Cross-Layer Authentication Protocol Design for Ultra-Dense 5G HetNets
Creating a secure environment for communications is becoming a significantly challenging task in 5G Heterogeneous Networks (HetNets) given the stringent latency and high capacity requirements of 5G networks. This is particularly factual knowing that the infrastructure tends to be highly diversified especially with the continuous deployment of small cells. In fact, frequent handovers in these cells introduce unnecessarily recurring authentications leading to increased latency.
In this paper, we propose a software-defined wireless network (SDWN)-enabled fast cross-authentication scheme which combines non-cryptographic and cryptographic algorithms to address the challenges of latency and weak security. Initially, the received radio signal strength vectors at the mobile terminal (MT) is used as a fingerprinting source to generate an unpredictable secret key. Subsequently, a cryptographic mechanism based upon the authentication and key agreement protocol by employing the generated secret key is performed in order to improve the confidentiality and integrity of the authentication handover. Further, we propose a radio trusted zone database aiming to enhance the frequent authentication of radio devices which are present in the network. In order to reduce recurring authentications, a given covered area is divided into trusted zones where each zone contains more than one small cell, thus permitting the MT to initiate a single authentication request per zone, even if it keeps roaming between different cells. Accordingly, once the RSS vectors and the encrypted mobile identification are received by the authentication slice (AS), this latter builds the authentication vector using the -nearest neighborhood technique to estimate the fingerprint distribution which is compared to the radio trusted zones database to prove the legitimacy of the MT and the network slice (NS). Cross-layer authentication protocol is consequently executed. The proposed scheme is analyzed under different attack scenarios and its complexity is compared with cryptographic and non-cryptographic approaches to demonstrate its security resilience and computational efficiency.
Wireless connectivity has progressively secured its place in the last decade to be an indispensable part of our communication means that has undoubtedly increased mobile traffic load. According to , mobile data traffic is expected to expand at a compound annual rate of 57% until 2019 and is predicted, by year 2020, to exhaust the available capacities provided by the fourth generation (4G) and the long term evolution (LTE) infrastructures .
In addition, network densification using low-power small cells is considered to be a core solution for 5G. This new architecture indeed demands new requirements such as flexibility in management and configuration, adaptability and vendor-independence. To meet these requirements, software defined wireless networks (SDWN) have been proposed as a cost-effective solution . Hence, the hetnet nature of 5G with the separation of data and control planes and the virtualization of major network functions increase the need for authentication improvement, integrity, and privacy protection in the presence of malicious actors .
The traditional authentication handover mechanism is based on a cryptographic key and on multiple handshakes. The authentication and key agreement (AKA) protocol which is standardized by the third generation partnership project (3GPP) in  is widely used in current wireless networks. In brief, the AKA protocol involves three entities which are (i) the mobile terminal (MT) which represents the user, (ii) the home environment (HE) and (iii) the serving network (SN).
AKA allows the SN to authenticate and exchange keys with the user, without ever being given the user’s key. Instead, one-time authentication vector (AV) are issued to SN by the HE. All communication and computations in AKA are very efficient thanks to the use of symmetric-key cryptography. To this end, the client authenticates the network by computing the response (RES) using its k secret key and the network authenticates back to the client across-AV by associating its response with the expected response (XRES). Using symmetric cryptography, AKA shares a k secret key with the MT and the HE in order to maintain the privacy and security of the information.
By exploring and investigating the security analysis of current authentication protocols, we pinpoint several of their vulnerabilities against different attacks including resistance attacks, black hole attacks, replay attacks, man-in-the-middle attacks, impersonation attacks, and denial of service attacks . We also note that considerable research has been made to improve such protocol. For instance, in , the authors propose a security enhanced authentication and key agreement (SE-EPS AKA) method based on wireless public key infrastructure by using the ellipse curve cipher (ECC) encryption. Additionally, the research work in  points out a scheme which resolves the privacy problem and prevents mobility management entity (MME) masquerading. Moreover, the devised scheme takes into consideration the fact that the MT is energy-limited and for that reason, public key cryptography is not used at the MT. The mechanism in  suggests an enhanced AKA protocol using a methodology which provides zero-knowledge proof using a pre-shared key that is never sent over the transmission medium. A new key exchange procedure is proposed in  where the user identity information and authentication vector in the network domain are encrypted using the public key cryptosystem. The public parent key adopted in local authentication is generated by means of random data. In , the authors show that their proposed approach eliminates the synchronization between mobile station and its home network in the key exchange process. Besides the discussed vulnerabilities, the conventional AKA authentication protocol may not fulfill the requirements of future dense small 5G network cells in terms of security, resistance to spoofing, low latency, infrequent handover and low computational costs .
Alternatively, it has been shown that exploiting the environment-dependent radiometric features of a specific transceiver pair, such as the channel state information (CSI)  and the received signal strength indicator (RSS) , can improve the authentication procedure. In fact, these channel characteristics can be used to differentiate signals arriving from authorized transmitters and those originating from spoofed transmitters , . Moreover,  presents a comparative survey of wireless local area network location fingerprinting schemes. The foundation behind these schemes is that RSS is location-specific, due to path loss and channel fading, where most works in this category usually assume that the users are static; thus generating an excessive false positive rate in mobile scenarios. Accordingly, an attacker who is at a different location from the genuine user might be placed in different RSS profiles and whereby can infer the RSS of the user by using a wireless sniffer tool.
To tackle these challenges, a promising cross-layer authentication method is proposed in this paper. The novelty of our work lies in devising and evaluating a multi-layer approach which amalgamates physical layer information (i.e., non-cryptographic)  in conjunction with cryptographic procedures. In this context, we define two security level agreements (SLAs) which are devised for decentralized and centralized networks, respectively. These agreements are established at the beginning between the network slice (NS) and the authentication slice (AS).
Moreover, we prosed the use of a radio trusted zones data base at the AS side. In fact, a given covered area is divided into trusted zones where each zone contains more than one small cell, thus permitting the MT to initiate a single authentication request per zone, even if it keeps roaming between different cells. On the other hand, the data base of each zone contains the different RSS profiles and their corresponding localizations. Thanks to the widely used radio mapping technique, this database is filled. Hence, this approach aims to add another security level to the system and reduce the recurring authentications in the network.
At the MI side and for non-cryptographic procedures, the gathered RSS measurements at the MT are used to generate the fingerprint aiming to randomize the secret key used by the AKA protocol. After this step, a cryptographic approach employing an enhanced AKA protocol is performed in order to improve the confidentiality and integrity of the authentication handover. Furthermore, sending the mobile identity (IM) on the fly in a clear form (without encryption) is still another weaknesses of the AKA protocol. We address this problem by generating a radio signal fingerprint that prevents such transmission patterns, thus obscuring IM. Subsequently, the obscured IM is encrypted and then transmitted with the RSS parameter to the AS to corroborate the MT identity within the NS.
Once received, the AS, in response, sends an AV built with the aid of the fingerprint, to approve the NS identity into the MT. In addition, before AS sends AV to MT across NS, AS applies the -nearest neighborhood (-NN) technique on the revived RSS with the existing data base to estimate the fingerprint distribution. The nearest output of this algorithm is used to identify the corresponding legitimate location stored in the database.
It should be mentioned that the inaccuracy of the estimation technique does not affect the reliability of the proposed protocol because the identification of legitimate location is already takes into consideration the localization error range to define the trusted radio zones.
Finally, the AKA authentication protocol is performed as operated in conventional cryptographic protocols.
To have better insights into this work, we frame the set of contributions of this paper as follows:
Defining two SLA for decentralized and centralized 5G networks and proposing a cross-layer authentication approach based on SLA specifications.
Exploiting the random and unique RSS measurements in order to compute a secret fingerprint.
Enhancing the security level of 5G networks by introducing a novel approach rendered by the creation of a radio trusted Zones database.
Executing security protocol analysis and validating the sensitivity of the proposed cross-layer protocol against different threats by leveraging the AVISPA tool. Additionally, comparisons of the computational complexity of the proposed scheme against traditional cryptographic and non-cryptographic approaches are also conducted.
To the best of author’s knowledge, the cross-authentication approach along with radio trusted zones have not yet been devised and evaluated in the literature. The remainder of this paper is organized as follows. Section II introduces the proposed system model and the protocol design. In Section III, the security and performance analysis are evaluated. Finally, this paper is summarized in Section IV, where a number of future endeavors are also put forward.
Ii System Model and Protocol Design
In order to tackle the important security challenge in SDWN-based 5G HetNets which results from the separation of the radio control plane from the data plane, we propose an AS as a third party security agent to provide isolation and efficient security authentication management over the integral network. Therefore, a cross-layer authentication procedure is proposed. This procedure is mainly based on increasing the security level of the AKA protocol by using physical layer information and machine learning algorithms at the server side in order to estimate the authenticity of the radio devices. The following subsections will detail the various steps related to the proposed protocol, namely, fingerprint generation, estimation and distribution, the cross-layer authentication and protocol design.
Ii-a Generation of the fingerprint
In our approach, we employ a channel-based fingerprinting mechanism to enhance the authentication procedure. Towards this end, we first define two SLAs which address decentralized and centralized networks, respectively. For decentralized networks, the authentication procedure is comprised of two steps. For centralized networks, a complete three steps approach is applied. These agreements are established at the beginning between the NS and the AS.
After defining the agreement, the non-cryptographic procedure is performed. As shown in Figure 1, the RSS measurements from different base stations are gathered and then averaged. In fact, to make this RSS parameter unique and random to suit the generation of the fingerprint key, different RSS values from various radio devices are required to compute the average. Otherwise, considering a single RSS measurement from one radio device and due to the multi-path propagation environment, two different users on different locations may have the same value, which hinders the security of the protocol. Hence, the received radio signal strength from different radio devices, when collected at the MT side, can be represented as
where is the time of arrival of the signal received from the access point to the MT at a given location. This time of arrival significantly reduces the possibility to impersonate the RSS vectors by an intruder.
The MT then averages the RSS vectors to generate the fingerprint such that
where is the mean operator.
The generated fingerprint aids in randomizing the secret key that is used by the AKA protocol. After this step, the AKA protocol is performed at the MT. As a first step in this protocol, the IM is masqueraded by the fingerprint. The output of the masquerading, dubbed as temporary identification mobile (TIM) aims to hide the device IM. After masquerading, in order to protect TIM from catching attack, this latter is encrypted with the AES ecryption algorithm. Finally, MT sends TIM with the RSS vectors to the AS to corroborate the MT identity within the NS.
Ii-B Estimation of the fingerprint distribution
In this section, we will first introduce the proposed radio trusted zone concept that we consider in our system design to recognize the legitimacy of different radio device identities in the network. To this end, each zone is set to form a cluster of neighboring small cells. The database of this latter is built thanks to radio map database using the localization fingerprinting method in .
Since building the radio trusted zone database is out of the scope of this paper, in the remaining of this work, we assume the existence of this database at the AS side. Once the radio signal is received (i.e., TIM and RSS vectors), the AS analysis the RSS vectors and computes the fingerprint as given in Eq. (2). The resultant key is used to unmask TIM in order to corroborate the IM authenticity within the NS. After this step, the deterministic -NN method is used to estimate the fingerprint distribution. In fact, the -NN method is one of the simplest ways to determine the fingerprinting process of wireless devices by using a radio map database. Hence, in contrary to our solution, the conventional -NN method is victim of false positive alarms when its output is compared to a radio trusted zone without taking into account the localization error range. Finally, in the proposed system, the -NN process considers multiple nearest neighbors to compute the fingerprint distribution as follows
where is the RSS vector stored in the radio trusted zone. The resultant is used to identify the corresponding location in the trusted radio zones database, taking into account the localization error range, to prove the legitimacy of the radio device. In the next subsection, we will detail the key exchange process; handover through the cross-layer authentication protocol.
Ii-C Cross-layer Authentication Protocol
The procedure of keys’ exchange between different network entities is exhibited in Figure 2. In this context, we assume that NS possesses previous credentials to coordinate with the AS. The following steps within the authentication protocol are executed only if the MT is a new user or enters a certain trusted zone for the first time.
MT computes the fingerprint based on Eq. (2) and masquerades IM with the resulting TIM.
MT sends TIM and RSS vectors to AS in response to the demand made by the NS.
AS generates the fingerprint based on RSS vectors and IM from TIM, and .
AS estimates fingerprint distribution and search its corresponding legitimate localization in the radio trusted zones database that has been previously built.
AS generates AV only if the legitimate localisation is found in the database.
Hence, AV will contain the following keys
= ( , , , )
= ( , )
= ( , )
= ( , )
= ( , )
where and denote the bitwise XOR and the concatenation operations, respectively. The notions to are the AES cryptographic hash functions, SQN is the fresh sequence number, AMF denotes a public authentication management field handled by the network operator, RAND signifies a random number, IK symbolizes the integrity key, CK refers to the cipher key, AK is the anonymity key, MAC denotes message authentication code, XRES is the expected response, XMAC is the expected MAC and AUTN implies the authentication token.
It is important to note that for the decentralized network, the cross layer authentication algorithm ceases in step 2 thus AS sends the AV[RAND, AUTH] to MT without passing by NS, then MT verifies SQN and compares XMAC with the MAC to validate the network. Therefore, for the case of the centralized network, the AS sends AV[RAND, AUTH, XRES] to the NS and then the NS sends AV[RAND, AUTH] to MT. Subsequently, the MT calculates different keys as follows:
= ( , )
= (, 2nd(), , )
= ( , )
= ( , )
= ( , )
After calculating the keys, the following is performed:
If SQN is in the correct range, then the XMAC is compared with MAC to validate the network.
If SQN is not in the correct range, then the connection is rejected.
Once validated, MT calculates its RES value and sends it to the NS for validation.
NS compares RES with XRES that is already present in the authentication vector.
If RES is equal to XRES, then the MT is also authenticated by NS and mutual authentication is achieved. Otherwise, it is rejected.
Iii Security and Performance Analyses
In the following, we perform automated security analysis to asses the security level of the proposed cross-layer authentication protocol using the Avispa tool to verify its resistance against various attacks. Moreover, we leverage a JAVA API to estimate the computational cost of the proposed scheme.
Iii-a Security Analysis
In this section, we analyze the security of the conventional authentication protocol and the proposed authentication protocol. In the first scenario, we assess the security of the conventional AKA protocol. Since this protocol sends its pre-shared key over the air, we consider herein that an intruder in the network has the knowledge about the key. In contrast, in the second scenario related to the proposed protocol, the intruder is unable to acquire knowledge about the pre-shared key given that this protocol does not send the key over the air. In both scenarios, the intruder performs several typical attacks (i.e., man-in-the-middle, redirection, replay, etc.) on the protocols.
Iii-A1 Scenario 1
In this scenario, the MT sends the IM and the secret key k on the fly to AS to initiate the authentication process. This process is formalized and then assessed using Avispa tool, As depicted in Figure 3 the protocol analysis indicates UNSAFE, revealing that the protocol is vulnerable to various analyzed threats.
Iii-A2 Scenario 2
As described in our protocol, MT sends IM encrypted with on the fly to AS. In contrast to the conventional mechanism, MT, SN and AS generate the fingerprint separately which improve the security as the fingerprint is never sent on the fly. This is corroborated by conducting protocol analysis using Avispa tool, which indicates that this protocol is SAFE (against the analyzed threats) as shown in Figure 4.
In the following, we detail how different attacks could be performed under scenario 2 and how our protocol design is resilient against such threats.
Redirection attacks and black-hole attacks
The mobile identification is not protected in the current mobile network and can be altered by an adversary with some devices such as an IM catcher, which leads to the redirection attack. In our protocol, the fingerprint is used to masquerade the IM and thereby protects 5G networks against redirection attacks.
Accordingly, the attack fails if the malicious user is unable to obtain the legitimate user information from the MT. In the proposed protocol, the MT computes the IM embedded with the fingerprint generating TIM and sends it to the AS. The authentication request is denied if the AS fails to match the IM sent by the MT. Such a technique solves the problem of miss-charged billing in the 5G network. Thus, the proposed scheme immunes the 5G network from black-hole attacks.
The cross-layer protocol is resilient against this attack by solely sending the RSS vectors and TIM during the transmission of information over the network. This prevents the misuse of valid information; an adversary typically can delay the message over the network and sends it later for some malicious purpose if no random number or fingerprint is involved in the transmitted message.
A man-in-the-middle attack occurs when an adversary eavesdrops the communicated information between the MT and the NS. In the context of the our proposed cross-layer protocol, the key is independently generated in the MT, AS and NS. This key prohibits the communication from being eavesdropped.
Over the 5G network, the corruption of the control plane endangers the security of the whole network. Following are some scenarios in which an adversary may attempt to impersonate the 5G network.
- Case 1:
Consider the presence of a fake NS where an intruder can eavesdrop all its messages. The adversary must reply with a valid response RES to the NS in order to impersonate the MT, but the intruder cannot obtain the correct RES since this latter is exchanged exclusively between the MT and an uncorrupted AS.
- Case 2:
If the intruder attempts to impersonate an uncorrupted network, the attempt would fail as the MT can verify that previously, there was no initiated request for AV. Furthermore, MT only exchanges traffic with trusted radio devices (i.e., the radio trusted zones database).
Denial of Service (DoS) attacks
The DoS attack and its variants are discussed in the following scenarios; the attacker MT’s flood the victim control plane with authentication requests by spoofing the IM/TIM, the k key and a request number.
- Case 1:
The attacker MT floods the NS victim with self IM. If the malicious MT does not respond within the threshold time duration to the proxy, then the connection is simply terminated. Accordingly, NS resets the authentication request and releases the resources that are used to maintain the authentication request status. In addition, if the request is originating from a malicious user, then the proxy will not acquire the key or would simply receive an invalid key. There is a timeout period for each MT to maintain the state of half-opened authentication requests. If the malicious MT attempts to cause an overflow at the victim NS with the half-open authentication requests, NS would not be able to accept any new incoming authentication requests.
- Case 2:
The attacker MT floods the victim NS by spoofing IM. In this scenario, if the actual MT that receives a message is not active, then the AS will not receive any information from the MT, and this process becomes similar to first case; the NS waits for a threshold time to hear from the AS. After the timeout period, the NS resets the authentication request and releases the resources that are used to maintain the authentication request status.
In fact, in this protocol, the AS is supposed to receive an RSS vectors from the MT, which is neither an actual IM of the MT nor a TIM for the NS. An actual IM or TIM with a fake key will not be able to extract the correct IM of the MT and thus the connection will be terminated. Hence, there is no chance that the attacker would be able to generate the same from a victim MT’s IM. Indeed, given the aforementioned information, we assert that the proposed cross-layer AKA protocol protects the network from DoS attacks.
Iii-B Computational cost analysis
We further thought that it would be insightful to analyze the computational cost of our proposed cross-layer protocol. In this context, it is important to note that the SDWN paradigm introduces the cloud radio access networks (C-RAN) paradigm, which aims at reducing the computational cost as most of the processing activities are executed on the distributed cloud. Moreover, the well-trusted radio zones database is formed by small cells; a mechanism which avoids frequent authentication of the MT within each small cell.
We perform comparisons of the non-cryptographic and cryptographic authentication algorithms against the proposed cross-layer protocol For our analysis, we exploit a dataset of 25 radio signal strength samples collected for 280 combinations of user locations and orientations.
Since our proposed cross-layer protocol is implemented in Java, a Java API is developed for this evaluation purpose to be coherent and to generate real time perspectives of the computational cost. Moreover, we use an Intel Core i7-6700 CPU with 3.4 GHz X64 based processor and 16 GB RAM to conduct the computations.
The results of this comparison is shown in Figure 5, which demonstrates the computational cost of cryptographic, non-cryptographic and the proposed cross-layer protocol across small cells with and without employing the trusted zone approach at the AS level. In the case where the proposed protocol operates without employing the radio trusted zones, we observe a clear increment in computational cost in comparison with non-cryptographic and cryptographic procedures, respectively, and this gap increases when the number of cells increases. The augmentation is due to the fact that our proposed cross-layer protocol operates in this specific case without a trusted zone and uses machine learning algorithm to authenticate the radio devices. The absence of a trusted zone increases the recurrence of authentication procedures, which leads to more complexity.
Once the radio trusted zones’ approach is employed, the computational cost of the proposed cross-layer protocol drops in contrast with the first approach. This renders the deployment of a radio trusted zones a better choice to achieve a lower complexity and thus reduce latency.
In this paper, we propose a software-defined wireless network (SDWN)-enabled fast cross authentication scheme that combines non-cryptographic and cryptographic algorithms to tackle the challenges of latency and weak security in 5G HetNets. First, the radio trusted zone database concept is introduced aiming to reduce the authentication recurrence. Consequently, the cross-layer algorithm is designed, implemented and evaluated. By executing automated protocol analysis using the Avispa environment, the security posture of our cross-layer authentication protocol in terms of resilience to various attacks is analyzed. The results show that the proposed scheme satisfies 5G security requirements and its advantages have been verified by simulations. Further, the proposed protocol causes considerable deduction of traffic authentications, thanks to the introduction of the radio trusted zone unit. Finally, a Java API is developed to compute the complexity of our system and to compare it against cryptographic and non-cryptographic approaches. It is shown that if a radio trusted zone is employed, the computation complexity is significantly reduced in comparisons with the two latter approaches, by limiting the authentication recurrence. As for future work, we will be focusing on employing machine learning techniques to properly classify the various RSS profiles of a HetNet in an attempt to build reliable and efficient radio trusted zones.
-  C. V. N. Index, “Global mobile data traffic forecast update, Cisco white paper,” https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/mobile-white-paper-c11-520862.html.
-  C. X. Wang, F. Haider, X. Gao, X. H. You, Y. Yang, D. Yuan, H. M. Aggoune, H. Haas, S. Fletcher, and E. Hepsaydir, “Cellular architecture and key technologies for 5G wireless communication networks,” IEEE Communications Magazine, vol. 52, no. 2, pp. 122–130, February 2014.
-  I. F. Akyildiz, P. Wang, and S.-C. Lin, “Softair: A software defined networking architecture for 5G wireless systems,” Computer Networks, vol. 85, pp. 1–18, 2015.
-  Y. Chen, J. Yang, W. Trappe, and R. P. Martin, “Detecting and localizing identity-based attacks in wireless and sensor networks,” IEEE Trans. on Vehicular Technol., vol. 59, no. 5, pp. 2418–2434, 2010.
-  Y. Deng, H. Fu, X. Xie, J. Zhou, Y. Zhang, and J. Shi, “A novel 3GPP SAE authentication and key agreement protocol,” in IEEE International Conference on Network Infrastructure and Digital Content, Nov 2009, pp. 557–561.
-  X. Li and Y. Wang, “Security enhanced authentication and key agreement protocol for LTE/SAE network,” in 7th International Conference on Wireless Communications, Networking and Mobile Computing, Sept 2011, pp. 1–4.
-  K. Hamandi, I. Sarji, A. Chehab, I. H. Elhajj, and A. Kayssi, “Privacy enhanced and computationally efficient HSK-AKA LTE scheme,” in 27th International Conference on Advanced Information Networking and Applications Workshops, March 2013, pp. 929–934.
-  M. Purkhiabani and A. Salahi, “Enhanced authentication and key agreement procedure of next generation evolved mobile networks,” in IEEE 3rd International Conference on Communication Software and Networks, May 2011, pp. 557–563.
-  J. B. B. Abdo, H. Chaouchi, and M. Aoude, “Ensured confidentiality authentication and key agreement protocol for EPS,” in Symposium on Broadband Networks and Fast Internet (RELABIRA), May 2012, pp. 73–77.
-  J. G. Andrews, S. Buzzi, W. Choi, S. V. Hanly, A. Lozano, A. C. K. Soong, and J. C. Zhang, “What will 5G be?” J. Sel. Areas Commun., vol. 32, no. 6, pp. 1065–1082, Jun 2014.
-  X. Duan and X. Wang, “Fast authentication in 5G HetNet through SDN enabled weighted secure-context-information transfer,” in IEEE International Conference on Communications (ICC), May 2016, pp. 1–6.
-  V. Moghtadaiee and A. G. Dempster, “Indoor location fingerprinting using FM radio signals,” IEEE Trans. on Broadcasting, vol. 60, no. 2, pp. 336–346, Jun 2014.
-  P. Hao, X. Wang, and A. Behnad, “Performance enhancement of I/Q imbalance based wireless device authentication through collaboration of multiple receivers,” in IEEE International Conf. on Commun. (ICC), Jun 2014, pp. 939–944.
-  P. L. Yu, J. S. Baras, and B. M. Sadler, “Physical-layer authentication,” IEEE Trans. Inf. Forens. Security, vol. 3, no. 1, pp. 38–51, Mar 2008.
-  V. Honkavirta, T. Perala, S. Ali-Loytty, and R. Piche, “A comparative survey of WLAN location fingerprinting methods,” in 6th Workshop on Positioning, Navigation and Communication, March 2009, pp. 243–251.
-  W. Hou, X. Wang, and J. Y. Chouinard, “Physical layer authentication in OFDM systems based on hypothesis testing of CFO estimates,” in IEEE International Conference on Communications (ICC), Jun 2012, pp. 3559–3563.