Man-in-the-middle Pilot Attack for Physical Layer Authentication
Abstract: Existing physical layer authentication mechanisms rely on the privacy of the legitimate channel state information (CSI); once an attacker can manipulate or steal the legitimate channel, the mechanism is at risk of being broken. To address this weakness, this paper proposes a man-in-the-middle (MITM) pilot attack that targets physical layer authentication by controlling the channel measurement process of the two legitimate parties. The MITM pilot attack system is first modelled, and a progressive imperceptible access strategy is given that lets the attacker insert itself between the two legitimate parties without being noticed. Once inserted, the attacker can attack the two basic physical layer authentication mechanisms: against CSI-based comparison authentication it can mount denial-of-service and impersonation (counterfeit access) attacks; against CSI-based cryptographic authentication it can steal the channel information and from it recover the authentication vector. The attack applies to general wireless systems with public pilots and requires the attacker to synchronize with the pilot transmissions of the legitimate parties. Simulation results verify the effectiveness of the progressive imperceptible access strategy, the denial-of-service attack, the impersonation attack, and the theft of channel information followed by recovery of the authentication vector.
Table 1 Simulation parameter list

| Simulation parameter | Value |
|---|---|
| Number of antennas | $N_{\rm A} = N_{\rm B} = N_{\rm E} = 8$ |
| Pilot power | $P_{\rm A} = P_{\rm B} = 30\;{\rm dBm}$ |
| Noise power | $\sigma_v = -80\;{\rm dBm}$ |
| Distance between nodes | $d_{\rm AB} = 100,\; d_{\rm AE} = 60,\; d_{\rm EB} = 60$ |
| Path-loss exponent | $\alpha = 3$ |
| Coefficient $\rho$ | 0.95 |
| Pilot length | $L = 16$ |
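The CSI-based comparison authentication named in the abstract, and the reason its security rests on the privacy of the measured channel, can be seen in a small simulation. The Python block below is an added example and is not code from the paper. It takes its numbers from Table 1 and assumes everything else: a first-order Gauss-Markov channel whose slot-to-slot correlation is the coefficient $\rho$, a rotating-phase public pilot, least-squares channel estimation at B, and an acceptance threshold of 0.5 on the normalised distance between the fresh estimate and the enrolled CSI. It enrols A's channel at B and then evaluates three outcomes of the next slot: A alone (accepted), A plus a second node E transmitting the same public pilot in sync (B's estimate is a superposition it cannot separate, so A is rejected: the denial-of-service effect), and E alone against the clean reference (rejected). It also reports the measured channel energy relative to the enrolled one, a side effect of contamination that a verifier can log even though the comparison test itself cannot attribute it.

```python
import cmath
import math
import random

# Values taken from Table 1; everything else in this block is an assumption.
N_ANT = 8             # N_A = N_B = N_E
P_DBM = 30.0          # pilot power P_A = P_B
NOISE_DBM = -80.0     # noise power sigma_v
D_AB, D_AE, D_EB = 100.0, 60.0, 60.0
ALPHA = 3.0           # path-loss exponent
RHO = 0.95            # coefficient rho, used here as the slot-to-slot channel correlation
L = 16                # pilot length
THRESHOLD = 0.5       # acceptance threshold on the normalised CSI distance (assumed)


def dbm_to_watt(dbm):
    return 10.0 ** (dbm / 10.0) / 1000.0


def cn(rng, var=1.0):
    """One circularly symmetric complex Gaussian sample CN(0, var)."""
    s = math.sqrt(var / 2.0)
    return complex(rng.gauss(0.0, s), rng.gauss(0.0, s))


def public_pilot():
    """Unit-modulus pilot known to everyone (assumed shape: a rotating phase)."""
    return [cmath.exp(2j * math.pi * k / L) for k in range(L)]


def evolve(h, rng):
    """Slot-to-slot channel evolution h' = rho*h + sqrt(1 - rho^2)*w (assumed Gauss-Markov model)."""
    s = math.sqrt(1.0 - RHO ** 2)
    return [RHO * c + s * cn(rng) for c in h]


def ls_estimate(transmitters, rng):
    """Receiver B's least-squares estimate of the pilot channel.

    transmitters: list of (power_w, distance, small_scale_vector). Every node that
    sends the public pilot in this slot adds into the same estimate; B sees only
    the superposition, which is why a synchronized pilot attack can steer the CSI.
    """
    x = public_pilot()
    sigma2 = dbm_to_watt(NOISE_DBM)
    est = []
    for n in range(N_ANT):
        acc = 0j
        for k in range(L):
            y = sum(math.sqrt(p * d ** (-ALPHA)) * h[n] * x[k] for p, d, h in transmitters)
            y += cn(rng, sigma2)                 # receiver noise
            acc += y * x[k].conjugate()          # correlate with the known pilot
        est.append(acc / L)
    return est


def csi_distance(current, reference):
    """Normalised squared distance between the fresh estimate and the stored CSI."""
    num = sum(abs(c - r) ** 2 for c, r in zip(current, reference))
    den = sum(abs(r) ** 2 for r in reference)
    return num / den


def authenticate(current, reference):
    """CSI-based comparison authentication: accept when the channel has changed little."""
    return csi_distance(current, reference) < THRESHOLD


def energy(h):
    return sum(abs(c) ** 2 for c in h)


def run_scenarios(seed=7):
    """Enrol A's CSI at B, then evaluate the next slot as A alone, A plus synchronized E, and E alone."""
    rng = random.Random(seed)
    p = dbm_to_watt(P_DBM)
    h_ab = [cn(rng) for _ in range(N_ANT)]       # constructed small-scale channels
    h_eb = [cn(rng) for _ in range(N_ANT)]

    reference = ls_estimate([(p, D_AB, h_ab)], rng)   # clean enrolment slot

    h_ab = evolve(h_ab, rng)
    h_eb = evolve(h_eb, rng)
    legit = ls_estimate([(p, D_AB, h_ab)], rng)
    contaminated = ls_estimate([(p, D_AB, h_ab), (p, D_EB, h_eb)], rng)
    attacker_alone = ls_estimate([(p, D_EB, h_eb)], rng)

    return {
        "legit_distance": csi_distance(legit, reference),
        "legit_accepted": authenticate(legit, reference),
        "contaminated_distance": csi_distance(contaminated, reference),
        "contaminated_accepted": authenticate(contaminated, reference),  # A is denied service
        "attacker_alone_accepted": authenticate(attacker_alone, reference),
        # Measured channel energy relative to the enrolled CSI: contamination from a
        # closer node (d_EB = 60 < d_AB = 100) shows up as a large jump.
        "energy_ratio": energy(contaminated) / energy(reference),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With these parameters the attacker's path gain at B is about 4.6 times A's, so the contaminated estimate is dominated by E's channel; the legitimate distance stays near $2(1-\rho) = 0.1$ while the contaminated one is several times the threshold. The energy ratio is the one quantity here that a verifier can watch without knowing who is transmitting.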