Analysis and Enhancement of Physical Layer Security in Wireless Communication


Student thesis: Doctoral Thesis

Award date: 15 Sept 2017


Wireless communications are used in many scenarios that matter in daily life, such as wireless payment, Wi-Fi and peer-to-peer communication. However, the security issues of wireless communication differ from those of wired communication: the main threats to wireless communications are jamming and eavesdropping. Physical layer security is a new way to deal with these two threats without the need for a pre-shared key between the communicating parties. To evaluate new physical layer proposals effectively we require attack models that reflect realistic operating conditions and threats. Although physical layer security is a well-developed research area, its attack models mostly take into account only simple, passive attackers. The main goal of this thesis is to draw attention to smarter or active attackers, and to show that attack models for the physical layer need to be considered more carefully in light of the objective of the scheme.

The first part focuses on self-jamming schemes, which are used as protection against eavesdropping. A self-jamming scheme uses a jamming signal to degrade the capacity of the channel between the legitimate participants and the eavesdropper, with the purpose of preventing data leakage to the eavesdropper while still enabling the legitimate receiver to recover the message. The jamming signal is transmitted by the receiver, so secret communication can be achieved without a pre-shared key. These schemes play an important role in physical layer security and have attracted the attention of many researchers. However, the security analysis of these schemes is challenging. A scheme can be shown to be theoretically secure under specific conditions, but there are questions about the practical feasibility of those conditions. Similarly, a scheme can be shown to be experimentally secure under practical conditions, but then there are questions about the capability of the defined attacker. This thesis draws attention to these shortcomings by looking at schemes argued to be secure under certain conditions which are nevertheless vulnerable to different avenues of attack.

I propose a practical desynchronization attack on a self-jamming scheme that uses the reader signal to jam RFID communication. The scheme uses the reader signal to hide the tag signal, and it has been shown experimentally to be effective against an attacker using a conventional method for data recovery, i.e. one who behaves like an honest receiver. However, the jamming signal cannot cover the tag signal perfectly: in practice there is a small amount of desynchronization between the jammer and the sender. I introduce a smarter attacker that uses this desynchronization to recover the data. This draws attention to the fact that an attack model should consider the capability of the attacker more carefully, and that an attacker need not follow the rules of a standard receiver. I then propose a new countermeasure that fixes the weakness by varying both the time interval and the amplitude, so as to hide the peaks and valleys caused by desynchronization.
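The following toy simulation is an added illustration of the principle described above; it is not code from the thesis, and it does not reproduce the actual RFID scheme or the thesis's countermeasure. In this constructed model a tag sends on/off symbols, a jammer covers them with a random on/off signal on the same slot grid but lagging by a few samples, a conventional eavesdropper simply thresholds the received sum, and a smarter eavesdropper compares the first few samples of each slot with the body of the previous slot, which cancels the cover and exposes the tag's bit transitions. The amplitude A, slot length SLOT, lag DESYNC and the randomised cover used as a stand-in for the countermeasure are all assumptions.

```python
"""Toy model of a desynchronization attack on a self-jamming cover signal.

Constructed illustration only: the waveform model, amplitudes and timing
below are assumptions, not the RFID scheme or countermeasure from the thesis.
The tag sends one bit per slot as an on/off level (0 or A). The jammer sends
a random on/off cover on the same slot grid, so an eavesdropper who merely
thresholds the sum cannot tell tag-on/cover-off from tag-off/cover-on. The
cover lags the tag by DESYNC samples, so the first DESYNC samples of every
tag slot still carry the previous cover level.
"""
import random

A = 1.0        # tag modulation depth (assumed)
SLOT = 40      # samples per symbol slot (assumed)
DESYNC = 3     # jammer lag in samples, small relative to SLOT (assumed)
assert 0 < DESYNC < SLOT


def tag_waveform(bits):
    """On/off keyed tag response, one slot per bit."""
    return [A * b for b in bits for _ in range(SLOT)]


def cover_waveform(segments, lag):
    """Piecewise-constant jamming signal built from (level, hold) segments,
    preceded by `lag` samples of silence."""
    wave = [0.0] * lag
    for level, hold in segments:
        wave.extend([level] * hold)
    return wave


def aligned_cover(n_bits, rng):
    """Naive cover: random on/off levels, each held for exactly one slot."""
    return cover_waveform([(A * rng.randint(0, 1), SLOT) for _ in range(n_bits)], DESYNC)


def randomised_cover(n_bits, rng):
    """Stand-in for the countermeasure: vary both the hold time and the
    amplitude so that cover edges no longer line up with tag slot edges."""
    segments, total = [], 0
    while total < n_bits * SLOT:
        hold = rng.randint(SLOT // 4, SLOT)
        segments.append((rng.uniform(0.0, A), hold))
        total += hold
    return cover_waveform(segments, DESYNC)


def mix(tag, cover):
    """What the eavesdropper receives: tag plus cover (noise-free toy)."""
    return [t + c for t, c in zip(tag, cover)]


def _mean(xs):
    return sum(xs) / len(xs)


def conventional_eavesdropper(rx):
    """Demodulates like the honest receiver but without knowing the cover:
    slot mean thresholded at A/2. Slots where exactly one of tag/cover is
    on sit near A and are read as 1, so every tag-off/cover-on slot is misread."""
    n = len(rx) // SLOT
    return [1 if _mean(rx[k * SLOT:(k + 1) * SLOT]) > A / 2 else 0 for k in range(n)]


def desync_attack(rx):
    """Smarter eavesdropper. In slot k the first DESYNC samples equal
    tag_k + cover_{k-1}, while the body of slot k-1 equals
    tag_{k-1} + cover_{k-1}; their difference cancels the cover and leaves
    tag_k - tag_{k-1}. Integrating these differences gives every level
    relative to tag_0, and any slot whose body is ~0 (both off) or ~2A
    (both on) pins the absolute level."""
    n = len(rx) // SLOT
    edge = [_mean(rx[k * SLOT:k * SLOT + DESYNC]) for k in range(n)]
    body = [_mean(rx[k * SLOT + DESYNC:(k + 1) * SLOT]) for k in range(n)]
    rel = [0.0]                                   # tag_k - tag_0
    for k in range(1, n):
        rel.append(rel[-1] + edge[k] - body[k - 1])
    t0 = 0.0                                      # fallback guess if no anchor slot exists
    for k in range(n):
        if abs(body[k]) < A / 4:
            t0 = -rel[k]
            break
        if abs(body[k] - 2 * A) < A / 4:
            t0 = A - rel[k]
            break
    return [1 if t0 + r > A / 2 else 0 for r in rel]


def bit_errors(recovered, truth):
    return sum(1 for r, t in zip(recovered, truth) if r != t)


def demo(seed=7, n_bits=64):
    """Run both eavesdroppers against the naive and the randomised cover."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    rx_naive = mix(tag_waveform(bits), aligned_cover(n_bits, rng))
    rx_hardened = mix(tag_waveform(bits), randomised_cover(n_bits, rng))
    return {
        "conventional_vs_naive_cover": bit_errors(conventional_eavesdropper(rx_naive), bits),
        "desync_attack_vs_naive_cover": bit_errors(desync_attack(rx_naive), bits),
        "desync_attack_vs_randomised_cover": bit_errors(desync_attack(rx_hardened), bits),
    }


if __name__ == "__main__":
    print(demo())
```

Against the slot-aligned cover the differential attack recovers every bit while the conventional receiver misreads the ambiguous slots; once the cover's hold times and amplitudes are randomised, the edge-minus-body difference no longer cancels the cover and the same attack degrades to guessing. Note that this toy only models the edge leak, not the strength of the cover itself.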

If self-jamming schemes are applied in practice, for example to short-range payment systems, we may require not only data confidentiality but also integrity. There is therefore also a need to consider not only passive eavesdroppers but also active attackers attempting to modify messages. An active attacker aims to block or modify the data signal by transmitting an attack signal. Although 'overshadowing' is a known attack method, there is a common assumption that such an approach would be detected in self-jamming schemes. For example, some well-known audio self-jamming channels assume that the participating users would be able to hear such an attack. I analyze the possibility of launching a successful inaudible overshadowing attack on existing self-jamming schemes that use audio channels, and show that inaudible attacks are feasible. This again illustrates defects in common attack models, and the need for physical-layer security mechanisms to consider both passive and active attackers where relevant.

The second part of this thesis focuses on physical layer key agreement based on channel state information (CSI). PHY-UIR (PHYsical layer key agreement with User Introduced Randomness) is the only published work that proposes a detailed defence against one class of active attack, the signal manipulation attack. In this part, I propose an attack that combines a signal manipulation attack with a man-in-the-middle attack to break PHY-UIR. I call it a session hijacking attack because the attacker hijacks the key agreement by amplifying and forwarding high-power signals, forcing the legitimate devices to run the PHY-UIR protocol with the attacker; in this way the attacker and the device generate the same key. My experimental results validate the attack and show that it is highly effective at manipulating the generated key. A simple and efficient defence against the session hijacking attack is proposed at the end.

The three sets of experimental results above demonstrate that defects can be found in schemes shown to be secure according to a chosen attack model. This is not necessarily a weakness in the scheme itself; it highlights the fact that our security analysis is only as strong as our assumptions about the operational environment and the attacker. Researchers therefore need to consider different attack approaches in their attack models in order to produce more secure schemes. Apart from demonstrating defects in attack models, I have in each case also proposed solutions that mitigate these attack approaches.