Internet Engineering Task Force
Internet-Draft
Intended status: Informational                       Southeast University
Expires: April 11, 2019                                  October 8, 2018


               Authentication by Physical Layer Features
             draft-linning-authentication-physical-layer-00

Abstract

   This document proposes an authentication method that uses physical
   layer features of the terminal unit.  It assumes that the reader is
   familiar with the basic concepts and details of physical layer
   security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 11, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Applicability
     2.1.  Physical layer feature extraction
     2.2.  Physical Layer Feature based Authentication
   3.  Physical Layer Feature Extraction
   4.  Physical Layer Feature based Authentication
   5.  Example
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   Classical device authentication methods include the MAC address, a
   pre-shared key or a digital certificate.  However, a MAC address is
   easily imitated and can hardly ensure security.  The security of a
   pre-shared key or a digital certificate depends mainly on the
   strength of the key and of the authentication algorithms.

   Physical layer feature based device identification provides physical
   layer security protection for networks.  Using the inherent physical
   layer features of a terminal unit, identity authentication can be
   realized from the received waveform alone.

   Physical layer features have been shown to be unique and persistent,
   so they can be used for terminal unit identification.  They can be
   obtained by transient feature extraction, spectrum feature
   extraction or modulation feature extraction [Ref_1].  A gateway can
   then identify the terminal unit from the received signal waveforms
   with identification algorithms.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Applicability

   This mechanism authenticates the identity of the terminal unit by
   its physical layer features and is suitable for wireless, wired and
   optical networks.

   When a network node transmits a message to other network nodes, the
   binary message is transformed into an analog signal in the physical
   layer.
   This physical layer signal carries the unique physical layer feature
   of the transmitter.  The receiver uses the physical layer features
   present in the transmitter's signal.

   The steps are listed below:

2.1.  Physical layer feature extraction

   Physical layer feature extraction methods fall into three
   categories: transient-based, spectrum-based and modulation-based
   methods [Ref_1].  The obtained physical layer features are digitized
   into a feature vector, which is used for authentication.

2.2.  Physical Layer Feature based Authentication

   The gateway uses the extracted physical layer features to
   authenticate the accessing terminal device.

3.  Physical Layer Feature Extraction

   The physical layer features include transient-based, spectrum-based
   and modulation-based features.

   Transient-based methods measure the turn-on/off transient or the
   variations of the transmitted signal for device identification.
   These features are extracted by measuring the envelope of the
   transient signal.  Signal processing methods such as principal
   component analysis (PCA) and the discrete Fourier transform (DFT)
   are employed for further feature processing.  Statistical methods
   are also used for transient-based feature extraction: the standard
   deviation, variance, skewness and kurtosis of the transient
   amplitude, phase and frequency are extracted as physical layer
   features.  A vector of these features is directly employed for
   authentication [Ref_1][Ref_2].

   The signal spectrum is another important physical layer feature.
   The power spectral density (PSD) is extracted directly from the
   samples of the received signal.  In general, the non-linear
   behaviour of the device transmitter is the main source of the signal
   spectrum feature.
   The signal spectrum feature can be quantified by selecting several
   significant regions of the PSD.  The in-band and out-of-band
   outlines of the PSD are another important physical layer feature for
   authentication [Ref_1].

   Modulation-based methods extract stable features from the received
   signal, including the automatic gain control (AGC) response,
   amplifier nonlinearity characteristics, sampling frequency offset,
   carrier frequency offset, the differential constellation trace
   figure (DCTF) and so on.  These modulation-based features can be
   extracted in the baseband by specific methods [Ref_3].

   The extracted physical layer features are grouped into a feature
   vector.  This feature vector is then used for authentication.

4.  Physical Layer Feature based Authentication

   In physical layer feature based authentication, the gateway runs two
   processes: a training process and a decision process.  In the
   training process, the system works over a secure connection: the
   identity of the accessing device is genuine and known to the
   gateway.  The gateway captures the physical layer signal and
   extracts the physical layer feature, which is stored in a database
   for use in the decision process.  In the decision process, the
   system works in an open network: the gateway receives the signal of
   the accessing terminal device and authenticates the identity of the
   terminal using the features stored in the database.

   In the terminal identity authentication problem, the gateway faces
   two situations.  In the first situation, the identity of the
   terminal device has been registered before, and the terminal device
   declares its identity when accessing.  In this case, the gateway
   compares the extracted physical layer feature with the feature
   vector stored in the database.  The result of the comparison is a
   degree of similarity between the accessing terminal device and the
   legitimate device.
   The gateway confirms the identity of the accessing terminal device
   when the degree of similarity is higher than a threshold.  If the
   identity of the accessing terminal device is legitimate, the gateway
   opens the connection from the terminal device to the internal
   network.  In the second situation, the identity of the terminal
   device has not been registered before.  In this case, the gateway
   also extracts the physical layer feature of the accessing terminal
   device and compares it with all of the feature vectors stored in the
   database, which yields a set of degrees of similarity between the
   accessing terminal device and the stored features.  The gateway
   confirms the new identity of the accessing terminal device when all
   of the degrees of similarity are lower than a threshold, and closes
   the connection from the terminal device to the internal network.

5.  Example

   An application example is introduced as follows.

   The authentication by physical layer feature system includes four
   elements: a terminal unit, a physical layer feature extraction unit,
   an internal network unit and an access control unit.  The terminal
   unit is connected to the physical layer feature extraction unit and
   to the access control unit.  The physical layer feature extraction
   unit is connected to the access control unit.  The internal network
   unit is connected to the access control unit.  The signal is
   transmitted from the terminal unit to the physical layer feature
   extraction unit, and from the physical layer feature extraction unit
   to the access control unit.  The terminal unit and the access
   control unit exchange signals in both directions, as do the internal
   network unit and the access control unit.

   The physical layer feature extraction unit includes three
   components: a front-end signal capture device and a processor.
   The processor extracts the physical layer feature from the signal
   captured by the front-end signal capture device.  The access control
   unit includes two components: storage and a processor.  The
   processor authenticates the accessing terminal device using the
   physical layer feature.  The authentication rule and the identity
   information are stored in the database of the storage, as is the
   extracted physical layer feature.

   In the training process, the physical layer feature extraction unit
   first obtains the physical layer feature and transmits it to the
   access control unit.  The access control unit binds the physical
   layer feature to the identity of the terminal device and stores the
   feature of the trained device in its database.

   In the decision process, the physical layer feature extraction unit
   captures the signal of the accessing terminal device, extracts the
   physical layer feature from the captured signal and transfers the
   feature to the access control unit.  The decision process has two
   situations.  In the first situation, the identity of the terminal
   device has been registered before in the database.  The terminal
   device declares its identity when it accesses the network.  The
   access control unit compares the extracted physical layer feature
   with the stored physical layer feature that the declared identity
   indexes in the database.  This comparison yields a degree of
   similarity.  If this degree of similarity is higher than a
   threshold, the access control unit confirms the identity of the
   device and opens the connection from the terminal unit to the
   internal network unit.
   If this degree of similarity is lower than the threshold, the access
   control unit rejects the access of the device and closes the
   connection from the terminal unit to the internal network unit.  In
   the second situation, the identity of the terminal device has not
   been registered before in the database.  The terminal device does
   not declare its identity when it accesses the network.  The access
   control unit compares the extracted physical layer feature with all
   of the stored physical layer features in the database.  This
   comparison yields the highest degree of similarity.  If the highest
   degree of similarity is lower than a threshold, the access control
   unit confirms the new identity of the accessing terminal device and
   closes the connection from the terminal unit to the internal network
   unit.  If the highest degree of similarity is higher than the
   threshold, the access control unit requires another authentication
   method to confirm the identity of the terminal device.

6.  IANA Considerations

   This document includes no request to IANA.

7.  Security Considerations

   This section addresses only the security considerations associated
   with the use of physical layer features for authentication.  How
   similar the physical layer features of different devices are depends
   on the consistency of the physical devices and on the measurement
   accuracy of the gateway.  If the gateway cannot distinguish the
   physical layer features of different devices, authentication methods
   in higher layers are required.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

8.2.  Informative References

   [Ref_1]    Danev, B., https://dl.acm.org/citation.cfm?id=2379782,
              2012.
   [Ref_2]    Carbino, T. J.,
              https://ieeexplore.ieee.org/document/7069371/, 2015.

   [Ref_3]    Peng, L., https://ieeexplore.ieee.org/document/7752534/,
              2016.

Authors' Addresses

   Linning Peng
   Southeast University
   No.2 SiPaiLou
   NanJing, JiangSu 210096
   China

   Phone: +86 25 52091692
   Email: pengln@seu.edu.cn

   Aiqun Hu
   Southeast University
   No.2 SiPaiLou
   NanJing, JiangSu 210096
   China

   Phone: +86 25 52091692
   Email: aqhu@seu.edu.cn
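The following is an added worked example, written for this page and not part of the draft or of the authors' work. It ties Sections 3, 4 and 5 together in Python: a constructed transmitter model produces signal captures, feature_vector builds the Section 3 vector (standard deviation, variance, skewness and kurtosis of the transient amplitude, plus the mean power of selected PSD regions, covering the in-band and out-of-band parts of the spectrum), and a Gateway class runs the training process and the two decision situations of Sections 4 and 5. Everything specific is an assumption: the exponential turn-on model and its parameters tau, cfo and a3, the enrolled devices dev-A, dev-B and dev-C with deliberately exaggerated parameter differences, the choice of PSD regions, the degree-of-similarity function (1 / (1 + distance) after scaling each feature by its spread across the enrolled database) and the threshold of 0.8.

```python
"""Constructed example (not from the draft): Section 3 feature vector plus the
Section 4/5 training and decision processes of a physical-layer-feature gateway."""
import math
import random

N = 128          # samples per capture
F0 = 16          # nominal carrier bin
TRANSIENT = 64   # leading samples treated as the turn-on transient
# Assumed "significant regions" of the PSD, as (first bin, last bin + 1):
# four in-band regions around the carrier and one out-of-band region.
REGIONS = [(8, 12), (12, 16), (16, 20), (20, 24), (24, 64)]

def synth_capture(tau, cfo, a3, seed):
    """Constructed transmitter: exponential turn-on envelope (time constant tau),
    carrier offset cfo in bins (exaggerated), cubic nonlinearity a3, seeded noise."""
    rng = random.Random(seed)
    out = []
    for t in range(N):
        env = 1.0 - math.exp(-t / tau)
        x = env * math.cos(2 * math.pi * (F0 + cfo) * t / N)
        out.append(x + a3 * x ** 3 + rng.gauss(0.0, 0.002))
    return out

def moments(x):
    """Standard deviation, variance, skewness, kurtosis (Section 3 statistics)."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x) / n
    std = math.sqrt(var)
    if std == 0.0:
        return [0.0, 0.0, 0.0, 0.0]
    skew = sum((v - mean) ** 3 for v in x) / (n * std ** 3)
    kurt = sum((v - mean) ** 4 for v in x) / (n * var ** 2)
    return [std, var, skew, kurt]

def psd(x):
    """Periodogram by direct DFT over bins 0 .. N/2-1 (N is small, no FFT needed)."""
    n = len(x)
    out = []
    for k in range(n // 2):
        re = sum(v * math.cos(2 * math.pi * k * t / n) for t, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * t / n) for t, v in enumerate(x))
        out.append((re * re + im * im) / n)
    return out

def feature_vector(x):
    """Section 3: transient amplitude statistics + mean power per PSD region."""
    amplitude = [abs(v) for v in x[:TRANSIENT]]
    spec = psd(x)
    return moments(amplitude) + [sum(spec[a:b]) / (b - a) for a, b in REGIONS]

class Gateway:
    """Training process (enrol) and decision process (decide_*) of Sections 4/5."""

    def __init__(self, threshold=0.8):
        self.db = {}                 # identity -> stored feature vector
        self.threshold = threshold   # assumed degree-of-similarity threshold

    def enrol(self, identity, capture):
        """Training: identity is genuine and known (secure connection)."""
        self.db[identity] = feature_vector(capture)

    def _scale(self):
        """Assumed scaling: per-feature spread across the enrolled database
        (needs at least two enrolled devices to be meaningful)."""
        scale = []
        for column in zip(*self.db.values()):
            mean = sum(column) / len(column)
            spread = math.sqrt(sum((v - mean) ** 2 for v in column) / len(column))
            scale.append(max(spread, 1e-9))
        return scale

    def similarity(self, features, identity):
        """Degree of similarity in (0, 1]: 1 / (1 + scaled Euclidean distance)."""
        d = math.sqrt(sum(((a - b) / s) ** 2 for a, b, s in
                          zip(features, self.db[identity], self._scale())))
        return 1.0 / (1.0 + d)

    def decide_declared(self, capture, declared):
        """First situation: the terminal declares a registered identity."""
        if declared not in self.db:
            return ("closed", declared)
        sim = self.similarity(feature_vector(capture), declared)
        return ("open", declared) if sim >= self.threshold else ("closed", declared)

    def decide_undeclared(self, capture):
        """Second situation: no declared identity; compare against every entry."""
        features = feature_vector(capture)
        best = max(self.db, key=lambda i: self.similarity(features, i))
        if self.similarity(features, best) < self.threshold:
            return ("closed", "new")   # new identity; internal network stays closed
        return ("further-auth", best)  # resembles an enrolled device (Section 5)

if __name__ == "__main__":
    gw = Gateway()
    for name, params in [("dev-A", (4, 0, 0.0, 1)), ("dev-B", (40, 4, 0.3, 2)),
                         ("dev-C", (6, -4, 0.6, 3))]:   # constructed devices
        gw.enrol(name, synth_capture(*params))
    print(gw.decide_declared(synth_capture(4, 0, 0.0, 11), "dev-A"))  # ('open', 'dev-A')
```

Both decision functions return the connection state ("open", "closed" or "further-auth") together with the identity the decision applies to, so an undeclared device that resembles an enrolled one is not admitted on physical layer evidence alone, as Section 5 requires. The scaling step needs at least two enrolled devices, and a real deployment would set the threshold from the similarity distributions measured on genuine and impostor captures rather than from a constant.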