Time Correlation Analysis of Secret Key Generation via UWB Channels

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

Time Correlation Analysis of Secret Key Generation via UWB Channels Masoud Ghoreishi Madiseh, Stephen W. Neville, Michael L. McGuire Department of Electrical and Computer Engineering University of Victoria Victoria, B.C. V8W 3P6, CANADA Email: {masoudg,sneville,mmcguire}@ece.uvic.ca Abstract—Wireless channel characterization is a known methodology for the generation of secret keys, where the secrecy of the key depends on the spatial-temporal correlation properties of the channel which themselves arise due to the channel’s physical constraints. Spatial correlations can be suitably addressed simply by moving from narrow band channels to ultra-wide band (UWB) channels, but this does not address temporal correlations, (i.e., the likelihood that two successive key generation processes will generate the same, or nearly the same, key). This work shows that the worst-case of the temporal correlation problem, (i.e., when an eavesdropper has perfect knowledge of all past channel characterizations) is effectively addressed by applying channel prediction to the available ensemble of channel characterisation events and removing the predictable ensembles. It is shown that this proposed prediction approach increases the security of the key generation process while simultaneously reduce the available amount of information for the key generation. Moreover, real-world experimental data is also applied to confirm that a linear prediction suffices in this case.

I. I NTRODUCTION The communication of sensitive information via IT systems and technologies has become a commonplace activity. How to keep these communications secure and private remains a pressing research problem, particularly when the level of achieved security and/or privacy must be quantified. Key generation via wireless channel characterizations offers one approach to address critical portions of this overall problem in a manner that ties the achieved security to the physics of the communications channel. Wireless channel characterizations provide a methodology by which two parties, Alice and Bob, can jointly observe a common source of random information, which can then be used for key generation [1]– [8]. More particularly, the portion of the wireless channel that is of most interest for key generation purposes can be viewed as exactly the opposite of the portion of the channel that is of interest for actual message communications. Standard communication approaches are most interested in the highly stable and predictable portions of the channel, as this allows maximum communication rates, whereas key generation processes would like to exploit regions of the channel that exhibit the highest degrees of spatial-temporal non-stationarities, (i.e., the channel’s least predictable portions). In this manner, ideally, the key generation process will innately construct shared secret keys that are temporally and spatially specific, (i.e., Alice and Bob would generated a new key for each change in their relative

locations and each time they go through the key generation process). Such approaches, assuming the per key generation cost is sufficiently low, open the door to single-use secret keys in which the security of the key is based on physical constraints and not algorithmic constraints. Key generation exists as an alternative to the standard approaches such as key distribution, a hard problem in a wireless environments assuming no a priori shared secret exists, or public key cryptography, in which a public-private key pair exists and the public keys is, as the name implies, publicly published. Although public key cryptography could be used to address the problem, several issues arise. First, both Alice and Bob must have access to some repository where the other’s public key is stored, where this may or may not be available within a general wireless environment. Second, to retain security Alice and Bob must regularly change their public-private key pairs, given that theft of electronic keys is largely undetectable and exists as a limiting cases with respect to quantifying the level of achieved security1 . The need to regularly change keys leads to synchronization problems in that Alice and Bob must ensure that they are using the others current public-key. Third, man-in-the-middle approaches can be used to circumvent the presumed security of the publicprivate key approach, or secret key approaches for that matter. Fourth, when trusted third parties are used as the holders of the public keys, then the issue of forged credentials, such as occurred with [9], becomes a problem. Finally, in general public-private keys must be substantially longer than secret keys to achieved the same level security due to the existence of additional attack vectors [10], (e.g., generally, 1024-bits public-private keys versus 128-bit secret keys). This leads to substantial increased performance costs to perform encryption and decryption tasks which, although tenable under modern desktop of laptop computers, becomes untenable for mobile devices and/or for applications such as streaming real-time multimedia. Previously, the authors have proposed an approach for key generation via the characterization of indoor UWB wireless 1 In general, the algorithmic security of the keys are based on computational complexity arguments; hence, stealing the electronic keys, a relatively simple process, always exists as the easier strategy to circumvent the assumed keybased security, assuming no innate defects in how the keys were generated or are used exist.

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

channels [7], [8]. In [8], which showed that such an approach has advantages over key distribution and public-private keys in that: (a) no a priori information sharing is required, (b) shorter 128-bit secret keys can be used, (c) new keys can be generated on-demand at low-cost, and (d) the security of the generated key arises via the physical constraints of the UWB channel, (i.e., innately low spatial correlations exist where an eavesdropper must be be within 10 cm of Alice or Bob to see the same channel). The problem that arose with these prior works though was that the temporal correlation of the communications channel, specifically within a highly static indoor environment, was unreasonably high. More particularly, if it was assumed that an ideal attacker existed who had access to an oracle through which all past channel characterization where available, then that attacker could, with high probability, either: (a) identify the next secret key that Alice and Bob would generate or (b) be able to substantially reduce the search space for this key such that the problem of determining the key became trivial. This problem arises since, assuming Alice and Bob remain fixed in their locations and the environment in which they are located also remains fixed, (i.e., the principal reflectors within the environment remain constant and at constant angles of Alice and Bob), then the principal components of the channel characterizations remain nearly constant over time. Hence, the next key generated has a high probability of being very similar to the last key that was generated, Alice and Bob’s local noise effects largely precluding the possibility that exactly identical keys are generated each time. This work addresses this innate temporal predictability problem by applying a linear predictor to the ensemble of available channel characterizations to ensure that the extracted key bits are taken solely from the hard to predict portions of the channel, (i.e., those portions that exhibit sufficiently high degrees of non-stationarity which exist as the predictor’s innovation sequence). It is shown, via analysing real-world collected experimental data, that linear prediction generally suffices in that the collected data exhibits does not exhibit non-linear correlations. Hence, through extending the authors’ prior work via this new proposed approach, a key generation process can be constructed that meets the tenets of providing low-cost temporally and spatially specific keys. The remainder of the work is organized as follows: Section II introduces the applied channel prediction approach and the required background information with respect to channel characterization based key generation. Section III then provides the confirmation that linear prediction suffices for this application via through the analysis of experimentally collected real-world UWB channel characterization traces. Section IV then performs simulation-based evaluations to determine the impact that the proposed prediction approach has on the likelihood that Alice and Bob are still capable of independently generating the identical secret keys, where this is expressed in terms of the likelihood that key disagreements occur versus the bit length of the generate keys. Section V then concludes the work.

II. T HE P ROBLEM OF C HANNEL P REDICTION AND BACKGROUND I NFORMATION The authors, with a prior set of works [7], [8], have shown that UWB channel characterizations can be used as a source of common mutually observable random information by which a given pair of communicating parties, Alice and Bob, can generate a secret key in a manner that is secure versus eavesdropping. These works primarily extended prior literature on key generation via narrow band channel characterizations [1]– [3] and key generation via mutually observable random information in general [4] to the domains of indoor UWB channels. More particularly, UWB channels offer a core advantage over narrow band channels for key generation in that the physics of UWB innately requires that any eavesdropper must be within located 10 cm of either Alice’s or Bob’s physical location to obtain channel measurements which are highly correlate with Alice’s and Bob’s channel measurements, (i.e., eavesdroppers located outside of this 10 cm regions of co-locations receive largely uncorrelated channel measurements, as has been confirmed by real-world measurements [8]). Importantly, this includes eavesdroppers who are located directly on the line-of-site (LOS) path between Alice and Bob, where of course in the narrow band case such an eavesdropper will receive a highly correlated channel measurement. As was shown in [7], [8], error correction coding approaches and a public discussion approach must also be included to address the issue that Alice’s and Bob’s channel measurements also must be considered to be contaminated by local independent noise sources, (i.e., local thermal noise, etc.), if a suitably low probability of key disagreement is to be achieved. The experimental measurements that were taken in support of the authors’ prior works were taken within a standard research laboratory setting. A channel characterization pulse was transmitted every 500 msec and the channel impulse response was recorded for each pulse, where each of these impulse responses could then be used to generate a secret key, (i.e., the experimental setting mimics the extreme case where Alice and Bob seek to generate a new secret key every half second). During these tests normal activities occurred within the laboratory environment, (i.e., personnel walked around the environment and the transmission antennae as per normal). For each channel characterization a channel impulse response of 4096 time domain samples was obtained and the temporal correlation between these impulse responses was then calculated for both the line-of-sight (LOS) and nonline-of-sight (NLOS) propagation conditions, the latter being achieved by placing an appropriately sized opaque object in the Freznel zone of the LOS path. Figures 1 and 2 show the evolution of the measured time correlations for the LOS and NLOS paths over time. These figures clearly shown a high degree of time correlation occurs in both cases for indoor environments, such as a research laboratory setting, which are innately highly static environments, (i.e., environments in which the majority of physical change involves people walking through the

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

Time Correlation (LOS) 1 0.9

Correlation Coefficient

0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0

100

Fig. 1.

200

300

400

500

600

Time (sec)

700

800

900

1000

Time Correlation Coefficient, LOS propagation.

Time correlation (NLOS) 1

Correlation Coefficient

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2 0

Fig. 2.

100

200

300

400

500

600

Time (sec)

700

800

900

1000

Time Correlation Coefficient, NLOS propagation.

environment relatively sporadically). Hence, if ideal attackers is assumed to exist, (i.e., one that is defined as having access to an oracle by which all past Alice to Bob channel characterization can be obtained perfectly), then this attacker will be able to either: (a) accurately predict the next key that Alice and Bob will generate or (b) when the issue of Alice’s and Bob’s local noise sources is included, only need to search a relatively small space to determine the key. The relatively obvious approach to solve this innate problem is to introduce channel prediction into Alice’s and Bob’s key generation process. More particularly, Alice and Bob are assumed to hold all past channel characterizations and to implement a set of predictors that run across this ensemble to determine how predictable each time based sample of the next channel characterization process will be. If the given sample is highly predictable from past channel measurements, (i.e., the sample arises primarily via the major static reflectors within the environment), then this sample is discarded and not used in the subsequent key generation process. Hence, the key bits are only extracted from the channel impulse response samples that have low predictability. Of course, it would be possible to replace the predictable portions of the channel’s impulse response with the prediction filter’s innovation, (i.e., prediction

error) sequence, but this presumes that the selected filter exists as the optimal prediction filter, whereas if this cannot be assured it can be argued that it is better to just discard predictable samples. Three issues arise with respect to this proposed approach, namely: (a) the exact nature of the prediction filter must be selected, (e.g., linear, non-linear, etc.), (b) the methodology by which the predictability threshold is set must be determined, and (c) it must be shown that the innate requirements of the approach are likely to exist within real-world settings. Sections IV and V will address questions (a) and (c). With respect to question (b) it can be observed that the required threshold can be constructed by calculating the distribution of prediction error variance. If the prediction error variance of the ensemble is larger than a set threshold then that ensemble will be kept for key generation otherwise the ensemble will be discarded. How this can be done is addressed in Section V. Hence, overall the following process can be applied to allow Alice and Bob to employ prediction to improve the temporal security of the key generation process. (i) Alice and Bob retain a history of past impulse response measurements. (ii) Alice and Bob engage in a new channel characterization process as per [8]. (iii) Alice and Bob independently apply the wavelet-based measurement noise estimation process, to be discussed in Section V, to determine the measurement noise SNR and to denoise their received signals. (iv) For each channel characterization, Alice and Bob independently apply an ensemble prediction filter across the store impulse response history to determine which samples from the current impulse response measurement are highly predictable, (i.e., in the sense that the variance of the ensemble prediction error is less than a certain threshold). (v) Alice and Bob independently remove the samples from their current impulse response measurements that have been determined to have high predictability. (vi) Alice and Bob proceed with key generation use the remaining impulse response samples, as per [8]. (vii) Should Alice or Bob have determined that all samples of the impulse response were predictable, then Alice or Bob can initiate a public discussion to either: (a) generate a new impulse response, hopefully that possesses less predictability, or (b) reduced the required threshold to preserve the ability to perform key generation but with a known weakening of the secrecy of the generated key. It should be noted that the key generation process expressly focuses on the portion of the channel characterization that has the highest degree of non-stationarities and, hence, the portion that would expressly not be used for communications. Additionally, Alice and Bob do not necessarily communicate over this portion of the channel, they only perform channel characterization of this portion; instead, the fading portion of the channel exists as the ”signal” of interest.

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

Ensemble Prediction per Impulse Response Sample

k=1

t

Ensemble

k=2

t

k=3

t Fig. 4. ment.

k=2000

Lag-lag plot for a typical LOS channel impulse response measure-

t

Fig. 3. Set of linear least mean square predictors constructed for each impulse response time sample across the available ensemble.

III. P ROPOSED P REDICTION A PPROACH Figure 3 illustrates the proposed channel prediction approach to be enacted independently by Alice and Bob based on the assumption that they retain the history of their past joint channel estimations. More particularly, as per the conducted real-world experiments, it is assumed that Alice and Bob have recorded a long history of channel impulse responses collected periodically. Assume that Alice and Bob have k separate channel impulse responses taken at intervals of m seconds apart and assume that the attacker (or eavesdropper) has perfect information regarding all but the last of these channel impulse responses, (i.e., the attacker has exact information regarding all preceding k−1 measurements but no information about measurement k). Alice and Bob independently apply a set of adaptive linear least square error predictors to the k − 1 ensemble to assess how much information the available impulse response history gives about each time domain sample within the currently measured impulse response. Linear prediction is a relatively easily applied process and, more importantly, adaptive least square error predictors do not require an a prior channel model which by the nature of the process is assumed unknown. More particularly, if a good channel model is a priori known then Alice and Bob cannot use the channel for key generation since the attacker can merely use the channel model itself to greatly reduce the required search space for the generated key. The physics of UWB channels preclude such a channel model from being available for the non-stationary portions of the channel. The lack of a sufficient channel model also precludes the use of predictors such the Kalman or extended

Fig. 5. Lag-lag plot for a typical NLOS channel impulse response measurement.

Kalman filter, (i.e., non-model based prediction innately must be employed). Of course, the use of a linear predictor innately leads to the question, with respect to the security of the approach, as to where the attacker could employ a non-linear predictor and, thereby, gain an advantage over Alice and Bob. To confirm that non-linear prediction is unlikely to be advantageous laglag plots were constructed from the available set of 2000 experimentally collected impulse response traces taken every 500 msec for stationary antennae within a largely static environment. Typical examples of these lag-lag plots for both the LOS and NLOS channels are shown in Figures 4 and 5, where it can be seen that no structure outside of a linear correlation exists; hence, the data can be reasonably assumed not to possess any exploitable non-linear relationships. In particular, the experimental data that has been used can be reasonably considered to be a worst-case scenario since the analysis measurements for the key generation obtained in highly static environment; hence, if non-linear relationships do not exist

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

within this data they are unlikely to exist in other data sets that are innately more advantageous with respect to the key generation process. Finally, before applying the proposed prediction approach Alice and Bob must possess a method by which they can compute the measurement noise associate with the channel impulse response and where this measurement is applicable to non-stationary signals to denoise the received signals. As Alice’s and Bob’s independent measurement noise can be reasonably assumed to arise from standard effects such as thermal noise, etc., then it is reasonable to assume that the Central Limit theorem will apply. Therefore, the well known approach of [11] can be applied to allow the standard deviation of the noise to be reasonably estimated as the standard deviation of the wavelet coefficients of the highest detail level available for in the wavelet decomposition of the measured time domain channel impulse response. More formally, σ ˆ of the assumed N (0, σ) measurement noise process can be estimated as, N

σ ˆ=

2 

N 2

1 [cj,k − c¯j ]2 , − 1 k=1

(1)

where cj denotes the wavelet coefficients of the highest detail level of which there will be N/2 such coefficients is the time domain signal possesses N samples, and where c¯j denotes the statistical mean of the wavelet coefficients at this jth detail level. After calculating the noise power level, wavelet denoising can then be applied.

Assume that the hN j is a zero mean Gaussian random variable with variance σh2 . Additionally, assume that all measurement noises na , nb and ne are zero mean Gaussian with σ02 variance. Further, ideally we can assume that eN j is zero mean Gaussian with σe2j variance, (i.e., assume that the predictors are optimum so the output innovation sequence will be white Gaussian). In [13], the mutual information between two mutually Gaussian random variables X and Y is given by   1 1 log2 , (2) I(X; Y ) = 2 1 − ρ2xy ) where ρxy = E(XY σX σY . To prove that the lower bound is strictly greater than zero, where (X, Y ), (X, Z), and (Y, Z) are mutually Gaussian joint random variables, we need to show that3

ρxy

IV. S IMULATION R ESULTS The method is validated on the real measurements obtained from an experimental setup using the parameters shown in Table I. More details on the measurement test scenarios are provided in [8], [14]. no. 1 2 3

parameter sample rate, fs modulator carrier frequency, fc signal generator power

is the eavesdropper in the environment.

value / type 40 Gs/sec 4 GHz 10 dBm

TABLE I SECRET KEY GENERATION ALGORITHM ’ S PARAMETERS .

The first step in the proposed algorithm is the wavelet denoising. In our test, we have obtained 2000 channel characterizations each of 4096 = 212 samples. Denoising is then performed according to [11]. The predictors are linear adaptive least square predictors of order 20. To determine the threshold for removing the samples, across each ensemble e¯2j , the average of the error pattern power, is calculated. The histogram of e¯2j illustrates that the prediction error power has the exponential distribution. Then the threshold is set to     2  1 4096 e¯2 , (4) T =  4096 j=1 j

N −1 which is the root mean square of e¯2j = N 1−1 k=1 e2kj . Therefore, only time samples from ensembles which have e¯2j ≥ T will be kept and used for key generation4 .

X and Y are statistically identical then I(X; Z) = I(Y ; Z). and Bob can of course chose to employ either a stronger or weaker threshold depending on their assumption regrading what Eve knows. 3 If

4 Alice

2 Eve

(3)

It can easily be shown that the inequality in Eq.(3) holds when the prediction error is nonzero. Consequently, information theoretic analysis validates that a secret key rate can be generated that provably Eve cannot know.

A. Information theoretic analysis of the method The question to be answered with respect to the proposed method is whether the secret key rate remains positive, (i.e., do non-predictable key bits exist). To answer this question, we will calculate the lower bound on the secret key rate and show that this lower bound is strictly greater than zero. The secret key rate lower bound is given in [12] as min [I(X; Y ) − I(X; Z), I(X; Y ) − I(Y ; Z)] where X, Y , and Z are the random variables indicate the observations of Alice, Bob, and Eve2 , respectively. Assume that Alice, A, and Bob, B, measure the channel characterization N times and for each channel characterization there are M time domain samples. Define matrix H as the composite of the channel characterizations where the jth element of ith row of H, hij , denotes the amplitude of the channel sample j from the ith ensemble record. If after wavelet denoising, the remained measurement noise contaminated the channel characterization at A, B, and E sides are denoted as na , nb , and ne , respectively, then observations of the N th ensemble’s jth sample of channel characterization will be X = hN j + na for Alice, Y = hN j + nb for Bob, and ˆ N j = hN j + eN j is Eve’s ˆ N j + ne for Eve, where h Z = h prediction of the N th ensemble’s jth sample obtained from Eve’s presumed prefect knowledge of the prior N − 1 channel characterization events and eN j is the prediction error.

> ρxz .

978-1-4244-5637-6/10/$26.00 ©2010 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE Globecom 2010 proceedings.

The simulation results for LOS channel shows that after applying the algorithm the N th channel characterization the number of samples available for key generation is reduced from 4096 samples to 405 samples, (i.e., 90% of the measurement samples are highly predictable by the assumed ideal Eve). For NLOS channel the number of samples reduces from 4096 samples to 275 samples; hence, for NLOS and the idealize Eve 93.3% of the samples are highly predictable. This somewhat counter intuitive result arises due to the improved wavelet denoising that is available for the NLOS channel which results due to all of the received signal noise power coming from reflections in environment, whereas for LOS a significant portion of the received signal power follows the LOS path and, hence, is not contaminated by such environmental noise. Hence, the above prediction process for the NLOS path provides better results as the NLOS path has more noise and, hence, better noise estimation is possible via the wavelet approach. V. C ONCLUSION Within this work a methodology based an linear adaptive least square error prediction has been developed to ensure that predictable portions of UWB channel characterizations are not used as the basis for key generation processes. Further, based on actual UWB channel measurements, it was shown that without applying such approaches 90+% of the next channel characterization measurements are highly predictable if a rich past history of channel measurements is assumed and the physical environment is highly static. Hence, if the proposed approach is not applied highly predictable keys would result. As the developed technique provides a mechanism by which Alice and Bob can independently arrive at the number of channel characterization samples available for key generation, (i.e., unpredictable by Eve), the developed methodology can also be used by Alice and Bob as a decision mechanism whereby they can choose to only generate new secret keys when channel measurements indicate that sufficient degrees of non-stationarity have occurred, (i.e., a fail safe mechanism is provided). It should be clearly noted that the provided analysis assumed a worst-case key generation scenario in which: (a) the physical environment was highly static, (b) Alice and Bob were absolutely stationary, and (c) Eve had full and perfect knowledge of all past channel characterization events. Even in this extreme case, its was shown that UWB based key generation remains feasible.

[4] R. Wilson, D. Tse, and R. Scholtz, “Channel identification: Secret sharing using reciprocity in ultrawideband channels,” Information Forensics and Security, IEEE Transactions on, vol. 2, no. 3, pp. 364–375, Sept. 2007. [5] M. Bloch, J. Barros, M. Rodrigues, and S. McLaughlin, “Wireless information-theoretic security,” Information Theory, IEEE Transactions on, vol. 54, no. 6, pp. 2515–2534, June 2008. [6] N. Patwari, J. Croft, S. Jana, and S. Kasera, “High rate uncorrelated bit extraction for shared secret key generation from channel measurements,” Mobile Computing, IEEE Transactions on: Accepted for future publication, vol. V, no. forthcomming, p. PP, 2009. [7] M. Ghoreishi Madiseh, M. McGuire, S. Neville, L. Cai, and M. Horie, “Secret key generation and agreement in uwb communication channels,” Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE, pp. 1–5, 30 2008-Dec. 4 2008. [8] M. Ghoreishi Madiseh, S. He, M. McGuire, S. Neville, and S. Dong, “Verification of secret key generation from uwb channel observations,” International Conference on Communications, 2009. IEEE ICC 2009. IEEE, pp. 1–5, June 2009. [9] Microsoft Inc. (2001, March) Verisign digital certificates spoofing hazard. Windows Security Update. [Online]. Available: http://www.microsoft.com/downloads/details.aspx?displaylang= en\&FamilyID=43fd979a-03c1-4008-b38d-70e9bcd67454 [10] A. J. Menezes, P. C. V. Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1997. [11] D. Donoho and I. M. Johnstone, “Adapting to unknown smoothness via wavelet shrinkage,” Journal of the American Statistical Association, vol. 90, pp. 1200–1224, 1995. [12] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Transactions on Information Theory, vol. 39, no. 3, pp. 733–742, May 1993. [13] R. G. Gallager, Information Theory and Reliable Communication. John Wiley & Sons, 1968. [14] M. Ghoreishi Madiseh, S. He, M. McGuire, W. Neville, and X. Dong, “Statistical analysis of uwb channel measurements,” Dep. of Elec. & Comp. Eng., University of Victoria, Tech. Rep., Aug 2008, available online: http://www.ece.uvic.ca/∼masoudg/upload/report.pdf.

R EFERENCES [1] A. Hassan, W. Stark, J. Hershey, and S. Chennakeshu, “Cryptographic key agreement for mobile radio,” Digital Signal Processing, Academic Press, vol. 6, pp. 207–212, 1996. [2] T. Aono, K. Higuchi, T. Ohira, B. Komiyama, and H. Sasaoka, “Wireless secret key generation exploiting reactance-domain scalar response of multipath fading channels,” Antennas and Propagation, IEEE Transactions on, vol. 53, no. 11, pp. 3776–3784, Nov. 2005. [3] C. Ye, A. Reznik, G. Sternberg, and Y. Shah, “On the secrecy capabilities of itu channels,” in Vehicular Technology Conference, 2007. VTC-2007 Fall. 2007 IEEE 66th, 30 2007-Oct. 3 2007, pp. 2030–2034.

978-1-4244-5637-6/10/$26.00 ©2010 IEEE