In advanced 3.5G to 4 G communication standards (e.g., Long Term Evolution (LTE) and LTE-advanced), security has been an important issue due to the increasing attention on user privacy. Compared to 2G Global System for Mobile Communications (GSM), the Evolved Packet System (EPS) that comprises LTE and System Architecture Evolution (SAE) has stronger protection on information security. For example, the authentication process in GSM only allows the serving network (SN) to authenticate the mobile stations, and the mobile station cannot authenticate the SN. Fake base stations thus can be transparent by imitating the mobile stations and forwarding their messages to the genuine base stations. This is the famous man-in-the-middle attack. The EPS, on the other hand, introduces mutual authentication between the SN and UEs. Therefore, EPS has resistance to man-in-the-middle attacks. Nevertheless, backward compatibility with GSM or General Packet Radio Service (GPRS) can still result in the risks of being attacked.
Despite the security improvement in the EPS, there are still some security issues remaining unsolved. For instance, the International Mobile Subscriber Identity (IMSI) is a special sequence of numbers unique for each mobile user in the cellular network. It serves as an identification that allows the Mobility Management Entity (MME) in the SN to authenticate the UE. To prevent eavesdroppers from obtaining the IMSI and accordingly having the ability to track the UE, the IMSI should be sent as infrequently as possible. For not revealing IMSI often, the MME will allocate Global Unique Temporary UE Identity (GUTI) after the UE establishes connection with the SN. Hence, the UE can mask its IMSI by transmitting the GUTI for the authentication process afterwards. However, the association between IMSI and GUTI is stored in the local MME and Home Subscriber Server (HSS). If the UE goes to a new area with new operators, the new networks can only fetch the association between the IMSI and GUTI from the old network. If the address of the home SN is not known or the connection between the local SN and the home SN fails, the local SN cannot retrieve the association anymore. As a result, the IMSI must be sent first to get initial authentication. Therefore, in places such as airports, the transmission of IMSI is not preventable, which makes eavesdropping and tracking possible.
The above problem is referred to as a secure initiation problem where passive eavesdroppers present as security threats. The secure initiation problem is not restricted to the security of the IMSI. It concerns the security of any confidential information sent before a secure transmission link is established. For example, the SN and the UE need to have an agreement on secret keys to allow cryptography schemes to work. The security transmission link is referred to as the establishment of symmetric cryptosystems such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES) that use the same secret key for encryption and decryption. The symmetric cryptosystems are secure if the symmetric key is only known to the eNodeB and the legitimate UEs. Nevertheless, once the secrecy assumption of the key does not hold (i.e., the eavesdropper has the secret key), then the symmetric cryptosystems are not safe anymore. Therefore, protecting the confidential messages such as the secret key before the establishment of the symmetric cryptosystems is extremely important.
Applying asymmetric cryptography (e.g., RSA and Diffie-Hellman key exchange) to protect the symmetric secret key or IMSI is a possible solution to the secure initiation problem. The basic idea of asymmetric cryptography is to use different keys for encryption and decryption. By concealing the decryption key, the computation complexity of decrypting the confidential messages with the knowledge of only the encryption key is so high that eavesdroppers cannot finish the decryption in time. A successful decryption by a super computer usually takes over ten years. However, asymmetric cryptography has much more computation complexity in key generation, encryption, and decryption than the symmetric cryptography even though both keys are known. In addition, the asymmetric cryptography generally needs much larger secret keys than the symmetric cryptography (over ten time usually) to achieve the same level of security. Hence, due to the hardware cost, time efficiency, and power saving concerns, the asymmetric cryptography is not suitable for user devices.
To solve the secure initiation problem and to overcome the disadvantage of the asymmetric cryptography, security mechanisms can be built on the physical layer. Specifically, in wireless environments with Time-Division Duplex (TDD) schemes, the MIMO channel from the eNodeB to the UE and that from the UE to the eNodeB are identical by the operation of conjugate transpose (i.e., adjoint). On the other hand, the channels seen by eavesdroppers would be very different from the eNodeB-to-UE channel. In addition, channel realization would vary significantly through coherence time, which imposes a great difficulty for the eavesdroppers to predict. Hence, due to the reciprocity, uniqueness, and randomness of the channel, the eNodeB and the UE can quantize their observations on the channel to generate identical secret keys without explicitly transmitting the secret keys.
However, there are three major challenges ahead. First, because of channel estimation errors, the secret keys generated by the eNodeB and the UE might not match each other. How to quantize the channel so that the key error rate (KER) or the probability of key mismatch between the eNodeB and the UE is acceptably low is an issue. Second, although eavesdroppers cannot see the channel experienced by the eNodeB and the UE, they may still try to predict the channel by reconstructing the physical environment. For simple environments such as an empty room, it is possible to simulate the surroundings and rebuild the channels by, for example, ray tracing. Third, although channel will vary from time to time, the variation depends on the speed of the eNodeB and the UE. If the channel experiences slow fading, the secret keys that generated from time to time will have a great amount of correlation. Such a phenomenon is harmful to security since once an eavesdropper happens to have a secret key, the key might be used to predict the other keys. Therefore, channel reciprocity based physical layer security schemes should be designed tolerable to the key mismatch problem, the physical reconstruction hazard, and the slow fading channel.