A Practical Man-In-The-Middle Attack on Signal-Based Key Generation Protocols

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7459)


Generating secret keys using physical properties of the wireless channel has recently become a popular research area. The main security assumption of these protocols is that a sufficiently distant adversary is unable to guess a generated secret due to the unpredictable behavior of multipath signal propagation. In this paper, we introduce a practical and efficient man-in-the-middle attack against such protocols. Using this attack, we demonstrate: (i) intentional sabotaging of key generation schemes, which leads to a high key disagreement rate, and (ii) a key recovery that reveals up to 47% of the generated secret bits. We analyze statistical countermeasures (often proposed in related work) and show that attempting to detect such attacks results in a high false positive rate, questioning the overall benefit of such schemes. We implement and experimentally validate the attacks using off-the-shelf hardware, without assuming any technological advantage for the adversary.
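The three effects the abstract reports (sabotage through key disagreement, partial key recovery, and countermeasures that trip on honest traffic) can be made concrete with a small simulation. The block below is an added example, not code from the paper or its authors: the AR(1) fading model, the guard-band quantizer, the attacker model (in a fraction of probe rounds the attacker's transmission dominates each party's measurement, so that party records an attacker-chosen RSS), the lag-1 autocorrelation detector and every parameter value are assumptions of this example, and the rates it prints are properties of the toy, not of the paper's measurements.

```python
"""Toy RSS-based key generation under an active injection attacker.

Added illustration, not code from the paper: the fading model, quantizer,
attacker model and detector are simplifying assumptions chosen to make three
effects visible (key disagreement, partial key recovery, detector false
positives).  All numbers depend on these toy parameters.
"""
import random
import statistics

def reciprocal_channel(n, seed, noise=0.3):
    """Two noisy views of one shared AR(1) fading gain.  The shared gain is
    the reciprocity these protocols rely on; the per-side Gaussian noise
    models receiver noise and imperfect reciprocity."""
    rng = random.Random(seed)
    h, alice, bob = 0.0, [], []
    for _ in range(n):
        h = 0.9 * h + rng.gauss(0, 1)
        alice.append(h + rng.gauss(0, noise))
        bob.append(h + rng.gauss(0, noise))
    return alice, bob

def quantize(rss, alpha=0.5):
    """Guard-band quantizer: 1 above mean+alpha*sd, 0 below mean-alpha*sd,
    None (dropped) inside the band.  Dropped indices are exchanged in public."""
    mu, sd = statistics.mean(rss), statistics.pstdev(rss)
    return [1 if x > mu + alpha * sd else 0 if x < mu - alpha * sd else None
            for x in rss]

def agree(bits_a, bits_b):
    """Keep only indices both sides kept; the public exchange reveals indices,
    never values.  Returns (key_a, key_b, kept_indices)."""
    kept = [i for i, (x, y) in enumerate(zip(bits_a, bits_b))
            if x is not None and y is not None]
    return [bits_a[i] for i in kept], [bits_b[i] for i in kept], kept

def kdr(key_a, key_b):
    """Key disagreement rate before any error correction."""
    return sum(x != y for x, y in zip(key_a, key_b)) / max(len(key_a), 1)

def inject(alice, bob, seed, frac, same_value, magnitude=4.0):
    """Attacker model (an assumption of this example): in a fraction `frac`
    of probe rounds the attacker's transmission dominates what each victim
    measures, so each victim records an attacker-chosen RSS well outside the
    guard band.  same_value=False: independent values toward Alice and Bob
    (sabotage).  same_value=True: one value toward both, so both quantize it
    alike and the attacker knows that bit (recovery).
    Returns (alice', bob', {index: bit known to the attacker})."""
    rng = random.Random(seed)
    a, b, known = list(alice), list(bob), {}
    for i in range(len(a)):
        if rng.random() < frac:
            va = magnitude * rng.choice((-1.0, 1.0))
            vb = va if same_value else magnitude * rng.choice((-1.0, 1.0))
            a[i], b[i] = va, vb
            if same_value:
                known[i] = 1 if va > 0 else 0
    return a, b, known

def run(alice, bob, known=None):
    """Quantize, reconcile indices, and report the disagreement rate and the
    fraction of final key bits the attacker already knows."""
    key_a, key_b, kept = agree(quantize(alice), quantize(bob))
    known = known or {}
    hits = sum(1 for i, bit in zip(kept, key_a) if known.get(i) == bit)
    return {"bits": len(key_a), "kdr": kdr(key_a, key_b),
            "recovered": hits / max(len(key_a), 1)}

def lag1_autocorr(xs):
    """Lag-1 autocorrelation, a naive 'does this look like a channel?' test.
    Injected iid values pull it down, but so does ordinary receiver noise."""
    mu = statistics.mean(xs)
    num = sum((xs[i] - mu) * (xs[i + 1] - mu) for i in range(len(xs) - 1))
    return num / sum((x - mu) ** 2 for x in xs)

def detector_flags(trace, threshold=0.6):
    """Statistical countermeasure as modelled here: suspect an attack when the
    trace is too uncorrelated.  True means 'attack suspected'."""
    return lag1_autocorr(trace) < threshold

def demo(n=4000):
    """Honest run, sabotage run, recovery run, and an honest-but-noisy run
    that the detector flags anyway (a false positive)."""
    a, b = reciprocal_channel(n, seed=1)
    sa, sb, _ = inject(a, b, seed=2, frac=0.3, same_value=False)
    ra, rb, known = inject(a, b, seed=3, frac=0.3, same_value=True)
    na, _ = reciprocal_channel(n, seed=4, noise=2.0)
    return {"honest": run(a, b), "sabotage": run(sa, sb),
            "recovery": run(ra, rb, known),
            "flag_honest": detector_flags(a),
            "flag_sabotage": detector_flags(sa),
            "flag_noisy_honest": detector_flags(na)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the honest run with a key disagreement rate near zero, the sabotage run with a large disagreement rate (half of the injected rounds disagree, and the injected values always pass the guard band, so they dominate the key), the recovery run with a clean key of which the attacker already knows a sizeable fraction, and the autocorrelation detector flagging the sabotage trace but also flagging an honest trace from a noisier receiver. The last point is the practical caveat: a threshold loose enough to tolerate real-world noise no longer separates the attack from the honest case.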


Keywords: Wireless Channel, Received Signal Strength Indicator, MITM Attack, Channel Reciprocity, Active Attacker



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. University of Kaiserslautern, Germany
  2. University of Oxford, UK
