-
1
Channel State Information Based Cryptographic KeyGeneration for
Intelligent Transportation Systems
Soheyb Ribouh, Kelvin Phan, Arnav Vaibhav Malawade, Yassin EL
Hillali, Atika Rivenq, Mohammad AbdullahAl Faruque
Abstract—Due to the sensitivity of the information exchangedin
Vehicle to Vehicle (V2V) and Vehicle to Infrastructure
(V2I)communication, generating secret keys is critical to secure
thesecommunications. As nature is open access, distributed keys
aremore vulnerable to attacks in the vehicular environment.
Physicallayer key generation methods using wireless channel
character-istics show promise in preventing such attacks,
generating keysindependently, and removing the need for
distribution. In thispaper, we present a novel key generation
approach in a real ve-hicular environment based on Channel State
Information (CSI),including a new algorithm for key bit extraction.
We implementedour algorithm using USRP B210 Software-Defined Radios
(SDR)and the industry-standard V2X communication protocol:
IEEE802.11p. The proposed key generation protocol uses the
CSIvalues of each sub-carrier as a source of randomness, from
whichbits are extracted using a new QAM demodulator
quantizer(QAM-Dem-Quan). We compared our technique to
state-of-the-art Received Signal Strength (RSS)-based approaches,
and showthat our method achieves better performance. Moreover,
wereached a min-entropy of approximately 70% for the generatedkeys
and a key generation rate of less than 150 µs/key for keylengths
ranging from 16 to 128 bits.
Index Terms—Channel State Information (CSI), IEEE
802.11p,Physical layer key generation, QAM-Dem-Quan, V2V
security,V2X communications.
I. INTRODUCTION AND RELATED WORK
CONNECTED vehicle technology is expected to seeprevalent usage
as part of intelligent transportation sys-tems (ITS), which
themselves are projected to be widelyimplemented in urban centers.
This expectation is supportedby industry trends, such as automakers
Volkswagen and Toyotadeclaring their intent to deploy
Vehicle-To-Everything (V2X)communication technology in 2021.
Moreover, it is furthersupported by policy trends like the proposed
mandate from theNational Highway Traffic and Safety Administration
(NHTSA)that would have required all vehicles to have V2X
capabilityby 2020 [1]. These trends themselves are likely motivated
bythe benefits promised by ITS, which would help resolve cur-rent
urban mobility issues. ITS have the potential to reduce theseverity
of up to 80 percent of non-impaired crashes accordingto the NHTSA
and the data collected from these systems caninform better traffic
flow management for decreased commutetimes and, as a result,
reduced emissions [2],[3]. Autonomousvehicles have also been the
focus of recent transportationadvancement, slated to make up 40
percent of vehicle trafficby the 2040s with the promise of better
safety, mobility, trafficflow, and energy usage [4]. Through
Vehicle-To-Vehicle (V2V)and Vehicle-To-Infrastructure (V2I)
communications, a fully
realized ITS composed of connected autonomous vehiclespromises
to be the future of transportation [5],[6],[7].
Given the critical role Vehicle-To-Everything (V2X) wire-less
communication plays in connected vehicle infrastructure,it thus
follows that the security of these communications isequally
important. ITS vehicles are highly mobile and so,exchange
information in an ad hoc fashion forming Vehi-cle Ad Hoc Networks
(VANETs) or Mobile Ad Hoc Net-works (MANETs); however, the growing
connectivity betweenvehicles and the external environments in these
VANETsmeans that there is an increase in attack surfaces and
vul-nerabilities [8]. As a result, various studies have affirmedthe
typical security concerns for VANET security
standards:authentication, ensuring messages are generated by
legitimateusers; availability, maintaining access to ITS services;
in-tegrity, preventing messages from being tampered with;
andprivacy/confidentiality, restricting message access to
relevantparties [9],[10],[11],[12],[13]. In these studies, current
VANETsecurity concerns are presented as unsolved and
maliciousparties are profiled as those intending to disrupt
transportationsystems since compromising the security of
transportationoften involves sabotaging the transmission of
critical safetydata; therefore, it follows that V2X security is an
open researchchallenge and necessary to the advancement of ITS. Of
thesesecurity challenges, our concern, and that of the related
workdescribed below, is the confidentiality of V2X
automotivewireless communications in ITS.
Currently, the most common methods for securing
V2Xcommunications utilize a public key infrastructure (PKI)
[14].However, encryption methods based on traditional PKI
presentsome risks [15] and incur significant latency while
performingthe necessary cryptographic operations of the ITS-S
[16].Furthermore, they require a significant amount of
computingresources and power [17]. For V2X applications where
safety-critical communications must be completed within 200 msand
embedded hardware with limited computing power isemployed, such
high latency and power requirements arenot viable[18]. These
restrictions led to the development ofa Vehicular Public Key
Infrastructure (VPKI) that mitigatesthese issues. The Security
Credential Management System(SCMS) is a leading candidate for
standardizing V2X securityin the United States because it can
provide data authenticationto preserve privacy and provides the
additional security mea-sure of being able to revoke of permissions
for misbehavingvehicles [19] [20]. Despite these security measures,
therisk assessment concluded that the SCMS is still vulnerableto
some types of attacks [20]. The current state-of-the-art
-
2
solutions in this research area are thus based on
quantumcryptography such as the quantum random number generator[21]
and quantum-SCMS [22], which uses quantum theoryto perform
cryptographic tasks, but this is a cost-prohibitivesolution [17].
Physical layer-based approaches that leverageshared wireless
channel characteristics in a Pre-Shared Key(PSK) infrastructure
have thus emerged as a cost-effective,practical solution to the
latency and power issues found intraditional approaches.
In this physical layer approach, measurements of the
sharedwireless channel are used to seed a key generator
individualto each communicating party on opposing sides of a
two-way communication link. The shared channel would mean
thatequivalent symmetric keys are generated without requiring akey
exchange step. Existing publications have explored differ-ent
channel attributes as sources of randomness. A majorityof these
methods are based on either the Received SignalStrength Indicator
(RSSI) or the Channel Impulse Response(CIR), which can be
characterized by the CSI values estimated.Existing key generation
methods based on entropy sourcessuch as RSSI or CIR are generally
assessed on the performanceof most, if not all, of the following
three components: Quanti-zation, Reconciliation, and Privacy
amplification. Compared toRSSI-based approaches, CIR-based
quantization methods havedemonstrated inherent advantages in the
level of secrecy andkey generation rate. However, the RSSI-based
approach is stilla viable method because it is reachable from
higher networklayers and is typically self-implemented in SDR
devices. Keygeneration rates based on RSSI and CSI have been
comparedin [23]. One example is the RSSI-based physical layer
keygeneration technique for V2V communication introduced in[24]. In
this methodology, RSSI values are measured from aprobe signal
exchanged between two communicating vehiclesthrough Bluetooth. The
RSSI values are then quantized usingthresholds to get a sequence of
binary values for key gen-eration. Additionally, this paper
proposes protocol algorithmsto support this key generation
technique including scenariomapping, optimization, and
cryptographic key derivation. Asimilar approach was proposed in
[25] for securing opticallight communication between vehicles.
However, RSSI valuesare not the only sources of entropy in
physical-layer applica-tions. The technique proposed in [25] was
expanded to theapplication of optical fiber link security in [26]
and [27],where Polarization Mode Dispersion (PMD) was used as
asource of randomness for generating keys from optical
signals.Similar to the RSSI-based approaches, the collected PMD
weredivided into many group sizes, then quantized using
differentupper and lower thresholds for each group size to get
binarysequences used for key generation.
In [28], a novel method of extracting bits using CSI-basedkey
generation from the OFDM-FDD system of 3G-LTE ispresented; it aims
to estimate the uplink CSI of the BS(base station) and UE (user
equipment) at the same time byexchanging a known, private probe
signal. The amplitude ofthe estimated CSI is then quantized via a
lower and upperthreshold to bit values ‘0’ and ‘1’ respectively to
generatea key. Simulation results show that this approach
supportsdifferent scenarios with low complexity. CSI-based
methods
are further explored in [29], where a new approach calledSKECE
is proposed. The CSI-based key extraction of thismethod has three
primary steps. First, CSI values are quantizedby fixing two
adaptive thresholds and assigning ”1” to valuesabove the upper
thresholds and ”0” to values below the lowerthresholds; CSI values
between the thresholds are dropped.Second, leakage-resilient
consistency validation is performedby using an SHA-1 to hash the
bitstreams. Finally, weightedkey recombination is used in case all
bit sequences have mis-matches. To resolve this, reconciliation is
performed to extracta consistent bitstream using a weighted key
recombinationmethod. SKECE was evaluated through various
experimentsusing off-the-shelf 802.11 devices in real-world
scenarios.
As an alternative to threshold-based quantization, a new
keyextraction mechanism called alternating channel quantizationwas
established in [30] and [31]. It is based on the use
ofnonequivalent quantization sectors on the space of
observablecomplex channels, by adapting the quantization map to
thechannel observation. This approach has been simulated andtested
in an indoor environment using a MIMO system andhas been shown to
achieve better performance than the grandband methods which use
equally probable quantization sectors.Similar to alternating
channel quantization, an intelligent keygeneration mechanism called
phase shifting is explored in[32]. It involves converting the
shifted phases of the CSIvalues to constellation points, with a
direct quantization after.The simulation results of a typical SISO
outdoor channelmodel show that this method can achieve high
efficiency.Nonetheless, all the previously explored methods have
somelimitations: first, they are not suitable for vehicular
fadingchannels; second, results show low entropy with the
decreaseof the key generation rate (KGR) at high vehicle
velocities;third, the security of these mechanisms has yet to be
validatedin real-world driving scenarios given that most were
tested insimulation or indoor environments.
The remainder of this paper is organized as follows: SectionII
describes the research challenges and our contributions tosolving
them, Section III describes our wireless communi-cation and
security model, Section IV gives an overview ofthe proposed key
generation process, Section V describes ourexperimental setups and
the experimental results, and SectionVI evaluates the success of
our proposed method.
II. RESEARCH CHALLENGES AND OUR CONTRIBUTIONSTo overcome the
limitations of the aforementioned
approaches, it is necessary to solve the following key
researchchallenges:
1) Minimizing performance overhead: For automotivewireless
communications or V2X communications, keygeneration must meet the
strict timing constraints ofsafety-critical messages while
operating within the com-putational limits of vehicular control
systems.
2) Selecting a reliable entropy source: The source ofentropy for
the key generator must preserve the sharedphysical layer
characteristics that produce matchingsymmetric keys while
simultaneously providing suffi-cient randomness to create secure
keys.
-
3
To address the previously cited challenges, our main
con-tributions in this paper are as follows:
1) We propose a new method of physical layer keygeneration for
802.11p-based V2X communication. Thebit sequences are extracted
from the shared wirelesschannel, characterized by the estimated CSI
values. Inthis context, we come up with a new quantizer basedon a
QAM demodulator quantizer (QAM-Dem-Quan)with the addition of a hash
function in the output toincrease the min-entropy of the key.
2) The proposed approach was implemented on industry-standard
software-defined radios (SDR). This solutionwas validated in
several real-world, dynamic vehicularenvironments (urban and
highway). Furthermore, theproposed key generation schema was
evaluated for per-formance and security, demonstrating comparable
resultsin both when compared to the state-of-the-art.
III. SYSTEM MODEL
Fig. 1: System Model
Given that CSI is the most accurate representation ofthe
wireless channel characteristics and the related researchhad
demonstrated its efficiency in generating secured keys,we establish
a wireless communication model centered onthe CSI values and their
associated characteristics. We usea half-duplex
transmitter/receiver pair of vehicular wirelesscommunication nodes
(Figure 1), where Vehicle 1 (Alice)represents a connected vehicle
that exchanges messages withVehicle 2 (Bob): another connected
vehicle or a Road SideUnit (RSU).These two vehicles generate a
secret symmetric key by exploit-ing the estimated CSI values to
encrypt their communications.The same symmetric key is generated in
each vehicle sepa-rately, without requiring a Pre-Shared Key
step.The proposed V2X network operates on the IEEE 802.11pstandard,
known by its industry label of WAVE in the UnitedStates and ITS-G5
in Europe. The physical layer of thisstandard is based on the
Orthogonal Frequency DivisionMultiplexing (OFDM) waveform, which
aims to divide the
transmitted signal over a large number of sub-carriers.
802.11puses 64 sub-carriers, where four of them are pilot symbols
usedfor channel estimation.The transmitted signal based on the OFDM
waveform isrepresented in the time domain as follows:
X(t) =
M−1∑K=0
X(k)e2πkt/T , 0 ≤ t < T (1)
Where X(k) are the transmitted data symbols, M is thenumber of
sub-carriers and T is the OFDM symbol time.However, the received
signal in frequency domain over thewireless channel can be written
as:
Y (k) = X(k)H +W (k) (2)
Where H is the wireless channel response and W is thenoise in
the receiver. After filtering the noise, the receiveddata symbols
in each vehicle can be written in the followingmatrix form:
Y1 = X2H (3)
Y2 = X1H (4)
Y1, Y2 and X1, X2 represent the received and transmitteddata
symbols at Vehicle 1 and Vehicle 2 respectively andH is the channel
matrix, where its coefficients are the CSIvalues. These CSI values
are obtained in the equalization partof the receiver, where they
are estimated based on the fourtransmitted pilot’s sub-carriers.
The information transmitted inthe pilot’s sub-carriers is known by
both the transmitter andthe receiver.
In existing research, there are various algorithms for
cal-culating the H matrix’s coefficients. For our model, we
haveused the least square estimator (LS).(see Equation 5)
HLS = Ypilot.X−1pilot (5)
By using an interpolation function between the resultingvalues
and the pilot symbols, we retrieve the remaining valuesof the H
matrix which compose the CSI values. The vehicularwireless channel
between the transmitter and the receiver isgiven as a double
selective fading propagation channel, whichis characterized by the
delay spread and the Doppler spread[33]. The base-band time-varying
response of the multi-pathchannel is given by:
h(t, τ) =
L−1∑l=0
Al(t)δ(τ − τl(t)) (6)
Where L, Al(t), and τl(t) represent the number of non-zero
paths, the time-varying complex amplitudes for eachpath l, and the
time-varying path delays, respectively. On theother hand, note that
in this case the phase of the complexamplitude Al(t) depends on the
variation of the Doppler shift.The propagation of the signal over
this channel can inducea Doppler shift to each path in addition to
the time delay.As a result, at the receiver side we observe the
superposition
-
4
of multiple different delayed and frequency shifted versionsof
the transmitted signal. Due to the reciprocity [34] of theshared
wireless channel at the physical layer, we assumethat two
communicating vehicles estimate the same channelcharacteristics
(CSI) if they are sending messages to each otherwithin the
channel’s coherence time Tc. (Tc is the time intervalover which the
channel response is considered not varying).
Tc ≈0.423
fd(7)
Where fd is the maximum Doppler frequency. In
vehicularcommunication,fd can be expressed by the speed
differencebetween the two communicating vehicles ∆V as shown
below:
fd =∆V
cf0
∆V = |V1 − V2|(8)
where c is the celerity (speed of light) and f0 is
thecommunication frequency. As such, the channel
characteristicschange every coherence time window: Tc. Therefore,
thehigher the ∆V is, the more frequently the channel is
changing.However, to extract matching bits to generate the key,
CSIvalues must be extracted within a given coherence
time,Tc,otherwise, the channel characteristics will change and it
willresult in non-matching keys.
A. Security Strength ModelFor cryptographic keys, security
strength is a measure of
the work required to break the encryption through brute
force.The formal definition of security strength then, as given
bythe National Institute of Standards and Technology (NIST),is that
an algorithm has ”X-bits security strength” if it takes”X” number
of attempted symmetric keys to guess the correctkey [35]. To
quantify the randomness and security of a key,we use the concept of
min-entropy which is a worst-caseentropy estimation that provides a
lower bound on the key’srandomness [36]. If K is the set of all
possible randomlygenerated keys, the equation for min-entropy is as
follows:
H∞ = Hmin = − log(maxk∈K
Pr[k = K]) (9)
Pr[k = K] refers to the probability of generating key k ∈K. As
an extension of this, we consider security strength tobe the
following:
Securitystr = Hmin/Keysize (10)
where Keysize is the key length and Securitystr is a
valuebetween 0 and 1. The higher the value the higher the
securitystrength as it provides more bits of entropy.
B. Attack ModelFor our methodology, we consider a non-intrusive
wireless
attack model in which the attacker (Eve) attempts to eaves-drop
on the communication between two legitimate partiesthrough a third
channel[36]. It is assumed that Eve can captureall the wireless
packets and is aware of the characteristics ofthe V2X network. In
this case, if Eve can obtain the samesymmetric key, then the system
is considered broken.
Fig. 2: Attack Model
IV. KEY GENERATION METHODOLOGY
RSSI-Based Algorithm 1 is sourced from [36] and beginsby taking
Gsizexτstep to collect RSS values from the wirelesschannel in lines
3-5. Once the RSS values are filtered toremove low-frequency noise
via a high-pass filter, thresholdsare calculated for RSSfiltered in
Lines 7-10. Subsequently,Lines 11-19 generate the Key after
quantizing the RSS whilealso recording the indices of used RSS
values. This will beused later in the reconciliation step to remove
bits associatedwith mismatched indices.
Our CSI based key generation process (see Algorithm 2)consists
of the following two main components: quantizationand privacy
amplification. In our proposed approach, thetypical reconciliation
step is not necessary.
A. Quantization
After CSI values are collected, Line 4 quantizes the CSIvalues
using a novel QAM demodulation technique to extractbits. Since CSI
values are complex numbers, we consider thequantization step as a
QAM demodulation problem, becausethe QAM demodulator’s normal
function is to transform eachdata complex number to a sequence of
bits according to itsresponding bits value in the constellation
diagram (Figure 3).In our proposed approach we use the same
functionality, butinstead of using QAM-modulated data, we use the
CSI valuesas the input. Multiple M-QAM demodulation orders (4,16and
64) were evaluated for the quantizer and we observedthat the 64QAM
demodulation results in the most random bitsequences.
B. Privacy Amplification
Once values are quantized, We apply a secure hash al-gorithm to
the extracted bits sequences in Line 11. This isdone to add
randomness and to avoid having repeated keysand sequences.
Moreover, the hash function can provide moresecrecy to the
generated keys.
-
5
Algorithm 1: Algorithm for RSSI-Based PhysicalLayer Key
Generation for a Wireless Automotive CPS
Input: Measured Signal Strength RSSInput: Sample Time Step:
τstepInput: Group Size: GsizeInput: Threshold parameter: αInput:
Required Key Length: LkeyOutput: Generated Key: Key
1 L = 0;Key = 0;RSSset = ∅;RSSfiltered =∅;Keyidx = ∅
2 while L ¡ Lkey do3 for i = 1 to Gsize do4 RSSset = RSSset
⋃RSS;
5 Wait(τstep)
6 RSSfiltered = RSSset ∗Hhighpass(t);7 MeanV alue = AverageV
alueofRSSfiltered;8 V ar = V ariationV alueofRSSfiltered;9 Thup =
MeanV alue+ α ∗ V ar;
10 Thlo = MeanV alue− α ∗ V ar;11 foreach RSSj ∈ RSSfiltered
do12 if RSSj > Thup then13 Key = (Key
-
6
Fig. 4: Experimental setup with Ettus B210 Boards and
carvehicles(Alice, Bob, and Eve)
A. Real Vehicle Tests for RSSI-Based Key Generation
1) RSSI Data Collection: As presented in Figure 5,
RSSImeasurements are calculated from raw input data that is
col-lected from a data recorder on the IEEE 802.11p
transceiver.Frame decoding refers to the process by which wireless
pack-ets are received, synchronized, and decoded. The raw inputdata
is in the form of complex power values that are processedby the
following functional blocks: Sync Short, Sync Long,and Frame
Equalizer. Sync Short and Sync Long, as noted inthe figure, are
responsible for detecting potential packet framesand aligning
frames respectively. These functional blocks aresynchronous GNU
Radio blocks, meaning that data is alwaysbeing periodically
received by the transceiver, and so, the datarecorder is programmed
to only sample complex power valueswhen Sync Short indicates it has
detected a frame. Using a cus-tom RSSI measurement function, these
complex power valuesare converted to RSSI values measured in
decibel-milliwatts(dBm), producing approximately 14 RSSI values per
packetreceived. Unlike the raw power values, these RSSI values
arescalar and can now be used as input data for Key Generationin
Algorithm 1. This RSSI calculation, however, introduceslatency as
it requires costly filters and transformations. Keysare generated
using every possible combination of thresholdparameter α and Group
Size Gsize listed in Table II.
Alpha 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9
Group Size 20, 40, 60, 80, 100
TABLE II: Key Generation parameters for RSSI-basedalgorithm
2) Correlation of RSSI Values: A subset of 5000 samplesfrom
902,870 RSSI values collected in a real driving scenariotest is
displayed in Figure 6. Based on the similar shape andamplitude of
displayed results, it is apparent that the RSSIvalues collected at
Vehicle A and Vehicle B for the wirelesschannel communications from
Vehicle A to Vehicle B wouldbe highly correlated if they were
aligned. This potential highcorrelation is a result of the shared
physical layer or the shared
ReceivedSignal
Sync Short(Frame
detection)
Sync Long(Frame
alignment)
Fast FourierTransform
FrameEqualizer
DecodeFrame
OutputReceived
Frame
complexpower
samples
High PassFilter
Fast FourierTransform
RSSICalculation
KeyGenerationAlgorithm
OutputEncryption
Key
Frame Decoding
Key Generation Process
Fig. 5: Flow chart describing RSSI-based key
generationprocess
0 1,000 2,000 3,000 4,000 5,000−10
−5
0
5
6
MisalignedMisaligned
Number of RSSI Values
RSS
IV
alue
s[dB
m]
Vehicle AVehicle B
Fig. 6: Collected RSSI values from Vehicles A and B in anUrban
Scenario.
wireless channel between Vehicle A and Vehicle B, whichmeans the
channel response should be similar, but the delayscaused by the
multi-path on the received signal can negativelyaffect the
correlation between the RSSI values collected atVehicle A and
Vehicle B. From [36], it is known that this
-
7
correlation allows for the generation of matching symmetrickeys
as seen when using the threshold-based quantizationtechnique in
Algorithm 1. RSSI measurements that are furthestfrom the mean dBm
value (i.e. large spikes in signal strength)are used to generate a
key. Cross-correlation techniques wereused to determine the delay
caused by packet reception timingdifferences and shift the delayed
set of RSSI values accord-ingly. The result of this is displayed,
but despite shifting thecorrelated values of the RSSI data closer,
the values are stillclearly not aligned. Potential reasons for this
misalignment areelaborated in Section VI.
16 32 64 128 256
0
2
4
6
8
10
7.75
7.3
2
6.64
6.3
7
6.37
1·1
0−3
0 0 0 0
Key Length (Number of Bits)
Perc
enta
geof
Mat
ched
Key
s
Successful AlignmentUnsuccessful Alignment
Fig. 7: Matched Key Rate for Vehicles A and B forSuccessful and
Unsuccessful Alignment.
3) Percentage of Matching Keys and Relevance of SignalAlignment:
After collecting RSSI values from tests conductedaccording to the
real driving scenarios described in Section V,the RSSI measurements
are used in Algorithm 1 to generatekeys in post-processing. Keys
are generated separately usingVehicle A values and Vehicle B values
independently beforeperforming a reconciliation step, at which
point matching keysare those without mismatched bits. In Figure 7,
the percent-age of matching keys for each key length after
generatingkeys with all possible parameter combinations is listed.
Theproportion of matching keys for all key lengths are found tobe
under 10% and demonstrates an inverse relationship withkey length,
meaning the matching rate decreases as key lengthincreases.
However, this relatively low matching rate is onlypossible in the
case that the correlated RSSI measurementsare aligned. If these
measurements are out of alignment, asseen in the matching rate for
unsuccessful alignment, thereare 0% matching keys. For these tests,
successful alignmentwas only achieved in the more static
urban/parking scenario atlow speeds of 15 - 20 mph and only after
manually aligningthe values in post-processing. Examples of
matching keyswith varying length achieved in this case can be found
inTable III, showing that wireless channel characteristics forV2X
communications can be a reliable entropy source forsufficiently
strong keys should the keys match. Nonetheless,
these matching keys were only produced under more
staticconditions, which cannot always be expected in normal
V2Xusage scenarios. At speeds of 40-50 mph in the dynamichighway
scenario, signal alignment could not be achieved evenin
post-processing, and accordingly, the matching rate of 0%follows
the previous trend of low matching for unsuccessfulalignment. Given
the apparent correlation between matchingrate and alignment, it
thus proves necessary that measures ofchannel characteristics
during packet activity must be aligned.
KeyLength
Generated Keys
16 0010000000000111
32 00000000001111111111111110010000
64
0000000000111111111111111001000000000011111111111111100100000000
128
00000000001111111111111110010000000000111111111111111001000000000011111111111111100100000000001111111111111110010000000000111111
256
0000000000111111111111111001000000000011111111111111100100000000001111111111111110010000000000111111111111111001000000000011111111111111100100000000001111111111111110010000000000111111111111111001000000000011111111111111100100000000001111111111111110010000
TABLE III: Keys Generated from RSSI Data in UrbanScenario
Tests
B. Real Vehicle Tests for CSI-Based Key Generation
1) CSI Data Collection: As shown in Figure 8, CSI valuesare
collected as output data from the Frame Equalizer func-tional
block, which performs the transceiver’s equalization stepby
estimating CSI values as described in Section III. Framedecoding is
described earlier in the RSSI Data Collectionpart of Subsection V-A
but is essentially the synchronizationand decoding of a frame’s
complex power values to bits.It is important to note that CSI
values are only generatedwhen a packet has been fully received
unlike data from SyncShort or Sync Long which sometimes produces
false positivesfor packet reception. Given this dependence on full
packetreception, CSI values are not collected from dead air
likeRSSI values, and, as stated in Section III, are a more
accurateestimate of channel characteristics while also providing 64
CSIValues per packet received. Using the QAM demodulation-based
quantization described in Section IV, the complex CSIvalues can be
converted to bits for generating keys as shownin Algorithm 2.
2) Correlation of CSI Values: A subset of 256 samplesfrom 3264
CSI values collected in a real-world drivingscenario test is
displayed in Figure 9. From the similarshape and amplitude of the
displayed results, it is apparentthat the CSI values collected at
Vehicle A and Vehicle Bfor the wireless channel communications
between Vehicle Aand Vehicle B are highly correlated. This high
correlation
-
8
ReceivedSignal
Sync Short Sync Long Fast FourierTransform
FrameEqualizer
DecodeFrame
OutputReceived
Frame
CSI ValuesCalculated
KeyGenerationAlgorithm
OutputSymmetric
Key
Frame Decoding
Key Generation Process
Fig. 8: Flow chart describing CSI-based key
generationprocess
0 20 40 60 80 100 120 140 160 180 200 220 240 260−3.5
−2
−1
0
1
2
3.5
Aligned
Aligned
Number of CSI Values
Phas
eA
ngle
ofC
SI(r
adia
ns)
Vehicle AVehicle B
Fig. 9: Collected CSI Values from vehicles and B inHighway
Scenario Tests.
of CSI values is likely a result of the shared wirelesschannel
between Vehicle A and Vehicle B, indicating that thecorrelated
characteristics of shared channels are representedin CSI
estimations; therefore, given that CSI values area measure of
channel characteristics like RSSI and RSSIhas demonstrated
potential as an entropy source [36], wecan reasonably conclude that
CSI values are a reliableentropy source for generating symmetric
keys. Alignment,in this case, is achieved without the use of
cross-correlationtechniques or the like. Given this successful
alignmentand the lack of accidental measurements from dead air,
allCSI values are produced by real packets and can act asinput data
for Algorithm 2. At 64 CSI values per packet,CSI estimations can be
considered a high yield entropy source.
Key Length Generated Keys
16 1100011110010110
32 11011011001111001101101101100101
64
1100101100011110010110100110010111010111001011100011001001110011
128
11001001100100110000111001001100011111000110001110010110100110101110001111000011001011100111010011001011101001110001100001110111
TABLE IV: Keys Generated from CSI Data in HighwayScenario
Tests
16 32 64 128
0
20
40
60
16
31
57
50
23
17
12
3
Key Length (Number of Bits)
Perc
enta
geof
Mat
ched
Key
s Urban/ParkingHighway
Fig. 10: Matched Key Rate for Urban and HighwayScenarios.
3) Percentage of Matched Keys in Urban and HighwayScenarios:
Once the CSI values have been collected from testsconducted
according to the real driving scenarios described inSection V, the
CSI values are used in Algorithm 2 to gen-erate keys in
post-processing. Keys are generated separatelyusing Vehicle A
values and Vehicle B values independentlybefore checking for
matching keys or keys that do not havemismatched bits. In Figure
10, the percentage of matchingCSI-based keys generated for each key
length is listed forboth a low-speed Urban Scenario and a
high-speed HighwayScenario. For the more static Urban Scenario with
low speedsof 15-20 mph, key length and matching rate have a
positivecorrelation wherein the matching rate increases with
keylength. The reverse is true for the more dynamic HighwayScenario
with higher speeds of 40-50 mph, where the matchingrate decreases
as key length increases. As described in SectionIV, our proposed
key generation methodology quantizes thereceived CSI values into a
stream of bits that is used toproduce the requested key. Each set
of keys in both realdriving scenarios are generated from a single
data set, meaning
-
9
that the keys for each scenario are generated from the
finitedata gathered in that test. Therefore, the positive trend in
theproportion of matched keys for the Urban Scenario is likelynot a
result of an increase in matching bits, but having thesame matching
bits for the fewer keys generated at longerkey lengths. However, in
the Highway Scenario, the moredynamic environment can result in
dropped packets or similarinterruptions. Given that CSI estimations
require fully receivedpackets, the instability of the channel
prevents the generationof longer keys and results in a lower
key-match rate for greaterkey lengths as shown in the figure.
Examples of the keysgenerated in the dynamic Highway Scenario are
displayed inTable IV, proving that CSI values capture the unique
physicalcharacteristics of shared channels and can thus, be used as
areliable entropy source.
4) Performance Overhead and Security Strength of CSI-Based Key
Generation: Regarding performance, the majorsources of overhead are
data sampling and quantization. Giventhat there are 64 CSI values
collected per packet, whichproduces a greater number of usable bits
after quantization,we ignore data sampling latency since only a few
packetsare needed to generate each key and the transmission timefor
few packets is negligible. Thus, we consider quantizationto be the
main source of performance overhead. As seenin Table V, our
proposed use of QAM Demodulation forquantization results in
execution times on a microsecondscale. Though this latency
increases with key length, all of thelisted quantization times meet
the 200 ms latency requirementfor V2X communication set in
[18][36].
Regarding security strength requirements, based on
testingresults, our proposed CSI-Based Physical Layer Key
Gen-eration Methodology meets the uniqueness and
min-entropyrequirements outlined in Section III-A. The basic
premisefor our proposed methodology is that separate channels
withseveral wavelengths distance between them are independent
ofeach other and thus, produce different keys even in the
samecoherence time. In [36], this premise is confirmed when
resultsdemonstrated that an attacker positioned several
wavelengthsdistance away experiences different wireless channel
charac-teristics and so, cannot generate the same secret key as
partiesin the legitimate channel. According to the results
outlinedin Table V, it is clear that keys generated from the
channelbetween Vehicle A and Vehicle C have a mismatch rate
greaterthan 50% with the keys generated from the channel
betweenVehicle A and Vehicle B. This meets the required
uniquenessstandard and supports the basic premise for our
methodologywherein an attacker that is at least several wavelengths
awaywill not be able to predict/generate the secret key due
toexperiencing different channel characteristics.
To estimate the min-entropy of our proposed key
generationalgorithm, we use Equation 9 in Section III-A. We
firstgenerate 46,352 8-bit keys from the CSI values collected inthe
Highway Scenario test to form a set of keys K that hasgreater than
or equivalent to 100∗28 = 25, 600 keys, which isthe number of keys
necessary to reasonably conclude that thecalculation produces an
average min-entropy. From this set ofkeys, the key with the most
frequent appearance is used togenerate Prmax or Pr[k = K].
Key Length Average Execution Time(µs)Average Bit MismatchRate
for Attacker C (%)
16 18.65 52.38
32 34.75 52.60
64 78.45 50.97
128 149.58 54.29
TABLE V: Average Execution Time for Key Generation andAverage
Bit Mismatch Rate for Keys Generated by Attacker
Vehicle C
As seen in Figure 11, our Key Generation Methodology hasan
average min-entropy of 70.52% which exceeds that of theRSSI-based
method in [36] and industry-standard methods in[38].
Pre-
dist
DFF
-PU
F
RSS
I-PH
Y
Our
tech
SRA
M-P
UF
0
20
40
60
80
100
0
50
67.69 70.52
87
Ave
rage
Min
-Ent
ropy
(Per
cent
age)
Fig. 11: Comparison of Our Average Min-Entropy
toState-of-the-Art
VI. DISCUSSION
A. Minimum Performance Overhead
Given that our proposed key generation algorithm is in-tended
for use in a time-critical setting, it is necessary for thekey
generation time to consistently meet latency requirementsin every
scenario. According to [39] qtd. in [36], this hard timelimit
typically falls within 50 to 200 milliseconds. Assumingno alignment
issues, the original RSSI-based Key Generationtechnique incurs
latency from its bit extraction rate metric,which means that it can
require more packets depending onthe environment and key length.
This bottleneck is due inpart to variations in the number of usable
RSSI values, whichresult from there being arbitrary RSSI formulas
and pollingrates across different RSSI hardware sensors.
Threshold-basedquantization exacerbates this issue because even
once all us-able RSSI values are collected, not all will be used to
generatea key. Multiple packets are commonly required for keys
of
-
10
greater length. Data sampling thus becomes a major sourceof
latency alongside the costly RSSI calculation that takesvaluable
milliseconds to complete. In contrast, our proposedCSI-based Key
Generation methodology has a demonstratedperformance measured
consistently in microseconds, wellunder the 50-200 ms operational
range as seen in the ex-perimental results. The source of this
successful performanceis likely the use of CSI estimations, which
provides 64usable values per packet and the use of the low-latency
QAMDemodulation that quantizes these values into 64 or more keybits
in microseconds. Due to these mechanisms, our proposedhas low
overhead in all scenarios as it only requires singularpackets for
most key lengths and efficiently uses all datacollected.
B. Reliable Symmetric Keys and Security Strength
As described under research challenges in Section II, match-ing
keys must be reliably generated in various driving sce-narios while
also having industry-standard security strength.Though it has
demonstrated comparable min-entropy to state-of-the-art methods,
RSSI-Based Key Generation has displayedsuccess in limited static
scenarios. This limited success isfurther exacerbated by the need
for signal alignment, whichhas been completed in post-processing
for this experiment butwould require real-time mechanisms in real
driving scenarios.Our CSI-Based Key Generation methodology does not
sufferfrom this need for signal alignment because it does not
mea-sure dead air or dropped packets, resulting in a
significantlyhigher matching rate and success in both scenarios.
Addition-ally, we have demonstrated that our methodology is safe
fromeavesdropping, as shown by the high mismatch rate betweenthe
eavesdropper, Vehicle C, and Vehicle A. Moreover, giventhis
method’s average-min entropy of 70.52%, it has securitystrength
comparable with state-of-the-art methods and thus,meets the minimum
security requirements outlined in [35].
C. Algorithm Complexity
We evaluate the Big-O complexity of our proposed algo-rithm in
terms of the input size (CSIset) and find that ouralgorithm has a
worst-case execution time on the order ofO(nlogn). Thus, we can say
that our algorithm is a superlinearalgorithm where the running time
grows approximately inproportion to the CSIset size. Our
experimental results shownin Table V match this assertion.
D. Brute Force Time
The brute force time is the worst-case time needed foran
attacker to break a secret key by trying every possiblepermutation.
A key of length k has (2k) possible values. Thegreater the key
length, the greater the brute force time andthe stronger the key.
The brute force time depends on the keylength and the attacker’s
capabilities (floating-point operationsper second). As a result,
longer key lengths are generallymore preferable as they are more
difficult to brute force. Asshown in Table VI, the brute force time
has been evaluated forvarious key sizes and levels of attacker
capabilities including
those of supercomputers (TaihuLight) and quantum computers.Since
our work focuses on practical, real-world attacks onindividual
vehicles, a brute force attack using a TaihuLightsupercomputer or a
quantum computer are extremely unlikely;however, we present them
here to demonstrate that our keylengths and rotation times ensure
security with conventionaland future computing hardware. From the
table, it is clearthat keys less than 64 bit are not very secure
against bruteforce attacks; however, we propose rotating 16 and
32-bitkeys for every single message to prevent the possibility ofan
attacker using the broken key to impersonate Alice orBob.
Additionally, confidential information could be reservedfor use
with 128-bit keys while smaller key sizes are usedfor immediate
safety-critical messages not containing sensitivedata.
E. NIST Random Bit Generator Classification
According to the National Institute of Standards and Tech-nology
(NIST) recommendations [40], there are two classes ofrandom bit
generators (RBGs). The first class uses dedicatedhardware or
physical experiments to generate random bits,where every bit of
output is based on a physical processthat is unpredictable; methods
in this class are known asNon-Deterministic Random Bit Generators
(NRBGs). Thesecond class consists of methods that compute bit
sequencesdeterministically based on pseudo-random number
generationmethods using specific algorithms; methods in this class
areknown as Deterministic Random Bit Generators (DRBGs).Thus our
proposed approach can be classified as an NRBG.From NIST
recommendations [41] the entropy source modelfor NRBGs is shown in
Figure 12. The entropy source blockincludes the following
components:
Fig. 12: Entropy Source Model
1) Noise Source: It is the root of security for the en-tropy
source and the RBG as a whole. It provides the non-deterministic
sequences (CSI values in our approach) fromthe physical process
which is the vehicular wireless channelin the setup of our
experiments. As shown in the figure, thesampling process includes
digitization to convert analog noiseto binary data. In our proposed
method, since the CSI valuesare complex numbers, the digitization
is performed by theQAM demodulator quantizer (QAM-Dem-Quan).
2) Optional Conditioning: This component aims to in-crease the
entropy of the resulting output bits. In our approach,we use a hash
function as our conditioning component asshown in Algorithm 2.
-
11
Key Size(bits)
Time Required at 106FLOPs
Time Required at 109FLOPs
Time Required at 1017FLOPs (TaihuLight)
Time Required at 1018FLOPs (quantum computer)
Keys Rotation Time(Validity Period)
16 65 ms 65 µs 6.5X10−4 ns 6.5X10−5 ns 1 message
32 1.17 hours 4.2 s 0.42 ns 0.42X10−1 ns 1 message
64 75.03X104 years 570.39 years 1.8X102 s 18 s 1 minute
128 1.08X1025 years 1.08X1022 years 1.08X1014 years 1.08X1013
years 15 minutes
TABLE VI: Brute Force Time vs Key Size.
F. Future WorkAs discussed in Section V, we validated our key
generation
methodology in multiple scenarios on a real-world testbed
ofthree vehicles equipped with industry-standard V2X
hardware.Although we demonstrated good results with our
real-worldtestbed, the practicality and feasibility of CSI-based
key gen-eration on larger-scale testbeds with more vehicles remains
anopen research problem. We leave this for future work.
VII. CONCLUSIONExploiting the randomness of the wireless channel
in the
form of estimated CSI, we have presented a physical layerkey
generation technique that can generate secret symmet-ric keys to
secure automotive wireless communications. Ourmethodology solves
the security challenge of preserving theconfidentiality of V2X
communications and solves the re-search challenge of selecting and
utilizing a reliable entropysource for generating keys from V2X
wireless channels. Theresults of our real-world tests have
demonstrated that ourmethodology has minimal performance overhead
measuredin microseconds, well within the expected operational
rangeacross various scenarios. These results also showed that
thekeys generated have an average min-entropy of 70.52% andthus,
have comparable security strength to current state-of-the-art
methods. In summary, we have validated our CSI-basedkey generation
technique as a practical solution to securingautomotive wireless
communications.
REFERENCES[1] S. Abuelsamid, “Toyota Has Big Plans To Get Cars
Talking To Each
Other And Infrastructure In The U.S..”[2] M. Alam, A. Rayes, X.
He, M. Atiquzzaman, J. Lloret, and K. F.
Tsang, “Guest Editorial Introduction to the Special Issue on
DependableWireless Vehicular Communications for Intelligent
Transportation Sys-tems (ITS),” IEEE Transactions on Intelligent
Transportation Systems,vol. 19, pp. 949–952, Mar. 2018.
[3] L. Greer, J. L. Fraser, D. Hicks, M. Mercer, and K.
Thompson, “Intel-ligent Transportation Systems Benefits, Costs, And
Lessons Learned :2018 Update Report,” Mar. 2018.
[4] S. Smith, J. Bellone, S. Bransfield, A. Ingles, G. Noel, E.
Reed, andM. Yanagisawa, “Benefits estimation framework for
automated vehicleoperations.,” Aug. 2015.
[5] K. Kockelman, S. Boyles, P. Stone, D. Fagnant, R. Patel, M.
W. Levin,G. Sharon, M. Simoni, M. Albert, H. Fritz, R. Hutchinson,
P. Bansal,G. Domnenko, P. Bujanovic, B. Kim, E. Pourrahmani, S.
Agrawal, T. Li,J. Hanna, A. Nichols, and J. Li, “An assessment of
autonomous vehicles: traffic impacts and infrastructure needs :
final report.,” Mar. 2017.
[6] L. Yue, M. Abdel-Aty, Y. Wu, and L. Wang, “Assessment of the
safetybenefits of vehicles’ advanced driver assistance,
connectivity and lowlevel automation systems,” Accident Analysis
& Prevention, vol. 117,pp. 55–64, Aug. 2018.
[7] E. Uhlemann, “Time for Autonomous Vehicles to Connect
[ConnectedVehicles],” IEEE Vehicular Technology Magazine, vol. 13,
pp. 10–13,Sept. 2018.
[8] B. Sheehan, F. Murphy, M. Mullins, and C. Ryan, “Connected
andautonomous vehicles: A cyber-risk classification framework,”
Trans-portation Research Part A: Policy and Practice, vol. 124, pp.
523–536,June 2019.
[9] R. Abassi, “VANET security and forensics: Challenges and
opportuni-ties,” Wiley Interdisciplinary Reviews: Forensic Science,
vol. 1, p. e1324,Mar. 2019.
[10] H. Hasrouny, A. E. Samhat, C. Bassil, and A. Laouiti,
“VANet securitychallenges and solutions: A survey,” Vehicular
Communications, vol. 7,pp. 7–20, Jan. 2017.
[11] Q. E. Ali, N. Ahmad, A. H. Malik, G. Ali, and W. U. Rehman,
“Issues,Challenges, and Research Opportunities in Intelligent
Transport Systemfor Security and Privacy,” Applied Sciences, vol.
8, p. 1964, Oct. 2018.
[12] M. Giordani, A. Zanella, T. Higuchi, O. Altintas, and M.
Zorzi, “Emerg-ing Trends in Vehicular Communication Networks,” in
Emerging Wire-less Communication and Network Technologies:
Principle, Paradigmand Performance (K. V. Arya, R. S. Bhadoria, and
N. S. Chaudhari,eds.), pp. 37–57, Singapore: Springer Singapore,
2018.
[13] F. Camacho, C. Cárdenas, and D. Muñoz, “Emerging
technologies andresearch challenges for intelligent transportation
systems: 5g, HetNets,and SDN,” International Journal on Interactive
Design and Manufac-turing (IJIDeM), vol. 12, pp. 327–335, Feb.
2018.
[14] M. Khodaei and P. Papadimitratos, “The key to intelligent
transporta-tion: Identity and credential management in vehicular
communicationsystems,” IEEE Vehicular Technology Magazine, vol. 10,
no. 4, pp. 63–69, 2015.
[15] C. Ellison and B. Schneier, “Ten risks of pki: What you’re
not beingtold about public key infrastructure,” Comput Secur J,
vol. 16, no. 1,pp. 1–7, 2000.
[16] F. Haidar, A. Kaiser, and B. Lonc, “On the performance
evaluation ofvehicular pki protocol for v2x communications
security,” in 2017 IEEE86th Vehicular Technology Conference
(VTC-Fall), pp. 1–5, IEEE, 2017.
[17] S. N. Premnath, S. Jana, J. Croft, P. L. Gowda, M. Clark,
S. K.Kasera, N. Patwari, and S. V. Krishnamurthy, “Secret key
extractionfrom wireless signal strength in real environments,” IEEE
Transactionson mobile Computing, vol. 12, no. 5, pp. 917–930,
2012.
[18] M. Boban, A. Kousaridas, K. Manolakis, J. Eichinger, and W.
Xu,“Connected Roads of the Future: Use Cases, Requirements, and
De-sign Considerations for Vehicle-to-Everything Communications,”
IEEEVehicular Technology Magazine, vol. 13, pp. 110–123, Sept.
2018.
[19] M. A. Simplicio, E. L. Cominetti, H. K. Patil, J. E.
Ricardini, andM. V. M. Silva, “The unified butterfly effect:
Efficient security credentialmanagement system for vehicular
communications,” in 2018 IEEEVehicular Networking Conference (VNC),
pp. 1–8, IEEE, 2018.
[20] B. Brecht, D. Therriault, A. Weimerskirch, W. Whyte, V.
Kumar,T. Hehn, and R. Goudy, “A security credential management
system forv2x communications,” IEEE Transactions on Intelligent
TransportationSystems, vol. 19, no. 12, pp. 3850–3871, 2018.
[21] X. Ma, X. Yuan, Z. Cao, B. Qi, and Z. Zhang, “Quantum
random numbergeneration,” npj Quantum Information, vol. 2, no. 1,
pp. 1–9, 2016.
[22] P. S. Barreto, J. E. Ricardini, M. A. Simplı́cio Jr, and H.
K. Patil,“qscms: Post-quantum certificate provisioning process for
v2x.,” IACRCryptology ePrint Archive, vol. 2018, p. 1247, 2018.
[23] Y. Liu, S. C. Draper, and A. M. Sayeed, “A secret key
generation systembased on multipath channel randomness: Rssi vs
cssi,” tech. rep., 2011.
[24] J. Wan, A. Lopez, and M. A. A. Faruque, “Physical layer key
gener-ation: Securing wireless communication in automotive
cyber-physical
-
12
systems,” ACM Transactions on Cyber-Physical Systems, vol. 3,
no. 2,pp. 1–26, 2018.
[25] I. U. Zaman, A. B. Lopez, M. A. Al Faruque, and O. Boyraz,
“A physicallayer security key generation technique for
inter-vehicular visible lightcommunication,” in Signal Processing
in Photonic Communications,pp. SpTu1F–3, Optical Society of
America, 2017.
[26] I. U. Zaman, A. B. Lopez, M. A. Al Faruque, and O. Boyraz,
“Polar-ization mode dispersion-based physical layer key generation
for opticalfiber link security,” in Optical Sensors, pp. JTu4A–20,
Optical Societyof America, 2017.
[27] I. U. Zaman, A. B. Lopez, M. A. Al Faruque, and O. Boyraz,
“Physicallayer cryptographic key generation by exploiting pmd of an
optical fiberlink,” Journal of Lightwave Technology, vol. 36, no.
24, pp. 5903–5911,2018.
[28] X. Wu, Y. Peng, C. Hu, H. Zhao, and L. Shu, “A secret key
generationmethod based on csi in ofdm-fdd system,” in 2013 IEEE
GlobecomWorkshops (GC Wkshps), pp. 1297–1302, IEEE, 2013.
[29] J. Zhao, W. Xi, J. Han, S. Tang, X. Li, Y. Liu, Y. Gong,
and Z. Zhou,“Efficient and secure key extraction using csi without
chasing downerrors,” arXiv preprint arXiv:1208.0688, 2012.
[30] J. W. Wallace, C. Chen, and M. A. Jensen, “Key generation
exploitingmimo channel evolution: Algorithms and theoretical
limits,” in 2009 3rdEuropean Conference on Antennas and
Propagation, pp. 1499–1503,IEEE, 2009.
[31] J. W. Wallace and R. K. Sharma, “Automatic secret keys from
reciprocalmimo wireless channels: Measurement and analysis,” IEEE
Transactionson Information Forensics and Security, vol. 5, no. 3,
pp. 381–392, 2010.
[32] Y. E. H. Shehadeh, O. Alfandi, K. Tout, and D. Hogrefe,
“Intelligentmechanisms for key generation from multipath wireless
channels,” in2011 Wireless Telecommunications Symposium (WTS), pp.
1–6, IEEE,2011.
[33] P. Alexander, D. Haley, and A. Grant, “Cooperative
intelligent transportsystems: 5.9-ghz field trials,” Proceedings of
the IEEE, vol. 99, no. 7,pp. 1213–1235, 2011.
[34] C. Ye, S. Mathur, A. Reznik, Y. Shah, W. Trappe, and N. B.
Mandayam,“Information-theoretically secret key generation for
fading wirelesschannels,” IEEE Transactions on Information
Forensics and Security,vol. 5, no. 2, pp. 240–254, 2010.
[35] E. Barker, “Recommendation for Key Management Part 1:
General,”Tech. Rep. NIST SP 800-57pt1r4, National Institute of
Standards andTechnology, Jan. 2016.
[36] J. Wan, A. B. Lopez, and M. A. Al Faruque, “Exploiting
wirelesschannel randomness to generate keys for automotive
cyber-physicalsystem security,” in 2016 ACM/IEEE 7th International
Conference onCyber-Physical Systems (ICCPS), pp. 1–10, IEEE,
2016.
[37] B. Bloessl, A Physical Layer Experimentation Framework for
Automo-tive WLAN. PhD thesis, Universitätsbibliothek, 2018.
[38] G. E. Suh and S. Devadas, “Physical Unclonable Functions
for DeviceAuthentication and Secret Key Generation,” p. 6.
[39] T. Schütze, “Automotive Security: Cryptography for Car2x
Communi-cation,” p. 16.
[40] E. Barker and J. Kelsey, “Nist special publication 800-90a
recommen-dation for random number generation using deterministic
random bitgenerators,” 2012.
[41] M. S. Turan, “Recommendation for the entropy sources used
for randombit generation,” NIST Special Publication, vol. 800, p.
90B, 2018.
Soheyb Ribouh received a B.S. degree in Electri-cal Engineering
and Computer Science, from theEngineering School of Technology
Algeria (ENT),in 2015 and an M.S. degree in Embedded Sys-tems and
Mobile Communications Systems, fromthe Polytechnic University of
the Hauts-de-France(UPHF) in 2017. Currently, he is a Ph.D. Student
onTelecommunications at the Polytechnic Universityof the
Hauts-de-France-UPHF. His research interestsinclude Hybrid V2X
communications using IEEE802.11p and cellular technology (4G and
5G), vehic-
ular wireless channel modeling, channel estimation, and resource
allocationschemes of OFDM.
Kelvin Phan received a B.S. in Computer Engineer-ing from the
University of California, Irvine in 2018and is currently an M.S.
Student at the University ofCalifornia, Irvine under the
supervision of ProfessorMohammad Al Faruque. His research interests
in-clude the security of wireless V2X communicationsand the design
of intelligent transportation systemsfor connected/autonomous
vehicles.
Arnav Vaibhav Malawade received a B.S. in Com-puter Science and
Engineering from the Universityof California, Irvine in 2018. He is
currently anM.S./Ph.D. Student studying Computer Engineeringat the
University of California, Irvine under thesupervision of Professor
Mohammad Al Faruque.His research interests include the design and
securityof cyber-physical systems in connected/autonomousvehicles,
manufacturing, IoT, and healthcare.
Yassin El Hillali was born in Chemaia, Morocco,in 1979. He
received an M.S degree in 2002, andthen a Ph.D. degree in 2005,
from the Universityof Valenciennes, France. Currently, he is an
As-sistant Professor at the electronics department ofthe
Polytechnic University of the Hauts-de-France(UPHF). He is
responsible for ITSCOM platforms(ITS Communications) in the
IEMN-DOAE Lab.His research interest includes: signal processing
andwireless communication systems (WAVE, ITSG55G) applied to
intelligent transportation, machine
learning dedicated to target detection and recognition using
heterogeneoussensors (UWB RADAR, cameras and Lidar) and currently
his working oncyber-security for ITS and industrial systems.
-
13
Atika Rivenq was born in Marrakech (Morroco)in 1970. She was
graduated Engineer from theENSIMEV engineering school in 1993,
received anM.S. degree in electronic engineering in 1993, andthen a
Ph.D. degree in 1996 from the Universityof Valenciennes (France).
She is a Full Professorat the Department of Electronic Engineering,
IEMNLab, Polytechnic University of the Hauts-de-France(UPHF),
France. She is the head of ComNum Groupand she is responsible for
the SYFRA platform (Sys-tems for smart road applications) with the
IEMN-
DOAE Lab. Her main activities are in digital communications
applied tointelligent transports systems: V2X communications
(4G/5G, UWB, ITS-G5,Full Duplex), Cybersecurity and Advanced
Perception (Radar, UWB, Detec-tion of vulnerable persons, Deep
learning). She Participates in many nationaland European projects
dedicated to C-ITS and inter-vehicle communicationsespecially using
ITS-G5 and Cellular systems. Pr. Rivenq has more than
100publications in international journals, conferences, and
workshops in the areaof digital communications. She has
participated as a General Chair, Memberof the Technical Committee,
Session Chair, or Program Committee Memberof numerous
conferences.
Mohammad Abdullah Al Faruque is currentlywith the University of
California Irvine (UCI), wherehe is an associate professor (with
tenure) and di-recting the Cyber-Physical Systems Lab. Prof.
AlFaruque is the recipient of the School of Engineer-ing Mid-Career
Faculty Award for Research 2019,the IEEE Technical Committee on
Cyber-PhysicalSystems Early-Career Award 2018, and the IEEECEDA
Ernest S. Kuh Early Career Award 2016. Heis also the recipient of
the UCI Academic SenateDistinguished Early-Career Faculty Award for
Re-
search 2017 and the School of Engineering Early-Career Faculty
Award forResearch 2017. He served as an Emulex Career Development
Chair fromOctober 2012 till July 2015. Before, he was with Siemens
Corporate Researchand Technology in Princeton, NJ. His current
research is focused on thesystem-level design of embedded systems
and Cyber-Physical-Systems (CPS)with special interest in
model-based design, multi-core systems, CPS security,etc.
Prof. Al Faruque received his B.Sc. degree in Computer Science
and En-gineering (CSE) from Bangladesh University of Engineering
and Technology(BUET) in 2002, and M.Sc. and Ph.D. degrees in
Computer Science fromAachen Technical University and Karlsruhe
Institute of Technology, Germanyin 2004 and 2009, respectively.
Prof. Al Faruque received the Thomas Alva Edison Patent Award
2016 fromthe Edison foundation, the 2016 DATE Best Paper Award, the
2015 DAC BestPaper Award, the 2009 IEEE/ACM William J. McCalla
ICCAD Best PaperAward, the 2016 NDSS Distinguished Poster Award,
the 2008 HiPEAC PaperAward, the 2015 Hellman Fellow Award, the 2015
Kane Kim FellowshipAward, the 2017 DAC Best Paper Award Nomination,
the 2012 DATE Best IPAward Nomination, the 2005 DAC Best Paper
Award Nomination, the EECSProfessor of the year 2015-16 Award, and
the 2015 UCI Chancellors Awardfor Excellence in Fostering
Undergraduate Research. Besides 80+ IEEE/ACMpublications in the
premier journals and conferences, Prof. Al Faruque holds8 US
patents.
Introduction and Related WorkResearch Challenges and Our
ContributionsSystem ModelSecurity Strength ModelAttack Model
Key Generation MethodologyQuantizationPrivacy Amplification
experimental setupReal Vehicle Tests for RSSI-Based Key
GenerationRSSI Data CollectionCorrelation of RSSI ValuesPercentage
of Matching Keys and Relevance of Signal Alignment
Real Vehicle Tests for CSI-Based Key GenerationCSI Data
CollectionCorrelation of CSI ValuesPercentage of Matched Keys in
Urban and Highway ScenariosPerformance Overhead and Security
Strength of CSI-Based Key Generation
DiscussionMinimum Performance OverheadReliable Symmetric Keys
and Security StrengthAlgorithm ComplexityBrute Force TimeNIST
Random Bit Generator ClassificationNoise SourceOptional
Conditioning
Future Work
ConclusionReferencesBiographiesSoheyb RibouhKelvin PhanArnav
Vaibhav MalawadeYassin El HillaliAtika RivenqMohammad Abdullah Al
Faruque