Analysis of the Experimental Results for Quantum Key Distribution Cryptography in IEEE 802.11

Networks

Xu Huang Faculty of Information Sciences and

Engineering University of Canberra, ACT 2601,

Australia Xu.Huang@canberra.edu.au

Shirantha Wijesekera Faculty of Information Sciences and

Engineering University of Canberra, ACT 2601,

Australia Shirantha.Wijesekera@canberra.edu.au

Dharmendra Sharma Faculty of Information Sciences and

Engineering University of Canberra, ACT 2601,

Australia Dharmendra.Sharma@canberra.edu.au

Abstract—Wireless technology is rapidly evolving, and is playing an important role in the lives of people throughout the world. Due to the nature of open guide medium of wireless communications, it is possible for an adversary to snoop on confidential communications or modify them to gain access to the wireless networks more easily than with wired networks, which has been drawing great attentions. In this paper, we focus on improving the security of IEEE 802.11 networks through secure key distribution using Quantum Key Distribution (QKD) which offer unconditional security between two communication parties. In our previous research work, we have demonstrated a novel protocol using quantum cryptography for secure key distribution in IEEE 802.11 networks. In our current paper, we analysis the experimental results we obtained in our previous research works, which will be focusing on the reconciliation phase of this protocol.

Keywords- IEEE 802.11, Wireless Security, Quantum Key

Distribution

I. INTRODUCTION Currently wireless networks and their applications are

becoming popular every day, but associated security issues have become a great concern. Out of the many wireless networks, the IEEE 802.11 [1] has significant amount of users globally. The key that used to encrypt data in wireless networks plays a major role in providing secure communication between the users. Hence it is critical that the key to be securely distributed between communicating parties.

It was found that the key exchange can be done securely with the use of QKD [2].The key obtained via QKD is proven to be unconditionally secure [5]. In our previous research work [2, 3, 4, 9], we have presented a novel wireless protocol with the use of QKD to implementation key distribution in 802.11i networks.

In our QKD system, the QKD procedure takes place in two channels, namely, Quantum Channel and Classical Channel. During the quantum channel, series of polarized photons representing the key bits are sent to the receiver with designed QBER (Quantum Bit Error Rate). The classical channel (the

IEEE 802.11 wireless network in this case) is used to recover the final key by removing errors introduced during key transmission. The final key recovery of classical channel comprises of four stages: Sifting, Error Estimation, Reconciliation and Privacy Amplification.

During the sifting phase, Supplicant (STA or client) informs the bases used to Authenticator (Access Point or AP). AP keeps only the bits that are recorded against the correct bases. In the error estimation, they compare random bit mapped from quantum channel to check the error rate of the transmission. If this is over a threshold value, they revert back to quantum channel and start a new photon transmission, proceeds otherwise. In reconciliation phase, they remove all the errors present in the key by applying a chosen reconciliation protocol to obtain an identical key. In privacy amplification, they apply a hash function to eliminate possible information that may have leaked to a third party.

It is noted that out of these four phases, reconciliation phase performs bulk of the processing as it involves identifying and eliminating the erroneous bits of the key. In this paper, we focus only on the reconciliation phase of proposed protocol. The main reason of doing analysis on reconciliation is because it is the phase that most of the processing to recover the final key taking place.

This paper comprises of VII sections. A brief description of the proposed protocol is given in Section II. Section III describes the new method used to implement the reconciliation phase. Section IV describes the simulation model while analysis has been done in section V. Section VI briefly discuss the analysis of overall protocol and we conclude in section VII.

II. PROPOSED QKD BASED IEEE 802.11 In our proposed protocol, the existed 4-way handshake of

IEEE 802.11i has been replaced with the QKD based 4-phase handshake as shown in Fig. 1. EAP key is delivered in the last message of IEEE 802.1X authentication (flow (1) of Fig. 1). At the end of this stage, both parties are in possession of Pairwise Master Key (PMK). At this point, the proposed QKD based

2011 Ninth IEEE/IFIP International Conference on Embedded and Ubiquitous Computing

978-0-7695-4552-3/11 $26.00 © 2011 IEEE

DOI 10.1109/EUC.2011.18

345

2011 Ninth IEEE/IFIP International Conference on Embedded and Ubiquitous Computing

978-0-7695-4552-3/11 $26.00 © 2011 IEEE

DOI 10.1109/EUC.2011.18

338

2011 Ninth IEEE/IFIP International Conference on Embedded and Ubiquitous Computing

978-0-7695-4552-3/11 $26.00 © 2011 IEEE

DOI 10.1109/EUC.2011.18

338

2011 IFIP Ninth International Conference on Embedded and Ubiquitous Computing

978-0-7695-4552-3/11 $26.00 © 2011 IEEE

DOI 10.1109/EUC.2011.18

338

Wi-Fi protocol begins. The communication switches to quantum channel and the photon transmission takes place (flow (2)). Once the quantum transmission finishes, the communication channel switches back to the wireless channel. The final key recovery process begins afterwards by executing the 4 phases of QKD as shown in flows (3) to (6).

Fig. 1. The Proposed 4-Phase Handshake Protocol.

During the first phase (sifting) AP announces the bases it used to interpret the bits and they keep the bits that are recorded against the matching bases. In the error estimation (phase 2), the STA sends a random sample of its key to AP flow as shown in (3). AP then compares these bits with its copy of the key can calculate the error level to estimate the error level of the transmission. In reconciliation phase (flow (5)), they extract the final secured key by implementing a selected reconciliation protocol such as Cascade [6], Winnow [7], parity check [8] etc. At the end of this phase both parties hold identical keys, but may not completely secure. During privacy amplification (flow (6)), they apply a selected hash function to extract the final key which has been proven to be unconditionally secure [5]. We take this key as the Pairwise Transient Key (PTK) of 802.11i standard. For Counter mode with CBC-MAC Protocol (CCMP) PTK is 384 bits. Knowing the PTK, rest of the 802.11i key hierarchy consisting of KCK (Key Confirmation key), KEK (Key Encryption key), TK (Temporal Key) and GTK (Group Temporal Key) can be retrieved. The TK is used to encrypt data for the subsequent wireless communication. The full operation of this QKD based protocol has been described in our previous papers [3], [9].

III. IMPLEMENTATION OF RECONCILIATION PROTOCOL

To implement the 4-phase handshake, existing EAPOL (Extensible Authentication Protocol Over LAN) flows has been

used. Some of the identified EAPOL packet fields have been modified to carry relevant QKD information. These changes only require few field level modifications thus the existing frame structure remains intact. Fig. 2 shows the modified EAPOL-Key frame with QKD specific changes. Modifications have been made to Key Information, Key Nonce and Key Data fields.

Fig. 2. Modified EAPOL-Key Frame to implement QKD.

The Nonce values that used in the existing 4-way handshake protocol are not required in the 4-phase handshake protocol. Hence the Key Nonce field has been replaced with a new field called QKD Phase [3].

There are no specific changes required to Key Data field. As the existing IEEE 802.11 protocol operates, this field is of variable length and carries additional information relevant to current communication flow. With respect to QKD modifications, Key Data field holds data as per each of the QKD Phase.

In this research, the parity check based bisection method [11] has been used as the reconciliation protocol. When compared to other reconciliation protocols such as Cascade, Winnow, the parity check method involves more processing cycles to recover the final key after correcting errors. The reason for using the parity check method is to test the proposed protocol under worst possible conditions.

In the parity check based reconciliation protocol, STA and AP partition their keys into blocks of equal length and compares parity of each of the block. Each time an overall parity check does not agree, STA and AP initiate a binary search by bisecting the respective block to repeat the parity check. This bisective search continues until the erroneous bit is located and deleted. Finally when for some fixed number of consecutive repetitions, if no error is found, they assume that to a very high probability, the remnant key is without any error. By this way the reconciled key is obtained.

To implement this reconciliation process in the EAPOL-Key frames, a novel method has been used as described below. All these changes have been applied to Key Data field of EAPOL-Key frame.

We define a structure to hold the blocks, sub-blocks and parity results that are being compared between STA and AP as below:

346339339339

< Block Number | Sub-Block Level | Sub-Block Partition Number | Parity Check Results >

Where:

Block Number: Partition number of the main block.

Sub-block Level: If the main block parity check failed, that block will be bisect and perform the parity check again. This field specifies the level of bisection of each main block.

Sub-block Partition Number: Whenever a mismatch in parity of block/Sub-block is observed, that particular block/Sub-block is bisected. This field holds the Sub-block partition number of each of the sub blocks.

Parity Check Result: This field holds the results of parity check of respective sub block.

The Key Data frame has been structured to carry these information is the new format as shown in Fig. 3.

To start with, AP and STA partition their raw keys into blocks of equal length. For each of these blocks, they perform the parity check and calculate parity. During the first message containing reconciliation information, the STA constructs the EAPOL frame as per the structure of Fig. 3 for each of the blocks of the key.

Fig. 3. Key Data field values of EAPOL frame during reconciliation phase

of QKD.

TABLE I RECONCILIATION PARITY CHECK EAPOL FRAME DETAILS

Block Number

Sub-block Level

Maximum Number of partitions

Parity Check Results

n 1 1 R1-1

n 2 2 R2-1, R2-2

n 3 4 R3-1, R3-2, R3-3, R3-4

n 4 8 R4-1, R4-2, R4-3, R4-4, R4-5, R4-6, R4-7, R4-8

Where: n : Main block number Rb-x : Parity check result of Sub-Block Level “b”, sub block “x”. When the key is partitioned for the first time, Sub-Block

Level field is set to 1. STA calculates the parity of each of the blocks and populates the Parity Check Result field along with the respective block/Sub-block position in the EAPOL frame. The STA then sends this EAPOL frame to the AP. AP in turn compares the parity results of each block against its copy of the raw key. If a parity mismatch is found, the respective block is bisected and the parity is calculated for the new sub-blocks.

These parity checks are populated in the respective Parity Check Result field. The AP then constructs the respective EAPOL message and sends to the STA. This process continues until there are no more parity mismatches is found. Table 1 shows how each field of this protocol is constructed.

IV. SIMULATION MODEL FOR RECONCILIATION The proposed modifications are focused only to a specific

portion of the overall IEEE 802.11 protocol. Also, there are no Wi-Fi certified devices equipped with quantum transmitters and receivers are available as of now. Due to these reasons, the implementation and analysis of this solution could be better performed using a simulation. Simulink [10] has been chosen as the simulation tool as it offers flexibility to analyse the four stages of QKD comprehensively. This solution has been developed in C++ and used Simulink S-functions to do the simulations. The simulation model has been designed in such a way that each of the four phases of QKD to implement individually. Since the aim of this paper is to analyse the reconciliation phase, only the modifications and simulations relevant to reconciliation are discussed here. The Simulink model for reconciliation at AP side is shown in Fig. 4.

Fig. 4. Simulink Model of Reconciliation Phase for Access Point

Main functionalities of this model are:

- Split the key into blocks

- Calculate the parity of each block

- Construct the EAPOL frame

- When the reply frame is received:

* Compare the parity of each block

* If a mismatch is found, bisect the block and calculate

parity of each sub-block

* Construct the EAPOL frame

- Repeat the process until there are no more errors

- Perform more parity checks to verify that there are no more errors

This model implements the new bisect algorithm developed as part of this research as described in section III. During the

347340340340

first cycle, sfun_blocksplitter splits the key into blocks of equal length. It keeps a record of block sizes, sub-block levels, parities of each block that are required to calculate the block sizes. During subsequent cycles, this function process each sub-block by comparing with the sub-blocks received from STA. The sfun_parity calculates the parities of new sub-block and sfun_construct does the construction of final details that are required to form the EAPOL frame. This information is then passed to the transmitter to be sent to STA.

STA too execute similar processes to verify the parities of blocks and sub-blocks. Simulink model of STA is identical except for minor changes when initiating its first cycle. In addition, it takes its own copy of key bits as the input. The Simulink model of STA is shown in Fig. 5. The Verify Blocks Subsystem checks the overall state of the key string. It decides how accurate the derived key bits are after removing errors through parity checking. It decides how long the parity checking needs to continue and when to stop.

Fig. 5. Simulink Model of Reconciliation Phase for STA.

V. ANALYSIS OF RECONCILIATION Reconciliation is the most critical phase of 4-phase

handshake protocol where STA and AP remove all the errors present in their respective keys to recover the final identical key. Unlike other phases of 4-phase handshake protocol, the number of communication flows involved in the reconciliation phase cannot be known in advance. This is because the number of cycles needed to complete this phase depends on the amount of errors present in the key and also the type of reconciliation protocol being used.

The time taken to complete the reconciliation process in this simulation model depends on several key factors:

- Length of the main key

- Length of the initial block size of the partition

- Number of cycles the parity check will run for

Several scenarios have been attempted to estimate the time taken to complete the reconciliation phase. During this simulation, keys with different levels of error rates and different key lengths have been fed into the Simulink model. As the input, data obtained through parallel QKD project at the University of Canberra has been used [11]-[13]. QBER levels between 4% - 8.1% have been achieved during those

demonstrations. The time taken to complete reconciliation under these input conditions for an initial block size of 8 bits is shown in Table II. The Key Length refers to the key obtained after error estimation, while block size refers to the size of the block that the main key was divided initially. This initial block size gets reduced each time the respective block is bisected.

Fig. 6 shows the line graph plot against these data. The results show that when the error rate is low, the final key can be recovered much quicker. The maximum key length tried in the simulations has the length of 800 bits, which is a good upper limit as it can produce a final key of 480 bits at 40% error rate. This is quite sufficient to obtain the final PTK of length 384 bits for CCMP. It is evident that for larger key lengths with high error rates, more time is taken to complete the reconciliation. This is mainly because under such circumstances the initial key needs to go through several cycles of parity check. For larger key lengths and high error rates, bisect algorithm needs to go through a number of sub levels of bisections in order to locate the bits that are in error. This invariably is more time consuming for the reconciliation process.

TABLE II TIME TAKEN FOR RECONCILIATION FOR BLOCK SIZE = 8

Key Length

Time taken to complete Reconciliation with various error rates (ms)

10% 20% 30% 40% 400 4.1 4.21 4.35 N/A 500 4.34 4.47 4.57 5.09 600 4.51 4.65 4.75 5.23 700 4.71 4.92 5.09 5.46 800 4.9 5.07 5.26 5.77

Fig. 6. Time Key sizes Vs Time for block size = 8. Key length of 400 bits with 40% of error rate is not a valid input as it is not possible to obtain final key of length 384 bits after removing 40% of error.

However it must be noted that modern QKD communications have achieved error rates well below 10% [15]. Even if such situations occur, they will be detected during the error estimation phase. The scenarios over 20% of error rates have been considered just to simulate the worst possible scenarios. The most notable observation is that all lines of Fig. 6 show similar behavior to various error levels and key lengths. The main conclusion is that regardless of the key length, for

348341341341

smaller error rates, the reconciliation phase could be completed well within reasonable time frame.

Further analysis has been carried out to find out how the initial block size could impact on the performance of the reconciliation process. During this analysis, time to complete the reconciliation has been calculated for various error levels for a fixed key length of 500 bits. Fig. 7 shows how initial block sizes interact with the performance of reconciliation.

It could be seen that the smaller the bisect block size, the quicker the completion of the reconciliation process. With initial block sizes of 4, 8 and 16 reconciliation completes within 4ms time frame which is quite acceptable considering the amount of work involved in removing the errors. The main reason to this result is that when the initial block size is smaller, the errors can be located more quickly. Further, if a parity mismatch is found, then the respective block gets bisected and eventually another round of parity verification is added to the overall communication. With a smaller initial block size, the number of sub-blocks required is considerably low. Hence the reconciliation can be completed more quickly. Once the block size exceeds 16, it could be seen that the amount of time required for reconciliation increases significantly. The main reason for this observation is that the number of cycles needed to process the full key length is considerably large. Larger block length will subsequently bisect into more and more sub-blocks hence parity check requires more time to complete.

Similar analysis has been done to estimate the time to complete reconciliation for different key lengths and block sizes by keeping the error rate constant at 30%. Fig. 8 shows the simulation analysis for these input conditions. Yet again it could be seen that for smaller block sizes, regardless of key length, reconciliation shows much improved performances. For initial block sizes 4, 8, 16, 24, 32 and 64 the performances show similar behaviour. However for block length of 128 bits, the time consumption becomes significantly larger.

This outcome once again confirms the previous evidence that for smaller key lengths and smaller initial block sizes, the performance of reconciliation shows better results. However, much smaller initial block sizes are not advisable since the parity results are publicly revealed via classical channel. If the blocks are small, the parity results revealed could lead any third

party to guess the bits of the blocks [14]. Hence it could be concluded that block sizes between 8 to 16 shows much improved results for the reconciliation phase of the 4-phase handshake protocol. Initial block length of 24 bits is also acceptable as it is in the marginal levels with respect to the time taken for completion.

Fig. 8. Time to complete Reconciliation for Error Rate of 30%.

It could be seen that the smaller the bisect block size, the quicker the completion of the reconciliation process. With initial block sizes of 4, 8 and 16 reconciliation completes within 4ms time frame which is quite acceptable considering the amount of work involved in removing the errors. The main reason to this result is that when the initial block size is smaller, the errors can be located more quickly. Further, if a parity mismatch is found, then the respective block gets bisected and eventually another round of parity verification is added to the overall communication. With a smaller initial block size, the number of sub-blocks required is considerably low. Hence the reconciliation can be completed more quickly. Once the block size exceeds 16, it could be seen that the amount of time required for reconciliation increases significantly. The main reason for this observation is that the number of cycles needed to process the full key length is considerably large. Larger block length will subsequently bisect into more and more sub-blocks hence parity check requires more time to complete.

Similar analysis has been done to estimate the time to complete reconciliation for different key lengths and block sizes by keeping the error rate constant at 30%. Fig. 9 shows the simulation analysis for these input conditions. Yet again it could be seen that for smaller block sizes, regardless of key length, reconciliation shows much improved performances. For initial block sizes 4, 8, 16, 24, 32 and 64 the performances show similar behavior. However for block length of 128 bits, the time consumption becomes significantly larger.

This outcome once again confirms the previous evidence that for smaller key lengths and smaller initial block sizes, the performance of reconciliation shows better results. If the blocks are small, the parity results revealed could lead any third party to guess the bits of the blocks [14]. Hence it could be concluded that block sizes between 8 to 16 shows much improved results for the reconciliation phase of the 4-phase handshake protocol. Initial block length of 24 bits is also acceptable as it is in the marginal levels with respect to the

Fig. 7. Time to complete Reconciliation for Key Length = 500 bits.

349342342342

time taken for completion.

VI. OVERALL ANALYSIS OF THE PROTOCOL In this section briefly discusses the results obtained for

overall 4-phase handshake protocol. Table III shows total time taken for the whole 4-phase handshake at different key lengths for error rate of 20% and initial block sizes of 16 bits. It could be seen that the time taken for reconciliation dominates the total time for the overall 4-phase handshake. The variations of chosen reconciliation protocol are the length of the key, initial block size of the partition and error rate.

Under all above conditions, the 4-phase handshake protocol gets completed well below 10ms. Further results show that in worst circumstances, time for varied key lengths with 30% of error rate is about 9.89ms. Test logs captured by protocol analyser show that 4-way handshake takes about 7.1ms on average. Thus the proposed 4-phase handshake protocol is not far from the performance point of view.

The 802.11 standard requires the encryption key to be refreshed at pre-defined regular intervals to avoid any possible security attacks [16]. Thus the key hierarchy established via 4-way handshake in the existing 802.11 protocol takes additional time for these key refreshes that depends on the nature of the connection. However, for the proposed QKD based Wi-Fi protocol, such key refreshes is not required as the key obtained provides unconditional security. Even under error rates of 20%, the results show the overall 4-phase handshake completes within reasonable time limits. Ideally, today’s quantum transmissions achieve error rates well under 10%.

Hence it can be concluded that the proposed solution is efficient enough to be incorporated in the IEEE 802.11

standard. In addition, the final key obtained via QKD is proven to be unconditionally secure. This drastically improves the security of the overall communication to the highest level. We have explored the multi agent based approached for the same protocol as a future modification [4].

VII. CONCLUSION The nature of modifications proposed in this research work

focused on the process where the key is being distributed. The 4-way handshake protocol of the existing IEEE 802.11 has been replaced with the QKD based 4-phase handshake

protocol. Only the key distribution portion is modified while rest of the overall IEEE 802.11 protocol remains unchanged. The aim is to see the behavior of the modified key distribution process under various input conditions.

The implementation has been tested against various input combinations which are based on the data obtained from the quantum channel. Hence it can be concluded that the proposed solution is efficient enough to be incorporated in the IEEE 802.11 standard. In addition, the final key obtained via QKD is proven to be unconditionally secure. This drastically improves the security of the overall communication to the highest level. We have explored the multi agent based approached for the same protocol as a future modification [4].

REFERENCES [1] IEEE Std 802.11, IEEE Standard for Information Technology –

Specific requirements. Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements, 2007.

[2] Shirantha Wijesekera, Xu Huang, and Dharmendra Sharma, A Novel Protocol using Quantum Cryptography for Secure Communication in 802.11 Networks, IEEE International Symposium on a World of Wireless Mobile and Multimedia Networks, Kos, Greece, June 2009.

[3] Shirantha Wijesekera, Xu Huang and Dharmendra Sharma, Quantum Cryptography Based Key Distribution in Wi-Fi Networks - Protocol Modifications in IEEE 802.11, 5th International Conf. on Software and Data Technologies (ICSOFT 2010), Athens, Greece, July 2010.

[4] Shirantha Wijesekera, Xu Huang, Dharmendra Sharma, Utilization of Agents for Key Distribution in IEEE 802.11, The 2nd International Symposium on Intelligent Decision Technologies, IDT-2010, Baltimore, USA, ISBN 978-3-642-14615, Pages 435-443, July 2010.

[5] Bennett, C. H. and Brassard, G., Quantum cryptography: Public-key distribution and coin tossing, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175 – 179.

[6] A Quick Glance at Quantum Cryptography, Samual J. Lomonaco, 1998. [7] Gilles Brassard, Louis Salvail, Secret-Key Reconciliation by Public

Discussion, SBN 978-3-540-57600-6, 1994. [8] W. T. Buttler, S. K. Lamoreaux, J. R. Torgerson, G. H. Nickel, C. H.

Donahue, and C. G. Peterson, Fast, Efficient error reconciliation for quantum cryptography,2003.

[9] X. Huang, S. Wijesekera, and D.Sharma, “Quantum Cryptography for Wireless Network Communications,” IEEE International Symposium on Wireless and Pervasive Computing, 11-13th February 2009, Melbourne, Australia, ISBN: 978-1-4244-2966-0, Security pp.1-pp5.

[10] Matlab Simulink ,http://www.mathworks.com/products/simulink/. [11] The University of Canberra – Telstra Tower Quantum Crypto – Key

Telecommunications Link, P. J Edwards, Advanced Telecommunications and Quantum Electronics Research Centre University of Canberra, 2002.

[12] P.J. Edwards, Telstra Tower / University of Canberra Quantum Cryptographic Telecommunications Link, WARS02, February 2002.

[13] G. Ganeshkumar, P. J. Edwards, W. N. Cheung, L.O. Barbopoulos, H. Pham, J.C. Hazel, The University of Canberra Quantum Key Distribution Test-bed, 12th Australian Optical Society Conf., p.34, University of Sydney, 1999.

[14] Norbert Lu¨tkenhaus, Estimates for practical quantum cryptography, Phy. Review A, Volume 59, number 5, S1050-2947~99105305-6, 1999.

[15] M. Jofre, A. Gardelein, G. Anzolin, G. Molina-Terriza, J..P. Torres, M.W. Mitchell and V. Pruneri, 100 MHz amplitude and polarization modulated optical source for free-space quantum key distribution at 850 nm, 2010.

[16] Matthew Gast, 802.11 wireless networks: the definitive guide, ISBN-13-978-0-596-10052-0, p 147, p 164, O'Reilly Publications, 2005.

TABLE III TOTAL TIME FOR OVERAL4-PHASE HANDSHAKE PROTOCOL

(ERROR RATE = 20%, INITIAL BLOCK SIZE =16 BITS)

Key Length

Time (ms)

Sifting Error Estimation Reconciliation

Privacy Amplificatio

n Total

400 0.81 0.72 4.43 0.83 6.79 500 0.98 0.79 4.63 0.91 7.31 600 1.05 0.83 5.03 1.01 7.92 700 1.17 0.90 5.38 1.08 8.53 800 1.25 1.02 5.98 1.20 9.45

350343343343