WO 2007/031089 discloses a method for secure communication in a wireless communication system. In a key generation mode, an access point equipped with an ESPAR antenna forms a beam pattern and sends a packet for measurement. The terminal receives that packet with an omnidirectional pattern and acquires a Received Signal Strength Indication (RSSI) value after averaging in order to equalize the influence of noise. Next, the regular user transmits a packet for measurement using the omnidirectional pattern. The access point receives that packet with a pattern identical to the original pattern and acquires the RSSI value after averaging. K different RSSI values are acquired by repeating the RSSI measurement K times while changing the beam pattern of the access point. The number of iterations K is simply set according to key length. Next, a threshold value is set for the K RSSI values, and each value becomes 1 if it is higher than the threshold value and 0 if it is under the threshold value. After binarization, the same key is generated in the access point and the regular user, and key agreement can be achieved.
In wireless communication systems, secret-key cryptography is used because its processing speed can deal with bulk data. Secret-key cryptography is sometimes referred to as symmetric cryptography. It is a traditional form of cryptography, in which a single key can be used to encrypt and decrypt a message. Secret-key cryptography not only deals with encryption, but it also deals with authentication. One such technique is called message authentication codes (MACs). The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. An advantage of secret-key cryptography is that it is generally faster than public-key cryptography.
Other terms for symmetric-key encryption are secret-key, single-key, shared-key, one-key and private-key encryption. However, use of the latter term conflicts with the term private key in public-key cryptography.
A major problem with secret-key cryptosystems is getting the sender and receiver to agree on the secret key without anyone else finding out. This requires a method by which the two parties can communicate without fear of eavesdropping. An important question is thus how to achieve the initial key exchange.
A first approach resides in the use of bi-directional LQI/RSSI (link quality indicator/received signal strength indicator) measurements to assess variations of the attenuation of the signal path between two transceivers, in order to establish a shared secret between two nodes. Thanks to the reciprocity theorem of radio wave propagation between two communication parties, it is possible for them to calculate common information by using the fluctuation characteristics of the channels. This approach can provide a secret key agreement scheme without any key distribution processes. Because this scheme can provide a one-time key when it is needed, it is an excellent method to solve the problems of key distribution and key management.
A second approach resides in the sending of a set of random numbers, optionally at low transmit power, and combining (e.g. XOR) them all together to generate a “key”. An attacker is unlikely to hear all of them correctly.
The first approach has an optional variant in which the established shared secret is used to secure a 128-bit random key generated by one of the devices. This helps to protect against future attacks against the amount of “randomness” in the attenuation of the signal. Additionally, the first approach makes it difficult for an attacker to get the keys because the attacker's receiver will have a different path attenuation between itself and each of the targets from the one the targets have between one another. As such, the link quality figures (LQI, typically assessed as received signal strength indication, RSSI) assessed in each direction between the two nodes will be strongly correlated, whereas LQI/RSSI to a third node will typically be very weakly correlated.
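The following simulation is an added example, not part of the cited publication or of this document's own method. It illustrates the RSSI thresholding described for WO 2007/031089 together with the correlation argument above: two nodes measuring the same reciprocal path derive nearly identical bits, while a third node on an independent path does not. The path-loss model, the noise figures and the use of the median as threshold are assumptions.

```python
import random
import statistics

def averaged_rssi(path_db, noise_db, samples, rng):
    """Average several noisy readings of one beam pattern to equalize noise."""
    return statistics.fmean([path_db + rng.gauss(0, noise_db) for _ in range(samples)])

def binarize(rssi_values):
    """1 above the threshold, 0 otherwise. The median threshold is an assumption."""
    threshold = statistics.median(rssi_values)
    return [1 if v > threshold else 0 for v in rssi_values]

def run_session(k=128, noise_db=1.0, samples=8, seed=1):
    """Simulate K beam patterns; return bit strings of AP, terminal and a third node."""
    rng = random.Random(seed)
    ap, terminal, third = [], [], []
    for _ in range(k):
        link_db = rng.gauss(-60, 6)    # reciprocal path for this pattern (constructed)
        other_db = rng.gauss(-60, 6)   # independent path seen by the third node
        terminal.append(averaged_rssi(link_db, noise_db, samples, rng))
        ap.append(averaged_rssi(link_db, noise_db, samples, rng))
        third.append(averaged_rssi(other_db, noise_db, samples, rng))
    return binarize(ap), binarize(terminal), binarize(third)

def agreement(a, b):
    """Fraction of bit positions on which two bit strings match."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

if __name__ == "__main__":
    ap_bits, term_bits, third_bits = run_session()
    print(f"AP vs terminal:   {agreement(ap_bits, term_bits):.2%}")
    print(f"AP vs third node: {agreement(ap_bits, third_bits):.2%}")
```

In this model, readings that fall close to the threshold can binarize differently at the two ends, so the simulation reports an agreement rate rather than assuming identical keys.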
The second approach makes it difficult for an attacker to get the keys because they would need to have a radio receiver device very nearby, specifically configured to be snooping the right channel at the time of the installation. Nevertheless, one of the risks with the second approach (combining multiple keys) is that attackers might leave a snooping device running all the time, possibly with a high quality receiver. They could then trawl through log files later and may, if they are lucky, receive all the keying information. This may optionally be mitigated by transmissions being at low transmit power, hopefully reducing the risk of attacks to a level that manufacturers are content to deploy products using it.
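As an added illustration of the second approach (not code from this document), the model below XORs a set of transmitted random numbers into a key and estimates how often a listener recovers every one of them. The per-packet capture probability is a hypothetical parameter standing in for receiver quality and transmit power.

```python
import random
import secrets
from functools import reduce

def xor_combine(shares):
    """XOR equal-length byte strings together to form the key."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*shares))

def install_session(n_packets, capture_prob, rng):
    """Return True if the listener heard every random number and so holds the key."""
    shares = [secrets.token_bytes(16) for _ in range(n_packets)]
    key = xor_combine(shares)
    heard = [s for s in shares if rng.random() < capture_prob]
    # Missing even one share leaves the listener with no information about the key.
    return len(heard) == n_packets and xor_combine(heard) == key

def compromise_rate(n_packets, capture_prob, trials=5000, seed=7):
    """Empirical fraction of sessions in which the listener recovers the key."""
    rng = random.Random(seed)
    hits = sum(install_session(n_packets, capture_prob, rng) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for p in (1.0, 0.9, 0.5):      # 1.0 models a high quality, always-on receiver
        for n in (1, 8, 20):
            print(f"capture={p:.1f} packets={n:2d} "
                  f"compromised={compromise_rate(n, p):.3f} expected={p ** n:.3f}")
```

The compromise rate follows capture_prob ** n_packets, so lowering the listener's per-packet reception (for example by low transmit power) or sending more packets both reduce it, while a receiver that hears everything always recovers the key.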
However, both approaches have a weakness in that they require a lot of transactions to generate a key that is strong enough for use in all cases. For example, the first proposal might require an exchange of 300 messages to give 128-bit security. For many applications this is excessive. A particular example of an application where this would be unsuitable is an energy scavenging device. It is becoming possible for devices, such as light switches, to generate sufficient power from the action of pressing the switch that they are able to enable their transceiver and microprocessor for a short period. This period would probably not be sufficient for the exchange of tens or hundreds of messages.
Latency is also an important consideration—if a user presses a key and nothing happens for e.g. 3 seconds, he may press another button. This is likely to be more important for devices that need to join a network frequently, perhaps including point-of-sale applications.
Conversely, higher demands for security require more messages to be sent in order to decrease the probability of an attacker being successful. The conflicting demands of higher security and low operating power/latency cannot be met adequately by the available systems.