Analysis of Secure LTF Frequency Windows in IEEE 802.11-21/0039r0

january 2021 n.w
1 / 25
Embed
Share

This document discusses security analysis focusing on Secure LTF Frequency Windows in the context of IEEE 802.11-21/0039r0 standards. It covers attack scenarios like PHY security, integrity attacks, and frequency/domain computational attacks. The content delves into how attackers manipulate measurements to fake proximity detection, replace Cyclic Prefix with zero-padded Guard Intervals, and conduct computational attacks based on Frequency and Time domains. Practical steps, advantages, and disadvantages of these attacks are outlined, emphasizing the importance of vigilance against various security threats in wireless communication protocols.

  • Security Analysis
  • IEEE 802.11
  • Secure LTF
  • Frequency Windows
  • PHY Security
rayaanacharya
mck_fol Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. January 2021 doc.: IEEE 802.11-21/0039r0 Analysis of Secure LTF Frequency Windows Date: 2021-01-06 Authors: Name Christian Berger Affiliations NXP Address 350 Holger Way, San Jose, CA Phone email christian.berger@nxp.com Submission Slide 1 Christian Berger (NXP)

  2. January 2021 doc.: IEEE 802.11-21/0039r0 PHY Security Attacker tries to modify the measured range Make STA appear closer to AP to fake proximity detection Spoof time-stamps t2 or t4 to achieve that Focus on physical layer attack Assume that MAC level is authenticated/encrypted Includes time-stamps t1/t4 feedback to initiator VHT- STF VHT- SIG-B L-STF L-LTF L-SIG VHT-SIG-A VHT-LTF Data VHT-LTF Adversary Timing advance Submission Slide 2 Christian Berger (NXP)

  3. January 2021 doc.: IEEE 802.11-21/0039r0 Integrity Attack Scenario First line security Use secure LTF (sequence unknown to attacker) Replace Cyclic Prefix (CP) with zero-padded Guard Interval (to reduce structure) Attack types 1. Frequency Domain/ Computational attack: attacker observes fraction of symbol and predicts the rest to attack the later part Time Domain/MMSE Attack: attacker continuously observes and attacks using low pass nature of baseband signal 2. Submission Slide 3 Christian Berger (NXP)

  4. January 2021 doc.: IEEE 802.11-21/0039r0 Frequency Domain/Computational Attack Steps Attacker will listen to first half portion of LTF Then try to estimate the full time-domain LTF waveform (typically by estimating frequency QAM symbols) Change measured t2 or t4 by transmitting the last (estimated) quarter of time-domain LTF waveform with timing advance Advantages: High received SNR (listen only) Processing delay of 100 ns okay Disadvantages Attack correlation limited by attack duration Receiver will notice poor SINR if boost power 6.4 s Waveform for channel measurement First half Timing advance Last quarter Waveform transmitted by attacker Submission Slide 4 Christian Berger (NXP)

  5. January 2021 doc.: IEEE 802.11-21/0039r0 Time Domain/MMSE Attack Steps Attack here Attacker will try to predict the waveform sample-by-sample Use finite bandwidth of signal and pulse shape/sidelobes Subtract out predicted symbols Start tx attack, while rx more data Maximum RTT effect Measure here Advantages Disadvantages Needs full duplex, limits receive SNR Needs to account for inter-symbol-interference Can only change RTT by prediction time (less proc. Delay) Can attack large part of symbol Does not depend on finite constellation Submission Slide 5 Christian Berger (NXP)

  6. January 2021 doc.: IEEE 802.11-21/0039r0 Attack Example 20 MHz - Rectangle Vulnerability depends on anti-causal part of pulse Caused by frequency domain interpolation Attack by 30 ns Attacker can observe energy up to Processing delay (30-60 ns) Attack ToA time (30 ns) Processing delay of 45 ns Observe pulse energy here If attack both RTT ToAs with 30 ns, can make distance seem 9 meters shorter Christian Berger (NXP) Submission Slide 6

  7. January 2021 doc.: IEEE 802.11-21/0039r0 Attack Example 80 MHz - Rectangle When changing bandwidth attacker capabilities stay the same Higher bandwidth systems are inherently more secure against time domain attack Attack by 30 ns Processing delay of 45 ns Tx Window Design Minimize pulse energy that can be used to attack Suggest a mask that minimizes energy more than 60ns before main pulse Observe pulse energy here Submission Slide 7 Christian Berger (NXP)

  8. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 40 MHz Rectangle HE40 2x Subcarriers No Window (rectangular, =0) Time domain Equivalent Pulse shaper Below 0.1 before 60 ns Below 0.04 before 160 ns Submission Slide 8 Christian Berger (NXP)

  9. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 40 MHz Raised Cosine HE40 2x Subcarriers Raised cosine ( =0.3) Easily meets spec Below 0.1 before 60 ns Below 0.04 before 160 ns Submission Slide 9 Christian Berger (NXP)

  10. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 40 MHz Flattop HE40 2x Subcarriers Flattop window (truncated at 0.5) Time domain Equivalent Pulse shaper Submission Slide 10 Christian Berger (NXP)

  11. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 40 MHz Trimmed Raised Cosine HE40 2x Subcarriers Raised cosine ( =0.3), cut at 0.5 Time domain Equivalent Pulse shaper Submission Slide 11 Christian Berger (NXP)

  12. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 80 MHz Rectangle HE80 2x Subcarriers No Window (rectangular, =0) No Tx window needed Below 0.1 before 60 ns Below 0.04 before 160 ns Submission Slide 12 Christian Berger (NXP)

  13. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 20 MHz Rectangle HE20 2x Subcarriers No Window (rectangular, =0) Tx window needed very much Below 0.1 before 60 ns Below 0.04 before 160 ns Submission Slide 13 Christian Berger (NXP)

  14. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 20 MHz Raised Cosine HE20 2x Subcarriers Raised cosine ( =0.6) Not enough to meet spec Submission Slide 14 Christian Berger (NXP)

  15. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 20 MHz Flattop HE20 2x Subcarriers Flattop window (truncated at 0.5) Not enough to meet spec Submission Slide 15 Christian Berger (NXP)

  16. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 20 MHz Kaiser Window HE20 2x Subcarriers Kaiser window ( =3) Aggressive enough to meet spec Submission Slide 16 Christian Berger (NXP)

  17. January 2021 doc.: IEEE 802.11-21/0039r0 Window Design 20 MHz Chebyshev Window HE20 2x Subcarriers Chebyshev Window (sidelobes at -30 dB) For small window size and not aggressive sidelobes, has peaks at boundary Peak at boundary Submission Slide 17 Christian Berger (NXP)

  18. January 2021 doc.: IEEE 802.11-21/0039r0 Cramer-Rao Lower Bound Formula for generic signal ?,? =???????? ? ? ??? ??? + ? ? ? ?? OFDM specific ? ? =?? ? ???? ??? ? ? ?? ?? ? ? Submission Slide 18 Christian Berger (NXP)

  19. January 2021 doc.: IEEE 802.11-21/0039r0 CRLB Evaluation 80 MHz HE80 2x LTF 512 FFT size 498 subcarriers, 3 DC, no pilots Can add more paths to reflect multipath OFDM+multipath OFDM signal generic signal Submission Slide 19 Christian Berger (NXP)

  20. January 2021 doc.: IEEE 802.11-21/0039r0 CRLB Evaluation Raised-Cosine 80 MHz Some degradation due to reduced effective bandwidth Renormalize to keep power constant OFDM+multipath OFDM signal Rectangle OFDM Submission Slide 20 Christian Berger (NXP)

  21. January 2021 doc.: IEEE 802.11-21/0039r0 CRLB Evaluation Flattop 80 MHz Similar degradation, slightly better in multipath Window is cut at 0.5 OFDM+multipath OFDM signal Submission Slide 21 Christian Berger (NXP)

  22. January 2021 doc.: IEEE 802.11-21/0039r0 CRLB Evaluation Trimmed Raised-Cosine 80 MHz Slightly better than Flattop Similar to Flattop, cut at 0.5 OFDM+multipath OFDM signal Submission Slide 22 Christian Berger (NXP)

  23. January 2021 doc.: IEEE 802.11-21/0039r0 Tx Window Comparison 40 MHz Some performance degradation Flattop worse than rectangle Trimmed raised-cosine has less loss than flattop flattop rectangle Trimmed Raised-cosine Submission Slide 23 Christian Berger (NXP)

  24. January 2021 doc.: IEEE 802.11-21/0039r0 Tx Window Comparison 20 MHz Some performance degradation Flattop worse than rectangle Kaiser even more aggressive than flattop and more loss Kaiser rectangle flattop Submission Slide 24 Christian Berger (NXP)

  25. January 2021 doc.: IEEE 802.11-21/0039r0 Conclusion Higher bandwidth signals are more secure 80 and 160 MHz LTFs don t need Tx windows 40 MHz can be easily addressed, choice of options 20 MHz needs aggressive window, with further degradation of performance Submission Slide 25 Christian Berger (NXP)

Related


Load Frequency Control in Power Systems

Load Frequency Control in Power Systems

acantha
Windows 7 ISO Download Get the Full Version of Windows 7 for Free

Windows 7 ISO Download Get the Full Version of Windows 7 for Free

buyantiviruskey
Where can I buy a genuine Windows 10 Pro OEM key at a discounted price

Where can I buy a genuine Windows 10 Pro OEM key at a discounted price

buyantiviruskey
windows 10 pro OEM kEYS

windows 10 pro OEM kEYS

buyantiviruskey
Unlock the full potential of Windows 10 with a best Genuine Activation Key

Unlock the full potential of Windows 10 with a best Genuine Activation Key

buyantiviruskey
Troubleshooting Windows 10 Pro Store_ Fixing Issues and Getting Your Apps Back on Track

Troubleshooting Windows 10 Pro Store_ Fixing Issues and Getting Your Apps Back on Track

buyantiviruskey
WindowKeys Unlocking the Power of Windows with Genuine License Keys

WindowKeys Unlocking the Power of Windows with Genuine License Keys

buyantiviruskey
If you are searching for Window Cleaner in Redcliffe

If you are searching for Window Cleaner in Redcliffe

Cathleen
One of the Best Conservatories in Langton Green

One of the Best Conservatories in Langton Green

Parker1
Doors and Windows in Architecture

Doors and Windows in Architecture

vlad
Capability of Supporting Windowing for Secure LTF in IEEE 802.11-21/0071r0

Capability of Supporting Windowing for Secure LTF in IEEE 802.11-21/0071r0

elowen
Transmission Operator Obligations in Under-Frequency Load Shedding

Transmission Operator Obligations in Under-Frequency Load Shedding

ananias
Enhancing Security with Windows Hello for Business

Enhancing Security with Windows Hello for Business

truett
One of the Best European Windows and Doors in Applewood Hills

One of the Best European Windows and Doors in Applewood Hills

Parker1
High Frequency Market Microstructure - A Comprehensive Overview

High Frequency Market Microstructure - A Comprehensive Overview

crater_n
Windows Platforms: A Lucrative Opportunity for Game Publishing

Windows Platforms: A Lucrative Opportunity for Game Publishing

mjeo
Publish a Windows 10 Game with Unity 5: Step-by-Step Guide

Publish a Windows 10 Game with Unity 5: Step-by-Step Guide

mykelt
Two-Way Frequency Tables in Data Analysis

Two-Way Frequency Tables in Data Analysis

smcsh
Unintentional Beamforming Issue in IEEE 802.11-19/1572r5 Secure-LTF Design

Unintentional Beamforming Issue in IEEE 802.11-19/1572r5 Secure-LTF Design

mathieson_j
IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

IEEE 802.11-18-1269-00-00az Clock Synchronization Investigation

choudhry_j
Windows 7 User Interface Overview

Windows 7 User Interface Overview

dcobi
GUI in Windows Operating System

GUI in Windows Operating System

nmoul

More Related Content