draft-linning-authentication-physical-layer
Internet Engineering Task Force
Internet-Draft
Intended status: Informational                   Southeast University
Expires: April 11, 2019                               October 8, 2018
Authentication by Physical Layer Features
draft-linning-authentication-physical-layer-00
Abstract
This document proposes an authentication method that uses physical
layer features of the terminal unit. It assumes that the reader is
familiar with some concepts and details of physical layer security.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 11, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Expires April 11, 2019 [Page 1]
Internet-Draft APLE October 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Physical layer feature extraction . . . . . . . . . . . . 3
2.2. Physical Layer Feature based Authentication . . . . . . . 3
3. Physical Layer Feature Extraction . . . . . . . . . . . . . . 3
4. Physical Layer Feature based Authentication . . . . . . . . . 4
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Classical device authentication methods include the MAC address, the
pre-shared key and the digital certificate. However, a MAC address is
easy to imitate and can hardly ensure security. The security of
pre-shared keys and digital certificates depends mainly on the
strength of the digital key and of the authentication algorithms.
Physical layer feature based device identification provides physical
layer security protection for networks. By utilizing the inherent
physical layer features of the terminal unit, it is possible to
realize identity authentication from the received waveform alone.
It has been demonstrated that physical layer features are unique and
persistent, so they can be used for terminal unit identification.
The physical layer features can be obtained by transient feature
extraction, spectrum feature extraction or modulation feature
extraction [Ref_1]. The gateway can then identify the terminal unit
from the received signal waveforms by means of identification
algorithms.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Applicability
This mechanism authenticates the identity of the terminal unit by its
physical layer features and is suitable for wireless, wired and
optical networks.
When a network node transmits a message to other network nodes, the
binary message is transformed into an analog signal in the physical
layer. This physical layer signal carries the unique physical layer
features of the transmitter. The receiver extracts the physical
layer features from the transmitted signal.
The steps are listed below:
2.1. Physical layer feature extraction
The physical layer feature extraction methods can be summarized into
three categories, namely the transient-based method, the
spectrum-based method and the modulation-based method [Ref_1]. The
obtained physical layer features are digitized into a feature
vector, which is used for authentication.
2.2. Physical Layer Feature based Authentication
The gateway uses the extracted physical layer features to
authenticate the accessing terminal device.
3. Physical Layer Feature Extraction
The physical layer features include transient-based features,
spectrum-based features and modulation-based features.
The transient-based method measures the turn-on/off transient or
variations of the transmitted signal for device identification.
These features are extracted by measuring the envelope of the
transient signal. Signal processing methods such as principal
component analysis (PCA) and the discrete Fourier transform (DFT)
are employed for further feature processing. In addition,
statistical methods are also used for transient-based feature
extraction: the standard deviation, variance, skewness and kurtosis
of the transient amplitude, phase and frequency are extracted as
physical layer features. A vector of these features is directly
employed for authentication [Ref_1][Ref_2].
The signal spectrum is another important physical layer feature. The
power spectral density (PSD) is directly extracted from the samples
of the received signal. In general, the non-linear behavior of the
device transmitter is the main source of the signal spectrum
feature. The signal spectrum feature can be quantified by selecting
several significant regions of the PSD. The in-band outline and
out-of-band outline of the PSD are another important physical layer
feature for authentication [Ref_1].
Modulation-based methods extract stable features from the received
signal, including the automatic gain control (AGC) response,
amplifier nonlinearity characteristics, sampling frequency offset,
carrier frequency offset, the differential constellation trace
figure (DCTF) and so on. These modulation-based features can be
extracted in the baseband by specific methods [Ref_3].
The extracted physical layer features are grouped into a feature
vector. This feature vector is then used for authentication.
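The following Python example is added here to illustrate Section 3; it is not code from the draft or its authors. It computes the four transient statistics named above over a constructed amplitude envelope, estimates the PSD with a direct DFT, and groups the statistics with the power in selected PSD regions into one feature vector. The envelope values and region boundaries are constructed sample inputs.

```python
import cmath
import math

# Constructed transient amplitude envelope (not a real capture): a
# turn-on edge followed by a settled level with small ripple.
ENVELOPE = [0.02, 0.11, 0.31, 0.58, 0.79, 0.93, 1.01, 1.04,
            1.02, 0.99, 1.00, 1.01, 0.99, 1.00, 1.00, 0.99]


def moments(samples):
    """Standard deviation, variance, skewness and kurtosis of an
    envelope (population moments; kurtosis is not excess kurtosis)."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    std = math.sqrt(var)
    if std == 0.0:                  # constant signal: no shape information
        return [0.0, 0.0, 0.0, 0.0]
    skew = sum((x - mean) ** 3 for x in samples) / (n * std ** 3)
    kurt = sum((x - mean) ** 4 for x in samples) / (n * var ** 2)
    return [std, var, skew, kurt]


def psd(samples):
    """Power spectral density by a direct DFT: |X[k]|^2 / N for the
    one-sided bins k = 0 .. N/2."""
    n = len(samples)
    out = []
    for k in range(n // 2 + 1):
        xk = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                 for i, x in enumerate(samples))
        out.append(abs(xk) ** 2 / n)
    return out


def feature_vector(samples, psd_regions):
    """Group the transient statistics with the power in selected PSD
    regions (given as [start, stop) bin ranges) into one vector."""
    spectrum = psd(samples)
    region_power = [sum(spectrum[a:b]) for a, b in psd_regions]
    return moments(samples) + region_power
```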
4. Physical Layer Feature based Authentication
In physical layer feature based authentication, the gateway runs two
processes: a training process and a decision process. In the
training process, the system works over a secure connection. The
identity of the accessing device is genuine and known to the
gateway. The gateway captures the physical layer signal and extracts
the physical layer feature. The obtained physical layer feature is
stored in a database for the decision process of authentication. In
the decision process, the system works in an open network. The
gateway receives the signal of the accessing terminal device and
authenticates the identity of the terminal using the features stored
in the database.
In the terminal identity authentication problem, the gateway is
faced with two situations. In the first situation, the identity of
the terminal device has been registered before, and the terminal
device declares its identity when accessing. In this case, the
gateway compares the extracted physical layer feature to the feature
vector stored in the database for that identity. The result of the
comparison is a degree of similarity between the accessing terminal
device and the legitimate device. The gateway confirms the identity
of the accessing terminal device when the degree of similarity is
higher than a threshold. If the identity of the accessing terminal
device is legitimate, the gateway opens the connection of the
terminal device to the internal network. In the second situation,
the identity of the terminal device has not been registered before.
In this case, the gateway also extracts the physical layer feature
of the accessing terminal device and compares the extracted feature
to all of the feature vectors stored in the database. This yields a
set of degrees of similarity between the accessing terminal device
and the stored features. The gateway confirms that the accessing
terminal device has a new identity when all of the degrees of
similarity are lower than a threshold, and closes the connection of
the terminal device to the internal network.
5. Example
An application example is introduced as follows.
The authentication by physical layer feature system includes four
elements: a terminal unit, a physical layer feature extraction unit,
an internal network unit and an accessing control unit. The terminal
unit is connected to the physical layer feature extraction unit and
to the accessing control unit. The physical layer feature extraction
unit is connected to the accessing control unit. The internal
network unit is connected to the accessing control unit. The signal
is transmitted from the terminal unit to the physical layer feature
extraction unit, and from the physical layer feature extraction unit
to the accessing control unit. The terminal unit and the accessing
control unit exchange signals in both directions, as do the internal
network unit and the accessing control unit.
The physical layer feature extraction unit includes three
components: a front-end signal capture device and a processor. The
processor extracts the physical layer feature from the signal
captured by the front-end signal capture device. The accessing
control unit includes two components: storage and a processor. The
processor authenticates the accessing terminal device using the
physical layer feature. The authentication rule and the identity
information are stored in the database of the storage, as is the
extracted physical layer feature.
In the training process, the physical layer feature extraction unit
first obtains the physical layer feature and transmits it to the
accessing control unit. The accessing control unit binds the
physical layer feature to the identity of the terminal device. The
physical layer feature of the trained device is stored in the
database at the accessing control unit.
In the decision process, the physical layer feature extraction unit
captures the signal of the accessing terminal device, extracts the
physical layer feature from the captured signal and transfers the
physical layer feature to the accessing control unit. In the
decision process, the authentication has two situations. In the
first situation, the identity of the terminal device has been
registered before in the database. The terminal device declares its
identity when it accesses the network. The accessing control unit
compares the extracted physical layer feature to the physical layer
feature stored in the database under the declared index. This
comparison yields a degree of similarity. If this degree of
similarity is higher than a threshold, the accessing control unit
confirms the identity of the device and opens the connection of the
terminal unit to the internal network unit. If this degree of
similarity is lower than the threshold, the accessing control unit
rejects the access of the device and closes the connection of the
terminal unit to the internal network unit. In the second
situation, the identity of the terminal device has not been
registered before in the database. The terminal device does not
declare its identity when it accesses the network. The accessing
control unit compares the extracted physical layer feature to all of
the physical layer features stored in the database. This comparison
yields the highest value of the degree of similarity. If the highest
value of the degree of similarity is lower than a threshold, the
accessing control unit confirms that the accessing terminal device
has a new identity and closes the connection of the terminal unit to
the internal network unit. If the highest value of the degree of
similarity is higher than the threshold, the accessing control unit
requires another authentication method to confirm the identity of
the terminal device.
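The following Python example is added to illustrate the training and decision processes of Sections 4 and 5; it is not code from the draft or its authors. The draft does not fix a similarity metric, so cosine similarity clipped to [0, 1] is assumed, and the feature vectors are constructed values rather than real captures. It covers both situations: a declared identity compared against one stored entry, and an undeclared access compared against every entry, with the fall-back to another authentication method when the highest similarity is not below the threshold.

```python
import math


def similarity(a, b):
    """Degree of similarity between two feature vectors. The draft fixes
    no metric; cosine similarity clipped to [0, 1] is assumed here."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 0.0 if norm == 0.0 else max(0.0, dot / norm)


class AccessControlUnit:
    """Storage and decision logic of the accessing control unit."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.database = {}          # identity -> trained feature vector

    def train(self, identity, feature):
        """Training process: bind a feature vector captured over a secure
        connection to an identity that is known to be genuine."""
        self.database[identity] = list(feature)

    def decide(self, feature, declared_identity=None):
        """Decision process. Returns (decision, connection_opened)."""
        if declared_identity is not None:
            # First situation: compare only with the declared index.
            stored = self.database.get(declared_identity)
            if stored is None:
                return ("unknown-identity", False)
            if similarity(feature, stored) > self.threshold:
                return ("confirmed", True)
            return ("rejected", False)
        # Second situation: no declared identity, compare with every entry
        # and keep the highest degree of similarity.
        best = max((similarity(feature, v) for v in self.database.values()),
                   default=0.0)
        if best < self.threshold:
            # Genuinely new device: connection stays closed.
            return ("new-identity", False)
        # Resembles a registered device that did not declare itself:
        # another authentication method is required.
        return ("other-authentication-required", False)


# Constructed feature vectors (not real captures).
DEVICE_A = [0.34, 0.12, -0.9, 2.1, 5.0, 1.2]
DEVICE_B = [0.21, 0.04, 0.3, 3.4, 2.0, 4.1]
NOISY_A = [0.33, 0.13, -0.85, 2.2, 4.9, 1.25]   # dev-A measured again
UNKNOWN = [10.0, -3.0, 0.5, 0.1, 0.0, -2.0]     # never trained
```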
6. IANA Considerations
This document includes no request to IANA.
7. Security Considerations
This section addresses only the security considerations associated
with the use of physical layer features for authentication. How
well the physical layer features of different devices can be told
apart depends on the consistency of the physical devices and on the
measurement accuracy of the gateway. If the gateway cannot
distinguish the physical layer features of different devices, an
authentication method in a higher layer is required.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
8.2. Informative References
[Ref_1] Danev, B., <https://dl.acm.org/citation.cfm?id=2379782>,
2012.
[Ref_2] Carbino, T. J.,
<https://ieeexplore.ieee.org/document/7069371/>, 2015.
[Ref_3] Peng, L., <https://ieeexplore.ieee.org/document/7752534/>,
2016.
Authors' Addresses
Linning Peng
Southeast University
No.2 SiPaiLou
NanJing, JiangSu 210096
China
Phone: +86 25 52091692
Email: pengln@seu.edu.cn
Aiqun Hu
Southeast University
No.2 SiPaiLou
NanJing, JiangSu 210096
China
Phone: +86 25 52091692
Email: aqhu@seu.edu.cn