- Home /

Radio-telepathy: Extracting a Secret Key from an Unauthenticated Wireless Channel

Research Paper / Jan 2008

In order for network slicing to deliver on its promise as an effective tool to generate new revenues and profitability, new business models must match the dynamic technical and operational changes that it brings. Significant progress is being made in demonstrations and trials, as highlighted in this report and the...

Joe Giersch, a biologist from USGS, sat down with InterDigital to discuss technology’s role in the study of stream ecology, and explain why we should all know about the insect, Lednia tumana, that he has spent his life studying.

Recently, the Qualcomm Tricorder XPRIZE® announced its winners. We caught up with Ed Hepler, ex-InterDigital engineer and hardware development lead of the winning bootstrap operation, Final Frontier Medical Devices, after the winning announcement in this CREATORS sit-down.

Radio-telepathy: Extracting a Secret Key from an

Unauthenticated Wireless Channel

ABSTRACT

Securing communications requires the establishment of cryp-

tographic keys, which is challenging in mobile scenarios where

a key management infrastructure is not always present. In

this paper, we address this challenge by presenting a pro-

tocol that allows two users to establish a common crypto-

graphic key by exploiting special properties of the wireless

channel: that the underlying channel response between any

two parties is unique and that the channel response decorre-

lates rapidly in space. The established key can then be used

to support security services (such as encryption) between

two users. Our algorithm uses level-crossings and quanti-

zation to extract bits from correlated stochastic processes.

The resulting protocol resists cryptanalysis by an eavesdrop-

ping adversary and a spoofing attack by an active adversary

without requiring an authenticated channel, as is typically

assumed in prior information-theoretic key establishment

schemes. We evaluate our algorithm through theoretical and

numerical studies, and provide validation through two com-

plementary experimental studies. First, we use an 802.11

development platform with customized logic that extracts

raw channel impulse response data from the preamble of a

format-compliant 802.11a packet. We show that it is possi-

ble to practically achieve secret key establishment rates of

∼ 1 bit/sec in a real, indoor wireless environment. Next,

to illustrate the generality of our method, we show that our

approach is equally applicable to per-packet coarse signal

strength measurements using off-the-shelf 802.11 hardware.

1. INTRODUCTION

Many of the risks associated with securing wireless sys-

tems stem from challenges associated with operating in a

mobile environment, such as the lack of a guaranteed infras-

tructure or the ease with which entities can eavesdrop on

communications. Traditional network security mechanisms

rely upon cryptographic keys to support confidentiality and

authentication services. However, in a dynamic mobile en-

vironment, with peer-to-peer associations being formed on-

the-fly between mobile entities, it is difficult to ensure avail-

ability of a certificate authority or a key management center

to support security needs. Since such scenarios are likely to

become increasingly prevalent in the future, it is necessary

Permission to make digital or hard copies of all or part of this work for

personal or classroom use is granted without fee provided that copies are

not made or distributed for profit or commercial advantage and that copies

bear this notice and the full citation on the first page. To copy otherwise, to

republish, to post on servers or to redistribute to lists, requires prior specific

permission and/or a fee.

Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00.

to have alternative methods for establishing keys between

wireless peers without resorting to a fixed infrastructure.

In this paper, we explore an alternative for building cryp-

tographic services by exploiting an untapped resource - the

wireless channel itself. The wireless medium can serve as a

mechanism to share secrets between two wireless entities by

exploiting the variability and dimensionality associated with

wireless propagation. The specificity of the radio channel be-

tween two wireless devices, and its rapid decorrelation with

distance, provide a basis for the creation of shared secret in-

formation, such as cryptographic keys, even in the presence

of an eavesdropper. In typical multipath environments (see

Figure 1), the wireless channel between two users, Alice and

Bob, produces a random, time-varying, stochastic mapping

between the transmitted and received signals. This mapping

changes with time in a manner that is location-specific and

reciprocal, i.e., the mapping is the same whether Alice is

the transmitter with Bob as the receiver or vice-versa. The

time-varying mapping, commonly termed fading, decorre-

lates completely over distances of the order of half a wave-

length, λ. Thus, an adversary, Eve, who is more than λ/2

away from both Alice and Bob, experiences fading channels

to Alice and to Bob that are statistically independent of the

fading channel between Alice and Bob. These two properties

allow us to generate a common, secret cryptographic key at

Alice and Bob such that Eve gets no information about the

generated key. For example, at 2.4 GHz, we only require

that Eve be roughly λ/2 = 6.25 cm away from Alice and

Bob to ensure that she gets no useful information. Thus,

while fading is typically considered harmful, it is profitably

exploited by our technique to extract perfectly secret bits

without leaking information to an adversary.

The extraction of secret bits from the wireless channel can

be viewed as a ’black-box’ that can be advantageously uti-

lized in various ways putting to good use information that is

already available from the channel. For example, in the cur-

rent 802.11i system, session keys for communication between

a station and an AP are derived by hashing together authen-

tication credentials and randomly selected nonces which are

exchanged by the two parties in the clear. This effectively

ties the confidentiality of all future messages sent over the

air to the authentication credentials. Therefore, if these cre-

dentials are compromised at some time in the future, an

adversary will be able to derive the session keys and de-

crypt all past encrypted messages. If instead, the nonces

are derived from the unique channel between the two users,

making them information-theoretically secure, a passive ad-

versary has no means to derive the session keys even if it

learns the authentication credentials [1]. Similarly, the ses-

sion keys can be updated by employing secret bits derived

from the channel to deliver the new keys, instead of relying

on previously existing keys [1]. This ensures that the confi-

dentiality of each new session is protected independently of

earlier sessions.

Yet another vulnerability in 802.11i stems from the fact

that during the establishment of a secure link between a sta-

tion and an AP, all messages exchanged over the air, includ-

ing management frames, are sent unencrypted till the point

at which both parties have obtained the session key (called

the temporal key or TK in 802.11 jargon) and are therefore

susceptible to eavesdropping by unauthorized users sharing

the wireless medium as well as to spoofing by other users.

While the 802.11w amendment seeks to protect some man-

agement frames from such attacks, it too fails to protect

messages exchanged before the the establishment of TKs.

The problem is that securing the initial exchanges between

the parties requires them to share a key which is not estab-

lished until layer. Our key extraction mechanism provides

a natural solution [2] by allowing the parties to generate a

temporary key that protects the interim exchanges before

the formal keys are in place.

Ad-hoc networks present another avenue where our tech-

nique can be useful. Alice may not care to establish Bob’s

identity if she merely wishes to employ his services to for-

ward her data over another hop but may like to establish a

secure link layer with him nevertheless so as to add link-level

encryption to her data.

Prior work in information theory has noted the potential

of using the wireless channel for generating shared secret

bits, but most of this work has been aimed at computing

theoretical limits and neither provides practical algorithms,

nor a demonstrable and quantifiable impact on security. Our

contribution in this paper may be summarized as follows:

1. We translate prior information-theoretic ideas into a

practical protocol applied to wireless channels;

2. We build a new algorithm for key extraction that, un-

like prior schemes, does not require an authenticated

channel, and we evaluate its performance for typical

fading channels;

3. We validate our algorithm using channel impulse re-

sponses measured using the 802.11a packet preamble

on a customized FPGA-based 802.11 development plat-

form and a second study that uses only coarse per-

packet RSSI information readily available to off-the-

shelf 802.11 platforms.

We emphasize that existing mobile radio platforms already

provide the information we need, but such data are normally

discarded after physical layer processing and can be prof-

itably exploited to benefit security services. It is important

to recognize that the new approach we present is intended

to augment, rather than to replace existing cryptographic

security mechanisms. It provides a new approach to estab-

lishing keys that is useful when there is no key management

infrastructure (e.g. in peer-to-peer wireless systems).

In Section 2 we summarize the related work, in Section 3

we describe our system model and the design issues relevant

to our problem, in Section 4 we describe our key-extraction

algorithm in detail, in Section 5 we evaluate the performance

of our algorithm and in Section 6 we present two experimen-

tal studies that validate our algorithm on 802.11a hardware.

We conclude in Section 7 with a discussion on the practical

implications of our proposed system and the broader impact

it may have on securing wireless systems.

2. RELATED WORK

Figure 1: The multipath fading for a signal from Alice to

Bob is different from that for the signal reaching Eve.

An extensive body of information-theoretic work during

the past several decades has explored the use of information

from the physical layer in deriving security benefits. In [3,4],

the authors introduced the problem of generating identical

bits based on correlated information available to two users

such that a third eavesdropping user does not learn anything

about the generated key. They showed, provided Alice and

Bob already share an authenticated public channel, that it

is possible to generate identical keys at the two users. The

standard method for generating secret keys at Alice and Bob

under this assumption consists of three basic steps and has

been utilized by a number of proposed systems [5–7]. In

advantage distillation [3, 8], the legitimate users, Alice and

Bob obtain correlated information while Eve is allowed to

eavesdrop, so that Alice & Bob share greater information1

than that shared between Alice & Eve or Bob & Eve. Al-

ice and Bob then convert their information into bits. In

the information reconciliation stage [6], Alice and Bob ex-

change error-correcting messages over an authenticated pub-

lic channel that allow them to agree on an identical string

of bits. However, the publicly exchanged messages reveal a

certain amount of information about the bit strings to Eve.

In privacy amplification [10], Alice and Bob diminish the

partial information revealed to Eve by systematically dis-

carding some of their common bits. Efficient protocols have

since been designed [6,11]2 to allow key generation without

leaking out information to an eavesdropping adversary.

However, a central assumption in this entire body of work

is that Alice and Bob have an authenticated channel avail-

able to them even before key generation begins. This is an

unrealistic assumption in practice because the availability of

an authenticated channel implies that Alice and Bob already

share a secret key to begin with! Therefore, the purpose of

generating a common secret key is defeated.

In [13], Maurer and Wolf showed that secret key extrac-

tion without an authenticated channel is possible only if Eve

cannot possibly transmit a signal to Bob that is statistically

indistinguishable from signals coming from Alice (and vice-

versa). This provides an important insight that has not been

translated into a practical algorithm. Our work is the first

to build upon this result: we use use the wireless channel to

guarantee that Eve does not possess the required informa-

tion to prevent key generation.

More recently, [14] examined PHY-layer based authenti-

cation and confidentiality in wireless systems. The work

in [15,16] looked at authentication using channel signatures

between the transmitter and receiver(s). Our work is per-

haps most closely related to the work of [17], which proposes

1In information-theoretic terms, the amount of information

between two observations X and Y is measured by the mu-

tual information I(X;Y ) between them [9].

2Much of this work was done in the context of quantum key

distribution. For a more complete bibliography on quantum

key distribution see [12].

a scheme for generating secret bits from correlated observa-

tions of deep fades by two users communicating via a TDD

link. This work focuses on the theoretical construction for

extracting randomness through use of universal hash fam-

ilies. However, they do not demonstrate or evaluate the

amenability of the wireless channel to detection of deep fades

by both users using TDD to the degree of precision required

by their scheme. Their work does not provide a quantifi-

cation of the secret key rate versus parameters associated

with the underlying fading process or parameters involved

in their algorithm. Additionally, we note that their method

focuses primarily on a passive adversary. The reliance on

deep fades can be easily exploited by an active adversary

that produces greater interference power at one legitimate

user than the other so that a deep fade for one user may not

be a deep fade for the other. In [18], a method exploiting

channel reciprocity using ultra-wideband (UWB) channels

to generate secret bits was presented. In [19], specialized

electronically steerable antennas were proposed for use in

generating key bits by exploiting channel reciprocity. The

methods in [17–19] all rely on conventional reconciliation

for correcting bit-errors, and thus require an authenticated

channel. In [20,21], a method for secret key generation based

on phase reciprocity of frequency selective fading channels

was proposed. While this is attractive, it is difficult to im-

plement or evaluate in practice because accurate phase in-

formation is difficult to harvest from existing hardware plat-

forms.

In contrast to prior work, the algorithm we propose tran-

scends the requirement of an authenticated channel, does

not require specialized hardware and is not limited to UWB

channels. We provide both a fundamental analysis as well as

a real-world experimental implementation of our algorithm

and show that existing mobile platforms already provide suf-

ficeint information for producing secret bits using our algo-

rithm. We evaluate the randomness of the bit-sequences

produced by our algorithm, a generally overlooked aspect

in prior work on secret key generation, and show that they

are suitable for use as cryptographic keys. Lastly we note

that our technique may be compared with classical key es-

tablishment techniques such as Diffie-Hellman, which also

use message exchanges to establish keys. However, clas-

sical cryptographic key establishment techniques rely upon

the (unproven) arguments of computational complexity such

as the hardness of inverting discrete logarithms or factor-

ing a product of large prime numbers, while our algorithm

provides information-theoretic security, which does not rely

on these computational hardness assumptions and builds a

practical methods to achieve this type of security. In this

way we provide an analog of quantum cryptography for wire-

less networks.

3. SYSTEM MODEL & DESIGN ISSUES

The crucial insight that allows the wireless channel to be

amenable for generating a secret key is that the received sig-

nal at the receiver is modified by the channel in a manner

that is unique to the transmitter-receiver pair. It is the mod-

ification of the transmitted signal by the wireless multipath

channel that introduces information into the received signal

from which we can extract secret bits. This distortion cap-

tures information that depends critically upon the location

of the transmitter, the receiver, and the placement of scat-

tering surfaces in the wireless environment. Typically, such

distortion is estimated at the physical layer of the receiver

and the associated distortion information dealt with to en-

sure reliable physical layer decoding of the communication

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

0

0.5

1

1.5

2

2.5

Time (sec)

M

ag

ni

tu

de

(a)

10 20 30 40 50 60 70

0

0.5

1

1.5

2

(b)

Probe index number

M

ag

ni

tu

de

o

f c

ha

nn

el

p

ar

am

et

er q

+

level

q

−

level

h(t) process

Alice’s estimates

Bob’s etimates

Alice

Bob

q

+

q

−

3 pts above q

+

4 pts above q

+

Figure 2: (a) A sample realization of a Rayleigh fading

stochastic process. (b) Successive channel estimates of the

process by Alice and Bob showing excursions above the q+

and below the q− levels on a magnified portion of (a).

Symbol Meaning

h Stochastic channel parameter of interest

h(t) Value of the stochastic process h at time t

s(t) Probe signal transmitted to estimate h(t)

fd Maximum Doppler frequency (Hz)

fs Rate at which each user sends probes (Hz)

q+, q− Quantizer bin boundaries (Upper and lower resp. )

m Reqd. min. # of estimates in a excursion

N Length of key in bits

Rk Rate of generation of secret bits (s-bits/sec)

pe Probability of a bit error

pk Probability of key mismatch = 1− (1− pe)

N

Table 1: A summary of the notation used

signal. However, since this information is always present and

uniquely corresponds to the transmitter-receiver pair, it also

provides our transmitter (Alice) and receiver (Bob) a means

to privately establish secret bits associated with this distor-

tion. In this section, we focus on the challenges of using the

stochastic nature of the wireless channel to secretly establish

bits. We break down our discussion to include a description

of: (1) the underlying channel model associated with mul-

tipath fading; (2) the tools needed to obtain bits from the

channel response; and (3) the design goals that need to be

addressed in order to reliably establish these bits. To assist

the reader, we provide notation in Table 1.

3.1 Channel model

Let h(t) be a stochastic process corresponding to a time-

varying parameter that describes the wireless channel be-

tween Alice and Bob. Although there are many choices for

h(t), for our discussion, we shall assume that h(t) is the

magnitude of the transfer function of the multipath fading

channel between Alice and Bob evaluated at a fixed test fre-

quency, f0. Implicit in this formulation is the observation

that the system transfer function of the channel is the same

in the Alice →Bob direction as in the Bob→Alice direction

at a given instant of time. This follows from reciprocity,

which is a fundamental property of electromagnetic wave

propagation [22,23] in a medium and must not be confused

with additive noise or interference, which may be different

for different receivers. To distinguish between the channel

parameter of interest, and its value at a given instant of

time, we denote the parameter by h and refer to its value

as h(t). To estimate the parameter h, Alice and Bob must

transmit known probe signals to one another. Each party

can then use the received signal along with the known probe

signal to compute an estimate hˆ of the parameter h. Since

practical radios are half duplex due to hardware constraints,

Alice must wait to receive a probe signal from Bob before

she can transmit a probe to him and vice-versa. In the time

between the two successive probes, h(t) changes slightly in a

manner that is modeled by an appropriate underlying prob-

ability distribution (e.g. Gaussian). The received signal at

Alice and Bob due to successive probes may be written as

ra(t1) = s(t1)h(t1) + na(t1) (1)

rb(t2) = s(t2)h(t2) + nb(t2), (2)

where s(t) is the known probe signal, na & nb are the in-

dependent noise processes at Alice and Bob and t1 & t2 are

the time instants at which successive probes are received by

Alice and by Bob respectively. Using the received signal,

Alice and Bob, each compute (noisy) estimates of h:

hˆa(t1) = h(t1) + za(t1) (3)

hˆb(t2) = h(t2) + zb(t2), (4)

where za and zb represent the noise terms due to na and

nb respectively after having been processed by the function

that estimates h. We refer the reader to [24] for designing

good estimator functions for h. The estimates hˆa and hˆb

are in all likelihood unequal, due in part to the independent

noise terms and in part to the time lag τ , however they can

be highly correlated if Alice and Bob send probes to one

another at a fast enough 3 rate, i.e. if τ = t2 − t1 is small.

By repeatedly sending probes in an alternating manner over

the time-varying channel, Alice and Bob can generate a

sequence of n estimates hˆa = {hˆa[1], hˆa[2], . . . , hˆa[n]} and

hˆb = {hˆb[1], hˆb[2], . . . , hˆb[n]} respectively, that are highly

correlated, as in Figure 2. Although Eve can overhear the

probe signals sent by each of the users, the signals received

by Eve are completely different:

rbe(t1) = s(t1)hbe(t1) + ne(t1) (5)

rae (t2) = s(t2)hae(t2) + ne(t2), (6)

where hbe and hae denote the channel between Bob & Eve

and between Alice & Eve respectively and ne is the noise

added at Eve. If Eve is more than ∼ λ/2 away from Al-

ice and Bob, then hae and hbe are uncorrelated with h [25].

Therefore, despite possessing knowledge of the probe signal

s(t), Eve cannot use her received signals to compute mean-

ingful estimates of the Alice-Bob channel, h.

3.2 Converting the channel to bits

Alice and Bob must translate their respective sequences of

channel estimates to extract identical bit-strings. Further,

the bit strings they generate must be suitable for use as

cryptographic keys. This means that they must be:

1. Suitably long: Keys of length 128 to 512 bits are com-

monly used in symmetric encryption algorithms. So

they should be able to generate at least these many

bits in a reasonable amount of time.

2. Statistically random: The bits should be random with

equal probability of a ‘0’ and a ‘1’. Also, the bit-

sequences must not suffer from statistical defects that

could be exploited by an attacker.

3‘Fast enough’ here is in relation to the coherence time of

the channel, which is inversely proportional to the maximum

Doppler frequency fd.

The second requirement guarantees that the generated key

has desirable security properties. That is, an N-bit key must

really provideN bits of uncertainty to an adversary who only

knows the key generation algorithm and nothing else.

We now briefly describe how to obtain bits from the chan-

nel estimates hˆa and hˆb, to provide the intuition behind our

algorithm, while postponing a formal description to Sec-

tion 4. The sequence of channel estimates hˆa and hˆb are

sequences of random variables, drawn from an underlying

probability distribution that characterizes the random chan-

nel parameter h. We assume, for the sake of our discussion,

that h(t) is a Gaussian random variable and the underly-

ing stochastic process h is a stationary Gaussian process. A

Gaussian distribution for h may be obtained, for example,

by taking h to be the magnitude of the in-phase component

of a Rayleigh fading process between Alice and Bob [22].

It must be noted that the assumption of a Gaussian distri-

bution on h is for ease of discussion and our algorithm is

equally valid in the general case.

Since the channel estimates computed by Alice and Bob

are continuous random variables, it is necessary to quantize

their estimates using a quantizer Q(·) to obtain bits. How-

ever, a straightforward quantization of the vectors hˆa and

hˆb is not sufficient because it does not guarantee that an

identical sequence of bits will be generated at the two users.

In our scheme, Alice and Bob use the channel statistics to

determine scalars, q+ and q− that serve as reference levels

for the quantizer Q(·) as follows:

Q(x) =

1 if x > q+

0 if x < q−

. (7)

Alice then parses through her channel estimates hˆa to deter-

mine the locations of excursions4 of her channel estimates

above q+ or below q− that are of a duration ≥ m esti-

mates, i.e., m successive channel estimates in hˆa are > q+

or < q−, where m is a protocol parameter. She sends Bob

a message over the public channel containing the locations

of k such excursions in the form of an array of indexes

L = {l1, l2, . . . , lk}. Bob then checks his own sequence hˆb

at the locations specified by the indexes in L to determine

whether it contains an excursion above q+ or below q− for

a duration greater than or equal to ‘m − 1’ samples, i.e.

whether hˆa(li) is > q+ or < q− for a duration that spans

m−1 or more estimates, for each i = 1, . . . , k. Bob identifies

‘good’ indexes by finding all index values l in L that produce

such an excursion in hˆb. He places these indexes into an ar-

ray L˜ to be sent to Alice publicly. Indexes in L but not in L˜

are dropped from consideration by each party. The indexes

in L˜ are used by each user to compute a sequence of bits

by performing the quantization: Q(hˆa(L˜)) and Q(hˆb(L˜)). If

the bit-vectors Q(hˆa(L˜)) and Q(hˆb(L˜)) are equal, then Alice

and Bob succeed in generating |L˜| identical bits. We show

later that provided the levels q+, q− and the parameter m

are properly chosen, the bit sequences generated by the two

users are equal with very high probability. A variation of

the protocol that copes with the spoofing attack is detailed

in Section 4.1.

3.3 Design goals

An important quantity of interest will be the rate of gen-

eration of secret bits, expressed in secret-bits per second or

‘s-bits/sec’. Naturally, it is desirable that Alice and Bob

achieve a high secret-bit rate. According to 802.1x recom-

4A stochastic process is in an excursion when it lies above

or below a specified level for a given duration of time.

mendations, it is generally desirable for master keys to be

refreshed at intervals of one hour [26]. Using these exam-

ples and AES key sizes of 128 bits as a guideline, a con-

servative key rate of roughly 0.1 bits per second is needed,

though it is desirable to achieve higher secrecy rates. How-

ever, we are especially wary of bit errors. If the sequence

Q(hˆa(L˜)) is different from Q(hˆb(L˜)) even by a single bit,

then the two bit-strings cannot be used as cryptographic

keys and consequently the entire batch of bits must be dis-

carded. Therefore, we would like the bit error probability

pe, to be extremely low, so that the probability pk that the

keys generated by the two users do not match is acceptably

small. For example, in order to have a key-mismatch prob-

ability of pk = 10

−6, assuming keys of length 128 bits, we

must target a bit-error probability of pe where

pk = 1− (1− pe)128, (8)

which gives pe ∼ 10−8. A bit-error is defined as the event

that Alice and Bob agree to use a certain index li contained

in the list L˜ for generating a bit, but they end up generating

different bits, i.e. hˆa and hˆb both lie in excursions at the

index li but the excursions are of opposite types.

The rate at which secret bits can be extracted from the

channel is fundamentally limited by the rate of time-variation

in the channel. We quantify this variation by the maximum

Doppler frequency, fd. In a fading channel, fd determines

the both the rate at which the channel varies and the mag-

nitude of the swings produced. A simple measure of the

maximum Doppler frequency in a given wireless environ-

ment is given by fd =

v

λ

, where v is a measure of the effects

of user mobility and the dynamic environment around the

users, expressed in meters/sec and λ is the wavelength of

the carrier wave. In our case λ = c

f0

, where c is the speed of

light. It can be seen that increasing the value m or the mag-

nitudes of the quantizer boundaries q+ & q− would not only

result in a lower rate but also a lower probability of error.

Intuitively, this is because larger magnitudes of q+ & q−, or

a larger value of m makes it less likely that Alice’s and Bob’s

channel estimates lie in opposite type of excursions, thereby

reducing the error rate. However both types of excursions

also become less frequent, thereby decreasing the number of

secret bits that can be generated per second. Thus, there is

a tradeoff between rate and probability of error, and the pa-

rameters q+, q− and m provide convenient controls to select

suitable operating points over this tradeoff. Apart from gen-

erating bits at a reasonable rate and achieving robustness to

errors, we also require the bits to be random and free from

statistical defects. This aspect is discussed in Section 5.3.

Finally, the correlated information obtained by Alice and

Bob can be utilized to build a secret key in a number of

different ways and it is important to make sure the method

employed does not allow Eve to infer any useful information.

An alternative bit extraction scheme is to have each user es-

timate a statistical measure of the channel (e.g. the mean

signal-strength, or variance in the estimates) using hˆa and

hˆb respectively. If the channel is stationary

5, then their re-

spective statistical measures would each converge to the true

value with time. In this way, Alice and Bob will each pos-

sess knowledge about a numerical quantity, without having

actually sent messages over the air containing this quantity.

They could then quantize their estimates of the statistical

measure to generate bits. However, the trouble with using a

statistical measure is that knowledge of the locations of Al-

5By stationary, we mean a channel whose stochastic charac-

teristics do not vary significantly over the time duration of

the key extraction protocol.

ice and Bob and their environment may allow Eve to infer

the statistics of the channel between them. Indeed publicly

available tools, such as the WISE ray-tracer [27], make it

easy to predict the signal statistics at a receiver given the

knowledge of the locations of the transmitter and receiver

and the building’s layout. Thus, it is important to recog-

nize that using a statistical measure for key generation can

be perilous. Our algorithm avoids statistical measures from

influencing the secret-key generation process by relying on

specific instantiations of the fading process.

4. LEVEL-CROSSING ALGORITHM

We now detail our key-extraction algorithm based on level

crossings and quantization of Alice’s and Bob’s channel es-

timates. It is assumed that when the algorithm is run, Alice

and Bob have collected a sufficiently large number of chan-

nel estimates hˆa and hˆb, by alternately probing the channel

between themselves. Further, it is assumed that the vectors

hˆa and hˆb are of equal length and their j

th elements hˆa(j)

and hˆb(j) correspond to successive probes sent by Bob and

Alice respectively, for each j = 1, . . . , length(hˆa). Algorithm

1 describes the procedure and consists of the following steps:

1. Alice parses the vector hˆa containing her channel es-

timates to find instances where m or more successive

estimates lie in an excursion above q+ or below q−.

2. Alice selects a random subset of the excursions found

in step 1 and for each selected excursion, she sends Bob

the index of the channel estimate lying in the center of

the excursion, as a list L. Therefore, if hˆa(i) > q+ or

< q− for some i = istart, . . . , iend, then she sends Bob

the index icenter = ⌊ istart+iend2 ⌋.

3. For each index received from Alice, Bob checks whether

his own vector of channel estimates hˆb contains at least

m−1 channel estimates centered around that index in

an excursion above q+ or below q−, i.e. whether hˆa >

q+ or < q− for each index

˘

l − ⌊m−2

2

⌋, . . . , l + ⌈m−2

2

⌉¯,

for each l ∈ L.

4. For some of the indexes in L, Bob’s channel estimates

do not lie in either excursion. Bob makes a list L˜ of

all indexes that lie in excursions and sends it to Alice.

5. Bob and Alice compute Q(hˆa) and Q(hˆb) respectively

at each index in L˜, thus generating a sequence of bits.

Since Eve’s observations from the channel probing stage

do not provide her with any useful information about hˆa

and hˆb, the messages L and L˜ exchanged between Alice and

Bob do not provide her with any useful information either.

This is because they contain time indexes only whereas the

generated bits depend upon the values of the channel esti-

mates at those indexes. Further, the selection of a random

subset in Step 2 from the set of eligible excursions found in

Step 1, guarantees that Eve cannot use L and L˜ to infer the

values of the channel estimates of Alice or Bob at those time

indexes.

4.1 Preventing a spoofing attack

Since Alice and Bob do not share an authenticated chan-

nel, Eve can impersonate Alice in Step 2, or Bob in Step

4 above, allowing for a spoofing attack. If successful, such

an attack would allow Eve to insert her own ‘fake’ L or

L˜ messages, thereby spoofing a legitimate user to the other

and effectively disrupting the protocol without revealing her

presence to the two users.

Algorithm 1: The basic level crossing algorithm

Input : hˆa and hˆb

Output : A cryptographic key Ka = Kb at Alice and Bob

Alice:

for i = 1 to length(hˆa)−m do

if Q(hˆa[i]) = Q(hˆa[i + 1]) . . . = Q(hˆa[i+m− 1]) then

iend ← last index in excursion

L′ ← [L′ ; ⌊

i+iend

2 ⌋]

i← iend + 1

else

i← i + 1

end

end

L = Random subset of L′

Alice sends L to Bob on PUBLIC_CHANNEL .

Bob:

for l ∈ L do

if Q

“

hˆb(l− ⌊

m−2

2 ⌋)

”

= . . . = Q

“

hˆb(l+ ⌈

m−2

2 ⌉)

”

then

L˜← [L˜; l]

end

end

Kb = Q

“

hˆb(L˜)

”

Bob sends L˜ to Alice on PUBLIC_CHANNEL.

Alice:

Ka = Q(hˆa(L˜))

Our protocol provides a mechanism to detect the adver-

sary in each of the two cases above. We first focus on the

possibility of Eve inserting a fake L-message. Since Eve

has no information about the locations of channel excur-

sions apart from L, she can only make random guesses about

which indexes to place into a fake L-message to Bob (apart

from the ones Eve learns from L). For each guess, she has

a very low probability of choosing an index that lies in an

excursion spanning (m − 1) or more estimates at Bob. Of

these, the indexes that do not lie in an excursion in hˆb are

discarded by Bob while those that do happen to lie in an ex-

cursion are considered eligible for quantization and placed

into the L˜-message sent to Alice. Therefore, an unsuccessful

guess provides no benefit to Eve, while a successful guess,

albeit improbable, causes L˜ to contain an index that was not

present in L, thereby alerting Alice. Thus, Eve must modify

the message L˜ by deleting this index before it reaches Alice.

Our protocol can be made to resist modification of the

L˜-message as follows. Once Bob computes the list L˜, he

can proceed with the quantization stage and compute Kb =

Q(hˆb(L˜)) of length N bits. The first Nau bits of Kb are kept

aside for use as an authentication keyKau = Kb(1, . . . , Nau),

to prevent a spoofing attack and the remaining N − Nau

bits are kept as the extracted secret key K¯b = Kb(Nau +

1, . . . , N). Bob computes a message authentication code for

L˜ using Kau to obtain MAC

“

Kau, L˜

”

. Finally, he sends

the package

n

L˜,MAC

“

Kau, L˜

”o

to Alice. Upon receiv-

ing this package, Alice uses L˜ to form the sequence of bits

Ka = Q(hˆa(L˜)). She uses the first Nau bits of Ka as the au-

thentication key Kau = Ka(1, . . . , Nau), and using Kau she

verifies the message authentication code to confirm that the

package was indeed sent by Bob. Since Eve does not know

the bits in Kau generated by Bob, she cannot modify the

L˜-message without failing authentication at Alice. Finally,

if Eve inserts a significant number of random guesses into

a fake L-message, Bob can detect her presence by comput-

ing the proportion of indexes in L that lead to excursions in

hˆb. Since Eve can only make random guesses, this quantity

would be much lower than one resulting from a legitimate

L-message from Alice. Therefore, even without an authen-

Algorithm 2: Modified algorithm incorporating au-

thentication and resistance to an active attack.

Input : hˆa and hˆb

Output : A cryptographic key K¯a = K¯b at Alice and Bob

Alice:

for i = 1 to length(hˆa)−m do

if Q(hˆa[i]) = Q(hˆa[i+ 1]) = . . . = Q(hˆa[i+ m− 1]) then

iend ← last index in excursion

L′ ← [L′ ; ⌊

i+iend

2 ⌋]

i← iend + 1

else

i← i+ 1

end

end

L = Random subset of L′

Alice sends L to Bob on PUBLIC_CHANNEL.

Bob:

for l ∈ L do

if Q

“

hˆb(l− ⌊

m−2

2 ⌋)

”

= . . . = Q

“

hˆb(l+ ⌈

m−2

2 ⌉)

”

then

L˜← [L˜; l]

end

end

if

n

|L˜|

|L| < 0.5 + ǫ

o

then

DECLARE ACTIVE ATTACK

else

Kb = Q

“

hˆb(L˜)

”

Kau = Kb(1, . . . , Nau)

K¯b = Kb(Nau + 1, . . . , N)

Package =

n

L˜,MAC

“

Kau, L˜

”o

Bob sends Package to Alice on PUBLIC_CHANNEL.

end

Alice:

Ka = Q

“

hˆa(L˜)

”

Kau = Ka(1, . . . , Nau)

K¯a = Ka(Nau + 1, . . . , N)

if MAC validation using Kau fails then

DECLARE ACTIVE ATTACK

end

ticated channel, Alice and Bob can successfully establish

a common secret key despite an active adversary, provided

there are no bit errors. This explains why we insist on a very

low probability of error in Section 3.3. Further, the reduc-

tion in the secret-bit rate is negligible over a long run of the

protocol because the Nau bits used for authentication are a

one-time expense that allow Alice and Bob to bootstrap au-

thentication. A modified version of the secret key extraction

algorithm that incorporates the above ideas is presented as

Algorithm 2 (see Figure 3) and has the following additional

steps:

1. To make sure that the L-message received is really

from Alice, Bob computes the fraction of indexes in L

at which hˆb lies in an excursion spanning (m − 1) or

more estimates. If this fraction is less than 1

2

+ ǫ, for

some fixed parameter 0 < ǫ < 1

2

, Bob concludes that

the message was not really sent by Alice, implying that

an adversary has injected a fake L-message.

2. If the authentication check above passes, Bob replies

to Alice with a message L˜ containing those indexes

in L at which hˆb lies in an excursion. Bob computes

Kb = Q(hˆb(L˜)) to obtain N bits. The first Nau bits are

used as an authentication key to compute a message

authentication code (MAC) of L˜. The remaining N −

Figure 3: Timing diagram for the key-extraction protocol.

Nau bits are kept as the extracted secret key. The

overall message sent by Bob is

n

L˜,MAC

“

Kau, L˜

”o

.

Another type of active attack involves Eve impersonating Al-

ice or Bob during the channel-probing stage itself, i.e. Eve

may begin sending probes to Bob pretending to be Alice

or vice-versa. Such an attack can be detected using a hy-

pothesis testing approach on the sequence of probes received

at each legitimate user, and this has been extensively stud-

ied in [15, 16]. Essentially, legitimate users compare each

newly received probe against the recent history of received

probes from the other legitimate user using a hypothesis

test. The technique relies on the insight that given a suf-

ficiently fast probing rate, successive probes received at a

legitimate user are most likely to differ by a small amount.

In practice the hypothesis test is implemented by compar-

ing a likelihood ratio [28] with a threshold and is based on

a Neyman-Pearson criterion. We do not present further de-

tails on this type of attack here. Detection of Eve using the

hypothesis test can only be accomplished if Alice and Bob

have already exchanged some probes. If Eve impersonates

either or both legitimate users from the very beginning of

the channel probing stage, then the method is susceptible to

a man-in-the-middle attack wherein Eve can establish two

keys, one each with Alice and Bob, while giving Alice and

Bob he impression that they have established a key with

themselves. We note that this problem can be alleviated

using techniques similar to those used to secure the Diffie-

Hellman protocol.

5. PERFORMANCE EVALUATION

The central quantities of interest in our protocol are the

rate of generation of secret bits, the probability of error

and the randomness of the generated bits. The controls

available to us are the parameters: q+, q−,m and the rate

at which Alice and Bob probe the channel between them-

selves, fs. We assume the channel is not under our con-

trol, and as explained in Section 3.3, the rate at which the

channel varies can be represented by the maximum Doppler

frequency, fd. The typical Doppler frequency for indoor

wireless environments at the carrier frequency of 2.4 GHz

is fd =

v

λ

∼ 2.4×109

3×108

= 8 Hz, assuming a velocity v of 1

m/s. We thus expect typical Doppler frequencies in indoor

environments in the 2.4 GHz range to be of the order of

about 10 Hz and 20 Hz in the 5 GHz range. For automobile

scenarios, we can expect a Doppler of ∼ 200 Hz in the 2.4

GHz range.

5.1 Probability of error

The probability of error, pe is critical to our protocol. As

explained in equation (8), in order to achieve a robust key-

mismatch probability pk, the bit-error probability pe must

2 3 4 5 6 7 8 9 10 11

−8

−7

−6

−5

−4

−3

−2

−1

0

Value of m

Pr

ob

ab

ilit

y

of

b

it

er

ro

r,

p e

(lo

g 1

0

sc

a

le

)

SNR = 0 dB

SNR = 10 dB

SNR = 20 dB

SNR = 30 dB

SNR = 40 dB

Figure 4: Probability of bit error pe for various values of m

at different SNR levels (q± = mean ± 0.8σ)

be much lower than pk. A bit-error probability of pe =

10−7 ∼ 10−8 is desirable for keys of length N = 128 bits.

We have explained in Section 3.3 that there is a fundamental

trade-off in the selection of parameters m, q+ and q− that

affects the rate and probability of error in opposing ways.

The probability of bit-error, pe is the probability that a

single bit generated by Alice and Bob is different at the

two users. The symmetry of the distribution of h allows

us to consider just one type of bit error in computing pe.

Consider the probability that Bob generates the bit “0” at

an index given that Alice has chosen this index but she has

generated the bit “1”. As per our Gaussian assumption on

the parameter h and estimates hˆa and hˆb, this probability

can be expanded as

P (B = 0|A = 1) =

P (B = 0, A = 1)

p(A = 1)

= (9)

Z ∞

q+

Z q−

−∞

. . .

Z ∞

q+| {z }

(2m−1) terms

(2pi)(1−2m)/2

|K2m−1|

1/2

exp

n

− 12x

TK

−1

2m−1x

o

d(2m−1)x

Z ∞

q+

. . .

Z ∞

q+| {z }

(m) terms

(2pi)−m/2

|Km|

1/2

exp

n

− 12x

TK

−1

m x

o

d(m)x

,

where Km is the covariance matrix of m successive Gaus-

sian channel estimates of Alice and K2m−1 is the covariance

matrix of the Gaussian vector (hˆa[1], hˆb[1], hˆa[2], . . . , hˆb[m−

1], hˆa[m]) formed by the combining m channel estimates of

Alice and the m−1 estimates of Bob in between, in chrono-

logical order. The numerator in (9) is the probability that of

2m− 1 successive channel estimates (m belonging to Alice,

and m − 1 estimates in between belonging to Bob), all m

of Alice’s estimates lie in an excursion above q+ while all

m− 1 of Bob’s estimates lie in an excursion below q−. The

denominator is simply the probability that all of Alice’s m

estimates lie in an excursion above q+. We compute these

probabilities for various values of m and present the results

of the probability of error computations in Figure 4. The

results confirm that a larger value of m will result in a lower

probability of error. This is because a larger m makes it less

likely that Alice’s and Bob’s estimates would lie in opposite

types of excursions. Note that if either user’s estimates do

not lie in an excursion at a given index, a bit error is avoided

because that index is discarded by both users.

5.2 Secret-bit rate

The correct way to address the tradeoff between prob-

ability of error and rate of generation of secret bits is to

upper bound the acceptable probability of error and then

attempt to derive the greatest possible rate. How many

s-bits/second can we expect to derive from a time-varying

channel? An approximate analysis can be done using the

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

0

2

4

6

8

10

12

Probing rate (KHz)

R

at

e

in

s

ec

re

t b

its

/s

ec

(a)

m=2

m=4

m=8

m=14

m=20

0 5 10 15 20 25 30 35 40 45 50

0

20

40

60

80

100

120

(b)

Probing rate (KHz)

R

at

e

in

s

ec

re

t b

its

/s

ec

m=2

m=4

m=8

m=14

m=20

fd = 10 Hz

fd = 100 Hz

Figure 5: Rate in secret bits per second for various values of

m, against probing rate for a channel with Doppler frequency

(a) fd = 10 Hz and (b) fd = 100 Hz (q± = mean ± 0.8σ)

level-crossing rate for a Rayleigh fading process, given by

LCR =

√

2πfdρe

−ρ2 [22], where fd is the maximum Doppler

frequency and ρ is the threshold level, normalized to the root

mean square signal level. Setting ρ = 1 in this expression

gives LCR ∼ fd.

The above calculation tells us that we cannot expect to

obtain more s-bits per second than roughly the order of fd.

In practice, the rate of s-bits/sec depends also on the channel

probing rate fs, i.e. how fast Alice and Bob are able to send

each other probe signals. In Figure 5 (a) and (b), we plot the

rate in s-bits/sec as a function of the channel probing rate

for a wireless channel with maximum Doppler frequencies of

fd = 10 Hz and fd = 100 Hz respectively. As expected, we

find that the number of s-bits the channel yields increases

with the probing rate, but saturates at a value that is of the

order of fd. A more precise analysis of the secret-bit rate can

be performed as follows: The number of s-bits/sec equals

the number of s-bits per observation times the number of

observations per second, i.e. the probing rate. Therefore

Rk = H(bins) × p(A = B) ×

fs

m

(10)

= 1× (p(A = 1, B = 1) + p(A = 0, B = 0))×

fs

m

(11)

= 2

fs

m

× p(A = 1, B = 1) (12)

=2

fs

m

.

Z ∞

q+

. . .

Z ∞

q+| {z }

(2m−1) terms

(2π)

1−2m

2

|K2m−1|1/2

e

n

− 1

2

xTK

−1

2m−1x

o

d

2m−1

x,(13)

where H(bins) is the entropy of the random variable that

determines which bin (> q+ or < q−) of the quantizer the

observation lies in, which in our case equals 1 assuming that

the two bins are equally likely6. The probing rate fs is

normalized by a factor of m because a single ‘observation’

in our algorithm is a sequence of m channel estimates. The

expression in (13) is reminiscent of the probability of error

expression in (9) and has been evaluated in Figure 5.

Figure 5 confirms the intuition that the secret bit rate

must fall with increasing m. This is because the longer du-

ration excursions of the Gaussian processes required by a

larger value of m are less frequent. In Figure 6 (a), we inves-

tigate how the secret-bit rate Rk varies with the maximum

Doppler frequency fd, i.e. as the amount of time-variation

of the channel is changed. We found that for a fixed channel

6The levels q+ and q− are chosen so as to maintain equal

probabilities for the two bins.

0 50 100 150 200 250

0

50

100

150

200

250

Doppler frequency fd (Hz)

Se

cr

et

b

its

p

er

s

ec

on

d

m=2

m=3

m=4

m=5

m=6

Probing rate f

s

= 4 Khz

(a)

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

0

5

10

15

Value of α

Se

cr

et

b

its

p

er

s

ec

on

d

f

s

= 3.5 KHz, any m

m=4, f

s

= 500 Hz

m=8, f

s

= 500 Hz

m=12, f

s

= 500 Hz

q

+

= mean+α⋅σ

q

−

= mean−α⋅σ

fd = 10 Hz

(b)

Figure 6: (a) Secret-bit rate for varying Doppler fd and

fixed fs for various values of m (b) Rate as a function of

function of quantizer levels q+ & q− parametrized by α.

probing rate (in this case, fs = 4000 probes/sec), increas-

ing fd results in a greater rate but only up to a point, after

which the the secret-bit rate begins to fall. Thus, ‘running

faster’ does not always help unless we can increase the prob-

ing rate fs proportionally. This suggests that not only does

each channel have an optimal minimum probing rate for de-

riving the best possible secret-bit rate, but each probing rate

also corresponds to a most ‘useful’ maximum Doppler fre-

quency. Figure 6(b) shows the expected decrease in rate as

the quantizer levels q+ and q− are increased in magnitude.

In this figure, α denotes the number of standard deviations

from the mean at which the quantizer levels are placed.

5.3 Randomness of generated bits

Guaranteeing that the generated bits are random is crucial

because they are intended for use as a cryptographic key.

Since we have assumed the adversary possesses complete

knowledge of our algorithm, any non-random behavior in the

bit sequences can be exploited by the adversary to reduce

the time-complexity of cracking the key. For example, if the

algorithm is known to produce a greater proportion of ‘1’s

than ‘0’s, then the effective search space for the adversary

would be reduced. Consequently a variety of statistical tests

have been devised to test for various defects [29].

In evaluating the randomness of bit sequences generated

by our algorithm, we focus on Maurer’s universal statistical

test [30], a widely accepted benchmark for testing random-

ness. The test statistic relates closely to the per-bit entropy

of the sequence, and thus measures the actual cryptographic

significance of a defect as related to the running time of an

adversary’s optimal key-search strategy [30]. It detects a

broad class of statistical defects and therefore subsumes a

number of other standard tests.

In addition to Maurer’s universal test, we ran a few other

basic tests using the public-domain test suite made available

by NIST [31]. We refer the interested reader to [32] for a

description of these tests and the definitions of p − value

for each test. The results for these are summarized in Table

2. Subsequent runs produced comparable results and thus

support the conclusion that our algorithm provides random

bits. In particular, Maurer’s test showed the average entropy

of our bit-sequences is very close to the value expected for

a truly random sequence. This can be possible only if suc-

cessive bits are almost independent of one another, which

in turn requires that they must be separated in time by at

least a ‘coherence time’ interval. Since the coherence time of

a channel is inversely proportional to the Doppler frequency,

extracting bits from a channel at a rate significantly greater

than fd cannot possibly produce random bits. We observed

Test P-value

Maurer’s Test 0.8913

Monobit frequency 0.9910

Runs Test 0.1012

Approx. entropy 0.8721

Random excursions 0.5829

Lempel Ziv 1.0000

Table 2: Results from randomness tests on bit sequences

(108 bits) produced by our algorithm for fd = 10 Hz, fs = 30

Hz, m = 5 and q+, q− = mean ± 0.2σ. In each test, a p-value

> 0.01 indicates the sequence is random.

in Section 5.2 that the rate at which our algorithm gen-

erates secret bits is bounded from above by approximately

the maximum Doppler fd - therefore our algorithm produces

bits slow enough for them to be random. Finally, we note

that the selection of a random subset of excursions by Alice

effectively allows her some control on selecting the final key

generated. Thus, even if a particular run happens to pro-

duce excursions at Alice containing a statistical defect in the

resulting bit sequence, she can fix the defect to some extent

by suitably choosing L from among eligible excursions.

5.4 Summarizing insights

The rate in secret bits per second that Alice and Bob de-

rive from a time-varying channel is fundamentally limited by

the rate of time-variation in the channel. To maximize rate,

we need to probe the channel fast enough. Given the fastest

possible rate at which we can probe, the parameters m, q+

and q− can be tuned to keep the probability of error within

an acceptable bound. Increasing m or the magnitudes of

q+, q− provides a drop in the error probability at the cost

of a decrease in the secret-bit rate. Further, increasing the

amount of temporal variation in a channel helps increase

the secret-bit rate but only up to a point, after which fur-

ther increase in temporal-variation produces a decrease in

the rate, unless it is accompanied by a proportional increase

in the channel probing rate. Standard randomness tests in-

dicate that our algorithm is resilient to attacks exploiting

randomness defects. Key rates significantly greater than the

maximum Doppler frequency cannot result in truly random

bits.

6. VALIDATION USING 802.11A

We now describe our experimental efforts to validate our

algorithm for typical indoor environments. Our experiments

were divided in two parts. In the first study, we delved into

the structure of an 802.11 packet to access the preamble

sequence [33] in the received signal to compute a 64-point

channel impulse response (CIR) that showed one or more

resolvable dominant paths as separate peaks. We used the

magnitude of the tallest peak in the CIR, which corresponds

to the dominant multipath, as the channel parameter of in-

terest in our algorithm. To access received signal informa-

tion at the sample level, we used an 802.11 development

platform with FPGA-based customized logic added for pro-

cessing CIR. Our results showed that our algorithm works

very well for both static and mobile scenarios, producing

error-free secret bits at rates ∼ 1 s-bits/sec in the tested

indoor environments.

Encouraged by the CIR results, we sought to determine

whether unmodified off-the-shelf 802.11 hardware could achieve

comparable results. Therefore, for the second study, we used

coarse RSSI measurements reported in the Prism headers7

7The Prism header is available on Atheros 802.11 cards using

the Madwifi [34] driver and contains RSSI and MAC-layer

timestamps among other parameters.

(a)

(b)

Figure 7: (a) Our experimental platform - a development

board for a commercial 802.11a/b/g modem IP, to which we

added custom logic to process CIR information. (b) Timing

diagram for collecting CIR information using PROBE packets

Figure 8: A layout of the experimental setup for the CIR

method (distances in cm)

of 802.11 packets exchanged between commercially available

802.11a radios, with one legitimate user configured as an

access point (AP mode) and the other as a client (station

mode), and a third user configured to listen (station mode)

on transmissions from both legitimate users.

6.1 CIR method using 802.11a

6.1.1 Experiment setup

Our experimental platform (Figure 7(a)) consisted of an

802.11 development board with commercial 802.11a/b/g mo-

dem IP, to which we added custom logic to extract the chan-

nel impulse response from received packets. This allowed us

to pull out received signal information at a level not normally

accessible using commodity 802.11 hardware and drivers.

Two such boards were set up as Alice and Bob, while a

third board was configured to be Eve. Alice was configured

to be an access point (AP mode), and Bob was configured to

be a client (station mode). The experiment involved Bob

sending PROBE request messages to Alice, who then replied

with a PROBE response message (Figure 7(b)). Limitations

of our development boards allowed us to have Eve listen on

either Alice or Bob, but not both. In the results presented

here, Eve has been configured to listen in on Alice. In the

first experiment, Alice and Eve were placed in a laboratory,

while Bob was placed in an office cubicle outside the lab.

Figure 8 shows the layout of the three users and the sur-

rounding environment. In the second experiment, Alice and

Eve remained in the same positions while Bob circled the

cubicle area along the trajectory in Figure 8 in a cart on

wheels.

Figure 9 shows a 64-point CIR obtained from a single

802.11a PROBE request packet received at Alice, along with

the corresponding CIR computed from the PROBE response

packet received by Bob in reply. Also shown is the CIR

0 10 20 30 40 50 60

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

Sample number

M

ag

ni

tu

de

Alice’s CIR

Bob’s CIR

Eve’s CIR

Figure 9: The 64-point CIR from a single 802.11 packet.

For our key-extraction algorithm, we use the magnitude of

the main peak as the channel parameter of interest.

0 100 200 300 400 500 600 700 800 900 1000

1

1.2

1.4

1.6

1.8

CIR index

(a)

M

ag

ni

tu

de

(m

ain

pe

ak

) Eve’s CIR

Bob’s CIR

Alice’ CIR

"1" bits

"0" bits

150 160 170 180 190 200 210 220 230 240 250

1.1

1.2

1.3

1.4

1.5

1.6

1.7

CIR index

(b)

M

ag

ni

tu

de

(m

ain

pe

ak

)

Key generated by Alice: 111000111110111111111111000011001000000010001

Key generated by Bob: 111000111110111111111111000011001000000010001

Key inferred by Eve: 010001010000000010001000100000000000000100000

q

+

q

−

Figure 10: (a) Traces of Alice, Bob and Eve. Variation in

avg. signal power produces longs strings of 1s and 0s. (b) A

magnified portion of the traces.

as computed by Eve, using the overheard PROBE response

packet from Alice. For the purpose of our algorithm, we use

only the magnitude of the main peak in the CIR.

Figure 10 shows the traces of the CIR’s main peak’s mag-

nitude at Alice and Bob for our first experiment. While our

experiment ran for ∼ 22 minutes, in the interest of space and

clarity we show 1000 CIRs collected over a duration of ∼ 110

seconds. The traces show significant changes in average sig-

nal power, ostensibly due to time-variations in the wireless

environment between Alice and Bob (see Figure 8). If each

user simply uses this data as input to the level-crossing bit-

extraction algorithm, the generated key has long strings of

1s and 0s (see Figure 10). This is because we are attempt-

ing to include the effect of shadow fading [22] (also called

large-scale fading) that produces large but slow swings in

the average signal power, into the key generation algorithm.

In other words, the channel in Figure 10 is not stationary.

Each user locally computes q+ and q− as:

qu+ = mean(hˆu) + α · σ(hˆu) (14)

qu− = mean(hˆu)− α · σ(hˆu), (15)

where u can be Alice or Bob, hˆu is the set of magnitudes

of the CIR’s main peak collected by user u, and σ(hˆu) rep-

resents the standard deviation of hˆu. The factor α can be

selected to vary the quantizer levels. We chose α = 1

8

for

the CIR-method. The effect of the underlying shadow fading

0 100 200 300 400 500 600 700 800 900

−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

0.3

CIR index

(a)

M

ag

ni

tu

de

(m

ain

pe

ak

)

150 160 170 180 190 200 210 220 230 240 250

−0.4

−0.3

−0.2

−0.1

0

0.1

0.2

0.3

CIR index

(b)

M

ag

ni

tu

de

(m

ain

pe

ak

)

Alice’s CIR

Bob’s CIR

Eve’s CIR

"1" bits

"0" bits

Key generated by Alice: 10101011010011001011010010100100010010001010101101010101010

Key generated by Bob: 10101011010011001011010010100100010010001010101101010101010

Key inferred by Eve: 00100100101000101110010 101000110011010100001101101111011010

q

+

q

−

Figure 11: (a) Traces of Alice and Bob after subtracting

average signal power. Using m = 5, N = 59 bits were gener-

ated in 110 seconds (Rk = 0.54 s-bits/sec) while m = 4 gives

N = 125 bits (Rk = 1.13 s-bits/sec.) with no errors in each

case. (b) A magnified portion of (a)

contained in the collected data can be removed by subtract-

ing a moving average of each trace from the original trace.

This leaves only the small scale fading that we wish to use

in our algorithm. The result is shown in Figure 11. In this

way, not only do we do away with the problem of long strings

of 1s and 0s, we also prevent the average signal power from

affecting our key generation process. Using the small scale

fading traces, our algorithm generates N = 125 s-bits in 110

seconds (m = 4), yielding a key rate of about 1.13 s-bits/sec.

6.1.2 Contrasting Eve’s attempts

Figures 10 shows a trace of Eve’s CIR peak as overheard

from Bob along with Alice’s and Bob’s traces. Figure 11

shows the bits that Eve would generate if she carried through

with the key-generation procedure. The mutual informa-

tion [9] (M.I.) between Eve’s data and Bob’s data is a use-

ful measure of the information learned by Eve about Bob’s

measurements hˆb and can be compared to the mutual infor-

mation between Alice’s and Bob’s estimates hˆa and hˆb. Ta-

ble 3 gives these mutual information values computed using

the method in [35]. As a consequence of the data process-

ing inequality [9], any processing of the received signal by

Eve would only reduce her information about the Alice-Bob

channel, and therefore the M.I. values in Table 3 provide up-

per bounds on the information about the Alice-Bob channel

leaked out to Eve. The results from our second experiment

with a moving Bob are very similar to the ones shown for the

first experiment, although with fewer bits produced. Due to

space limits, we do not present plots for the mobile experi-

ment but instead summarize our results in Table 3. It is no-

table that in the static case the M.I. between Eve and Bob

is orders of magnitude smaller than that between Alice and

Bob and very close to zero, indicating that Eve is unable

to derive any significant information about the Alice-Bob

channel. Further, the M.I. between Eve and Bob is lower in

the mobile case compared to the static case, indicating that

mobility actually helps strengthen the secrecy of generated

keys.

6.2 Coarse measurements using RSSI

6.2.1 Experiment setup

(a)

(b)

Figure 12: (a) Timing diagram for collecting RSSI infor-

mation using PING packets in the RSSI-method. (b) Exper-

imental Layout for RSSI-based method showing trajectories

of Bob and Eve, while Alice (the AP) was kept stationary.

The setup consisted of three off-the-shelf 802.11 radios.

Alice was configured in AP mode along with a virtual moni-

tor interface to capture received packets. Bob was a client,

consisting of a laptop with a 802.11a card configured in sta-

tion mode, along with virtual monitor mode for capturing

received packets. Eve was a third 802.11a node, identical

in configuration to Bob, but capable of receiving packets

from both Alice and Bob. In our experiment, Alice was sta-

tionary, while Bob and Eve moved along fixed trajectories.

Atheros [36] WiFi cards based on the 5212 chipset were used

at each end along with the Madwifi driver [34] for Linux.

The experiments were done in the 5.26 GHz channel. The

AP-station configuration ensured that MAC-layer clocks at

the two nodes were synchronized. Figure 12 (b) shows the

layout of the office building along with the location of the

fixed AP and path followed by the mobile client. ICMP PING

packets were sent from the AP to the client at a rate of 20

packets per second. Each PING request packet received at

the client generates a MAC-layer acknowledgment packet

sent back to the AP, followed by a PING response packet.

Upon receiving the PING response packet, the AP similarly

replies with a MAC-layer ACK packet.

Figure 12 (a) shows the sequence in which these packets

are sent. A tcpdump [37] application running on both the AP

and the client side recorded and time-stamped all packets re-

ceived on the monitor interface of each user. The experiment

consisted of sending 8, 000 packets from Alice to Bob. The

tcpdump traces at each end were filtered using the MAC ad-

dress field to keep only the four types of packets described

above. Further, RSSI and MAC-timestamps were pulled out

of each packet to generate a trace of (timestamp,RSSI)

pairs.

6.2.2 Modification to handle timestamps

We note that since the precise time instants at which the

PING response and PING request messages are received Al-

ice and Bob respectively cannot be controlled, there was no

way to guarantee that successive PING request messages re-

ceived by Bob were separated in time by exactly one PING

response received in between by Alice. Therefore MAC-

layer timestamps were essential to time-align RSSI informa-

tion at Alice & Bob since we did not have index numbers

with which to reference RSSI values. This required a slight

variation in our algorithm to handle MAC-timestamps in-

2.15 2.2 2.25 2.3 2.35 2.4 2.45 2.5

x 109

20

30

40

50

60

70

80

MAC layer timestamp (µs)

R

SS

I r

ec

ei

ve

d

Alice’s recd. RSSI

Bob’s recd. RSSI

"1" bits

"0" bits

Eve’s RSSI from ALice

Eve’s RSSI from Bob

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 1 0 1 1 1 1 1 0 1 1 1 1 1 1 1 1 0

1 1 0 1 0 0 1 1 1 1 1 1 1 1 1 1 0 1 1 1

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

1 1 0 1 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 0 1 0 1

0 1 1 1 0 1 1 1 1 0 1 0 1 1 1 1 1 1 1 1

1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0

0 0 0 0 1 0 1 1 1 1 1 0 0 1 0 1 0 0 1 1

0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0

0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1

Key generated

by Alice & Bob:

Bob → Eve

Alice → Eve

Bob → Alice

Alice → BobLong strings of 1s & 0s

Figure 13: RSSI traces of Alice and Bob and bits generated.

This plot includes the effect of shadow fading.

2.15 2.2 2.25 2.3 2.35 2.4 2.45 2.5

x 109

−5

0

5

10

15

MAC−timestamp (µs)

(a)

R

SS

I (5

−p

kt

av

era

ge

)

2.335 2.336 2.337 2.338 2.339 2.34 2.341 2.342

x 109

−6

−4

−2

0

2

4

6

8

MAC−timestamp (µs)

(b)

R

SS

I (5

−p

kt

av

era

ge

) AliceBob

"1" bits

"0" bits

Alice recd. RSSI

Bob’s recd RSSI

"0" bits

"1" bits

0 1 1 1 1 0 0 1 1 1 0 0 0 0 1 0 1 0 1 1 1 0 1

0 1 0 0 1 1 0 1 0 1 0 0 0 0 1 0 0 0 1 1 0 1 0

1 0 0 0 1 0 1 0 1 0 1 0 0 0 1 1 1 1 1 1 0 1 1

0 0 0 0 1 1 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1

1 1 0 1 0 0 1 1 1 1 0 1 0 0 1 0 0 0 1 1 0 0 0

1 0 1 0 1 0 0 1 0 0 1 1 1 0 1 0 0 0 1 1 1 1 0

1 0 1 1 1 0 1 1 0 1 0 0 1 0 1 1 0 0 0 1 0 1 1

0 1 0 1 0 1 0 1 1 1 0 1 1 1 0 0 0 0 1 0 1 0 1

1 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 1 1 0 0 1 0 1

1 0 1 0 0 1 1 0 0 0 1 0 0 1 1 1 0 1 0 0 1 0 0

1 1 1 1 0 1 0 1 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0

0 1 1 0 0 1 1 0 1 0 0 1 1 1 0 1 0 1 0 1 1 0 0

0 1 0 0 1 1 1 1 0 0 1 1 0 0 1 0 1 1 0 1 0 1 0

0 1 1 1 1 1 0 0 1 0 0 0 1 0 1 0 0 0 1 1 1 0 0

0 1 1 0 1 1 0 0 0 1 0 0 1 1 1 0 1 0 1 1 1 1 0

0 0 1 0 1 1 0 1 0 1 0 0 1 0 1 1 0 0 1 0 0 1 1

1 1 0 0 0 0 1 0 1 1 0 1 0 1 1 1 0 0 1 0 1 1 1

0 0 0 1 1 0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1 0

0 1 0 0 0 1 0 1 0 1 1 0 1 0 0 0 1 0 1 1 0 1 1

1 1 0 0 1 0 1 1 1 0 0 0 1 0 1 1 0 0 1 0 0 1 1

0 0 1 1

1 0 0 0

1 0 1 1

1 1 0 1

0 0 1 1

1 1 0 0

0 1 0 0

1 0 0 1

0 0 0 1

1 0 0 1

q

−

q

+

Key @ Alice

and Bob:

Figure 14: RSSI traces of Alice & Bob after subtracting

windowed mean. We get 511 bits in 392 sec using m = 4

(Rk = 1.3 s-bits/sec.)

stead of indexes in the messages exchanged between Alice

and Bob. The modifications may be summarized as:

1. Instead of sending index numbers to Bob, Alice now

sends MAC-timestamps in the message L (see Algo-

rithm 1 in Section 4).

2. For each MAC-timestamp sent by Alice, Bob finds the

MAC-timestamp in his own trace that is closest in time

to the value of the timestamp sent by Alice.

3. Bob uses the packet determined in Step 2 above as

if it were the index sent by Alice. He checks for the

presence of excursions above q+ or below q− centered

at this packer as in Algorithm 1.

The RSSI field in the Prism header of received 802.11 pack-

ets reports RSSI as integers, thereby providing only coarse

channel information. Moreover, the 802.11 cards at Alice

and Bob may not be relatively calibrated and thus may re-

port different values of RSSI. We found in our experiments

that although lacking calibration, the temporal variations in

RSSI are matched in Alice’s and Bob’s traces. This problem

was solved by subtracting out a moving average of the trace

to remove the effects of slowly varying average signal power,

as in the CIR method. Figure 13 shows the raw RSSI traces

CIR-based method

Value of m used 4

Choice of q+, q− mean ±0.125σ

Duration of experiments 1326 sec (∼ 22 min.)

Inter-probe duration 110 msec.

Static case:

Average secret-bit rate 1.28 s-bits/sec.

I(Alice; Bob) 3.294 bits

I(Bob; Eve) 0.0468 bits

Mobile case:

Average secret-bit rate 1.17 s-bits/sec.

I(Alice; Bob) 1.218 bits

I(Bob; Eve) 0.000 bits

RSSI-based method

Value of m used 4

Choice of q+, q− mean ±0.5σ

Average secret-bit rate 1.3 s-bits/sec

Inter-probe duration 50 msec.

Duration of experiment 400 sec.

I(Alice; Bob) 0.78 bits

I(Alice; Eve) 0.00 bits

I(Bob; Eve) 0.07 bits

Table 3: Summary of experimental results. I(u1;u2) denotes

the mutual information (M.I.) between the measurements of

users u1 and u2.

collected by Alice and Bob plotted against their received

MAC-timestamps. As in the CIR-method, the traces ex-

hibit strong variations in average signal power. We average

out the large-scale variations and keep only the small scale

fading effect. The result is shown in Figure 14. Our algo-

rithm produces secret bits at a rate of almost 1.3 s-bits/sec

using m = 4, where q+ and q− were computed independently

by each user as in (14)-(15) with α = 1

2

.

6.2.3 Contrasting Eve’s attempts

We plot the RSSI traces captured by Eve for both Alice’s

and Bob’s signal in Figure 13. The traces from Alice and

Bob after considering only variations about a moving aver-

age, are shown in Figure 14 along with the key generated

by Alice and Bob. Even with coarse RSSI measurements

that represent the average received signal power per-packet

over the entire 802.11 channel bandwidth, Alice and Bob can

exploit reciprocity of their channel to successfully generate

secret bits at a fairly good rate. We compute the pair-wise

M.I. between the traces of Eve, Alice and Bob in Table 3.

As in the CIR-method, we find that Eve gets almost no in-

formation about the Alice-Bob channel.

7. DISCUSSION AND CONCLUSIONS

The properties of the wireless medium can support secu-

rity objectives for wireless systems by making it easier to

establish cryptographic keys. In this paper, we proposed

a protocol that exploits the reciprocity of the transfer func-

tion of the wireless multipath channel to establish a common

cryptographic key between two communicating entities. Our

protocol obtains a security advantage from the fact that the

channel response decorrelates rapidly with distance from ei-

ther communicator, implying that there is strong protection

against a passive eavesdropper as well as an active adver-

sary attempting a spoofing attack. The performance of our

scheme was evaluated and important insights relating the

probing rate, quantizer parameters and the resulting secret

key generation rate were provided.

We also presented the results of a thorough effort to ex-

perimentally validate the utility of the wireless channel for

secret key generation. We validated our algorithm through

two complementary efforts. First, we constructed a system

to extract channel impulse response information on a cus-

tomized 802.11 development platform, where we utilized the

802.11a preamble to compute channel impulse responses on

a per-packet basis. Second, we used off-the-shelf 802.11a

cards for collecting coarse RSSI measurements. In both

cases, our algorithm worked well, generating secret bits at

a useful rate without any errors. We showed that an eaves-

dropper shares minuscule mutual information with legiti-

mate communicators, thereby supporting security against

eavesdroppers. Our work demonstrates that the multipath

information that is inherent in any wireless system (and is

normally discarded after physical layer processing), can suc-

cessfully support key establishment. More importantly, we

showed that although this capability is possible with custom

architectures, it can actually be achieved using off-the-shelf

radio platforms, and thus could lead to an immediate impact

on the security of commodity wireless systems.

The astute reader might inquire about whether varying

levels of interference at different locations in the environ-

ment would affect the secret key generation process. Our

work has provided fundamental tradeoffs relating signal-to-

interference levels to quantizer parameter selection for an

isotropic noise background. By conservatively selecting pro-

tocol parameters (e.g. selecting a larger value of m (see

Figure 4)), it is possible to improve robustness in the key

generation process, though at the cost of lowering the rate.

Beyond our fundamental observations and feasibility stud-

ies, there are many avenues for advancing the proposed pro-

tocol that could make our scheme more powerful. In partic-

ular, we have used a simple two-level scalar quantizer, and

we note that the quantizer could be optimized through vec-

tor quantization, which would allow for improved trade-off

between key generation rate and probability of error. This is

a non-trivial optimization problem though and is part of our

ongoing effort. Finally, we note that many emerging wire-

less systems are moving toward adopting MIMO or OFDM

as a means to enhance communication rates. Our algorithm

would naturally benefit from both of these, as multiple un-

correlated channels between two users would lead to a pro-

portional increase in the secret-bit extraction rate.

8. REFERENCES

[1] Method and system for deriving an excryption key using joint

randomness not shared by others. InterDigital

Communications Corporation, US Patent Application

ITC-2-1135.01.WO, 2006.

[2] System for fast secret-key extraction from a wireless channel

prior to authentication and key distribution in a wireless

communication system. InterDigital Invention Disclosure No.

9-8164, 2008.

[3] U. Maurer, “Secret key agreement by public discussion from

common information,” IEEE Transactions on Information

Theory, vol. 39, no. 4, pp. 733–742, 1993.

[4] R. Ahlswede and I. Csiszar, “Common randomness in

information theory and cryptography – Part I: Secret sharing,”

IEEE Transactions on Information Theory, vol. 39, no. 4, pp.

1121–1132, 1993.

[5] J. Cardinal and G. V. Assche, “Construction of a shared secret

key using continuous variables,” Info. Theory Workshop, 2003.

[6] G. Brassard and L. Salvail, “Secret key reconciliation by public

discussion,” Advances in Crytology Proc. - Eurocrypt ’93,

Lecture Notes in Computer Science, vol. 765, pp. 410–423,

1994.

[7] C. Ye, A. Reznik, and Y. Shah, “Extracting secrecy from jointly

Gaussian random variables,” in Proceedings of IEEE Int. Symp

on Info. Theory, Jul 2006, pp. 2593 – 2597.

[8] C. Cachin and U. M. Maurer, “Linking information

reconciliation and privacy amplification,” Journal of

Cryptology: the journal of the International Association for

Cryptologic Research, vol. 10, no. 2, pp. 97–110, Spring 1997.

[9] T. M. Cover and J. A. Thomas, Elements of Information

Theory. John Wiley, 1991.

[10] C. H. Bennett, G. Brassard, and J.-M. Robert, “Privacy

amplification by public discussion,” SIAM J. Comput., vol. 17,

no. 2, pp. 210–229, 1988.

[11] W. T. Buttler, S. K. Lamoreaux, J. R. Torgerson, G. H. Nickel,

C. H. Donahue, and C. G. Peterson, “Fast, efficient error

reconciliation for quantum cryptography,”Phys. Rev. A,

vol. 67, p. 052303, 2003.

[12] G. V. Assche, Quantum Cryptography and Secret Key

Distillation. Cambridge University Press, 2006.

[13] U. Maurer and S. Wolf, “Secret key agreement over a

non-authenticated channel -Part II: The simulatability

condition,” IEEE Transactions on Information Theory,

vol. 49, no. 4, pp. 832–838, Apr. 2003.

[14] Z. Li, W. Xu, R. Miller, and W. Trappe, “Securing wireless

systems via lower layer enforcements,” in WiSe ’06:

Proceedings of the 5th ACM workshop on Wireless security,

2006, pp. 33–42.

[15] N. Patwari and S. K. Kasera, “Robust location distinction using

temporal link signatures,” in MobiCom ’07: Proceedings of the

13th annual ACM international conference on Mobile

computing and networking, 2007, pp. 111–122.

[16] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe,

“Fingerprints in the ether: Using the physical layer for wireless

authentication,” in Proceedings of the IEEE Int.. Conf. on

Comm., pp. 4646 – 4651.

[17] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener,

“Robust key generation from signal envelopes in wireless

networks,” in CCS ’07: Proceedings of the 14th ACM

conference on Computer and communications security, 2007,

pp. 401–410.

[18] R. Wilson, D. Tse, and R. Scholtz, “Channel identification:

Secret sharing using reciprocity in UWB channels,” IEEE

Transactions on Information Forensics and Security, vol. 2,

no. 3, pp. 364–375, 2007.

[19] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka,

“Wireless secret key generation exploiting reactance-domain

scalar response of multipath fading channels,” IEEE

Transactions on Antennas and Propagation, vol. 53, no. 11,

pp. 3776–3784, Nov 2005.

[20] A. Hassan, W. Stark, J. Hershey, and S. Chennakeshu,

“Cryptographic key agreement for mobile radio,” Digital Signal

Processing, vol. 6, pp. 207–212, 1996.

[21] H. Koorapaty, A. Hassan, and S. Chennakeshu, “Secure

information transmission for mobile radio,” IEEE

Communication Letters, vol. 4, no. 2, Feb 2000.

[22] T. S. Rappaport, Wireless Communications: Principles and

Practice. Prentice Hall PTR., 2001.

[23] A. Goldsmith, Wireless Communications. New York, NY,

USA: Cambridge University Press, 2005.

[24] J. K. Tugnait, L. Tong, and Z. Ding, “Single-user channel

estimation and equalization,” IEEE Signal Processing

Magazine, vol. 17, pp. 16–28, 2000.

[25] W. C. J. Jr., Microwave Mobile Communiations. Wiley, 1974.

[26] T. Moore, “IEEE 802.11-01/610r02: 802.1x and 802.11 key

interactions,”Microsoft Research, 2001.

[27] S. Fortune, D. M. Gay, B. Kernighan, O. Landron, R. A.

Valenzuela, and M. Wright, “Wise design of indoor wireless

systems: practical computation andoptimization,”

Computational Science and Engineering, IEEE, vol. 2, no. 1,

pp. 58–68, April 1995.

[28] H. L. V. Trees, Detection, Estimation and Modulation

Theory: Part I. Wiley-Interscience, 2001.

[29] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone,

Handbook of Applied Cryptography. CRC Press, 1996.

[30] U. M. Maurer, “A universal statistical test for random bit

generators,” Journal of Cryptology, vol. 5, pp. 89–105, 1992.

[31] “http://csrc.nist.gov/groups/st/toolkit/rng/.”

[32] NIST, “A statistical test suite for the validation of random

number generators and pseudo random number generators for

cryptographic applications,” 2001.

[33] “IEEE standard 802.11a: Part 11 wireless LAN medium access

control (MAC) and physical layer (PHY) specifications:

High-speed physical layer in the 5 GHz band.”

[34] “http://www.madwifi.org/.”

[35] Q. Wang, S. R. Kulkarni, and S. Verdu, “A nearest-neighbor

approach to estimating divergence between continuous random

vectors,” in Int. Symp. on Inform. Theory, 2006, pp. 242–246.

[36] “http://www.atheros.com/.”

[37] “http://www.tcpdump.org.”

InterDigital develops mobile technologies that are at the core of devices, networks, and services worldwide. We solve many of the industry's most critical and complex technical challenges, inventing solutions for more efficient broadband networks and a richer multimedia experience years ahead of market deployment.

© Copyright 2017 InterDigital, Inc. All Rights Reserved