Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Y Lei,DR Chen,ZD Jiang

DOI: https://doi.org/10.1109/aina.2004.1283860

2004-01-01

Abstract:With the explosion of the mobile communication market, more and more handheld devices act as clients in the Internet. People use these devices to purchase books, play games, receive emails, etc. For protecting privacies, such applications should integrate digital signature schemes. Since handheld devices have poor computational capabilities and limited battery life, traditional computation intensive digital signature protocols that are based on asymmetric cryptographic algorithms are not suitable for mobile devices. In this paper we propose a Server Based Signature (SBS) scheme for mobile devices. Besides achieving the same security level of the traditional digital signature protocols, the SBS scheme also: 1) reduces the computation complexity on the mobile devices; 2) reduces the communication consumption between signer and verifier Application results show that our scheme is very useful for mobile communication systems.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Jinxin Zhang,Meng Wu

DOI: https://doi.org/10.3390/s23208497

IF: 3.9

2023-10-17

Sensors

Abstract:The key system serves as a vital foundation for ensuring the security of information systems. In the presence of a large scale of heterogeneous sensors, the use of low-quality keys directly impacts the security of data and user privacy within the sensor network. Therefore, the demand for high-quality keys cannot be underestimated. Random numbers play a fundamental role in the key system, guaranteeing that generated keys possess randomness and unpredictability. To address the issue of random number requirements in multi-sensor network security, this paper introduces a new design approach based on the fusion of chaotic circuits and environmental awareness for the entropy pool. By analyzing potential random source events in the sensor network, a high-quality entropy pool construction is devised. This construction utilizes chaotic circuits and sensor device awareness technology to extract genuinely random events from nature, forming a heterogeneous fusion of a high-quality entropy pool scheme. Comparatively, this proposed scheme outperforms traditional random entropy pool design methods, as it can meet the quantity demands of random entropy sources and significantly enhance the quality of entropy sources, ensuring a robust security foundation for multi-sensor networks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yuchen Miao,Chaojie Gu,Zhenyu Yan,Sze Yiu Chau,Rui Tan,Qi Lin,Wen Hu,Shibo He,Jiming Chen

DOI: https://doi.org/10.1145/3596264

2023-01-01

Abstract:Secure device pairing is important to wearables. Existing solutions either degrade usability due to the need of specific actions like shaking, or they lack universality due to the need of dedicated hardware like electrocardiogram sensors. This paper proposes TouchKey, a symmetric key generation scheme that exploits the skin electric potential (SEP) induced by powerline electromagnetic radiation. The SEP is ubiquitously accessible indoors with analog-to-digital converters widely available on Internet of Things devices. Our measurements show that the SEP has high randomness and the SEPs measured at two close locations on the same human body are similar. Extensive experiments show that TouchKey achieves a high key generation rate of 345 bit/s and an average success rate of 99.29%. Under a range of adversary models including active and passive attacks, TouchKey shows a low false acceptance rate of 0.86%, which outperforms existing solutions. Besides, the overall execution time and energy usage are 0.44 s and 2.716 mJ, which make it suitable for resource-constrained devices.

Maryam Mehrnezhad,Ehsan Toreini,Siamak F. Shahandashti,Feng Hao

DOI: https://doi.org/10.1007/s10207-017-0369-x

2017-04-18

Abstract:In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose <a class="link-external link-http" href="http://PINlogger.js" rel="external noopener nofollow">this http URL</a> which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user's PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, <a class="link-external link-http" href="http://PINlogger.js" rel="external noopener nofollow">this http URL</a> is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users' perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.

Cryptography and Security

Larysa Borysova,Odessa I I Mechnikov National University,Olga Kolesnik,Helen Shramko,Odesa Professional College of Trade аnd Economics,,,

DOI: https://doi.org/10.32782/infrastruct68-36

2022-01-01

Market Infrastructure

Abstract:The article discusses biometric technologies, which allow not only to ensure the proper level of security of financial transactions, but also to speed up the process of customer service both in traditional branches and through remote service channels. A few years ago, in order to attract new customers, it was enough for banks to offer them cheaper products and services. Today the situation is rapidly changing, users prefer convenience and reliability. The most common types of biometric data used in the financial sector include facial image, fingerprints, hand geometry and iris pattern. This data can be used to identify customers in online banking, to provide access to financial services on self-service devices and at bank branches, and to gain access to safe deposit boxes. The most popular in the banking sector is two-factor authentication using a PIN code or one-time password and biometrics, which ensures the highest level of data security and access control. The problem of internal fraud and unauthorized access to data through employee accounts is relevant for financial institutions around the world. Also biometrics is able to play an increasingly important role in the global fight against different forms of terrorism, namely in countering fraud, identity theft and other criminal offenses committed by terrorists in order to support their activities. Banks are looking for solutions that can protect their internal data infrastructure and are increasingly opting for biometric technologies. However, of course, biometric technologies’ usage can have more advantages than risks of using. The use of biometric technologies for employee authorization ensures the necessary level of data security and access control to sensitive information, and also provides enough opportunities for monitoring the work of employees of a financial institution. One of the most reliable means of user authentication is biometrics. Biometric data cannot be tampered with, stolen or otherwise used without the knowledge of the bearer. The use of biometric data for authentication on self-service devices provides a high level of security and reduces the time of the transaction, relieves users of the need to carry payment means with them, remember passwords or a PIN code from a card, etc.

Xuping Zhang,Li Qi,Zhiqiang Tang,Yixin Zhang

DOI: https://doi.org/10.1049/el.2014.2870

2014-01-01

Electronics Letters

Abstract:The true random number generator (TRNG) is an invaluable resource for many applications. Present TRNG methods all require specialised and expensive hardware, which are not suitable for personal use. A portable TRNG configuration is proposed, which is simply based on the camera of a commercial smartphone. No other auxiliary equipment except the mobile phone itself was needed, which offers a promising solution for personal encryption applications. With the flash lamp of the camera and the thumb of the operator, quasi-uniform illumination was obtained, setting the image sensor at a working point where the shot noise of the photocurrent dominates the overall characteristics of the sensor output noise. Random bits were first produced according to the shot noise and then entropy enhanced by vector-matrix multiplication. A sequence of 10(9) bits was produced and its randomness has been proved by the National Institute of Standards and Technology (NIST) tests.

Ho Bin Hwang,Jeyeon Lee,Hyeokchan Kwon,Byungho Chung,Jongshill Lee,In Young Kim

DOI: https://doi.org/10.3390/s24051556

IF: 3.9

2024-02-29

Sensors

Abstract:In modern society, the popularity of wearable devices has highlighted the need for data security. Bio-crypto keys (bio-keys), especially in the context of wearable devices, are gaining attention as a next-generation security method. Despite the theoretical advantages of bio-keys, implementing such systems poses practical challenges due to their need for flexibility and convenience. Electrocardiograms (ECGs) have emerged as a potential solution to these issues but face hurdles due to intra-individual variability. This study aims to evaluate the possibility of a stable, flexible, and convenient-to-use bio-key using ECGs. We propose an approach that minimizes biosignal variability using normalization, clustering-based binarization, and the fuzzy extractor, enabling the generation of personalized seeds and offering ease of use. The proposed method achieved a maximum entropy of 0.99 and an authentication accuracy of 95%. This study evaluated various parameter combinations for generating effective bio-keys for personal authentication and proposed the optimal combination. Our research holds potential for security technologies applicable to wearable devices and healthcare systems.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

KULESHOVA ELENA A.,,MARUKHLENKO ANATOLY L.,DOBRITSA VYACHESLAV P.,TANYGIN MAXIM O.,PLUGATAREV ALEXEY V.,,,,

DOI: https://doi.org/10.21672/2074-1707.2021.53.1.062-070

2021-01-01

Abstract:The article is devoted to the development of a linear system for generating a pseudo-random sequence based on cellular automata, the development of a model for several generators of nonlinear pseudo-random sequences with practical applications in symmetric data transformation systems. Such a model generates all solutions to linear binary difference equations. It is important to note that many of these solutions are pseudo-random keystream sequences. In the process of developing a linear system based on cellular automata, two main structures are considered: linear difference equations and one-dimensional linear hybrid cellular automata. This article shows that all solutions to linear binary difference equations can be implemented using linear models based on cellular automata using the "rule 90" and "rule 150". A model for generating pseudo-random bit sequences has been developed, which is most applicable in communication systems with a high transmission rate. The main difference of this model is that it is built on an exclusively sequential concatenation of a basic linear automaton, which determines the simplicity of the proposed model. Also, an algorithm for controlling the integrity and authenticity of block data was proposed based on the proposed algorithm for generating a pseudo-random sequence. The practical significance lies in the fact that the proposed model is simple and can be applied in information security systems in practice, including in authentication and data integrity control systems.

Luca Crocetti,Stefano Di Matteo,Pietro Nannipieri,Luca Fanucci,Sergio Saponara

DOI: https://doi.org/10.3390/e24020139

2022-01-18

Abstract:In the cybersecurity field, the generation of random numbers is extremely important because they are employed in different applications such as the generation/derivation of cryptographic keys, nonces, and initialization vectors. The more unpredictable the random sequence, the higher its quality and the lower the probability of recovering the value of those random numbers for an adversary. Cryptographically Secure Pseudo-Random Number Generators (CSPRNGs) are random number generators (RNGs) with specific properties and whose output sequence has such a degree of randomness that it cannot be distinguished from an ideal random sequence. In this work, we designed an all-digital RNG, which includes a Deterministic Random Bit Generator (DRBG) that meets the security requirements for cryptographic applications as CSPRNG, plus an entropy source that showed high portability and a high level of entropy. The proposed design has been intensively tested against both NIST and BSI suites to assess its entropy and randomness, and it is ready to be integrated into the European Processor Initiative (EPI) chip.

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Maro Choi,Shincheol Lee,Minjae Jo,Ji Sun Shin

DOI: https://doi.org/10.3390/s21062242

2021-03-23

Abstract:Authentication methods using personal identification number (PIN) and unlock patterns are widely used in smartphone user authentication. However, these authentication methods are vulnerable to shoulder-surfing attacks, and PIN authentication, in particular, is poor in terms of security because PINs are short in length with just four to six digits. A wide range of research is currently underway to examine various biometric authentication methods, for example, using the user's face, fingerprint, or iris information. However, such authentication methods provide PIN-based authentication as a type of backup authentication to prepare for when the maximum set number of authentication failures is exceeded during the authentication process such that the security of biometric authentication equates to the security of PIN-based authentication. In order to overcome this limitation, research has been conducted on keystroke dynamics-based authentication, where users are classified by analyzing their typing patterns while they are entering their PIN. As a result, a wide range of methods for improving the ability to distinguish the normal user from abnormal ones have been proposed, using the typing patterns captured during the user's PIN input. In this paper, we propose unique keypads that are assigned to and used by only normal users of smartphones to improve the user classification performance capabilities of existing keypads. The proposed keypads are formed by randomly generated numbers based on the Mersenne Twister algorithm. In an attempt to demonstrate the superior classification performance of the proposed unique keypad compared to existing keypads, all tests except for the keypad type were conducted under the same conditions in earlier work, including collection-related features and feature selection methods. Our experimental results show that when the filtering rates are 10%, 20%, 30%, 40%, and 50%, the corresponding equal error rates (EERs) for the proposed keypads are improved by 4.15%, 3.11%, 2.77%, 3.37% and 3.53% on average compared to the classification performance outcomes in earlier work.

Chen Wang,Yan Wang,Yingying Chen,Hongbo Liu,Jian Liu

DOI: https://doi.org/10.1016/j.comnet.2020.107118

IF: 5.493

2020-04-01

Computer Networks

Abstract:<p>Mobile devices have brought a great convenience to us these years, which allow the users to enjoy the anytime and anywhere various applications such as the online shopping, Internet banking, navigation and mobile media. While the users enjoy the convenience and flexibility of the "Go Mobile" trend, their sensitive private information (e.g., name and credit card number) on the mobile devices could be disclosed. An adversary could access the sensitive private information stored on the mobile device by unlocking the mobile devices. Moreover, the user's mobile services and applications are all exposed to security threats. For example, the adversary could utilize the user's mobile device to conduct non-permitted actions (e.g., making online transactions and installing malwares). The authentication on mobile devices plays a significant role to protect the user's sensitive information on mobile devices and prevent any non-permitted access to the mobile devices. This paper surveys the existing authentication methods on mobile devices. In particular, based on the basic authentication metrics (i.e., knowledge, ownership and biometrics) used in existing mobile authentication methods, we categorize them into four categories, including the knowledge-based authentication (e.g., passwords and lock patterns), physiological biometric-based authentication (e.g., fingerprint and iris), behavioral biometrics-based authentication (e.g., gait and hand gesture), and two/multi-factor authentication. We compare the usability and security level of the existing authentication approaches among these categories. Moreover, we review the existing attacks to these authentication approaches to reveal their vulnerabilities. The paper points out that the trend of the authentication on mobile devices would be the multi-factor authentication, which determines the user's identity using the integration (not the simple combination) of more than one authentication metrics. For example, the user's behavior biometrics (e.g., keystroke dynamics) could be extracted simultaneously when he/she inputs the knowledge-based secrets (e.g., PIN), which can provide the enhanced authentication as well as sparing the user's trouble to conduct multiple inputs for different authentication metrics.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Maria Papaioannou,Georgios Zachos,Georgios Mantas,Emmanouil Panaousis,Jonathan Rodriguez

DOI: https://doi.org/10.3390/s24165193

2024-08-11

Abstract:As the number of European Union (EU) visitors grows, implementing novel border control solutions, such as mobile devices for passenger identification for land and sea border control, becomes paramount to ensure the convenience and safety of passengers and officers. However, these devices, handling sensitive personal data, become attractive targets for malicious actors seeking to misuse or steal such data. Therefore, to increase the level of security of such devices without interrupting border control activities, robust user authentication mechanisms are essential. Toward this direction, we propose a risk-based adaptive user authentication mechanism for mobile passenger identification devices for land and sea border control, aiming to enhance device security without hindering usability. In this work, we present a comprehensive assessment of novelty and outlier detection algorithms and discern OneClassSVM, Local Outlier Factor (LOF), and Bayesian_GaussianMixtureModel (B_GMM) novelty detection algorithms as the most effective ones for risk estimation in the proposed mechanism. Furthermore, in this work, we develop the proposed risk-based adaptive user authentication mechanism as an application on a Raspberry Pi 4 Model B device (i.e., playing the role of the mobile device for passenger identification), where we evaluate the detection performance of the three best performing novelty detection algorithms (i.e., OneClassSVM, LOF, and B_GMM), with B_GMM surpassing the others in performance when deployed on the Raspberry Pi 4 device. Finally, we evaluate the risk estimation overhead of the proposed mechanism when the best performing B_GMM novelty detection algorithm is used for risk estimation, indicating efficient operation with minimal additional latency.

Kirsten Crager,Anindya Maiti,Murtuza Jadliwala,Jibo He

DOI: https://doi.org/10.14722/eurousec.2017.23013

2017-01-01

Abstract:Smart phones and wearable devices have replaced personal computers and desktops as the primary platform for accessing online applications and services.However, these mobile devices bring forth new and additional forms of security and privacy risks, which were non-existent in traditional personal computers.For instance, several recent research efforts have shown that motion sensors such as accelerometer and gyroscope on-board these mobile and wearable devices can be maliciously used to infer private information from users' keystrokes (e.g., PINs and passwords).The problem is that, unlike traditional security and privacy risks that are typically associated with personal computers, most users may not be aware of these novel risks associated with mobile devices.An adversary may use this lack of user-awareness to target specific user-demographics for successfully carrying out such attacks.There has been some progress in the direction of protection mechanisms against such attacks, however, without user-awareness these protection mechanisms are unlikely to be used effectively (if at all).In order to further understand these issues, we conduct a structured and comprehensive user-study involving users from diverse demographic backgrounds to investigate userawareness and perceptions related to mobile motion sensor based privacy risks, and how these vary across different demographics.By means of our study, we also gain insight on users' expectations from defense mechanisms that can protect against such attacks.Results of our study can be used to increase awareness (about such risks) among the less-aware user demographies, and in designing effective and usable protection mechanisms as per user-expectations.

Michał Melosik,Mariusz Galan,Mariusz Naumowicz,Piotr Tylczyński,Scott Koziol

DOI: https://doi.org/10.3390/e25070976

2023-06-25

Abstract:This paper presents a prototype wearable Cryptographically Secure PseudoRandom Bit Generator CSPRBG (wearable CSPRBG). A vest prototype has been fabricated to which an evaluation board with a ZYBO (ZYnq BOard) Zynq Z-7010 has been mounted using tailoring technology. In this system, a seed generator and block cryptographic algorithms responsible for the generation of pseudo-random values were implemented. A microphone and an accelerometer recorded sound and acceleration during the use of the prototype vest, and these recordings were passed to the seed generator and used as entropy sources. Hardware implementations were made for several selected Block Cryptographic algorithms such as Advanced Encryption Standard (AES), Twofish and 3DES. The random binary values generated by the wearable CSPRBG were analyzed by National Institute of Standards and Technology (NIST) statistical tests as well as ENT tests to evaluate their randomness, depending on the configuration of the entropy sources used. The idea of possible development of the wearable CSPRBG as a System on Chip (SoC) solution is also presented.

Paul Jimenez,Raphael Cardoso,Maurìcio Gomes de Queiroz,Mohab Abdalla,Cédric Marchand,Xavier Letartre,Fabio Pavanello

2024-10-09

Abstract:The study of regularity in signals can be of great importance, typically in medicine to analyse electrocardiogram (ECG) or electromyography (EMG) signals, but also in climate studies, finance or security. In this work we focus on security primitives such as Physical Unclonable Functions (PUFs) or Pseudo-Random Number Generators (PRNGs). Such primitives must have a high level of complexity or entropy in their responses to guarantee enough security for their applications. There are several ways of assessing the complexity of their responses, especially in the binary domain. With the development of analog PUFs such as optical (photonic) PUFs, it would be useful to be able to assess their complexity in the analog domain when designing them, for example, before converting analog signals into binary. In this numerical study, we decided to explore the potential of the disentropy of autocorrelation as a measure of complexity for security primitives as PUFs, TRNGs or PRNGs with analog output or responses. We compare this metric to others used to assess regularities in analog signals such as Approximate Entropy (ApEn) and Fuzzy Entropy (FuzEn). We show that the disentropy of autocorrelation is able to differentiate between well-known PRNGs and non-optimised or bad PRNGs in the analog and binary domain with a better contrast than ApEn and FuzEn. Next, we show that the disentropy of autocorrelation is able to detect small patterns injected in PUFs responses and then we applied it to photonic PUFs simulations.

Cryptography and Security

Ram Soorat,Madhuri K.,Ashok Vudayagiri

DOI: https://doi.org/10.48550/arXiv.1510.01234

2015-10-06

Abstract:One of the key requirement of many schemes is that of random numbers. Sequence of random numbers are used at several stages of a standard cryptographic protocol. A simple example is of a Vernam cipher, where a string of random numbers is added to massage string to generate the encrypted code. It is represented as $C=M \oplus K $ where $M$ is the message, $K$ is the key and $C$ is the ciphertext. It has been mathematically shown that this simple scheme is unbreakable is key K as long as M and is used only once. For a good cryptosystem, the security of the cryptosystem is not be based on keeping the algorithm secret but solely on keeping the key secret. The quality and unpredictability of secret data is critical to securing communication by modern cryptographic techniques. Generation of such data for cryptographic purposes typically requires an unpredictable physical source of random data. In this manuscript, we present studies of three different methods for producing random number. We have tested them by studying its frequency, correlation as well as using the test suit from NIST.

Computational Physics,Cryptography and Security,Instrumentation and Detectors

Lin Wang,Haonan An,Haojin Zhu,Wenyuan Liu

DOI: https://doi.org/10.1109/jiot.2020.2986399

IF: 10.6

2020-08-01

IEEE Internet of Things Journal

Abstract:Consumer Internet-of-Things platforms, especially in smart home, have received widespread attention. A large number of end-to-end and edge-to-end wireless communication links are subject to significant security and privacy risks. Key generation using radio link side-channel information is a burgeoning technology to solve this problem. This article designs a symmetric key generation method without environmental constraints, namely, MobiKey. The basic idea is taking the human mobility in home or the swing of the antenna to generate symmetric keys based on channel reciprocity. We leverage the practical phase information as the channel feature to generate symmetric keys between two communicating parties. To overcome the effects of noise on both communication sides and get a better performance, MobiKey harnesses the adaptive quantization method to make the bit generation rate and bit matching rate higher. MobiKey also uses the adaptive inconsecutive samples to increase the confusion of the adversary. Moreover, we propose the D-Gray code to enhance the randomness of quantization. MobiKey is implemented on different commercial devices, and the results show that it has comparative advantages in key generation consistency, randomness, and security. In addition, the performance in preventing predictable channel attacks and eavesdropping attack is discussed.

computer science, information systems,telecommunications,engineering, electrical & electronic