1. Fingerprints in the Ether: Using the Physical Layer for Wireless Authentication L. Xiao, L. Greenstein, N. Mandayam, W. Trappe ICC 2007 Glasgow, Scotland This work is supported in part by NSF grant CNS-0626439

2. Outline • Motivation & Main Idea • System Model & Hypothesis Test • Simulation & Results • Conclusion & Future Work

3. Motivation • Wireless networks more “exposed” to security problems: • Spoofing attacks • Passive eavesdropping • DoS attacks • And more…

4. Main Idea: Fingerprints in the Ether • “Fingerprints”: Distinguishes channel responses of different paths to enhance authentication • Other examples that benefit from multipath fading: • CDMA: Rake processing that transforms multipath into a diversity-enhancing benefit • MIMO: Transforms scatter-induced Rayleigh fading into a capacity-enhancing benefit

5. Typical indoor wireless channel is a frequency selective channel with spatial variability The channel response can be hard to predict and to spoof Main Idea: Fingerprints in the Ether

6. Narrow Pulse • Pilot Tones PHY-Authentication Scenario TIME: 0 Bob estimates channel response HAB from Alice at time 0 Bob HAB Alice Probe Signal u(.)

7. PHY-Authentication Scenario (Cont.) TIME: t Case 1: Alice is still transmitting. Bob estimates Ht at time t, and compares with HAB Bob Ht = HAB Eve Alice Probe Signal Desired result: Bob accepts the transmission.

8. PHY-Authentication Scenario (Cont.) Case 2: Eve is transmitting, pretending to be Alice. TIME: t Bob estimates Ht at time t, and compares with HAB Bob Ht = HEB Probe Signal Alice Eve Desired result: Bob rejects the transmission.

9. Measurement result at time 0 Measurement result at time t Receiver Thermal Noise Channel Model • Time-invariant channel (no terminal motion or other changes) • M measurement samples (tones) in the frequency domain with bandwidth W and center frequency f0

10. Hypothesis Testing • Simple Hypothesis H0: H1: • Test Statistic: • Solution for : • Rejection region of H0:

11. iid N(0, ) Real & Imaginary part of Hypothesis Analysis • Null Hypothesis H0: • Alternative Hypothesis H1:

12. Detection Metrics • False Alarm Rate, : • Threshold for given : • Miss Rate, : CDF of chi-square distribution

13. Simulation Scenario • Wireless Indoor environment • Frequency response for any T-R path obtained as FT of the impulse response • Impulse response obtained using the Alcatel-Lucent ray-tracing tool WiSE • Eve in the same room as Alice • 348*347/2=60,378 Alice-Eve pairs in Room #1 • 150*149/2=11,175 Alice-Eve pairs in Room #2

14. Thermal noise density Receiver noise figure Noise power per tone Noise bandwidth per tone Transmit power per tone Transmit power Simulation Assumptions • Default false alarm rate, • Receiver noise power:

15. Average Miss Rate,β (α=0.01) M=5 W = 100 MHz Room # 1

16. Average Miss Rate,β (α=0.01) M=5 W = 100 MHz Room # 2

17. Conclusion & Future Work • We proposed a PHY-layer authentication scheme • Channel frequency response measurement and hypothesis testing are used to discriminate between a legitimate user and a would-be intruder • Verified using a ray-tracing tool (WiSE) for indoor environment • Works well, requiring reasonable values of the measurement bandwidth (e.g., W > 10 MHz), number of response samples (e.g., M≤ 5) and transmit power (e.g., PT ~ 100 mW) • Ongoing and future work • Other buildings • Temporal changes (environment and terminal mobility) • Testing via measurements • Combining with existing higher-layer security protocols

18. Thank you! Questions?