Efficient Secret Key Delivery Using Heartbeats

Recently, many researchers have employed physiological signals such as heartbeats as a source of the key seed used in key establishment protocols. Physiological signals make it easy to establish a secret key between implantable (or attachable) medical devices that can sense them. A key establishment protocol is a fundamental requirement for the security of healthcare and medical services such as diagnosis, treatment, prevention, and follow-up services. However, existing key establishment protocols demand high computational and communication costs or need a long key establishment time. In this paper, we propose an efficient IPI-based key establishment protocol that requires a relatively short time while keeping the strength of security close.


Introduction
Recent advances in sensor technologies have enabled the emergence of small sensor devices, in particular those called biometric sensors. Generally, biometric sensors are small enough to be attached to or implanted in the human body in order to monitor physiological signals. Once integrated with wireless network modules, biometric sensors can form a special kind of wireless sensor network in a human body, called a body sensor network (BSN). The biometric sensors check the health status of the human body and, as needed, they may automatically carry out intelligent treatment via their mutual communication. The information covered by BSNs not only involves individual privacy, but its misuse may even be life threatening in the worst case. For example, if an attacker with malicious intent can control the insulin injector implanted in a particular patient at will and it injects excess insulin into the patient's body, the patient will be in a very dangerous situation. Thus, privacy and security protection of BSNs is an essential requirement for popularizing medical and healthcare services.
In BSNs, the use of biometrics, specifically physiological signals, makes it possible to provide stronger security more easily. We can imagine that a long-term secret key is embedded in implantable medical devices before deployment. If a malicious attacker gets the long-term key through an unpredicted accident or a compromise attack, the patient with the implantable medical device will have to undergo surgery to update the long-term secret key. If an asymmetric cryptosystem is applied to the implantable medical device, it may not be necessary to store the secret key in advance, but it will bring a huge energy problem to the medical device. For these reasons, many security researchers have proposed symmetric key-based cryptographic protocols that do not require storing secret information in advance.
Most physiological-signal-based key establishment schemes [1][2][3][4][5][6] have been designed based on the fuzzy-vault scheme [7]. However, the fuzzy-vault scheme fundamentally requires significant computation and communication costs because of a number of polynomial calculations and the transmission of numerous chaff points. For these reasons, most researchers have tried to deal with these issues. The work [3] reduced computational costs by transmitting only matched points to the other party instead of calculating Lagrangian interpolation coefficients. The work [4] employs simple arithmetic operators for vault unlocking instead of the Euclidean distance formula, which requires squaring and a square root. In addition, the works [5][6] enhanced the security of the fuzzy vault. In these works, chaff points are chosen not from a 1-dimensional space but from a 2-dimensional space in order to increase the number of available points and make it difficult for a brute force attack to succeed.
In this paper, we propose a lightweight key establishment scheme using the inter-pulse interval (IPI) of the photoplethysmogram (PPG), in order to avoid the above disadvantages of the fuzzy-vault scheme. Here, an IPI means the interval between two peaks of the PPG signal. If IPIs are used for a key establishment scheme, it is not necessary to derive the polynomial, unlike the fuzzy vault, and there is no need to transmit chaff points, so the amount of computation and the amount of traffic can be greatly reduced. Although various IPI-based key establishment schemes [8][9][10][11][12] have been proposed so far, the work [13] recently proposed a simple and efficient IPI-based key delivery protocol. In the work [13], biometric sensor A encodes the secret key it generated using an error correction code (ECC), hides it in a witness, which is generated from the biometric information measured by itself, and transmits it securely to another biometric sensor B. Then B recovers the secret key using its own witness. However, since that work has to collect biometric information for witness generation as long as the bit length of the encoded output, the secret key exchange takes a relatively long time.
In this paper, we have reduced the key generation time by lessening the length of witness, while maintaining the advantages of the IPI-based key establishment schemes. Biometric sensor A encodes the generated witness using the ECC and it transmits only the parity code of the encoded outputs to another biometric sensor B. Also, in order to hide a secret key in the witness, A needs a witness equivalent to the key length, not the encoded output length. The main contributions of the paper are outlined as follows.
1) Relatively short key establishment time: we shortened the key establishment time by reducing the number of IPIs needed to generate a secret key. It will be possible to access the medical device (biometric sensor) faster in an emergency.

2) Low computational and communication cost: the proposed protocol adopts a symmetric cryptosystem, not an asymmetric cryptosystem. Furthermore, the proposed protocol does not transmit a large amount of data like the chaff points of the fuzzy vault.

The remainder of this paper is organized as follows. Section 2 introduces the background of the proposed key delivery protocol. After explaining our IPI-based key delivery protocol in Section 3, we discuss the performance of the proposed protocol in Section 4. Finally, we conclude this paper in Section 5.

Backgrounds
In this section, we explain our system and adversary models, and we briefly introduce related works.

Fig. 1. Our System Model
Fig. 1 depicts our system model, which can be applied to biometric-based systems such as a u-Healthcare service system, a BSN (Body Sensor Network), and a WBAN (Wireless Body Area Network). Such systems are mainly made up of two types of devices: a collector and several biometric sensors. Each biometric sensor can be attached to a body or implanted in the body as necessary. The collector can be wirelessly connected to an external management server. Each biometric sensor measures biometric information of the body for various tasks such as health status monitoring and medical decision support, while offering the biometric information to the collector. The collector periodically aggregates the biometric information from each biometric sensor installed in the same body, and then it sends the aggregated data to the external management server.
In our system model, the collector as well as the biometric sensors can measure the inter-pulse interval (IPI) of the photoplethysmogram (PPG). Here, IPIs can be measured in / above the human body [14]. In biometric-based systems, since biometric sensors handle private medical information of patients, it is necessary to construct secure communication between them. The secret key delivery protocol proposed in this paper allows two biometric sensors (or a biometric sensor and a collector) to share a secret key for secure communication between themselves.

Adversary model
The goals of an adversary A can be divided into two types as follows. The first is to find who possesses certain biometrics even though A does not have any secret that is shared between a collector and each biometric sensor and used in the process of authentication. The second is to make a valid response even though A is not a legitimate participant. More specifically, A wants not only to be authenticated by a collector or biometric sensors of the attack target, but also to participate in a secret delivery protocol by pretending to be a legitimate participant. Accordingly, we can define two adversary types: a passive adversary and an active adversary.
A passive adversary is an adversary that can just eavesdrop on and collect the messages exchanged between legitimate participants but cannot inject or modify their messages, because A has no ability to make a valid challenge and response of the secret key delivery protocol. For instance, tracing through continuous eavesdropping is one of the passive attacks. Meanwhile, an active adversary is defined as A who can fabricate messages and insert them into the normal authentication process to achieve his/her malicious purpose. Here, we assume that an active adversary cannot physically access a biometric sensor because physical access to a biometric sensor implanted in a body or attached to a body is quite difficult. The attack target will probably be able to easily recognize the physical access. For example, impersonation and spoofing attacks belong to this type of attack.

Related works
The feasibility of IPIs for key establishment between biometric sensors has been studied steadily. It relies heavily on the randomness of IPIs and the disparity between IPIs obtained from different subjects. In this subsection, we discuss these IPI characteristics and then we introduce some of the representative IPI-based key delivery protocols.
Many previous works [8][9][10][11][12] have already evaluated that each IPI, whether obtained from healthy subjects or from patients with cardiovascular diseases, has a high degree of entropy and can therefore be used as a security key. However, not all bits of an IPI have a high degree of entropy. Although the length of an IPI is from eight to ten bits in accordance with the sampling rate of a biometric sensor and each IPI is time-variant, it is known that only the three or four least-significant bits (LSBs) of all its bits are independent random variables [12][13].
One of the most important considerations when IPIs are used for key establishment is the disparity between IPIs which are simultaneously obtained from the same body. Most related works [13][15][16][17] have focused on how to efficiently synchronize IPIs having such a property. The work [15] first proposed a key establishment scheme using IPIs, while the works [16] and [17] did not share any secret information between the two parties in advance for key exchange. Compared with these works, the work [13] does not use pre-deployed secret information while reducing the number of communication rounds considerably. Fig. 2 shows the outline of the work [13]. It is assumed that two biometric sensors (Sender and Receiver) are attached to the same subject. Both biometric sensors measure IPIs in real time and they periodically exchange misdetection flags ($m_S$, $m_R$) for the block consisting of several trimmed IPIs. The sender and the receiver generate witness values ($w_S$ and $w_R$, respectively) from the blocks. The receiver creates a nonce K used as a symmetric key between itself and the sender. After encoding the nonce using the BCH (Bose-Chaudhuri-Hocquenghem) code, the receiver XORs the encoded code with its witness $w_R$, and then it transmits the computed result to the sender. The sender XORs the received value with its witness $w_S$ and decodes the encoded code. Finally, the sender checks whether the derived key is correct through the key confirmation step. However, the work [13] requires a relatively long time to exchange a secret key. For example, it takes between 60 and 77.6 seconds to generate an 80-bit key using three LSBs and (204, 80, 37) BCH codes; that is, a 204-bit witness is required to make an 80-bit key and it is derived from about 68 IPIs.

Fig. 2. Outline of the work [13]
The key-exchange time should be reduced for practical use. In this paper, we significantly reduced the expected key-exchange time by modifying the commit step effectively.

Proposed secret key delivery protocol
In this section, we explain the proposed secret key delivery protocol between two biometric sensors (a Sender and a Receiver) using IPIs. The proposed protocol is composed of several steps: witness generation, ECC encoding & decoding, key generation, key transmission, key derivation, key verification, and key confirmation. Three steps (ECC encoding, key generation, and key transmission) correspond to the Commit step of Fig. 2, while three other steps (ECC decoding, key derivation, and key transmission) correspond to the Decommit step. Fig. 3 depicts our proposed secret key delivery protocol. The notation is shown in Table 1.

SUCCESS: a flag meaning that a pairwise key between Sender and Receiver is established successfully

Witness generation
Each biometric sensor makes its own witness from its own measured IPIs in this step. Sender S consecutively measures n IPIs (IPI1, IPI2, …, IPIn), each of which is the time difference between two sequential heartbeats. Like the work [13], we assume that only the three LSBs of each IPI are used to produce a witness piece. The selected IPI bits are reprocessed through Gray coding, which can lower the disparity between two IPIs. We then call the Gray-coded bits a witness piece, i.e., an IPI is the source of a witness piece and n witness pieces ($w_{S,1}, w_{S,2}, \ldots, w_{S,n}$) become a witness ($w_S$). In the same way as S, Receiver R also generates its own witness $w_R$ (where $w_S \approx w_R$), providing a basis for trust establishment.

ECC encoding & decoding
In this step, S generates parity code P for its $w_S$ using an error correcting code. We employ the BCH code as the error correcting code. The encoded output of the BCH code is separated into its original data $w_S$ and its parity code P. In the key transmission step, only P is sent to R for BCH decoding.

Key generation & transmission
S generates a secret key and then it provides R with the supplementary information required for key derivation and key verification. S selects a nonce used as a symmetric session key K between itself and R. After computing , S sends R the computed result, which helps R recover K.

Key derivation & verification
R derives the same key K using its own witness $w_R$. On receiving the supplementary information, R decodes it using $w_R$ together with P. Consequently, R can obtain $w'_S$ (= $w_S$). If the bit difference between $w_S$ and $w_R$ is within the correctable range of the BCH code, $w'_S$ and $w_S$ will be exactly the same. Using $w'_S$, R computes $K \oplus w_S \oplus w'_S$ and it finally gets secret key $K'$ (= $K$). For the validation check of $K'$, after calculating $MAC'(TS \parallel K \oplus w_S \parallel P)$, R checks whether the calculated result is equal to the received value $MAC(TS \parallel K \oplus w_S \parallel P)$. If they are the same, R takes $K'$ as the session key during the session associated with S.

Key confirmation
S confirms that S and R have the identical session key. In this step, R computes $MAC'(TS \parallel \mathrm{SUCCESS})$ using its own session key $K'$ and then transmits it to S. On receiving it, S computes $MAC(TS \parallel \mathrm{SUCCESS})$ and then checks whether the computed value and the received value are the same. If they are the same, S and R begin secure communication using the session key. Otherwise, they start the entire procedure again.
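The steps above, from witness generation to key confirmation, run end to end in the following added Python example; it is not the authors' code. Assumptions: Hamming(7,4) parity over 4-bit blocks stands in for the BCH code, HMAC-SHA256 stands in for the MAC, and the IPI values, the 48-bit witness and the TS string are constructed for illustration with no security level implied.

```python
import hashlib, hmac, secrets

def witness(ipis):
    """Gray-code the 3 LSBs of each IPI and concatenate the bits (w_S or w_R)."""
    pieces = [(x & 7) ^ ((x & 7) >> 1) for x in ipis]
    return [(p >> s) & 1 for p in pieces for s in (2, 1, 0)]

def parity(blk):  # Hamming(7,4) parity of a 4-bit block; assumed stand-in for BCH
    d1, d2, d3, d4 = blk
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]

FIX = {(1, 1, 0): 0, (1, 0, 1): 1, (0, 1, 1): 2, (1, 1, 1): 3}

def correct(w_r, P):
    """R's decoding with parity only: a syndrome in FIX names the one wrong data bit."""
    out = []
    for j in range(len(w_r) // 4):
        blk = w_r[4 * j:4 * j + 4]
        syn = tuple(a ^ b for a, b in zip(parity(blk), P[3 * j:3 * j + 3]))
        if syn in FIX:
            blk[FIX[syn]] ^= 1
        out += blk
    return out

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mac(key_bits, *parts):  # HMAC-SHA256 is an assumption; the page names no MAC
    return hmac.new(bytes(key_bits), b"".join(map(bytes, parts)), hashlib.sha256).digest()

def sender_commit(w_s, ts):
    """S: pick nonce K, then send TS, K xor w_S, P and the MAC keyed with K."""
    K = [secrets.randbits(1) for _ in w_s]
    P = [b for j in range(len(w_s) // 4) for b in parity(w_s[4 * j:4 * j + 4])]
    C = xor(K, w_s)
    return K, (ts, C, P, mac(K, ts, C, P))

def receiver_derive(w_r, msg):
    """R: recover w'_S, derive K', verify the MAC, reply with MAC(TS || SUCCESS)."""
    ts, C, P, tag = msg
    k2 = xor(C, correct(w_r, P))
    if not hmac.compare_digest(tag, mac(k2, ts, C, P)):
        return None, None          # witnesses too far apart: restart the protocol
    return k2, mac(k2, ts, b"SUCCESS")

def sender_confirm(K, ts, reply):
    return reply is not None and hmac.compare_digest(reply, mac(K, ts, b"SUCCESS"))

# Constructed sample: 16 IPIs (ms) from one body; R's copy has 1 ms jitter on three beats.
IPI_S = [812, 797, 805, 790, 818, 801, 795, 809, 788, 803, 814, 799, 807, 792, 810, 796]
IPI_R = [812, 797, 806, 790, 818, 801, 795, 809, 788, 802, 814, 799, 807, 792, 811, 796]
if __name__ == "__main__":
    K, msg = sender_commit(witness(IPI_S), b"TS-0001")
    print(sender_confirm(K, b"TS-0001", receiver_derive(witness(IPI_R), msg)[1]))
```

Because the 3-bit Gray code is cyclic, a one-unit IPI difference always flips exactly one witness bit, which is what keeps the three jittered beats within the correctable range here.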
protocol depends on the parameter value, specifically, k and t, of the BCH code (n, k, t); here, n is the total bit length of the BCH-encoded data, k is the bit length of the BCH input data, and t is the number of correctable bits.
In order to get some profitable information, a passive or active adversary must find out a valid session key or guess it accurately. Since it is very difficult for the adversary to directly obtain the biometric information from the body of the attack target, the adversary has to predict the key without the biometric information. If the adversary can precisely estimate (k - t) bits or more, then he/she gets a valid session key. Accordingly, we can compute the probability (P) of correctly estimating (k - t) bits or more among the total k bits as below, (1) , when k = 80, the key prediction probability is higher in the proposed protocol than in the work [7] at all t values. However, in the case that k = 128 and t ≤ 10, the key prediction probability of the proposed protocol is lower than that of the existing work. Besides, as the error correction rates of the proposed protocol and the existing protocol are about 0.078 and 0.088, respectively, they are almost similar.
Next, let's look at the key generation time. We assume that 3-bit IPIs are used for key generation and 70 IPIs are measured per minute. A 128-bit key for the proposed protocol requires 36.57 secs (= $\frac{128}{3} \times$ ), while an 80-bit key for the existing protocol needs 58.28 secs (= $\frac{204}{3} \times$ ). As expected, the proposed protocol can significantly reduce the key establishment time, compared with the existing protocol, by approximately 35%.

Conclusion
In this paper, we proposed an efficient key delivery protocol. Compared to the existing work, we have significantly reduced key generation time by decreasing the size of the witness required to generate a secret key. This advantage will enable faster response by reducing the time to access a secure medical device in an emergency.
In the near future, we will perform real-time testing using actually measured photoplethysmograms in order to investigate the availability of the proposed protocol. Furthermore, we will demonstrate, on a simulator to be built in the near future, how high the probability is that a session key between two biometric sensors is established.