Introduction
Device-to-Device (D2D) communication enables devices to communicate directly with each other without the involvement of fixed networking infrastructure such as Access Points or Base Stations. Though D2D can be applied using different technologies like Bluetooth, WiFi-Direct and Near Field Communication (NFC), an important standardization effort is represented by the 3GPP Proximity Services (ProSe) function.
D2D brings many advantages (shorter latency, decreased network traffic, power saving and a fallback system in the case of network failure), but it is generally acknowledged that the security of devices and data is a key factor for the success of Device-to-Device communication technology. No matter which technology is used for D2D communications, the security problem areas that must be considered are the same: confidentiality, integrity, authentication, privacy, availability and dependability, as well as non-repudiation.
Several security schemes have been proposed for D2D, classified in the surveys of Wang and Zheng [1] and Hamoud et al. [2], with details on different methods for key management, authentication and access control. These surveys mention more than 40 research papers detailing security-related work for D2D communication at different OSI layers. None of these solutions considers the use of physical unclonable functions (PUFs) for the unique identification of a device (integrated circuit) or as a method for generating private keys. Our implementation takes advantage of this PUF “circuit fingerprinting” methodology, which is extremely suitable for mobile devices, by implementing the mechanism on Static Random-Access Memory (SRAM)-based PUFs, a technology that is achieving widespread adoption in commercial products: prototypes are already implemented by major vendors such as Intel, Samsung, UMC, Cypress, TSMC, IBM and Renesas. For instance, Samsung has released the “Exynos I” [3] dedicated Internet of Things (IoT) chip series with on-chip ‘Security Sub-Systems’ based on PUF, providing much higher levels of security compared to conventional one-time-password based solutions [4].
The survey [2] also notes whether each proposed D2D security mechanism was implemented or only simulated, and we have observed that many of the proposed solutions are purely conceptual. Our proposed algorithm is also implemented in a prototype that is detailed throughout the paper. Further security issues, such as confidentiality, integrity and authentication, need to be taken into consideration for a D2D security mechanism.
Our proposed security scheme offers solutions for the following problems:
key management using an RO-PUF for unique secret key generation, Elliptic Curve Cryptography for generating the public key corresponding to the secret key, and Diffie-Hellman for generating the shared secret key and for key exchange;
data encryption using a stream ciphering method based on the Salsa20/20 algorithm, suitable for real-time communications encryption;
The paper is organized as follows: The first section describes the D2D security issues and the mechanisms that should be implemented relative to the 3GPP description of the ProSe function. We will mention the solutions and motivation for the selection of the algorithms to be part of our prototype, compared to other related work implementations. The
Security Considerations for D2D Communications and Related Work
The D2D communication can occur either on operator’s licensed spectrum (underlying 3GPP LTE-A networks) or in the unlicensed spectrum (Bluetooth, WiFi-Direct).
While D2D communication mostly uses the Industrial, Scientific and Medical (ISM) spectra and works in a purely autonomous way, the 3GPP ProSe (Proximity Services) specifications have some well-established signaling procedures, as well as their own key management method [8]. First introduced in Release 12 of the 3GPP specifications, LTE-A ProSe relies on multiple enhancements to existing LTE standards, including new functional elements and a “sidelink” air interface for direct connectivity between devices. There are three main scenarios for D2D communications (Fig. 1):
the In-Coverage scenario in which the devices are in the coverage area of a base station (BS) / access point (AP), traffic offloading being the most common use-case
the Relay Coverage scenario in which part of the devices are out of base station coverage (Partial Coverage), but they can communicate by relaying their data via other covered devices
the Out-of-Coverage case when the network coverage is absent. A typical use-case is the Public Safety communication. Devices can autonomously set up connections and start D2D communications with each other in their proximity, without the assistance of any operators.
Most of the existing literature refers to this third scenario, detailing methods for key management, authentication and access control for spontaneous and non-assisted D2D communication.
Several D2D key management solutions detailed in other research papers make use of Diffie-Hellman Key Exchange (DHKE): Shen et al. [9] detail a method for establishing a shared secret key between two D2D devices based on DHKE, Zhang et al. [10] present a method to realize a session key agreement between two D2D devices under the control of the BS, while Ekberg et al. [11] detail the usage of DHKE for setting up a security association, followed by mutual authentication via home core network certificates. We have also used the Diffie-Hellman algorithm, but we have complemented it with Elliptic Curve Cryptography (ECC) for generating the public key corresponding to the secret key. ECC is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys than first-generation public key algorithms such as RSA and Diffie-Hellman, so it is recommended for mobile and wireless devices [12]. Another method proposed in related research papers is key management based on Attribute-Based Encryption (ABE), a type of public-key encryption in which the secret key of a user and the ciphertext depend upon attributes [13].
For authentication purpose, several methods were detailed in research papers dedicated to D2D implementations: Hash Message Authentication Code – HMAC [10], sharing pin authentication [13] or certificate authentication [11], [14].
We have observed that there are no D2D security schemes that take advantage of the device-uniqueness model based on physical unclonable functions (PUFs). There are several methods for authentication or key management using PUFs [15], but they have not been applied to D2D key management schemes. Considering that chip manufacturers, including mobile device vendors, have started including PUF security in their chips, we hereby propose the usage of PUFs in D2D security schemes.
When it comes to the encryption of real-time data streams, stream ciphering is known to be more suitable than block ciphering, as it was also used in GSM networks (GEA methods based on the KASUMI algorithm), whereas many of the available solutions are based on block ciphering. The 3GPP ProSe function uses the EEA (extended Euclidean algorithm) cryptography: while the EEA-2 version uses 128-bit AES (Advanced Encryption Standard), more recently EEA-3 has become available, based on the ZUC [16] stream cipher [17].
We propose the usage of Salsa20/20 in our implementation, a very efficient stream ciphering method that is considered secure, as it has not been compromised so far.
The surveys in [1], [2], and [18] describe – besides some other work related to D2D security – some types of attacks that can be performed on D2D communication. A single compromised node can be turned into a malicious one that brings down a complete system or can cause disasters.
Proposed D2D Key Management and Encryption Mechanism
The algorithms used for D2D security are presented in Figure 2. RO PUFs (Ring Oscillator Physical Unclonable Functions) implemented on Zynq are used to generate a secret key for each device involved in the D2D communication. Elliptic Curve Cryptography operations are used to generate the public key corresponding to the secret key produced by the RO PUF. The next step is to compute a shared secret key on each device using: i) the secret key generated with the RO PUF; ii) the ECC cryptographic operations; and iii) the public key of the other device involved in the D2D communication. We used the Diffie-Hellman anonymous key agreement protocol, which allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret key over an insecure channel. The shared secret key is used as a seed for the Salsa20/20 pseudo-random generator in order to obtain a stream of secret keys to be used in a symmetric encryption.
The encryption scheme for the D2D communication between Device A and Device B has the following phases:
Generate a secret key with RO PUF circuits for each device; due to process variations, each secret key is unique to its device;
Generate the public key for each device using the corresponding RO PUF secret key and the ECC operations;
Exchange the public keys between Device A and Device B (Device A sends its Public Key A and receives Public Key B);
Compute the shared secret key on Device A and Device B (Device A uses its RO PUF secret key, the public key of Device B and the ECC operations);
Use the shared secret key as a seed for the Salsa20/20 algorithm and generate pseudo-random keys;
Use the XOR operation between the Salsa20/20 PRNG (pseudorandom number generator) output and the plaintext message in order to encrypt the information.
Implementation
A. RO PUF Circuits Implemented on ZYNQ
Inspired by biometrics, PUFs provide a unique way to identify integrated circuits. Comparable in a simplistic way with a “unique fingerprint” of an IC – that differentiates one IC from another (though apparently identical) – PUFs exploit the inherent variability in IC manufacturing to implement challenge-response functions whose outputs depend on the inputs and on the physical micro-structure of the devices.
The secret key is generated using 128 RO PUF circuits, which exploit the natural variations of the IC manufacturing process in transistor attributes (length, width, oxide thickness).
One RO PUF is composed of 5 inverter gates connected in a loop as may be seen in Figure 3.
The inverters are manually placed and routed on the hardware resources using constraints like the ones described in Figure 4.
These inverters connected in a loop generate a periodic signal. Due to process variations, the frequencies of two such signals are slightly different. The periodic signal is used as the clock of a 13-bit counter. Given two counters, each clocked by a signal generated by 5 inverters connected in a loop, one of the counters will reach the maximum value first, because of the above-mentioned process variations. A comparator on the outputs of the two counters produces an unpredictable value (0 or 1), representing the RO PUF response: 1 bit of the 128 bits used as the secret key.
One RO PUF instance used in our implementation is composed of the digital circuits mentioned in Figure 5.
At first, 64 bits are generated using the clock signals produced by ro_puf_inst and ro_puf_inst1; then the clock signals are switched to the ones generated by ro_puf_inst0 and ro_puf_inst10. In this manner, the number of 13-bit binary counters is halved: 64 instead of 128. Figure 5 shows an RO PUF instance which generates bit 50 and bit 100 of the 128 bits. There are a total of 64 RO PUF instances like the one presented in Figure 5.
The statistical analysis of RO PUF circuits regarding their unicity and reproducibility is beyond the scope of this paper and has been extensively analyzed in [19]–[21].
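As an added behavioural model (not the paper's Verilog, and no substitute for the measurements in [19]–[21]), the following Python simulates the counter race described above: two 5-inverter loops clock two 13-bit counters, the comparator bit is whichever overflows first, and 64 instances each contribute two bits by switching loop pairs. The nominal frequency, the 1% manufacturing spread and the per-evaluation jitter are constructed values; what the model shows is that bits from loop pairs whose frequencies nearly coincide are the ones that flip between evaluations.

```python
"""
Added simulation (not the paper's Verilog): RO PUF counter race and the
64-instance arrangement that yields a 128-bit key. All parameters assumed.
"""
import random

COUNTER_MAX = (1 << 13) - 1        # a 13-bit counter wins the race when it reaches 8191
KEY_BITS = 128
INSTANCES = KEY_BITS // 2          # 64 instances, each giving bit i and bit i + 64
NOMINAL_HZ = 300e6                 # assumed nominal frequency of a 5-inverter loop
PROCESS_SIGMA = 0.01               # assumed 1% static, per-loop manufacturing spread
NOISE_SIGMA = 0.0005               # assumed 0.05% evaluation-to-evaluation jitter


def rng_for(seed):
    """Deterministic random source so that a run can be reproduced."""
    return random.Random(seed)


def enroll(rng):
    """Manufacturing variation frozen into one chip: 4 loops per instance (ro, ro1, ro0, ro10)."""
    return [[NOMINAL_HZ * rng.gauss(1.0, PROCESS_SIGMA) for _ in range(4)]
            for _ in range(INSTANCES)]


def race_bit(f_a, f_b):
    """Both counters start at zero; the comparator outputs 1 if counter A overflows first."""
    t_a = COUNTER_MAX / f_a        # seconds until counter A reaches COUNTER_MAX
    t_b = COUNTER_MAX / f_b
    return 1 if t_a < t_b else 0


def evaluate(chip, rng, noise=NOISE_SIGMA):
    """One key extraction: bits 0..63 from (ro, ro1), then the loops are switched to (ro0, ro10)."""
    def observed(f):               # every evaluation sees slightly different frequencies
        return f * rng.gauss(1.0, noise)
    key = 0
    for i, (ro, ro1, ro0, ro10) in enumerate(chip):
        key |= race_bit(observed(ro), observed(ro1)) << i
        key |= race_bit(observed(ro0), observed(ro10)) << (i + INSTANCES)
    return key


def hamming(a, b):
    return bin(a ^ b).count("1")


def reliability(chip, rng, trials=50):
    """Repeated noisy extractions vs. the noise-free reference: (bit error rate, unstable bit positions)."""
    reference = evaluate(chip, rng, noise=0.0)
    unstable, errors = set(), 0
    for _ in range(trials):
        diff = reference ^ evaluate(chip, rng)
        errors += bin(diff).count("1")
        unstable |= {i for i in range(KEY_BITS) if (diff >> i) & 1}
    return errors / (trials * KEY_BITS), sorted(unstable)


if __name__ == "__main__":
    rng = rng_for(2024)
    chip_a, chip_b = enroll(rng), enroll(rng)
    key_a, key_b = evaluate(chip_a, rng, 0.0), evaluate(chip_b, rng, 0.0)
    print(f"chip A key: {key_a:032x}")
    print(f"inter-chip Hamming distance: {hamming(key_a, key_b)} / {KEY_BITS}")
    ber, unstable = reliability(chip_a, rng)
    print(f"intra-chip bit error rate: {ber:.4f}, unstable bits: {unstable}")
```

The unstable positions reported by reliability() are the practical reason raw RO PUF responses are normally passed through an error-correcting (fuzzy extractor) stage before being used as a deterministic ECC secret key: a single flipped bit yields a different private key and a different public key on every boot.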
Because of FPGA routing complexity and limitations, few existing PUF circuits can be implemented on an FPGA. After many PUF implementation attempts we concluded that the well-known ring oscillator PUF and the latch-based PUF are appropriate for an FPGA application. In the case of an ASIC, however, the SRAM PUF is a suitable choice.
B. Elliptic Curve Cryptography
Symmetric key cryptosystems use the same key for encryption and decryption. Although they have the disadvantage of needing a secret key known by all participants (a shared secret key), they have the advantage of reduced computing time [22]. Therefore, we use a symmetric key cryptosystem for encryption/decryption and we generate a shared secret key.
Compared to other encryption technologies, ECC is helpful for use in low-memory and low-computing environments such as mobile devices and wireless devices. For example, a 160-bit ECC encryption key provides the same security as a 1024-bit RSA (Rivest-Shamir-Adleman) encryption key and can be up to 15 times faster, depending on the platform on which it is implemented [23], [24].
In this section we present details and results of the Elliptic Curve Cryptography implemented in hardware using an HDL (Hardware Description Language). For fast and accurate arithmetic in hardware implementations, we use elliptic curves over the binary field, \begin{equation*} y^{2}+xy = x^{3}+ax^{2}+b,\quad \mathrm{where}~ x,y,a,b \in F_{2^{m}},\end{equation*}
with the set of curve points \begin{equation*} E(F_{2^{m}}) = \left\{ (x,y) : x,y \in F_{2^{m}} ~\mathrm{satisfy}~ y^{2}+xy = x^{3}+ax^{2}+b \right\}. \end{equation*}
The public key of each entity is computed as elliptic curve scalar multiplication. We will produce a “trapdoor function” where the special information or “trapdoor” is the ID value generated using PUF circuits. In order to implement the elliptic curve scalar multiplication, the following information is required [25]:
Given a curve
Let
We decomposed the problem in three layers as it can be seen in Figure 6.
The first layer implements the operation over the Galois Field (GF): addition, subtraction, multiplication and multiplicative inverse. The field GF (
In our implementation, the Galois Field elements are considered in binary vector representation. The addition and subtraction operations in hardware over
We implement the multiplication as a multiplication followed by division using the reducing polynomials as the divisor.
First, we consider a general algorithm for the division of two binary polynomials. In the second approach to multiplication we consider a multiplication followed by a particular division using a fixed (known) value of the reducing polynomial as the divisor. For the multiplicative inverse we implement the extended Euclidean algorithm (EEA), which is based on polynomial division and multiplication over the Galois field. In order to optimize the extended Euclidean algorithm in terms of area we optimized the polynomial division algorithm. In our implementation we considered the representation of the Galois field elements as binary vectors. Table 3 shows an example of operations in the Galois field defined by the reducing polynomial \begin{equation*} p(t) = t^{163}+t^{7}+t^{6}+t^{3}+1 \end{equation*}
The second layer contains the elliptic curve operations, point addition and point doubling, which are built on the operations of the first layer. The formulas for point addition (R = P + Q) and point doubling (R = 2P) are given below: \begin{align*} \begin{array}{|c|c|} \hline R = P + Q & R = 2P \\ \hline x_{R} = \lambda^{2} + \lambda + x_{P} + x_{Q} + a & x_{R} = \lambda^{2} + \lambda + a \\ y_{R} = \lambda (x_{P} + x_{R}) + x_{R} + y_{P} & y_{R} = x_{P}^{2} + \lambda x_{R} + x_{R} \\ \lambda = \dfrac{y_{Q} + y_{P}}{x_{Q} + x_{P}} & \lambda = x_{P} + \dfrac{y_{P}}{x_{P}} \\ \hline \end{array} \end{align*}
C. Diffie Hellman Key Exchange
Elliptic curve Diffie-Hellman is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared “secret” over an insecure channel [26]. A schematic description of the Diffie Hellman key agreement protocol is presented in Figure 7.
The Diffie-Hellman key agreement protocol has the following steps: i) each device generates its own secret key based on the RO PUF circuit responses; ii) using the generated secret key and the elliptic curve cryptography described in Section B, the public cryptographic key is produced; iii) the public keys are exchanged between the devices; iv) the shared secret key is computed using the peer's public key, the secret key generated with the RO PUF and the ECC operations.
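The three layers of Figure 6 and the four protocol steps above, as an added Python example (it is not the paper's Verilog or C; it is written to make the arithmetic checkable on a workstation). Layer 1 is GF(2^163) with the paper's reducing polynomial p(t) = t^163 + t^7 + t^6 + t^3 + 1, implemented as "multiply, then divide by p(t)" and an extended Euclidean inverse; layer 2 is the affine point addition and doubling from the table in Section B; layer 3 is double-and-add scalar multiplication used for the public keys and the shared secret. The curve coefficients a = 1, b = 1, the base-point search (half-trace method) and the stand-in PUF responses are assumptions not stated in the paper.

```python
"""
Added example (not the paper's code): GF(2^163) arithmetic, affine point
operations, scalar multiplication and ECDH. a = b = 1 and base point assumed.
"""
import secrets

M = 163
P_T = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # bit i of an int = coefficient of t^i
A, B = 1, 1                                               # assumed coefficients of y^2 + xy = x^3 + a x^2 + b
INF = None                                                # point at infinity


# ---- layer 1: Galois field GF(2^163), elements as binary vectors (Python ints) ----
def gf_add(x, y):
    """Addition and subtraction coincide: bitwise XOR, no carries."""
    return x ^ y


def poly_divmod(a, b):
    """Long division of binary polynomials; returns (quotient, remainder)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(x, y):
    """Shift-and-XOR multiplication, then division by the fixed reducing polynomial p(t)."""
    z = 0
    while y:
        if y & 1:
            z ^= x
        x <<= 1
        y >>= 1
    return poly_divmod(z, P_T)[1]


def gf_inv(x):
    """Multiplicative inverse by the extended Euclidean algorithm over binary polynomials."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    r0, r1, s0, s1 = P_T, x, 0, 1          # invariant: s_i * x == r_i (mod p)
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, gf_add(s0, gf_mul(s1, q))
    return s1


# ---- layer 2: elliptic curve point operations (affine coordinates) ----
def on_curve(P):
    if P is INF:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_add(gf_mul(y, y), gf_mul(x, y)) == gf_add(gf_add(gf_mul(x2, x), gf_mul(A, x2)), B)


def point_double(P):                       # R = 2P
    if P is INF or P[0] == 0:              # x_P = 0 is a point of order two
        return INF
    xp, yp = P
    lam = gf_add(xp, gf_mul(yp, gf_inv(xp)))                   # lambda = x_P + y_P / x_P
    xr = gf_add(gf_add(gf_mul(lam, lam), lam), A)              # x_R = lambda^2 + lambda + a
    yr = gf_add(gf_add(gf_mul(xp, xp), gf_mul(lam, xr)), xr)   # y_R = x_P^2 + lambda x_R + x_R
    return (xr, yr)


def point_add(P, Q):                       # R = P + Q
    if P is INF:
        return Q
    if Q is INF:
        return P
    xp, yp = P
    xq, yq = Q
    if xp == xq:                           # Q == P (double) or Q == -P == (x_P, x_P + y_P) (infinity)
        return point_double(P) if yp == yq else INF
    lam = gf_mul(gf_add(yq, yp), gf_inv(gf_add(xq, xp)))       # lambda = (y_Q + y_P) / (x_Q + x_P)
    xr = gf_add(gf_add(gf_add(gf_add(gf_mul(lam, lam), lam), xp), xq), A)  # lambda^2 + lambda + x_P + x_Q + a
    yr = gf_add(gf_add(gf_mul(lam, gf_add(xp, xr)), xr), yp)   # lambda (x_P + x_R) + x_R + y_P
    return (xr, yr)


# ---- layer 3: scalar multiplication, public keys and the ECDH shared secret ----
def scalar_mul(k, P):
    """Left-to-right double-and-add; k is the device's secret (the PUF response)."""
    R = INF
    for bit in bin(k)[2:]:
        R = point_double(R)
        if bit == "1":
            R = point_add(R, P)
    return R


def gf_trace(c):
    """Tr(c) = c + c^2 + ... + c^(2^(m-1)); always 0 or 1."""
    acc, cur = c, c
    for _ in range(M - 1):
        cur = gf_mul(cur, cur)
        acc ^= cur
    return acc


def gf_half_trace(c):
    """For odd m, H(c) solves z^2 + z = c whenever Tr(c) == 0."""
    acc, cur = c, c
    for _ in range((M - 1) // 2):
        cur = gf_mul(gf_mul(cur, cur), 1)
        cur = gf_mul(cur, cur)
        acc ^= cur
    return acc


def find_point(x=2):
    """Assumed base point: smallest x >= 2 on the curve, via y = x*z with z^2 + z = x + a + b/x^2."""
    while True:
        c = gf_add(gf_add(x, A), gf_mul(B, gf_inv(gf_mul(x, x))))
        if gf_trace(c) == 0:
            return (x, gf_mul(x, gf_half_trace(c)))
        x += 1


def ecdh(secret_a, secret_b, G):
    """Steps ii)-iv): each device publishes k*G and multiplies the peer's point by its own k."""
    pub_a, pub_b = scalar_mul(secret_a, G), scalar_mul(secret_b, G)
    return pub_a, pub_b, scalar_mul(secret_a, pub_b), scalar_mul(secret_b, pub_a)


if __name__ == "__main__":
    G = find_point()
    puf_a, puf_b = secrets.randbits(128), secrets.randbits(128)   # constructed stand-ins for RO PUF keys
    pub_a, pub_b, shared_a, shared_b = ecdh(puf_a, puf_b, G)
    assert shared_a == shared_b and on_curve(shared_a)
    print("shared secret x-coordinate:", hex(shared_a[0]))
```

Two caveats for anyone porting this pattern to the Verilog or C side: double-and-add branches on each secret bit, so its timing and power trace depend on the PUF key (a Montgomery ladder with constant-time field operations avoids that), and a 128-bit secret scalar is shorter than the roughly 163-bit group order, so the secret should be stretched to the full scalar width rather than used as-is.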
Experimental Setup
As experimental setup we have used the SDR prototyping environment offered by the Digilent “Zedboard”, combining the Xilinx Zynq®-7000 All-Programmable SoC (ARM® dual-core Cortex™-A9+28 nm programmable logic) with the Analog Devices AD-FMCOMMS3-EBZ FMC (FPGA Mezzanine Card) module featuring the AD9361 integrated RF Agile Transceiver.
The Zynq-7000 SoC (System on Chip) offers the possibility to combine the software programmability of an ARM-based processor with the hardware reconfigurability of an FPGA, enabling hardware acceleration while integrating CPU, DSP and mixed-signal functionality on a single device. The features listed above make the Zynq-7000 a good platform for Software Defined Radio (SDR) implementations of a broad range of transceiver applications for wireless communications. We recommend it as very suitable for experimenting with Device-to-Device communication and its integration with complex security functions. For our demonstrator we used a back-to-back configuration (Figure 8) with directly coupled radio interfaces, without any limitations or interference with the public spectrum.
A description of the environment setup on Zedboard and the usage of the ARM core using a Linux operating system was presented by Dustinta and Stanciu [27].
In order to set-up the SDR work environment we have used the Linux ARM co-processor and the SoC implementation using Xilinx Vivado software [28] at FPGA level, connected with the Analog Devices AD-FMCOMMS3-EBZ board as radio interface. The communication sub-system was implemented using the AD IP Core for wireless communication.
Development for combining the communication modules with our implemented security modules can be performed in different ways:
Software implementation – running on the ARM core Linux implementation provided by Analog Devices – that also instantiates the communication with the AD Communication IP Core (see Figure 9). On top of this operating system, other communication software packages can be used (for example those from the open source GNU Radio).
Software and hardware co-design using MATLAB – particularly the MATLAB Communication module and the belonging LTE Advanced D2D communication modules [29]
Custom integration using the AD IP Core via Xilinx Vivado and running C code on top of this IP Core.
Implementation Results
A. RO PUF Circuits
The generation of the 128-bit secret key with RO PUF circuits is presented in Figure 10. Results are visualized with the ChipScope Logic Analyzer provided by Xilinx Vivado. First, 64 bits representing the LSBs of the secret key are generated, and then the other half by switching the ring oscillators composed of 5 inverters connected in a loop.
B. Hardware Implementation of ECC
This section summarizes the results of the elliptic curve cryptography implemented in Verilog and synthesized, placed and routed with Xilinx Vivado.
Table 5 presents the implementation results of elliptic curve cryptography over
C. Experimental Setup – Back-to-Back “Zedboards”
Figure 8 presented the connection between two devices: i) Device A, a “Zedboard” development platform with an FMCOMMS4 [30], and ii) Device B, implemented on a Zedboard platform with an FMCOMMS3 [31]. Device A runs a GNU application over a Linaro operating system that receives the encrypted data from Device B. Details regarding this implementation are presented in [27]. Device B uses the HDL reference design presented in [32], the version with the ARM microprocessor, which runs C code in order to transmit encrypted data. The C code is available at [33] and the data encryption was done with the algorithms chosen above.
D. Proposal for 3GPP ProSe Key Management Function Enhancement for an “Out-of-Coverage Scenario”
As part of the key management signaling in LTE-A, security parameters are provided by a network node called the ProSe Key Management Function. This node may physically be part of the ProSe Function included in the LTE-A core network. Central to the security is the ProSe Group Key (PGK) parameter. It is used as a basis to derive the input parameters for the security algorithm. Each PGK is provided with an expiry time. By providing the UE (User Equipment) with PGKs valid for different times, the UE may operate for a longer time without further parameter provisioning from the core network (for example when out of coverage), always choosing a PGK valid for the current time [34]. However, this mode of operation has disadvantages, mainly for devices that have been out of coverage for a long time, so a possible solution would be for the device to generate some parameters locally using the PUF-generated secret key.
Conclusion
This paper proposed a D2D security mechanism for key management and data encryption, implemented and tested on two Digilent “Zedboard” FPGA-based systems. The security mechanism is generic and can be applied to any type of communication (WiFi-Direct, Bluetooth), but it can also improve the standardized 3GPP ProSe Key Management Function in the out-of-coverage scenario.
Although most papers approaching D2D cryptographic methods focus on describing the algorithms and their advantages in a theoretical or simulated manner, we have implemented the proposed security algorithms in Verilog HDL.
Important results of the research work include:
A proposed security mechanism for D2D communication involving some novel solutions: PUF-based key generation, the efficiency of ECC for public key generation and a stream ciphering encryption method using Salsa20/20, suitable for the confidentiality of wireless transmissions.
Actual implementation of the algorithms, not only in software but also hardware-accelerated on the Zynq SoC platform with the Analog Devices RF daughter-boards.
A method for implementing a prototyping environment of the D2D communication and security by usage of dedicated SDR platforms, with a HW-SW codesign that can be used for future research and development.
The paper was focused on the security related implementation and the integration of the SDR configurations, but the methods we have accomplished for communications can be adapted and enhanced by deployment on different radio technologies (some of them facilitated, for instance, by pre-defined LTE-A MATLAB routines, integrated with Simulink and Analog Devices specific drivers).
Further research can extend the presented approach on the integration of signaling related to device discovery procedures or on the side-link channels and transmissions.