Various exemplary embodiments disclosed herein relate generally to multi-pulse communication using spreading sequences.
In Direct Sequence Spread Spectrum (DSSS) and Ultra-wideband (UWB) communication, an information bit may be encoded through antipodal signaling into a sequence of pulses. In situations where the transmitted signal is observed at a very high Signal to Noise Ratio (SNR) by an attacker, the first pulse of the multi-pulse sequence may give away the polarity of the modulated spreading sequence. The attacker may then reproduce and transmit the remainder of this spreading codeword with a negative delay, except for some initial part that may be neglected in the bit detection operation of the receiver.
A brief summary of various exemplary embodiments is presented. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the various exemplary embodiments, but not to limit the scope of the invention. Detailed descriptions of a preferred exemplary embodiment adequate to allow those of ordinary skill in the art to make and use the inventive concepts will follow in later sections.
Various embodiments relate to a method of communicating by a transmitter. The method may include: creating information to be used by a receiver to define a spreading sequence for a subsequent packet; coding the information into a current communications packet; and transmitting the current communications packet.
In some embodiments the spreading sequence that may be used for the reception of a next radio packet is contained in an encrypted part of the current communications packet.
In some embodiments the spreading sequence is communicated between transmitter and receiver through a cryptographic channel and varied per radio packet.
Some embodiments further include transmitting two spreading sequences with the current communications packet.
In some embodiments the spreading sequence is computed by the receiver in dependence on information shared through a cryptographic channel with the transmitter.
Some embodiments further include storing the same table of allowed spreading sequences at the transmitter and the receiver.
Some embodiments may further include transmitting information through a cryptographic channel to be used by a receiver, wherein the receiver uses the transmitted information as an index in a lookup table to determine a spreading codeword.
Some embodiments may further include using a secret key at the receiver to derive the spreading sequence, where the secret key is one that is shared with the transmitter.
Some embodiments may further include deriving the spreading sequence in dependence on secret key information shared between the transmitter and a receiver, as well as a counter.
Various embodiments relate to a method of communicating by a receiver, the method including receiving a current communications packet; decoding information, created by a transmitter, in the current communications packet; identifying in the information a definition of a spreading sequence for a subsequent packet.
Some embodiments include the spreading sequence to be used for a next radio packet being contained in an encrypted part of the current communications packet.
Some embodiments may further include the spreading sequence being communicated between transmitter and receiver through a cryptographic channel and varied per radio packet.
Some embodiments may further include receiving two spreading sequences with the current communications packet.
Some embodiments may further include the spreading sequence being computed by the receiver in dependence on information shared through a cryptographic channel with the transmitter.
Some embodiments may further include storing the same table of allowed spreading sequences at the transmitter and the receiver.
Some embodiments may further include receiving information through a cryptographic channel transmitted by the transmitter, wherein the receiver uses the transmitted information as an index in a lookup table to determine a spreading codeword.
Some embodiments may further include using a secret key at the receiver to derive the spreading sequence, where the secret key is one that is shared with the transmitter.
Some embodiments may further include deriving the spreading sequence in dependence on secret key information shared between the transmitter and a receiver, as well as a counter.
In order to better understand various exemplary embodiments, reference is made to the accompanying drawings, wherein:
In some embodiments described herein, a spreading sequence may be randomly chosen out of a set of acceptable spreading sequences in dependence on secret information that may be shared between the legitimate transmitter and receiver. This may complicate the task for an attacker to predict the remainder of a multi-pulse sequence from the polarity of its first pulse(s).
Referring now to the drawings, in which like numerals refer to like components or steps, there are disclosed broad aspects of various exemplary embodiments.
Embodiments include combined ranging and communication systems that convey a message or information bit through a sequence of pulses that all convey the same message bit. Examples of such communication systems include DSSS systems. Sequences of back-to-back pulses may also be used in the payload part of the radio packets in the IEEE 802.15.4a UWB standard. In this standard, the polarity of subsequent pulses is scrambled through a spreading sequence.
Embodiments of the present invention may be directed to secure communication and ranging. An eavesdropper may be listening in on the communication between a transmitter and a receiver that both employ multi-pulse based communication. From
For a non-trivial spreading sequence, which for example is specified by a communication standard, the polarity of the first pulse gives away the shape of the remaining multi-pulse sequence.
When a pseudo-random spreading sequence may be known to an eavesdropper, the polarity of the multi-pulse sequence follows from the polarity of the first pulse, provided this first chip is received at high signal-to-noise ratio. This may allow the attacker to retransmit an amplified version of the large remaining part of the multi-pulse sequence with a negative delay.
In case of automotive Passive Keyless Entry (PKE), when the secure ranging system measures a smaller distance between the car and the car key due to attacker activity, the doors of the car may be unlocked and the car may be stolen. With such a possible reward, the attacker may be willing to spend what it takes to attack such a system. Also in secure payment systems that employ a secure ranging subsystem to block financial transactions when the distance between an NFC equipped smart card and an NFC reader exceeds a specified distance, the blocking of transactions may be avoided by shortening the measured distance through a negative delay. The possibility that an attacker observes the signal at a higher SNR than the legitimate user undermines the security of the application.
In many applications one may speak of short range detection rather than range measurement as the ranging system may only need to answer the question whether or not the distance between the transmitter and receiver is larger or smaller than a given threshold, for example 2 meters. The secure ranging system may then have a binary outcome instead of a pseudo analogue distance value.
Embodiments may vary the spreading sequence that is used for the communication during a communication, where the choice of spreading sequence is shared between a transmitter and a receiver through a secure means which may not be eavesdropped. In that case, an attacker needs to estimate the first pulse(s) of a portion of the communication with high reliability, but in addition needs to guess the spreading sequence, in order to predict the remainder of the spreading codeword. This may complicate the task of the attacker, and limits their chance of successfully forging the range measurement through the emission of information sent by the legitimate transmitter at a negative delay.
When radio packets in embodiment 700 consist of a relatively large number of spreading codewords, an attacker may gradually learn the spreading codeword during the reception of a radio packet. In that case, the security of the ranging operation may be enhanced, for example, by the use of a first spreading sequence for the first half of the subsequent radio packet, and a second spreading sequence for the second half of the subsequent radio packet. More generally, the radio packet may use at least one, two, three spreading sequences, etc. These spreading sequences may apply to parts of a radio packet that are equal in length. Alternatively, the spreading sequence may be changed more often in parts of the radio packet that are more vital to protect against attack by an eavesdropper who wants to manipulate the range measurement, such as the challenge and response fields in case of mutual authentication schemes, or encrypted fields of the radio packet.
As a special case, two transceivers may communicate with each other and make the frequency of changing the spreading sequence adaptive to estimates of the local signal to noise ratio, preliminary detection of attacker scenarios, or the distance between the transceivers.
In case multiple spreading sequences are transmitted per radio packet, it may be advantageous to limit the length of such spreading sequences. As a special case, one may also consider the use of spreading codes of different lengths. For instance, longer spreading sequences may be used to communicate parts of a radio packet that have higher importance for the application at hand with greater reliability in the presence of channel noise. Embodiment 800 illustrates the use of 2 spreading sequences conveyed through radio packet k, these sequences being of different length during the reception of radio packet k+1.
As a further special case, one may increase the delay between the reception of a spreading sequence and its use for the reception of a subsequent radio packet. For instance, the spreading sequence conveyed by means of radio packet k to the receiver, may be used for the reception of radio packet k+2, and so on.
Furthermore, in case of bidirectional communication, not only may the transmitter choose the spreading sequence used in the communication, but in case of 2 transceivers that both have a transmitting and a receiving end, the spreading sequences in both directions may be chosen by the same transceiver. For instance, one receiver may have more computational, data storage, or energy storage capacity to power the necessary electronics, and the means to choose and provide the spreading sequences may be provided by one of the two transceivers at a lower cost when compared with the other transceiver. Alternatively, a receiver may request the use of a particular spreading sequence in an upcoming radio packet through its uplink to the transmitter, for example, in the case of a low battery level.
In another embodiment, when the radio packets comprise relatively few message bits, and, hence, short spreading codewords are used, a small number of successive radio packets may share the use of a same spreading sequence. Such sharing may limit the overhead cost involved in the use of a time-varying spreading sequence. Relevant costs may include computational cost, integrated circuit area, or power consumption or communication time.
In embodiment 900, the spreading sequence may be computed by transmitter and receiver in dependence on information shared through a cryptographic channel. The spreading sequence itself may not need to be transmitted in full, but some input information into the computation of the spreading sequence at the receiver may suffice, for example, a seed for a random number generator. In some embodiments a pseudo-random number generator may be used. Linear feedback shift registers (LFSR) or linear congruential generators may be utilized to accomplish this, for example. Similarly, Mersenne twister, xorshift generators, stream ciphers, and block ciphers may also be used, for example. In that case, the transmitter may carry out the same computation as the receiver, or its inverse, in order to check which spreading input corresponds with which spreading sequence. The computation unit typically also implements data storage means to realize its function, and may use previous processing results as additional inputs into the computation.
A benefit of embodiment 900 over embodiment 700 may be that the transmission of the spreading input as part of the encrypted part of previous messages may be more compact than the transmission of a full spreading sequence itself. This may save airtime and power for communication. It is also possible that a single spreading input may be used to provide a spreading sequence that extends over a number of packets.
A spreading sequence may be chosen from a table by the transmitter and receiver in dependence on information shared through a cryptographic channel. Further, the computation unit may be replaced by a table lookup unit. Such a scheme may allow a transmitter and receiver to agree on a set of allowed spreading sequences that, for example, have favorable spectral properties. In embodiment 1000, what is called “spreading input” in embodiment 900 may become an index in a lookup table that is stored at both transmitter and receiver. In this way it is guaranteed that the only sequences that may occur on the radio channel are allowed spreading sequences, or sequences that suit particular use cases out of multiple use cases addressed by the transceiver pair.
In further embodiments, the table of allowed spreading sequences may be stored in a compressed form. This way, the amount of read only or random access memory that needs to be implemented for making the ranging system more secure may be limited.
An amount of secure data storage may be available at both transmitter and receiver, and a common secret key may be programmed into this storage after the manufacturing of the transmitter and receiver apparatus. In that case, this common secret information may be used to aid in the creation of a common, shared sequence of spreading sequences, such as in embodiment 1100. In that case, the need to communicate the inputs to the computation of the spreading sequences by means of a cryptographically secured part of the existing communication channel may be relaxed, and these inputs may be transmitted in the clear.
Inputs to the computations of the spreading sequences may be transmitted by means of some other bidirectional communication channel than the UWB communication channel that is present between the transmitter and the receiver. This may decrease the likelihood that an attacker may be able to produce a suitable eavesdropping apparatus. In another embodiment, this input information may be derived from a broadcast channel that is commonly available at the transmitter and receiver in a near time synchronous fashion. GPS location, sound pressure level, or light intensity may be relevant at this point.
A spreading sequence may be derived in dependence on secret key information shared between transmitter and receiver, and a counter. A particular choice of counter information for deriving a time-varying spreading sequence from common secret key information stored in secure data storage and information available in the clear is the radio packet index or one of the other communication data structure indexes. The spreading codeword, or the choice of the spreading codeword from a set of allowed spreading codewords, is then derived from this secret key information and that index.
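The following is an added illustration, not part of the original disclosure, of deriving a per-packet spreading sequence from a shared secret key and the radio packet index, and of using the same derivation to pick an index into a table of allowed codewords stored at both ends. The use of HMAC-SHA256 as the keyed function, the function names, the bit-to-polarity mapping, the demo key, and the table contents are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed table of allowed codewords (+1/-1 chips); illustrative values,
# stored identically at transmitter and receiver.
ALLOWED_CODEWORDS = [
    [+1, +1, +1, -1, -1, +1, -1, +1],
    [-1, +1, -1, -1, +1, +1, +1, -1],
    [+1, -1, -1, +1, -1, -1, +1, +1],
    [-1, -1, +1, +1, +1, -1, -1, +1],
]

def _prf(key, label, packet_index):
    """Keyed function over (label, counter); HMAC-SHA256 is an assumption."""
    msg = label + packet_index.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_chips(key, packet_index, length=64):
    """Derive a +1/-1 spreading sequence for one packet (at most 256 chips)."""
    if not 0 < length <= 256:
        raise ValueError("one HMAC-SHA256 output yields at most 256 chips")
    digest = _prf(key, b"chips", packet_index)
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(length)]
    return [1 if b else -1 for b in bits]

def derive_table_index(key, packet_index):
    """Select an entry of the shared table instead of deriving raw chips."""
    digest = _prf(key, b"index", packet_index)
    # The table size is a power of two, so the reduction has no modulo bias.
    return int.from_bytes(digest[:4], "big") % len(ALLOWED_CODEWORDS)

def spread(bits, chips):
    """Antipodal signaling: bit 1 sends the codeword, bit 0 its negation."""
    out = []
    for b in bits:
        polarity = 1 if b else -1
        out.extend(polarity * c for c in chips)
    return out

def correlate(samples, chips):
    """Correlate each codeword-length block of samples against the chips."""
    n = len(chips)
    return [sum(s * c for s, c in zip(samples[i:i + n], chips))
            for i in range(0, len(samples), n)]

def despread(samples, chips):
    """Recover message bits from the sign of each block correlation."""
    return [1 if corr > 0 else 0 for corr in correlate(samples, chips)]

if __name__ == "__main__":
    key = bytes(range(16))           # constructed demo key
    message = [1, 0, 1, 1]           # constructed message bits
    for k in (7, 8):                 # two consecutive packet indexes
        chips = derive_chips(key, k)
        rx = despread(spread(message, chips), chips)
        print(k, derive_table_index(key, k), rx == message)
```

Because both ends compute the sequence from the key and the packet index, only the index needs to be known in the clear; a receiver that correlates with the sequence of a different packet index no longer sees full-magnitude correlation peaks.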
As shown, the device 1300 includes a processor 1320, memory 1330, user interface 1340, network interface 1350, and storage 1360 interconnected via one or more system buses 1310. It will be understood that
The processor 1320 may be any hardware device capable of executing instructions stored in the memory 1330 or the storage 1360. As such, the processor may include a microprocessor, field programmable gate array (FPGA), application-specific integrated circuit (ASIC), or other similar devices.
The memory 1330 may include various memories such as, for example, L1, L2, or L3 cache or system memory. As such, the memory 1330 may include static random access memory (SRAM), dynamic RAM (DRAM), flash memory, read only memory (ROM), or other similar memory devices.
The user interface 1340 may include one or more devices for enabling communication with a user such as an administrator. For example, the user interface 1340 may include access to a display, a mouse, and a keyboard for receiving user commands. In some embodiments, the user interface 1340 may include a command line interface or graphical user interface that may be presented to a remote device via the network interface 1350.
The network interface 1350 may include one or more devices for enabling communication with other hardware devices. For example, the network interface 1350 may include a network interface card (NIC) configured to communicate according to the Ethernet or Bluetooth protocol, or a wireless protocol such as CDMA, TDMA or FDMA. Additionally, the network interface 1350 may implement a TCP/IP stack for communication according to the TCP/IP protocols, for example. Various alternative or additional hardware or configurations for the network interface 1350 will be apparent.
The storage 1360 may include one or more machine-readable storage media such as read-only memory (ROM), random-access memory (RAM), magnetic disk storage media, optical storage media, flash-memory devices, or similar storage media. In various embodiments, the storage 1360 may store instructions for execution by the processor 1320 or data upon which the processor 1320 may operate.
It will be apparent that various information described as stored in the storage 1360, may be additionally or alternatively stored in the memory 1330. In this respect, the memory 1330 may also be considered to constitute a “storage device” and the storage 1360 may be considered a “memory.” Various other arrangements will be apparent. Further, the memory 1330 and storage 1360 may both be considered to be “non-transitory machine-readable media.” As used herein, the term “non-transitory” will be understood to exclude transitory signals but to include all forms of storage, including both volatile and non-volatile memories.
In some embodiments, storage 1360 may contain communication instructions 1362, for example. Communication instructions may include instructions related to transmitting and/or receiving various codes. The instructions may be related to the relevant protocol used to transmit or receive.
While the hardware device 1300 is shown as including one of each described component, the various components may be duplicated in various embodiments. For example, the processor 1320 may include multiple microprocessors that are configured to independently execute the methods described herein or are configured to perform steps or subroutines of the methods described herein such that the multiple processors cooperate to achieve the functionality described herein. Various additional arrangements will be apparent.
It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in machine readable media and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
Although the various exemplary embodiments have been described in detail with particular reference to certain exemplary aspects thereof, it should be understood that the invention is capable of other embodiments and its details are capable of modifications in various obvious respects. As is readily apparent to those skilled in the art, variations and modifications can be effected while remaining within the spirit and scope of the invention. Accordingly, the foregoing disclosure, description, and figures are for illustrative purposes only and do not in any way limit the invention, which is defined only by the claims.