IoT Access Authentication Framework based on Radio Frequency Fingerprint and Fingerprint Expression Specification

The classical device-authentication methods includes MAC address, pre-shared key. However, the MAC address is easy to be imitated. Radio frequency fingerprint (RFF) is a physical layer inherent characteristic for a device. Utilizing the RFF for terminal access control, it is possible to realize identity authentication by received waveforms. Some RFF features can be used for classification and identification. Different kinds of RFF extraction algorithms would generate features with different expressions. Hybrid features would be used to improve identification relability in practical use.So The wireless access control system based on RFF must support different kinds of fingerprint expressions and be compatible with the existing authentication framework. Besides uniforming the RFF expressions could make the framework suitable for a variety of IoT devices. As a new authentication key, RF fingerprint is incorporated into the access control system. This requires the unified expression format, coding, control signal frame, status code and other specifications of fingerprint.

IoT Device Access Gateway A device works for network connection, control and management, which deployed at the boundary between the perception layer and the network layer of the Internet of things. It realize the communication between the Internet of things devices and the network layer. Trust Center A special IoT device responsible for authenticating the legitimacy of devices and distributing communication keys in a IoT network. Lower Computer A computer that directly controls the hardware to obtain the condition of other devices or command them. CSMA/CD Carrier Sense Multiple Access with Collision Detection ASCII American Standard Code for Information Interchange

RF fingerprint access control framework uses RF fingerprint as the authentication token for access. It is different from the traditional authentication mode which depends on the pair of MAC address and secure key. It substitutes the secure key with RF fingerprint. When a new network device requests access, if its MAC address is illegal, the access framework will directly reject it. If its MAC address is legal, it will then be judged whether its fingerprint matches its MAC address. If not, it will be considered as an illegal and disguised device with a fake MAC address. Limited to the weak computing ability of IoT edge devices and the requirement of RF fingerprint extraction algorithm, the access control framework adopts a three-party authentication model. It includes the claimant, relying party, the verifier, and the relationships among them is shown in . The claimant refers to the IoT device requesting access to the network. The relying party refers to the nodes which is responsible for access control in the IoT network, such as the central node device or the lower computer of the IP interface. The verifier refers to a trusted third party for RF fingerprint extraction and identification. The verifier and the relying party can be the same entity.

+-------------------+ +-------------------+ | Claimant | <----------> | relying party | +-------------------+ +-------------------+ ^ ^ | | | | | | | | | v | +-------------------+ +-----------------------> | verifier | +-------------------+ shows the network architecture after deploying the network model of Figure 1. The RF fingerprint wireless access control system mainly includes physical layer equipment access gateways, authentication servers, proxy servers, signal collectors, etc. The relying party is an entrance gateway of the IP network, or the trust center which is a special device in an IoT network. Therefore, the communication between the relying party and the proxy server requires an appropriate interface. The black and white list of the system is stored in the authentication server.

+-------------+ +---------------+ +----------------+ | New Device | | Intermediate | | PHY Gateway | | (Claimant) |<----->| Device Node |<----->| /Trust Center | | | | | | (Relying Party)| +-------------+ +---------------+ +----------------+ ^ | ^ | | | | 1.request| |4.result | Trusted Environment | | | +-------------------------------------------+--------+ | | | | | | | v | | | | +---------------+ 2.request with RFF +------------+| | | |Authentication | <-------------- | Proxy || | | | Server | --------------> | (extract || | | +---------------+ 3.result | feature) || | | +------------+| | | | ^ | | | | | | | | v | | | | +---------------+ | +----+--------------------------------> | Signal | | | | Collector | | | +---------------+ | | | +----------------------------------------------------+ Detailed access process is described as follows. When a new device applies to join a network, it should firstly establish a connection to parent node. The IP address of the new device is preseted or assigned by its parent node before authenticattion. After the preliminary connection is established, the parent node sends an authentication request, which carries the MAC address of the new device, to the relying party. The relying party sends an authentication request to the proxy server, and the proxy server uses the analog signals received from the new device to extract. Then the proxy server sends a request frame containing the fingerprint to the authentication server. The signal collector usually keeps monitoring the entire system. Since the wireless network device adopts the CSMA/CD strategy for sending signals, the request frame for joining a network would be captured by the signal collector in real time. Sampling data is already stored in the proxy server before the relying party requests authentication. If the proxy server does not capture the claimant's connection request signal, it will return a status code, ?no fingerprint collected?, to the relying party. Therefore, there are three kinds of status code for authentication: legal, illegal and no fingerprint collected. The relying party executes access control according to the authentication status code, such that: Legal Assign communication keys to allow new nodes to join the network. Illegal Do not assign keys to the new node and send a control frame to block the illegal device. No Fingerprint Collected Send the control frame to ask the new node to resubmit the authentication request.

The certification service of the verifier shall be independent and impartial, and its authentication results should help to establish a trust relationship between the application system and new IoT device. The IoT device application layer protocol should provide specific signaling and functional processes for access control framework. Specifically: The connection process between the new device and its parent node should be split into two parts: connection establishment and authentication. After the connection is established, the new device uses its MAC address to request authentication. The communication key can only be obtained after the judgment is legal. Authentication status code should contain at least 3 types: legal, illegal, no fingerprint collected. The gateway or trust center should be able to respond to the authentication result from the proxy server when it does not actively apply a connection request. That is, the verifier can check the legitimacy of the devices in the network at any time. The verifier needs to be in a secure and trusted environment. For example, proxy servers, authentication servers, and signal collectors are deployed in a security intranet. All communication interfaces in the framework should be reliable. The relying party and the authenticating party should adopt encrypted communication mode, using an independent, preset session key. The access authentication framework does not specify the fingerprint extraction method and authentication mechanism, and has nothing to do with the signal protocol type of the IoT devices. But all kinds of fingerprints should have a unified expression form.

RF fingerprints mainly include frequency offset, phase offset, power spectral density, adaptive filter coefficients, differential constellation, etc. They could be mainly divided into two types: graphics and numerical values, both of which can be transformed into a one-dimensional vector. According to the type of IoT device and the type of communication protocol, the identification algorithm adopts single or multiple RFF features. Fingerprint identification algorithm classifies and identifies the devices through the differences among feature vectors. Features of one device is stable and similar in different time. Differences of features among different devices are obvious and easy to classify.

RF fingerprint is expressed as a one-dimensional vector including no more than 30 elements. If it exceeds 30 elements, feature dimension reduction is required. For features that cannot be reduced to less than 30 elements, feature segmentation and packet transmission shall be carried out. The one-dimensional RFF feature vector shall fully reflect the fingerprint characteristics of the devices. The feature vector of the same device shall remain relatively stable, while the feature vectors of different devices shall maintain distinguishable differences.

The original fingerprint vector dimension is less than 30 dimensions, and the data storage form is floating point or integer. The compression coding process is presented as follows: Normalize the fingerprint vector , scale the numerical value in (- 1,1). For each one-dimensional vector, convert it to binary decimal and 24 significant digits are reserved. The first bit is the sign bit. The sign bit 0 indicates that the value is positive and 1 indicates that the value is negative. The 64 symbols 48 ~ 90 and 97 ~ 117 in the ASCII code table are used as the mapping table. The 24 bit binary is grouped into 4 groups according to 6 bits. Convert every 6-bit binary decimal to 1-bit 64 decimal. Then map the 64-decimal symbol to an ASCII symbol according to the index. Thus, each one-dimensional data coding dimension is decoded by 4 ASCII symbols. Convert all dimensions of all vectors to ASCII symbols and splice them into strings. The string length is less than or equal to 120 characteristics. This string is the fingerprint formal expression.

The control message is compatible with radius protocol, in which attributes, functions and maximum length are in accordance with radius protocol. The control message is compatible with RADIUS protocolRFC 2865, in which attributes, functions and maximum length are in accordance with radius protocol.

The message format shall at least contain five fields: frame type, identifier, frame length, authenticator and attribute. The detailed description is shown in .

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Respones Authenticator | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attributes ... +-+-+-+-+-+-+-+-+-+-+-+-+-+- Code Describe the type of message. 1 indicates access request message, while 2 indicates access accept message. Identifier Identify the message serial number, which is used to match the request message and response message, and detect the request message retransmitted within a period of time. Length The length of access control message. Bytes exceeding the length value are ignored as padding characters. If the actual length of the received message is less than the value of length, the message will be discarded. Response Authenticator Verify the response message of servers. Authenticator in the request message is a random number, followed by MD5 of shared key and random number. Attributes The Attribute field is variable in length. It is the content body of the message. attributes is encoded in Type/Length/Value triplets.

The Attribute for RFF access control is specified from atrributes in RADIUS. It only needs one attribute. In a triplet,the first element is the MAC address of the new device,which is a fixed length for devices of one kind. The second element is the length of the triplet. The third element is the encoded fingerprint. shows the structure of the attribute.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC address | Length | Fingerprint | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

This document includes no request to IANA.

This section will address only security considerations associated with the use of RF fingerprint access control framework. Encrypted communication is required when the access control message is transmitted between the IoT trust center and the third-party server. If the third party is not credible, the access system loses credibility. Therefore, it is necessary to ensure that the relying party and the verifier are in a secure and trusted environment.