
DS-TWR Clock Attack Avoidance Report
Explore how DS-TWR addresses clock attacks in MMS ranging, comparing it to SS-TWR solutions. Discuss the changing reporting formats and implications for security. Discover the differences in clock corrections and ranging markers to prevent vulnerabilities in wireless personal area networks.
Sept. 2024 doc.: 15-24-0502-01-04ab
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: MMS DS-TWR reporting and avoidance of clock attack
Date Submitted: Sept. 2024
Source: Li-Hsiang Sun, Li Ma, James Yee (MediaTek)
Address: 13480 Evening Creek Drive North, Suite 600, San Diego, CA 92128
E-Mail: li-hsiang.sun@mediatek.com
Abstract: Provide alternatives for discussion
Purpose: To facilitate comment resolution related to DS-TWR CIDs
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Submission Slide 1 Li-Hsiang Sun et al, MediaTek
Slide 2: Background
- [1] has proposed non-interleaved MMS for SS-TWR and DS-TWR.
- [2] has proposed interleaved MMS for DS-TWR.
- [3] pointed out that SS-TWR can be subject to a clock attack, because the report from the other party is corrected by a factor based on the CFO/SFO of the attacking ranging signal.
- DS-TWR can avoid the above attack, assuming:
  - the report is protected;
  - at the measured time instance (RMARKER) a secure ranging signal is received.
- However, a clock attack can still happen in DS-TWR for MMS ranging [3]: in MMS ranging, the receiver may not be able to tell whether, at the measured time instance (RMARKER), the received signal is noise or an actual signal fragment that contributed a positive correlation to the expected secure ranging signal.
Slide 3: DS-TWR MMS reporting format
- The DS-TWR report format needs to be changed compared to that of SS-TWR currently defined for the compact frame.
- SS-TWR (current MMS assumption):
  - A reports T_round; B reports T_reply.
  - A applies clock correction to T_reply before calculating T_prop; B applies clock correction to T_round before calculating T_prop.
- DS-TWR:
  - B reports T_round2 and T_reply1; A reports T_round1 and T_reply2.
  - A and B do not need to correct the values reported by the peer.
  - Two ranging RMARKERs are sent by A, and because of the fixed interval between the RMARKERs from A (e.g. 1 ms) for MMS, A only needs to report either T_round1 or T_reply2, not both.
Slide 4: S&A attack [3] on DS-TWR
[Figure: a MITM relays between A and B. A measures T_reply2 and T_round1, with its derived RMARKERs advanced by x; B measures T_reply1 and T_round2, with its derived RMARKERs advanced by y. The arrow positions are RMARKERs.]
- Green: correctly derived RMARKER positions, e.g. the attacker relays RIFs with 0 delay and does not change the CFO between A and B, i.e. no attack.
- Red: derived RMARKER positions based on the altered clock frequency of the replayed RIFs.
- The receiver may not be able to tell that it has received correct RIF pulses at/around the RMARKER position because of the low link budget. The RMARKER position is derived from the correlation and combination of all RIF pulses and the CFO of the peer's clock. Some of the pulses that contributed to the positive correlation may be several ms away from the RMARKER.
- The proposal of bit-wise verification [4] of the RIF was rejected in 15.4ab.
- When A or B uses the green RMARKERs (x = y = 0): correct ranging result.
- When A or B uses the red (advanced) RMARKERs, i.e. x > 0, y = 0; x = 0, y > 0; or x > 0, y > 0: T_prop is shortened.
- Normally it is difficult to advance an RMARKER because the RIF is unpredictable.
- With the advanced RMARKERs, the DS-TWR estimate becomes:
  T_prop = ((T_round1 - x)(T_round2 - y) - (T_reply1 + y)(T_reply2 + x)) / (T_round1 + T_round2 + T_reply1 + T_reply2)
Slide 5: Case 1 and Case 2: advanced RMARKERs
- Case 1 and case 2 are examples of a MITM replaying a partial sequence of RIFs with altered clock speed, which causes the derived RMARKER positions to be earlier than they are supposed to be.
- Based on the previous page (red RMARKERs), T_prop is shortened.
[Figure, Case 1: RIF-A (partial) replayed with a slower clock; RIF-B (partial) replayed with a slower clock; the RMARKERs of A and B are marked.]
[Figure, Case 2: RIF-A (partial) replayed delayed and with a faster clock; RIF-B (partial) replayed delayed and with a faster clock; the RMARKERs of A and B are marked.]
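To make the timing arithmetic of slides 3 to 5 concrete, the following Python illustration is added here; it is not code from the MediaTek submission. It computes the DS-TWR estimate from the four intervals, derives A's second value from the fixed interval between A's two RMARKERs as slide 3 describes, shows that a peer clock offset needs no correction, and evaluates the slide-4 expression for advanced RMARKERs to show how T_prop shrinks by about (x + y)/2. All timing values are constructed samples in nanoseconds; the 1 ms A-side interval is the slide's own example, and the function names are this example's, not the standard's.

```python
# Added illustration of DS-TWR timing arithmetic (not code from the IEEE
# 802.15.4ab submission). All values are constructed samples in nanoseconds.

A_TX_INTERVAL_NS = 1_000_000.0  # fixed 1 ms between A's two ranging RMARKERs (slide 3 example)


def ds_twr_tprop(t_round1, t_reply1, t_round2, t_reply2):
    """Standard DS-TWR propagation-time estimate.

    T_prop = (T_round1*T_round2 - T_reply1*T_reply2) / (T_round1 + T_round2 + T_reply1 + T_reply2)
    A measures T_round1 and T_reply2 in its clock; B measures T_round2 and T_reply1 in its clock.
    """
    return (t_round1 * t_round2 - t_reply1 * t_reply2) / (t_round1 + t_round2 + t_reply1 + t_reply2)


def a_side_from_single_report(t_round1):
    """A's two RMARKERs are a fixed interval apart, so T_reply2 follows from T_round1 alone."""
    return A_TX_INTERVAL_NS - t_round1


def true_intervals(tprop_ns, t_reply1_ns):
    """Honest timings for a given true propagation time and B's reply delay.

    T_round1 = 2*T_prop + T_reply1 (A's clock), T_reply2 = interval - T_round1 (A's clock),
    T_round2 = 2*T_prop + T_reply2 (B's clock).
    """
    t_round1 = 2 * tprop_ns + t_reply1_ns
    t_reply2 = a_side_from_single_report(t_round1)
    t_round2 = 2 * tprop_ns + t_reply2
    return t_round1, t_reply1_ns, t_round2, t_reply2


def with_peer_clock_offset(t_round1, t_reply1, t_round2, t_reply2, cfo):
    """B's clock runs (1 + cfo) times A's: B's two measured values scale, A's do not."""
    return t_round1, t_reply1 * (1 + cfo), t_round2 * (1 + cfo), t_reply2


def with_advanced_rmarkers(t_round1, t_reply1, t_round2, t_reply2, x=0.0, y=0.0):
    """Values each side measures when its derived receive RMARKER is advanced (slide 4).

    A's advance x shortens T_round1 and lengthens T_reply2;
    B's advance y shortens T_round2 and lengthens T_reply1.
    """
    return t_round1 - x, t_reply1 + y, t_round2 - y, t_reply2 + x


if __name__ == "__main__":
    honest = true_intervals(tprop_ns=100.0, t_reply1_ns=400_000.0)  # 100 ns is about 30 m
    print("honest:          ", ds_twr_tprop(*honest))
    print("B clock +10 ppm: ", ds_twr_tprop(*with_peer_clock_offset(*honest, cfo=1e-5)))
    print("A advanced 50 ns:", ds_twr_tprop(*with_advanced_rmarkers(*honest, x=50.0)))
    print("both advanced:   ", ds_twr_tprop(*with_advanced_rmarkers(*honest, x=50.0, y=50.0)))
```

The peer-offset case is why slide 3 says neither side corrects the peer's values: a 10 ppm difference between the clocks moves the estimate by well under a nanosecond. The advanced-RMARKER cases show the failure mode of slide 4: the denominator is unchanged, so every nanosecond of advance on either side removes about half a nanosecond from T_prop.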
Slide 6: Remedy 1: use a conservative result
- If the receiver cannot determine the position of the RIF pulses that contributed to the positive correlation near the RMARKERs, then two sets of RMARKERs are used, giving T_prop1 and T_prop2.
- The two sets of RMARKERs can be located near the beginning and near the end of the RIF sequence to ensure a conservative estimate.
- For example, for an application wishing to verify that the distance between A and B is less than a threshold, T_prop = max(T_prop1, T_prop2).
- This has been proposed in [2].
Slide 7: Remedy 2: compare reports with CFO estimation
- A compares (T_round2 + T_reply1) in the report from B with the interval D = (T_round1 + T_reply2) corrected to B's clock, to detect any discrepancy.
- For example, A detects a discrepancy larger than a margin between (T_round2 + T_reply1) in the report and D·(1 + estimated CFO), where the estimated CFO is the one used for coherently combining the RSF/RIF from B.
- For case 1, the estimated CFO is negative (i.e. the MITM sends slowed RIF to A), but (T_round2 + T_reply1) > D (i.e. the MITM sends slowed RIF to B); then (T_round2 + T_reply1) > D·(1 + estimated CFO) + margin, which is detected by A. Based on the received signal, A thinks B's clock is slower, but the values reported by B indicate that B's clock is faster. This discrepancy signals an attack.
- For case 2, the estimated CFO is positive (i.e. the MITM sends faster RIF to A), but (T_round2 + T_reply1) < D (i.e. the MITM sends faster RIF to B); then (T_round2 + T_reply1) < D·(1 + estimated CFO) - margin, which is detected by A. Based on the received signal, A thinks B's clock is faster, but the values reported by B indicate that B's clock is slower. This discrepancy signals an attack.
- If a discrepancy is detected by A, A indicates to B that the ranging is unreliable, and/or does not report T_round1 or T_reply2 to B. The unreliable indication could be in a protected message after the report message(s).
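The following Python illustration is added here to show the checks of slides 6 and 7 as a verifier at A would run them; it is not code from the MediaTek submission. Remedy 2 is the consistency check between B's reported (T_round2 + T_reply1) and A's own interval D scaled by the CFO that A estimated from B's signal; Remedy 1 is the conservative max over the two T_prop estimates. The timings, the 5 ns margin and the two attack-shaped reports are constructed samples (the margin a real receiver would use depends on its CFO-estimation accuracy and timestamp resolution); the function names are this example's own, and the speed of light is the only real constant.

```python
# Added illustration of Remedy 1 (conservative T_prop) and Remedy 2 (report vs.
# CFO-estimate consistency) from the slides; not code from the IEEE submission.
# Timing values and the detection margin are constructed samples in nanoseconds.

SPEED_OF_LIGHT_M_PER_NS = 0.299792458


def expected_peer_sum(t_round1, t_reply2, cfo_est):
    """D = T_round1 + T_reply2 measured in A's clock, expressed in B's clock using the
    CFO that A estimated while coherently combining B's RSF/RIF (slide 7)."""
    d = t_round1 + t_reply2
    return (1.0 + cfo_est) * d


def report_discrepancy(t_round1, t_reply2, reported_sum, cfo_est):
    """Signed difference between B's reported (T_round2 + T_reply1) and what A expects.
    Positive: B's report says B's clock is faster than A's CFO estimate implies (case 1);
    negative: B's report says B's clock is slower than the estimate implies (case 2)."""
    return reported_sum - expected_peer_sum(t_round1, t_reply2, cfo_est)


def attack_suspected(t_round1, t_reply2, reported_sum, cfo_est, margin_ns):
    """Remedy 2: flag the exchange when the discrepancy exceeds the margin in either direction."""
    return abs(report_discrepancy(t_round1, t_reply2, reported_sum, cfo_est)) > margin_ns


def conservative_tprop(tprop_begin, tprop_end):
    """Remedy 1: with RMARKER sets near the start and the end of the RIF sequence,
    take the larger estimate for a 'closer than threshold' decision (slide 6)."""
    return max(tprop_begin, tprop_end)


def verify_within_range(t_round1, t_reply2, reported_sum, cfo_est, margin_ns,
                        tprop_begin, tprop_end, threshold_m):
    """Combined decision at A: None when the report is inconsistent (A marks the ranging
    unreliable and withholds its own report), otherwise whether the conservative
    distance is below the application threshold."""
    if attack_suspected(t_round1, t_reply2, reported_sum, cfo_est, margin_ns):
        return None
    distance_m = conservative_tprop(tprop_begin, tprop_end) * SPEED_OF_LIGHT_M_PER_NS
    return distance_m < threshold_m


# Constructed sample: A's two RMARKERs are 1 ms apart, so D is always 1_000_000 ns.
T_ROUND1, T_REPLY2 = 400_200.0, 599_800.0
MARGIN_NS = 5.0  # constructed; a real margin follows from CFO-estimation accuracy

# Honest exchange: B's clock is 10 ppm fast, A estimates exactly that, and B's report agrees.
HONEST = dict(reported_sum=1_000_010.0, cfo_est=1e-5)
# Case 1 shape: A hears a slowed RIF (negative CFO estimate) but B's sum exceeds D.
CASE1 = dict(reported_sum=1_000_020.0, cfo_est=-2e-5)
# Case 2 shape: A hears a faster RIF (positive CFO estimate) but B's sum is below D.
CASE2 = dict(reported_sum=999_980.0, cfo_est=2e-5)

if __name__ == "__main__":
    for name, case in (("honest", HONEST), ("case 1", CASE1), ("case 2", CASE2)):
        disc = report_discrepancy(T_ROUND1, T_REPLY2, **case)
        flagged = attack_suspected(T_ROUND1, T_REPLY2, margin_ns=MARGIN_NS, **case)
        print(f"{name}: discrepancy {disc:+.3f} ns, attack suspected: {flagged}")
    print("within 50 m:", verify_within_range(T_ROUND1, T_REPLY2, margin_ns=MARGIN_NS,
                                              tprop_begin=100.0, tprop_end=110.0,
                                              threshold_m=50.0, **HONEST))
```

In both attack-shaped cases the discrepancy is 40 ns over a 1 ms interval, i.e. the 40 ppm gap between what A's CFO estimator heard and what B's report implies, which is far above any plausible margin; in the honest case it is zero. Note that the check only uses values A already has (its own timestamps, its CFO estimate and B's protected report), so it adds no air-interface cost.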
Slide 8: Cases not fixed by remedies 1 & 2
- Case 3: the attacker matches the CFO of the replayed partial RIF sequences (one faster than B's clock, one slower than A's clock, replayed at different parts of the sequence).
- Case 3 is an example: if y < x, a distance reduction is still possible.
[Figure, Case 3: RIF-A (partial) replayed delayed and with a faster clock; RIF-B (partial) replayed with a slower clock. The MITM sits between A (T_reply2, T_round1, RMARKER advance x) and B (T_reply1, T_round2, RMARKER advance y).]
Slide 9: Remedy 3
- One device's transmitted signal is pre-corrected based on the other device's clock, e.g. the responder pre-corrects its clock based on the initiator's clock before transmission.
- With CFO -> 0, the imaginary advances of the RMARKER do not happen.
- Even with the clock pre-corrected, SS-TWR is still not advised.
Slide 10: Summary
- Check our understanding of the possible attacks on DS-TWR described in [3] with 4ab experts.
- Discuss/learn remedies if the clock attack on DS-TWR is indeed an issue.
Slide 11: References
[1] https://mentor.ieee.org/802.15/dcn/24/15-24-0409-00-04ab-non-interleaved-mms.pptx
[2] https://mentor.ieee.org/802.15/dcn/24/15-24-0413-00-04ab-ds-twr-with-uwb-mms-packets.pptx
[3] https://mentor.ieee.org/802.15/dcn/23/15-23-0274-00-04ab-more-on-clock-related-attacks-against-uwb-ranging.pptx
[4] https://mentor.ieee.org/802.15/dcn/23/15-23-0403-00-04ab-optional-spreading-factor-l-16-for-ranging-integrity-fragments-rif.pptx