Low Mismatch Key Agreement Based on Wavelet-Transform Trend and Fuzzy Vault in Body Area Network

Abstract

Body area network (BAN) is an emerging branch of wireless sensor networks for personalized applications in many fields, such as health monitoring. The services in BAN usually have a high requirement on security, especially for the medical diagnosis, which involves private information. With limitations of power and computation capabilities, one of the main challenges to ensure security in BAN is how to generate or distribute a shared key between nodes for lightweight symmetric cryptography. The current research almost exploits the randomness and distinctiveness (characteristics) of physiological signals to solve the key generation problem. However, it needs the help of additional hardware support and has the constraint on positions deployment, to acquire vital signals, which will bring the high cost and hardness to implementation of real system. To avoid the above problems, this paper presents a novel key generation scheme and a key distribution protocol, both of which are only based on wireless modules equipped on sensors. By exploiting the high correlation of received signal strength index (RSSI) between peer-to-peer communications, our scheme can provide a shared symmetric cryptographic key under the presence of an eavesdropper. We conduct experiments on the real Telosb nodes, and the results demonstrate that our proposed methods have a good performance on security.

1. Introduction

With the aged tendency of global population, people pay more attention to the healthcare requirements. Due to the advances of wireless communication and medical sensing technologies, many researchers focus on the applications of body area network (BAN), which can provide individual healthcare services. BANs consist of small and intelligent wireless medical sensors, worn or implanted in the human bodies, to sample vital physiological signals and send the records to a basestation (usually a portable device such as PDA or mobile phone) for real-time analysis or remote diagnosis. When a disaster or ailment comes up, BANs could offer an emergency response. Recently, some BAN platforms have been put into market. Fujitsu has developed inductively powered ring sensor [1], which works in conjunction with Fujitsu's developing sensor network system to tie into a healthcare monitoring of patients application for Apple's iPhone. Shimmer [2] has designed a wearable sensor platform to monitor a subject's EMG, ECG, and GSR. Due to the strong privacy and liability concerns of health data, these devices and communications between them need to be secured. “Lack of adequate security features may not only lead to a breach of patient privacy, but also potentially allow adversaries to compromise patient safety by modifying actual data resulting in wrong diagnosis and treatment [3].”

Given limited power and computation capabilities of BAN, asymmetric cryptography is not suitable. The only left option is symmetric encryption, which however has a significant challenge in dynamically sharing a secret key between devices (both sensors and base station). There are two traditional approaches to address the problem: predeployment or a key management infrastructure (a trusted third party), written in IEEE 802.15.6 standard for body area networks [4]. As to predeployment, if the initial key is preconfigured in hardware by manufactures, sensors from different companies could not work together. When using something like SD card or USB stick instead, stick may be cracked. Some predeployment techniques for key distribution such as [5] will lead to network reconfiguration when new nodes join. Towards key management infrastructure, a trusted third party which stores the keys is seldom present in BAN scenarios. Even though a trusted third party exists, it still carries the risk of compromise and associated liability. In some instances, Diffie-Hellman (DH) and its variants [6] such as ECDH (Elliptic Curve Diffie-Hellman) have been used for key exchange. However, based on computational security, they are not cost effective for resource-constrained sensors [7].

In order to overcome the limitations mentioned above, an information-theoretical secure solution has been developed, which is based upon the distinct subjective property from environment that nodes can observe. Since the environment around human body is dynamic and complex, physiological signals are quite unique at a given time. Therefore, the idea using physiological signals for securing intersensor communications was first introduced by Cherukuri et al. [8]. Motivated by this initial idea, [9–12] exploited interpulse interval (IPI) to generate cryptographic keys. Though physiological signals measured from different areas of the body have high correlation, these signals do not possess the exact same values [3]. Consequently, when symbols in the keys get reordered, different values could be produced by translational and rotational errors [13]. To avoid the errors, [3] used physiological signals to facilitate key agreement instead of generating keys. Nevertheless, nodes in the same BAN need to measure the same physiological signals, which unavoidably lead to an additional hardware cost and restrained deployed positions (ECG needs to be measured near cardiovascular).

The above difficulties are real challenges faced by researchers attempting to find another subjective property. Recent works such as [14, 15] have indicated that wireless channel could be the next common property to share a secret. In wireless environment, multipath is a basic character, which brings in a rapid decorrelation with distance. Therefore, the wireless channel between two nodes, Alice and Bob, can produce a special mapping between transmitted and received signals for a shared secret key agreement. Based on the dependence from position and motion, the channel can not be inferred by an eavesdropper, Eve, who is more than half of wavelength away from both Alice and Bob. Obviously, BAN could easily satisfy the condition of location and movement because of human activity. Considering resource-constrained condition, BAN requires periodic reasonably key renewal with a minimum hardware and software overhead. Exiting channel property based key-sharing solutions are established to extract secret keys at a high rate with high bit mismatch rate or generate secret keys at a low rate with acceptable bit mismatch rate. The former needs reconciliation phase to exchange the mismatch information, which consumes resources. The latter is not time effective. It is challenging to optimize two metrics at the same time and balance the trade-off between them.

In this paper, we propose wavelet-transform trend-based key extraction (WTKE) scheme and fuzzy vault based key distribution (FVKD) protocol, which use the received signal strength (RSS) variations for a pairwise key agreement to secure BAN communications. WTKE exploits wavelet transform for more accurate trend to achieve a lower bit mismatch rate than previous work, and it also has an acceptable secret key rate. FVKD, which combines channel property features and fuzzy vault [13] together, could distribute a secret key derived by one end of communication link to the other end. Through experiments, we validate its cost is less than that of DH and ECDH.

The rest of the paper is organized as follows. Section 2 briefly introduces some fundamentals of our paper. Section 3 is devoted to the basic aspects of our key generation scheme WTKE, experimental results, and analysis. Section 4 elaborates on fuzzy vault based key distribution protocol FVKD and further analyses security and performance. Section 5 generally introduces the related work. In Section 6, we come to the conclusion and discuss some possible future directions.

2. Preliminary

In this section, we will introduce channel models in BAN, the fundamentals of key agreement based on channel property, wavelet transform, and fuzzy vault.

2.1. Channel Model in Body Area Network

As sensors' positions are on or inside the body, the BAN channel models need to consider the impact of human body and activities. In [16], IEEE 802.15.6 group defines 3 types of nodes as follows: (1) implant node: a node that is placed inside the human body; (2) Body surface node: a node that is placed on the surface of the human skin or at most 2 centimeters away; (3) external node: a node that is not in contact with human skin. Based on the different node types, [16] gives 4 channel models (CM) shown in Table 1. In this paper, with the hardware constraints, we focus on the latter two channel models (on-body and off-body).

Table 1

Channel models.

Description	Channel model
Implant to implant	CM1 (in-body)
Implant to body surface or external	CM2 (in-body)
Body surface to body surface	CM3 (on-body)
Body surface to external	CM4 (off-body)

2.2. Key Generation Based on Channel Property

There are three reasons why channel is regarded as secret information. (1)

Reciprocity of electromagnetic propagation: as wireless channel is symmetric, the multipath characters of the radio channel (gains, phase shifts, polarisation distortions, and delays), which Alice and Bob can get from the received signal, are identical.

(2)

Temporal variations in the radio channel: The motion by either Alice, Bob, or other objects in the environment near the link would make the channel change over time. Evidently, the security mechanism can reap the full benefit of the randomness resulting from channel variations.

(3)

Spatial variations: the radio channel depends on the location of Alice and Bob. Only if another node Eve is more than half a wavelength away from both of them, she will get a different channel.

Therefore, we can take the wireless channel as a time- and space-varying filter. The combination of channel properties (gains, phase shifts, polarisation distortions, and delays) can represent different channels uniquely. Among those channel properties, received signal strength (RSS), which can be measured by most of the off-the-shelf wireless cards, is widely used. According to [17], the on-body BAN wireless channel exhibits reciprocity. From [15], we can infer that the off-body BAN wireless channel will reveal reciprocity if mobility is brought in.

When Alice and Bob are sampling the channel with Eve locating more than half a wavelength away, the valid samples are limited by the rate of time variation. And this variation can be approximately analyzed by using the level-crossing rate (LCR): for a Rayleigh fading process, $LCR = \sqrt{2 π} f_{d} ρ e^{- ρ^{2}}$ [18], where $f_{d}$ is the maximum Doppler frequency and ρ is the threshold level. Setting $ρ = 1$ gives $LCR ~ f_{d}$ . Thus, the time variation can be quantified by $f_{d}$ , which could be calculated as

\begin{matrix} f_{d} = \frac{v}{λ} . \end{matrix}

(1)

In (1), v is a measure of the effects of dynamic change by sensors and environment, but, as opposed to other dynamic changes, sensors' motion mostly plays a dominant role in BAN. Thus, we use relative movement velocity between two nodes to signify dynamic change here. And λ is the wavelength of the carrier wave, which can be easily gotten from (2):

\begin{matrix} λ = \frac{c}{f_{0}}, \end{matrix}

(2)

where c is the speed of light. Taking 2.4 GHz frequency and

v = 1

m / s

as an example,

λ = 0.125 m

and

f_{d} = 8

Hz, implying that the maximum useful probes are 8 in a second and Eve should be at least

6.25

cm away from Alice and Bob. As a result, if Alice is sender, Bob should send ACK back in channel coherence time period (a rough estimate is

1 / f_{d} = 125

ms) after received Alice's signal. Even if Alice and Bob sample the channel at a higher rate, it would be a waste because of many consecutive duplicated RSS values. These duplicate RSS values do not make a contribution to shared information between Alice and Bob. In [19], channel coherence time is defined as the period when the autocorrelation coefficient is above 0.7. In [20], temporal on-body channel coherence time is calculated. According to [21], the longer Bob's response delays during channel coherence time period, the lower correlation of the RSS values measured by Alice and Bob will be. Furthermore, based on [15], channel variation and the reciprocity between Alice's and Bob's RSS values are related. The correlation is the foundation for Alice and Bob to get a common secret key, which can be quantified by using the Pearson correlation coefficient r

\begin{matrix} r = \frac{\sum_{i = 1}^{n} (X_{i} - \bar{X}) (Y_{i} - \bar{Y})}{\sqrt{\sum_{i = 1}^{n} {(X_{i} - \bar{X})}^{2}} \sqrt{\sum_{i = 1}^{n} {(Y_{i} - \bar{Y})}^{2}}}, \end{matrix}

(3)

where

X_{i}

and

Y_{i}

are the RSS values of the ith packet of Alice and Bob and

\bar{X}

(

\bar{Y}

) is the mean RSS values of Alice (Bob). When r is equal to 1, it means Alice's RSS values match Bob's perfectly. But there is no chance for ideal situation to be achieved in practice for reasons including random noise, asymmetrical interference, or transceiver differences. The offset often leads to mismatch in key generation. Traditional approaches to solve this problem are information reconciliation and exploiting a lossy quantization like [14, 21–23]. However, due to the channel reciprocity, Alice's and Bob's measurements should have similar fading trend, which is analyzed for key extraction through wavelet transform, and it turns out that the probability of mismatch decreases but still exists. To address this drawback, a fuzzy method called fuzzy vault is used in this paper.

2.3. Wavelet Transform

Wavelet transform is the representation of a function by wavelets, which is mathematical functions used to divide a given function or continuous-time signal into different scale components. Wavelet transforms are classified into discrete wavelet transform (DWT) and continuous wavelet transform (CWT). Take CWT to illustrate the definition: for a given signal $f (t) \in L^{2} (R)$ , its CWT is

\begin{matrix} W T_{ψ} {f} (a, b) = 〈 f, ψ_{a, b} 〉 = \int_{R} ‍ f (t) ψ_{a, b} (t) d t, \end{matrix}

(4)

where

\begin{matrix} ψ_{a, b} (t) = {| a |}^{- 1 / 2} ψ (\frac{t - b}{a}) . \end{matrix}

(5)

ψ of the above formula is called a mother wavelet, and it is also in

L^{2} (R)

, while a is positive and defines the scale and b is any real number and defines the shift.

The wavelet transform is often compared with the Fourier transform, in which signals are represented as a sum of sinusoids. The main difference is that wavelets are localized in both time and frequency whereas the standard Fourier transform is only localized in frequency. In other words, wavelet transforms have advantages over traditional Fourier transforms for representing functions that have discontinuities and sharp peaks, and for accurately deconstructing and reconstructing finite, nonperiodic, and/or nonstationary signals. And the discrete wavelet transform is also less computationally complex, taking $O (n)$ time as compared to $O (n \log n)$ for the fast Fourier transform. Since the channel changes randomly, our RSS measurements compose an aperiodic signal. Obviously, wavelet transform is better than Fourier transform in our case.

2.4. Fuzzy Vault

The fuzzy vault was first presented by [13] as a cryptographic construction where one can hide a secret (S) in a vault by using the set A. Others can get the secret only when the vault is unlocked on the condition that their set B is closed to set A (B has enough number of values in common with A). The procedure of locking is as follows. (1) Create a v degree polynomial p over the variable x; (2) Use set A as the values of x to compute the values of p and create a set $R = {(a_{i}$ , $p (a_{i}))}$ , where $a_{i} \in A, 1 \leq i \leq | A |$ ; (3) randomly generate a set $C = {(c_{i}, d_{i})}$ , where $d_{i} \neq p (c_{i})$ , and then add C to R. It is depicted in Algorithm 1, where $p \leftarrow S$ means hide the secret S into polynomial p (e.g., taking S to be the coefficients of p).

Algorithm 1: Fuzzy vault lock.

Public Parameters: field F

Input: set $A = {a_{i}}_{i = 1}^{t}$ , secret S, chaff number r

Output: vault R

(1) $R \leftarrow \emptyset$ ;

(2) $p \leftarrow S$ ;

(3) $i = 1$ ;

(4) while $i \leq t$ do

(5) $(x_{i}, y_{i}) \leftarrow (a_{i}, p (a_{i}))$ ;

(6) $R \leftarrow R \cup (x_{i}, y_{i})$ ;

(7) end while

(8) while $t + 1 \leq i \leq r$ do

(9) $x_{i} \in F - A$ ;

(10) $y_{i} \in F - {p (a_{i})}$ ;

(11) $R \leftarrow R \cup (x_{i}, y_{i})$ ;

(12) end while

To unlock the above vault, others use their set B to recall the specified point of set A in R. If B gets more than $v + 1$ right points, the right polynomial p can be reconstructed to obtain the secret S. Process is showed in Algorithm 2.

Algorithm 2: Fuzzy vault unlock.

Public Parameters: field F

Input: set $B = {b_{i}}_{i = 1}^{t}$ , vault $R = {(x_{i}, y_{i})}_{i = 1}^{r}$

Output: set Q

(1) $Q \leftarrow \emptyset$ ;

(2) $i = 1$ ;

(3) while $i \leq t$ do

(4) $(x_{i}, y_{i}) \leftarrow$ search R at $(b_{i}, 0)$ ;

(5) $Q \leftarrow Q \cup (x_{i}, y_{i})$ ;

(6) end while

FVKD can map this scheme through setting the channel property obtained at the sender to set A, those obtained at the receiver to set B, and the secret key that needs to be shared to polynomial coefficients.

3. Wavelet-Transform Trend-Based Key Extraction

In this section, we will propose basic idea of wavelet-transform trend-based key extraction, analyze the security of the scheme, and evaluate the performance of the scheme using real collected data.

3.1. Scheme Description

As shown in Figure 1, the complete process is divided into the following steps.

Figure 1

Flow chart of key extraction.

3.1.1. Sampling

First, both Alice and Bob should obtain common information based on RSS value. Alice sends a probe message periodically for Bob to get RSS values, and after Bob receives message, he sends back probe message as soon as possible for Alice to sample the channel. As a result, Alice and Bob get related almost-exact values, respectively. The sample process lasts for a fixed duration at a specific rate to get enough samples, and all of samples must be obtained on the condition that channel is changing to keep the reciprocity as described in Section 2.

3.1.2. Wavelet Analysis

As a number of factors such as random noise, asymmetrical interference, transceiver differences, and half-duplex communication bring in some mismatches between the original RSS readings of both sides, but they have the same fading trend. In order to accurately evaluate the trend, we use wavelet transform. Through wavelet transform, signal is decomposed into multiresolution levels; thus the corresponding detail and approximation signals are obtained. At the same level, approximation signal represents the low frequency part, and detail signal shows the high frequency part. Clearly, we can use approximation signal to get the same trend. There are many mother wavelet functions for different purposes or signals. Here we use Haar wavelet because of its advantage for the analysis of signals with sudden transitions. In addition, we choose 4-level wavelet transform, and the reasons are given in the following experiments and performance evaluation.

3.1.3. Quantization

Through Haar wavelet transform, signal will have sudden changes. We can therefore detect those changes and make binary quantization. For an RSS measurement $r (k)$ , we detect sudden transitions through function as follows:

\begin{matrix} Φ = r (k + 1) - r (k) . \end{matrix}

(6)

Φ > 0

, which means the wave rises, we extract a 1 from the measurements. When

Φ < 0

, which means the wave declines, a 0 is generated.

3.2. Experiments

We conduct our experiments in typical indoor environments. Our experiments were divided into two parts. In scenario 1, we verify our scheme through on-body channel by using two sensors in the same BAN. In this situation, sensors provide real time service, so sensors need to probe the channel frequently. In scenario 2, we exploit sensor-to-basestation communications to test our scheme on off-body channel, and sensors on the body keep a low-data-rate communication with basestation. For this reason, we can use the scheduled communication to measure RSS value.

In the existing hardware system, the RSS values are reported as integers through wireless card, but different products from different companies calculate RSS values with deviations. “For example, Atheros devices report RSS values from −35 dBm to −95 dBm, Symbol de-vices report RSS values from −50 dBm to −100 dBm, in 10 dB steps, and Cisco devices report RSS values in the range −10 dBm to −113 dBm [15].” To avoid the impact of different manufactures, we use products from the same corporation.

Our experiments used Telosb nodes running TinyOS and operating in the 2.4 GHz band. With logarithmic units, their radio antennas (CC2420) can measure signal power and output a received signal strength indicator (RSSI). Our setup is listed in Table 2. For scenario 1, Alice and Bob are mounted on the body (here we take them in hand), shown in Figure 2(a). And Alice transmits a probe packet every 40 ms, and Bob sends message back once he receives the packet. For scenario 2, Alice is still a body-worn node, but the probe interval is changed to 80 milliseconds. The basestation 1 (Bob, shown in Figure 2(b)) still replies an acknowledgement immediately after he receives the packet. The settings above allow the two endpoints of the communication link to sample the channel alternately in quick succession to ensure the high reciprocity between their measurements.

Table 2

Experimental setup.

	Scenario 1	Scenario 2
Sensor in the left hand	Alice	Alice
Sensor in the right hand	Bob	—
Basestation 1	—	Bob
Basestation 2	Eve	Eve
Channel description	On-body	Off-body
Probe interval	40 ms	80 ms

Figure 2

Mobile node and basestations.

The layout of our indoor environment experiments is depicted in Figure 3 showing the location of the basestations (as shown in Figure 2(c)). The room is covered by multiple WiFi networks, which may result in interference. The subject walked around the table to ensure that the channel between two parties of the link varies. In scenario 1, the on-body channel varies with arm swinging. In scenario 2, it is obvious that movement of the subject can bring in changes to the off-body channel between Alice and Bob (basestation 1). In both experiments, the subject walked and waved just as we normally do in real life.

Figure 3

Experimental layout for indoor environment.

For scenario 1, we show the signal strengths measured by Alice, Bob, and Eve in Figure 4. It can be obviously observed that the eavesdroppers are not able accurately to replicate the channel measurements between Alice and Bob, and it can also be noticed that Alice's and Bob's RSS values have a similar trend. As a result, the RSS measurements are the distinct information shared between Alice and Bob to generate secret key or channel features. However, we find that even though Alice' RSS values are close to Bob's, their values are not exactly the same and discrepancies may result in mismatches of secret key extraction (our channel feature generation). The discrepancies between channel properties measurements are similar to deviation between the physiological signal measurements, which reminds us of using trend- and fuzzy-based methods. The result of experiment in scenario 2 is shown in Figure 5, which seems similar to that of scenario 1. As the channel between Bob (basestation 1) and Eve (basestation 2) is almost steady, the RSS trace of Eve from Bob is not painted.

Figure 4

Experiments results in scenario 1.

Figure 5

Experiments results in scenario 2.

Figure 6 shows the autocorrelation coefficients for Alice and Bob in two scenarios. As the definition is mentioned in Section 2, the channel coherence time is about 140 ms in scenario 1 (on-body channel) and 50 ms in scenario 2 (off-body channel) based on the observations of Figures 6(a) and 6(b). We denote the link Alice to Bob as $h_{a b}$ and the link Bob to Alice as $h_{b a}$ . Figures 7 and 8 illustrate the scatter plots and the histograms of link power difference $h_{b a} - h_{a b}$ with normal density in two scenarios, respectively. Exact reciprocity occurs when $h_{b a} = h_{a b}$ , and the difference between Alice's and Bob's measurements is small, which validates the reciprocity of the on-body and off-body channels. Parts of approximation signals in scenario 1 are exhibited in Figure 9. Obviously, after 4-level wavelet transform, most changes have been removed. It will make Eve's trend more similar to legitimate devices. That is one of the reason why we choose 4-level wavelet transform.

Figure 6

Autocorrelation for Alice and Bob in two scenarios.

Figure 7

Channel gain scatter plot $h_{b a}$ versus $h_{a b}$ in two scenarios.

Figure 8

Histogram of channel gain $h_{b a}$ versus $h_{a b}$ with normal density in two scenarios.

Figure 9

Parts of approximation signals from Haar wavelet transform in scenario 1.

3.3. Security Analysis

For our threat model, our first assumption is the adversary Eve own unlimited computation capability. Eve can eavesdrop all the traffic between Alice and Bob and can also sample the channel at the same time when Alice and Bob measure the channel, but she only gets information about the channels between herself and either Alice or Bob. Another assumption is that Eve knows the algorithm and settings. However, Eve cannot be less than half of wavelength close to either Alice or Bob. This assumption is reasonable in BAN as human can easily detect the illegal node a few centimeters away. We do not concern the issue about authentication, for it is another distinct problem, and it should be done in the start-up phase. There are many solutions such as [24–26] to authentication. Those solutions can be used in conjunction with our scheme. Based on the measurements of our experiments, all devices generate keys by using WTKE, and the results of bit mismatch rate are shown in Figure 10. The bit mismatch rate between Eve and legitimate devices is nearly 0.5, much higher than that between legitimate devices themselves. Obviously, our key extraction scheme, fading trend-based wavelet key extraction, has the high security to generate secret key through channel properties measurements.

Figure 10

Bit mismatch rate for legitimate devices and Eve under different scenarios.

3.4. Performance Evaluation

It is important to ensure the randomness of a secret key. Therefore, we test our keys generated from two scenarios in the NIST test suite [27]. Because of limitation of the bit length, we only run some tests, and the results are listed in Table 3. To pass a test, the value for that test must be greater than 0.01, and our results meet the requirement.

Table 3

NIST statistical test suite results.

Test	Scenario 1	Scenario 2
Frequency	0.25	0.34
Block frequency	0.04	0.24
Cumulative sums (Fwd)	0.17	0.03
Cumulative sums (Rev)	0.16	0.19
Runs	0.97	0.19
Longest run	0.44	0.22
Approx. entropy	0.87	0.83
Serial	0.74 0.41	0.74 0.41

We compare our method with typical amplitude quantization scheme [14] and previous trend quantization work [28] through three performance metrics: (1) secret bit rate: the average number of secret bits extracted per second; (2) bit mismatch rate: the ratio of the number of bits that do not match between Alice and Bob (3) entropy: The entropy of a random variable X is defined as

\begin{matrix} H (X) = - \sum_{i = 1}^{n} ‍ p (x_{i}) lo g_{2} p (x_{i}), \end{matrix}

(7)

where X is a set of n symbols

{x_{1}, \dots, x_{n}}

and

p (x_{i})

signifies the probability of the symbol

x_{i}

[29].

In [14], Mathur et al. construct a quantizer, which calculates two thresholds $q +$ and $q -$ through

\begin{matrix} q + = μ + α * σ, q - = μ - α * σ . \end{matrix}

(8)

Here, μ and σ are mean and standard deviation, and α is a parameter which can be configured dynamically on the condition of $0 < α < 1$ . And the samples are dropped, if their values are between $q +$ and $q -$ . Furthermore, a single 1 or 0 is produced when m consecutive samples' values are greater than $q +$ or less than $q -$ . We choose $α = 0.2$ and $m = 5$ in this paper.

In [28], Liu et al.'s scheme contains both trend and amplitude multilevel quantization. Since WTKE is a single bit extraction scheme, we only take fading trend estimation from Liu et al.'s scheme into account. Fading trend estimation runs as follows For an RSS measurement $r (k)$ , it defines $Φ^{1} = r (k) - r (k - 1)$ and $Φ^{2} = r (k + 2) - r (k)$ . If $Φ^{1}$ and $Φ^{2}$ are positive or negative at the same time, a single secret bit could be extracted.

The performances of all three schemes in two scenarios are exhibited in Figures 11, 12, and 13. Though Liu et al.'s scheme has the highest secret bit rate, they get the highest bit mismatch rate. Our WTKE scheme is better than Mathur et al.'s scheme in both aspects of secret bit rate and bit mismatch. All the schemes produce bit streams with nearly the same high entropy. In a word, both trend-based methods are better than Mathur's amplitude-based methods. Compared to Liu's scheme, our method accurately gets the trend through wavelet analysis, which also reduces the frequency of wave change.

Figure 11

Secret bit rate comparison.

Figure 12

Bit mismatch rate comparison.

Figure 13

Entropy comparison.

Here, we present another reason why we choose 4-level Haar wavelet transform. As shown in Figure 14, the curve of secret bit rate goes down with the curve of bit mismatch. The curve of bit mismatch falls faster before 5 Level, and the curve of secret bit rate falls faster after 5 Level. In a word, it is worth sacrificing secret bit rate to reduce mismatch before 5 level.

Figure 14

Secret key rate versus bit mismatch rate in scenario 2.

4. Fuzzy Vault Based Key Distribution

In this section, we first describe our novel key distribution protocol based on fuzzy vault. Then, we give analysis on its security and efficiency.

4.1. Protocol Description

Our key distribution protocol uses fuzzy vault to facilitate a pairwise symmetric key agreement between Alice and Bob through measuring RSS values. The protocol is as follows.

4.1.1. Channel Feature Generation

First, both Alice and Bob should obtain common information based on RSS value. Next, every 128 samples form a window, and neighboring windows have 32 overlapping samples. Using WTKE mentioned in Section 3 to process each window, we will get 8-bit binary. In order to increase the range of chaff points, 4-level Daubechies 5 wavelet transform is used to search for the fourth level detail signal's maximum point, whose position in 128 samples will be converted into 7-bit binary. For example, as shown in Figure 15, if the window contains 128 samples from index 500 to 627, the maximum points of Alice and Bob in 128 samples are both at index 518. So the position of maximum points in the window is 19 and could be converted into 0010011. Finally, the first 6 bits generated by WTKE and all 7 bits extracted by maximum point form a channel feature. A group of channel features generates a feature vector $F_{D} = {f_{D}^{1}, f_{D}^{2}, \dots, f_{D}^{N}}$ , where D is either the sender Alice or receiver Bob and N is the size of the feature vector. In the end of the feature generation process, Alice owns $F_{A} = f_{A}^{1}, f_{A}^{2}, \dots, f_{A}^{N}$ , and Bob has $F_{B} = f_{B}^{1}, f_{B}^{2}, \dots, f_{B}^{N}$ . The whole flow chart is shown in Figure 16.

Figure 15

4th level db5 detail signal.

Figure 16

Flow chart of channel feature generation.

4.1.2. Polynomial Choice

Alice uses a random generator to produce random numbers which is the secret key she wants to share with Bob. The length of the key is set as 128 bits here, and it could also easily be set longer. To create a vth order polynomial of the form $p (x) = c_{v} x^{v} + c_{v - 1} x^{v - 1} + \dots + c_{0}$ , the key is divided into $v + 1$ parts to form the coefficients ${c_{i}}_{i = 0}^{v}$ of the polynomial. The order v of $p (x)$ is not a secret and is known to all sensors in the BAN. If Bob reconstructs the polynomial successfully, he can get the secret key by concatenating the coefficients together (key = $c_{v} | c_{v - 1} | \dots | c_{0}$ ).

4.1.3. Vault Creation

Since the polynomial and feature vectors are now available, fuzzy vault is then created by computing the set $P = {f_{A}^{i}, p (f_{A}^{i})}$ , where $f_{A}^{i} \in F_{A}$ and $1 \leq i \leq N$ . To hide the secret points, a set C of M random chaff points also needs to be calculated: $C = {c f_{j}, d_{j}}$ , where $c f_{j} \notin F_{A}$ , $d_{j} \neq p (c f_{j})$ , and $1 \leq j \leq M$ . The value $c f_{j}$ fluctuates within the same limits as that of the features ( $2^{n}$ , and n is the length of channel feature). Therefore, the total number of points in the vault ( $| R |$ ) is bounded within $2^{n}$ , which is equal to $| M | + | N |$ . We define $| R |$ as vault size.

4.1.4. Vault Locking

Alice builds the vault $R = P \cup C$ and randomly permutes the values, to make sure the chaff points and the legitimate points are indistinguishable. According to [3], different numbers of points in set C mean different levels of security. With the number of points in set C increasing, the level of security rises. We can set the level of security by changing the cardinality of set C when required.

4.1.5. Vault Exchange

Alice then sends the vault R to Bob using the following message: Alice → Bob: IDs, Nonce, R, Par, MAC (Key, $R |$ Nonce|IDs). Here IDs is the id of Alice, Nonce is a unique random number for transaction freshness, Par is parity of P to improve efficiency of reconstructing polynomial for Bob, and MAC is the message authentication code. Bob can compute MAC to confirm whether the key calculated from the vault is right or not.

4.1.6. Vault Unlocking

Once Bob receives the vault R, he makes parity check using Par and drops the part which does not match $F_{A}$ . Then, Bob computes the set Q, where $Q = {(b, c) | (b, c) \in R, b \in F_{B}}$ . Based on the points in Q, Bob can try to use the Lagrangian interpolation for reconstructing the polynomial p. According to the suggestion of [30], with the knowledge of $v + 1$ points ${(x_{0}, y_{0}), (x_{1}, y_{1}), \dots, (x_{v}, y_{v})}$ on a vth order polynomial, we can rebuild the polynomial by performing the following linear combination: $p^{'} (x) = \sum_{j = 0}^{v} ‍ y_{j} d_{j} (x)$ , where $d_{j} (x) = \prod_{i \neq j, i = 0}^{i = v} ‍ (x - x_{i}) / (x_{j} - x_{i})$ . The condition $| Q | > v$ must be satisfied for Bob to unlock the vault successfully. Obviously, Bob tries to unlock the vault by taking $v + 1$ points from Q every time. To check the validity of the unlocking, Bob verifies the MAC by concatenating the coefficients of the resulting polynomial concatenated together.

4.1.7. Vault Acknowledgment

If unlocking is successful, Bob sends a message back to Alice to inform the successful unlocking. The message is described as follows: Bob → Alice: MAC (Key, Nonce|IDs|IDr). The meanings of Key, Nonce, and IDs are described in the paragraph of Vault Exchange, and IDr means the ID of Bob. After verifying the acknowledgement sent by Bob, Alice knows the key has been shared successfully. Since Bob measures the similar distinct RSS values to the measurements of Alice, only Bob can unlock the vault.

Figure 17 shows the key distribution process. This protocol provides a one-hop security by channel property, and this protocol can be easily extended to multihop end-to-end communication, where the estimates of shared channel property could be delivered as proposed in [28]. Considering the latency problem in BAN, sensors can initialize a secret key by only executing the protocol one time and then derive keys from this initialized key for ensuring the security of more communications.

Figure 17

Fuzzy vault based key distribution protocol.

4.2. Security Analysis

With the use of fuzzy vault, FVKD ensures that the two ends of the communication link can share a secret key though they do not have all the same features. The security of the FVKD scheme depends on the difficulty of polynomial reconstruction. We can hide the legitimate feature points among a mass of the spurious chaff points, whose values fluctuate in the same range as that of legitimate ones. An adversary, without knowledge of legitimate points, has to try out each of the $v + 1$ points in set R to get the correct polynomial, and the probability of success remains very low. Obviously, if Bob acquires more features, it gets easier to reconstruct the hidden polynomial. When there are more chaff points or higher order polynomial, the vault becomes more secure. According to [3], as shown in Figure 18, with 2000 chaff points and order, security strength of the vault is the same as 60 bits when polynomial order is 6, and security level is approximately 105 bits when polynomial order is 12.

Figure 18

Security of the vault.

It is also hard for adversaries to know the key in the vault exchange and acknowledge phases. As mentioned in Section 3, Alice and Bob could authenticate each other by using methods in [24–26]. It is a reasonable assumption that Alice and Bob have been device paired. For this reason, the existence of ID (IDs and IDr) could be used to control access. The Nonce provides the freshness of the protocol, and the MAC is used to prevent man-in-the-middle attack.

4.3. Performance Evaluation

4.3.1. Distinctiveness

The channel properties depend on the location and relative motion of two endpoints in the link. Half wavelength (e.g., 6.25 cm of 2.4 GHz carrier frequency) is close enough for the BAN user to detect adversaries. We also conduct a series of theoretical analysis here. As to WTKE, after 4-level Haar transform, the bit mismatch probability ( $P_{b m}$ ) can be expressed below, with the assumption that channel state is Gaussian estimation of channel state and successive sampling values are independent.

\begin{array}{l} P_{b m} = P (Φ_{A} > 0 \land Φ_{B} < 0) + P (Φ_{A} < 0 \land Φ_{B} > 0) \\ = (1 - F (Φ_{A} = 0)) F (Φ_{B} = 0) \\ + F (Φ_{A} = 0) (1 - F (Φ_{B} = 0)), \end{array}

(9)

where

F ()

is the cumulative distribution function for Gaussian distribution, Φ is defined in (6) (

Φ_{A}

means Alice's result and

Φ_{B}

means Bob's). Based on our experiments and observations, each feature's mismatch probability is determined by mismatch probability of WTKE. That means when the probability

P_{b m}

of the individual bit mismatch is known, the probability

P_{q}

of having mismatching features can be expressed as

\begin{matrix} P_{q} = \sum_{i = 1}^{(n - 7)} ‍ C_{(n - 7)}^{i} {P_{b m}}^{i} {(1 - P_{b m})}^{n - 7 - i} . \end{matrix}

(10)

Here C is combinatorial computing. Therefore, the probability that receiver can unlock the vault is shown in Figure 19. With consideration of the time effectiveness, we set N, the size of feature vector, below 15. It means if response time of sensor is between 20 to 40 ms, the sample time is 29.44 to 58.88 s. To balance security and efficiency, we set polynomial order as 7 and the size of feature vector as 11. As shown in Figure 10, Eve's $P_{b m}$ is nearly 0.5, which results in extremely high value of its $P_{q}$ .

Figure 19

Unlock probability.

4.3.2. Length and Randomness

The key shared between Alice and Bob is generated by Alice using a random number generator. Thus, the length and randomness of the key can ensure communication security.

4.3.3. Temporal Variance

As mentioned above, the variation of channel is quantified by the maximum Doppler frequency, and the variation follows Gaussian distribution. It can be concluded that even though adversaries know the previous values, they cannot infer the value of channel properties.

4.4. Implementation

We prototype FVKD by using Verilog HDL to evaluate its cost and performance in hardware. The Xilinx ISE software tool is used for emulating a Virtex V platform (http://www.xilinx.com). The metrics used for the evaluation are CPU clock cycles and memory footprint. Table 4 shows the details.

Table 4

Computational cost and memory footprint of our prototype implementation.

Entity	Total cycles	Memory footprint
Sender	8,417	23.22 KB
Recvr.	13,396	21.35 KB

Though the computational cost is composed of many tasks, only three kinds of them (feature generation, key hiding, and key unhiding) are crucial. Both sender and receiver have feature generation step. Only sender has the task of key hiding, and receiver is just responsible for key unhiding task. As key unhiding needs more computations than key hiding, receiver runs more cycles. We set a 25 MHz clock, so it would only take a few milliseconds to execute our protocol. And the cost could be amortized in the sampling phase. Since other than generating features, the sampling phases can computerize and transmit some chaff points in the meantime. The memory foot print values are primarily determined by chaff points (2000, 13-bit x-values, and 23-bit y-values), features (13-bit values), and polynomial projections (23-bit values). Compared to our protocol, DH takes more than 320,000 cycles and its variant ECDH takes more than 100,000 cycles, though they consume less memory footprint.

5. Related Work

There has been increasing research on utilizing wireless channel properties to extract secret keys. This approach is based on the theory of [14, 31, 32], and it suggests that a secret key agreement is possible for two parties to achieve through using correlated random variables of channel in the presence of an eavesdropper. Till now, several channel properties such as signal phase, time delay, angle of arrival, and received signal strength (RSS) have been proposed, among which phase difference is firstly proposed in [31]. It measures differential phase of two-tone signal to generate secret keys. Further research is done by using phase difference to improve the efficiency of key establishment in [33]. The impulse response of a wireless channel is estimated from WiFi signals in [14]. And in [22], statistics of the angle-of-arrival (AOA) is used on the condition that AP needs a programmable phased array antenna.

RSS is widely used due to the fact that it can be easily collected through most off-the-shelf radio devices. As to RSS-based methods, some works focus on temporal and spatial variations such as [14, 15, 34, 35]. In [36–38], some other factors like multiple antenna diversity and multiple frequencies are also taken into account. In [14], the authors develop a lossy quantization to extract key bits from a statistical Gaussian channel. And they supply theoretical certification and validate this mechanism in indoor environment. In [15], Jana et al. extend this approach to measure RSS over a single channel in various environments using laptops. And a multibit quantization method is also proposed to improve secret bit rate with privacy amplification. In [35], the authors use a transform to decorrelate secret key bits for a very high bit generation rate (40 bits/s).

Although BAN is a newly emerging wireless sensor network, there is still research already done on this topic. In [39], the authors examine the near-body radio channel for key generation based on simulation modeling. Body-worn scenarios such as patient mobility, different placement of devices on the body, and different modes of motion are considered in [40]. To avoid reconciliation phase in key generation, the authors analyze the reasons of measurement asymmetries and then use Savitzky Golay filter to improve signal correlation [21]. In [38], channel hopping is used to solve the problem of little dynamic channel change that exists, which means the channel coherence time period is too large.

Different from the above works, we use waveform trend and feature to promote key agreement by using wavelet transform and fuzzy vault.

6. Conclusion

This paper presents two main research findings: a key extraction scheme and a secure key distribution protocol for BAN. On the basis of the high correlation in RSS measurements between two communication parties, wavelet analysis and fuzzy vault are utilized in this paper. With the assumption of enough motions in BAN, a secret key can be shared between two sensors, and the key can also be shared between a sensor and a basestation, even though an eavesdropper is present. This paper analyzes the security and performance of the scheme and protocol, and it turns out that WTKE provides a secure key with low mismatch rate, high entropy and acceptable secret key rate. FVKD meets the requirements of key agreement (randomness, distinctiveness, and temporal variance).

There are some problems this paper does not fully explore. For instance, the channel coherence time period lasts longer than node's response time. We would take measures to adjust the channel coherence time in our future research.

Footnotes

Acknowledgments

This research was supported by National Basic Research Program of China (973 Program) under Grant no. 2011CB302702 and National 863 Program of China under Grant no. 2011AA010305.

References

Apple inc.

http://www.patentlyapple.com/patently-apple/2012/06/inductively-powered-ring-shines-in-fujitsus-iphone-app-patent.html

Shimmer research

http://www.shimmer-research.com/

Venkatasubramanian

K. K.

Banerjee

Gupta

S. K. S.

PSKA: usable and secure key agreement scheme for body area networks

IEEE Transactions on Information Technology in Biomedicine 2010 14 1 60 68

2-s2.0-76849098534

10.1109/TITB.2009.2037617

Astrin

Ieee standard for local and metropolitan area networks part 15.6: wireless body area networks: Ieee std 802.15. 6-2012

2012

Zhu

Setia

Jajodia

LEAP+: efficient security mechanisms for large-scale distributed sensor networks

ACM Transactions on Sensor Networks 2006 2 4 500 528

2-s2.0-33847120377

10.1145/1218556.1218559

Liu

Ning

TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks

Proceedings of the International Conference on Information Processing in Sensor Networks (IPSN '08)

April 2008

IEEE

245 256

2-s2.0-51249087814

10.1109/IPSN.2008.47

Blaß

Zitterbart

Efficient implementation of elliptic curve cryptography for wireless sensor networks

2005

Karlsruhe, Germany

Institute of Telematics, Universityof Karlsruhe

http://doc.tm.uka.de/tr/TM-2005-1.pdf

Cherukuri

Venkatasubramanian

Gupta

Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body

Proceedings of the IEEE International Conference on Parallel Processing Workshops

2003

432 439

Poon

C. C. Y.

Zhang

Y. T.

Bao

S. D.

A novel biometrics method to secure wireless body area sensor networks for telemedicine and M-health

IEEE Communications Magazine 2006 44 4 73 81

2-s2.0-33646948221

10.1109/MCOM.2006.1632652

10.

Venkatasubramanian

K. K.

Banerjee

Gupta

S. K. S.

EKG-based key agreement in body sensor networks

Proceedings of the IEEE INFOCOM Workshops

April 2008

IEEE

1 6

2-s2.0-51049107527

10.1109/INFOCOM.2008.4544608

11.

Qin

Tan

C. C.

Wang

IMDGuard: securing implantable medical devices with the external wearable guardian

Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM '11)

April 2011

1862 1870

2-s2.0-79960873920

10.1109/INFCOM.2011.5934987

12.

Mana

Feham

Bensaber

B. A.

Trust key management scheme for wireless body area networks

International Journal of Network Security 2011 12 2 75 83

13.

Juels

Sudan

A fuzzy vault scheme

Designs, Codes, and Cryptography 2006 38 2 237 257

2-s2.0-30844458593

10.1007/s10623-005-6343-z

14.

Mathur

Trappe

Mandayam

Reznik

Radio-telepathy: extracting a secret key from an unauthenticated wireless channel

14th Annual International Conference on Mobile Computing and Networking (MobiCom '08)

September 2008

ACM

128 139

2-s2.0-60149097098

10.1145/1409944.1409960

15.

Jana

Premnath

S. N.

Clark

Kasera

S. K.

Patwari

Krishnamurthy

S. V.

On the effectiveness of secret key extraction from wireless signal strength in real environments

Proceedings of the 15th Annual ACM International Conference on Mobile Computing and Networking (MobiCom '09)

September 2009

ACM

321 332

2-s2.0-70450242725

10.1145/1614320.1614356

16.

Yazdandoost

Sayrafian

Channel model for body area network (ban), ieee p802. 15-08-0780-09-0006

Working Group Document 2009 IEEE 802.15

17.

Hanlen

Chaganti

Gilbert

Rodda

Lamahewa

Smith

Open-source testbed for body area networks: 200 Sample/sec, 12 hrs continuous measurement

Proceedings of the IEEE 21st International Symposium on Personal, Indoor and Mobile Radio Communications Workshops (PIMRC '10)

September 2010

IEEE

66 71

2-s2.0-78751539947

10.1109/PIMRCW.2010.5670518

18.

Rappaport

T. S.

Wireless Communications: Principles and Practice 1996 2

19.

Paulraj

Nabar

Gore

Introduction To Space-Time Wireless Communications 2003

20.

Smith

D. B.

Zhang

Hanlen

L. W.

Miniutti

Rodda

Gilbert

Temporal correlation of dynamic on-body area radio channel

Electronics Letters 2009 45 24 1212 1213

2-s2.0-70549113407

10.1049/el.2009.2057

21.

Ali

Sivaraman

Ostry

Zero reconciliation secret key generation for body-worn health monitoring devices

Proceedings of the 5th ACM Conference on Security and Privacy in Wireless andMobile Networks

2012

ACM

39 50

22.

Aono

Higuchi

Ohira

Komiyama

Sasaoka

Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels

IEEE Transactions on Antennas and Propagation 2005 53 11 3776 3784

2-s2.0-28644438588

10.1109/TAP.2005.858853

23.

Tope

M. A.

McEachen

J. C.

Unconditionally secure communications over fading channels

Proceedings of the Communications for Network-Centric Operations: Creating the Information Force (Milcom '01)

October 2001

IEEE

54 58

2-s2.0-0035727429

24.

Shi

Yuan

Bana: body area network authentication exploiting channel characteristics

Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks

2012

ACM

27 38

25.

Mathur

Miller

Varshavsky

Trappe

Mandayam

ProxiMate: proximity-based secure pairing using ambient wireless signals

Proceedings of the 9th International Conference on MobileSystems, Applications, and Services

July 2011

ACM

211 224

2-s2.0-79961063540

10.1145/1999995.2000016

26.

Brik

Banerjee

Gruteser

Wireless device identification with radiometric signatures

Proceedings of the 14th Annual International Conference on Mobile Computing and Networking (MobiCom '08)

September 2008

ACM

116 127

2-s2.0-60149092949

10.1145/1409944.1409959

27.

Rukhin

Soto

Nechvatal

Smid

Barker

A statistical test suite for random and pseudorandom number generators for cryptographic applications

DTIC Document 2001

28.

Liu

Yang

Wang

Chen

Collaborative secret key extraction leveraging received signal strength in mobile wireless networks

Proceedings of the 31st Annual IEEE International Conference on Computer Communications (IEEE INFOCOM '12)

2012

IEEE

927 935

29.

Shannon

C. E.

Weaver

A Mathematical Theory of Communication 1948

30.

Uludag

Pankanti

Jain

Fuzzy vault for fingerprints

Audio-and Video-Based Biometric Person Authentication 2005

New York, NY, USA

Springer

55 71

31.

Hershey

J. E.

Hassan

A. A.

Yarlagadda

Unconventional cryptographic keying variable management

IEEE Transactions on Communications 1995 43 1 3 6

2-s2.0-0029234878

10.1109/26.385951

32.

Maurer

U. M.

Secret key agreement by public discussion from common information

IEEE Transactions on Information Theory 1993 39 3 733 742

2-s2.0-0027599802

10.1109/18.256484

33.

Wang

Ren

Kim

Fast and scalable secret key generation exploiting channel phase randomness in wireless networks

Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM '11)

April 2011

IEEE

1422 1430

2-s2.0-79960885380

10.1109/INFCOM.2011.5934929

34.

Patwari

Croft

Jana

Kasera

S. K.

High-rate uncorrelated bit extraction for shared secret key generation from channel measurements

IEEE Transactions on Mobile Computing 2010 9 1 17 30

2-s2.0-72249083097

10.1109/TMC.2009.88

35.

Croft

Patwari

Kasera

S. K.

Robust uncorrelated bit extraction methodologies for wireless sensors

Proceedings of the 9th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN '10)

April 2010

ACM

70 81

2-s2.0-77954527646

10.1145/1791212.1791222

36.

Zeng

Chan

Mohapatra

Exploiting multiple-antenna diversity for shared secret key generation in wireless networks

Proceedings of the 29th IEEE International Conference on Computer Communications (INFOCOM '10)

March 2010

1 9

2-s2.0-77953297543

10.1109/INFCOM.2010.5462004

37.

Wilhelm

Martinovic

Schmitt

J. B.

Secret keys from entangled sensor motes: implementation and analysis

Proceedings of the 3rd ACM Conference on Wireless Network Security (WiSec '10)

March 2010

ACM

139 144

2-s2.0-77952329424

10.1145/1741866.1741889

38.

Yao

Ali

S. T.

Sivaraman

Ostry

Decorrelating secret bit extraction via channel hopping in body area networks

Proceedings of the IEEE 23rdInternational Symposium on PersonalIndoor and Mobile Radio Communications (PIMRC '12)

2012

IEEE

1454 1459

39.

Hanlen

Smith

Zhang

Lewis

Key-sharing via channel randomness in narrowband body area networks: is everyday movement sufficient?

Proceedings of the 4th International Conference onBody Area Networks. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)

2009

40.

Yao

Ali

S. T.

Sivaraman

Ostry

Improving secret key generation performance for on-body devices

Proceedings of the 6th International Conference on Body Area Networks. ICST (Institute for Computer Sciences, Social-Informatics and TelecommunicationsEngineering)

2011

19 22