key: cord-0156534-jf3usma5
authors: Reaz, Khan; Wunder, Gerhard
title: ComPass: Proximity Aware Common Passphrase Agreement Protocol for Wi-Fi devices Using Physical Layer Security
date: 2021-03-11
journal: nan
DOI: nan
sha: 4e7a9f6e07e9680181447e561776a72b46d22495
doc_id: 156534
cord_uid: jf3usma5

Secure and scalable device provisioning is a notorious challenge in Wi-Fi. WPA2/WPA3 solutions take user interaction and a strong passphrase for granted. However, the often weak passphrases are subject to guessing attacks. Notably, there has been a significant rise of cyberattacks on Wi-Fi home or small office networks during the COVID-19 pandemic. This paper addresses the device provisioning problem in Wi-Fi (personal mode) and proposes ComPass protocol to supplement WPA2/WPA3. ComPass replaces the pre-installed or user-selected passphrases with automatically generated ones. For this, ComPass employs Physical Layer Security and extracts credentials from common random physical layer parameters between devices. Two major features make ComPass unique and superior compared to previous proposals: First, it employs phase information (rather than amplitude or signal strength) to generate the passphrase so that it is robust, scaleable, and impossible to guess. Our analysis showed that ComPass generated passphrases have 3 times more entropy than human generated passphrases (113-bits vs. 34-bits). Second, ComPass selects parameters such that two devices bind only within a certain proximity (less than 3m), hence providing practically useful in-build PLS-based authentiation. ComPass is available as a kernel module or as full firmware.

Connectivity is the key to the world of business, entertainment, education, and government services. While cellular dominates mobility use-case, 802.11 a.k.a Wi-Fi is the single most widely used technology to access the internet when it comes to streaming movies to the smart TV at home, making a video conference call at the workplace, or merely sharing vacation photos from a hotel room or a café. In recent years, consumers have also embraced Wi-Fi for connecting new types of peripherals as part of their daily life such as Amazon Alexa powered Echo devices or Google Connected Home or Apple Home accessories.

Quite recently, the world has faced COVID-19 pandemic. Due to the lockdown, people relied on home Wi-Fi more than ever to work remotely. Interpol reported an alarming rate of cyberattacks during the pandemic months [14] . The increased number of remote-working has made an adversary more interested in the radio part of the communication since it is more straightforward to capture packets over the air.

The Wi-Fi Alliance has developed several security protocols over the last decades to secure Wi-Fi communication. Nevertheless, none of the protocols provides fullproof and future-proof security. Recently, a significant flaw, popularly known as KRACK-attack was discovered, and it heavily affected all platforms [25] . To ease the provisioning of credentials, especially for resource-constrained devices, Wi-Fi Alliance had developed Wi-Fi Protected Setup (WPS) protocol. It gives consumers an easier option to set up a secure Wi-Fi connection by pushing a button (PBC mode), or entering a PIN, or via NFC interface [32] . However, WPS has a longstanding weak security, known as WPS PIN recovery [27] .

In an effort to strengthen the security of Wi-Fi, WPA3 has been recently announced (last release v3.0 on December 2020) [33] . The new standard mandates a higher cryptographic standard (192-bit key for enterprise mode, although 128-bit for personal mode). It replaces the Pre-Shared Key (PSK) exchange with Simultaneous Authentication of Equals (SAE) and introduces Forward Secrecy. However, a passphrase is still used. The newly introduced Wi-Fi Easy Connect [30] replaces all previous methods of WPS with a Public Key Cryptography (PKC) based provisioning mechanism. In Wi-Fi Easy Connect, a network owner is presumed to have a primary device (Configurator) with a rich user interface (e.g., a smartphone or tablet with a camera) that runs the Device Provisioning Protocol (DPP). Here, all Enrollees have electronic or printed QR codes or human-readable strings. The Configurator scans the code (the user can also manually type in the human-readable strings) to provision the Enrollee with credentials. DPP relies on QR code scanning, which is not at all feasible for a large number of devices (Think of a premise to be monitored with a Wi-Fi IP camera; then all the cameras have to be scanned and connected to the network). The Wi-Fi Alliance has released another supporting protocol, called Enhanced Open [10] . It is an adapted version of the Opportunistic Wireless Encryption (OWE) [31] protocol that aims to mitigate attacks on open un-encrypted wireless networks. Here, the client (STA) and the access point (AP) generate pairwise secret by performing Diffie-Hellman (DH) key exchange during the 4-way handshake procedure. OWE is based on PKC, and PKC is threatened by the uprising of quantum computers [16] . It is to be noted that the exponent size used in the DH must be selected such that it has at least double the entropy of the entire crypto-system, i.e., if we use a group whose strength is 128-bits, we must use more than 256-bits of randomness in the exponent used in the DH calculation [17] . This brings to the required DH key-size of 4200 bits at its best strength estimation [17] . The large key-size is a massive burden for the IoT ecosystem [16] .

In recent years several works have been done to generate the secret key using PHY-layer properties based on Shannon's [23] , Wyner's [35] , and Maurer's [19] seminal information-theoretic security concept. In the Physical Layer Security (PLS) approach, the inherent reciprocity property of the wireless channel and its varying nature (i.e. randomness) is used to agree on a key between two legitimate transceivers. Enthusiasm among researchers gave a significant rise towards developing key generation algorithms on this principle. Most of the existing works are based on Amplitude or Received Signal Strength (RSS) [36, 24, 39, 38] . It is because Amplitude and RSS show reciprocity without much effort and hence can be easily reconciled to generate a symmetric key. On the other hand, the slightest displacement of the transceivers cause the Phase to vary significantly. Xi et al. proposed the Dancing Signal (TDS) scheme in [36] . It requires devices to be within 5cm which is very impractical since most of the cases APs are wall-mounted or hidden to keep away unwanted hardware access. In TDS, keys are generated from the local entropy source instead of the randomness of the wireless channel. Their evaluation showed a good performance since the implementation is done on a traditional computer. This will not be the case for resource-constrained IoT devices which are known to have low entropy [16] . From the literature, it is well established that Amplitude or Received Signal Strength (RSS) based existing methods are slow, need iterative communications, authenticated channel, and a large number of samples to generate a good quality key.

We propose ComPass to tackle the challenges mentioned above. It is a new proximity aware common passphrase agreement protocol for deployable Wi-Fi network consisting of all classes of Wi-Fi devices (hence, some devices may have no camera or keypad). Our PLS based proposed method uses Phase information of the wireless channel and its varying nature (i.e., randomness) to agree on a passphrase between two legitimate transceivers. With the ComPass generated passphrase, it is possible to generate 128/192/256-bit (or higher) key with high entropy at a minimum communication overhead. Our intention is not to replace the well known WPA2/WPA3; instead, supplement it with the new automated passphrase generation protocol.

The paper is organized as follows. A brief introduction to Wi-Fi channel measurement is given in Sec.2. We presented the end-to-end steps of the ComPass protocol in Sec.3. and its security analysis in Sec.4. Sec.5 describes the implementation details. Our concluding remark is given in Sec.6.

We revisit some of the core technologies of the Wi-Fi PHY, specifically Beamforming. It utilizes the knowledge (i.e., Channel State Information (CSI)) of the MIMO channel to improve the receiver's throughput significantly.

In the complex baseband MIMO channel model, a vector x k = [x 1 , x 2 , ...x N Tx ] T is transmitted in subcarrier k using OFDM scheme. The received vector y k = [y 1 , y 2 , ...y N Rx ] T is then modeled as:

H k is the channel response matrix of dimensions N R x × N T x where N R x is the maximum number of receiving antenna, N T x is the maximum number of transmitting antenna. H k is expressed in complex number to represent the attenuation (i.e amplitude ( H k ) and the phase shift ( H k )) for each subcarrier k. Z is the additive white Gaussian noise. The CSI is expressed as a multidimensional matrix taking

N S c is the number of used data subcarriers [37, 40] . Depending on the Wi-Fi chip, protocol version, bandwidth and channel estimation method, the size of this matrix will vary. For example, a 3 × 3 MIMO device with a Qualcomm Atheros Wi-Fi chip operating on IEEE 802.11n 5GHz band with a BW =20/40 MHz would report CSI as a [3] [3][56/114] matrix. We refer to the IEEE standard [13] for the detailed explanation of the IEEE 802.11 PHY procedure.

Let us define entities of the ComPass protocol. Access Point is kept hidden (to reduce Evil Twin attacks) and it has an Authenticator with a rich user interface. The Enrollee is a device with limited interface (it can have a rich user interface too). Before initiating the protocol, devices are brought within proximity (≤ 3m). Summary of the protocol steps are as follows (1) With a button press or after booting, the Enrollee broadcasts its name-id with random nonce in Wi-Fi infrastructure mode. Power button or existing WPS button can be re-programmed for this purpose. (2) Authenticator verifies and confirms the Enrollee from an app or from the system's Wi-Fi setting.

a. Authenticator and Enrollee perform procedures as mentioned in the following sections (3.1 to 3.5) to generate a common passphrase 1 . Once connected, the Authenticator sends (SSID + AP-MAC) to the Enrollee. Subsequently, it sends Enrollee's MAC+ passphrase 1 to the Access Point. This communication is already encrypted since the Authenticator has joined the network beforehand. b. Enrollee switch to Wi-Fi Client mode after receiving (SSID + AP-MAC) from the Authenticator. It sends Association request to the Access Point appending hashed passphrase 1 . c. Access Point verifies the request by comparing hashed passphrase 1 . If successful, it initiates procedures as described in Sec. (3.1 to 3.5).

(3) Access Point and Enrollee generates passphrase 2 in the similar way.

(4) If successful, Access Point allows Enrollee to connect and it notifies Authenticator, else Enrollee returns to step (2)b. Finally, Authenticator and Access Point delete the passphrase 1 .

Authenticator and Enrollee refer to STA and the Access Point as AP. We assume that the Authenticator joins the Access Point securely either by existing WPA2/WPA3 method or by generating their common passphrase according to the procedures mentioned in Sec. (3.1 to 3.5). New devices can only be joined through the Authenticator(s). In the following subsections we present the intermediate steps of the protocol and algorithms.

In the last few years, several toolchains have been developed by researchers to extract CSI from commercial off-the-shelf (COTS) devices. Among them, the Intel CSI Tool (ICT) by Halperin et al. [9] and the Atheros CSI Tool (ACT) by Xie et al. [37] are widely used. The recent release of nexmon CSI extraction tool [8] has opened the door for extracting CSI from Broadcom and Cypress chipsets. Although there are some differences between these toolchains, they all report CSI to the firmware's user-space in a similar fashion. Hence, ComPass remains compatible with all of them. In this paper, we worked with ACT to implement ComPass on devices. We have patched some of the bugs that we found in ACT. For example, previously, the driver reported CSI for all packets, including the acknowledgment packets (ACK). It caused one device to have more CSI data than the other. The ACT supports up to 3 RF chains, but the SoC firmware sometimes use the Link Adaptation technique (especially in LOS scenarios) to turn off some antennas. Also, the time stamp associated with the reported CSI was according to each device's local clock. It caused misalignment for our intended use of the CSI to generate a common passphrase on both devices.

One of the first challenges of PLS method is to ensure that the collected channel measurements are coming from the packets that are exchanged within the channel's coherence time. This is to make sure that the collected channel measurements on both sides hold reciprocity property. To mitigate the unwanted effects on CSI, we employed a Synchronous CSI Collection (SCC) procedure between the devices to ensures that they have a common time stamp (up to a certain accuracy) and only CSI from the correct probing packets are logged. At first, STA aligns its local clock with AP by utilizing the Linux built-in library. AP instructs STA to start exchanging a fixed N number of dummy packets after waiting for t d seconds. Once CSI for an incoming packet is reported, it checks for R x × T x combination. If R x = T x , CSI value is dropped. After collecting CSI for N packets, the protocol moves to the Parameter Extraction step.

A vast body of literature on channel-based key generation, specifically those who implemented their schemes on COTS hardware relied only on the Amplitude/RSS part of a signal; only a very few considered to work with the Phase part [24, 28] . However, the Amplitude fluctuation of the signal is very low in proximity and in an static environment [22] . An active adversary can generate a synthetic channel amplitude profile to mimic the intended transceiver. Conversely, Phase varies significantly in an indoor environment while respecting the reciprocity property [34] . Thus, it is nearly impossible for an adversary to generate a synthetic phase profile. In this paper, we investigate the Phase part of the channel frequency response.

It is to be noted that the CSI reported by the Wi-Fi SoC driver contains the channel's cumulative frequency response and the device's inner circuitry response as it goes through amplification, down-conversion, packet detection phase. All this additional processing contaminate the true channel response as verified by previous works [40, 34, 18, 26, 36] . Hence, the collected CSI needs sanitizing to remove unwanted effects.

According to Zhu et al. [40] , the measured phase φ k = H( f k ) can be decomposed as:

where gain mismatch and phase mismatch is denoted by ε g , and ε θ respectively. Unknown timing offset and phase offset error is indicated by ζ and β . λ sums up the delay caused by time-of-flight (TOF), packet detection delay (PDD) and sampling frequency offset (SFO). Note that AWGN is omitted since it would cancel out when comparing phases of the measured CSI from two nodes.

We adapted the decomposition method of [40] to extract the relevant parameter from the measured CSI phase. We have studied the characteristics of these five parameters through several measurement campaigns performed at various locations at the Freie Universität Berlin and other private apartments that included LOS and NLOS scenarios. Our key findings are: (i) The almost sigmoidal-shaped arcus tangent function of the Eq. 2 strongly conforms in the LOS scenario and fails in the NLOS scenario. (ii) Cumulative delay parameter, λ is almost constant, which is expected because TOF, PDD, SFO remains static for a low mobility environment. Conveniently, λ could be useful to filter out CSI for a packet that arrived later than the channel coherence time T c . (iii) ε g and ε θ are the only useful parameter with good statistical properties.

This revelation of our analysis encouraged us to extract ε g and ε θ from the collected CSI and proceed to the next steps. Taking the Eq. 2 as a reference decomposition model, we estimate the default value for each of the five parameters from the ideal arctan function: ε g = 0.512, ζ = −0.02812, ε θ = −0.006355, λ = −0.02762, β = 0.1326. Then we perform a non-linear least square curve-fitting operation to estimate the parameters. Before we implemented ComPass on our COTS setup, we used a simulation tool for the next steps by quantizing both ε g and ε θ . Our analysis showed that ε g gives a slightly better result. Henceforth, ∑ N i=1 ε g is the parameter from the measured CSIphase that we will use in the following steps. The Delay Aware Parameter Extractor (DAPPER) algorithm is described in the Step 1 of Algorithm 1. AP and STA perform DAPPER independently.

Existing lossy and lossless (as categorized by Zenger et al. in [38] ) quantization schemes in the literature tend to overlook the fact that the underlying reciprocity would be broken if the guard-interval for converting measured complex-valued vectors to bit-string is calculated based on the whole CSI data set. Keeping this fact in mind, we opted in for an adaptive moving window based quantizer (MOW) (Step 2 of Algorithm 1). It is a lossless scheme and produces bit-string at 1 Bit/sample. The resulted scheme overcomes the well-known problem of burst 0's and 1's (i.e., 000 . . . 0, 111 . . . 1).

In an one-hop wireless environment, Round-Trip-Time (RTT) can be a useful metric to roughly estimate the effective channel coherence time (T c ) instead of using the Clarke's mathematical reference model [21] : T c = 9 16π( f m ) 2 , ( f m is the Doppler spread). RTT is readily available for each packet, and it takes into account various factors including propagation delay, clock offset, processing delay, motions of objects in the environment. We get the mean RTT value for the exchanged packets to set the window size w for the MOW quantizer, which is then rounded up according to the IEEE 745 standard respecting the half-to-even rule. The minimum is w = 3 since it needs at least 3 packets to successfully calculate the distance for two nodes (with asynchronous clocks). Then starting from the most significant bit, we take w element from ε g and find the meanw of that window. We convert each element of the w to 1/0 such that Q A i /B i = 1 for ε g i ≥w 0 for otherwise . After that, it moves to the next window and continues until the last element. If the last window has fewer elements than w, it will be filled by 0. This process will construct quantized bit strings Q A for STA and Q B for the AP.

Reconciliation shares the common properties of error-correction. The quantized bits on AP and STA are not necessarily the same; thus they cannot be used as is. In [5] , Dodis et al. presented a new primitive: Secure Sketch (SS). We employ SS as the reconciliation protocol for its notable advantages over others [5] . It allows reconciling one party's quantized bits with the other at minimum leakage. We chose a binary Bose-Chaudhuri-Hocquenghem (BCH) code based construction for SS, referred to as PinSketch [11] . It is the most efficient, flexible, and linear over GF (2) . One can overcome the computation time by choosing an efficient decoding algorithm for the BCH [5] . We designed the algorithm in a bottom-up approach using the available BCH library in the Linux kernel [4] .

SS generates public information X about its input a that can be used to reproduce a from its correlated version a , where a ∈ M and the metric space M has a distance function δ . It is a randomized procedure involving Sketch and Recover such that for input a ∈ M , Sketch produces a string s ∈ {0, 1}. The Recover procedure, Recover(a , Sketch(a)) = a works when δ (a, a ) ≤ t, t is the number of error. It uses random bit strings to mask original information from an adversary.

At this point, STA and AP has quantized bit strings Q A , and Q B respectively which are similar but not same. Our goal is to reconcile Q B with Q A at minimum leakage. We start designing the algorithm by choosing the Galois field order m. In our case m = 7 for generating a 128-bit key; which makes the maximum BCH codeword size n = 127 ← (2 m − 1). Details of the BCH algorithm is out of scope of this paper, hence, we refer to the original works [2] , [12] and its modified version for SS in [11] .

With the optimum error-correcting capability set as t = 9 bits, we create blocks each with 56 bits resulting 3 blocks. Because of the size of n, the last block has padding bits. Then each block is treated independently to produce secure sketch according to the Step 3 of Algorithm 1 and concatenated: S S ← S s 1 S s 2 S s 3 STA sent S S to AP as the helper string (note that S S does not expose the quantized bits Q A ). AP performs Recovery operation according to the Step 4 of Algorithm 1 to find the mismatch in Q B and correct them. Usually, in a BCH decoder, error locator root-finding is done by Chien search [3] . However, in our implementation, we used the technique of [1] for its better performance. It consists of factoring the error locator polynomial using the Berlekamp Trace algorithm down to degree 4. After that, the low degree polynomial solving technique of [41] is used. Fianally, AP and STA possess the same bit string, resulting in Q B ≡ Q A .

We map each 8-bit (starting with MSB) of the Q A /Q B according to the widely adopted 8-bit Unicode (UTF-8) (i.e., total 256 characters) encompassing the whole alphabet set of a passphrase (lowercase, uppercase, numerals, and symbols). Since there are some control and non-latin characters within the UTF-8 table, we changed U+0000 -U+0020 → uppercase HEX, and U+0080 -U+00FF → lowercase HEX. U+0021 -U+007E remains unchanged. This way, the generated passphrase complies with password policies such as lower and uppercase letters, digits and symbols (converted HEX are treated as regular AlphaNumeric). Finally, the resulted passphrase is treated as per the IEEE 802.11 standard's recommended passphrase to PSK mapping, as defined in IETF RFC 2898 section 5.2 [15] .

We used two well-known password quality estimators to evaluate ComPass generated passphrase. Microsoft's zxcvbn toolkit [29] is used to calculate the number of minimum attempts needed to guess (crack) a password using brute-force. zxcvbn's algorithm finds token, reversed, sequence, repeat, keyboard, date, and brute force pattern to estimate strength (as shown in Fig. 1, and Fig. 2) . KeePass-recommended by the German Federal Office for Information Security (BSI-E-CS001/003 1.5), and audited [7] by the European Commission's Free and Open Source Software Auditing (EU-FOSSA 1) project is used to calculate the available entropy (as shown in Fig. 3) . We assume that the information leakage due to reconciliation is negligible and at most tlog 2 (n + 1) (as mentioned in Theorem 6.3 of [5] ). Notably, an upper bound is given by 56 bits in our case. Since it is a different metric than the password strength, we leave its evaluation for future work. We have collected 50 Wi-Fi passphrases from various Cafes, Hotels, and users, which we label as the human-generated passphrase. Then we use an Apple Macbook Pro (with dedicated crpto processor) to generate another set of 50 passphrases using OSX Keychain's Password Assistant tool. Finally, we compare these two sets with 50 ComPass generated passphrases for AP (Bob) and STA (Alice). In Fig. 1 , it is shown that the human-generated passphrases would need less than 10 15 attempts, whereas machine-generated passphrases almost always need 10 31 attempts to crack it using brute-force. ComPass-generated passphrases went up as high as 10 32 and never below 10 24 guesses.

To evaluate an attacker's (Eve) performance, we put Eve very close (≤ wavelength/2) to the Alice and generate 50 passphrases for Bob-Eve. Although Eve is closely located to Alice, the Phase part of her channel profile is very different from Alice's (as also observed by Wu et al. in [34] ). Whereas, Amplitude and Signal Strength of the two is very similar. For this very reason, we chose to work with the Phase (as we have explained earlier). Now, we compare Eve's passphrases with Alice's. We append the actual (Alice-Bob's) passphrase with Eve's and Alice's to mimic the fact that Eve has partial knowledge of the channel profile. Appending Alice-Bob's passphrase to Alice does not make a difference since repeat is recognized by zxcvbn, and KeePass. Eve's channel profile will be the product of Alice-Bob's channel profile (H AB ) and Bob-Eve's channel profile (H EA ). Eve cannot separate it without a noiseless secondary channel. Notice from Fig. 2 that the chances of Eve to guess the valid passphrase would be very low as the number of guesses is drastically high even though Eve's channel profile consists of Alice-Bob's channel profile. We observed that the reconciliation scheme (in Sec. 3.4) fails when the distance is greater than 3m. It happens due to the multi-path effect that causes the reciprocity phenomenon to break, and thus there left almost negligible common randomness in the channel-phase profile to generate a common passphrase. Using KeePass entropy analysis tool, we show that on an average the humangenerated passphrases have 34-bit entropy, ComPass-generated ones have 113-bit, and machine-generated passphrases have 168-bit entropy (Fig.3) . Thus ComPass generated passphrases have nearly 3 times more entropy than a typical human generated passphrase.

In a conventional channel-based key generation methods, a final step called Privacy Amplification is performed to cover the lost entropy during the Reconciliation. We forgo this additional step in our current implementation of ComPass protocol in favor of a Secure Sketch based reconciliation protocol, which inherently provides security against leakage. In our future work, we aim to incorporate the KECCAK algorithm based NIST SHA-3 family hash functions for this purpose [6] . After this step, we hope to see that the notches in the curve of the guess analysis of ComPass generated passphrase is reduced.

Our demo setup involves implementing the algorithms on COTS hardware. We chose very ordinary and widely available TP-Link N750 routers (v1.5, v1.6), and Android device (8.0+) playing the role of AP and STA. We were operating our devices in 802.11n and chose channel number 40 (on 5GHz) with BW = 20MHz. Our patched version of ACT uses the upgraded ath10k driver instead of ath9k. All of the devices were equipped with 3 × 3 antenna, and Modulation and Coding Scheme (MCS)index 16 is set to enable transmission with all 3 antennas. For the non-linear least-squares fitting, we have used the least-square-cpp library by [20] . We enabled the bidirectional channel estimation option, where two devices (regardless of their role) exchange sounding Physcial Layer Protocol Data Unit (PPDU). The receiving STA computes an estimate of the MIMO channel matrix H k for each subcarrier k and for each RF chain. While it is possible to extract key-bits from all the available 9 antenna combination, we have implemented one of the nine paths for the demo. We put our devices in various co-working rooms of Freie Universität Berlin campus and private apartments resembling typical indoor environments to perform measurements and protocol tests.

We presented ComPass, a PLS inspired common passphrase agreement protocol for all classes of Wi-Fi devices governed by proximity (≤ 3m). It forgoes the necessity of memory friendly short password generation by an user and the dependency on PKC. We showed that the ComPass generated passphrase has increased the number of guesses required to crack it using brute force or dictionary attack compared to a typical human-generated passphrase, and it has increased the available entropy 3 times (113-bits vs. 34-bits). ComPass has been implemented on COTS hardware running the latest OpenWrt. The compiled module is 143kb in size, and can be installed on existing devices using opkg package manager or as a full firmware replacement.

Efficient Root Finding of Polynomials over Fields of Characteristic 2

On a class of error correcting binary group codes

Cyclic decoding procedures for Bose-Chaudhuri-Hocquenghem codes

Fuzzy extractors: How to generate strong keys from biometrics and other noisy data

SHA-3 Standard: Permutation-based Hash and Extendable-output Functions

Free Your CSI: A Channel State Information Extraction Platform For Modern Wi-Fi Chipsets

Tool release: Gathering 802.11 n traces with channel state information

Opportunistic Wireless Encryption

An implementation of syndrome encoding and decoding for binary BCH codes, secure sketches and fuzzy extractors

Codes correcteurs d'erreurs

RFC2898: PKCS #5: Password-based cryptography specification version 2

Factoring RSA Keys in the IoT Era

RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)

Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication

Secret key agreement by public discussion from common information

least-squares-cpp

Wireless Communications: Principles and Practice pp

Wireless Channel-based Autonomous Key Management for IoT (Au-toKEY) on WiSHFUL Testbed

Communication theory of secrecy systems

Secret Group-Key Generation at Physical Layer for Multi-Antenna Mesh Topology

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2

Decimeter-Level Localization with a Single WiFi Access Point

Wi-Fi Protected Setup (WPS) PIN brute force vulnerability

Cooperative Secret Key Generation from Phase Estimation in Narrowband Fading Channels

zxcvbn: Low-budget Password Strength Estimation

Wi-Fi Easy Connect

Alliance: Opportunistic Wireless Encryption Specification. Specification

Wi-Fi

PhaseU: Real-time LOS identification with WiFi

The Wire-Tap Channel

Instant and Robust Authentication and Key Agreement among Mobile Devices

Precise Power Delay Profiling with Commodity WiFi. MobiCom '15

Security analysis of quantization schemes for channel-based key extraction

A novel key generating architecture for wireless low-resource devices

π-splicer: Perceiving accurate CSI phases with commodity WiFi devices

On the solution of equations of degree ≤ 10 over finite fields GF(2 m )

Acknowledgements This work was carried out within "Sichere Fog-Verbindungschicht für IoT Anwendungen (SecureFog)" funded by the German Federal Ministry of Education and Research (BMBF) under the grant number 16KIS0776.