# Channel Parameters

Since channel measurement mechanisms are virtually always implemented in wireless communication interfaces, PLS primitives are applicable and enable novel security approaches. For example, channel profiles/parameters measured by two bidirectionally communicating parties are an attractive source of joint entropy. Channel profiles provide access to the random source that originates from unpredictable characteristics of the channel. Therefore, they are the most essential part of CRKE. Next, we review CSI, RSSI, LQI, and others.

Virtually all wireless interfaces provide RSSI values, including systems modulated by Direct Sequence Spread Spectrum (DSSS) or Frequency Hopping Spread Spectrum (FHSS). The RSSI is currently widely used for key extraction, especially in practice-oriented research and implementations. The average power level of a received signal that is identified as a packet (or part of a packet) is referred to as Received Signal Strength (RSS), and the RSSI is an indicator of the RSS. A clear definition of the indication is often not given, which excludes the corresponding hardware from serious security applications. The instantaneous power of the received signal is usually not reported by the wireless interface. Usually, one RSSI value can be obtained from each received packet.

In IEEE 802.15.4, a so-called LQI is used instead of RSSI to characterize the strength and/or quality of a received packet. The standard defines two approaches to determine the LQI value. The first is called Energy Detection (ED). It measures the received signal power for a time of 8 symbol periods (equivalent to 32µs) within the selected channel. The measured value is an 8 bit integer that is mapped linearly between the receiver sensitivity specification. The second approach considers an SNR estimation and can be used instead of or in combination with the first one.

In IEEE 802.11, RSSI was intended to be used as a relative value within the chipset. The standard does not define any particular accuracy or precision. It also does not have to be associated with any particular mW scale. Because of this imprecise definition, RSSIs reported by an IEEE 802.11 chip may probably not be consistent between two vendors. The conversion from RSSI to mW has been described for the vendors Atheros, Symbol, and Cisco. It is further demonstrated that the corresponding minimum, maximum, and step size mW-values differ between vendors.

The IEEE 802.11 standard defines a second parameter, the Signal Quality (SQ). It refers to the PN code correlation strength, which is a measure of the correlation between the received DSSS signal and an original DSSS signal. Therefore, SQ can be used as a metric of the amount of corruption in the environment between both communicating parties. Of course, the SQ is only provided for sub-standards where DSSS is applied, e.g., 802.22b.

Many RSSI-based key extraction systems were introduced in the past. Most are based on IEEE 802.11 systems or IEEE 802.15.4 [1] systems. Other variants are based on frequency hopping [2]. Jana et al. [3] reported vulnerability of RSSI-based approaches to predictable channel attacks. The drawback of RSSI is that it fails to capture the multipath effects. Mathur et al. [4] and Jana et al. [5] included brief thoughts on potential attacks in their proposals. Simple countermeasures against spoofing attacks by active adversaries were introduced by Mathur et al. [6] and Ye et al. [7]. There has also been some work that deals with temporal correlation of samples, such as principal component analysis [8], beamforming [9] or linear prediction [10].

## Channel State Information (CSI)

Breakthrough techniques resort to finer-grained wireless channel measurements than RSSI. Using the channel response, the PHY layer is able to discriminate multipath characteristics, and thus holds the potential for better equalization of the receiver and transmitter filters. This more fine-grained channel parameter is called CSI. In IEEE 802.11 a/g/n it is defined as reflecting the channel response. In a conceptual sense, Yang et al. said: "[The] channel response is to RSSI what a rainbow (color spectrum) is to a sunbeam, where components of different wavelengths are separated." [11]. CSI mainly refers to the CIR and the Channel Transfer Function (CTF). Both have attracted many research efforts, and some pioneering works have demonstrated a high performance increase for CRKE [12]. Furthermore, CSI-based key extraction has been experimentally proved to be immune to predictable channel attacks [13].

## Channel Impulse Response (CIR)

The wireless propagation channel modeled as a temporal linear filter is known as the CIR. The CIR $\displaystyle h(\tau,t)$ can fully characterize the individual paths (including the sum of all multipath components according to the tapped-delay-line model) and can be given as

$\displaystyle h(\tau,t) = \sum_{n=1}^{N(t)}\alpha_n(t)e^{-j\phi_n(t)}\delta(\tau - \tau_n(t))$

Calculation 2.11

and

$\displaystyle \phi_n(t) = 2\pi f_c\tau_n(t) - \delta D_n(t) - \delta_0$

Calculation 2.12

where $\displaystyle \alpha_n(t)$ is the amplitude attenuation, $\displaystyle \phi_n(t)$ the phase shift, and $\displaystyle \tau_n(t)$ the time delay of the $n$th tap. $\displaystyle N(t)$ is the total number of paths and $\displaystyle \delta(\cdot)$ the Dirac function. As a complex measure, the CIR is usually interpreted in terms of its amplitude and phase information.

Several schemes for key extraction were introduced using information of the phase shift $\displaystyle \phi_n(t)$ [14]. The proposed schemes differ in their usage of wideband systems [15] and narrowband systems [16]. In narrowband systems, the phase is often reduced to a single-dimension parameter. Phase information in UWB settings has not been identified yet. The accumulation of more than one phase information collected in series leads to applications such as group and cooperative key extraction [17]. Except for the work of Mathur et al. [18], no practical system has been reported yet, especially not for wideband-based systems. The reason for this might be the high vulnerability of the phase to noise, carrier frequency offset, asynchronous clocks (or clock shift), and asynchronous clock drifts at the transmitter and receiver.

The second approach for CIR-based key extraction uses the amplitude (of course, a combination of both amplitude and phase is conceivable). Here the research focuses on UWB settings, where the amplitude can be estimated by sending a narrow (approximation of a Dirac function) pulse signal [19]. Such systems are usually based on special hardware setups (far away from practical usage) using network analyzers, waveform generators and oscilloscopes. In narrowband systems, the amplitude of a CIR is often reduced to a single-dimension parameter, which represents the received power [20].

## Channel Transfer Function (CTF)

The CTF is the representation of the CIR in the frequency domain and can be given by its Fourier transform:

$\displaystyle H(f,t) = \int_0^{\tau_{max}}h(\tau,t)e^{-j2\pi f\tau}\,\mathrm{d}\tau$

Here $\displaystyle \tau_{max}$ is the maximum channel delay. Measurements of the channel using Orthogonal Frequency-Division Multiplexing (OFDM) provide a noisy CTF $\displaystyle \hat{H}(f,t)$ , which can be written as:

$\displaystyle \hat H(f,t) = H(f,t) + \hat n(f,t)$

Calculation 2.14

where $\displaystyle \hat n(f,t)$ is the noise effect in the frequency domain. Most CTF-based key extraction systems have been implemented on top of IEEE 802.11 OFDM systems [21]. For practical implementations, it is recommended to use only the amplitude, due to the carrier frequency offset, asynchronous clocks (or clock shift), and asynchronous clock drifts at the transmitter and receiver. Unfortunately, the interfaces of most Wi-Fi chips do not provide (documented) CSI. A current exception is the Intel Wi-Fi Link 5300 [22]. Software-Defined Radios (SDRs) are also able to provide CSI, such as the Universal Software Radio Peripheral (USRP) [23] or the Wireless open-Access Research Platform (WARP) [24].
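The following Python sketch is an added example, not part of the original page. It evaluates the CTF of a tapped-delay-line CIR, forms Alice's and Bob's noisy estimates $\hat H = H + \hat n$, and compares the bit disagreement of amplitude-based and phase-based 1-bit quantisation. The tap values, subcarrier offsets, noise level, median quantiser, and the modelling of unsynchronised clocks as a random common phase rotation per probe are assumptions made for illustration.

```python
import cmath
import math
import random

def ctf(taps, freqs):
    """CTF of a tapped-delay-line CIR: H(f) = sum_n a_n * exp(-j*(phi_n + 2*pi*f*tau_n))."""
    return [sum(a * cmath.exp(-1j * (phi + 2 * math.pi * f * tau))
                for a, phi, tau in taps) for f in freqs]

def measure(H, rng, noise_std):
    """Noisy estimate H_hat = H + n, rotated by this receiver's unknown phase offset."""
    rot = cmath.exp(1j * rng.uniform(0, 2 * math.pi))  # assumed model of unsynchronised clocks
    return [h * rot + complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std)) for h in H]

def quantize(values):
    """1-bit quantiser: each party thresholds at the median of its own samples."""
    median = sorted(values)[len(values) // 2]
    return [1 if v > median else 0 for v in values]

def disagreement(bits_a, bits_b):
    """Fraction of positions where the two parties extracted different bits."""
    return sum(x != y for x, y in zip(bits_a, bits_b)) / len(bits_a)

def compare(rounds=200, noise_std=0.05, seed=7):
    rng = random.Random(seed)
    freqs = [-7.5e6, -2.5e6, 2.5e6, 7.5e6]   # constructed subcarrier offsets in Hz
    alice, bob = [], []
    for _ in range(rounds):
        # Constructed channel per probing round: 6 paths, delays up to 200 ns.
        taps = [(rng.uniform(0.2, 1.0), rng.uniform(0, 2 * math.pi), rng.uniform(0, 200e-9))
                for _ in range(6)]
        H = ctf(taps, freqs)                  # reciprocal: both directions see the same H
        alice += measure(H, rng, noise_std)
        bob += measure(H, rng, noise_std)
    amp = disagreement(quantize([abs(h) for h in alice]), quantize([abs(h) for h in bob]))
    phase = disagreement(quantize([cmath.phase(h) for h in alice]),
                         quantize([cmath.phase(h) for h in bob]))
    return amp, phase

if __name__ == "__main__":
    amp, phase = compare()
    print(f"bit disagreement, amplitude: {amp:.3f}  phase: {phase:.3f}")
```

Under these assumptions the amplitude bits of both parties agree almost everywhere, while the phase bits disagree about half the time, which is the practical reason for the amplitude-only recommendation.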

## References

1. [15, 148, 7, 148, 8, 124, 213, 175, 125, 9]
2. [212]
3. [103]
4. [132]
5. v.s.[103]
6. [132]
7. [222]
8. [35]
9. [129]
10. [137]
11. [220]
12. [126]
13. [123]
14. [110, 170, 174, 173, 131, 205, 206]
15. [110, 170, 174, 173]
16. [131, 205, 206]
17. [205, 206]
18. [131]
19. [215, 127, 128, 81, 82, 80, 93]
20. [131]
21. [204, 123, 218, 236, 238]
22. [78]
23. [64]
24. [207]