC]
A R
CA
3 2 1 B [KAB/2, KCB/2]
Stage 2
KAB 1
2 [KAB'/2, KCB'/2]
3 Er
KCB
R CC
C Ef [KAB]
B R
CB
3 2 1 A [KBA/2, KCA/2]
Stage 3
KBA 1
2
3 Er [KBA'/2, KCA'/2]
KCA
R CC
C Ef [KCA]
Tx Phase II Rx
Stage 4
SA
A [KAB,KBA]/2 B
Compromised
SA [KAC,K
CA]/2
SA
C
Link
B A SB
Stage 5
[KAB,KBA]/2
SB [KBC,K
CB]/2
Ef
C SB
Compromised
Link
C [KCA,KAC]/2 A
Stage 6
SC
SC [KCB,KB
C]/2
B SC
Figure A.6: Flow chart for MuGKeG for base case description between Alice (A), Bob (B),
Calvin (C), Eve-fixed (Ef ) and Eve-random (Er ).
25
Algorithm 1 Multi-channel Secure Group Key Generation
Ensure: Every node n is assigned a home channel Cn
1: PHASE I:
2: for Stage n = [1..N ] do
3: Vn = [ ]
4: for Node m = [1..N ] do
5: for Round r = [1..R] do
6: Node n initializes Rm [r] := [ ]
7: end for
8: end for
9: for Node m = [1..N ], m 6= n do
10: Node m initializes Tm := [ ]
11: end for
12: for Round r = [1..R] do
13: Node n randomly picks a number from {{1, 2, . . . , N } − {n}} and stores it in Vn [r].
14: Node n switches to channel ChVn [r] to receive.
15: Nodes {{1, 2, . . . , N }−{n}} generate, save and simultaneously transmit b bit random
sequences Tm [r] on respective home channels.
16: Node n stores received b bit transmission as P .
17: if P passes CRC then
18: Rn [r] := P
19: else
20: Vn [r] := 0
21: end if
22: end for
23: Transmit vector Vn to nodes {{1, 2, . . . , N } − {n}}.
24: end for
25: for Node n = [1..N ] do
26: for Node m = [1..N ], m 6= n do
27: Node n creates shared key P Kn,m = [Rn [Index(Vn == m)]Tn [Index(Vm == n)]].
28: end for
29: end for
26
Algorithm 2 Multi-channel Secure Group Key Generation
Ensure: Every node n is assigned a home channel Cn
1: PHASE II:
2: for n = [1..N ] do
3: Node n selects a random sequence Sn .
4: for m = [1..N ], m 6= n do
5: Node n encrypts Sn using pairwise key P Kn,m .
6: Node n transmits encrypted message P Kn,m (Sn ) to m.
7: end for
8: end for
9: for n = [1..N ] do
10: Create shared Group key GK by concatenating GK := [S1 S2 ..SN ].
11: end for
27