1 Introduction

With the proliferation of wireless personal devices, wireless personal area networks (WPANs) have experienced great development in recent years. A WPAN involves a variety of lightweight, small-size and low-power wireless devices, which are held or carried by the owner. For example, around an owner, a mobile phone receives daily fitness data from an associated smart bracelet and exchanges voice data with a Bluetooth headset. Other typical WPAN nodes include intelligent watches, wearable sensors and so on.

Because the wireless personal devices inevitably transmit private information in WPANs, the communications need to be secured; however, conventional solutions are unsuitable for the wireless devices to establish secure channels. First of all, there is no “mobile” trusted third-party server to help the wireless nodes authenticate each other or negotiate secret keys, so the owner can hardly connect two WPAN devices anytime and anywhere. Secondly, because the small-size WPAN devices are equipped with very limited input and output interfaces, it is difficult to type characters as prior knowledge or display a passcode to verify the communication peer before they establish secure channels. For example, the Xiaomi smart bracelet has only three LED lights as its output interface to users. Finally, although the owner could connect wireless devices by wires and then set up prior associations securely, this is very inconvenient and undermines the benefits of wireless communications.

To establish secure channels between a WPAN device and another device, both of which are carried by the owner, we need to ensure that, (a) the wireless communication peer is held or controlled by the owner, i.e., authentication; and (b) the messages exchanged are not leaked to other entities, i.e., confidentiality. To authenticate a wireless device without prior knowledge, existing proximity-based authentication solutions [4, 6, 13] employ the received signal strength (RSS) feature of nearby wireless devices, to distinguish a legitimate node from distant (or illegitimate) ones in real time. Therefore, the proximity-based authentication can be finished without requiring the owner’s explicit operations. As for the confidentiality issue, existing solutions usually leverage the reciprocity of wireless communication to negotiate secret keys, so that the eavesdroppers cannot extract the same key as the pair of WPAN nodes.

In this paper, we propose vBox, a simple but effective RSS-based solution to establish secure channels between two wireless devices without any prior knowledge. vBox follows distinct principles from the existing solutions: it requires explicit operations executed by the owner so as to proactively prevent threats from adversaries. By holding and simultaneously waving two WPAN devices that need to establish secure channels, the owner easily “builds” a virtual shield box, so that (a) the adversaries at a distance cannot send wireless signals with stable RSS to the shielded devices; and (b) the strength of wireless signals sent between these shielded devices cannot be measured accurately by the adversaries at a distance. Different from existing solutions, vBox follows a proactive philosophy. In particular, the owner explicitly creates a special environment that is static to the legitimate nodes but unpredictable to the adversaries, and deliberately tunes the strength of the signal for the key establishment.

vBox consists of two phases: the first is for authentication, and the second is to transmit secret keys. In the first phase, one node (called the initiator in this paper) sends signals with stable RSS for a certain period of time, and the other node (called the listener) verifies the stability to authenticate the initiator. In the key transmission phase, the initiator tunes its transmitting power level based on a random number, i.e., transmits a session key in plaintext; and the listener obtains the secret key based on RSS. Note that these two phases are performed while the owner waves the devices together in an unpredictable way. Then, the listener replies with a message generated by the secret key (e.g., a message authentication code) to acknowledge the integrity of the received secret key. The subsequent communications will be secured by this secret key. In addition, the above operations can be triggered after the owner presses a special button on the devices (and waves them), or automatically when the devices detect the waving and start the process of authentication and key transmission, since more and more WPAN devices are configured with motion sensors.

While vBox takes advantage of RSS to complete the authentication and key transmission, the statistics of RSS are greatly affected by the relative distance and direction between the sender and the receiver. When the initiator and the listener devices are being held together and waved by the owner, the relative distance and direction between the two devices remain unchanged. In contrast, it is extremely difficult to predict such relative distance and direction between the initiator (or the listener) and any other wireless devices not being held by the owner. In this way, the RSS detected by the listener can be synchronized by the initiator so that the authentication and key transmission succeed. Meanwhile, the listener node being waved cannot receive wireless signals with stable strength from any other wireless devices, so no adversarial wireless device would be authenticated successfully by the listener. Finally, no wireless device except the listener can detect the signal strength (i.e., the secret key) tuned by the initiator.

We implemented vBox on commercial-off-the-shelf ZigBee devices. Through extensive experiments under the normal case and several attack scenarios, we demonstrate that, by choosing suitable parameters including the authentication threshold and the power level difference for key transmission, vBox successfully establishes secure channels between wireless devices against various attacks.

The rest of this paper is organized as follows. Section 2 introduces preliminary knowledge on wireless propagation and related works. Section 3 illustrates the main idea of vBox. Section 4 presents the complete vBox protocol and discusses the parameters. Section 5 depicts the extensive experiments we have conducted for validating the properties of vBox. Section 6 evaluates the proposed scheme from the security and usability aspects. Section 7 concludes the paper.

2 Preliminaries and Related Work

2.1 Wireless Signal Propagation

The strength of a wireless signal fades, when it propagates over the air. The received signal strength (RSS), i.e., the receiver’s measurement of the wireless signals, is determined by two factors: (a) the initial strength of the wireless signal, or the transmitting power at the transmitter, and (b) the path loss, which depicts how the signal is fading through the wireless channel. So, the RSS can be expressed as Eq. 1 as follows,

$$P_R = P_{0} - P_L \tag{1}$$

where \(P_R\) is the strength (or power) of wireless signals at the receiver, and \(P_0\) is the initial strength. \(P_0\) and \(P_R\) are usually measured in dBm, and the path loss \(P_L\) is represented in dB, representing the ratio between the strengths at the transmitter and the receiver.

The path loss mainly consists of two factors, called the slow fading and the fast fading. The slow fading is caused by events such as shadowing, where a hill or large building obscures the main signal path between the transmitter and the receiver. The two main causes of fast fading are (1) the multipath effect, where the wireless signal reaches the receiver through two or more paths; (2) Doppler shift, where the relative motion between the transmitter and the receiver causes frequency shifts of the signal. Fast fading is reflected by the tremendous fluctuations of the instantaneous RSS values.

The path loss of wireless signals inside a building or densely populated area, is modeled as a log-distance formula [11] as follows:

$$P_L = C + 10{\alpha }\,\lg (d) + F_{g} \tag{2}$$

The first part C is a constant which accounts for system losses. The second part \(10{\alpha }\,\lg (d)\) is related to the slow fading, where \(\alpha \) is called the path loss exponent and d is the distance between the transmitter and the receiver. The values of \(\alpha \) range from 1.2 to 8 [9], depending on the propagation environment. In free space, the value of \(\alpha \) is 2.

The fast fading is mainly expressed in the third part \(F_g\), which is a variable reflecting the channel fading. In an indoor environment, the channel fading is mainly fast fading caused by the multipath effect. Particularly, for a receiver that is moving rapidly, the fading is aggravated by Doppler shift, which results in great fluctuations in its RSS measurements of received wireless signals. In this case, \(F_{g}\) is a variable with Rician distribution [1].

2.2 RSS-based Authentication and Key Establishment

Since the RSS is highly related to the wireless channels from the transmitter to the receiver, RSS-based approaches are proposed for proximity authentication [10] and key establishment. RSS measurement is a generally available feature for most commercial-off-the-shelf wireless devices, so such approaches outperform many hardware-based solutions in terms of usability.

In temporal RSS variation authentication (TRVA) [16], one node sends a list of RSS variations of acknowledgment frames that it has ever received, and then the other node authenticates the sender if the list is consistent with its own observation. TRVA is based on the reciprocity principle of wireless channels, but it requires that the two nodes authenticate each other a priori by other means. On the other hand, in proximity-based authentication solutions, the receiver collects the RSS statistics to determine proximity, and accepts a proximate applicant as legitimate; so they eliminate the prior knowledge that is necessary in traditional authentication systems. Good Neighbor [4] is a wireless device pairing scheme, and, like vBox, it requires neither shared secrets nor out-of-band channels. However, Good Neighbor assumes that the receiver device has at least two antennas separated by a reasonable distance (e.g., 10 cm), so it is not always suitable for small-size WPAN devices. The authentication design of vBox shares the same spirit with BANA [13], which employs the distinct RSS variation to authenticate legitimate nodes. In BANA, the unique on-body channel characteristic arises from the multipath fading in the surroundings, while vBox requires the owner to explicitly build such an environment (i.e., wave the WPAN devices).

RSS-based key establishment leverages the reciprocity of wireless communication, i.e., the wireless channels between two communicating parties affect both parties equally and cause identical RSS variations on each of them. Moreover, these variations are distinct from other channels between any communicating party and attackers, especially in dynamic environments. Therefore, a shared key can be generated secretly based on the observed RSS variations. Radio-telepathy [7] establishes a shared secret key between 802.11 nodes by exploiting the reciprocity property. R. Wilson et al. discussed such key establishment approaches in ultrawideband channels and analyzed the approximation and upper bound on the key size [15].

However, the difference between the RSS variations of the channels of legitimate nodes and those of adversaries becomes insignificant in static environments. S. Jana et al. evaluated the effectiveness of key extraction based on the reciprocity principle in different wireless scenarios, and showed that, in static environments, the eavesdropper could predict the “secret” key between two nodes [5]. Then, an adaptive approach was proposed to generate secret keys [5] at a high rate and high entropy, in both static and dynamic environments. In fact, a similar risk is also noted by the designers of BANA [13], that is, when the owner is not in motion, the legitimate on-body channel characteristic is not so distinct from that of the attack channels.

3 vBox Design

3.1 Design Goal and Threat Model

The goal of vBox is to establish secure channels between two small-size wireless devices, without any prior association. After the two phases of vBox, these two devices, called the initiator and the listener, authenticate each other and share a secret session key used for the confidentiality, authenticity and integrity of the following wireless communication. Designed for small-size mobile wireless nodes, vBox requires no extra hardware or human interface, and it leverages the RSS measurement for authentication and key transmission, which is a standard function of wireless devices. No computationally-expensive or time-consuming processing (e.g., public-key cryptographic computations) is involved in vBox, so this lightweight solution is very suitable for resource-constrained devices.

In vBox, the two wireless devices are picked up by the owner, so we assume that the owner has the ability and caution to distinguish his own devices from any malicious devices that do not belong to him. We do not consider social engineering attacks on the owner; for example, replacing the owner’s Bluetooth headset with another one that embeds malicious code. The detailed parameters and steps of the vBox protocol are publicly known. At the same time, adversaries could eavesdrop and send wireless signals, attempting to be authenticated as a legitimate device or obtain the secret key. In particular, an attacker would receive and measure all wireless signals from the initiator or the listener, or send signals to them arbitrarily. Moreover, we assume that the adversaries might be at a place very close to the owner, e.g., only \(1\,\mathrm{m}\) away, without being detected physically.

3.2 Basic Insight

Building a Virtual Box over the Wireless Channels. As mentioned in the preliminaries, the wireless signal propagation between two devices is highly related to their relative position. For two nearby devices that are relatively static to each other, the wireless channel between them is very stable. On the contrary, for two devices that are in rapid relative motion, the wireless signal propagation between them experiences tremendous fluctuations. When two devices are held together and waved randomly in the air, the wireless channel between the two relatively static devices remains stable, while any channel between a third device and either of these two devices fluctuates remarkably. Based on this fact, the owner can build a shielded environment for the legitimate initiator and listener in terms of signal stability, by holding and randomly waving them together. We name the virtual shield environment vBox.

Fig. 1. Signal propagation of the in-box channel and the off-box channel

Figure 1 illustrates the functionality of vBox in a typical indoor environment in the presence of an adversary. The initiator and the listener are held together and waved by the owner, while the adversary hides behind the wall. The solid-arrowed line indicates the direct path between the legitimate nodes, while the dashed-arrowed lines indicate the multiple paths between the legitimate devices and the adversary. We recognize three wireless channels in this scenario:

  • The initiator-listener channel. Because the initiator and the listener are kept very close, the direct path (DP) is the dominant path [12], which suffers little from the environment changes. In other words, the RSS variation is very small.

  • The adversary-listener channel. This channel exists when the adversary tries to send data to the listener to be authenticated as a legitimate device. The signal propagates through multiple paths. Meanwhile, the rapid relative motion between the adversary and the listener causes the Doppler shift. So the channel is filled with fluctuations, leading to large RSS variations at the listener.

  • The initiator-adversary channel. This channel exists when the adversary tries to eavesdrop data sent between the legitimate nodes. This channel also fluctuates due to the rapid movement of the initiator, which leads to large RSS variations at the adversary.

In the remainder, the stable channel between the initiator and the listener is also called the in-box channel, and sometimes the off-box channel is used to represent both the initiator-adversary and adversary-listener channels.

Proximity-Based Authentication Within vBox. In the first phase, the initiator is authenticated as follows. This phase can be triggered by the user by pressing buttons on the devices, or automatically by the devices themselves if they are configured with motion sensors.

  (a) The initiator sends a sequence of packets at a fixed TX power level for a predetermined period of time, as an authentication request;

  (b) On receiving the authentication request, the listener calculates the standard deviation of the sequence’s RSS;

  (c) If the calculated standard deviation is lower than a threshold, the listener accepts the authentication request; otherwise, it is rejected and the vBox protocol terminates.

vBox ensures that only the initiator that is held and waved together with the listener will be authenticated successfully. As illustrated above, the RSS variation of the in-box channel is very small, while that of the off-box channel is much greater. So, this security goal is achieved by determining the threshold of RSS standard deviation.

Tuned-RSS as Secret Keys Within vBox. After being successfully authenticated, the initiator sends a plaintext secret key to the listener, by tuning the RSS of another sequence of packets. We name this key transmission method active RSS tuning. The method is as follows:

  (a) The initiator generates an m-bit random key on its own. Then, it sends the key as a sequence of packets, where the TX power of each packet is tuned by one key bit: if the bit is ‘1’, the packet is transmitted at the power level of \(P_{0H}\); if it is ‘0’, the packet is transmitted at \(P_{0L}\).

  (b) The listener receives the m packets, and extracts the secret key based on its RSS measurements.

vBox ensures that the secret key recovered by the listener is identical to the one generated by the initiator, and adversaries cannot recover these random bits. The in-box channel is very stable and suffers little noise, while the secret information (i.e., the initial TX power) is mixed with the noise in the off-box channel. So, the security goals are achieved by determining \(P_{0H}\) and \(P_{0L}\) as well as the key recovery rule at the listener.

3.3 The RSS Analysis of vBox

RSS Variation of the Channels. We analyze the RSS (or the strength at the receiver) of the three channels, to show the practicability of vBox and find the suitable parameters in the protocols. For the in-box channel, the distance d between the two devices is almost kept unchanged; and the fading between the two closely-located devices (i.e., \(F_g\)) is expressed as a Gaussian variable \(X_{\sigma _X}\) related to the static environment. From Eqs. 1 and 2, we have

$$P_R = P_{0} - (C+10\alpha \lg (d) + F_g) \approx P_0 + X_{\sigma _X} + C' \tag{3}$$

where \(C'\) is a constant. The RSS variation is mainly determined by \(\sigma _X\), the standard deviation of X, which is typically very small if there is no malicious wireless jamming.

As for the off-box channel, the rapid relative motion between the communicating peers aggravates the fast fading phenomenon substantially, and it follows the Rician distribution. When the adversary is relatively distant from the legitimate devices and the owner waves the nodes around his body, the change of the distance between the initiator (or the listener) and the adversary is very small, compared with the effect of fast fading. From Eqs. 1 and 2, we have

$$P_R = P_{0} - (C+10\alpha \lg (d) + F_g) \approx P_0 + R_{\sigma _R} + C'' \tag{4}$$

where \(C''\) is another constant and R is a variable of Rician distribution with standard deviation \(\sigma _R\). Note the RSS variation of the initiator-adversary channel is identical to that of the adversary-listener channel.

RSS Analysis on Authentication. The authentication of vBox requires that, the RSS variation through the in-box channel is much smaller than the RSS variation through the off-box channel, and there is a clear gap between them. From Eqs. 3 and 4, it is required that: \(\sigma _X \ll \sigma _R\).

Fig. 2. RSS at Listener, sent by Initiator and Adversary with fixed TX power

Fig. 3. RSS at Listener and Adversary, of a tuned key sent by Initiator

Figure 2 shows the elementary experiment results in these different channels. In the experiment, the initiator and the adversary send packets to the listener with fixed power at a rate of 50 packets/s, respectively; the RSS measured at the listener is also shown. The legitimate nodes are held and waved rapidly together, while the adversary is placed \(3\,\mathrm{m}\) away from them. The experiment took place in an office room for 6 s. From Fig. 2, it is found that the RSS through the in-box channel is very stable, almost fixed at \(-10\,\mathrm{dBm}\). In contrast, the RSS of the adversary-listener channel is filled with fluctuations, varying dramatically in the range of \([-70\,\mathrm{dBm}, -35\,\mathrm{dBm}]\). It is verified that there exists a clear gap between the RSS variation of the in-box channel and that of the off-box channel, i.e., the RSS variation of the initiator-listener channel is restricted to a small range, while that of the adversary-listener channel is much more significant.

RSS Analysis on Key Transmission. First of all, to transmit key bits correctly, the difference between \(P_{0H}\) and \(P_{0L}\), i.e. \(\varDelta {P_0}=P_{0H}-P_{0L}\), shall be great enough to eliminate the interference of the RSS variation through the in-box channel; at the same time, to transmit key bits secretly, \(\varDelta {P_0}\) shall be small enough to prevent the adversary from recovering the random bits through the off-box channel. Basically, we have: \(\sigma _{X} \ll \varDelta {P_0}/2 \ll \sigma _{R}\).

Figure 3 is the experiment result of the key bit tuning in vBox. This experiment configuration is the same as that in Fig. 2, except that the initiator sends 128 bits by tuning the signal strength of 128 consecutive packets in 3 s, and \(\varDelta {P_0}\) is \(4\,\mathrm{dBm}\). The sequence of bits consists of ‘0’ and ‘1’ alternately, i.e., 010101...0101. It is shown that, by choosing a reasonable threshold \(R_T\) (the dashed line in Fig. 3), the listener is able to recover the bit sequence from its RSS measurements correctly: if the RSS is higher than \(R_T\), the bit is ‘1’; if lower, it is ‘0’. In contrast, adversaries cannot recover the correct bit sequence from their RSS measurements, as the original tuning is overwhelmed by the inherent fluctuations in the initiator-adversary channel.

4 The Detailed vBox Protocol

In this section, we describe the detailed authentication and key transmission steps, and then present the parameters in this protocol.

4.1 The Initiator-Listener Protocol

The secure communication between the two devices is composed of three phases. In the first phase, the listener authenticates the initiator, following the proximity-based authentication; in the second phase, the initiator transmits the secret key to the listener, by actively tuning the RSS. These two phases shall be performed while the owner waves the virtual box. Then, in the third phase, all data are protected by the negotiated secret key; e.g., each data packet is encrypted and appended with a message authentication code.

In vBox, the secure channel is established by the owner explicitly. Sometimes, the owner needs to be responsible for two issues: (a) appoint the roles (i.e., the initiator or the listener); and (b) trigger the vBox protocol. These inputs can be set through a simple interface. For example, a long press on the button means the listener, and a normal press means the initiator; then, the devices will start the protocol. However, these issues may be solved automatically, too. For example, a mobile phone always acts as the listener, and a smart bracelet or Bluetooth headset always acts as the initiator; or, if the devices are configured with motion sensors, the protocol can be triggered as they are waved. In the following description, I and L stand for the initiator and the listener, respectively.

Phase 1: Initiator Authentication

  (a) \(I{\rightarrow }L\): AuthReq(j), where \(j=1,...,N\) and N is the packet number for I to send. I sends N consecutive AuthReq using the fixed TX power level \(P_{0I}\).

  (b) \(L{\rightarrow }I\): AuthResp(AuthResult). L receives N AuthReq from I and measures the RSS values. Upon receiving the N AuthReq, L calculates the mean value and the standard deviation of the N values, denoted as \(R_T\) and \(\sigma \), respectively. Then \(\sigma \) is compared against a predetermined threshold \(\sigma _T\). If \(\sigma <\sigma _T\), L replies I with a “success” message; otherwise, replies with a “fail” message.

Phase 2: Key Transmission and Listener Authentication

  (c) \(I{\rightarrow }L\): BitCarrierMsg(i), where \(i=1,...,M\) and M is the length of the key. I decides its two transmitting power levels as \(P_{0H}=P_{0I}+\varDelta {P_0}/2\), \(P_{0L}=P_{0I}-\varDelta {P_0}/2\). I successively sends M key bit messages to L with transmitting power level \(P_{0H}\) or \(P_{0L}\). The transmitting power of the \(i^{th}\) message is decided by the \(i^{th}\) key bit \(k_i\). If \(k_i=1\), it is transmitted at power level \(P_{0H}\); if \(k_i=0\), it is transmitted at \(P_{0L}\).

  (d) \(L{\rightarrow }I\): \(AuthBack(E_{K'}(OK))\). L receives the M BitCarrierMsg from I and records the M corresponding RSS values. L first verifies that all the RSS values fall into the range [\(R_T-\varDelta {P_0}/2-3\sigma _X\), \(R_T+\varDelta {P_0}/2+3\sigma _X\)], where \(R_T\) is the mean of the RSS values of AuthReq in (b). Then L starts to recover the key from the M RSS values. L interprets, in order, each RSS value above \(R_T\) as bit ‘1’ and each RSS value below \(R_T\) as bit ‘0’. The key recovered by L is denoted as \(K'\). L replies I with an “OK” message encrypted by \(K'\).

  (e) \(I{\rightarrow }L\): Success(). I decrypts the encrypted “OK” message with the original key K, to verify the correctness of \(K'\) and authenticate L. If \(K'=K\) is verified, I replies L with a success message.

  (f) L: On receiving the Success message, L blinks its LED to inform the user. At this point, a common secret key K has been established between I and L after they authenticate each other.

Phase 3: Encrypted Communication

  (g) \(I{\leftrightarrow }L\): I and L protect the following communication with the established symmetric key.

4.2 Parameters

The following parameters are used in the prototype. A more detailed discussion on the parameters is given in Appendix A. We use a 128-bit key for key transmission, and configure T as 20 ms, i.e. 50 packets are transmitted per second for authentication and key transmission. The authentication time is \(4\,\mathrm{s}\) in Phase 1.

The Power Level Difference \(\varDelta {}P_0\). To deliver a 128-bit key correctly with a probability of 0.99, \(\varDelta {}P_0\) should satisfy: \(\varDelta {P_0}\ge {5{\cdot }\sigma _X}\). At the same time, \(\varDelta {P_0}\) should be as small as possible on the premise of ensuring the reliability of the key transmission.

The Valid RSS Range for Key Transmission. We determine a valid RSS range for key transmission, which is [\(R_T-\varDelta {P_0}/2-3\sigma _X\), \(R_T+\varDelta {P_0}/2+3\sigma _X\)], according to the empirical 3-sigma rule for Gaussian distribution [2]. The protocol requires that all the RSS values of the BitCarrierMsg fall into the valid range.
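The listener-side checks of Phase 1 (b) and Phase 2 (d), introduced in Sect. 3.2 and specified above, as an added Python example that is not the authors' ZigBee implementation. The threshold, power difference and \(\sigma \) values are the ones the paper reports in Sect. 4.2 and Sect. 5; the TX power, the path-loss constants, the trace generators and the use of the population standard deviation are assumptions, and all RSS traces are constructed rather than measured.

```python
import random
import statistics

# Values stated in the paper (Sect. 4.2, 5.2 and 5.3).
N_AUTH = 200      # AuthReq packets: 4 s at 50 packets/s
M_BITS = 128      # key length M
SIGMA_T = 1.5     # authentication threshold sigma_T
DELTA_P0 = 4.0    # power level difference Delta P_0
SIGMA_X = 0.67    # estimated in-box RSS standard deviation
SIGMA_R = 6.21    # estimated off-box RSS standard deviation

# Assumptions made only for the constructed traces below.
P_0I = 0.0            # initiator TX power P_0I, dBm
IN_BOX_LOSS = 10.0    # puts in-box RSS near -10 dBm, as in Fig. 2
OFF_BOX_LOSS = 52.0   # puts off-box RSS inside the [-70, -35] dBm span


def in_box_rss(tx_power, rng):
    """Constructed in-box sample: bounded jitter with standard deviation SIGMA_X."""
    half_width = SIGMA_X * 3 ** 0.5  # uniform(-a, a) has std a / sqrt(3)
    return tx_power - IN_BOX_LOSS + rng.uniform(-half_width, half_width)


def off_box_rss(tx_power, rng, loss=OFF_BOX_LOSS):
    """Constructed off-box sample: Gaussian stand-in for the Rician fading."""
    return tx_power - loss + rng.gauss(0.0, SIGMA_R)


def authenticate(auth_rss):
    """Phase 1 (b): return (accepted, R_T, sigma) for the AuthReq RSS values."""
    r_t = statistics.fmean(auth_rss)
    sigma = statistics.pstdev(auth_rss)  # population std dev (assumption)
    return sigma < SIGMA_T, r_t, sigma


def tx_power_for_bit(bit):
    """Phase 2 (c): P_0H for a '1' bit, P_0L for a '0' bit."""
    return P_0I + DELTA_P0 / 2 if bit else P_0I - DELTA_P0 / 2


def recover_key(bit_rss, r_t):
    """Phase 2 (d): valid-range check, then threshold at R_T. None means reject."""
    low = r_t - DELTA_P0 / 2 - 3 * SIGMA_X
    high = r_t + DELTA_P0 / 2 + 3 * SIGMA_X
    if not all(low <= rss <= high for rss in bit_rss):
        return None
    return [1 if rss > r_t else 0 for rss in bit_rss]


def run_demo(seed=2024):
    """Run both phases over constructed traces and report the listener's decisions."""
    rng = random.Random(seed)  # seeded for a repeatable demo; a device needs a CSPRNG
    key = [rng.getrandbits(1) for _ in range(M_BITS)]

    # Phase 1: one request from inside the box, one from a distant sender.
    legit_ok, r_t, legit_sigma = authenticate(
        [in_box_rss(P_0I, rng) for _ in range(N_AUTH)])
    adv_ok, _, adv_sigma = authenticate(
        [off_box_rss(P_0I, rng) for _ in range(N_AUTH)])

    # Phase 2: the tuned key bits as seen through the in-box channel.
    recovered = recover_key(
        [in_box_rss(tx_power_for_bit(b), rng) for b in key], r_t)

    # The same tuned bits at the same mean level, but with off-box fluctuation.
    off_box_bits = recover_key(
        [off_box_rss(tx_power_for_bit(b), rng, loss=IN_BOX_LOSS) for b in key], r_t)

    return {
        "legit_accepted": legit_ok, "legit_sigma": legit_sigma,
        "adversary_accepted": adv_ok, "adversary_sigma": adv_sigma,
        "key_matches": recovered == key,
        "off_box_bits": off_box_bits,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The in-box jitter is bounded so that the outcome does not depend on the seed; with unbounded Gaussian noise of the same \(\sigma _X\), a single sample outside the valid range makes the listener reject the whole key, and the protocol run has to be repeated.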

5 Experiments

We carry out extensive experiments in real world scenarios on three aspects: (1) Estimation of the RSS variation of the in-box channel and the off-box channel; (2) Verification of the effectiveness of the vBox protocol, including both authentication and key establishment; (3) Verification of the security of vBox.

5.1 Setup

The experimental system involves three wireless nodes: the initiator, the listener, and the adversary. Each wireless node in our experiment is a SmartRF05 evaluation board from Texas Instruments, which is a popular ZigBee application tester in home automation development. The node works at the radio frequency of 2.4 GHz and is capable of varying its transmission power. Each node is equipped with a 2 dBi omni-directional SMA antenna.

The initiator and the listener are held together by a researcher in his hand and kept relatively stationary to each other during the experiment. The researcher waves the initiator and the listener simultaneously and rapidly in front of himself. The adversary is placed at a distance away from the researcher, which can be as near as 1 m and as far as 8 m. The experiments are carried out in three scenarios:

Fig. 4. Layout of the rooms in Scenario A and Scenario B

  • Scenario A. Compact office room. The office room is \(4\,\mathrm{{m}}\,\times \,3.5\,\mathrm{{m}}\,\times \,3.5\,\mathrm{{m}}\) in size. The layout is shown by Fig. 4(a).

  • Scenario B. Spacious living room. The living room is \(8\,\mathrm{{m}}\,\times \,4\,\mathrm{{m}}\,\times \, 3.5\,\mathrm{{m}}\) in size. The layout is shown by Fig. 4(b).

  • Scenario C. Large dining hall. The dining hall is as large as \(20\,\mathrm{{m}}\,\times \,15\,\mathrm{{m}}\) and the ceiling is 6 m high. A clean area of 50 m\(^2\) in the hall is selected for the experiment.

5.2 Real World Estimation of the RSS Variation \(\sigma _X\) and \(\sigma _R\)

The experiments show that \(\sigma _X\ll {\sigma _R}\) holds in real world environments. We evaluate the approximation of \(\sigma _X\) and \(\sigma _R\) by performing the authentication phase of the vBox protocol 50 times in each experimental scenario and calculating the RSS variations of the initiator-listener channel and the initiator-adversary channel, respectively. The results for the initiator-listener channel are independent of the scenario, so they are shown in Fig. 5 as “Legitimate”; the results for the initiator-adversary channel are shown in Fig. 5 as “Scenario A”, “Scenario B”, and “Scenario C”, respectively. From the experimental results, we expect the real world RSS variation \(\sigma _X\) and \(\sigma _R\) to be around \(0.67\,\mathrm{dBm}\) and \(6.21\,\mathrm{dBm}\), respectively. A detailed description of the process is given in Appendix B.

Fig. 5. \(\sigma \) values in different scenarios

5.3 On the Effectiveness of the vBox Protocol

We conducted a series of experiments to verify the effectiveness of vBox. The protocol parameters are determined based on the experiment results and the principles in Sect. 4.2, and are used throughout the following experiments.

The Accuracy of Authentication. We verify the accuracy of the proximity-based authentication in the vBox protocol by testing it against the initiator and the adversary at the same time. In this experiment, both the initiator and the adversary try to authenticate themselves to the listener following the protocol. The difference is that the initiator is held and waved together with the listener, while the adversary is placed at a distance away. The experiment is conducted 50 times in each scenario, and the adversary is located at a different spot each time. The authentication threshold, i.e. \(\sigma _T\), is set to \(1.5\,\mathrm{dBm}\), according to the results of Sect. 5.2. The authentication time is set to 4 s, i.e. 200 packets are transmitted for authentication. The experimental results show that the authentication achieves 100 % accuracy through all the scenarios, with no false positive or false negative.

The Reliability of Key Transmission. We verify the reliability of the key transmission of the vBox protocol by making the initiator deliver a known 128-bit key to the listener with active RSS tuning following the protocol, and validating whether the listener can restore the key correctly from the RSS measurements. According to Eq. 7, \(\varDelta {P_0}\) is set to \(4\,\mathrm{dBm}\). The packet rate is 50 packets/s. The key is a random 128-bit sequence generated by the initiator, denoted as K. The experiment is conducted 50 times in each scenario, and the adversary is located at a different spot each time. The experimental results show that the success ratio of key transmission reaches 100 % in all the scenarios.

The Resistance Against Eavesdropping. When the initiator transmits the key, the adversary might be placed some distance away and eavesdrop on the key transmission process. The experiment is conducted 50 times in each scenario, and the adversary is located at a different spot each time. The key is the same random key generated by the initiator in the above section. We evaluate the resistance of the key transmission method against eavesdropping by calculating the Pearson correlation coefficient between the key derived by the adversary (\(K'\)) and the original key (K), both in the form of bit sequences. The smaller the correlation coefficient is, the greater the resistance of the method against eavesdropping. The Pearson correlation coefficient is calculated as:

$$\begin{aligned} \rho _{K,K'} = \frac{E(KK')-E(K)E(K')}{{\sqrt{E(K^2)-E(K)^2}}{\sqrt{E(K'^2)-E(K')^2}}} \end{aligned}$$
(5)

The results are shown in Table 1. The overall correlation coefficient of the eavesdropped key and the original key throughout all the scenarios is 0.07. Even in the worst case, which actually only occurred twice among 150 trials, the coefficient is no larger than 0.21. The small correlation coefficient indicates that the adversary can get little information from the eavesdropped RSS values. In addition, the adversary himself has no idea which bits of the key are incorrect. The result implies that recovering the key correctly by eavesdropping is infeasible, even when performed at a distance as near as 1 m from the initiator.

Table 1. Correlation coefficient for eavesdropping

The Resistance Against False Key Attack. We simulate the effect of a false key attack using the same \(\varDelta {P_0}\) as the initiator. As analyzed in Sect. 6.1, such attacks are detected and defeated by the valid range check. On this premise, we still want to test the distortion that the channel fluctuation causes on the false key. We assume that the listener recovers the key bits from the RSS measurements of the adversary regardless of the valid RSS range, interpreting any RSS above the mean value as ‘1’ and any RSS below the mean value as ‘0’. Then we calculate the correlation coefficient between the recovered key and the original false key. We let the adversary send a false key to the moving listener from 50 random spots in each scenario, with other experimental settings unchanged. The results regarding the detection ratio of the attack and the correlation between the recovered key and the original false key are shown in Table 2. The detection ratio column clearly shows that all of the false key attack attempts are detected by the valid range check. On this premise, the correlation coefficients in the remaining columns are similar to those in Table 1, which demonstrates the distortion effect of the channel fluctuations.

Table 2. Detection ratio and correlation coefficients
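The evaluation in Eq. 5 and the mean-threshold decoding rule from the false key experiment can be sketched as a small simulation. This is an added example, not the authors' code: the ±ΔP0/2 encoding around an arbitrary baseline, the i.i.d. Gaussian fading model, and the names `send`, `decode` and `run_trials` are assumptions, so the output illustrates the trend rather than reproducing Tables 1 and 2.

```python
import math
import random

SIGMA_X = 0.67   # in-box RSS variation reported in Sect. 5.2 (units as on the page)
SIGMA_R = 6.21   # off-box RSS variation reported in Sect. 5.2
DELTA_P0 = 4.0   # power step used for key transmission in Sect. 5.3

def pearson(k, k2):
    """Eq. 5 applied to two equal-length bit sequences."""
    n = len(k)
    e_k, e_k2 = sum(k) / n, sum(k2) / n
    e_kk2 = sum(a * b for a, b in zip(k, k2)) / n
    var_k = sum(a * a for a in k) / n - e_k ** 2
    var_k2 = sum(b * b for b in k2) / n - e_k2 ** 2
    if var_k <= 0 or var_k2 <= 0:
        return 0.0  # a constant sequence has no defined correlation; report 0
    return (e_kk2 - e_k * e_k2) / math.sqrt(var_k * var_k2)

def send(key, sigma, rng, baseline=-50.0):
    """Assumed channel: bit b shifts RSS by +/- DELTA_P0/2, plus Gaussian fading."""
    half = DELTA_P0 / 2
    return [baseline + (half if b else -half) + rng.gauss(0, sigma) for b in key]

def decode(rss):
    """RSS above the mean is read as 1, below the mean as 0 (rule from the text)."""
    mean = sum(rss) / len(rss)
    return [1 if r > mean else 0 for r in rss]

def run_trials(sigma, trials=50, bits=128, seed=1):
    """Mean correlation between sent and recovered keys over constructed trials."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        key = [rng.getrandbits(1) for _ in range(bits)]
        total += pearson(key, decode(send(key, sigma, rng)))
    return total / trials

if __name__ == "__main__":
    print("in-box  mean rho:", round(run_trials(SIGMA_X), 3))
    print("off-box mean rho:", round(run_trials(SIGMA_R), 3))
```
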

6 Evaluation and Analysis

In this section, we analyze vBox in terms of security and usability.

6.1 Security

Eavesdropping. The security of the scheme against eavesdropping is well guaranteed by the RSS fluctuations on the adversary’s side, which are introduced by the movements. The key transmission SNR for the initiator-adversary channel is too low for the adversary to recover the key bits. As shown in Table 1, the adversaries cannot obtain enough information on the key bits, even when they are very close (1 m) to the initiator. We can even choose a smaller \(\varDelta {P_0}\) to ensure more protection against eavesdropping, because the value of \(\varDelta {P_0}\) in our experiments is more than sufficient for reliable key transmission in the in-box channel.

False Key Attacks. In extreme cases, if the initiator suddenly loses the connection with the listener right after being authenticated successfully (e.g., out of battery), the adversary might launch a false key attack by sending a key to the listener in the name of the initiator. The false key in this attack is also delivered by RSS tuning, as required by the protocol. However, the attack will be detected and prevented in the vBox protocol. For an attacker that uses a very large \(\varDelta {P_0}\) parameter to overcome the great fluctuation of the adversary-listener channel, the attempt will be thwarted by the valid range check in Step (d) of the protocol. For an attacker that uses the same \(\varDelta {P_0}\) parameter as the initiator, the situation is worse, because: (1) he cannot pass the valid range check, either; (2) the key is greatly distorted by the great fluctuation of the adversary-listener channel (similar to the case of eavesdropping), so the listener will share a “fake” key with the adversary and the adversary cannot decrypt packets.

LOS (line-of-sight) Attacks. LOS attacks refer to the scenarios where the attacker can get relatively close to the user and a direct signal propagation path exists between them. For some RSS-based authentication or key establishment schemes whose security relies heavily on a multipath environment [5, 13], such attacks can be very threatening. However, vBox has strong resistance against LOS attacks, because the fast relative motion between the legitimate devices and the attacker leads to tremendous Doppler shift in the off-box channel [11], which contributes largely to the fast fading of the channel. Even if the attacker launches attacks in very near proximity (1 m as described in the experiment section) with no obstacle, the security is still well guaranteed. In the same spirit, the nature of vBox also makes it more resistant to attacks using directional antennas, where the attacker tries to eliminate the multipath effect by using directional antennas that provide a narrower main lobe of the radio wave.

Channel Prediction Attacks. The proposed scheme is also secure against channel prediction attacks. In such attacks, the attacker might leverage his knowledge of the environment to predict the wireless channel between himself and the target device. However, this attack is usually effective against stationary targets only. In our scheme, the random movement of the initiator makes real-time channel prediction impractical. Note that this random entropy comes not only from the owner’s waving but also from the greatly aggravated fast fading of the wireless channel due to the waving.

6.2 Usability

Operation Time. The vBox protocol is very efficient in terms of time consumption. The experiment results show an operation time of about 6.5 s (4 s for authentication, and 2.5 s for key transmission). The time efficiency is remarkably high compared with existing works, which on average take more than 10 s to finish the authentication [4, 13].

Secret Bit Rate. The secret bit rate (as defined in [5]) of vBox is approximately 1, meaning that each RSS measurement can contribute nearly 1 secret bit. This can be seen as an advantage over existing key extraction approaches, whose secret bit rates are mostly around 0.3 [3, 5, 7, 14]. At a sending speed of 50 packets/s, vBox can finish the establishment of a 128-bit key within 3 s.

Computation Overhead. vBox is lightweight in terms of computation overhead. Unlike approaches that leverage public key cryptography, there are no computationally expensive operations involved in vBox. This lightweight feature makes it a good choice for low-end WPAN nodes.

Versatility. vBox does not rely on any pre-shared secrets between the devices or additional hardware support such as special biometric sensors, NFC transceivers, or multiple antennas. vBox is applicable for almost all off-the-shelf small-size wireless devices.

Ease of Use. The users of vBox do not need any special training. The human interaction involved is very simple: pressing a button and waving for a short period of time. For devices that are equipped with a motion sensor (which has already been widely adopted), the operation can be even simpler by detecting the motion of the user and starting the protocol automatically.

7 Conclusion

In this paper, we proposed vBox, a method to proactively establish secure channels between wireless devices without any prior knowledge. By requiring the owner to simply wave the devices together, vBox builds a virtually shielded environment for RSS-based authentication and secret key transmission in plaintext. vBox eliminates the dependence on dynamic environments of existing RSS-based authentication and key negotiation approaches. We presented the detailed vBox protocol and implemented it on commercial off-the-shelf ZigBee devices. The experiment results and security analysis demonstrate that vBox is lightweight, easy to use, efficient and secure against various attacks.